GRC Take 2: Key Factors in Choosing a New GRC Vendor

Governance, risk management, and compliance (GRC) is something every organization does: it is part of business. Whether the organization calls it GRC, ERM, EHS, or something else, every organization has some approach to GRC. It can be completely manual, broken, and reactive, or it can be optimized, aligned, and integrated. The key question is: how can we improve GRC-related processes and information? How can we make them more efficient, effective, and agile?

GRC itself is about a strategy and process of collaboration between functions to share information to aid the organization in achieving objectives. The official definition of GRC is that it is an “integrated capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].”

Technology plays a critical role in GRC strategy and process. Through technology, GRC processes can become more efficient, effective, and agile. Technology enables GRC. However, many organizations find that they have outgrown their current GRC technology platform. Some common issues I hear from organizations frustrated with their current technology architecture for GRC are that it is:

  • Dated and obscure. The organization is struggling with early generation GRC technology that looks like it was coded ten to fifteen years back and fails to be engaging and intuitive to the modern workforce.
  • Costly to maintain. Organizations are frustrated with technology that takes two years to roll out and whenever there is an update it takes months to configure.
  • Lacking key functionality. The GRC technology was implemented for a certain aspect of GRC and does not deliver the breadth of functionality and integration that the organization needs.
  • Focused on the back office of GRC. The technology was developed for back-office functions of the second and third lines of defense but fails to provide the right interface to the first line of defense, the front lines of the organization.

Organizations look to new GRC technology because they want a fresh, up-to-date architecture that is highly functional, easy to service, and integrated into the organization: one that is highly agile to the needs of a dynamic business environment.

Some key points of consideration when evaluating new GRC technology include:

  • Implementation. GRC technology should not take two years to implement; it should be easy to implement into the environment and adapt to the organization and its needs.
  • Integration. GRC technology should readily and easily interface and integrate with other business systems and content throughout the organization.
  • Ease of use. GRC technology should be easy to use and have an intuitive and modern interface that engages employees in all lines of defense.
  • Data visualization. GRC technology should facilitate monitoring and reporting through strong data visualization to provide 360° contextual intelligence of risk analytics and information.
  • Mobility. GRC technology should be available anytime and anywhere. This includes mobile and tablet apps/interfaces that make GRC available online and offline.
  • Configuration. GRC technology should easily meet the processes and demands of the organization through streamlined configuration and not complex customization and coding.

GRC technology has evolved just as the organization has evolved alongside its risk and regulatory environments. Struggling with archaic GRC technology is futile and inhibits GRC as opposed to making it more efficient, effective, and agile in the organization. Organizations should look to new breeds of GRC technology that are easy to implement, engage all levels of the organization, lower cost of ownership, and integrate with the business.