Understanding that there is a time commitment and financial outlay to implementing a GRC solution, it is important to consider the return on investment (ROI). The benefits of a properly implemented GRC solution certainly live up to the hype. Although meeting the rigorous governance, risk and compliance requirements in today’s environment demands time and dedication, a GRC solution reduces the time and effort needed to meet those requirements. – Gene Geiger, Chief Technology Officer at A-LIGN
Gene is featured in Florida CPA Today: Fall 2019 | Volume 35, Number 4 (Pages 17-19).
Reprinted with permission, FICPA.
GRC Tools: Hype or Reality?
The industry and regulatory requirements placed on companies have significantly increased over the past 10 years. Since the introduction of the Statement on Auditing Standards (SAS) No. 70 in 1992, companies have been under a constant barrage of requirements including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Federal Information Security Management Act of 2002 (FISMA), the Payment Card Industry Data Security Standard (PCI DSS) in 2004, increased adoption of HITRUST in 2016, and most recently the General Data Protection Regulation in 2018.
In addition to the regulatory pressure, data breaches that are increasing in both size and impact are driving companies to escalate their focus on risk management. Focusing on risk requires additional work from existing information security and compliance professionals. These tasks include tracking assets, maintaining and monitoring vendors, and keeping track of service providers, all of which require additional time to complete.
Tracking these responsibilities and data points in spreadsheets and notebooks has become unrealistic from an efficiency and effectiveness standpoint. To address this issue, the market has responded with an industry of software providers that support the Governance, Risk and Compliance (GRC) needs of companies. The question remains: do these technology platforms truly drive audit efficiency and reduce the workload on information security and compliance professionals and on the company as a whole?
Defining GRC Platform Options
GRC platforms typically provide one or many of the services below. The purpose of each module is to provide a centralized, systematic platform to perform the governance, risk or compliance activities.
- Compliance Management: The flagship GRC offering for most platforms designed to support the annual audit cycle
- Enterprise Risk Management: Supports the overall risk management function of the companies
- Vendor Management: Assists in identifying, risk ranking and monitoring of vendors
- IT Risk Management: Risk management specifically focused on IT-related risks
- Business Continuity Management: Business continuity planning, document hosting & event management
- Internal Audit: Conducting internal assessments of the company’s controls
- Policy Management: Drafting, updating and hosting the company’s policies and procedures
- Vulnerability Management: Conducting vulnerability scanning activities against the company’s information technology assets
GRC platform providers are broken into two primary categories: purpose-built or wholistic. Purpose-built GRC platforms focus solely on one of the GRC modules and strive to be best-in-class in that risk area. Wholistic providers offer most, if not all, of the modules in a single software solution. The goal of the wholistic GRC solutions provider is to be the single solution that companies select to meet their governance, risk and compliance needs. Although there are many strong, purpose-built GRC solutions, wholistic GRC solutions continue to be the predominant offering in the GRC space.
Whether considering a purpose-built solution or a wholistic solution providing a wide range of GRC solutions, how do you know if a GRC solution is right for your company?
Need for GRC Solutions
GRC software solutions were traditionally reserved for large to enterprise-level companies. Two key drivers are leading small to medium-sized businesses (SMB) to adopt GRC solutions, and with that the GRC software industry is growing. First, risk management activities and adoption of audit frameworks are not just for large companies; SMB companies are also feeling the added pressure of audit requirements. Second, the software as a service (SaaS) delivery model and subscription pricing now bring the GRC platform’s price point and implementation effort to a reasonable level for the SMB market.
With these trends, SMB as well as enterprise companies should evaluate whether a GRC solution is right for them. The need for a GRC solution can be driven by a number of characteristics. Companies in highly regulated industries, including healthcare, financial services and government, are strong candidates for GRC solutions to assist in managing the risk and compliance landscape. Service providers with strict audit, compliance and contractual requirements from their customers are also strong candidates for a GRC solution. Lastly, companies that host a large amount of sensitive data should consider a GRC solution to help manage risk.
Benefits of GRC Solutions
Understanding that there is a time commitment and financial outlay to implementing a GRC solution, it is important to consider the return on investment (ROI). As the audit, risk and compliance requirements increase within a company, the need for GRC solutions increases. “Managing our multiple audit requirements without a GRC solution is a significant time draw on my team,” shared Milinda Rambel Stone, VP & CISO for Provation Medical. “By implementing a GRC solution my team will be able to systematically manage the requirements for the audits.” The benefits of a properly implemented GRC solution certainly live up to the hype. Although meeting the rigorous governance, risk and compliance requirements in today’s environment demands time and dedication, a GRC solution reduces the time and effort needed to meet those requirements.
Selecting the Right GRC Solution
If your company decides to move forward with a GRC solution, you should contemplate the following questions:
- What type of implementation should you consider? For most companies, a SaaS solution would be the right selection. For large to enterprise size companies that own their infrastructure, an on-premises solution could be considered. Your company should evaluate the technical skills and capacity of your information technology team before making a selection.
- Should you customize your solution or accept an out-of-the-box configuration? Companies will commonly find that the features within most GRC solutions meet their needs. However, for companies that are in unique industries or have internally developed GRC requirements, a customized solution may be appropriate. The cost associated with the customized solution should be weighed against the ROI of the additional needs.
- When should you select a purpose-built solution over a wholistic GRC solutions provider? The value proposition for purpose-built platforms is strongest for those companies with a critical need for one specific risk area. For example, a large company that has hundreds or even thousands of vendors that present a high level of risk may want a best-in-class vendor management GRC platform. Without a specific focus on a particular risk area, a wholistic provider may be the optimal choice.
The verdict is in: the heightened, risk-focused world that we all live in requires an automated solution to reduce the time and energy needed to maintain a strong governance, risk and compliance program. There are many solutions in the marketplace to meet your company’s needs, no matter the size or industry you operate in. Companies should evaluate their industry, regulatory requirements and internal capabilities and select the solution that is right for them.
About Gene Geiger
Gene Geiger, Chief Technology Officer at A-LIGN, has spent his career implementing and assessing information technology controls. He focuses on the governance, risk and compliance software industry and leads A-LIGN’s development efforts for the A-SCEND platform.