How to evaluate and select GRC vendors and tools

There is a variety of governance, risk and compliance software on the market. Learn about some of the available products and how best to evaluate GRC tools and vendors.

A governance, risk and compliance program can be created in-house or deployed via specialized software that helps manage GRC activities and provides actionable information to optimize them.

Once a company has established what it needs from a GRC program, it is time to research the market for GRC vendors and review their offerings. Then comes the selection process. Here are some tips to complete these steps.

GRC tool and vendor analysis

GRC software is available for on-site or hosted deployments. A broad range of pricing is available, depending on features and system requirements, such as data storage, disaster recovery, server availability and network bandwidth.

It may make sense to launch a new GRC initiative with a modest investment in a GRC package, whereas an established program may need a more mature feature set. Note that GRC software with extensive features will translate into a larger investment.

Information on GRC software is readily available from multiple resources. Gartner clients should check to see if Gartner has a report examining GRC tools and services. Alternatively, research options using any available search engine. Be sure to use the baseline criteria in our downloadable GRC product comparison checklist to prepare a side-by-side comparison of prospective systems.

Complete this analysis of vendor candidates, examine their financials, consider contracts and warranties, and interview existing customers if possible.

Vendor selection and ongoing vendor tasks

Once options have been analyzed and a selection made, prepare a request for proposal or request for quotation to secure pricing and settle other issues, such as installation, training, warranties, support for service-level agreements, maintenance costs, testing capabilities, documentation provided, and technical support and assistance provided.

The next step is to formally select the vendor, have contracts reviewed and approved, organize funding, and set deployment and training schedules. Coordinate with the vendor's technical team to schedule pre-installation, cutover and post-installation activities.

With the vendor, this includes the following:

  • setting up a project plan coordinated with vendor(s);
  • coordinating system administrator and user training activities with vendor(s);
  • gathering vendor-provided documentation for installations;
  • reviewing network connectivity, e.g., internet bandwidth, for hosted systems;
  • scheduling periodic prelaunch meetings with internal teams and vendors; and
  • reviewing vendor documentation.

During the testing phase, teams should:

  • Review vendor documentation.
  • Evaluate the vendor's technical support team.
  • Identify training support from the vendor.
  • Evaluate the vendor's post-cutover support.

Once the GRC system has gone into production, conduct daily or weekly reviews with users to identify any issues for remediation. Provide regular feedback to the vendor(s) on system progress and problems.

GRC software options

There are a variety of GRC software offerings on the market for organizations to consider. Get to know a few of the available product options:

  • IBM OpenPages GRC Platform is a suite of applications that supports enterprise risk management activities. The platform includes modules in financial controls management, operational risk management, policy and compliance management, IT governance and internal audit management. On-site and cloud options are supported.
  • MetricStream Enterprise GRC Solution provides a single platform that incorporates relevant GRC activities into a unified system. Modules include enterprise risk management, operational risk management, internal audit management, Sarbanes-Oxley Act compliance management, compliance management, and policy and document management. On-site and cloud options are supported.
  • HighBond by Galvanize, part of ACL Services Ltd., provides a modular suite of applications addressing GRC and other related activities. Its ITGRCBond module addresses IT risk and compliance management; additional modules include RiskBond for risk management, ComplianceBond for compliance management and ControlsBond for internal controls management. On-site and cloud deployments are supported.
  • Saviynt's Identity Governance and Administration 2.0 advanced risk analytics platform integrates a variety of technology and application platforms for an optimized GRC system. On-site and cloud software are supported.
  • Donesafe uses its cloud technology platform, in addition to 30 different applications, to tailor a custom GRC system.

Planning for, selecting and deploying GRC software is no different from implementing any other IT installation. Many options are available with a broad range of pricing, which can make for a challenging evaluation process. Use the above tips and the downloadable GRC product comparison checklist to make a prudent choice. The right GRC software will be consistent with business requirements, provide the desired results and perform according to the customer's outlined expectations.
