GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE SOFTWARE
BUYER’S GUIDE
A CISO & COMPLIANCE TEAM’S GUIDE TO PURCHASING GRC SOFTWARE
RECIPROCITY
A Publication of
www.reciprocitylabs.com
TABLE OF CONTENTS
Ch.1     What is Governance, Risk Management & Compliance (GRC)? 3
Ch.2     Smarter Compliance, Less Risk. 5
Ch.3     When Should I Implement? 7
Ch.4     How to Find the Best GRC Tool For Your Company 9
Ch.5     Conduct a Self-Assessment 10
Ch.6     Define Goals 12
Ch.7     Develop Vendor Evaluation Criteria 14
Ch.8     Getting Started 21
Ch.9     Getting the Best Results From Your New GRC Tool 23
CHAPTER 1
WHAT IS GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE (GRC)?
Governance, Risk Management, and Compliance, or GRC, is a
broad term that covers a company’s approach to and strategy for
managing its internal governance, risk, and compliance activities.
Governance comprises the rules, structures, and accountability
within the company, whether to internal requirements or those
imposed from outside. Compliance includes the processes for
implementing and reporting the company’s adherence to external
requirements, including industry, governmental, and voluntary
standards. Risk management ties the entire practice area together
by helping a company identify its risk tolerance, and then take
appropriate measures to mitigate those risks.
GRC SOFTWARE BUYER’S GUIDE! 3
GRC software tools streamline and automate the documentation and reporting of corporate
governance, risk management, and compliance tasks, and align them with business
objectives.
A GRC software tool typically offers:
• System of record (your “single source of truth”)
• Policy management
• Audit management
• Risk management
• Automated notifications to stakeholders to perform specific GRC-related tasks
• Real-time notifications of workflow and audit activity
• Closed-loop reporting for easy calculation of compliance and risk postures
• Easy creation and editing of GRC components (controls, objectives, assets, risks, people
and more) by non-technical users
When used effectively, GRC software can help Chief Information Security Officers, Chief
Security Officers, and Directors of Compliance move past spreadsheets to mature their risk
management and compliance programs.
This guide will walk you through the steps required to purchase a GRC software tool — from
establishing goals, to identifying and comparing vendors, to getting ready for the
implementation phase and future success.
A 2016 Governance, Risk and
Compliance Survey found that 43
percent of respondents are operating
their compliance efforts at an ad hoc
or fragmented level.
CHAPTER 2
SMARTER COMPLIANCE, LESS RISK
Wondering how a GRC software tool can impact your business?
Take a look at how an all-in-one tool can reduce your risk of
non-compliance while decreasing costs and maximizing revenue,
streamlining your audit, and improving accountability.
Increase Productivity
A GRC tool significantly lowers costs associated with managing
compliance programs. First, a GRC tool will streamline and eliminate
manual processes and allow teams to more easily become and stay
compliant. Second, you will be able to utilize a GRC tool as your
single source of truth for everything related to your compliance
needs. Third, a GRC tool will significantly decrease the number of
errors, gaps, and omissions that are currently being found in your
spreadsheets. All of these benefits lead to a more productive
compliance team.
Your All-in-One Compliance Tool

With a GRC tool, compliance teams can leverage a system of record, automated workflows,
audits, pre-risk assessments, reporting & dashboards, and multiple third-party integrations all
from one central platform. A GRC tool makes compliance trackable, automated and more
visible for CISOs and their teams.
Automate Your Compliance Tasks

Companies commonly find that the real value of automation lies in the fact that there are
routine tasks that must be completed. The GRC platform can automate some of those, and
send reminders for those tasks which require human interaction.
Deliver Robust Reporting

CISOs often find it difficult to determine the ROI on their compliance efforts because of an
inability to aggregate important compliance-related data. By utilizing out of the box reports, a
GRC software tool allows businesses to understand their true compliance posture and identify
gaps or overlaps in their programs. Dashboards and advanced reports deliver important
metrics to users and business decision-makers.
Support Your Audit Team

Audit teams execute a process. And like any business process, they need quality input. A
well-documented compliance program in a GRC tool and the ability to conduct an audit over
that program can jumpstart your internal audit teams and ease the burden of providing
information to an external auditor. Key tasks in the audit process also gain an efficiency boost
from a GRC tool, such as automating evidence collection and dashboards to show progress.
At the end of the audit, the outputs can be fed back into the GRC tool for automated tracking.
Issues can be assigned for remediation, while the auditor’s opinions of control effectiveness
can be documented to show your compliance posture.
Fifty-nine percent of CCOs are only somewhat confident, or not confident at all, that the IT systems
used by their compliance department can fulfill their reporting tasks and responsibilities, according
to Deloitte’s In Focus: 2015 Compliance Trends Survey.
According to Blue Hill Research, the
benefits resulting from implementing a
GRC platform range between 25%
and 30% in time saved in compliance
and risk activities.
CHAPTER 3
WHEN SHOULD I IMPLEMENT?
Be proactive and make managing GRC less of a hassle and more
productive!
Below are three reasons why businesses put off implementing
GRC tools, and responses for why these scenarios are actually
the perfect time to get started.
“We’re doing just fine using spreadsheets.”
Research shows that almost 90% of all spreadsheets have errors.
When you talk about the data in your compliance program, a 90%
error rate, in most industries, is going to be completely
unacceptable. The underlying cause is the lack of structure
around collaboration and version control. If you’re using
spreadsheets to manage multiple compliance programs, it’s
imperative that you move to a system of record that provides you with
a single source of truth that’s more reliable.
“I have an audit coming up”
An audit is a great opportunity to mature from your spreadsheets to a more robust tool. Part of
the audit preparation involves getting your compliance data properly documented and
collated for the auditor.
Taking the additional step to migrate that content into a GRC tool where you can keep it up to
date and use it as the basis for ongoing reporting helps you to leverage that work, getting
more value out of your audit prep investment. Once you get results back from your audit, you
can track your compliance posture and use the GRC tool to aid in remediation, rather than
being forced to create and maintain new spreadsheets.
“Budgets are tight right now”
No compliance team is ever over-resourced. However, paying high-earning professionals to
manage inefficient spreadsheet-based programs is not the best use of your limited budget.
Your team’s time would be better spent implementing and ensuring controls are operating
effectively, rather than trying to reconcile a handful of spreadsheets or babysitting colleagues
via email. A GRC tool that can send automated reminders for compliance tasks is a better
investment than having a member of your staff sending out reminder emails and tracking
completion status manually!
According to an OCEG study, 85% of
companies feel that they would benefit
from integrating the use of technology
for their GRC activities.
CHAPTER 4
HOW TO FIND THE BEST GRC TOOL FOR YOUR COMPANY
Purchasing GRC software can streamline your work and remove a
lot of headaches. But how do you know where to start?
Choosing a GRC software solution is an important decision. Not only
is governance, risk management and compliance a significant
investment in time and resources, the system you choose will have
an enormous impact on the daily workload of both your risk and
compliance teams. So make sure to conduct the proper research
and go into the process with the right questions in hand. Start by
evaluating your own compliance effort to determine your particular
needs and priorities, then take a closer look at the many features of
governance, risk management and compliance software and what
specific attributes to look for in each. The recommendations
included in the next 3 chapters will help you decide what criteria you
will use to evaluate GRC tool vendors.
CHAPTER 5
CONDUCT A SELF-ASSESSMENT
Gaining a better understanding of your compliance team’s
regular and periodic processes will make it easier to identify
opportunities for improvement.
Review the following questions with your team and come up with
thoughtful responses.
How many compliance frameworks are you required to implement
(e.g. SOC 2, ISO 27001, PCI-DSS)? When do you conduct audits for
each of these programs?
Do you have a strategy to format spreadsheets for the different
programs that you’re managing? How do you ensure that you can
produce consistent metrics from each?
How do you currently collect audit evidence? What are the
inefficiencies in your process?
Are you using Sharepoint, Google Drive, Box, or Dropbox as a
content repository? (Y/N)
Does your compliance team use other software tools to manage
compliance? (Y/N)
If yes, list the different tools, how you’re using them and explain
how they work together.
How do you handle the assignment and handoff of compliance
tasks to non-compliance stakeholders, such as system
configuration tasks assigned to sysadmins?
How does your compliance team prioritize tasks?
How are you measuring and evaluating your compliance
programs?
ANSWERS:
CHAPTER 6
DEFINE GOALS
Once you’ve assessed your current processes, it’s time to define
what you hope to achieve with implementation and plan out your
strategy.
In order to properly prepare for the search phase, it’s important to
discuss governance, risk management and compliance with all
departments that will be affected and define the specific
requirements of each.
Use the following questions to plan how each department will
use GRC software and reap the benefits.
Who in your company will use GRC software? Who will take
ownership?
What information will you need in order to make sound decisions
about your GRC programs?
What compliance frameworks are various departments tasked with
implementing or maintaining (e.g. InfoSec handles PCI-DSS,
Finance handles SOX)?
How can other departments take advantage of a GRC software
tool, and what benefits can you realize from having a single GRC
platform shared across departments?
How can you integrate other GRC-related software tools into your
GRC software tool?
What are your current KPIs, and how can you show each
department’s value?
What are some short-term goals that can be achieved with
governance, risk management and compliance?
What are some long-term goals that can be achieved with
governance, risk management and compliance?
ANSWERS:
CHAPTER 7
DEVELOP VENDOR EVALUATION
CRITERIA
After you’ve conducted initial research and determined which
vendors to investigate further, the next step is to schedule time to
see demos of the products that have made the cut. Having the
opportunity to compare and contrast each vendor’s solutions will
help you understand what you’ll be able to achieve with each
platform, and how well their features meet your needs.
Here are a few parameters that you should evaluate as the
vendors work with you:
• Implementation
• Functionality
• Ease of use
• Executive dashboards
• Third-party integrations and API capabilities
• Expected ROI
• Future innovation and product roadmap
A typical demo may not cover everything you’re looking for, so
be sure to ask about any specific feature or use case you need.
Use the following questions as a guide as you begin conversations
with vendors and discover the capabilities of their products:
Implementation
How long does it take to get value from the tool?
Is training and support included, or is it an additional cost?
How much time will it take for the GRC product you’ve chosen to be up and
running?
Is the amount of time it takes to implement reasonable (couple of
weeks or months)?
How many hours are you expected to contribute to this burden?
How much will your compliance landscape shift between now and
then?
What kind of professional services are required to start using the
application?
If a standard changes in a year, how much will it cost you to be
ready to comply with it?
ANSWERS:
Functionality
Can you easily map one control across multiple standards?
Do you have full role-based access?
Can you import existing data into the tool?
Can you test and gather audit evidence, and remediate issues found
during audits?
Can you build ad-hoc workflows to automate various compliance
tasks?
Can you configure this system yourself or do you require
professional services?
Will the tool be able to support your use cases for today and in the
future?
Can I perform Pre-Risk Assessments of third parties?
Are the risk scores of third parties plotted on a heat map?
ANSWERS:
Ease of Use
What are the different roles available and what access does each
role get?
How easy is it to import existing data into the tool? How long does
this take?
How can you test and gather evidence?
How do you remediate issues?
Is the user experience simple enough to take the headache out of
your day-to-day tasks?
Is this a product that is intuitive to you?
Will other people in the organization use it?
Will you find yourself using the product on behalf of others?
ANSWERS:
Executive Dashboards
Can executives quickly see the status of our past, present and future
compliance programs?
Can we readily identify gaps in our compliance posture?
If a regulation changes or I’m forced to comply with a new standard,
does the tool highlight my gaps and provide actionable intelligence
to close them?
Can I save money and make it easier to run an audit through a GRC
tool?
ANSWERS:
API Capabilities and Third-Party Integrations
Give a brief overview of the connectors your solution offers. Where
do your clients find the most value?
Does the GRC tool allow you to integrate data from other software
tools you’re using? How easy is that integration process? Does it
require professional services, does it require custom development,
or is it a simple point-and-click process?
Does your solution offer ticketing software plug-ins to allow users to
work within their preferred ticketing software platform? Which
platforms?
How long will it take me to get up and running for each of these
integrations?
How will your connectors provide my compliance team with
additional insight into the needs of our programs?
How will your connectors help with my reporting?
How often do you add connectors?
ANSWERS:
ROI of GRC
How much time will this save across the company?
Can this solution help me replace hiring one or more FTEs?
Will this solution make my life as well as other colleagues’ lives
better?
Will this help save time when engaging and working with 3rd party
auditors?
What confidence do I have that errors and omissions will be
removed with the implementation of a GRC tool?
If a regulation changes or I’m forced to comply with a new standard,
will this reduce time and cost?
Will my licenses cover everything or will I need to buy additional
modules to meet my needs?
Is the pricing transparent? If your use case for GRC within the
organization expands, how much in additional costs will it take for
the tool to service those use cases and users?
Will the product save me enough time to justify the money I have
allocated in the budget?
How much would it cost to hire someone to do what this GRC
software does?
How much time savings will this tool enable by centralizing
everything?
Future Innovation and Product Roadmap
Will the company share their product roadmap?
How quickly do they ship releases?
Does the tool feel finished, or is it immature?
Will the product keep up with a changing compliance landscape?
Does the product look modern?
Do you feel that the product will receive regular upgrades?
ANSWERS:
CHAPTER 8
GETTING STARTED
Once you’ve picked a governance, risk management and
compliance solution that aligns with your needs and goals, there
are a few steps you can take prior to implementation to ensure
success.
Get Organized
Currently, the compliance related data you have may be spread out
across multiple spreadsheets and emails. Build a single source of
truth by aggregating all of your data.
To ensure a seamless transition, make sure to use a consistent
format that your GRC tool will accept. For example, CSV files are a
popular format for uploading and mapping data to GRC tool
frameworks.
To help you get started, it is useful to identify the following attributes
in your compliance program data, and ensure they are easily
identifiable within your documentation:
Control implementation description. How do you as a company meet
the requirement set by the standard?
Ownership. Who’s responsible for implementing and maintaining this
control in your environment?
Applicability. Does this control apply to your entire company, or just
to a particular product/department/business unit?
Mappings. Is this control related to any processes, departments, or
other compliance frameworks in use at your company?
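As an added example (not from the guide), here is a small Python script that parses a control inventory in the CSV form chapter 8 recommends and checks each control for the four attributes just listed; the column names and the sample rows are constructed for illustration and are not the guide's own data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample control inventory (not from the guide): one row per
# control, with the four attributes the chapter asks you to identify.
# "mappings" lists FRAMEWORK:REQUIREMENT pairs separated by semicolons.
SAMPLE_CSV = """control_id,description,owner,applicability,mappings
AC-01,Unique user accounts and MFA enforced for all remote access,IT Security,Company-wide,SOC2:CC6.1;ISO27001:A.9.2.1;PCI-DSS:8.3
LOG-02,Central log retention of 12 months,IT Ops,Payments platform,PCI-DSS:10.7;SOC2:CC7.2
VEND-03,Annual third-party risk review,,Company-wide,ISO27001:A.15.1.1
BCP-04,Backups tested quarterly,IT Ops,Company-wide,
"""

# The four attributes the guide says every control record should carry.
REQUIRED = ("description", "owner", "applicability", "mappings")


def parse_controls(text):
    """Parse the CSV into a list of dicts, expanding the mappings column
    into (framework, requirement) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        pairs = []
        for item in (row.get("mappings") or "").split(";"):
            item = item.strip()
            if item:
                framework, _, req = item.partition(":")
                pairs.append((framework.strip(), req.strip()))
        row["mappings"] = pairs
        rows.append(row)
    return rows


def find_gaps(controls):
    """Return (control_id, attribute) for every required attribute that is
    empty, so the gaps are fixed before the data is imported into a tool."""
    gaps = []
    for c in controls:
        for attr in REQUIRED:
            if not c.get(attr):
                gaps.append((c["control_id"], attr))
    return gaps


def coverage_by_framework(controls):
    """Map each framework to the set of requirements the inventory covers."""
    cov = defaultdict(set)
    for c in controls:
        for framework, req in c["mappings"]:
            cov[framework].add(req)
    return dict(cov)


def shared_controls(controls):
    """Controls mapped to two or more frameworks: the overlaps where one
    control (and its evidence) can satisfy several audits at once."""
    return sorted(
        c["control_id"] for c in controls
        if len({fw for fw, _ in c["mappings"]}) >= 2
    )


if __name__ == "__main__":
    inventory = parse_controls(SAMPLE_CSV)
    for control_id, attr in find_gaps(inventory):
        print(f"{control_id}: missing {attr}")
    for framework, reqs in sorted(coverage_by_framework(inventory).items()):
        print(f"{framework}: {len(reqs)} requirement(s) covered")
    print("controls shared across frameworks:", shared_controls(inventory))
```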
What a Complete Implementation Looks Like
GRC tool implementations need to be managed at the executive
level. CISOs need to communicate the GRC tool’s importance and
goals to their team and company. Every IT implementation
project should have a defined final milestone (often called a go-live
date), and a GRC tool is no exception.
Here are the criteria that signify you’ve finalized the implementation
of your newly-purchased GRC tool.
• Retire those spreadsheets: All future work by your designated
stakeholders is done inside the tool, i.e. your compliance team
and internal auditor both use the tool as a single source of truth for
control implementation details
• Reporting: Executive management has access to dashboards
with real-time data feeds provided by the GRC tool. These should
be self-service, and free up your resources to focus on tasks more
valuable than creating Excel charts.
• Automated process: Workflows, tasks, and reminders are
enabled so your GRC tool can keep you up to speed on relevant
work tasks.
• Audits: All necessary information is documented, maintained, and
accessible in the GRC tool. This can be leveraged into audits,
which are managed in the tool, providing a seamless experience
and reducing the overhead of coordinating audit artifacts and
data.
CHAPTER 9
GETTING THE BEST RESULTS
FROM YOUR NEW GRC TOOL
To get the most out of your new GRC tool, you’ll need to use the
built-in dashboards and reports to identify with your team how
you can continually improve your compliance and risk initiatives.
You should also review the following GRC Success Checklist
regularly with your team to make sure you’re tracking your
improvements.
The GRC Success Checklist
• Get executive and board support and buy-in for organization or department adoption. Board committees have a need for consolidated and efficient compliance.
• Treat your GRC rollout like any other IT project. Define a scope, milestones, and assignments, and track these through to completion.
• Identify ways that the tool is more efficient, such as automated rules and actions.
• Identify relevant legal, regulatory, and industry compliance requirements which impact your business (e.g. PCI, HIPAA, SOX, SOC 2/3, FedRAMP, etc.)
• Identify a baseline framework to harmonize your company’s control set against, e.g. ISO 27001, COSO, CIS Top 20, etc.
• Think through the data taxonomy of your compliance programs and control objects and beyond. Document the mappings of your control set against your compliance requirements. Identify overlapping requirements to help cut through complexity.
• Identify the tool’s capabilities, functions, and features, as well as your needs, such as additional metadata you need to capture. Develop the tool to meet those requirements.
• Determine your Key Performance Indicators (KPI) and Critical Success Factors (CSF). Identify metrics to track and show the value of your tool investment.
• Plan how often you will revisit your programs to make sure you’re getting the most out of your investment in a GRC software tool.
Reciprocity offers a best-in-class governance, risk management and compliance
platform that manages compliance initiatives such as system of record, workflow
and audit. We make compliance and risk officers more nimble with lightweight
software designed to turn corporate compliance from a cost center into a
valuable strategic asset.
CONTACT US
2146 3rd Street

San Francisco, CA 30326
415.851.8667
Or visit us online at www.reciprocitylabs.com.

The Evaluation Checklist
The Evaluation ChecklistThe Evaluation Checklist
The Evaluation Checklist
 

Ähnlich wie Find the Right GRC Software

ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance Jade Global
 
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHSAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHAMITTIWARI620759
 
servicenow grc training
servicenow grc trainingservicenow grc training
servicenow grc trainingkhushboo rai
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactiveROMI Associates
 
Reciprocity_Consolidated Objectives eBook v2
Reciprocity_Consolidated Objectives eBook v2Reciprocity_Consolidated Objectives eBook v2
Reciprocity_Consolidated Objectives eBook v2justinklooster
 
Empirix's Top Metrics to Achieve Contact Center Assurance
Empirix's Top Metrics to Achieve Contact Center AssuranceEmpirix's Top Metrics to Achieve Contact Center Assurance
Empirix's Top Metrics to Achieve Contact Center AssuranceAlex Johnson
 
A New Era of Compliance: Innovations in ServiceNow GRC 
A New Era of Compliance: Innovations in ServiceNow GRC A New Era of Compliance: Innovations in ServiceNow GRC 
A New Era of Compliance: Innovations in ServiceNow GRC Aelum Consulting
 
Measuring Success in Software Outsourcing: Unveiling the Metrics that Matter.pdf
Measuring Success in Software Outsourcing: Unveiling the Metrics that Matter.pdfMeasuring Success in Software Outsourcing: Unveiling the Metrics that Matter.pdf
Measuring Success in Software Outsourcing: Unveiling the Metrics that Matter.pdfMukesh Lagadhir
 
Acknowledging ServiceNow GRC's Potential for Transformation.pdf
Acknowledging ServiceNow GRC's Potential for Transformation.pdfAcknowledging ServiceNow GRC's Potential for Transformation.pdf
Acknowledging ServiceNow GRC's Potential for Transformation.pdfAelum Consulting
 
Contractor Compliance Management software
Contractor Compliance Management softwareContractor Compliance Management software
Contractor Compliance Management softwareRaviPratap83
 
A guide to scoping a crm project
A guide to scoping a crm projectA guide to scoping a crm project
A guide to scoping a crm projectCatherine Carlyle
 
Staffing Software Key Capabilities - Hidden Brains Infotech
Staffing Software Key Capabilities - Hidden Brains Infotech Staffing Software Key Capabilities - Hidden Brains Infotech
Staffing Software Key Capabilities - Hidden Brains Infotech Rosalie Lauren
 

Ähnlich wie Find the Right GRC Software (20)

ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance ServiceNow Governance, Risk, and Compliance
ServiceNow Governance, Risk, and Compliance
 
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHSAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
 
servicenow grc training
servicenow grc trainingservicenow grc training
servicenow grc training
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive
 
task 1
task 1task 1
task 1
 
Reciprocity_Consolidated Objectives eBook v2
Reciprocity_Consolidated Objectives eBook v2Reciprocity_Consolidated Objectives eBook v2
Reciprocity_Consolidated Objectives eBook v2
 
Empirix's Top Metrics to Achieve Contact Center Assurance
Empirix's Top Metrics to Achieve Contact Center AssuranceEmpirix's Top Metrics to Achieve Contact Center Assurance
Empirix's Top Metrics to Achieve Contact Center Assurance
 
GRC tools
GRC toolsGRC tools
GRC tools
 
A New Era of Compliance: Innovations in ServiceNow GRC 
A New Era of Compliance: Innovations in ServiceNow GRC A New Era of Compliance: Innovations in ServiceNow GRC 
A New Era of Compliance: Innovations in ServiceNow GRC 
 
GRC tools
GRC toolsGRC tools
GRC tools
 
GRC tools
GRC toolsGRC tools
GRC tools
 
FF - Buyers Guidex4
FF - Buyers Guidex4FF - Buyers Guidex4
FF - Buyers Guidex4
 
Measuring Success in Software Outsourcing: Unveiling the Metrics that Matter.pdf
Measuring Success in Software Outsourcing: Unveiling the Metrics that Matter.pdfMeasuring Success in Software Outsourcing: Unveiling the Metrics that Matter.pdf
Measuring Success in Software Outsourcing: Unveiling the Metrics that Matter.pdf
 
Concept of Governance - Management of Operational Risk for IT Officers/Execut...
Concept of Governance - Management of Operational Risk for IT Officers/Execut...Concept of Governance - Management of Operational Risk for IT Officers/Execut...
Concept of Governance - Management of Operational Risk for IT Officers/Execut...
 
Acknowledging ServiceNow GRC's Potential for Transformation.pdf
Acknowledging ServiceNow GRC's Potential for Transformation.pdfAcknowledging ServiceNow GRC's Potential for Transformation.pdf
Acknowledging ServiceNow GRC's Potential for Transformation.pdf
 
Software for Optimal Operations
Software for Optimal OperationsSoftware for Optimal Operations
Software for Optimal Operations
 
Contractor Compliance Management software
Contractor Compliance Management softwareContractor Compliance Management software
Contractor Compliance Management software
 
A guide to scoping a crm project
A guide to scoping a crm projectA guide to scoping a crm project
A guide to scoping a crm project
 
Staffing Software Key Capabilities - Hidden Brains Infotech
Staffing Software Key Capabilities - Hidden Brains Infotech Staffing Software Key Capabilities - Hidden Brains Infotech
Staffing Software Key Capabilities - Hidden Brains Infotech
 
Software Management
Software ManagementSoftware Management
Software Management
 

Find the Right GRC Software

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE SOFTWARE BUYER’S GUIDE
A CISO & COMPLIANCE TEAM’S GUIDE TO PURCHASING GRC SOFTWARE
RECIPROCITY
A Publication of www.reciprocitylabs.com

TABLE OF CONTENTS
Ch.1 What is Governance, Risk Management & Compliance (GRC)? 3
Ch.2 Smarter Compliance, Less Risk. 5
Ch.3 When Should I Implement? 7
Ch.4 How to Find the Best GRC Tool For Your Company 9
Ch.5 Conduct a Self-Assessment 10
Ch.6 Define Goals 12
Ch.7 Develop Vendor Evaluation Criteria 14
Ch.8 Getting Started 21
Ch.9 Getting the Best Results From Your New GRC Tool 23

CHAPTER 1
WHAT IS GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE (GRC)?
Governance, Risk Management, and Compliance, or GRC, is a broad term that covers a company’s approach to and strategy for managing its internal governance, risk, and compliance activities. Governance comprises the rules, structures, and accountability within the company, whether to internal requirements or those imposed from outside. Compliance includes the processes for implementing and reporting the company’s adherence to external requirements, including industry, governmental, and voluntary standards. Risk management ties the entire practice area together by helping a company identify its risk tolerance, and then take appropriate measures to mitigate those risks.
GRC SOFTWARE BUYER’S GUIDE! 3

GRC software tools streamline and automate the documentation and reporting of corporate governance, risk management, and compliance tasks, and align them with business objectives.
A GRC software tool typically offers:
• System of record (your “single source of truth”)
• Policy management
• Audit management
• Risk management
• Automated notifications to stakeholders to perform specific GRC-related tasks
• Real-time notifications of workflow and audit activity
• Closed-loop reporting for easy calculation of compliance and risk postures
• Easy creation and editing of GRC components (controls, objectives, assets, risks, people and more) by non-technical users
When used effectively, GRC software can help Chief Information Security Officers, Chief Security Officers, and Directors of Compliance move past spreadsheets to mature their risk management and compliance programs. This guide will walk you through the steps required to purchase a GRC software tool: from establishing goals, to identifying and comparing vendors, to getting ready for the implementation phase and future success.
A 2016 Governance, Risk and Compliance Survey found that 43 percent of respondents are operating their compliance efforts at an ad hoc or fragmented level.

CHAPTER 2
SMARTER COMPLIANCE, LESS RISK
Wondering how a GRC software tool can impact your business? Take a look at how an all-in-one tool can reduce your risk of non-compliance while decreasing costs and maximizing revenue, streamlining your audit, and improving accountability.
Increase Productivity
A GRC tool significantly lowers costs associated with managing compliance programs. First, a GRC tool will streamline and eliminate manual processes and allow teams to more easily become and stay compliant. Second, you will be able to utilize a GRC tool as your single source of truth for everything related to your compliance needs. Third, a GRC tool will significantly decrease the number of errors, gaps, and omissions that are currently being found in your spreadsheets. All of these benefits lead to a more productive compliance team.

Your All-in-One Compliance Tool
With a GRC tool, compliance teams can leverage a system of record, automated workflows, audits, pre-risk assessments, reporting & dashboards, and multiple third-party integrations all from one central platform. A GRC tool makes compliance trackable, automated and more visible for CISOs and their teams.
Automate Your Compliance Tasks
Companies commonly find that the real value of automation lies in the fact that there are routine tasks that must be completed. The GRC platform can automate some of those, and send reminders for those tasks which require human interaction.
Deliver Robust Reporting
CISOs often find it difficult to determine the ROI on their compliance efforts because of an inability to aggregate important compliance-related data. By utilizing out-of-the-box reports, a GRC software tool allows businesses to understand their true compliance posture and identify gaps or overlaps in their programs. Dashboards and advanced reports deliver important metrics to users and business decision-makers.
Support Your Audit Team
Audit teams execute a process. And like any business process, they need quality input. A well-documented compliance program in a GRC tool and the ability to conduct an audit over that program can jumpstart your internal audit teams and ease the burden of providing information to an external auditor. Key tasks in the audit process also gain an efficiency boost from a GRC tool, such as automating evidence collection and dashboards to show progress. At the end of the audit, the outputs can be fed back into the GRC tool for automated tracking. Issues can be assigned for remediation, while the auditor’s opinions of control effectiveness can be documented to show your compliance posture.
Fifty-nine percent of CCOs are only somewhat confident, or not confident at all, that the IT systems used by their compliance department can fulfill their reporting and responsibilities tasks, according to Deloitte’s In Focus: 2015 Compliance Trends Survey.
According to Blue Hill Research, the benefits resulting from implementing a GRC platform range between 25% and 30% in time saved in compliance and risk activities.

CHAPTER 3
WHEN SHOULD I IMPLEMENT?
Be proactive and make managing GRC less of a hassle and more productive! Below are three reasons why businesses put off implementing GRC tools, and responses for why these scenarios are actually the perfect time to get started.
“We’re doing just fine using spreadsheets.”
Research shows that almost 90% of all spreadsheets have errors. When you talk about the data in your compliance program, a 90% error rate, in most industries, is going to be completely unacceptable. The underlying cause is the lack of structure around collaboration and version control. If you’re using spreadsheets to manage multiple compliance programs, it’s imperative that you move to a system of record that provides you with a single source of truth that’s more reliable.

“I have an audit coming up”
An audit is a great opportunity to mature from your spreadsheets to a more robust tool. Part of the audit preparation involves getting your compliance data properly documented and collated for the auditor. Taking the additional step to migrate that content into a GRC tool where you can keep it up to date and use it as the basis for ongoing reporting helps you to leverage that work, getting more value out of your audit prep investment. Once you get results back from your audit, you can track your compliance posture and use the GRC tool to aid in remediation, rather than being forced to create and maintain new spreadsheets.
“Budgets are tight right now”
No compliance team is ever over-resourced. However, paying high-earning professionals to manage inefficient spreadsheet-based programs is not the best use of your limited budget. Your team’s time would be better spent implementing and ensuring controls are operating effectively, rather than trying to reconcile a handful of spreadsheets or babysitting colleagues via email. A GRC tool that can send automated reminders for compliance tasks is a better investment than having a member of your staff sending out reminder emails and tracking completion status manually!
According to an OCEG study, 85% of companies feel that they would benefit from integrating the use of technology for their GRC activities.

CHAPTER 4
HOW TO FIND THE BEST GRC TOOL FOR YOUR COMPANY
Purchasing GRC software can streamline your work and remove a lot of headaches. But how do you know where to start? Choosing a GRC software solution is an important decision. Not only is governance, risk management and compliance a significant investment in time and resources, the system you choose will have an enormous impact on the daily workload of both your risk and compliance teams. So make sure to conduct the proper research and go into the process with the right questions in hand. Start by evaluating your own compliance effort to determine your particular needs and priorities, then take a closer look at the many features of governance, risk management and compliance software and what specific attributes to look for in each. The recommendations included in the next 3 chapters will help you decide what criteria you will use to evaluate GRC tool vendors.

CHAPTER 5
CONDUCT A SELF-ASSESSMENT
Gaining a better understanding of your compliance team’s regular and periodic processes will make it easier to identify opportunities for improvement. Review the following questions with your team and come up with thoughtful responses.

How many compliance frameworks are you required to implement (e.g. SOC 2, ISO 27001, PCI-DSS)? When do you conduct audits for each of these programs?
Do you have a strategy to format spreadsheets for the different programs that you’re managing? How do you ensure that you can produce consistent metrics from each?
How do you currently collect audit evidence? What are the inefficiencies in your process?
Are you using Sharepoint, Google Drive, Box, or Dropbox as a content repository? (Y/N)
Does your compliance team use other software tools to manage compliance? (Y/N) If yes, list the different tools, how you’re using them and explain how they work together.
How do you handle the assignment and handoff of compliance tasks to non-compliance stakeholders, such as system configuration tasks assigned to sysadmins?
How does your compliance team prioritize tasks?
How are you measuring and evaluating your compliance programs?

CHAPTER 6
DEFINE GOALS
Once you’ve assessed your current processes, it’s time to define what you hope to achieve with implementation and plan out your strategy. In order to properly prepare for the search phase, it’s important to discuss governance, risk management and compliance with all departments that will be affected and define the specific requirements of each. Use the following questions to plan how each department will use GRC software and reap the benefits.

Who in your company will use GRC software? Who will take ownership?
What information will you need in order to make sound decisions about your GRC programs?
What compliance frameworks are various departments tasked with implementing or maintaining (e.g. InfoSec handles PCI-DSS, Finance handles SOX)?
How can other departments take advantage of a GRC software tool, and what benefits can you realize from having a single GRC platform shared across departments? How can you integrate other GRC-related software tools into your GRC software tool?
What are your current KPIs, and how can you show each department’s value?
What are some short-term goals that can be achieved with governance, risk management and compliance?
What are some long-term goals that can be achieved with governance, risk management and compliance?

CHAPTER 7
DEVELOP VENDOR EVALUATION CRITERIA
After you’ve conducted initial research and determined which vendors to investigate further, the next step is to schedule time to see demos of the products that have made the cut. Having the opportunity to compare and contrast each vendor’s solutions will help you understand what you’ll be able to achieve with each platform, and how well their features meet your needs. Here are a few parameters that you should evaluate as the vendors work with you:
• Implementation
• Functionality
• Ease of use
• Executive dashboards
• 3rd party integrations and API capabilities
• Expected ROI
• Future innovation and product roadmap
A typical demo may not cover everything you’re looking for. So, make sure to ask about a specific feature or use case.

Use the following questions as a guide as you begin conversations with vendors and discover the capabilities of their products:
Implementation
How long does it take to get value from the tool? Is training and support included, or is it an additional cost?
How much time will it take for the GRC product you’ve chosen to be up and running? Is the amount of time it takes to implement reasonable (a couple of weeks or months)? How many hours are you expected to contribute to this burden? How much will your compliance landscape shift between now and then?
What kind of professional services are required to start using the application?
If a standard changes in a year, how much will it cost you to be ready to comply with it?

Functionality
Can you easily map one control across multiple standards?
Do you have full role-based access?
Can you import existing data into the tool?
Can you test and gather audit evidence, and remediate issues found during audits?
Can you build ad-hoc workflows to automate various compliance tasks?
Can you configure this system yourself or do you require professional services?
Will the tool be able to support your use cases for today and in the future?
Can I perform Pre-Risk Assessments of third parties? Are the risk scores of third parties plotted on a heat map?

Ease of Use
What are the different roles available and what access does each role get?
How easy is it to import existing data into the tool? How long does this take?
How can you test and gather evidence? How do you remediate issues?
Is the user experience easy and simple enough to remove headache from your day-to-day tasks?
Is this a product that is intuitive to you? Will other people in the organization use it? Will you find yourself using the product on behalf of others?

Executive Dashboards
Can executives quickly see the status of our past, present and future compliance programs?
Can we readily identify gaps in our compliance posture?
If a regulation changes or I’m forced to comply with a new standard, does the tool highlight my gaps and provide actionable intelligence to close them?
Can I save money and make it easier to run an audit through a GRC tool?

API Capabilities and Third-Party Integrations
Give a brief overview of the connectors your solution offers. Where do your clients find the most value?
Does the GRC tool allow you to integrate data from other software tools you’re using? How easy is that integration process? Does it require professional services, does it require custom development, or is it a simple point-and-click process?
Does your solution offer ticketing software plug-ins to allow users to work within their preferred ticketing software platform? Which platforms?
How long will it take me to get up and running for each of these integrations?
How will your connectors provide my compliance team with additional insight into the needs of our programs? How will your connectors help with my reporting?
How often do you add connectors?

ROI of GRC
How much time will this save across the company? Can this solution help me replace hiring one or more FTEs?
Will this solution make my life as well as other colleagues’ lives better?
Will this help save time when engaging and working with 3rd party auditors?
What confidence do I have that errors and omissions will be removed with the implementation of a GRC tool?
If a regulation changes or I’m forced to comply with a new standard, will this reduce time and cost?
Will my licenses cover everything or will I need to buy additional modules to meet my needs? Is the pricing transparent? If your use case for GRC within the organization expands, how much in additional costs will it take for the tool to service those use cases and users?
Will the product save me enough time to justify the money I have allocated in the budget? How much would it cost to hire someone to do what this GRC software does? How much time savings will this tool enable by centralizing everything?
Future Innovation and Product Roadmap
Will the company share their product roadmap? How quickly do they share releases?
Does the tool feel finished, or is the tool immature?
Will the product keep up with a changing compliance landscape?
Does the product look modern? Do you feel that the product will receive regular upgrades?

CHAPTER 8
GETTING STARTED
Once you’ve picked a governance, risk management and compliance solution that aligns with your needs and goals, there are a few steps you can take prior to implementation to ensure success.
Get Organized
Currently, the compliance-related data you have may be spread out across multiple spreadsheets and emails. Build a single source of truth by aggregating all of your data. To ensure a seamless transition, make sure to use a consistent format that your GRC tool will accept. For example, CSV files are a popular format for uploading and mapping data to GRC tool frameworks.

To help you get started, it is useful to identify the following attributes in your compliance program data, and ensure they are easily identifiable within your documentation:
Control implementation description. How do you as a company meet the requirement set by the standard?
Ownership. Who’s responsible for implementing and maintaining this control in your environment?
Applicability. Does this control apply to your entire company, or just to a particular product/department/business unit?
Mappings. Is this control related to any processes, departments, or other compliance frameworks in use at your company?
What a Complete Implementation Looks Like
GRC tool implementations need to be managed at the executive level. CISOs need to communicate the GRC tool’s importance and goals to their team and company. Every IT implementation project should have a defined final milestone (often called a go-live date), and a GRC tool is no exception. Here are the criteria that signify you’ve finalized the implementation of your newly-purchased GRC tool.
• Retire those spreadsheets: All future work by your designated stakeholders is done inside the tool, i.e. your compliance team and internal auditor both use the tool as a single source of truth for control implementation details.
• Reporting: Executive management has access to dashboards with real-time data feeds provided by the GRC tool. These should be self-service, and free up your resources to focus on tasks more valuable than creating Excel charts.
• Automated process: Workflows, tasks, and reminders are enabled so your GRC tool can keep you up to speed on relevant work tasks.
• Audits: All necessary information is documented, maintained, and accessible in the GRC tool. This can be leveraged into audits, which are managed in the tool, providing a seamless experience and reducing the overhead of coordinating audit artifacts and data.

CHAPTER 9
GETTING THE BEST RESULTS FROM YOUR NEW GRC TOOL
To get the most out of your new GRC tool, you’ll need to use the built-in dashboards and reports to identify with your team how you can continually improve your compliance and risk initiatives. You should also review the following GRC Success Checklist regularly with your team to make sure you’re tracking your improvements.

The GRC Success Checklist
• Get executive and board support and buy-in for organization or department adoption. Board Committees have a need for consolidated and efficient compliance.
• Treat your GRC rollout like any other IT project. Define a scope, milestones, and assignments, and track these through to completion. Identify ways that the tool is more efficient, such as automated rules and actions.
• Identify relevant legal, regulatory, and industry compliance requirements which impact your business (e.g. PCI, HIPAA, SOX, SOC 2/3, FedRAMP, etc.).
• Identify a baseline framework to harmonize your company’s control set against, e.g. ISO 27001, COSO, CIS Top 20, etc.
• Think through the data taxonomy of your compliance programs and control objects and beyond.
• Document the mappings of your control set against your compliance requirements. Identify overlapping requirements to help cut through complexity.
• Identify the tool’s capabilities, functions, and features, as well as your needs, such as additional metadata you need to capture. Develop the tool to meet those requirements.
• Determine your Key Performance Indicators (KPI) and Critical Success Factors (CSF). Identify metrics to track and show the value of your tool investment.
• Plan how often you will revisit your programs to make sure you’re getting the most out of your investment in a GRC software tool.

Reciprocity offers a best-in-class governance, risk management and compliance platform that manages compliance initiatives such as system of record, workflow and audit. We make compliance and risk officers more nimble with lightweight software designed to turn corporate compliance from a cost center into a valuable strategic asset.
CONTACT US
2146 3rd Street
San Francisco, CA 30326
415.851.8667
Or visit us online at www.reciprocitylabs.com.
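As an added example that is not part of the guide or of Reciprocity’s product, the following Python script checks a control inventory prepared in the CSV format described under Get Organized (the four attributes: implementation description, ownership, applicability, mappings) and then does what the checklist asks for under mappings: it reports, per framework, which requirements are covered, which are gaps, and which controls are shared across standards. The column names, control ids, owners and the short requirement lists are all constructed for illustration, not taken from any real standard’s catalogue or from any GRC tool’s import format.

```python
"""Constructed example: validate a control-inventory CSV and map controls across frameworks."""
import csv
import io
from collections import defaultdict

# Constructed sample export. The columns follow the four attributes the guide
# asks for; the control ids, owners and requirement ids are made up.
# CH-01 lacks applicability, VM-01 lacks an owner, IR-01 has a malformed mapping.
SAMPLE_CSV = """control_id,description,owner,applicability,mappings
AC-01,MFA enforced for all remote and administrative access,IT Security,Company-wide,SOC2:CC6.1;ISO27001:A.9.4.2;PCI-DSS:8.3
AC-02,Quarterly access reviews for production systems,IT Security,Company-wide,SOC2:CC6.2;ISO27001:A.9.2.5
LG-01,Centralized logging with 1-year retention,SRE,Payments platform,PCI-DSS:10.7;SOC2:CC7.2
CH-01,Peer review required for all production changes,Engineering,,SOC2:CC8.1
VM-01,Monthly vulnerability scans,,Company-wide,PCI-DSS:11.2;ISO27001:A.12.6.1
IR-01,Incident response plan tested annually,Security,Company-wide,ISO27001
"""

# Constructed requirement lists per framework (a handful of ids each, not the
# real standards' full catalogues).
REQUIREMENTS = {
    "SOC2": ["CC6.1", "CC6.2", "CC7.2", "CC8.1"],
    "ISO27001": ["A.9.2.5", "A.9.4.2", "A.12.6.1", "A.16.1.1"],
    "PCI-DSS": ["8.3", "10.7", "11.2", "12.10"],
}

REQUIRED_FIELDS = ("control_id", "description", "owner", "applicability", "mappings")


def parse_mappings(field):
    """'SOC2:CC6.1;ISO27001:A.9.4.2' -> [('SOC2', 'CC6.1'), ('ISO27001', 'A.9.4.2')]."""
    pairs = []
    for item in filter(None, (s.strip() for s in field.split(";"))):
        framework, _, requirement = item.partition(":")
        if not requirement:
            raise ValueError(f"malformed mapping {item!r}, expected FRAMEWORK:REQUIREMENT")
        pairs.append((framework, requirement))
    return pairs


def load_controls(text):
    """Parse the CSV into {control_id: row}; return (controls, list of data problems)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in REQUIRED_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV missing columns: {missing}")
    controls, problems = {}, []
    for row in reader:
        cid = row["control_id"].strip()
        if cid in controls:
            problems.append(f"{cid}: duplicate control id")
            continue
        # Ownership and applicability must be filled in before import.
        for field in ("owner", "applicability"):
            if not row[field].strip():
                problems.append(f"{cid}: missing {field}")
        try:
            row["mappings"] = parse_mappings(row["mappings"])
        except ValueError as exc:
            problems.append(f"{cid}: {exc}")
            row["mappings"] = []  # keep the control, but it maps to nothing
        controls[cid] = row
    return controls, problems


def coverage_report(controls, requirements):
    """Per framework: satisfied requirements, gaps, and controls shared across frameworks."""
    satisfied = defaultdict(dict)  # framework -> requirement -> [control ids]
    unknown = []  # mappings to requirements not in the framework's list
    for cid, row in controls.items():
        for framework, req in row["mappings"]:
            if framework not in requirements or req not in requirements[framework]:
                unknown.append((cid, framework, req))
                continue
            satisfied[framework].setdefault(req, []).append(cid)
    gaps = {fw: [r for r in reqs if r not in satisfied[fw]] for fw, reqs in requirements.items()}
    shared = {}
    for cid, row in controls.items():
        frameworks = sorted({fw for fw, _ in row["mappings"]})
        if len(frameworks) > 1:  # one control satisfying several standards
            shared[cid] = frameworks
    return {"satisfied": dict(satisfied), "gaps": gaps, "shared_controls": shared, "unknown": unknown}


if __name__ == "__main__":
    found, issues = load_controls(SAMPLE_CSV)
    for issue in issues:
        print("data problem:", issue)
    report = coverage_report(found, REQUIREMENTS)
    for fw, gap_list in report["gaps"].items():
        print(f"{fw}: {len(REQUIREMENTS[fw]) - len(gap_list)}/{len(REQUIREMENTS[fw])} covered, gaps={gap_list}")
    print("controls shared across frameworks:", report["shared_controls"])
```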