How to: Choose the right governance risk and compliance (GRC) software

13 November 2015 Karan Vidal

You’ve presented your business case and finally have the OK from leadership to implement a governance risk and compliance (GRC) program. Careful consideration needs to be given to choosing the right software. One false move can leave your business worse off and exposed to more risks.

Knowing what you’re trying to achieve with your governance will make selecting the right GRC software easier. Arm yourself with must-have features, so you can eliminate those that don’t make the grade.
Our guide will help you to opt for the best GRC software for your business.

Compliance priorities

Businesses have compliance regulations coming at them left, right and centre. It would be difficult to find GRC software that addresses all compliance needs. This is where you’ll need to prioritise which areas of compliance you want to focus on.

System requirements

The requirements of GRC software can be split into two areas:

  • Functional requirements are what the system will deliver to the users. An example is the reporting function.
  • Non functional requirements are what are needed to run the system. The I.T department has to make sure that appropriate supporting applications, such as security controls are in place.

Ultimately, your business has to decide whether the GRC software will be a good fit, in terms of the business and technical side. This analysis must be done with both current and future circumstances in mind.

At this stage, everyone who will be affected by the system needs to have their say about what they need. It’s unlikely that a single system will be able to deliver everything on the ‘wish-list’. However, getting everyone together will help to determine which functions are absolutely necessary.

Large organisations don’t need to limit themselves to one piece of GRC software. Different business units can use different GRC tools. Risks around different GRC software can be managed, by making sure they are integrated. Ensuring that the systems can ‘talk’ to each other, mean that it’s easier to review the overall state of governance and compliance across the organisation.

In-house or SaaS

Even though the trend for software is leaning towards Software as a Service (SaaS) models, there can be situations where it’s more suitable for a system to be managed in-house.

Answering the following questions will help you to decide which model is best for your business:

  • How easy is it for the software to accommodate your company’s growth?
  • Can the software be configured to deal with different users’ needs?
  • Is it able to keep up with changes in compliance regulation?
  • How expensive are the running costs?

Request for proposals (RFPs)

alt

To ensure that you have a fair assessment ‘across the board’ of vendors, you need to prepare an RFP. This will make it less complicated to compare answers to your questions.

The following should be included in you RFP:

  • Your company’s background.
  • The issues that you’re facing in relation to governance and compliance.
  • Your objectives.
  • What you need.
  • Your budget.
  • What a successful GRC software implementation will look like.
  • Expectations of service levels.

Choosing a vendor

The next step is to choose the provider of the software. Do your homework by:

  • Talking to your network.
  • Reviewing websites.
  • Attending trade conferences.

Before you send out request for proposals (RFPs), you should already have your needs prioritised. Vendors can be scored according to their ability to address your requirements.

To narrow down the vendors that can meet your needs, it’s advisable that you:

  • Provide a script with your ‘must-haves’. It’s then up to the vendor to demonstrate how they can provide these functionalities.
  • Ask for a meeting and a demonstration of the software.
  • Request case studies of how the software has solved problems for others.

After you’ve ‘pruned’ your list of potential vendors, go further by finding out about their:

  • Disaster recovery plans.
  • Security in relation to their data and premises.
  • Change process.
  • Support systems.
  • Financial health.

Businesses need to tread carefully when choosing GRC software. Going with the wrong system can make the compliance process even more burdensome. Try to negotiate a free trial with two or three vendors so your company can get a ‘feel’ for using the software. If the software isn’t the right fit for your business, at least you won’t have been tied into long and expensive contracts.