5 Things to Consider Before Purchasing a GRC Solution

by Chris Bedel | Jan 26, 2018


We're seeing more and more of this with financial institutions, and the vendors offering this seem to multiply every day.  I'm talking about the online solutions that help manage Governance, Risk, and Compliance.  They typically include modules for an IT Risk Assessment, Vendor Management, Policy, Business Continuity, etc.

The concept is great, but without proper planning and thought in the selection process, you can spend a lot of money and not get the results you are looking for.  More and more I'm seeing these solutions overpromise and underdeliver.


So here are 5 things to think about before taking the plunge:

  1. What does the reporting look like?  This is top of the list for me: if you can't determine what is going on with your program and information in a really effective and easy way, the tool is almost worthless.  Make sure the reports don't just look pretty, but can actually tell you something.
  2. Process Before Login - I've heard this from a mentor of mine several times now.  It means that you should always know the process prior to implementing the technology.  Often we think that the tech will solve the problem, but it rarely does.  Determine what you need to do and how you'll do it first, then find the tech to make it more efficient.
  3. Try it before you buy it - Does it logically make sense?  Does it make your established processes easier or harder?  (For risk, make sure it has the basic concepts of risk down, like likelihood, impact, inherent risk, control effectiveness, residual risk, etc.  SOME don't get this!)
  4. Do you have the people to manage the tool?  We sometimes see new tech sitting idle for the simple reason that no one has the time to fully utilize it.
  5. How hard is it to get your data/files/documents out of the tool if you choose to leave?  We sometimes see this with vendor management: you can easily load contracts and SOC2s in the tool, but getting them back out requires individual downloads and that can be a real pain.  

If you need help evaluating whether a GRC Solution is a good fit for your institution, email us at support@bedelsecurity.com or give us a call at 833-297-7681.

 
