The document provides guidance on selecting governance, risk management, and compliance (GRC) software. It discusses defining goals for GRC implementation, conducting vendor evaluations, and criteria for assessing vendors such as implementation requirements, functionality, ease of use, reporting capabilities, and return on investment potential. The guide recommends evaluating vendors through demonstrations of their software to understand how well their solutions meet organizational needs.
GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE SOFTWARE BUYER’S GUIDE
A CISO & COMPLIANCE TEAM’S GUIDE TO PURCHASING GRC SOFTWARE
A Publication of Reciprocity
www.reciprocitylabs.com
TABLE OF CONTENTS
Ch.1 What is Governance, Risk Management & Compliance (GRC)? 3
Ch.2 Smarter Compliance, Less Risk. 5
Ch.3 When Should I Implement? 7
Ch.4 How to Find the Best GRC Tool For Your Company 9
Ch.5 Conduct a Self-Assessment 10
Ch.6 Define Goals 12
Ch.7 Develop Vendor Evaluation Criteria 14
Ch.8 Getting Started 21
Ch.9 Getting the Best Results From Your New GRC Tool 23
CHAPTER 1
WHAT IS GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE (GRC)?
Governance, Risk Management, and Compliance, or GRC, is a
broad term that covers a company’s approach to and strategy for
managing its internal governance, risk, and compliance activities.
Governance comprises the rules, structures, and accountability
within the company, whether to internal requirements or those
imposed from outside. Compliance includes the processes for
implementing and reporting the company’s adherence to external
requirements, including industry, governmental, and voluntary
standards. Risk management ties the entire practice area together
by helping a company identify its risk tolerance, and then take
appropriate measures to mitigate those risks.
GRC SOFTWARE BUYER’S GUIDE! 3
GRC software tools streamline and automate the documentation and reporting of corporate
governance, risk management, and compliance tasks, and align them with business
objectives.
A GRC software tool typically offers:
• System of record (your “single source of truth”)
• Policy management
• Audit management
• Risk management
• Automated notifications to stakeholders to perform specific GRC-related tasks
• Real-time notifications of workflow and audit activity
• Closed-loop reporting for easy calculation of compliance and risk postures
• Easy creation and editing of GRC components (controls, objectives, assets, risks, people
and more) by non-technical users
When used effectively, GRC software can help Chief Information Security Officers, Chief
Security Officers, and Directors of Compliance move past spreadsheets to mature their risk
management and compliance programs.
This guide will walk you through the steps required to purchase a GRC software tool — from
establishing goals, to identifying and comparing vendors, to getting ready for the
implementation phase and future success.
A 2016 Governance, Risk and Compliance Survey found that 43
percent of respondents are operating their compliance efforts at an
ad hoc or fragmented level.
CHAPTER 2
SMARTER COMPLIANCE, LESS RISK
Wondering how a GRC software tool can impact your business?
Take a look at how an all-in-one tool can reduce your risk of
non-compliance while decreasing costs and maximizing revenue,
streamlining your audit, and improving accountability.
Increase Productivity
A GRC tool significantly lowers costs associated with managing
compliance programs. First, a GRC tool will streamline and eliminate
manual processes and allow teams to more easily become and stay
compliant. Second, you will be able to utilize a GRC tool as your
single source of truth for everything related to your compliance
needs. Third, a GRC tool will significantly decrease the number of
errors, gaps, and omissions that are currently being found in your
spreadsheets. All of these benefits lead to a more productive
compliance team.
Your All-in-One Compliance Tool
With a GRC tool, compliance teams can leverage a system of record, automated workflows,
audits, pre-risk assessments, reporting & dashboards, and multiple third-party integrations all
from one central platform. A GRC tool makes compliance trackable, automated and more
visible for CISOs and their teams.
Automate Your Compliance Tasks
Companies commonly find that the real value of automation lies in the routine tasks that
must be completed again and again. The GRC platform can automate some of those, and
send reminders for those tasks which require human interaction.
Deliver Robust Reporting
CISOs often find it difficult to determine the ROI on their compliance efforts because of an
inability to aggregate important compliance-related data. By utilizing out of the box reports, a
GRC software tool allows businesses to understand their true compliance posture and identify
gaps or overlaps in their programs. Dashboards and advanced reports deliver important
metrics to users and business decision-makers.
Support Your Audit Team
Audit teams execute a process. And like any business process, they need quality input. A
well-documented compliance program in a GRC tool and the ability to conduct an audit over
that program can jumpstart your internal audit teams and ease the burden of providing
information to an external auditor. Key tasks in the audit process also gain an efficiency boost
from a GRC tool, such as automating evidence collection and dashboards to show progress.
At the end of the audit, the outputs can be fed back into the GRC tool for automated tracking.
Issues can be assigned for remediation, while the auditor’s opinions of control effectiveness
can be documented to show your compliance posture.
Fifty-nine percent of CCOs are only somewhat confident, or not confident at all, that the IT systems
used by their compliance department can fulfill their reporting tasks and responsibilities, according
to Deloitte’s In Focus: 2015 Compliance Trends Survey.
According to Blue Hill Research, the benefits resulting from
implementing a GRC platform range between 25% and 30% in time
saved in compliance and risk activities.
CHAPTER 3
WHEN SHOULD I IMPLEMENT?
Be proactive and make managing GRC less of a hassle and more
productive!
Below are three reasons why businesses put off implementing
GRC tools, and responses for why these scenarios are actually
the perfect time to get started.
“We’re doing just fine using spreadsheets.”
Research shows that almost 90% of all spreadsheets have errors.
When you talk about the data in your compliance program, a 90%
error rate, in most industries, is going to be completely
unacceptable. The underlying cause is the lack of structure
around collaboration and version control. If you’re using
spreadsheets to manage multiple compliance programs, it’s
imperative that you move to a system of record that provides you
with a single source of truth that’s more reliable.
“I have an audit coming up”
An audit is a great opportunity to mature from your spreadsheets to a more robust tool. Part of
the audit preparation involves getting your compliance data properly documented and
collated for the auditor.
Taking the additional step to migrate that content into a GRC tool where you can keep it up to
date and use it as the basis for ongoing reporting helps you to leverage that work, getting
more value out of your audit prep investment. Once you get results back from your audit, you
can track your compliance posture and use the GRC tool to aid in remediation, rather than
being forced to create and maintain new spreadsheets.
“Budgets are tight right now”
No compliance team is ever over-resourced. However, paying high-earning professionals to
manage inefficient spreadsheet-based programs is not the best use of your limited budget.
Your team’s time would be better spent implementing and ensuring controls are operating
effectively, rather than trying to reconcile a handful of spreadsheets or babysitting colleagues
via email. A GRC tool that can send automated reminders for compliance tasks is a better
investment than having a member of your staff sending out reminder emails and tracking
completion status manually!
According to an OCEG study, 85% of companies feel that they would
benefit from integrating the use of technology for their GRC
activities.
CHAPTER 4
HOW TO FIND THE BEST GRC TOOL FOR YOUR COMPANY
Purchasing GRC software can streamline your work and remove a
lot of headaches. But how do you know where to start?
Choosing a GRC software solution is an important decision. Not only
is governance, risk management and compliance a significant
investment in time and resources, the system you choose will have
an enormous impact on the daily workload of both your risk and
compliance teams. So make sure to conduct the proper research
and go into the process with the right questions in hand. Start by
evaluating your own compliance effort to determine your particular
needs and priorities, then take a closer look at the many features of
governance, risk management and compliance software and what
specific attributes to look for in each. The recommendations
included in the next 3 chapters will help you decide what criteria you
will use to evaluate GRC tool vendors.
CHAPTER 5
CONDUCT A SELF-ASSESSMENT
Gaining a better understanding of your compliance team’s
regular and periodic processes will make it easier to identify
opportunities for improvement.
Review the following questions with your team and come up with
thoughtful responses.
How many compliance frameworks are you required to implement
(e.g. SOC 2, ISO 27001, PCI-DSS)? When do you conduct audits for
each of these programs?
Do you have a strategy to format spreadsheets for the different
programs that you’re managing? How do you ensure that you can
produce consistent metrics from each?
How do you currently collect audit evidence? What are the
inefficiencies in your process?
Are you using SharePoint, Google Drive, Box, or Dropbox as a
content repository? (Y/N)
Does your compliance team use other software tools to manage
compliance? (Y/N) If yes, list the different tools, how you’re using
them and explain how they work together.
How do you handle the assignment and handoff of compliance
tasks to non-compliance stakeholders, such as system
configuration tasks assigned to sysadmins?
How does your compliance team prioritize tasks?
How are you measuring and evaluating your compliance
programs?
CHAPTER 6
DEFINE GOALS
Once you’ve assessed your current processes, it’s time to define
what you hope to achieve with implementation and plan out your
strategy.
In order to properly prepare for the search phase, it’s important to
discuss governance, risk management and compliance with all
departments that will be affected and define the specific
requirements of each.
Use the following questions to plan how each department will
use GRC software and reap the benefits.
Who in your company will use GRC software? Who will take
ownership?
What information will you need in order to make sound decisions
about your GRC programs?
What compliance frameworks are various departments tasked with
implementing or maintaining (e.g. InfoSec handles PCI-DSS,
Finance handles SOX)?
How can other departments take advantage of a GRC software
tool, and what benefits can you realize from having a single GRC
platform shared across departments?
How can you integrate other GRC-related software tools into your
GRC software tool?
What are your current KPIs, and how can you show each
department’s value?
What are some short-term goals that can be achieved with
governance, risk management and compliance?
What are some long-term goals that can be achieved with
governance, risk management and compliance?
CHAPTER 7
DEVELOP VENDOR EVALUATION CRITERIA
After you’ve conducted initial research and determined which
vendors to investigate further, the next step is to schedule time to
see demos of the products that have made the cut. Having the
opportunity to compare and contrast each vendor’s solutions will
help you understand what you’ll be able to achieve with each
platform, and how well their features meet your needs.
Here are a few parameters that you should evaluate as the
vendors work with you:
• Implementation
• Functionality
• Ease of use
• Executive dashboards
• Third-party integrations and API capabilities
• Expected ROI
• Future innovation and product roadmap
A typical demo may not cover everything you’re looking for. So,
make sure to ask about a specific feature or use case.
Use the following questions as a guide as you begin conversations
with vendors and discover the capabilities of their products:
Implementation
How long does it take to get value from the tool?
Is training and support included, or is it an additional cost?
How much time will it take for the GRC product you’ve chosen to be
up and running?
Is the amount of time it takes to implement reasonable (a couple of
weeks or months)?
How many hours are you expected to contribute to this burden?
How much will your compliance landscape shift between now and
then?
What kind of professional services are required to start using the
application?
If a standard changes in a year, how much will it cost you to be
ready to comply with it?
Functionality
Can you easily map one control across multiple standards?
Do you have full role-based access?
Can you import existing data into the tool?
Can you test and gather audit evidence, and remediate issues found
during audits?
Can you build ad-hoc workflows to automate various compliance
tasks?
Can you configure this system yourself or do you require
professional services?
Will the tool be able to support your use cases for today and in the
future?
Can I perform Pre-Risk Assessments of third parties?
Are the risk scores of third parties plotted on a heat map?
Ease of Use
What are the different roles available and what access does each
role get?
How easy is it to import existing data into the tool? How long does
this take?
How can you test and gather evidence?
How do you remediate issues?
Is the user experience easy and simple enough to remove
headache from your day-to-day tasks?
Is this a product that is intuitive to you?
Will other people in the organization use it?
Will you find yourself using the product on behalf of others?
Executive Dashboards
Can executives quickly see the status of our past, present and future
compliance programs?
Can we readily identify gaps in our compliance posture?
If a regulation changes or I’m forced to comply with a new standard,
does the tool highlight my gaps and provide actionable intelligence
to close them?
Can I save money and make it easier to run an audit through a GRC
tool?
API Capabilities and Third-Party Integrations
Give a brief overview of the connectors your solution offers. Where
do your clients find the most value?
Does the GRC tool allow you to integrate data from other software
tools you’re using? How easy is that integration process? Does it
require professional services, does it require custom development,
or is it a simple point-and-click process?
Does your solution offer ticketing software plug-ins to allow users to
work within their preferred ticketing software platform? Which
platforms?
How long will it take me to get up and running for each of these
integrations?
How will your connectors provide my compliance team with
additional insight into the needs of our programs?
How will your connectors help with my reporting?
How often do you add connectors?
ROI of GRC
How much time will this save across the company?
Can this solution help me replace hiring one or more FTEs?
Will this solution make my life as well as other colleagues’ lives
better?
Will this help save time when engaging and working with 3rd party
auditors?
What confidence do I have that errors and omissions will be
removed with the implementation of a GRC tool?
If a regulation changes or I’m forced to comply with a new standard,
will this reduce time and cost?
Will my licenses cover everything or will I need to buy additional
modules to meet my needs?
Is the pricing transparent? If your use case for GRC within the
organization expands, how much in additional costs will it take for
the tool to service those use cases and users?
Will the product save me enough time to justify the money I have
allocated in the budget?
How much would it cost to hire someone to do what this GRC
software does?
How much time savings will this tool enable by centralizing
everything?
Future Innovation and Product Roadmap
Will the company share their product roadmap?
How quickly do they ship releases?
Does the tool feel finished, or is it immature?
Will the product keep up with a changing compliance landscape?
Does the product look modern?
Do you feel that the product will receive regular upgrades?
CHAPTER 8
GETTING STARTED
Once you’ve picked a governance, risk management and
compliance solution that aligns with your needs and goals, there
are a few steps you can take prior to implementation to ensure
success.
Get Organized
Currently, the compliance related data you have may be spread out
across multiple spreadsheets and emails. Build a single source of
truth by aggregating all of your data.
To ensure a seamless transition, make sure to use a consistent
format that your GRC tool will accept. For example, CSV files are a
popular format for uploading and mapping data to GRC tool
frameworks.
To help you get started, it is useful to identify the following attributes
in your compliance program data, and ensure they are easily
identifiable within your documentation:
Control implementation description. How do you as a company meet
the requirement set by the standard?
Ownership. Who’s responsible for implementing and maintaining this
control in your environment?
Applicability. Does this control apply to your entire company, or just
to a particular product/department/business unit?
Mappings. Is this control related to any processes, departments, or
other compliance frameworks in use at your company?
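As an added illustration (not code from this guide or from Reciprocity), the script below checks a constructed CSV export of control records for the four attributes listed above, then reports per-framework coverage and the controls that are mapped to more than one framework, which is the overlap the "map one control across multiple standards" and "identify overlapping requirements" points elsewhere in this guide refer to. The column names and the sample rows are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are an assumption for this
# example, not a format any particular GRC tool prescribes.
SAMPLE_CSV = """\
control_id,implementation,owner,applicability,mappings
AC-01,"MFA enforced for all SSO logins",IT Security,Company-wide,"SOC 2;ISO 27001;PCI-DSS"
AC-02,"Quarterly access reviews for production systems",IT Security,Company-wide,"SOC 2;ISO 27001"
CH-01,"Peer review required before merge to main",Engineering,Product A,"SOC 2"
LG-01,"Central log retention of 12 months",,Company-wide,"PCI-DSS;ISO 27001"
BK-01,"Nightly encrypted backups tested monthly",IT Ops,Company-wide,
"""

# The attributes the guide says every control record should carry.
REQUIRED = ("control_id", "implementation", "owner", "applicability", "mappings")


def load_controls(text):
    """Parse the CSV and return (controls, problems).

    Each control is a dict whose `mappings` field is split into a set of
    framework names. A control missing a required attribute is still
    returned, but a readable problem line is recorded so the gap can be
    fixed before the data is imported into the tool.
    """
    controls, problems = [], []
    for row in csv.DictReader(io.StringIO(text)):
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        for f in missing:
            problems.append(f"{row.get('control_id') or '<no id>'}: missing {f}")
        raw = row.get("mappings") or ""
        row["mappings"] = {m.strip() for m in raw.split(";") if m.strip()}
        controls.append(row)
    return controls, problems


def coverage_by_framework(controls):
    """Map each framework to the sorted list of control ids that satisfy it."""
    cov = defaultdict(list)
    for c in controls:
        for fw in c["mappings"]:
            cov[fw].append(c["control_id"])
    return {fw: sorted(ids) for fw, ids in cov.items()}


def shared_controls(controls, min_frameworks=2):
    """Controls mapped to at least `min_frameworks` frameworks: the overlap
    that lets one set of evidence serve several audits."""
    return sorted(c["control_id"] for c in controls
                  if len(c["mappings"]) >= min_frameworks)


if __name__ == "__main__":
    ctrls, probs = load_controls(SAMPLE_CSV)
    for p in probs:
        print("FIX BEFORE IMPORT:", p)
    for fw, ids in sorted(coverage_by_framework(ctrls).items()):
        print(f"{fw}: {len(ids)} controls -> {', '.join(ids)}")
    print("Reusable across frameworks:", shared_controls(ctrls))
```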
What a Complete Implementation Looks Like
GRC tool implementations need to be managed at the executive
level. CISOs need to communicate the GRC tool’s importance and
goals to their team and company. Every IT implementation
project should have a defined final milestone (often called a go-live
date), and a GRC tool is no exception.
Here are the criteria that signify you’ve finalized the implementation
of your newly-purchased GRC tool.
• Retire those spreadsheets: All future work by your designated
stakeholders is done inside the tool, i.e. your compliance team
and internal auditor both use the tool as a single source of truth for
control implementation details
• Reporting: Executive management has access to dashboards
with real-time data feeds provided by the GRC tool. These should
be self-service, and free up your resources to focus on tasks more
valuable than creating Excel charts.
• Automated process: Workflows, tasks, and reminders are
enabled so your GRC tool can keep you up to speed on relevant
work tasks.
• Audits: All necessary information is documented, maintained, and
accessible in the GRC tool. This can be leveraged into audits,
which are managed in the tool, providing a seamless experience
and reducing the overhead of coordinating audit artifacts and
data.
CHAPTER 9
GETTING THE BEST RESULTS FROM YOUR NEW GRC TOOL
To get the most out of your new GRC tool, you’ll need to use the
built-in dashboards and reports to identify with your team how
you can continually improve your compliance and risk initiatives.
You should also review the following GRC Success Checklist
regularly with your team to make sure you’re tracking your
improvements.
The GRC Success Checklist
• Get executive and board support and buy-in for organization or
department adoption. Board Committees have a need for
consolidated and efficient compliance.
• Treat your GRC rollout like any other IT project. Define a scope,
milestones, and assignments, and track these through to completion.
• Identify ways that the tool is more efficient, such as automated
rules and actions.
• Identify relevant legal, regulatory, and industry compliance
requirements which impact your business (e.g. PCI, HIPAA, SOX,
SOC 2/3, FedRAMP, etc.)
• Identify a baseline framework to harmonize your company’s control
set against, e.g. ISO 27001, COSO, CIS Top 20, etc.
• Think through the data taxonomy of your compliance programs and
control objects and beyond. Document the mappings of your control
set against your compliance requirements. Identify overlapping
requirements to help cut through complexity.
• Identify the tool’s capabilities, functions, and features, as well as
your needs, such as additional metadata you need to capture.
Develop the tool to meet those requirements.
• Determine your Key Performance Indicators (KPI) and Critical
Success Factors (CSF). Identify metrics to track and show the value
of your tool investment.
• Plan how often you will revisit your programs to make sure you’re
getting the most out of your investment in a GRC software tool.
Reciprocity offers a best-in-class governance, risk management and compliance
platform that manages compliance initiatives such as system of record, workflow
and audit. We make compliance and risk officers more nimble with lightweight
software designed to turn corporate compliance from a cost center into a
valuable strategic asset.
CONTACT US
2146 3rd Street
San Francisco, CA 30326
415.851.8667
Or visit us online at www.reciprocitylabs.com.