
How to evaluate, select and implement enterprise GRC software

There are a variety of GRC software options on the market. Learn about some of the available product options and how best to compare and implement GRC tools.

In a post-GDPR world, it is more critical than ever for businesses to prepare for a governance, risk and compliance program. One strategy to consider is deploying specialized software to help manage GRC activities and provide actionable information to optimize them.

In this article, get tips for planning, evaluating, selecting and deploying a GRC system, and examine a few available software options.

Set the stage for GRC success

For both established and new GRC programs, a system designed to support GRC functions can be a strategic investment. Look for systems that can capture and analyze a broad range of controls and metrics, which can then be displayed on easy-to-understand dashboards. Report generation may also be important, especially when presenting findings and recommended activities to senior management.

As with any major activity, GRC programs must be supported by senior management and sufficiently funded. Staffing is the next important element, followed by identifying a suitable framework for the program. Also, ensure resources are available to support GRC system implementation. Whether the new system is cloud-based and remotely managed or implemented on-site, make sure it can be supported by IT.

Identifying and selecting candidates

Once the above elements have been established, begin evaluating and selecting potential GRC software candidates. Products are available for on-site or hosted deployments. There is a broad range of pricing, depending on features and system requirements, such as data storage, disaster recovery (DR), server availability and network bandwidth. It may make sense to launch a new GRC initiative with a modest investment in a GRC package, whereas an established program may need a more mature feature set. Note that GRC software with extensive features will translate into a larger investment.


Information on GRC software is readily available from multiple resources. Gartner clients should check to see if Gartner has a report examining GRC tools and services. Alternatively, researching the options is easily done using any available search engine. Use the baseline criteria in our downloadable GRC product comparison checklist to prepare a side-by-side comparison of prospective systems.

Pre-launch activities

Once an organization has analyzed its options and selected GRC software, it should coordinate with the vendor's technical team. This will involve scheduling preinstallation, cutover and post-installation activities. A list of pre-launch activities includes the following:

  1. Consider using the software development lifecycle model for planning and installation activities.
  2. Establish an internal planning and installation team.
  3. Determine how the new system will be configured at launch.
  4. Set up a project plan coordinated with the vendor.
  5. Coordinate system administrator and user training activities with the vendor.
  6. Ensure all ancillary assets -- servers, storage, power supplies and data backup -- are configured and in place.
  7. Ensure all existing GRC-related files are in place and in the proper data format for use in the system.
  8. Coordinate with the change management team.
  9. Coordinate with the infosec team.
  10. Ensure that documentation is available for both hosted and on-site installations.
  11. Coordinate with the database administration team.
  12. Ensure space is available for any on-site hardware.
  13. Review network connectivity -- e.g., internet bandwidth -- for hosted systems.
  14. Schedule periodic pre-launch meetings with internal teams and vendors.
  15. Brief management on the system's progress and status.

Post-launch activities

Put a cutover plan in place and coordinate it with the GRC software vendor and network service provider to ensure a smooth system launch. Once the cutover has occurred, follow these steps:

  1. Complete system acceptance testing prior to going into production.
  2. Coordinate system changes and modifications that are needed based on cutover and system acceptance testing results.
  3. Coordinate data backup and DR activities with the vendor.
  4. Coordinate security activities with the vendor and the infosec team.
  5. Schedule and complete training activities.
  6. Send out notifications to all employees on the new system.
  7. Distribute documentation -- electronic and hard copy -- to system administrators and users.
  8. Complete a post-installation review, and provide results to senior management.
  9. Establish a maintenance schedule with the change management and help desk teams.
  10. Advise internal audit upon system completion and placement into service.

Once the GRC software has gone into production, conduct periodic reviews with users -- either daily or weekly -- to identify any issues for remediation. Provide regular feedback to the vendor on system progress and problems. If performance metrics, such as key performance indicators, have been established, schedule periodic reviews with the system administrators to ensure compliance with the metrics.

GRC software options

There are a variety of GRC software offerings on the market for organizations to consider. Get to know a few of the available product options:

  • IBM OpenPages GRC Platform is a suite of applications that supports enterprise risk management activities. The platform includes modules in financial controls management, operational risk management, policy and compliance management, IT governance and internal audit management. On-site and cloud options are supported.
  • MetricStream Enterprise GRC Solution provides a single platform that incorporates relevant GRC activities into a unified system. Modules include enterprise risk management, operational risk management, internal audit management, Sarbanes-Oxley Act compliance management, compliance management, and policy and document management. On-site and cloud options are supported.
  • HighBond by Galvanize, part of ACL Services Ltd., provides a modular suite of applications addressing GRC and other related activities. Its ITGRCBond module addresses IT risk and compliance management; additional modules include RiskBond for risk management, ComplianceBond for compliance management and ControlsBond for internal controls management. On-site and cloud deployments are supported.
  • Saviynt's Identity Governance and Administration 2.0 advanced risk analytics platform integrates a variety of technology and application platforms for an optimized GRC system. On-site and cloud software are supported.
  • Donesafe uses its cloud technology platform, in addition to 30 different applications, to tailor a custom GRC system.

Planning for and deploying GRC software is no different than implementing any other IT installation. Many options are available with a broad range of pricing, which can make for a challenging evaluation process. Use the above tips and downloadable GRC product comparison checklist to make a prudent choice. The right GRC software will be consistent with business requirements, provide the desired results and perform according to the customer's outlined expectations.
