BWise vs KCM GRC Platform

• Great reporting tool (uses SAP Business Objects). It is quite flexible on types of reports that can be created and supported. Also the reporting consultants are very competent and nice.
• Highly customizable solution: almost everything can be tailored to an organization's needs, assessments, audits, issues, recommendations, tasks, etc. However, there's a trade-off between customization and the integration of different areas of the organization.
• Increases visibility and efficiency in the organization. BWise offers centralized repositories (catalogs) that can be easily accessed and used by everyone in the organization (e.g. Process catalog, Policies and Procedures catalog, Risks, Controls, Laws catalogs, etc.). Also, the application allows findings on controls tested by Audit to be automatically reflected in controls monitored by SOX for example, without the need for SOX to retest them. So one area can leverage on the work of other areas increasing operational efficiency.
• Increases integration and avoids silos. By choosing the correct design (e.g. Risk Workshops instead of Open Assessments), one area can see and benefit from another areas' work. An example was mentioned above; another would be Operational Risk area considering the results of Business Continuity, Vendor Management, Info Security, etc. assessments when carrying out theirs. Additionally, processes can be integrated: when contracting a new vendor for instance, one can include questions about data confidentiality and usage of models in the Vendor risk assessment. Answers to these could then trigger Info Sec / Model Risk assessments.
• Increases accountability. Application provides full audit/change log with the type of change, name of executor, and date of change.
• Easier follow-up. BWise sends automatic emails with reminders to the people required to take action on an issue, assessment, etc.

Read full review

• Mapping controls across different compliance frameworks. It saves you a ton of time and energy!
• Performing risk assessments at the granularity that you prefer, splitting assessments across departments and teams if you wish.

Read full review

• Integration with SAP for continuous control monitoring.
• Control mapping to standards: ISO; COSO; COBIT; HIPAA; SP800_53 (NIST); FedRAMP; PCI_DSS; BITS; GAAP; AICPA; BSI; CCM; COPPA; CSA
• Surveys.

Read full review

• Vendor management has a few kinks to work out. We want to be able to do internal questionnaires for vendors as a compliance checklist before we sign off on a contract. Nothing in the works yet, but there are a few workarounds.
• The navigation between different tasks in scope is clunky, and it's easy to lose your place, and it forces you back to the main page of the scope to retrace your steps.

Read full review

• Increased employee efficiency especially considering incident management and follow up.
• Increased visibility and senior management information/awareness.
• Increased employee accountability.
• Reduction of silos.

Read full review

• Just having the capacity to do things the right way, and formally, has driven some of our compliance efforts.
• Due to licensing limitations, we likely overspent on seats to the platform that we didn't need but also didn't want to miss out on.

Read full review