Evaluating GRC software? Here are some of the things you should be considering.
Aiming to reduce silos across departments, an increasing number of organizations are re-evaluating their approach to risk management, compliance, and audit. They are actively looking for ways to achieve a more integrated approach that also incorporates automated transaction monitoring and risk assessment. Implementing governance, risk, and compliance (GRC) technologies is an effective way to move away from spreadsheets and shared folders, but given the number of vendors who offer GRC software, it can be difficult to choose the best solution.
One of the challenges is that many vendors claim functionality in an extensive number of areas even though actual capabilities may be quite limited in practice or ineffective for a desired type of use. This blog post looks at some product and support criteria that should be considered when evaluating potential vendors.
Features and capabilities
The features and capabilities of a GRC solution need to encompass the end-to-end governance, risk, and compliance requirements of your organization. Consider the following:
- Risk assessments and weightings.How easy is it to quantify and rank your risks? Some GRC solutions allow users to assign a score to each risk, as well as apply a weighting so that risks can be ranked for impact against others. This small feature can significantly help you prioritize the areas of your business that need to be tackled first.
- Risk database.Can your organization’s risks be easily shared and understood by others? A strong GRC solution simplifies the identification and communication of risks, for example through a centralized database of risks. This gathers common risks and provides sufficient detail so that uses different business areas can understand the impact of each risk.
- Controls database.How well can you link your risks to your controls? You want a solution that can map each risk to a corresponding control designed to mitigate it. The system should allow the control process to be described in sufficient detail and provide links to fully detailed documentation.
- Audit working papers and documentation.How effectively does the system support working papers and documentation? Internal audit processes overlap with many aspects of risk, control, and compliance processes, so one shared system is beneficial for all. Determine how effectively the vendor’s system supports requirements for audit working papers, audit programs, and related documentation.
- Exception management and workflow.How easy is it to manage exceptions? Managing the results of automated analytics is a critical part of many data-driven GRC processes. Your chosen software should support detailed and complex workflow related to the routing of exceptions and results to specific individuals, together with escalation procedures, and descriptions of resolutions that are linked back to risk and control data. Managing exceptions can be a tedious process. The easier the software can make this process for you, the better.
- Data connections, access, and extraction.How many data sources can you connect to effortlessly? Your solution should be able to connect to multiple different data sources and data extraction routines should be automated as much as possible.
- Data cleansing and manipulation.How does the vendor validate your data? Once data is extracted, it needs to be tested for validity. This often requires some form of cleansing and restructuring in order for it to be used in GRC processes, particularly for internal audit procedures.
- Analytics libraries.Can you store analytics for reuse? Automated and repeatable analytics used in audit and compliance testing should be maintained in secure and efficiently structured libraries.
- Ad hoc analytics.Is the software usable by third-parties? The ability for non-technical auditors and compliance specialists to perform ad hoc analysis of detailed data is increasingly important in many GRC processes, particularly internal audit. Going with a user-friendly solution puts you one step ahead of this potential challenge.
- Visual analysis.Can the software summarize data in a visual way? Easy-to-use visual analysis capabilities are important during the audit planning and risk assessment phases of internal audit, as well as in risk and compliance activities.
- Reporting and dashboards.What level of reporting can you achieve? The ability to produce flexible reports on multiple aspects of GRC processes is clearly important, and particularly in terms of providing dashboard views of the status of risk assessments at both the enterprise and functional area levels.
- Script building and automation.Does the software support complex scripting for your data? The automation of analytics for control testing and risk identification is critical to data-driven GRC processes. Software should support the ability to perform complex data manipulation and processing, as well as user interfaces for parameter input to automated analytics.
- Scheduling analytics.Can you schedule the ongoing processes you need? Many automated analytic tasks, including both data extraction and detailed monitoring and testing, need to be scheduled to run according to a variety of parameters including date, time, and the availability of specific data files.
Other important considerations
You now have an idea what GRC functions to look for in a provider. There are a few other elements to consider in your choice, that lie outside of core GRC functions. Consider the following:
- Security.How many layers of security exist for accessing and sharing your confidential data? Access privileges, protection against data breaches, and strong data encryption are essential parts of assessing a potential GRC solution.
- Scalability.Will the software that works for you now continue to work for you as your data grows? Data-driven GRC processes typically involve very large amounts of data, often from multiple sources and with complex processing requirements. Software needs to be able to efficiently and reliably handle increasing data volumes.
- Integration with other technologies.Does the software play well with others? Ideally one software platform is able to support multiple aspects of GRC processes, however, there are sometimes cases in which GRC software needs to connect closely with other specialized software that you might use, such as risk management software used in financial institutions.
- Mobile device support.Can the software be used on the go? Auditors and compliance and control specialists often need to access GRC systems, initiate processes, and view results while traveling and using multiple devices.
- Technical support.Can you get help when you need it? The availability of very effective technical and user support also plays a key role in successful use of GRC software, particularly during the initial phases of implementation.
These are some general features and considerations that you should include when evaluating GRC vendors, but don’t forget to include your own organization-specific requirements. You’ll also need to consider cost, vendor reputation, and product strategy (e.g., can the technology grow with your business needs?). Seem like an overwhelming amount of information? A good way to assess it all is to create a detailed table with all of your GRC requirements and considerations, and then add weightings/scores for each vendor on each of the criteria that is important to your organizational needs. Now you’ve got a data-driven evaluation to help guide your decisions!