Security Risk Advisors

Top 5 Benefits of Implementing a GRC Tool

October 1, 2013 | Posted in GRC by Scott Byrum

Audits, risk assessments, regulatory exams, vendor assessments, vulnerability scans, penetration tests, security incidents, policy exception requests, business continuity and disaster recovery plans….is your organization drowning in this stuff?  Is it a challenge to manage and report on results from these processes, and to track actions required by business and IT stakeholders?  Do stakeholders gripe about the amount of time they spend gathering info for audits and assessments?  Organizations are turning to GRC tools to centralize data from such processes, to add workflow, and to improve reporting and metrics. 

Here are our top 5 tangible benefits organizations can realize by making the move to a GRC tool:

  1. Emergence of a sustainable organizational hierarchy – as a pre-req to integrating GRC processes, the various organization layers should be defined within the GRC tool (generally as a one-to-many relationship).  Business units are mapped to business processes and applications/systems with points-of-contact for each entry.  Embedding organizational hierarchy in a GRC tool is a task that is often overlooked but can have tremendous value.  We’ve seen the hierarchy evolve into the organization’s central authoritative inventory of applications and business processes.  Traditionally, “GRC teams” (e.g. Audit, Compliance/Risk/Vendor Management, Information Security) either don’t maintain an inventory or have conflicting inventories.  Without a clear snapshot of the organization, how do you effectively manage risk or compliance initiatives?
  2. A “one-stop shop” for GRC process results – the teams that perform the aforementioned audits, risk assessments, regulatory exams, vendor assessments, vulnerability scans, penetration tests, etc. probably use alternative approaches for sharing results including SharePoint sites, emailing Word documents, etc.  A GRC tool can be configured to enable business unit managers to access all relevant GRC info in one place in a user-friendly format.  Dashboards are configurable so the most important info can be displayed front and center.
  3. Process consolidation and consistency – GRC tool workflow capabilities and configuration flexibility make it possible to centralize, and improve consistency of, organization GRC processes.  For instance, teams like Audit, Compliance/Risk Management, and Information Security generally produce “issues” that require the affected business unit to take action to remediate.  Rather than having 3 or 4 inconsistent processes, with a GRC tool an organization can implement a single issues management process for all teams to use.  Workflow can be enabled to require issue owners to respond within 30 days to high risk issues with a remediation plan, timeline, and ultimately evidence of remediation.   Business units appreciate needing to know only one process and having a single system of record for viewing and managing issues.
  4. Improved relationship with business and IT stakeholders – do your GRC teams ever hit up stakeholders for the same information multiple times?  This is often a major point of frustration for those whose job is to generate revenue (they’ll remind you of this!)  GRC tools provide access control capability so that GRC teams can share info more effectively by enabling read-only access to each other’s information.  The ability to view a more complete picture can arm teams with the context necessary to understand the business unit profile and applicable risks and challenges.  Stakeholders will be pleased that GRC teams have taken action to reduce touch points.
  5. Savings associated with retiring legacy tools/approaches – prior to a strategic GRC tool implementation, teams rely on their own custom methodologies or tools.  After successful deployment of a GRC tool, it’s likely that these legacy approaches can be retired resulting in savings of time (less administration and overhead) and potentially licensing dollars.  One organization we worked with was able to retire two legacy GRC tools that were ineffective and poorly deployed, and discontinue use of a series of Microsoft SharePoint sites and Word/Excel templates in favor of a more strategic and integrated GRC tool.  One of the retired tools required vendor professional services any time a change was needed.

Has your organization experienced these and other benefits from rolling out a GRC tool?  We’d love to hear about your experience and share ideas.