For Security & Risk Professionals
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook
by Nick Hayes
November 6, 2015
Why Read This Report
Before you can build a GRC program capable
of addressing today’s top business threats, you
first need to obtain the necessary budget and
leadership support to turn your GRC vision into
reality. This report focuses on just that — how
you can build an effective business case for GRC,
detailing the essential elements of cost, benefit,
risk, and flexibility to accurately estimate GRC’s
ROI. In addition, we include ways to bolster the
numbers by positioning your GRC program as a
method for improving the business through better
governance, ethical behavior, and performance.
Forrester reviews and updates this document
periodically for continued relevance and accuracy.
forrester.com
Key Takeaways
GRC’s Value Prop Is Clear, But That Doesn’t
Mean You’ll Get The Support You Deserve
Risk management may be a more frequent topic
among top leadership and board members,
but they still won’t allocate precious corporate
resources away from other priorities unless the
business case is clear and articulated effectively.
Position GRC Value In Terms Of Efficiency,
Risk Reduction, And Strategic Performance
The business benefits of GRC programs fall into
three main categories: 1) improved efficiency; 2)
risk reduction; and 3) strategic decision-making
and performance. To reach the second and third
categories, you need more mature programs and
better technology integration.
Critical Factors In Achieving GRC ROI Are
Flexibility And Broad Participation
GRC programs can’t function without participation
from across the organization and the flexibility
to adapt to changing organizational and market
environments. Without both of these elements, the
chances are high that your program will falter and
negate any expected return on your investment.
For Security & Risk Professionals

Build The Business Case For GRC

Business Case: The Governance, Risk, And Compliance Playbook

by Nick Hayes
with Christopher McClean, Claire O’Malley, and Peggy Dostie
November 6, 2015

Table Of Contents Notes & Resources

2 The ROI For GRC Is There, But Can You Get Forrester interviewed vendor and end user
The Support You Need? companies and incorporated insight gained from
briefings, client inquiries, and various interactions.
2 Build The Business Case With ROI Figures
And Effective Persuasion
Related Research Documents
Provide Accurate Cost Estimates Upfront To
Build Trust And Demonstrate Competence Assess Your GRC Program With Forrester’s GRC
Maturity Model
Articulate The Benefits Of GRC, Highlighting
Three Categories Of Business Value Benchmark The Performance Of Your GRC
Program
Technical Maturity Drives Better Business
Outcomes Choose The Right Technologies To Support Your
GRC Program
Account For The Risks Of The GRC Program
Itself To Set Appropriate Expectations Maximize Business Performance With A World-
Class GRC Program
Recommendations
7 Stay Focused On GRC Vision And Corporate
Performance

9 Supplemental Material

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA

+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
© 2015 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®,
Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester
Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or
distributing is a violation of copyright law. Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

The ROI For GRC Is There, But Can You Get The Support You Need?
Is return on investment (ROI) for GRC the wrong message? If our ultimate collective goal is to develop
organizations that are high-performing, well-governed, and well-controlled, then the answer in most
cases is yes. Seen through a different lens, though, building an effective business case is a necessary
business practice that can actually lead to clearer strategies and more-advanced GRC programs.

If you’re lucky enough to have board and executive support for GRC initiatives, it’s because they
believe that such efforts are critical to business success. But for the rest of you, GRC is more likely to
start with a grass-roots campaign based on your business pitch that allocating resources to GRC (and
away from other revenue-generating functions) is more than a necessary evil, but an endeavor that
improves strategic decisions and bolsters corporate resilience. This is a land war not easily won, and
every attempt to gain ground is a heavily contested battle.

Build The Business Case With ROI Figures And Effective Persuasion
The following approach for building a strong GRC business case incorporates the key elements of
Forrester’s TEI methodology and applies effective advocacy tactics to help you position the value of
GRC beyond the numbers. This two-pronged strategy aims to help you gain the resources and support
from leadership your GRC program needs and deserves.

Provide Accurate Cost Estimates Upfront To Build Trust And Demonstrate Competence

It may seem counterintuitive to start by laying out the costs, but it’s a proven negotiation tactic, known
in psychology as the “door-in-the-face” technique.1 As the term implies, this is a shock and awe
method whereby you lay out all of the large (but necessary) costs required for your GRC program first.
By getting the costs out of the way, this leaves you with the remainder of the time to demonstrate
why the program is worth the investment and the business outcomes that will result. To estimate an
appropriate GRC budget, you will need to factor in the costs for:

›› Subscription-based GRC platforms. The de facto licensing model for GRC platforms today is an
annual subscription delivery model, most frequently as SaaS or hosted platforms.2 The average
customer deal size for GRC platforms is between $200,000 and $300,000, including software, data
storage, and ongoing support fees, in addition to one-time implementation fees for services like
data migration, configuration, and integration to other systems.3 For the largest instances, annual
costs can rise well above that range. Subscription-based pricing models are primarily based on
the scope of functionality along with number of users, commonly split into two main groups: 1)
infrequent users and 2) power users and administrators.4

›› On-premises GRC platform implementations. For on-premises GRC implementations,

customers will typically pay an upfront, one-time fee for a perpetual license of the software and
associated hardware costs.5 Depending on the contract terms, on-premises deal sizes average

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 2
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

about three times what you might pay for a SaaS or hosted version of the same product, in addition
to implementation fees, plus annual maintenance and support.6

Complicated technical integration requirements of many on-premises deals will drive up

implementation costs even more, with some customers at the high end reporting these costs at
50% of the total initial price.7

›› Other risk management technology and services. In addition to GRC platforms, Forrester
identified 12 other relevant risk technology and service categories that support GRC functions.
GRC platforms can offer some of the capabilities found in these other categories, such as audit
management, regulatory intelligence, and risk and compliance training, but you will likely have to
source from different vendors other valuable risk capabilities, such as workforce risk analytics,
digital risk monitoring, and brand protection solutions.8

›› Staffing. The scope and size of GRC teams vary widely today, but all GRC programs require
experienced risk, compliance, and audit personnel who can implement and manage risk
frameworks, maintain legal and regulatory obligations, and assure process consistency and validity.
The professional staffing firm Robert Half estimates that the average annual starting salary in
2015 for operational risk, compliance, and internal audit manager roles at large, financial services
firms ranges between $86,250 and $144,250.9 And this doesn’t include other benefits and cost
considerations associated with any new hire. Additionally, you also need to consider internal
technology support staff, especially for on-premises instances.10

›› Strategic consulting. Another cost associated with GRC initiatives is for strategic consulting
services, which are often necessary to define organizational roles and responsibilities, guide
process improvements, and identify elements of the business that GRC will support. GRC software
vendors often have consulting capabilities, while they may refer more complex client challenges
to consulting partners for these services. There’s a host of strategic consulting partners to choose
from, including the big four (Deloitte, EY, PwC, and KPMG), large system integrators, and smaller
specialty consulting firms.

›› Time requirements of other business stakeholders. Whether it’s risk assessments, policy
attestations, vendor reviews, or ethics and compliance training, your entire company will participate
in GRC-related activities in one form or another. Although this won’t be a direct cost you have to
pay, it can be a key metric to track to demonstrate process and other efficiency improvements
related to the time required from the rest of your organization.

Articulate The Benefits Of GRC, Highlighting Three Categories Of Business Value

Building the business case for GRC ideally starts at the highest levels of the organization, where
objectives like improved oversight, greater control, and long-term value creation and protection
are critical. However, many of you will have to start with more basic ROI arguments upfront and
demonstrate higher-level value over time. Beginning with the least complicated, demonstrate how
effective GRC leads to (see Figure 1):

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 3
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

›› Efficiency improvements. Most GRC customers will point to improved efficiency as their first —
and most easily recognized — benefit. Because GRC implementations are so different from one
organization to the next, this category may include many different elements. Some elements to
consider are related to faster and cheaper policy and control management, risk management, audit
management, compliance management, and action management.

›› Risk reduction. Demonstrating a reduction of risk helps to elevate the value proposition, but
like efficiency, it’s going to be very different for each organization. It’s important to note that this
benefit must focus on the risk reduction enabled by the management of risk and control efforts,
not enabled by the controls themselves. Benefits to consider for your GRC platform business case
include improved compliance (fewer audit findings, regulatory enforcement actions, and lawsuits),
more effective risk treatment (prioritized remediation and faster remediation), and more tolerable
risk posture (lower cost of capital and insurance premiums).

›› Better strategic decision-making and performance. The benefits in this category are the
most difficult to achieve and most difficult to demonstrate. Programs that can show strategic
benefits usually enjoy self-sustaining support from executives and a culture that encourages
active participation in compliance and risk management from employees across the organization.
Strategic benefits of GRC include greater oversight (fewer unexpected loss events, accurate view
of risk and compliance posture), more-informed decisions (related to development, procurement,
and investments), and better performance (more successful product launches, market expansions,
branch openings, technology implementations, or partner engagements).

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 4
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

FIGURE 1 Calculating The Benefits Of GRC

Category Examples Example calculations

Efficiency • Policy and control management (faster • Hours saved per function multiplied by
development, review, update, approval, the average rate for fully burdened risk,
distribution, access, and attestation) compliance, or audit professionals
• Risk management (faster risk identification, • Payroll savings from delay or
analysis, evaluation, and monitoring) avoidance of staff increases
• Audit management (improved scoping, • Reduction in costs of external audits
scheduling, data collection, and reporting) and assessments
• Compliance management (easier association
of controls, control assessments, assessment
data aggregation, and reporting)
• Action management (faster event
identification, notification, escalation,
remediation, review, and approval)

Risk reduction • Improved compliance (fewer audit findings, • Reduction in incident response costs
regulatory enforcement actions, and lawsuits) • Reduction in the number and size of
• Improved risk treatment (prioritized and fines and penalties
faster remediation) • Increase in risk exposure mitigated per
• Improved risk posture (lower cost of capital dollar/hour spent
and insurance premiums) • Reduction in cost of capital
• Reduction in insurance premiums

Strategic • Greater oversight (fewer unexpected loss • Reduction in costs required for
performance events, accurate view of risk and compliance unexpected, short-term injections of
posture) capital, staff, or other resources
• More-informed decisions (related to • Greater amount of relevant data to
development, procurement, and investments) support decision-making
• Better performance (more successful • Increase in financial or on-time
product launches, market expansions, performance (business units,
branch openings, technology partners, projects, etc.)
implementations, or partner engagements)

Technical Maturity Drives Better Business Outcomes

The level and type of value GRC demonstrates to the business is dependent on the degree of
technology integration and the maturity level of the GRC program (see Figure 2). For instance, if you
conduct manual assessments and manage numerous, disparate spreadsheets, it’s nearly impossible to
measure and track risk consistently across the organization, not to mention reaching the point where
risk data could be leveraged for strategic insights. As your GRC program and technology improve,
you enable more-advanced GRC capabilities and, ultimately, better performance and business value.
To determine where your program adds business value today and how you’d like to advance it in the
future, evaluate your organization’s GRC maturity using our self-assessment framework, the Forrester
GRC Maturity Model.11

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 5
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

FIGURE 2 Demonstrate Greater Business Value As Technical Capabilities Mature

GRC enablement Business value

Optimized
• Control enforcement
• GRC intelligence Strategic performance
• Risk optimization
Technology maturity
Embedded

• GRC coordination
• Risk measurement Risk reduction
• Interactive dashboards
Automated

• Policy & content mgmt

• Process modeling Efficiency gains
• Workforce and alerts
Facilitated

• Spreadsheet tracking
• Manual assessments Basic compliance
• Ad hoc reporting

Account For The Risks Of The GRC Program Itself To Set Appropriate Expectations

Many of the risks related to GRC programs are similar to those in other business and technology
management programs; however, GRC initiatives often involve top executives, a large number of
employees, and significant costs, all of which can multiply the impact of any risks that manifest. Just
as you do in every other facet of your job as a risk pro, make sure you account for the uncertain events
or circumstances that could interrupt your GRC success:

›› Inaccurate risk measurements can a create false sense of security or danger. Miscalculating
the likelihood or impact associated with any risk can lead to poor, and even detrimental, decisions
and resource allocations. For example, Jason Spaltro, the former CISO for Sony, had the right
idea by making “risk-based decisions” with respect to Sony’s data protection strategy; he just
measured risk entirely wrong.12 While Sony’s massive data breach is an extreme example of the

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 6
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

consequences, you should incorporate a margin of error in your own risk calculations and set
expectations that risk measurement is primarily for prioritizing remediation efforts; the numbers will
rarely be perfectly accurate.

›› Operational miscues can derail your forward momentum. Rolling out a new GRC program, or
advancing your current one, can mean significant operational changes; and as with anything else that
changes, it’s possible things will go wrong. Whether the setback leads to missed project milestones,
slow user adoption, or process or system glitches, take into account the possibility that something
will go wrong and plan contingencies accordingly. Especially when it comes to major GRC technology
implementations, assume there’s a good chance the project will take longer than expected, as was
the case for close to a third of GRC customers in our recent Forrester Wave evaluation.13

›› Ineffective controls and oversight can create blemishes on your program. Even when you
have mature, comprehensive governance and controls in place, they can only take you so far;
employees can circumvent policies, and new technologies can leave outdated controls ineffective.
As you continue to improve your GRC program, set expectations that you won’t catch everything,
and that, at least for the foreseeable future, you will likely always have audit findings, risk events,
control gaps, and vulnerabilities to address.

›› Vendor viability and other third-party risks can collapse your ecosystem. All companies you
do business with are susceptible to a range of unexpected events, such as an economic downturn
forcing the company into bankruptcy or a sudden acquisition by a company that decides to
sunset a product you use. Current market growth suggests that imminent chances of this are
remote for the GRC market segment. Nonetheless, it’s worthwhile to include in any business case
consideration for the vendor’s viability and what controls or assurances are in place to mitigate
these risks.

Recommendations

Stay Focused On GRC Vision And Corporate Performance

Winning the budget battle has its pros and cons: It means you have the resources needed to
implement your strategy, but you also have a brighter spotlight shining on you should you falter.
As much as possible, advocate for the strategic benefits that will encourage long-term interest and
ongoing support from your executives. Establish compliance obligations and basic improvements
in efficiency as a baseline, and aim for higher degrees of business value — first, risk reduction, then
strategic performance — over time. As you build your business case to reach the highest levels of
business value for your organization, try to:

›› Drive greater awareness and participation. A key indicator of an effective GRC program is
an active, engaged, and risk-aware workforce. Moreover, GRC programs can’t function without
participation from employees across the organization to conduct risk assessments, control tests,

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 7
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

policy attestations, and other critical functions. While awareness doesn’t equate to culture change
directly, it’s an important first step that often leads to more-efficient GRC processes, fewer issues
and accidents, and better performance (e.g., greater employee satisfaction and retention).14

›› Emphasize GRC and business flexibility. A key consideration when making any investment is the
degree of flexibility it provides to help take advantage of future opportunities. In the context of your
GRC program, determine how you could expand its scope to incorporate related risk functions
with similar requirements for documentation, workflow, assessments, and reporting (e.g., business
continuity, supplier and third-party risk management, etc.).15 With respect to your broader business,
consider how GRC methodologies and technology can improve the outcomes of other business
initiatives (e.g., how effective GRC support could enable smoother integration of new business
partners and recently acquired entities).

›› Equate efficiency gains to cost reduction and scope expansion. Some benefits that come with
a GRC technology implementation or process improvements lend themselves to cost reduction,
such as shorter compliance reporting time. However, you can show more strategic value by also
including elements of scope expansion, such as enabling auditors to cover a larger number of
processes and systems, or extending risk assessments to include a larger percentage of projects,
operations, or business partners.

›› Make projections at least three years out. Even simple GRC programs can take six months
before they start to show results, and it’s common for more-complicated programs in global
enterprises to take a year or more to get going. GRC platform implementations alone can take
a few months just to get all the data and processes into the live application. Although some of
the benefits discussed in this report will be seen almost immediately, many are based on audits,
assessments, and other functions that occur on a quarterly or annual cycle. Three years is likely the
shortest time frame you can use to accurately evaluate cost and benefit figures side by side.

›› Whether it’s GRC process or technology — apply a similar approach. The same principles you
use to build the business case for your GRC program are also directly applicable when you need
to advocate the business benefits of other relevant risk and compliance technologies and services.
Effective tools will help to advance the core objectives of your program across the same categories
mentioned above: efficiency, risk reduction, and strategic performance.

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 8
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

Engage With An Analyst

Gain greater confidence in your decisions by working with Forrester thought leaders to apply our
research to your specific business and technology initiatives.

Analyst Inquiry Analyst Advisory

Ask a question related to our research; a
Forrester analyst will help you put it into
practice and take the next step. Schedule
a 30-minute phone session with the analyst
or opt for a response via email.
Put research into practice with in-depth
analysis of your specific business and
technology challenges. Engagements
include custom advisory calls, strategy
days, workshops, speeches, and webinars.

Learn more about inquiry, including tips for Learn about interactive advisory sessions
getting the most out of your discussion. and how we can support your initiatives.

Supplemental Material

Survey Methodology

As part of our Forrester GRC Wave evaluation for “The Forrester Wave™: Governance, Risk, And
Compliance Platforms,” Forrester conducted an online survey of 50 governance, risk, and compliance
professionals in the spring and early summer of 2015. Approximately 74% of respondents were
governance, risk, and compliance professionals located in the United States. The remaining
participants were ethics and compliance professionals based in Africa, Asia Pacific, Europe, South
America, and the Middle East.

Endnotes
The door-in-the-face technique is a well-established persuasion tactic studied in psychology and various other
1

academic realms for the past 30 years. Source: Cialdini, R.B., et al., “Reciprocal concessions procedure for inducing
compliance: The door-in-the-face technique,” Journal of Personality and Social Psychology, February 1975 (http://
psycnet.apa.org/psycinfo/1975-11600-001).

According to participating GRC platform vendors in Forrester’s Risk Management TechRadar, two-thirds (66%) of
2

deals over the past 12 months were sold in SaaS, hosted, or managed service subscription delivery models. The
remaining one-third (34%) were delivered as on-premises implementations. For more information, read the upcoming
“TechRadar™: GRC, Q3 2015” Forrester report.

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 9
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook

Implementation fees are typically 20% to 30% of the initial deal size, which includes initial product training, basic system
3

configuration, user and process definitions, and data migration to upload existing risk and compliance information.
4
Many vendors will incorporate different or additional variables like organization size, data hosted, desired functionality,
GRC program scope (i.e., number of use cases or “modules” addressed), or regulatory content when calculating the
purchase price.

Compared with other on-premises deployments, GRC hardware costs are relatively low, usually requiring an
5

application server, web server, and database.

Implementation fees are typically 20% to 30% of the initial deal size, which includes initial product training, basic
6

system configuration, user and process definitions, and data migration to upload existing risk and compliance
information. In on-premises implementations, standard support packages for GRC platforms are generally about 20%
of the software license costs, with less variability between vendors than there is for other costs.
7
Hosted and SaaS options will reduce many of these costs, but they’re not completely free of service needs — hefty
configuration and data migration are essential elements of any GRC technology initiative.

To determine other risk offerings to leverage and their approximated cost, read the upcoming “TechRadar™: GRC, Q3
8

2015” Forrester report.

According to the professional staffing firm Robert Half, at large financial services firms the average annual starting
9

salary range for a compliance manager position is between $86,250 and $113,250; for an operational risk manager
position it’s between $91,500 and $116,500; and for an internal audit manager position it’s between $100,000 and
$144,250. The firm estimates the salary range for these positions has increased between 3.6% and 4.2% year-over-
year since at least 2013. Source: “The Salary Guide for Accounting and Finance,” Robert Half (http://www.roberthalf.
com/accountemps/the-salary-guide-for-accounting-and-finance).
10
Depending on the complexity of the program, plan for at least one full-time equivalent for roughly every 50 to 75 active
users for on-premises GRC platforms.
11
You can use Forrester’s self-assessment tool to evaluate the current and desired future state of your GRC program
across four main domains: oversight, technology, process, and people. To download our GRC self-assessment tool
today, see the “The Forrester GRC Maturity Model” Forrester report.
12
Spaltro’s evaluation of Sony’s risk posture was entirely inaccurate and led to the deprioritization of security as a key
initiative for the organization. Spaltro said that he “will not invest $10 million to avoid a possible $1 million loss.” If
Spaltro had properly measured and tracked risk, he would have understood and been able to communicate to the
executive team and board that security risks lead to much bigger corporate losses — including losses for Sony that
now may well exceed $100 million, not to mention reputational damage and other intangible factors. See the “Quick
Take: Sony Breach — A Sad Tale Of Epic Failure That Could Have Been Avoided” Forrester report.
13
Close to one-third (29%) of customer references surveyed as part of our Forrester GRC Wave evaluation indicated
that their adoption took longer than expected. For more information, read the upcoming “The Forrester Wave™:
Governance, Risk, And Compliance Platforms” Forrester report.
14
Policies are only as good as the behavior and intentions of the people required to follow them. Without a well-tuned
culture based on the right ethics and compliance values, employees will find loopholes and control gaps that expose
you to substantial risk, leading to scenarios where: Enormous financial losses, regulatory fines, and legal settlements
hit bottom lines; employees lose motivation and loyalty; and customers lose confidence in the brand. For more
information, see the “Cultivate Culture For Sustained GRC Performance” Forrester report.
15
For example, if your executives are having difficulty seeing why a GRC platform is worth the $300,000, show them how
the company could leverage the same system to address needs of another related program (e.g., business continuity
or internal audit) for their risk and compliance requirements for just an additional $50,000. Similar support may come
from operational risk, technology management, corporate compliance, supplier and vendor management, HR, and
other functions.

© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law. 10
Citations@forrester.com or +1 866-367-7378
We work with business and technology leaders to develop
customer-obsessed strategies that drive growth.
Products and Services
›› Core research and tools
›› Data and analytics
›› Peer collaboration
›› Analyst engagement
›› Consulting
›› Events

Forrester’s research and insights are tailored to your role and

critical business initiatives.
Roles We Serve
Marketing & Strategy Technology Management Technology Industry
Professionals Professionals Professionals
CMO CIO Analyst Relations
B2B Marketing Application Development
B2C Marketing & Delivery
Customer Experience Enterprise Architecture
Customer Insights Infrastructure & Operations
eBusiness & Channel ›› Security & Risk
Strategy Sourcing & Vendor
Management

Client support
For information on hard-copy or electronic reprints, please contact Client Support at
+1 866-367-7378, +1 617-613-5730, or clientsupport@forrester.com. We offer quantity
discounts and special pricing for academic and nonprofit institutions.

Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with
business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary
research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a
singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations.
For more information, visit forrester.com. 56677