Before buying GRC tools, build framework and clear requirements

When implementing governance, risk management and compliance tools, start small and know that GRC projects are ongoing endeavors that require upkeep.

Governance, risk management and compliance (GRC) software can give companies the critical data they need to get more comprehensive views of performance and ensure they're meeting compliance and regulatory requirements.

But before business leaders invest in GRC tools, they should learn the most effective strategies for making the right purchasing and implementation decisions, experts say. Besides constructing a governance framework, users also suggest understanding reporting requirements up front, starting small and ensuring that IT resources are in place for system maintenance.

Build framework first, then apply technology

"What companies need from the very beginning of the process is a [manual] governance framework. You don't need software to govern. You just need to understand your risk, what you're willing to tolerate, how you're going to manage it and what the expectations of the people in the organization are," said Renee Murphy, security and risk management senior analyst at Cambridge, Mass.-based firm Forrester Research Inc.

Murphy stressed that this step should happen before the vendor vetting process begins. "You're not in an application yet, you're just deciding what your risk management program is going to look like. You need that before you ever show up to a vendor."

For Fiserv Inc., a Brookfield, Wis.-based financial services technology firm, constructing its risk management program meant involving all the company's business units in the process.

"We developed a set of risk registers based on five categories: people, process, technology, infrastructure and environment and third-party services, [and] underneath those five categories we had a series of questions," said Ed Sarama, senior vice president and chief security officer at Fiserv. "Then we went out to all our business units and conducted an assessment to capture where they felt they were relative to inherent risk and residual risk based upon the controls they would have in place."

Subsequently, Sarama and his team brought all that information together -- much of it paper-based -- and developed a report to show the board of directors and executive management the individual risks in each business unit as well as the common risks across all of them.

Next, Fiserv created a committee consisting of risk professionals and people with technical skills to help develop the request for proposal (RFP) for a tool that would enable the company to standardize its approach to GRC.

Sarama said the company went into the vetting process with the aim to purchase a product that could add value within its first year. Fiserv also wanted a tool that would support its business processes because the company didn't want to adapt its process to support the technology.

"One other important consideration we had was security," said Raji Ganesh, vice president of risk and compliance at Fiserv. She explained that the company is very large, with sixty separate entities. "We have our own security needs to protect the risk registers of those individual business units. So we had to have a granular security infrastructure in the tool."

GRC tools require upkeep

After evaluating several options, Fiserv decided RiskVision, produced by Sunnyvale, Calif.-based vendor Agiliance Inc., best met the organization's needs.

But it wasn't completely perfect out of the box. "When we acquired the product, we did have to make customization[s] to it, so we [invested] in some professional services. But it wasn't monumental," Sarama said.

And it will continue to be tweaked over time. "We look at enhancing it year after year after year. Risk management is a journey," Sarama added. "It is not a project where you're done and you move on. It is a continuous process."

As for implementation, Ganesh suggests starting small and simple. Don't try using all the features and functionality all at once, but stay focused instead on the target business outcomes, she said. An organization can add more capabilities as it becomes more familiar with the system.

Companies should also ensure that they have the technical people devoted to maintaining GRC products, Sarama said. "It's a critical tool and you need to make sure that you have the appropriate technical teams."

It's also important to understand reporting requirements up front, Sarama said. "Ultimately, it's just data. You have to understand who your audience is that's going to view the data as well as how they want you to present [it]."

He is pleased with the reporting that RiskVision provides Fiserv. "I think we have an outstanding reporting capability and it makes everything clear cut," Sarama said. "It allows us to drill down into very specific information -- all the way down to one particular register in one particular business unit. And we're also able to bring it up to an across-the-enterprise view."

Don't believe the GRC hype

John Wheeler, research director of risk and security management at Stamford, Conn.-based research firm Gartner Inc., said when it comes to selecting GRC tools, companies should look beyond the hype.

"There's so much confusion out in the marketplace as to what GRC really means, because vendors have used the term very loosely and tried to portray their solutions as satisfying all the risk needs of an organization when, in many cases, they don't," he said.

But getting past the marketing pitches to understand how vendors' products meet their exact requirements is key for firms that want to ensure they select the GRC software that's right for them.

"Companies have to understand the necessary GRC architecture and mix of applications that they need to support their enterprise risk management programs," Wheeler said. "So having that program well-defined and in place before going out and buying all these GRC tools is critical."

About the author:
Linda Rosencrance has written about technology for more than 10 years and has been a reporter for more than 20. A former Computerworld reporter, she is a freelance writer in Massachusetts and also an author of several true-crime books.
