
16 top ERM software vendors to consider in 2025

Various software tools can help automate risk management and GRC processes. Here's a look at 16 enterprise risk management vendors and their products.

Enterprise risk management software helps organizations identify, mitigate and remediate business risks, which can lead to improved business performance. The risk management market is rapidly evolving from separate tools across different risk domains toward more integrated platforms that blend governance, risk and compliance functions with management of cybersecurity, IT and third-party risks.

The growing number and complexity of risks that businesses face have put enterprise risk management (ERM) even more in the spotlight for boards of directors, said Kriti Seth, an analyst at research firm Everest Group. Spending on risk and compliance tools is up significantly across different industries as boards prioritize projects to create more risk-resilient business operations, according to Seth. "Building a robust strategy and choosing the right ERM tool is becoming a critical decision for CIOs," she said.

In addition to pricing and the capabilities of different technologies, Seth said CIOs, IT managers and business executives involved in purchasing decisions need to consider the reputation of ERM software vendors and the types of risk management frameworks they support. Buyers should also weigh the tools they're considering across various dimensions involving users, risk management processes and governance impact, she added.

Evaluating enterprise risk management tools

Nucleus Research analyst Charles Brennan recommends that IT decision-makers use the following features and attributes to help select the best risk management software for their organization:

  • Integration. The seamless integration of risk management tools with other technologies is pivotal for real-time data exchanges and a comprehensive overview of different business risks.
  • Analytics. The right data analytics and reporting features can identify relevant trends, patterns and anomalies in an organization's risk-related data sets.
  • Customization. Decision-makers should prioritize tools that enable customization to align with their organization's risk management strategy and create user-friendly interfaces catering to diverse business stakeholders.
  • Regulatory compliance. Tools should seamlessly adapt to changing regulations that affect business operations, such as data privacy laws and climate risk disclosure rules.
  • Scalability. Look for tools that support modular and adaptable risk management capabilities to seamlessly integrate additional functionality as business requirements evolve.
  • Total cost of ownership. Evaluating implementation, maintenance and future upgrade costs is a must to ensure the chosen tool remains financially viable and aligned with the organization's budget.

Here, listed in alphabetical order, are 16 prominent ERM software vendors and information on the tools they offer. Informa TechTarget editors compiled the list based on market reports and vendor rankings from Chartis Research, Forrester Research and Gartner, plus additional online research.

1. Archer

Founded in 2001 and owned by private equity firm Cinven since 2023, Archer has developed a full set of capabilities for enterprise, operational, IT, security and third-party risk management as well as regulatory compliance; management of environmental, social and governance (ESG) programs; and other risk-related functions. Its integrated risk management (IRM) platform supports common taxonomies, policies and metrics for managing all of an organization's risk data.

In February 2025, the company introduced Archer Evolv, a new SaaS version of the platform that includes integrated AI capabilities and a redesigned UX. A compliance management implementation is initially available, while an Archer Evolv for Risk implementation is due to be released later in the year. The platform also includes Archer Engage, a risk reporting and data collection application for both business users and risk management teams; a separate version of the Engage software for third-party vendors; Archer Insight, a risk quantification tool; and an AI governance module announced in 2024.

The Archer platform provides the following features as well:

  • The Archer Exchange, a marketplace for prebuilt applications, data integrations, administration tools and configuration accelerators from the company and business partners.
  • Resilience management tools for crisis and business continuity planning, with support for rules and guidance from regulators in the U.S., the U.K., Europe and Australia.
  • Document governance capabilities added through the acquisition of software startup Atlas in 2023.

2. AuditBoard

AuditBoard was founded in 2014 by two former auditors at accounting and professional services firms PwC and EY. Initially, its core focus was on streamlining audit and compliance processes for companies required to meet complex regulations, such as the Sarbanes-Oxley Act. In recent years, though, the company has gradually expanded its cloud-based platform into other aspects of risk management.

In 2023, for example, it released AuditBoard ITRM for IT risk management, with a focus on IT security risks and support for collaboration between security teams, risk managers and business users. ESG program management software was added in 2022. AuditBoard, which was acquired by equity firm Hg in 2024, also offers a separate product for risk and compliance management across various IT frameworks plus ERM and third-party risk management modules. All those products are combined in an integrated platform with a unified UI. A set of AI tools with generative AI (GenAI), machine learning and workflow automation capabilities became available in 2024.

Additional AuditBoard capabilities include the following:

  • A SOXHub tool for managing and reporting on compliance with Sarbanes-Oxley and other internal controls.
  • OpsAudit, audit management software that supports real-time risk assessments and prioritization of audits based on business risks.
  • An automated evidence collection feature that can pull compliance data from source systems without coding or manual collection processes.

3. Camms

Founded in 1996, Camms was acquired by fellow ERM vendor Riskonnect in June 2024 but remains a separate entity that still offers its own product line -- at least for now. Camms is based in Australia and also has a strong presence in the U.K. and Asia, with operations in the U.S. too. It emphasizes its governance, risk and compliance (GRC) capabilities but also offers a variety of related applications and tools in a single cloud-based platform. Camms touts its software's ease of use and accessibility and highlights its partnerships with various information providers, consultancies and professional services firms.

The core GRC tool supports management of operational, cybersecurity and third-party risks as well as regulatory compliance, audits, ESG programs and other functions. Other available technologies include a strategic planning and execution tool, a project and portfolio management application, a module for securely managing virtual meetings and a library of APIs for integrating the Camms software with other IT systems.

The following features are also built into the Camms platform:

  • The ability to create registers to capture and report on risk data, with integrated workflows for automating management of them.
  • A workplace health and safety module to manage potential hazards, report on incidents and track actions to address problems.
  • Dashboard development and self-service reporting tools for distributing relevant data to business executives.

4. Diligent

Founded in 2001, Diligent was best known as a vendor of software for managing and governing boards of directors when it acquired SaaS GRC vendor Galvanize in 2021. It also bought Steele Compliance Solutions, a maker of ethics and compliance software, and ESG reporting tools vendor Accuvio that year. The combined company offers a GRC platform that supports enterprise, IT and third-party risk management as well as audits, internal controls and regulatory compliance.

Diligent One Platform, the core GRC software, provides advanced analytics and workflow automation to automatically identify risks and surface them to risk managers or the board of directors. Formerly named HighBond, the platform also includes prebuilt dashboards and reports for distributing information about business risks to the board. In addition, Diligent has an extensive library of integrations with enterprise applications, databases and third-party data providers.

Other notable features in the Diligent platform include the following:

  • AI tools to automate GRC workflows, risk analytics, ESG and risk management benchmarking, preparations for board meetings and other risk-related functions.
  • An automated monitoring and search tool to help identify reputational, financial and crime-related risks in real time.
  • A due diligence module for investigating and evaluating potential risks in business transactions worldwide.

5. IBM

IBM OpenPages is an AI-driven GRC platform that supports risk management, regulatory compliance and data governance programs. It was first developed in the mid-1990s as an enterprise content management system for publishers by American Computer Innovators, which renamed itself OpenPages in 2000 and refocused on GRC. IBM acquired OpenPages in 2010 to expand its business analytics offerings into compliance and risk management processes. In 2020, the software was integrated into IBM Cloud Pak for Data, a set of cloud-based tools for organizing, managing and analyzing data.

OpenPages is designed to help organizations centralize siloed risk management initiatives. It includes a stack of GRC and ERM tools for managing operational, third-party and ESG risks; IT governance; data privacy; financial controls; audits; compliance; and more. The platform supports integration of GRC processes with third-party applications via IBM App Connect or REST APIs. In addition, IBM's Cognos Analytics software can be used for self-service data exploration and analytics in OpenPages systems.

OpenPages also includes the following features and capabilities:

  • Deployment on a company's private cloud or any of the major cloud platforms, with a SaaS version also available in the AWS cloud.
  • An embedded GRC Workflow feature with drag-and-drop functionality that can be used to create new risk management workflows or modify existing ones.
  • Integration with IBM's Watson AI tools to support a GRC virtual assistant and connections to AI models.

6. LogicGate

LogicGate offers a GRC platform that seeks to enable risk management teams to present information about different business risks to the board of directors in a comparable form so investments in IT systems, people and risk mitigation processes can be prioritized. To that end, LogicGate's Risk Cloud platform helps quantify the financial impact of risks through a combination of traditional techniques, Monte Carlo simulations and support for the Open FAIR risk analysis standards.

Risk Cloud is a no-code platform that lets business leaders customize prebuilt workflows to identify, evaluate and mitigate risks. It includes 11 modules for ERM, cyber-risk management, third-party risk management, regulatory compliance, operational resiliency, ESG program management, AI governance and other functions. LogicGate, which was founded in 2015, also provides reporting and analytics features that include prebuilt reports and dashboards, real-time reporting and integrations with external BI tools.

In addition, the Risk Cloud platform includes these features:

  • Support for mapping internal controls against more than 20 cybersecurity and privacy frameworks, with automated calculations of residual risk.
  • An OpenAI integration that makes it easier to use GenAI models as part of policy generation, procedure management and other GRC processes.
  • Additional integrations with collaboration tools and document repositories, plus a set of prebuilt connectors and a RESTful API for creating custom ones.

7. LogicManager

LogicManager combines enterprise risk management software with an associated consulting operation that pairs customers with advisory analysts and provides personalized training and guidance on risk management best practices, augmented by a GenAI tool that automates tasks and offers around-the-clock product support. Founded in 2005, the company centralizes risk management functions in a single platform that automates processes for identifying, mitigating and reporting on risks across operational silos in organizations.

In addition to ERM, the cloud-based LogicManager platform supports IT and cybersecurity risk assessments, third-party risk management, regulatory compliance efforts, business continuity management, internal auditing, financial controls and more. The platform can be customized for different industry needs and comes with all-inclusive pricing for consulting and implementation services, integrations, training and unlimited user licenses. An integration hub lets users connect to more than 500 external applications through a no-code, template-based approach.

Additional LogicManager features include the following:

  • AI, machine learning and automation tools that include a document risk analyzer, an automapper that maps existing controls to new risks and automated risk assurance calculations.
  • An operational risk taxonomy that provides a full view of risks enterprise-wide and can help identify duplicate controls and overlaps in risk mitigation work.
  • A tool that helps users uncover information about organizational interdependencies involving vendors, resources, processes and controls to inform risk-based business decisions.

8. MetricStream

MetricStream has built its software strategy around AI-powered risk management and "connected GRC" capabilities that support an integrated and collaborative approach to managing risks. Founded in 1999, the company provides tools for use in risk, compliance, audit and ESG management processes. That includes its underlying MetricStream Platform and various product modules to help manage enterprise, operational, IT, cybersecurity and third-party risks as well as business continuity, regulatory changes, internal audits, organizational policies and more.

Announced in 2023, MetricStream's AI software uses large language models, generative AI capabilities and knowledge graphs based on GRC ontologies to augment decision-making and prioritization of work in GRC programs. For example, it can identify missing or duplicate controls in business units, map relationships between risks and controls, streamline issue management and gather risk-related information in response to prompts from risk managers or other end users.

Other MetricStream capabilities include the following:

  • A federated data model with predefined relationships between risks, regulations, controls, organizational entities and other elements of GRC programs.
  • Built-in dashboards and reports plus API-based integration with external BI tools for risk analysis and real-time insights.
  • A set of out-of-the-box connectors and more than 200 built-in APIs that can be used to create REST or Kafka-based connectors.

9. Navex

Navex offers a GRC platform that includes ethics and employee compliance management, integrated risk management and third-party risk management software modules, plus reporting and benchmarking tools. The IRM software supports management of IT and operational risks, internal policies and controls, and compliance with data privacy regulations. Navex also provides capabilities to develop ethical standards that can be measured and enforced across various business processes, with customized tools and workflows for organizations in the healthcare, financial services, manufacturing, energy, insurance and life sciences industries.

Founded in 2012, the company initially focused on ethics and compliance tools but broadened its product offering in recent years. Many of the components of its Navex One platform, which was launched in 2020, were stitched together from acquisitions. For example, Navex IRM resulted from the acquisition of risk management vendor Lockpath in 2019.

Other notable features of the Navex platform include the following:

  • An AI-powered Compliance Assistant that can answer questions from employees about company policies and procedures in natural language.
  • Preconfigured Navex IRM Out-of-the-Box offerings designed to speed up deployments of IT and third-party risk management capabilities.
  • A Navex One technology bundle for SMBs.

10. OneTrust

OneTrust's namesake cloud-based platform includes a set of tools for managing business risks and compliance programs as part of a broader product portfolio that also encompasses data privacy, data governance and related initiatives. Separate tools support management of technology and third-party risks, as well as internal compliance audits. Features include automated third-party risk assessments; risk data and external risk ratings on vendors; centralized management of cybersecurity incidents; and automated certification of compliance with security standards.

The IT risk management tool also enables users to track both qualitative and quantitative metrics to inform decisions on risk mitigation priorities and plans. The compliance automation software is integrated with more than 50 compliance frameworks, standards and regulations, while the third-party offering includes a due diligence tool that helps screen and monitor external organizations for various risks.

The following are some additional features provided by OneTrust, which was founded in 2016:

  • Natural language processing capabilities that automate vendor onboarding and risk disclosure workflows.
  • AI governance tools to help inventory, assess and monitor various risks associated with AI use.
  • AI-driven document classification to help classify unstructured data more accurately and automatically apply relevant data governance and protection policies.

11. Riskonnect

As its name indicates, Riskonnect provides integrated risk management software for managing risks in an interconnected way, both within an organization and across third parties. Its namesake cloud-based IRM platform includes various tools to help manage insurance, ESG, healthcare, GRC and business continuity risks. The company also offers a software module that risk managers can use to visualize risks, analyze their potential business impact, identify trends and prioritize risk mitigation work.

Founded in 2007, Riskonnect acquired several smaller companies in recent years to expand its product line, in addition to buying Camms in 2024. Its ESG module is tightly integrated with Salesforce's Net Zero Cloud, enabling users to combine ESG, governance, risk and compliance data from the Riskonnect platform into the Salesforce sustainability management software. Riskonnect also provides a set of APIs for creating custom integrations with Salesforce and other external applications, with support for both REST and the Simple Object Access Protocol.

In addition, the Riskonnect platform includes these features:

  • Risk analytics software with a set of built-in interactive dashboards supporting various data visualization techniques and industry-specific analyses.
  • Implementation, data transformation and regulatory compliance services, plus consulting and managed services on business continuity.
  • A risk register for tracking risks, plus tools for doing bowtie cause-and-effect analysis and analyzing risk management schedules and costs.

12. SAI360

SAI360 offers a cloud-based platform that combines software for managing GRC initiatives and ethics and compliance training programs. The company was founded as SAI Global in 2003, initially to publish and sell the various standards developed by Standards Australia. It later refocused on risk management and related practices, a strategic shift aided by several acquisitions -- most notably, the purchase of GRC vendor BWise from Nasdaq in 2019. The company rebranded its platform as SAI360 in 2018 and changed its own name to SAI360 in 2021. It also added environment, health, safety and sustainability tools, which were spun off into a separate company named Evotix in October 2024.

SAI360's GRC software supports functions that include risk, audit, compliance and business continuity management, as well as internal controls and automated reporting on conflicts of interest among employees. The ethics and compliance training product provides a suite of tools and resources to promote risk awareness and corporate ethics across organizations, with a goal of incorporating consideration of potential ethics and compliance issues into business decision-making processes.

Additional capabilities built into the SAI360 platform include the following:

  • FastStart, an implementation program that provides preconfigured templates, upfront cost information and a rapid deployment methodology.
  • A variety of preconfigured dashboards for visualizing and analyzing data.
  • Access to more than 300,000 AI models for use in risk management and analysis tasks.

13. ServiceNow

Founded in 2003, ServiceNow was a pioneer in cloud-based IT service management capabilities. It has since extended its product line across various other domains, including risk management for business, security and IT functions. Built on the company's Now Platform, ServiceNow Governance, Risk and Compliance supports enterprise, operational and third-party risk management. The software also offers capabilities for managing compliance, internal controls, privacy, operational resilience and business continuity.

The GRC module provides real-time visibility of compliance issues through dynamically updated dashboards as well as automated workflows and AI tools that are designed to increase risk management productivity. It supports ServiceNow's common data model and configuration management database to help avoid information silos. In addition, the software includes a set of prebuilt integrations with content consolidators, security score providers and business continuity vendors plus access to the company's Integration Hub for creating other integrations.

Other notable features in the ServiceNow GRC software include the following:

  • Tools to continuously monitor for IT risks and authorize deployments of new IT systems against the NIST Risk Management Framework.
  • A built-in risk assessment capability to help identify and mitigate various risks.
  • A Virtual Agent chatbot that answers questions and helps end users resolve issues, and other AI tools that can assign tasks and suggest risk remediation strategies.

14. SureCloud

SureCloud launched in 2006 with a product for penetration testing as a service, which included a process to help manage security and IT risks. Over time, the company extended the risk identification and mitigation tools across various types of risks and created an integrated suite of cloud-based GRC software. In 2023, it introduced a new platform named Aurora that focused on information security risk management, but it has now reverted to a broader GRC strategy and a namesake platform.

The SureCloud platform includes modules for managing enterprise, technology and third-party risks as well as compliance, audits, data privacy, security vulnerabilities, incidents and risk-related policies. It also provides real-time dashboards and reporting tools along with a UI that's designed to be easy enough for business executives to use. In addition to the GRC software, the platform includes a set of continuous control monitoring tools for testing internal controls and checking their compliance with various security, privacy and risk management frameworks.

The following features are also part of the SureCloud platform:

  • Customizable workflows and built-in alerting and notification capabilities.
  • Embedded functionality for managing GRC tasks.
  • Integration with a set of external task management, collaboration, document management, security, observability and HR tools.

15. Workiva

Workiva's cloud-native platform combines operational, IT and enterprise risk management; auditing; and other GRC workflows with financial reporting and ESG program management. The collection of GRC tools is designed to help organizations build risk-resilient operations and adapt internal processes and controls to address emerging risks. The software provides centralized collaboration capabilities; real-time views of risk management initiatives; and more than 3,000 templates for audits, risk assessments and other tasks.

Workiva was founded as WebFilings in 2008, offering tools to better control business data management and reporting processes. The company was renamed Workiva in 2014 and has expanded its product line through internal development and acquisitions. But transparent reporting capabilities are still at the heart of its strategy, with a focus on connecting different teams to needed data. For example, risk management teams can upload documents in their native format, and Workiva will automatically recommend risk remediations.

Additional features in the Workiva platform include the following:

  • Generative AI capabilities that can streamline reporting workflows by creating draft documents and rewriting or summarizing information written by teams.
  • An online marketplace that lists Workiva's prebuilt templates plus more than 70 connectors to other applications and 60 external consulting services.
  • Drag-and-drop data transformation and preparation tools plus data lineage documentation that provides a full audit trail on changes to data sets.

16. ZenGRC

ZenGRC specializes in IT and cybersecurity risk management, offering software primarily designed for use by chief information security officers and information security teams. Founded in 2009 under the name Reciprocity, it initially sold a ZenGRC platform that automated compliance audits. In 2022, the company introduced the ROAR Platform -- short for Risk Observation, Assessment and Remediation -- as its new lead product, with broader risk management capabilities. But in June 2024, it consolidated the product offering as ZenGRC -- and, having changed its own name to RiskOptics the year before, it adopted ZenGRC as the company name too.

The ZenGRC platform includes tools to help assess potential third-party risk exposure from data breaches and other issues at vendors, suppliers and partners, as well as real-time risk scoring, reporting and compliance monitoring capabilities. It also continues to support compliance audits and assessments, and an add-on Trust Center portal provides a centralized location for sharing security and compliance documentation with customers and other stakeholders.

ZenGRC also offers the following features as part of its platform:

  • A library of more than 30 compliance frameworks and standards, with tools to map internal controls to them.
  • Built-in integrations with cloud and SaaS offerings from AWS, Azure, Microsoft, ServiceNow, Jira, Google Cloud, GitHub and other vendors.
  • The ZenGRC Community, a self-service support, training and information-sharing hub.

Challenges in adopting risk management tools

When considering enterprise risk management systems, GRC software and other tools, organizations should also be aware of the challenges that can arise in deploying and using them. For example, integrating new risk management tools into existing workflows requires upfront planning to ensure it goes smoothly. But doing so is an important step to take.

"Often, process-specific tools such as risk management are seen in isolation, with standalone implementation," said Rajesh Kumar R., CIO at technology consulting services firm LTIMindtree. Instead, he advocated looking at ERM and GRC tools as an integral component of the enterprise software ecosystem and weaving them into core business workflows.

Kumar said another challenge is that these tools might not be integrated into identity and access management systems. The implementation of an ERM system should adhere to an organization's standard user authentication approaches so access control and platform security can be centrally managed at an enterprise level, he advised.

Risk management tools can also introduce new privacy and data security challenges. Risk management and security teams need to ensure that risk data is well protected against potential breaches.

The cultural shift required to adopt ERM tools should be considered too. Nucleus Research's Brennan said resistance to change, employee hesitancy about new technology and inadequate alignment with business objectives can impede adoption by end users. He recommended being open and transparent about a new GRC or ERM program so employees understand why effective risk management is important and how the chosen software can help streamline the process. "Cultivating a culture of proactive risk awareness ensures a smooth transition and sustained tool adoption," he said.

Editor's note: Informa TechTarget editors updated this article in March 2025 for timeliness and to add new information.

George Lawton is a journalist based in London. Over the last 30 years he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.
