
Published on: Nov 8, 2016 | Updated: Jun 11, 2025

Six Features to Consider When Evaluating GRC Platforms

Governance, Risk, and Compliance (GRC) is increasingly becoming an integral part of most businesses, especially with mandates for risk analysis and the integration of information security into all aspects of business processes. Most organizations have regulatory, contractual or legal obligations, and complying with these may seem like a daunting task to manage, and it can be. However, this demand has brought some great GRC solutions to market.

Selecting the Right GRC Platform

Selecting the right GRC platform for your organization isn't as simple as finding out who scores best on the magic quadrant. There are many well-established players on the market, each with their strengths and weaknesses, but finding the perfect fit for your organization can be both time-consuming and expensive. Find out what is important to you, and what features you require to help make your GRC program a success.

Where to Begin: Laying the Groundwork

Before diving into the sea of GRC vendors, it's crucial to clarify your organization’s unique needs and objectives. Pin down your must-have features, budget limitations, and any compliance requirements your business faces—be it SOX, HIPAA, GDPR, or industry-specific standards. This will serve as your compass throughout the evaluation process. Consider launching with a modest package if you're new to GRC, or seek a more mature feature set if you have an established program.

GRC Tools and Vendor Assessment

GRC software comes in many flavors, from on-premise solutions to cloud-based platforms, and pricing can vary widely depending on deployment method, features, data storage, disaster recovery, service level agreements, and more. Conduct a thorough market scan—leverage analyst reports, independent reviews, and good old-fashioned web research. Prepare a side-by-side comparison checklist to evaluate each tool’s offerings against your baseline requirements. Don’t forget to look at contracts, warranties, and even reach out to existing customers for candid feedback.

Once you have a shortlist, dig into the details. Review documentation, evaluate training and support options, and consider the vendor’s track record for updates and security patches. During the testing phase, scrutinize how the platform handles your real data, and gather feedback from both technical and non-technical users.

Dashboards: Your GRC Program at a Glance

Dashboards are living, breathing ways to have a quick look at the overall view of your GRC program and its performance.

While a dashboard with lots of information seems like a great idea, it usually results in a poorly designed dashboard that, while visually stunning, provides little value to the user.

Dashboards should contain information relevant to the end user, and their role. The IT support staff responsible for performing testing of your organization's controls are not interested in the implementation status of unrelated HIPAA or FISMA programs.

Relevant Customizable Reporting

Reporting may be one of the most important aspects of your GRC platform and must have enough diversity and customization to allow for different audiences to be properly informed.

Individual reports should provide an executive view of key aspects of your GRC program. In this respect they are not entirely different from your dashboard: the key point is summarizing information that is clearly strategic and matters to upper management.

On the operational level, your teams may require information on each asset, process, or control managed within your GRC platform, such as a detailed report of risks per asset, risk treatment options and who owns each.

Make sure the vendor you're evaluating has a robust reporting solution, whether it is integrated into the platform or the vendor will work with you as the client to create reports that are valuable to you and your organization.

Cost

Let's not kid ourselves; cost is often a critical aspect when evaluating GRC platforms. Organizations might not be willing to spend a significant part of their budget on GRC. If you experience any pushback, try to identify the cost savings of using GRC software over managing your program with ad-hoc methods. You will often find that the effort your team puts into maintaining the GRC program by hand is costing the organization more than the expense of a suitable solution. Communicating this to executives typically ends up with a quickly signed purchase order.

There are also some instances where the investment may be mandatory. Understanding the strategy, culture, risk appetite and context of your business is the key to success. If your company must comply with a law like Sarbanes-Oxley, it stands to reason that a significant investment in GRC is required.

Licensing costs vary significantly, ranging from the typical one-time purchase plus annual maintenance for client-server applications to per-user-per-month pricing for SaaS web-based platforms. And of course, there are the large players on the market with substantial upfront setup costs, expensive implementation consultants, and then exorbitant monthly costs based on your organization's size.

SaaS or On-Premise? Deployment Considerations

Convenience, quick deployment, reduced costs and having your GRC platform available anywhere can make a SaaS solution very attractive for some companies. But is it the best option for your business? Possibly, but not always.

Understanding your information security requirements is a must. While you may not want to, or be able to, invest in the infrastructure and workforce to manage an on-premise solution, some companies will not be comfortable with the idea of storing critical information outside the local physical perimeter. Multinational businesses might even have legal limitations on where the information can be stored.

How much control do you want to have over your information? Do you have a local team with sufficient knowledge to install the GRC solution, keep it up and running at all required times, and even recover it during an incident or disaster? Will an NDA be enough to protect your information, or do you have to take further action to enhance protection and confidentiality?

These are the kinds of questions you want to answer before evaluating individual platforms.

Usability and User Experience

A sophisticated and effective GRC platform should offer you a simple, intuitive and easy-on-the-eyes interface. While this may not make your GRC program better, it will make you and your team more likely to embrace and use the application. You've heard the saying that you taste with your eyes; the same holds true for software and web applications. Nobody wants to eat an unattractive GRC tool. At StandardFusion we believe this wholeheartedly and typically spend weeks designing new features and functions before a single line of code is written. This ensures that each one aligns with our vision of a beautiful and intuitive GRC application.

Security

Most information handled during GRC management will include confidential or strategic data that requires an adequate level of protection. Information security is an essential function you should look for in a GRC platform.

It is important to understand that information should be available only to authorized users, and access should be granted on a need-to-know basis. A secure identity and access management system must be part of a mature GRC platform.

Ask your vendor about their processes for patch management and application vulnerability assessments. They should have no reason not to outline these processes to potential clients. If available, have a look at their ISO 27001 Statement of Applicability or their SOC 2 report.

The Vendor Selection and Implementation Journey

Once you’ve narrowed your list and identified your preferred platform, it’s time to get serious. Prepare a request for proposal or quotation and be sure to consider more than just price—installation, training, maintenance, service level agreements, testing, documentation, and ongoing technical support should all be weighed.

Work closely with your chosen vendor to:

  • Set up a project plan and coordinate deployment activities

  • Schedule and deliver training for admins and users

  • Gather and review all vendor-provided documentation

  • Assess your network capabilities and ensure requirements are met, especially for hosted solutions

  • Hold regular pre-launch meetings with internal and vendor teams

During the testing phase, dive deep: review documentation, evaluate the vendor’s support responsiveness, and clarify post-launch support procedures. Once the system goes live, hold regular check-ins with users to uncover any issues early, provide feedback to the vendor, and ensure the platform is delivering on expectations.

Selecting a GRC platform that is adequate, cost-effective and provides value to the business is no easy task, and there are many more factors to consider than those mentioned above. However, the points above are a good place to start. With careful planning, a structured evaluation, and clear communication with vendors, you’ll be well on your way to building a successful GRC program tailored to your organization’s needs.

What to Include in Your Request for Proposal or Quotation

Once you've narrowed down your options and are ready to get serious, preparing a thorough request for proposal (RFP) or request for quotation (RFQ) is essential. This is your opportunity to ensure you're evaluating apples to apples and avoiding unpleasant surprises down the road.

Here are the key components to include in your RFP or RFQ for a GRC solution:

  • Pricing Structure: Make sure to request clear breakdowns of all costs—licensing, ongoing maintenance, user fees, setup or migration costs, and any "hidden" charges.

  • Implementation and Training: Ask vendors to detail their implementation process, estimated timeline, training sessions, and resources available to get your team up to speed.

  • Warranties & Support Agreements: Clarify service-level agreements (SLAs), support hours, escalation processes, and included technical support.

  • Security Practices: Request documentation about security protocols, encryption standards, vulnerability assessments, and third-party certifications like ISO 27001 or SOC 2.

  • Maintenance and Updates: Understand how updates are delivered, patch management schedules, and any associated costs for ongoing maintenance.

  • Testing & Validation: Ask whether the vendor offers sandbox environments, trial access, or ways to test integrations and workflows before you commit.

  • Documentation Provided: Comprehensive user manuals, API documentation, and quick start guides should all be on the table.

  • Scalability & Flexibility: Inquire about the solution's ability to grow with you: can it easily accommodate more users, entities, or changing compliance requirements?

  • References & Case Studies: Don't be shy about asking for references, case studies, or even contact information for similar clients.

A well-structured RFP or RFQ doesn't just help you compare solutions—it sets expectations, fosters transparency, and helps you spot the true leaders in the field.

What to Evaluate During GRC System Testing

During the testing phase, organizations should take a broad look at the GRC solution and its support ecosystem before making the leap. It’s not just about clicking through features—there are several critical areas worth a closer examination:

  • Thorough Documentation: Make sure the platform comes with comprehensive, clear, and up-to-date user guides and technical manuals. Good documentation makes onboarding new team members a breeze and helps seasoned users find answers without calling for backup.

  • Responsive Support: Test the vendor’s technical support team firsthand. Reach out with real or hypothetical scenarios and see how quickly and effectively they respond. A stellar support team is invaluable when you run into hiccups on launch day—or any other day.

  • Training Resources: Evaluate the training offered. Does the vendor provide engaging self-paced modules, live workshops, or hands-on onboarding sessions? The right training resources can seriously shorten the learning curve.

  • Post-Implementation Help: Don’t forget about support after the system goes live. Ask about the vendor’s ongoing assistance—are they accessible for troubleshooting, updates, or when your team inevitably needs a refresher six months from now?

With these considerations covered during testing, you’re one step closer to a GRC platform that isn’t just powerful, but also a natural extension of your organization’s workflow.

Implementing Your GRC Platform: Working With Your Vendor

Once you've selected a GRC platform, smooth implementation depends on close collaboration with your chosen vendor. Setting the foundation right during this stage paves the way for long-term success and support. Here’s what you can expect (and should be ready to coordinate):

  • Planning and Coordination: Work with your vendor to map out a clear project plan. This should outline the timeline, milestones, and responsibilities—think of it as your implementation roadmap.

  • Training Your Team: Arrange for comprehensive system administrator and user training sessions provided by the vendor. Well-trained users are essential for quick adoption and to prevent those “how do I…?” moments down the road.

  • System Preparation: Collect all necessary vendor documentation, from installation guides to configuration best practices. Double-check your network readiness—ensure your internet bandwidth and connectivity can support a hosted GRC solution without hiccups.

  • Regular Check-Ins: Schedule repeated meetings with internal stakeholders and vendor representatives before the official rollout. These help surface any overlooked requirements and keep everyone aligned.

  • Ongoing Documentation Review: Documentation is often overlooked, but it’s vital. Continuously review the materials provided by the vendor to spot potential pitfalls and clarify any points of confusion early on.

During the crucial testing phase, don’t hesitate to put the vendor’s support team to the test—literally. Evaluate how responsive and effective their technical assistance is, clarify what ongoing training is available, and confirm the process for getting help after go-live.

And when your shiny new GRC system finally goes live? Keep the channels of communication open. Hold regular touchpoints (daily or weekly) with your users to quickly identify any snags, and funnel constructive feedback back to the vendor. That way, you’ll iron out issues while the implementation is still top of mind and keep your GRC system running smoothly.

What Should You Do After Your GRC System Goes Live?

Rolling out your shiny new GRC platform isn’t the finish line; it’s just the beginning. Ongoing maintenance and engagement are key to making sure the system delivers real value (and doesn’t slip into “set it and forget it” obscurity).

Start with regular user check-ins. Schedule daily or weekly touchpoints with your team, not just to spot technical hiccups, but to gather feedback on real-world usage and pain points. Is the interface working as promised? Are folks actually logging in and getting value, or are they reverting to ancient spreadsheets and emails? User adoption is your canary in the coal mine.

Next, keep the communication lines open with your vendor. Don’t hesitate to report any issues, share suggestions for improvements, or ask for additional support. Good vendors appreciate feedback and may even incorporate your ideas into future updates; think of it as free custom development.

Finally, stay on top of system updates and security patches. Whether your platform is cloud-based or on-premise, regular maintenance is crucial to avoid vulnerabilities and keep things running smoothly. Continuous improvement is the name of the game.