Governance, risk, and compliance, or GRC, is how a company forms a strategy for managing the systems and processes it needs to operate.
This includes managing the risks posed by the use of those systems, as well as complying with the relevant laws regulating their application for business.
From an IT perspective, GRC is essentially a way in which a company can achieve its business objectives while simultaneously balancing risk load and working within legal limits.
According to the OCEG, the U.S.-based think tank that invented the now mainstreamed concept of GRC, a GRC plan is a way of organizing the critical capabilities necessary to achieve what they call “Principled Performance.” This is achieved when management, performance assurance, liability risk, and compliance activities have all been integrated into one coherent strategy.
Obtaining an effective GRC strategy is a huge asset for a business, and is really an essential part of any enterprise’s long-term success.
The benefits of good GRC include faster and smoother decision-making that won’t hinder business flow, more efficient investments in equipment and technology, reduced costs, and better coordination between your company’s departments.
But the most important asset of optimized GRC is, by far, the dynamism and adaptability it gives an organization. The ever-changing modern business environment requires companies to stay on their toes and constantly be ready to respond to shifts and variations. This is especially true in the field of IT. Any organization in this sector will face a myriad of challenges due to the shifting complexity of the commercial landscape. Regulation, human capital and available skill sets, technological tools, and business processes and standards are just a few of the factors that are perpetually in flux.
There’s good news though: what GRC does is put into place the tools and processes for companies to respond to new needs as they develop. With a well-structured GRC plan, any organization can acquire the ability to adopt innovation and adjust to new scenarios. As the good people at OCEG put it, the key thing to remember when first tackling GRC is that an effective GRC strategy “does not burden a business. It supports and improves it.”
Understanding Your Organization’s GRC Needs
As you may have gathered, there is no one-size-fits-all when it comes to GRC.
The management and compliance needs of companies, even within the IT field, can vary significantly depending on the circumstances and the services they provide.
When adopting a GRC solution, there will undoubtedly be technicalities to work out. But a few basic concepts can help you understand what your general needs are right now and point you in the right direction.
Rigidity and Level of Regulatory Restriction
As you’re probably familiar with the legal landscape of your industry, this factor is probably going to be the easiest to identify and measure.
To put it bluntly, business fields that are highly regulated and require strict adherence to local or international legislation are much more in need of GRC. For such a firm, every change to customer care, every new business strategy, every augmentation to a product or service needs to be in lockstep with a comprehensive legal code. Being aware of this will help managers determine what type of GRC tools they need. The more regulated a company’s field is, the more rigid they’ll want their GRC platforms to be. This will allow management to propel business operations forward and take initiative while mitigating the risk of inadvertently violating the law.
Business complexity is the next major determiner of GRC needs.
Keep in mind, the complexity of a business is not necessarily the same as its size. While scaling up inevitably adds complexity, some businesses can be relatively straightforward operations even when they’re employing hundreds of workers.
For purposes of GRC, complexity is defined by the number of distinct assets the company requires in order to run. This includes the number of departments, sites, and expertise types necessary to make the business work. As the number of assets in a business goes up, it creates two types of GRC liabilities.
The first pertains to operational flow. If many different nodes are essential to operations, the connectivity and integration of those nodes can easily turn into an Achilles heel. Organizations with many assets, such as those in the energy sector, face significant risk of operational impediments and have more of a need for integrative GRC.
The second issue created by asset diversity is communication and synchronization. Very often, multiple business units will have independent objectives which (at least in the day-to-day) will be completely distinct from those of other offices within the company. In the best case, a lack of proper coordination can lead to overlapping work and significant losses in time and resources. In the worst case, different departments can actually end up working on clashing goals that undermine each other.
This hard reality underscores the need for a comprehensive framework that can give executives an encompassing view. GRC can offer that scope to the company, enabling management to both follow multiple departments and orchestrate mutually beneficial objectives. The more diverse and complex an organization is, the more integrative GRC tools it will need.
Level of Risk Tolerance
When assessing risk management, the question is not whether or not there is a risk but rather what type of risk you are dealing with. Every business is vulnerable in one way or another. But some businesses incur cumulative risk by the very nature of their operations. Services that send their employees out to hazardous jobs, for instance, have to deal with this type of liability. In the IT arena, exponential risk is created by the storage, transfer, and communication of sensitive digital assets. Fintech companies are literally taking responsibility for people’s digitized money. Many SaaS providers are regularly entrusted with troves of their clients’ personal information.
In these and similar cases, errors in regular run-of-the-mill operations can produce major losses, either by losing the data, corrupting it, or leaving it open to theft or exfiltration. If your company provides a service like this, in which even small inaccuracies can create major problems, that means you have low risk tolerance as far as GRC is concerned. Telltale signs this is the case? Ask yourself the following questions:
- Is my business highly regulated?
- Does my business deal constantly, as part of normal business, with personal identifying information?
- Does my business rely on the constant transfer and reception of data to and from multiple parties?
If you answered yes to any of these, you’re almost certainly in need of a more rigid GRC solution, one that will give you the assurance and stable framework you need.
While all businesses today incorporate technology, they can differ extensively in terms of how often they need to update their technological tools.
Change in approach and tools is a major sign (according to many, the biggest sign) that your company can benefit from a GRC solution. Changes in approach are always a red flag because they tend to open unforeseen gaps in both security and operational flow.
This is actually one of the more important characteristics of the IT industry. The rapid acceleration of digital information systems means that firms need to always be ready to incorporate new tools.
Despite being aware of this fact, many companies have no way of preparing for these upgrades. Instead, they simply ‘bite the bullet’ and put their staff through a torturous process whenever major changes to company systems occur. This is because many firms have never developed a fluid adaptive framework nor do they know such a framework is even possible. One of the main functions of effective GRC is bringing systems online capable of handling evolving technology spanning multiple business needs.
Ranking the Top 5
Now that we’re a bit more familiar with the factors GRC comes to address, we can jump into assessing some of the best tools in today’s market.
Fusion Framework is cloud-based GRC software that functions on top of the Salesforce platform.
For companies with a wide range of departments, clients, processes, and objectives that are seeking to step up their organization, Fusion Framework can be a huge asset.
Fusion Framework specializes in accelerating the digital transformation of GRC. In other words, if a company is in the process of computerizing governance, Fusion Framework can help make that transition by integrating data, systems, people, processes, and services under one platform. The actual software interface creates a map of day-to-day functions within your business that can be tracked and assessed with advanced analytics.
As far as compliance issues go, Fusion Framework’s software is designed to align operations with industry standards and regulations, improving visibility for managers and helping them stay on top of the compliance factors.
A big upside to the platform is that it’s configurable through click commands. No coding knowledge is necessary. The functionality of the system is guided, making it a simple solution for any and all end users.
While Fusion Framework is great at integrating the full gamut of corporate departments under one GRC roof, this does come with a downside. The platform was designed with larger-sized firms in mind, especially those with a diverse range of operations. To get some perspective, giants such as Nike and Time Warner both use Fusion Framework for their GRC. Thus the drawback of the platform is that it will not be ideal for small businesses.
Riskonnect has become an industry standard, known for its ability to ensure continuity across diverse systems and operations within an organization.
The platform pulls and integrates data from multiple sources and improves automation for mundane processes while at the same time applying advanced analytics to ensure optimization of those processes as changes occur.
Because of its unique capabilities in process management, Riskonnect has become a favorite in industries with near-constant complex workflows such as retail, healthcare, financial services, insurance, and manufacturing. Today it is the single biggest Risk Management Information System (RMIS) provider. To cater to enterprises that have to manage large-scale systems, Riskonnect offers high-level analytics capabilities and allows for the interpretation of complex data to produce actionable intelligence. Similarly, Riskonnect offers excellent tools for self-auditing (an important asset for many compliance regimens), tracking specific relevant data points, storing important documents, and creating information summaries.
A downside of Riskonnect is that it is certainly not for beginners. The features open to admins are a bit complex. While the provider does offer easily accessible support and a robust blog to learn about the platform, Riskonnect can be difficult for the uninitiated to operate.
IBM’s OpenPages is known as “the enterprise GRC”, meaning it was designed for corporations that need to manage all of their components under one solution. In this sense, it offers capabilities comparable to other corporate-level solutions such as Fusion Framework, mentioned above.
OpenPages is a cloud-based, one-stop shop. It provides functional components including compliance, policy, operational risk, financial controls, and internal audit management.
A big advantage of OpenPages is that IBM integrated its famous Watson AI into the platform. Users consistently report that this is a huge help in addressing system defense at pretty much every layer of security. For companies with high demands for information security, such as financial service firms, this is something to take note of. In fact, IBM boasts several major banks and financial institutions on its GRC client list, including Westpac Banking Group and Macedonia’s Stopanska Banka.
One downside of OpenPages is that it is notoriously slow in reporting certain types of intelligence, including risk assessments and issue logs. It has also been known to be a bit involved to set up automation on the program. While neither of these is a deal-breaker per se, they can be something to take into consideration depending on your particular business needs. Companies with little in-house IT support may want to think twice before going with OpenPages.
StandardFusion was explicitly designed with user experience in mind. The creators of this software understood the intimidating complexity GRC can present (especially for newcomers to company governance) and sought to bring a solution.
The tool has a powerful dashboard interface that is also extremely simple to interact with. Navigating within the software is pretty clear-cut and users can get anywhere they need with just a few clicks. This means that you don’t have to worry about the learning curve too much when introducing this program or onboarding new team members. Even newcomers will catch on quickly to the intuitive layout.
As far as functionality is concerned, StandardFusion excels at telling it like it is. Managers can assess and track the impact and likelihood of individual risks, understand their options for mitigating actions, and summarize their potential outcomes with the platform’s report generator.
Another element that sets StandardFusion apart is its auditing capabilities. One innovation of the program enables businesses to perform internal audits and gauge compliance by tracking already executed external audits.
Some users have reported downsides to the StandardFusion platform. For instance, certain regular security features, such as SSO authentication, are not available unless paid for with an extra fee. This is a serious disadvantage for companies where information and network security are top priorities.
Another drawback is the user experience on some of the more advanced features. The reporting section, for example, lacks the visually intuitive layout of the dashboard. It seems that the designers created some of these tools assuming a bit more technical know-how. This is certainly something to keep in mind if your company lacks personnel with technical expertise or you’re not interested in going through the downtime of training.
Enablon is a management supermachine designed with data organization in mind.
Enablon excels at handling large databases and has several built-in tools for repackaging and presenting data to make it more accessible, such as downloading your data in Excel, PDF, or even PowerPoint format.
It also offers sophisticated tools for setting reminders and notifications pertaining to various processes, such as expiring permits for example. Users can also consolidate data from all the program’s modules to create consistently efficient reports and dashboards which help accelerate analysis. With these capabilities, it is no surprise that Enablon tends to cater to companies that deal with high quantities of complex product specs. Its better-known clients include Apache, ADT, and the Canadian electrical company Hydro-Québec. Businesses that deal with hi-tech products, engineering services, heavy machinery, and other similar sectors will probably find Enablon’s tools to be valuable assets.
Another important quality of Enablon is the customizability of its product. Its support team will work with clients to give them the closest thing possible to what they’re looking for.
The biggest drawback of Enablon is its usability and overall UX. Administrators who work with the platform pretty much all come back with the same verdict: amazing integrative capabilities, but difficult for the average user to get used to. Again, if IT support and technical know-how are not in high supply, Enablon may not be the right option.
So to summarize:
- If sustainability, business continuity, and incident management are the primary goals for your enterprise, Enablon is likely your best pick.
- If you’re just beginning the digitizing of your GRC and want something that will give you an easy and reliable kickstart to management, it’s probably best to give StandardFusion a try.
- Companies with confidentiality as a primary focus, or those that are scaling up their operations and need something that can handle the next level of business sophistication, should consider IBM OpenPages.
- If you’re in an industry that requires maintaining continuous processes, Riskonnect is the best tool for ensuring stability and optimization.
- If you’re in a compliance-heavy field, or a company with a wide range of departments and nodes (that’s that operational complexity we talked about) you should likely turn to Fusion Framework.
Can You Manage GRC Without Software Tools?
“Can’t I just do this myself?” is a very tempting argument to give into.
Some managers would prefer to avoid the whole discussion of “which is the right GRC tool for me” and just wing it.
There are a few reasons why you should resist the urge to try and execute GRC without the help of specialized software.
First off, you don’t actually want to handle GRC alone.
Even for relatively small organizations, proper governance involves aggregating and assessing large quantities of data and information. For many enterprises, this is simply impossible to do manually. But even if it could be done in theory, the time, manpower, and resources it would require would make the effort a nightmare.
Second, with regard to compliance specifically, human error is a huge factor in regulatory violations. To ensure proper compliance without software means tracking every process and every project yourself. For most organizations, it is simply negligent to even try this.
The third factor is simply the quality of the finished product.
At the end of the day, one of the central things you want from GRC is actionable intelligence on how to optimize business flow, productivity, and efficiency. Digitizing this process will produce a better deliverable ten times out of ten. Period.
How Much Do GRC Tools Cost?
Nearly all GRC systems of any worth are going to be software as a service (SaaS) products.
This means the amount you pay will depend on (A) the number of users, and (B) the subscription plan you choose, whether yearly or monthly.
In terms of dollar amounts, costs can differ substantially from platform to platform, ranging from a few hundred dollars a year per user (IBM’s platform for instance) to over $700 a month for a regular package (StandardFusion).
But hold on.
Assessing costs doesn’t only mean how much you’re paying. It also means the tangible business value you’re getting in return. Set aside the potential damage good GRC helps a company avoid, from compliance penalties to data compromise to loss of contracts because of failure to deliver. GRC can give a company return on investment right now. Higher efficiency, lower costs, and perhaps most important, a more pleasant (and therefore more effective) work environment for your staff are just some of the immediate benefits taking on a GRC platform can provide.