Key Features to Look for in a GRC Tool

The best GRC platforms make it easier for the three lines of defense (operational/technology/business line management, risk/compliance, and internal audit) to coordinate activities, map assurance functions and perform independent validation.  This piece lists the main features to look for when evaluating GRC tools.  

GRC Tools that Integrate the Three Lines of Defense 

A GRC platform serves as a mechanism to enable the three lines of defense (operational/technology/ business line management, risk/compliance, and internal audit) to coordinate activities, map assurance functions and perform independent validation. To get value from a GRC platform, organizations must first overcome common barriers associated with integrating these three, including: 

• Lack of sponsorship and leadership to drive integration across disparate groups 
• Lack of collaboration across groups 
• Lack of a unified GRC and enterprise risk framework 
• Complexity of existing technologies 
• Lack of effective change management 
• Lack of return on investment

GRC technology cannot overcome all the integration barriers by itself. An enterprise risk management steering committee comprised of multiple stakeholders, along with standardized policies, underlying infrastructure and a rolled-up risk assessment process are all required. Then, the GRC technology can help bring everything together to meet the enterprise objectives. 

READ:  How to Set Up a Strong GRC Program 

GRC Tools Across the Three Domains   

GRC solutions typically cover three domains: enterprise risk management (ERM), compliance management and IT governance. 

ERM Platforms 

ERM platforms help companies execute their business strategies while managing enterprise and operational risks. They are designed to support management’s articulation of business objectives, key strategies and risk appetite. The platform should enable a clear linkage of risks to performance objectives and facilitate communication between leadership and the lines of business regarding their risk exposures. 

The ERM part of the GRC tool should be able to help organizations: 

• Establish a risk model that documents a common risk language across the organization, allowing risk managers to compare and manage risks across the enterprise. 
• Deploy risk assessments through an integrated workflow and survey engine, helping risk managers identify and focus on the risks to minimize exposure. 
• Develop response strategies to address identified risks and manage the implementation and execution of the strategies through completion. 
• Establish key risk indicators (KRIs) and generate alerts to stakeholders and executives when acceptable thresholds are violated, allowing risk managers to take action.

Compliance Management Platforms 

Compliance platforms help companies incorporate compliance with external laws and regulations, as well as internal policies into their enterprise risk profile. Platforms typically combine content and policy management with external regulatory and compliance feeds, along with internal controls companies should consider. 

The compliance part of the GRC tool should help organizations: 

• Manage policies, including documentation, review, communication and attestation. 
• Integrate policies with other enterprise content and records management systems. 
• Monitor external regulations through feeds from third-party content providers. 
• Associate regulations and risks with policies and controls. 

IT Governance Platforms 

IT governance platforms help companies align IT strategy with the needs of the business by establishing IT-centric risk and compliance processes that allow for effective management of business risks and external regulations. They serve as a central repository of the IT environment and allow organizations to prioritize and manage IT projects while optimizing resource allocation, effectively balancing strategic initiatives with equally necessary compliance requirements. 

The IT governance part of the tool should help organizations: 

• Inventory the IT landscape, including assets, data, processes, services, applications and infrastructure elements. 
• Prioritize and manage IT projects based on the balance of strategic objectives and compliance requirements. 
• Manage IT policies, including their development, maintenance, communication and monitoring for adherence. 
• Support the implementation of frameworks such as those for the ISO and PCI standards. 
• Highlight results of IT risk assessments, incidents and breaches. 
• Support development of business continuity plans. 
• Serve as a central platform to test technology controls and assess the impact of controls to key business processes. 

READ:  How to Establish Data Ownership and Governance Roles 

Features of a Successful GRC Tool   

A successful GRC platform can serve as a mechanism to pull the three lines of defense (operational/ technology/business line management, risk and compliance functions, and internal audit) together at an aggregated level. To do this, it must have the requisite features in place to enable those three lines of defense to coordinate activities, map assurance functions and perform independent validation. In addition, collaborative features, such as central dashboard reporting, automated workflows and user management, are table stakes for an effective GRC platform. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.