Governance, Risk and Compliance (GRC) is increasingly becoming an integral part of organisations, which often results in a requirement for a GRC platform. Choosing a GRC platform, however, isn’t as simple as you may have first thought. There are a lot of factors to think about when procuring a well-established platform, so we have highlighted nine questions to consider when choosing a GRC platform.
1. Why do I need a GRC platform?
Some people will question why they need a GRC platform in the first place. Perhaps your organisation uses Excel spreadsheets or SharePoint to manage risks? Unfortunately, there are some downsides to these solutions. Not only are they difficult and time-consuming to manage – they aren’t databases. They offer no referential integrity and no reliable way to create and maintain relationships between records held in different files. Unlike modern GRC tools, spreadsheets do not automatically generate the complex reports required for IT compliance audits.
The key goal of a GRC platform is to provide a structured approach to aligning IT and business objectives, whilst effectively managing risk and meeting compliance requirements.
Organisations need GRC to:
- Minimise the threats and risks the organisation is exposed to on a daily basis
- Accomplish business goals while keeping the risk profile within appetite and protecting value
- Operate within legal, contractual, internal, social and ethical boundaries
- Increase the safety and security of the organisation
- Ensure that all staff comply with and adhere to the regulations that apply to the workplace.
2. How easy-to-use and flexible is the GRC platform?
A GRC platform should offer a simple, easy on the eyes, yet intuitive interface. This might seem an insignificant consideration when choosing a GRC platform, but given the detailed information it stores, ease of use is important. Your team are more likely to understand the application, pick it up faster and get more out of the platform.
So what things should you look for? Can you customise different sections and choose what the menu titles are called? You are likely to have names and references in place in your risk management processes so it will be much easier to make the GRC platform fit for you, rather than the other way round.
Another thing to think about is how results and risks are formatted. Is it easy to see your biggest risks at a glance of a dashboard or can you only get this information by drilling down into the information?
All organisations have different types of risk, so does the platform cater to your organisational language? Does it support taxonomies that make it easier to search for individual entries and groups, or to build a hierarchy of all the data?
IRM’s GRC platform, SYNERGi, has a customisable Risk Matrix which displays on the dashboard, meaning you don’t have to dig through pages of information to find what you’re looking for.
Finally, if the GRC platform is modular-based, can you pick and choose the modules you need or are you restricted by the supplier?
3. Is the GRC platform cloud-based?
Cloud-based means the servers, storage, databases, networking and software are hosted and operated by the vendor rather than on dedicated hardware installed and maintained on your own site, which reduces cost. The vendor keeps the platform patched and up to date, which makes it an attractive choice for many organisations, including small businesses. Bear in mind that it also means your risk and vulnerability data lives in the vendor’s environment, so the security questions under question 6 matter all the more.
Essentially, you should make sure there are various deployment options. Whether this is SaaS, private cloud or on-premises deployment, check that the supplier has the appropriate option for you.
4. What data can it consume?
Complex functionality of a GRC platform is all well and good, but only if you can input the data your organisation needs to process.
Let’s use an example. You’re currently managing the compliance of hundreds of third-party suppliers in spreadsheets. Would your new GRC platform allow you to input this information and how easy would this be?
Some platforms have a Vendor Management module which allows you to easily capture existing third-party data and gain a complete picture of your vendor landscape straight out-of-the-box. This helps you to easily track your vendors and ensure they stay compliant with ever-changing security standards.
You should also check whether the platform ships with standards and policy libraries. Your organisation is likely to want to monitor risks against regulations and standards such as GDPR or ISO 27001, and it would be a tedious task to enter those requirements manually. Most platforms have standards and legislation libraries already available in the system, meaning you can quickly link policies to your different business assets and monitor and mitigate risks much more easily.
In addition, check whether the platform lets you upload risk register templates and import vulnerability reports from scanning tools such as Qualys and Nessus. Ask what the import actually does with the data: whether informational findings are filtered out, whether the same weakness on many hosts becomes one risk item or hundreds, and whether findings are linked to the assets already in the platform.
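The import question above is easiest to judge with a concrete file in hand. The following added example, which is not part of the original article and not SYNERGi code, parses a constructed scan in the standard .nessus v2 layout (NessusClientData_v2 > Report > ReportHost > ReportItem), drops informational findings, groups the same weakness across hosts into one register entry, and produces the per-severity counts a dashboard would show. Hosts, plugin IDs and plugin names in the sample are invented for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample in the .nessus v2 layout. Not a real scan: hosts,
# plugin IDs and plugin names are illustrative only.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="example-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="443" protocol="tcp" svc_name="www" severity="3"
                  pluginID="100001" pluginName="Example TLS weakness">
        <risk_factor>High</risk_factor>
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" svc_name="general" severity="0"
                  pluginID="100002" pluginName="Informational host check">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="2"
                  pluginID="100003" pluginName="Example SSH configuration issue">
        <risk_factor>Medium</risk_factor>
        <cvss_base_score>5.3</cvss_base_score>
      </ReportItem>
      <ReportItem port="443" protocol="tcp" svc_name="www" severity="3"
                  pluginID="100001" pluginName="Example TLS weakness">
        <risk_factor>High</risk_factor>
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute: 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical.
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text, min_severity=1):
    """Flatten a .nessus v2 document into one row per host/finding.

    Findings below min_severity are skipped (default drops severity-0
    informational items) so the register is not flooded with noise.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("ReportHost"):
        asset = host.get("name")
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            cvss = item.findtext("cvss_base_score")
            rows.append({
                "asset": asset,
                "plugin_id": item.get("pluginID"),
                "title": item.get("pluginName"),
                "service": f"{item.get('protocol')}/{item.get('port')}",
                "severity": SEVERITY_LABELS.get(sev, str(sev)),
                "cvss": float(cvss) if cvss else None,
            })
    return rows


def group_by_issue(rows):
    """One register entry per weakness, listing every affected asset.

    This is the shape a risk register wants: the same TLS weakness on
    fifty hosts is one risk with fifty affected assets, not fifty risks.
    """
    issues = defaultdict(lambda: {"title": None, "severity": None, "assets": []})
    for r in rows:
        entry = issues[r["plugin_id"]]
        entry["title"] = r["title"]
        entry["severity"] = r["severity"]
        if r["asset"] not in entry["assets"]:
            entry["assets"].append(r["asset"])
    return dict(issues)


def summarise(rows):
    """Dashboard-style roll-up: findings per severity and per asset, distinct issues."""
    return {
        "by_severity": dict(Counter(r["severity"] for r in rows)),
        "findings_per_asset": dict(Counter(r["asset"] for r in rows)),
        "distinct_issues": len({r["plugin_id"] for r in rows}),
    }


def to_csv(rows):
    """Render rows as CSV, the lowest common denominator most platforms will import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["asset", "plugin_id", "title", "service", "severity", "cvss"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS)
    print(summarise(findings))
    print(group_by_issue(findings))
    print(to_csv(findings))
```

Run the same file through a vendor's import during a proof of concept and compare: if the platform creates four items rather than two risks with affected-asset lists, or keeps the informational finding, you will be cleaning up by hand after every scan.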
5. What is the cost?
Cost is one of the biggest factors when it comes to choosing a GRC platform and the most asked question. Organisations might not have a big budget for GRC. But what organisations really need to think about is the cost of NOT implementing a GRC platform. What would the potential financial blow be if a compliance breach or cyber-attack occurred?
One example of how much a cyber-attack can cost is the March 2019 ransomware attack on Norsk Hydro. The aluminium producer saw over 22,000 computers infected across 170 sites in 40 countries. The attack has cost Norsk Hydro over £45 million so far and it is still months away from a full recovery.
A GRC platform would not have blocked the malware by itself, but an effective one helps an organisation highlight and prioritise its biggest risks, giving it the visibility of overall compliance and cyber risk needed to mitigate them before an attack, rather than discovering them during one.
The cost of some GRC platforms starts in the tens of thousands, whilst complex solutions can reach the millions. The final cost will depend on several variables including deployment options, number of users and the level of functionality chosen in the platform.
6. How secure is it?
GRC platforms hold a highly sensitive picture of the security posture of the enterprise, including its vulnerabilities, risks and data, together with their classification. A breach of the platform is serious: an attacker gains a ready-made list of which weaknesses to exploit, and the organisation faces damage to credibility, financial loss and legal liability. As such, the platform should provide strong protection against both external breaches (for example through encryption) and insider misuse of the information.
Security will vary between GRC platforms. SYNERGi encrypts all data in transit and at rest and is hosted on UK-based servers; the platform and hosting locations are certified against the relevant regulatory standards. Whatever platform you evaluate, ask how users authenticate (single sign-on and multi-factor authentication), how access is restricted by role, whether every change is recorded in an audit log, and whether the vendor can share the results of independent penetration testing.
7. What support do you get from the vendor?
It’s important for you to research the vendor, as you’ll be working with them throughout your GRC journey. Make sure they reply in a timely manner and understand your requirements. The vendor should be able to provide timely releases and maintenance updates, as well as consulting services and customisation when required.
Other things to consider include how easy it is to contact support and what are their service level agreements (SLAs). For example, how long will it take for them to help you with a query? These are important things to consider when you may have an important project or report to run and you need the support of your platform supplier.
Additionally, will you have an account manager? At IRM, we provide SYNERGi customers with an Account Liaison Manager – you can reach out to them at any time and ask questions. They will support you via the website, email and phone. Our help desk provides additional support and training alongside an Implementation Manager who supports the onboarding process.
8. Does it allow other stakeholders to monitor progress?
If you’re going to be the key user of the platform, there’s no doubt that you’ll be an avid and efficient user after training and support from the vendor. But sometimes, you need to consider who else might like to use the platform.
Would you be able to use the GRC platform to provide access to an auditor, for example? Perhaps your next ISO 27001 audit is coming up and rather than going through printed reports and question templates with your auditor, you could provide them with access to your GRC platform.
This is something that a lot of our customers do, as it saves them time and resources. Auditors are always pleasantly surprised to find the answers they need right at their fingertips in a clear, visual format.
Similarly, if your Board of Directors wants to easily see where their biggest business risks lie, you could provide access to the GRC platform or pull off simple reports to give them the highlights.
If you plan to share access to the platform, you should also check with your potential vendor that access can be partitioned easily by role. An auditor, a board member or a single department should see only the information they need, with the more sensitive areas of the platform closed off to them.
9. How clear is the path to your end goals?
Can your supplier give you a clear breakdown of the milestones from the commercial cycle through to your organisation using the tool for business as usual? Ensure the process is clear, as keeping your end goals in mind is vital to your time and budget.
Also ensure that the platform is efficient in driving results. Audit, risk assessment and compliance can be time-consuming without a GRC platform but it’s equally as frustrating if you procure a platform which doesn’t provide you with the appropriate output and results.
We understand that choosing a GRC platform is a significant investment, especially when you have specific questions to ask. That’s why we offer a proof of concept to allow you to experience the benefits of SYNERGi. It helps you to build a business case, validate your choice and see if we can answer your questions. If you’re interested in a free trial or demo of SYNERGi, simply contact us.