EMC Corp.'s announcement last week that it's buying Archer Technologies LLC, an Overland Park, Kan., provider of governance, risk and compliance (GRC) software, no doubt adds muscle to the EMC security division that will run Archer.
But it remains to be seen whether EMC's roadmap for Archer will build on Archer's recent efforts to break out of the IT risk field and into what the industry refers to as enterprise GRC.
"Archer was really making a lot of headway in enterprise GRC and in being able to sell that to the chief risk officer and the internal audit people who had more of an enterprise and finance view. A lot of questions remain as to what is EMC's commitment to that market," said analyst French Caldwell, who covers GRC at Stamford, Conn.-based Gartner Inc.
GRC technology that can help rationalize and integrate the multitude of compliance and risk factors across an enterprise is a relatively new development. And there is no shortage of experts highly skeptical that such GRC "platforms" exist.
Many of the vendors in the GRC marketplace, not just Archer, began with expertise in IT risk, operations, finance or legal, the big "buckets" for GRC software. Archer until recently was viewed as lacking the broad GRC capabilities of vendors like Thomson Reuters Corp. or OpenPages Inc., whose products were finance-focused from the start and are marketed as flexible, configurable GRC platforms.
In a 2009 analysis of GRC vendors from Forrester Research Inc., for example, the Cambridge, Mass.-based consultancy ranked Archer as a "strong performer" in GRC, well liked by its customers, if lacking the "vision" of Forrester's top picks -- Axentis Inc., BWise, MetricStream Inc., OpenPages and Thomson Reuters.
EMC priorities for Archer acquisition
Analysts briefed last week by EMC were told the company's priority in the coming months will be to integrate Archer with current RSA security offerings. After that, there are other places in the EMC portfolio, including content management, e-discovery and records management, to leverage Archer technology. And only after those synergies are explored will it be clear whether EMC wants to invest in GRC finance and the audit space, where Archer was making inroads.
For customers who have gone to Archer for IT GRC, "this is pretty good news," said Caldwell, because EMC certainly gives Archer the resources to accelerate its IT GRC product development. He also said he doesn't see any "immediate concern" for Archer's current finance, audit, risk and compliance officer customers. "It's not like they made some huge mistake" going with Archer, he said.
"For future buyers, I really think they have to wait and push EMC on what is on their development roadmap for those functions that are very important to enterprise GRC," Caldwell said. "That is going to be the real challenge for them."
Synergies with EMC document management, e-discovery, business continuity
Certainly, EMC has areas outside its RSA security division that can capitalize on Archer's technologies, said AMR Research Inc. analyst John Hagerty, citing e-discovery and document management as just two. In fact, five years ago, when GRC was just kicking off, Hagerty saw it as a "natural playing field" for the Hopkinton, Mass., powerhouse. The purchase by such a major player adds legitimacy to the GRC market, which Hagerty predicts will reach about $30 billion in 2010. And it may prompt others, like IBM, to jump in.
"At the same time, I was taken aback that after Archer spent such a long time talking about e-GRC how this appears to be an IT GRC play out of the box," said Hagerty, whose firm, AMR Research, was acquired last month by Gartner. Customers really like what Archer offers, he said, but "now it's a question of whether the name on the company matters in terms of people buying."
Caldwell agreed there are plenty of synergies in the deal, beyond IT security. Archer has a module for business continuity management that could sync up with EMC's disaster recovery business. Archer's vendor management module should also help EMC customers manage the risks associated with their migration from hardware to on-premise virtualized IT environments, and on to the cloud, Caldwell said. "As you look at all the vendors involved with the cloud, vendor management and vendor risk management become bigger issues."
But the fact is, these areas, while not strictly related to IT security, are still IT-centric, Caldwell said, great for broadening RSA's role in IT risk profile. "It doesn't move Archer out of IT," he said, or resolve the question of, "What is the future for the enterprise GRC buyer?"
Archer CEO defends company's leadership role in GRC
Archer's desire to be taken seriously as an enterprise GRC player was on display in a SearchCompliance.com phone interview just last month with Archer CEO Jon Darbyshire. Speaking about a recent alliance with Big Four accounting firm KPMG, Darbyshire touted Archer's enterprise-wide capabilities, refuting the "accuracy" of the Forrester Research analysis and even taking aim at some reputed "leaders."
"We've competed against them [OpenPages] 14 times in the last year and a half, and we have won 13 of the last 14 times we've competed against them. To make that fair, though, most of those are companies that are focusing on the IT and finance part of GRC together, and that is where we are very strong, OpenPages being stronger on the finance-only component of GRC."
Analysts, including Forrester's Christopher McClean, agreed with Darbyshire that the company has made strides.
"We've seen them in a lot more deals on enterprise GRC, competing directly with BWise and with OpenPages and Thomson Reuters and MetricStream," Caldwell said, but stressed again that it's an "open question right now if that is going to continue."