Nov 8, 2016
Six Features to Consider When Evaluating GRC Platforms
Governance, Risk, and Compliance (GRC) is becoming an integral part of most businesses, especially as mandates call for risk analysis and information security to be integrated into every business process. Most organizations have regulatory, contractual or legal obligations, and complying with them can seem like a daunting task to manage; often it is. That demand, however, has produced some capable GRC solutions.
Selecting the right GRC platform for your organization isn't as simple as finding out who scores best on the Magic Quadrant. There are many well-established players on the market, each with strengths and weaknesses, and finding the right fit for your organization can be both time-consuming and expensive. Work out what matters to you and which features you require before you start, so that the platform supports your GRC program rather than dictating it.
Dashboards: Your GRC Program at a Glance
Dashboards are a living view of your GRC program: a quick look at its overall state and performance.
A dashboard crammed with information may seem like a good idea, but it usually produces a poorly designed one that looks visually stunning while providing little value to the user.
Dashboards should contain information relevant to the end user and to their role. The IT support staff responsible for testing your organization's controls are not interested in the implementation status of unrelated HIPAA or FISMA programs, and should not have to wade through it.
Relevant Customizable Reporting
Reporting may be one of the most important aspects of your GRC platform, and it must offer enough diversity and customization to keep different audiences properly informed.
At the executive level, individual reports should summarize the key aspects of your GRC program. This is not entirely different from your dashboard: the point is to condense the information that is clearly strategic and matters to upper management.
At the operational level, your teams may require information on each asset, process, or control managed within your GRC platform, such as a detailed report of the risks per asset, the risk treatment option chosen for each, and who owns it.
Make sure the vendor you're evaluating has a robust reporting solution, whether it is integrated into the platform or the vendor will work with you, as the client, to build the reports that are valuable to you and your organization.
Cost
Let's not kid ourselves: cost is often a critical aspect when evaluating GRC platforms. Organizations might not be willing to spend a significant part of their budget on GRC. If you experience pushback, try to quantify the savings of running your program on GRC software instead of ad-hoc methods. You will often find that the staff effort your team spends maintaining the GRC program by hand is costing the organization more than a suitable solution would. Communicating this to executives typically ends with a quickly signed purchase order.
There are also cases where the investment is effectively mandatory. Understanding the strategy, culture, risk appetite and context of your business is the key to success. If your company must comply with a law like Sarbanes-Oxley, it stands to reason that a significant investment in GRC is required.
Licensing costs vary significantly, from the typical one-time purchase plus annual maintenance for client-server applications to per-user-per-month pricing for SaaS web-based platforms. Then there are the large players on the market, with substantial upfront setup costs, expensive implementation consultants, and exorbitant monthly fees based on your organization's size. Whichever model you are quoted, make sure the total includes implementation, training and any per-module or per-framework add-ons, since those are where the surprises usually hide.
At StandardFusion, we spent a lot of time trying to identify which pricing model made the most sense for our clients and for us, and we always came back to the very simple no-setup-fee, no-contract, per-user-per-month model.
SaaS vs. On-premise
Convenience, quick deployment, reduced costs and having your GRC platform available anywhere can make a SaaS solution very attractive for some companies. But is it the best option for your business? Possibly, but not always.
Understanding your information security requirements is a must. You may not want to, or be able to, invest in the infrastructure and workforce needed to run an on-premise solution, but some companies will not be comfortable storing critical information outside their own physical perimeter. Multinational businesses might even face legal limits on where the information may be stored or accessed, which rules out some SaaS hosting regions outright.
How much control do you want over your information? Do you have a local team with the knowledge to install the GRC solution, keep it running whenever it is required, and recover it during an incident or disaster? Will an NDA be enough to protect your information, or do you need further measures to enhance its protection and confidentiality?
Those are the kinds of questions you want to answer before evaluating individual platforms.
How easy is it to use?
A sophisticated and effective GRC platform should offer a simple, intuitive interface that is easy on the eyes. This may not make your GRC program better in itself, but it makes you and your team far more likely to embrace and use the application. You've heard the saying that you taste with your eyes; the same holds true for software and web applications. Nobody wants to eat an unattractive GRC tool. At StandardFusion we believe this wholeheartedly and typically spend weeks designing new features and functions before a single line of code is written, to ensure they align with our vision of a beautiful and intuitive GRC application.
Security
Most information handled during GRC management is confidential or strategic (risk registers, audit findings, open gaps against a standard) and requires an adequate level of protection. Information security is an essential function to look for in a GRC platform.
Information should be available only to authorized users, and access should be granted on a need-to-know basis. A secure identity and access management system must be part of a mature GRC platform: ask how the product handles role-based permissions, whether it integrates with your single sign-on provider and supports multi-factor authentication, and whether access and changes to records are logged so that the platform's own audit trail can stand up to the audits it is meant to support.
Ask the vendor about their processes for patch management and application vulnerability assessments. They should have no reason not to outline these processes to potential clients. If available, have a look at their ISO 27001 Statement of Applicability or their SOC 2 report, and check that its scope and reporting period actually cover the service you are buying rather than an unrelated part of the vendor's business.
Selecting a GRC platform that is adequate, cost-effective and provides real value to the business is no easy task, and there are many more factors to consider than those mentioned above. These are, however, a good place to start and important points to weigh in any evaluation.