Every organisation faces a unique set of risk and compliance challenges according to its industry, size, geographic location and third-party landscape. For a challenge such as the EU’s General Data Protection Regulation (GDPR), technology is likely to play an important role, and there is a tremendously wide variety of tools and technologies to help address these requirements. The difficulty is not just choosing which tool is right for a specific job, but rather what combination of tools is right for the entire set of jobs.
The governance, risk management and compliance (GRC) platform market features a wide range of products that are flexible, robust and comprehensive; you should not feel forced to settle on a technology that is so restrictive that you have to bend to its will.
It is best to look for a platform that can accommodate your functional needs and requirements, but, even more importantly, one that is flexible enough to mould to the process and cultural aspects of your organisation.
Tight integration with corporate IT systems is easier with a dedicated implementation. GRC platforms usually don’t exist in a self-contained ecosystem – they depend on other systems’ data to generate metrics, track issues for remediation, and monitor for conflicts.
These technologies usually integrate via web services or application programming interfaces (APIs), and some suppliers have developed proprietary technologies that make the data connectivity process less dependent on professional services. On-premise and hosted systems tend to meet the challenges of this requirement more easily because you have more control over the technical infrastructure.
Historically, dealing with an individual compliance mandate required a single, specialised tool, which is why organisations now have so many disparate systems. Now, the flexibility of GRC systems means that you can manage some sets of requirements on a single platform, while others may still require standalone systems with specialised features. There are two different options, and the vast majority of organisations opt for a combination of both.
Broad, general risk and compliance issues suggest a single-platform approach. When risk and regulatory environments call for strong processes and documentation without extremely granular content and analytical needs, a GRC platform is your best bet, especially when some of the requirements overlap.
Specialised requirements need best-of-breed technologies. Some regulatory requirements are so specific that they require very detailed content, sophisticated analytical capabilities, or other features not relevant for other compliance initiatives. For example, tools used to model the risk of catastrophic events are generally not helpful for other kinds of risk modelling. In these cases, business and regulatory needs go beyond what most general GRC platforms offer.
After identifying the functional requirements of your GRC system, you will have to choose the delivery model: on-premise, hosted or software-as-a-service (SaaS). Each of these comes with a long list of strengths and weaknesses, so you will have to consider a number of internal and external factors to select the right option.
If you require a rapid return on your investment or if your adoption timeline needs to be accelerated due to regulatory concerns or audit findings, you may want to leverage a hosted or SaaS solution. These delivery models alleviate the wait time for hardware acquisition and software installation, although configuration will still take some time.
Another factor helping fast adoption is the fact that suppliers actively monitor the system’s performance and proactively work with clients to solve issues before they affect performance. Keep in mind that, in the future, adding modules or even instances of the product is also likely to be faster with a hosted or SaaS system.
Regulatory requirements regarding data residency may eliminate the SaaS option. The advantages of the cloud come from multitenant environments, where your data may be in dispersed physical locations anywhere in the world at any time. Some regulations, however, such as the GDPR, do not tolerate those porous borders.
If you have special regulatory considerations related to where your data resides, you might have to avoid SaaS unless your supplier can give you a data residency guarantee. These requirements will not completely go away with on-premise or hosted delivery models, but you will have more control and oversight in both scenarios.
Limited internal resources require external solutions for success, but strained budgets and limited staff resources should not put you out of the GRC tool market. SaaS and hosted systems often offer you several billing options and help absorb some of the costs related to hardware support staff, database administrators, security administrators, and specially trained administrative personnel to support the GRC tool.
If an on-premise delivery is still your preference, a few suppliers are starting to offer remote-administration services for in-house implementations.
If your desired GRC platform does not meet corporate IT standards, start externally. The best technology for your GRC requirements might conflict with the standards your corporate IT group can support.
For example, your risk analytics might require specific database standards such as Hadoop or MongoDB, which may not have been vetted or standardised in your enterprise technology environment yet.
Here, leveraging a SaaS delivery model can resolve the misalignment. With some suppliers, you may even be able to bring an external system in-house after your corporate infrastructure standards evolve to meet the GRC platform requirements.
Tips on selecting the right GRC tools
• While the documentation of the basic GRC tool will be useful in the implementation phase, the documentation of the configured application will be how auditors, new users and light users will understand how to get what they need from it.
• While technical capabilities should be foremost in your mind, also look to see if there is a large, engaged and invested user community, and make that part of your decision process.
• Someone in your organisation will need training in the intricacies of your chosen platform, and the sooner the better. Negotiate the training costs before signing the contract, and attend the training before or during the implementation.
Source: Forrester – Choose the right technologies to support your GRC programme
This article is based on the Forrester paper, Choose the right technologies to support your GRC programme, by Renee Murphy and Claire O’Malley.