Modern companies, both small and large, require more software and tools to compete in an ever-changing marketplace. A particularly valuable tool is software that handles Governance, Risk, and Compliance, or GRC.
GRC is software that allows a company to unify the technology they utilize and business goals, manage risk, and ensure compliance with any regulations they might be obligated to meet.
GRC can provide structure and order to what can be a chaotic mess of incongruent objectives, compliance issues, and technology while also providing ways to protect your business from the data breaches that around 63 percent of tech companies have suffered in the last two years, according to Hyperproof.
Unfortunately, finding the right set of tools or software for your GRC needs can be its own chaotic mess, filled with potential pitfalls and promises that don’t deliver. To help you navigate the GRC market, here are some tips and suggestions for getting started, along with a look at some of the top GRC tools.
Why Use GRC?
On top of helping ensure your company is compliant with necessary regulations, there are a number of reasons for using a GRC solution. It can save your business money by reducing instances of unnecessary spending by getting ahead of potential threats to your bottom line, whether that be fines and penalties for non-compliance or unnoticed risks that balloon into big, expensive problems. For example, a well-implemented GRC solution can help prevent breaches of sensitive information like personal data of employees or customers and company financial information or catch them early, saving companies millions of dollars.
GRC allows for more transparent data-sharing between departments, which can improve efficiency and decrease potential data silos. Finally, a good GRC solution can help ensure your business’s data is more secure in a post-COVID world where so many employees work in remote or hybrid settings.
Also Read: What Is GRC?
Key Features of GRC Software
We’ve given a basic definition of GRC, but what features should you be looking out for? According to Steve Durbin, CEO of the Information Security Forum, you should ensure that the GRC product is supported, and ideally referenced, to an industry-recognized methodology. He recommends considering these basic requirements:
- Ability to conduct assessments at varying levels of detail depending on the criticality of the environment/system being assessed
- The need to host/upload evidence (especially the compliance requirements in the GRC)
- Provide / display outputs in accordance to recognized standards, regulations (ISO, NIST CSF, PCI)
- Predefine a set of attributes to produce a risk analysis in a short space of time, for example, define system criteria, such as internet-facing and processing personally identifying information (PII). This is particularly important for agile environments
- Provide deep analysis on business reporting with an emphasis on how this should be communicated. The reporting needs to consider multiple audiences, such as technical IT teams who typically want to know what controls to implement, the chief information security officer (CISO) for threats, and the business for costs and return on investment (ROI)
- Future proofing of functionality by considering quantitative ways in which to report risk and report the mitigating actions, such as comparing the cost of a possible risk to the cost of implementing controls both operational expenditure (OPEX) and capital expenditure (CAPEX)
Tips for Choosing the GRC Tool That’s Right for You
“Buying the right GRC platform for your organization is all about asking the right questions,” explained Sam Abadir, vice president of Industry Solutions at LockPath, a leading provider of compliance and risk management software. “There are questions to ask about your internal processes, questions to profile vendors, and questions to justify the purchase of a GRC platform. Whether you’re buying a GRC platform or trying to prepare for a mountain climb, asking the right question lowers your risk and increases the favorability of the desired outcome.”
Abadir suggests you ask three questions before buying a platform:
1. What or Who Is Driving the Need for a GRC platform?
Determining what or who prompted the search for GRC platforms can reveal what factors you need to consider before purchasing a GRC platform. From our experience, there are typically three forces at work:
- The current solution can no longer meet the demand.
- An executive or board member requested the search.
- Or an incident like a data breach has occurred.
2. How Are You Going to Support Your GRC Platform?
A GRC platform should integrate with your organization’s pre-existing processes. As such, you’ll need to consider how you will support the platform: Will you need an infrastructure team of GRC experts to manage the platform? Will you need to train staff on using the platform? Knowing what is necessary to support each potential GRC platform is critical to success.
3. Where Are You Now and Where Do You Want to Be With Compliance?
To make any progress toward any goal, you first need to determine where you’re starting. Have you purchased a GRC platform before? Are you moving from a point solution like policy management software? Do you have staff with experience using a GRC platform? Check your current proficiency level against your goals to determine what is a “must have” versus a “nice to have.”
Also Read: How to Implement a GRC Strategy
Top 10 GRC Tools in 2022
We analyzed each company’s platforms and solutions and the overall GRC marketplace through major market resources like Gartner, Forrester, and G2 to put together this list of the best GRC solutions available right now. We used the criteria provided by Steve Durbin above to help determine what platforms provided the key features that make a GRC solution worth looking at.
1. Workiva
Workiva is best-suited for organizations in the fields of banking, utilities, government, higher education, insurance, and investments. In addition to a multi-departmental GRC platform, it provides a marketplace where users can find templates and other services related to the platform offered by Workiva itself as well as partner companies like Deloitte, PwC, Oracle, and Namely. The platform can connect to data sources both on-premises and on-cloud and includes, among others, the following solutions:
- ESG Reporting
- Enterprise Risk Management
- Financial Statement Automation
- Policy and Procedure Management
- IT Risk & Compliance
- Board Report Creation
Workiva’s platform is designed to simplify the usually-complex GRC processes and ensure even the less tech-savvy members of a business can utilize its features. For external reporting, it’s excellent, though some users report requiring additional use licenses for services outside that realm.
Workiva was categorized as a Leader in the 2021 Q3 Forrester Wave Governance, Risk, and Compliance Platforms report.
Demo and pricing information are available from Workiva.
2. IBM OpenPages
Tech giant IBM’s GRC platform is powered by their IBM Watson AI and can provide a scalable software solution to medium-to-large organizations in practically any industry. Available solutions and product modules include:
- Operational Risk Management
- Model Risk Governance
- Regulatory Compliance Management
- End-to-End Data Governance
- Internal Audit Management
- IT Governance
Some users criticize the platform for the number of steps needed to set up the platform or perform simple tasks. However, its automation tools and comprehensive out-of-the-box tools are well-regarded. IBM OpenPages was named a Leader in Gartner’s 2021 Magic Quadrant for IT Risk Management. The 2021 Q3 Forrester Wave GRC Platforms report listed it as a Strong Performer.
The platform’s price can range from $48,000 to $207,000. Interested users can find more demo and pricing information on IBM’s website.
3. RSA Archer
With customization options for organizations of all sizes and industries, Archer is a good pick for companies looking for a GRC solution that can adapt to a variety of compliance and risk management needs. Its diverse suite of solutions includes the following:
- Regulatory and Corporate Compliance
- Audit Management
- IT & Security Risk Management
- Third-Party Governance
- Operational Resilience
- ESG Management
Users praise Archer for its comprehensive toolkit and solutions suite, but some have concerns with integration and customization difficulties.
In Gartner’s 2021 Magic Quadrant, Archer was named a Leader in the IT Risk Management and IT Vendor Risk Management Tools categories.
If you’re interested, RSA offers a demo of the platform, as well as pricing information, on the Archer website.
4. LogicManager
LogicManager is usable across a variety of industries, but organizations in education, retail, financial services, government, or healthcare should especially pay attention to this GRC platform. Notable features include:
- Incident Management
- Third-Party Risk Management
- Audit Management
- Financial Reporting Compliance
- IT Governance & Security
- Policy Management
Users praise LogicManager for its ease of use but some aren’t satisfied with the platform’s ability to handle more detailed contracts and documents.
Gartner recognized LogicManager as a Challenger in its 2021 Magic Quadrant in the IT Risk Management category, with the platform scoring the highest in Ability to Execute. Similarly, Forrester listed it as a Strong Performer in its Q3 2021 GRC Wave.
Interested buyers can contact LogicManager for pricing information and a demo.
5. MetricStream
MetricStream is best for organizations with a diverse set of users with distinct needs, such as executives, IT managers, and auditors. It supports industries such as life sciences, energy, telecom, technology, and insurance. It boasts an array of features, including:
- Compliance Management
- Enterprise Risk Management
- Internal Audit Management
- Regulatory Compliance Management
- Third-Party Risk Management
- IT and Cyber Compliance Management
MetricStream’s platform can be delivered on-premises or via the cloud and provides a unique user interface that’s good for less tech-savvy users.
Forrester’s GRC Wave for Q3 2021 named MetricStream a Strong Performer, and the platform was a Leader in Gartner’s 2021 Magic Quadrant for IT Risk Management.
No pricing information is available on MetricStream’s website, but you can contact the company for a demo.
6. OneTrust
With across-the-board versatility, OneTrust is great for organizations who need solutions for employees in multiple departments and roles. It also comes complete with a number of useful solutions, such as:
- Audit Management
- Vendor Risk Management
- Awareness Training
- IT & Security Management
- Enterprise & Operational Risk Management
- Incident Management
OneTrust’s platform boasts over 500 integrations, including Dropbox, G-Suite, Office 365, and GitHub, and can work in a variety of compliance and risk frameworks.
While Gartner named it a Challenger in its 2021 IT Risk Management Magic Quadrant, Forrester recognized OneTrust as a Leader in its Q3 2021 GRC Wave.
Pricing information is available on OneTrust’s website, and interested buyers can also schedule a demo.
7. Fusion Framework System
Built on Salesforce’s Lightning platform, Fusion Framework System is one of the best options for organizations already working with it and other Salesforce tech. Here are some of the features included in the solution:
- Crisis and Incident Management
- Risk Management
- IT & Security Risk Management
- Business Continuity Management
- Operational Resilience
- Third-Party Risk Management
With the Fusion Framework System, users can lay out their entire business with an easy-to-use click-to-configure user interface. Guided workflows help make the platform even more user-friendly, and its impressive integrations list make it a versatile tool for any business.
Although Forrester and Gartner both left Fusion Framework System off their respective 2021 GRC lists, Forrester did name the company a Leader in its 2021 Business Continuity Management Software Wave. The Disaster Recovery Institute International (DRI) also awarded it the Product/Service Provider of the Year prize in 2022.
Pricing information is not available on Fusion Framework System’s website, but interested parties can contact the company for a demo.
8. Riskonnect
Riskonnect is a great pick for users in the healthcare, financial services, insurance, retail, and manufacturing industries. It includes a wide array of features such as:
- Internal Audit
- Claims Administration
- ESG Management
- Compliance Management
- Enterprise Risk Management
- Third-Party Risk Management
Customers laud Riskonnect for its ease of use once everything was set up, but some find the product difficult and confusing to implement.
Riskonnect was named a Contender in Forrester’s GRC Wave for Q3 2021, and Gartner named it a Niche Player in its 2021 Magic Quadrant for IT Risk Management.
No pricing information is available on Riskonnect’s website, but interested readers can contact the company for a demo.
9. ServiceNow
With certain industry-specific solutions, ServiceNow is great for organizations working in fields like telecom, education, manufacturing, and government, among others. Its features include:
- Performance Analytics
- Operational Risk Management
- Policy and Compliance Management
- Operational Resilience
- Vendor Risk Management
- Audit Management
Users praise ServiceNow for the ability to coordinate between internal and external teams, as well as its easy-to-implement integrations. That said, some users have spoken about issues with the company’s customer support capabilities as well as an inefficient IT asset management system.
Thanks to its impressive GRC chops, Forrester listed ServiceNow as a Leader in its Q3 2021 GRC Wave. Gartner recognized the company as a Leader in IT Risk Management for its 2021 Magic Quadrant.
Pricing and demo information are available on ServiceNow’s website.
10. Diligent
Through its versatile GRC platform, Diligent seeks to help client companies modernize their governance procedures for the Digital Age. Notable features include:
- ESG Tracking & Reporting
- Policy & Training Management
- IT Risk Management
- Entity & Subsidiary Management
- Regulatory Compliance Management
- Third-Party Risk Management
Users appreciate how feature-rich Diligent’s platform is, especially regarding analytics and big data insights. However, some feel the platform could do with some streamlining, particularly in the areas of setup and implementation.
In its Q3 2021 GRC Wave, Forrester marked Diligent as a Strong Performer. The company was a Leader in Gartner’s 2021 Magic Quadrant for IT Risk Management as well.
Interested readers can request demo and pricing information from Diligent on the company’s website.
GRC vs. IRM
While researching GRC, you will inevitably stumble on the debate between GRC and integrated risk management (IRM) and what the differences are between the two. The claim made by some is that IRM is newer and more effective at risk management than GRC, but the two are very similar.
Notably, many of the same product leaders in GRC found themselves listed as product leaders in IRM when research and consulting firm Gartner coined the IRM term in 2018. It can be helpful to view IRM software as a subgenre of GRC software, one more focused on the R than the G or the C. It’s ultimately up to you to determine whether your business needs IRM or GRC more.
Final Thoughts
Choosing the right GRC product for your business isn’t easy, but we hope that the above tips and list will give you a head start on your way to GRC success. These are some of the very best GRC solutions on the market and will give you a sense of what’s available on the market as you evaluate your own needs and budget. An informed decision will help your business tremendously in the long run.
Read Next: Top Data Quality Tools & Software 2022
This post updates a Feb. 20, 2018 article by Sue Poremba.