10 Probing Questions To Ask Your GRC Vendor

Published December 23, 2016 by 5 min read

Overview:

Managing GRC-related work often seems like an overwhelming task. Fortunately, GRC software has helped many companies like Uber, Fastly, and ThousandEyes streamline the process. When considering the purchase of GRC software, one of the most important factors to consider is how a potential GRC software vendor’s feature set will meet a company’s individualized needs.

How can a company establish the appropriate GRC program? What are the most important questions to ask when trying to hire a GRC vendor?

Steve Stumpfl, VP of Sales at Tevora, offered insights on how to assess risk and what questions to ask while assessing tools and vendors to improve GRC practice.

Key Learnings:

Searching for the right GRC tool means doing research: both external and internal. Internally, a company needs to define its risk, shared language, and metric use goals to find the right tool. Externally, a company needs to determine the tool’s innovation, implementation, available integrations, feedback timelines, and training program. By reviewing these internal and external factors, a company can determine which tool best meets its business needs and provides the best ROI. Explaining this ROI to executives will give them a financial incentive to approve a GRC software purchase.

Determining Risk Tolerance and Shared Language

One of the fundamental aspects of compliance will be assessing and managing risk. With the continuously expanding compliance landscape, finding ways to automate and personalize the GRC process is more important than ever. Organizations need to start with a shared language that incorporates all business lines and then use this to rate both enterprise risk and process risk. Once the risk has been defined, companies will determine their control framework to confirm measurements. The framework will then define the reporting requirements and report consumers.


Management and other internal stakeholders should all discuss the metrics being applied before hiring a GRC vendor. Once this has been decided, a company can build use cases to decide on which tool is the best fit.

Deciding to Purchase GRC Software

A study by Blue Hill Research shows that implementing a GRC platform could create anywhere between a 25% to 30% time savings. This creates a considerable cost saving for mid-market to enterprise-size businesses whose compliance needs are great. However, even small and medium businesses can benefit from getting an additional 30% of time from their employees. Moreover, a study from OCEG notes that 85% of companies feel that technology integration of GRC activities offers a benefit.

A company can most efficiently evaluate a GRC tool or software vendor based on functionality, ease of use, the future innovation of the tool, feature roadmap, the analytics and insights that the tool provides, types of integrations provided, implementation process, and the ROI.

Providing Value Add

At the most fundamental level, GRC tools act as a record retention system allowing companies to see where program mappings overlap. Additionally, GRC software provides additional security and privacy since migrating the information to a platform allows individualized access and editing protocols.

Moving from spreadsheets to a software platform also allows for the automation of processes and workflows. Automation means the tool can follow up with staff on a regular basis, saving time and eliminating the stress of a manual calendar. In terms of audit, the risk assessment process helps determine that the tool chosen adheres to the compliance standards and the documentation that auditors will request. GRC software vendors therefore provide added value for the documentation of testing, evidence gathering, and issue remediation. Customer-driven instance customization gives companies more control over their compliance and eliminates the time required for submitting customization requests.

Evaluating a GRC Tool’s Innovation

The GRC software purchaser will have different uses for the tool than others in the company. Before committing to a GRC tool, management should determine how that functionality will impact other users and whether they will be able to navigate it easily.

Since businesses and compliance landscapes are constantly evolving, another important evaluation to make would be the future vision of the platform selected. Looking at the product roadmap can provide insight as to where a business’s projected developments and the GRC company’s vision align.

Next, a company should evaluate the GRC vendor’s timeline for updates and responses to feedback. Larger vendors may review large amounts of feedback and then vote on them, slowing down the update process. Smaller vendors may be able to release enhancements faster to respond to high demand.

Using Metrics Provided by a GRC Tool

For many companies, executives have little visibility into the organization’s compliance and risk posture. However, standards and regulations increasingly want top management to be aware of the business’s information security program. Sharing metrics provided by a GRC tool can be an effective way to inform top executives about both past and future compliance issues.

GRC software provides accessible metrics to show executives both compliance and appropriate risk tolerance. Moreover, when regulations change, GRC tools can help provide management with an overview of where gaps exist to ensure continued compliance in a shifting landscape.

Implementing and Integrating Easily

GRC tool implementation often inhibits companies from wanting to engage in software purchase. Knowing whether a software vendor is integrated with Google apps, JIRA, ServiceNow, or other vendor management tools that are compliance or risk related may help determine the ease of integration into the business model.

However, integration with a company’s connectors is only one issue. Implementation can take anywhere from 6 to 18 months for full engagement. Those trying to close compliance gaps before an audit or year-end need to plan for this. ZenGRC implements its software in four weeks or less, unless a company needs more time to develop appropriate use cases in order to manage compliance and risk. Implementation also includes training.

For any software product to be successful, employees need to understand how to use it to their advantage. This is where either the chosen software vendor or GRC consultants that specialize in implementation can help.

Proving ROI

Getting management support for purchasing a GRC tool means explaining the financial bottom line. Often, top executives are not involved in the daily processes of compliance. Therefore, to get them to understand the ROI of the software, it is important to monetize the time savings and show how efficiency impacts the financial stability of the organization.

Looking at a vendor means analyzing whether it will help with head count or save time when working with third-party auditors. If third-party auditors know the vendor, the cost may be lower because the audit will be faster: they already know where to locate evidence. If a GRC tool provides automatic updates regarding new regulations or standards, this saves the company time otherwise spent following and researching updates. It can also save a company financially and reputationally by ensuring that there is no gap in compliance.

Finally, when reviewing a GRC vendor’s proposal, a company should analyze whether the contract is license-based, monthly-subscription, or module-based to determine the tool’s cost effectiveness.

10 Most Important Questions

1. How easily can you map one control across multiple standards?
2. How do you build ad-hoc workflows to automate various compliance tasks?
3. How easily can you test and gather evidence? How do you remediate issues?
4. How easy is it to customize my instance?
5. Will your company share their product roadmap?
6. How can executives quickly see the status of our past, present, and future compliance programs?
7. How does your tool readily identify gaps in our compliance posture?
8. What are the connectors your solution offers? Where do your clients find the most value?
9. How much time will it take for the GRC tool you’ve chosen to be up and running?
10. How will your software save me enough time and hassle to justify the cost?
