GUEST BLOG
Choosing the right Governance, Risk, and Compliance (GRC) tool can be a daunting task. There are several software solutions that can help companies leverage technology to increase their GRC capabilities and efficiencies. Certainly, in this age of doing more with less, a comprehensive GRC solution is increasingly a part of a well-run internal audit department, compliance function, risk management program, and more. However, choosing from the many providers, offerings, and packages can be mind-boggling for even the most tech-savvy executives.
There are many options for educating yourself in this area such as consultants, buyer’s guides, articles, webinars, and sales associates. Here we will look to an unconventional source for some assistance on choosing the right GRC tool or suite of tools: the children’s fairy tale.
As we learned in my previous articles, During Culture Audits, Pay Attention to the Little Red Flags and Don’t Let Fraudulent Wolves Blow the Company’s House Down, there are many things to be learned from children’s fables. This time we will look at what can be learned from the story of “Goldilocks and the Three Bears.”
Once upon a time, there was a little girl named Goldilocks who was wandering through the forest. She came upon a house, knocked on the door, and when no one answered, she let herself in. Goldilocks was hungry and realized there were three bowls of porridge on the table. You know how it goes from there: She tried each bowl of porridge and found the first too hot, the second too cold, and the third one just right. Whether it was porridge, chairs, or beds, Goldilocks thoroughly evaluated all her options before settling on the best choice for her. This story reminds me of the journey that many companies embark on to find the GRC tool that is best for them.
As organizations grow, many are moving away from using standalone documents or spreadsheets in Microsoft Office or SharePoint in favor of a more efficient and comprehensive GRC solution. Through this exploration, companies quickly realize GRC tools come in many forms and with a wide array of capabilities. They may also be designed for different divisions within an organization. For example, some GRC tools are perfect for those leading Sarbanes-Oxley (SOX) compliance or internal audit departments, but may not have an enterprise-wide view of the entire company’s risks and controls. Others may be exactly what the second line of defense would need to capture, but it can’t be used to capture audit workpapers effectively or efficiently. Some find certain packages too complex for their needs and others find that same package too simple.
GRC Software Considerations
If you are embarking on the journey to choose the GRC tool that is right for your organization, don’t despair. You don’t have to eat all of the porridge to find the best option. When approaching the strategy and selection process for your GRC solution search, consider these steps:
1) Establish your objectives and requirements: You’ll first want to collaborate with key stakeholders to define both short- and long-term business objectives for a new GRC tool. Through this process, you can document your technical and business requirements and develop key use cases that will help drive your decision. Based on the knock-out criteria established, you can rule out tools that won’t fit. There are many tools in the market, and it will be important to swiftly move on to the next “bowl of porridge.”
2) Assess different vendors and tools: Whether you start with a request for information (RFI) or you participate in every demo available at a conference, you’ll want to coordinate vendor demonstrations and on-site visits to ensure stakeholders can evaluate each tool’s capabilities firsthand. Be sure to provide your requirements and use cases to the vendors and request they showcase how their products can accommodate your unique needs. The evaluation should be governed through a vendor scoring methodology to ensure you don’t end up comparing porridge to chairs.
Different tools have different pricing structures, so you will want to factor that into your evaluation, as well. It may make more financial sense for your organization to use a vendor that charges based on the number of controls, number of users, or a fixed flat rate. Make sure to perform a detailed cost analysis that considers initial fees, annual fees, implementation fees, support fees, ongoing maintenance, and other hidden costs so you understand exactly what that tool is going to cost you. You don’t want to sit in the chair that feels just right, only to realize later that you could never actually afford it.
3) Complete vendor selection and build organizational consensus: Hopefully, at this point you have the right stakeholders involved in the process of choosing a GRC tool. For a successful implementation, you’ll need all groups who will use and rely on the tool to be aligned on the selection process and ultimate decision. After all, you wouldn’t want someone to think the bed is too hard and the others to think the bed is just right. Too often the decision is made at a high level, but the individuals required to put the tool into action aren’t on the same page. Once aligned, it’s time to negotiate the contract with your preferred vendor and rest comfortably in the bed that’s just right for the whole organization.
The moral of the story is, it is important to weigh your options, even if it’s a little more time consuming. You may still have to eat a few bowls of porridge to find the one that is just right for you, but hopefully these steps will ensure that the process isn’t too much of a bear for your organization. 
Jill Agudelo has almost twenty years of experience in internal audit, Sarbanes-Oxley (SOX), and risk management. She is a senior leader and the national SOX lead within the Risk and Compliance practice at CrossCountry Consulting, a business advisory firm. Additionally, Jill oversees CrossCountry’s client delivery for a Fortune 100 company.