You've spent months identifying exactly your organization's governance, risk and compliance obstacles, and have determined the qualities you're looking for in a GRC solution to meet those needs. Now comes the equally difficult part: reviewing your homework and making the final determination on which GRC tool works best for your organization.
"The key here is to understand what your governance program is trying to achieve and how a tool can support you in meeting the program objectives," said Steve Durbin, global vice president of the Information Security Forum. "You can then judge the tools against business-focused criteria and technical criteria, resulting in a better decision."
This balance between technical needs and business needs is vital when developing a relationship with a GRC vendor, experts say. Of course, the solution needs to help meet the organization's specific regulatory compliance and risk management needs. But it's also important to consider the organization's culture and who will be using the tool, said French Caldwell, a vice president and Gartner Fellow at Gartner Inc.
"Quite often these days, it's more and more coming down to the usability and the user experience," Caldwell said. "As the market matures and the vast majority of the vendors have the basic capabilities that it takes to be competitive, then it starts boiling down to the end user."
Clunky GRC systems with confusing workflows and systems that make it difficult to generate reports create headaches for the user -- and potentially increase risk in the process. "All of those things are impediments to the customer selecting a vendor," Caldwell said.
Companies should also consider how the GRC solution will be implemented and maintained, including its ability to integrate with enterprise software and consumer devices. With endless new compliance regulations in the pipeline for many industries, another important factor is how easily the tool can be updated.
When examining technical criteria for a GRC solution, upgrade paths and scalability should be examined as well, Durbin said.
"One important criterion is the deployment model. Will the tool be deployed and managed in-house or will it be provided as cloud SaaS [Software as a Service]?" Durbin said. "Cloud-based provision brings a number of advantages, but these need to be balanced against the risks associated with cloud use."
The benefits -- and risks -- of multiple GRC tools
GRC experts are quick to point out that typically, no single product will meet 100% of an organization's GRC needs. Many GRC platforms support a wide range of use cases, and some vendors are stronger in certain areas than in others. That may mean different departments end up implementing different GRC tools. If this happens, it's vital to take into account the overarching goals of the organization's GRC program, its objectives and how the tools will support these goals.
"If a modular product is to be purchased, risk can be mitigated by deploying one module, integrating it, capturing lessons learned and then applying those to the next module," Durbin said. "If this is not possible and tradeoffs have to be made, a pilot deployment may assist in determining how best to implement the tool and understand the impacts of those tradeoffs."
The lack of holistic solutions creates its own risks to consider, however. Scott Peeler, managing director at New York-based digital risk management and investigation firm Stroz Friedberg, notes that using multiple vendors with different products may not provide the complete GRC overlap the company is seeking.
"In the end, they buy solutions that they have to spend a lot of time managing," Peeler said. "The converse is they hold off making a decision, which leaves them additionally exposed."
Companies should consider the compliance areas that most often keep them up at night, and develop their top four or five compliance priorities. Companies can then further determine details such as deadlines and budget considerations, Peeler said.
"By teasing out the wish list for the next few years' budgets, they can steer toward a tool or tools that can help most," Peeler said.
It's important for organizations to address a few concerns up front, such as how the tools or tools specifically address and provide value to an overall compliance risk mitigation strategy, Peeler said. Another factor is how holistic each specific tool is -- in other words, where does the GRC value run out?
"I think, a lot of times, there's a reluctance [to buy tools from multiple vendors] because they think they are buying a partial solution," Peeler said. "They're putting a fence up on one side of their property but they are still leaving three sides open, and I think there is a great frustration with that."
Of course, it still comes back to selecting the vendor -- or vendors -- that are most relevant to your organization's needs. Caldwell said businesses should ultimately avoid choosing vendors based only on name recognition, and instead consider a smaller operation if it has experience in their specific industry, or is located in an area that makes sense geographically. For example, a midsize bank based in the Netherlands with minimal global reach would probably be best served by a local GRC vendor that would be most responsive to its needs, Caldwell said.
To further vet potential GRC-tool candidates, Caldwell recommends that organizations present a "script" for the vendor to follow during the selection process, rather than just request a demo.
"Instead of just giving the vendor carte blanche to just come in and do whatever they want, think about how you are going to be using these tools and write out the script telling the vendor exactly what you want to see," Caldwell said.
The script could outline specifics, such as "a day in the life" of auditors, compliance managers or anybody else who would be using the tool. Asking basic questions, such as exactly how employees will be using and interacting with the tool, is hugely beneficial when making a decision, Caldwell said.
"Script that out and have the vendor demo against that script," Caldwell said. "That would give you a much better idea on whether something is a truly going to be a capability that our people will use because we understand it, it makes sense, or whether it looks clumsy, difficult and challenging."