Governance, Risk & Compliance Platforms

What is Governance, Risk, and Compliance (GRC) Software?

Governance, Risk, and Compliance (GRC) software helps to streamline the workflows involved in managing a wide range of governance, risk, and compliance issues across an organization. These include several specific domains, such as IT, Finance, and Legal, and broader areas, such as compliance management and enterprise risk management. GRC software can be integrated, domain, or point solutions.

Integrated solutions span the entire enterprise, integrating many domains and other concerns into one package. Domain-specific GRC solutions tend to be more specific. They will often be much more tailored than a generic solution and also more flexible within the domain. Point solutions typically handle one aspect of GRC, such as compliance management systems or third-party risk management software, even if that singular aspect affects the entire organization.

IT GRC Software

GRC within the information technology domain focuses on areas such as data privacy, access control, remediation, cyber risk assessment, and process auditing. It seeks to help quantify these risks and provide information about them to key stakeholders instead of siloing them within technical departments.

IT GRC can take several different forms. Some of these include Vendor Risk Management, Insider Risk Management, Data Loss Prevention, or Threat Intelligence. Additionally, many products within this area will focus on compliance with various standards, such as SOC 2.

Financial GRC Software

GRC within the finance domain heavily revolves around legal compliance with various accounting and disclosure standards. The two biggest of these are the Sarbane-Oxley Act (SOX) and, for publicly traded companies, the Securities Act.

These acts require establishing internal controls to ensure transparency in financial reporting. These internal controls, which are rules and policies established by the company to prevent fraud, are often the main focus of Financial GRC software. Managing these numerous rules and ensuring compliance can be a tedious task, and Financial GRC often helps streamline them and make compliance easier. It also makes information more accessible for audits, which are typically a critical part of Financial GRC strategies.

There are additional aspects to Financial GRC beyond internal controls. These include requirements around reporting, attestment, and storage of various financial information. GRC software can help structure the workflow around these areas and ensure compliance with designated procedures.

Policy Management and Compliance Management Software

There are often policies that cover employees across the entirety of the company. For example, a company may adopt policies about employee training on harassment, DE&I, and other workplace topics. The company may also adopt employee policies governing a wide range of workplace behaviors and interactions.

These policies need to be accessible to employees and leaders, and measures of compliance with these policies need to be obtained and accessible. This is where policy management software and compliance management software come in. Policy mangement software can help organize policies for easy, as well as streamline the creation and approval for new ones.

Similarly, compliance management software can help ensure compliance with these polices. For example, by recording who has completed training and making both individual data and summary statistics available to decision makers.

While many of the examples here have been HR-centric, general policy management and compliance management can affect many different departments. Policy management software in particular is mostly discipline agnostic, since it serves mostly a storage purpose. Compliance managment software may need to be more specialized, since a generic package may not have the tools to adequately measure certain types of compliance.

Governance Risk & Compliance Features and Capabilities

• Policy management
• Risk management and mitigation
• Automated compliance management
• Document and information management, including version control, audit trail and archiving
• Training record manager
• Audits and inspection management
• Incident management, including root cause analysis and corrective action (CAPA) tools
• Third party/supplier risk management
• Access and privilege control
• Ongoing monitoring of business processes
• Reporting tools

Governance Risk & Compliance Tool Comparison

There are a range of factors to consider when comparing GRC tools:

1. Business-wide GRC vs. system-specific: GRC tools vary in their scope of governance and compliance capabilities. Some products offer an all-in-one experience for governing data and facilitating regulatory compliance across the entire business. However, others focus on specific environments or processes, such as Office 365 systems or data integration processes. Buyer should consider what specific areas or processes require GRC support, and what scope best fits their needs.
2. Compliance focused vs. process-focused: Governance, risk management, and compliance tools usually focus on two business goals- preventing losses of data or resources, and ensuring regulatory compliance. Most GRC tools can serve both goals, but they may be more specialized in one area over the other. For instance, resource control-focused GRC platforms will emphasis Data Loss Prevention or policy management, while compliance-focused tools will prioritize reporting and audit support.
3. Usability: A key benefit of GRC tools is making governance and compliance easier for InfoSec professionals. The general usability of each product will have a large impact on realizing that benefit. For instance, how well does the platform streamline policy management, compliance reporting, etc.? Pay particular attention to the user interface’s ease of use and how streamlined workflows are. Both features are good metrics to gauge GRC tools’ usability on prior to purchasing.

Start a GRC comparison

Pricing Information

Vendors do not provide prices on their websites as the cost of a solution depends on many different variables, including the number of businesses processes that will be managed, number of modules implemented, number of administrators and users, and if the software is subscription-based or locally installed. However, online users estimate the cost of implementing a GRC solution to be between $10,000 and $600,000.