How to go about choosing your GRC solution

August 19, 2019

With more and more organisations turning to GRC solutions or GRC tools to ensure the business stays compliant, is well-governed and manages risk effectively, it is clear that the GRC industry is established and here to stay.

There are many GRC software vendors offering an array of GRC software solutions, enough to meet a variety of different requirements in different industries. But working out exactly which GRC software vendor to work with is a challenge and poses many questions for the organisation that is looking.

Should it be hosted on your own infrastructure or in the cloud? How customisable is the GRC software and can it be configured to your own specific needs? What training is required? That’s just the tip of the iceberg, and this blog post aims to provide guidance should you be looking to implement a GRC solution in 2019.

Getting started – the first steps when looking for a GRC solution

The first step in choosing a GRC solution for your organisation is to undertake a number of audits. This should include looking at the tools you are currently using to manage Governance, Risk and Compliance (GRC). Some businesses still use Microsoft Excel as their IT GRC tool, which is not really fit for purpose, whereas others may have a legacy GRC solution in place that has become outdated.

Next you need to get a feel for what your precise GRC requirements are. What do you need to achieve and what are your overall objectives? Then it’s time to evaluate what your market options are. What is your budget for a GRC solution, not just initially, but how much do you want to pay, or can you afford to pay, for it on an ongoing basis?

When you have a shortlist of possible GRC software vendors that meet your topline criteria, then it’s time to get answers to the following questions:

Will it integrate with the business?

A GRC tool is not really a techie product to be deployed by technical staff. It’s very much a business tool, to be used on a regular basis by the compliance and risk teams. Any GRC solution therefore must be able to integrate completely with current systems and be very user-friendly.

It also needs to be scalable. As an organisation grows, so do the regulatory requirements, so it’s imperative to find a GRC solution that can grow with you and to which you can add users in an instant. Also, new regulation comes into existence constantly, so your GRC tool needs to be able to manage new compliance requirements as well as existing ones.

Is it hosted on-premise or in the cloud?

Some organisations retain a little anxiety about hosting and would prefer their GRC solution to be hosted on their own infrastructure. To an extent this is understandable – the data and content around compliance and risk is often highly confidential – although it’s also true that there is nothing less secure about using a solution hosted in the cloud.

So the GRC software vendor must be able to provide its GRC tool in either way, and if you choose to host via the cloud then ensure that the GRC vendor has full accreditation for its data centres.

Is full training provided?

While it’s important for any GRC solution to be easy to use, there are occasions when some training will be required on how best to get the most from your new GRC software. This will be provided as a matter of course by larger GRC software vendors, but some smaller providers might be less strong in this area. Always check that the required training is available to you.

What partnerships does the GRC software vendor have?

The most effective way of approaching GRC is via a digital and continuous method. This ensures that nothing gets missed and gives 100% peace of mind that an organisation will remain compliant and manage and mitigate any risk effectively.

But this approach relies on the GRC software vendor having the right consultancy partnerships, to advise on regulation and what is required. A poor partner can minimise the value of even the best GRC tool, so it’s an essential question. At Oxial we work with partners such as EY, BDO and Grant Thornton, so it’s an area in which we are especially strong.

Is the GRC tool customisable?

Out-of-the-box GRC tools are very useful, especially for small to medium-sized firms. They can be up and running very quickly and are typically a much easier roll-out and implementation than bigger GRC solutions. But every organisation has its own specific needs, so it is important for any GRC tool to be fully customisable. That’s in terms of that organisation’s branding, but also in terms of the specific functionality required and integration with other tools in the business.

Choosing a GRC solution can be challenging, but looking at the above questions should give you some good pointers.

Oxial’s sGRC solution is one that has been lauded by analysts and is used by customers all over the world. For further details of how it could help you with your GRC requirements, get in touch with us here.