Choosing GRC software is not an easy task. Read this post to get a few tips on how to make the choice easier.

There are a number of organizations that compare GRC (Governance, Risk and Compliance) software functions. Among the best known is Gartner, which regularly publishes its popular Magic Quadrant, and OCEG  (The Open Compliance and Ethics Group), which issues reports on GRC technologies.

But before we talk about software, we need to understand what GRC is.

What exactly is GRC?

Of course, everyone can quickly understand the acronym GRC, but simply understanding these words does not really explain the concept as a whole.

Although the “inventor” of this abbreviation is not commonly known, I find the OCEG definition to be one of the most interesting. They offer more than one definition- in fact, they provide an entire explanatory page. Here are some excerpts to help you understand GRC:

GRC is the integrated collection of resources that allows an organization to achieve objectives reliably, resolve uncertainties, and act with integrity.

GRC, as an acronym, refers to GOVERNANCE, RISK and COMPLIANCE – but the full story of GRC is much more than just these three words.

The acronym GRC refers to the critical resources that should work together to achieve Performance with Principles – the resources that make up governance, management and performance assurance, risk and compliance activities.

This includes the work done by departments like internal auditing, compliance, risk, legal, finance, IT and HR, as well as business lines, the executive team and the board itself.

It has to do with achieving goals that will add value to the business. Governance includes establishing goals and strategies, managing the organization through informed and intelligent decision-making, measuring and monitoring performance, and much more. The road to success should include anticipation and management of what can happen (Risk) while acting with integrity (Compliance). Each part of the organization has to work together, in harmony, and with shared goals, in order to achieve the full potential of the company.


The role of risk management and internal audits in corporate governance

The difficulty in choosing GRC software

Few GRC solutions and platforms have any significant functionality for defining and communicating objectives and strategies (not to mention integrating risk and measuring performance in relation to these goals and strategies). In other words, they do not really provide information on how well we are doing with respect to our goals, and what we are doing to ensure they are achieved.

It involves much more than just adding risk to a report with performance indicators. It is about understanding the probability of achieving goals.

Most solutions think of GRC as meeting needs related to a subset of GRC, such as, for example, the combination of:

  • Risk management
  • Policy and procedure management
  • Some aspects of compliance
  • Internal auditing

However, in some cases, even the combination of these elements may not make sense. What needs to be clear is that they should converge toward the overall performance of the organization. Which elements add value so that the strategic objectives can be achieved?

This is an analysis that needs to be done individually and honestly, and the conclusions may be (and in most cases will be) different for each organization. In one organization, internal auditing may play a very important role, since controls need to be highly accurate and effective. In another, compliance with policies through automated processes and procedures may be crucial to performance.

With this in mind, choosing GRC software should be simpler and give better results.

Recommendations for choosing GRC software

  • Purchase software that meets the needs of your organization as a whole, and not necessarily those attributed to GRC or with the highest ranking by analysts. Your organization’s needs are unlikely to match the criteria used by analysts.
  • Understand how you want the different business processes to work in the short and long term, and how they can be improved with technology. Do this by focusing first on individual functions (such as risk management), rather than trying to analyze multiple functions at the same time.
  • When it makes sense to buy a solution that meets the needs of more than one organization, where integration has clear value, do so. But do not value integration at the expense of efficiency and effectiveness of the individual parts.
  • Do not let features have too much influence on the acquisition of technology. The people in those areas of the organization where technology should add more value to the business as a whole should have the greatest influence. (This is to avoid, for example, the lack of functions for internal auditing from preventing the acquisition of the best technology for risk management.)
  • Involve all areas that will have responsibilities in the GRC process. The alignment and consensus of expectations can be a difficult task, but it needs to be done at this stage.

SoftExpert GRC

SoftExpert GRC is a web solution that supports governance, risk management and compliance processes across the organization. It allows organizations to effectively integrate business strategy execution with compliance and risk management practices. As a result, administrators can work towards achieving their goals with the support of risk management, while ensuring compliance with corporate policies, laws and regulations, such as SOXCOSOCOBIT and ISO 31000, among others.

Find out more about SoftExpert GRC

Tobias Schroeder


Tobias Schroeder

Spécialiste en gestion stratégique chez UFPR. Analyste d’affaires et de marché chez SoftExpert, fournisseur de logiciels pour l’automatisation et l’amélioration des processus d’affaires, la conformité réglementaire et l’organisme de gouvernancerativa.

Tu pourrais aussi aimer:

Recevez du contenu gratuit dans votre e-mail!

Abonnez-vous à notre Newsletter et recevez des informations sur les meilleures pratiques de gestion produites par des spécialistes.

En cliquant sur le bouton ci-dessous, vous confirmez que vous avez lu et accepté notre politique de confidentialité

Remplissez le formulaire pour téléchargement

Champ obligatoire
Champ obligatoire
Champ obligatoire
Veuillez informer un numéro de téléphone valide.
Champ obligatoire

En cliquant sur le bouton ci-dessous, vous confirmez que vous avez lu et accepté notre Politique de Vie Privée.