There are a number of organizations that compare GRC (Governance, Risk and Compliance) software functions. Among the best known is Gartner, which regularly publishes its popular Magic Quadrant, and OCEG (The Open Compliance and Ethics Group), which issues reports on GRC technologies.
But before we talk about software, we need to understand what GRC is.
What exactly is GRC?
Of course, everyone can quickly understand the acronym GRC, but simply understanding these words does not really explain the concept as a whole.
Although the “inventor” of this abbreviation is not commonly known, I find the OCEG definition to be one of the most interesting. They offer more than one definition; in fact, they provide an entire explanatory page. Here are some excerpts to help you understand GRC:
GRC is the integrated collection of resources that allows an organization to achieve objectives reliably, resolve uncertainties, and act with integrity.
GRC, as an acronym, refers to GOVERNANCE, RISK and COMPLIANCE – but the full story of GRC is much more than just these three words.
The acronym GRC refers to the critical resources that should work together to achieve Performance with Principles – the resources that make up governance, management and performance assurance, risk and compliance activities.
This includes the work done by departments like internal auditing, compliance, risk, legal, finance, IT and HR, as well as business lines, the executive team and the board itself.
It has to do with achieving goals that will add value to the business. Governance includes establishing goals and strategies, managing the organization through informed and intelligent decision-making, measuring and monitoring performance, and much more. The road to success should include anticipation and management of what can happen (Risk) while acting with integrity (Compliance). Each part of the organization has to work together, in harmony, and with shared goals, in order to achieve the full potential of the company.
The difficulty in choosing GRC software
Few GRC solutions and platforms have any significant functionality for defining and communicating objectives and strategies (not to mention integrating risk and measuring performance in relation to these goals and strategies). In other words, they do not really provide information on how well we are doing with respect to our goals, and what we are doing to ensure they are achieved.
It involves much more than just adding risk to a report with performance indicators. It is about understanding the probability of achieving goals.
Most solutions treat GRC as meeting the needs of only a subset of the discipline, such as, for example, the combination of:
- Risk management
- Policy and procedure management
- Some aspects of compliance
- Internal auditing
However, in some cases, even the combination of these elements may not make sense. What needs to be clear is that they should converge toward the overall performance of the organization. Which elements add value so that the strategic objectives can be achieved?
This is an analysis that needs to be done individually and honestly, and the conclusions may be (and in most cases will be) different for each organization. In one organization, internal auditing may play a very important role, since controls need to be highly accurate and effective. In another, compliance with policies through automated processes and procedures may be crucial to performance.
With this in mind, choosing GRC software should be simpler and give better results.
Recommendations for choosing GRC software
- Purchase software that meets the needs of your organization as a whole, and not necessarily those attributed to GRC or with the highest ranking by analysts. Your organization’s needs are unlikely to match the criteria used by analysts.
- Understand how you want the different business processes to work in the short and long term, and how they can be improved with technology. Do this by focusing first on individual functions (such as risk management), rather than trying to analyze multiple functions at the same time.
- When it makes sense to buy a solution that meets the needs of more than one area of the organization, where integration has clear value, do so. But do not value integration at the expense of the efficiency and effectiveness of the individual parts.
- Do not let features have too much influence on the acquisition of technology. The people in those areas of the organization where technology should add the most value to the business as a whole should have the greatest influence. (This is to prevent, for example, a lack of internal auditing functions from blocking the acquisition of the best technology for risk management.)
- Involve all areas that will have responsibilities in the GRC process. The alignment and consensus of expectations can be a difficult task, but it needs to be done at this stage.
SoftExpert GRC is a web solution that supports governance, risk management and compliance processes across the organization. It allows organizations to effectively integrate business strategy execution with compliance and risk management practices. As a result, administrators can work towards achieving their goals with the support of risk management, while ensuring compliance with corporate policies, laws and regulations, such as SOX, COSO, COBIT and ISO 31000, among others.