"What drives a lot of interest is the need for agility," says Rasmussen. "You can go from acceptable to unacceptable risk, from compliance to noncompliance in a second. With these tools, you can manage risk and compliance in the context of change."
IT GRC Selection Criteria
As mentioned earlier, these tools are complex and vary widely--one size does not fit all. Some are strong on policy management, others excel in their support for integration with other tools and systems. One tool may have the richest content library of controls, compliance mappings, threat information, and so on, while another may be notable for its flexibility and extensibility.
"The first question you should ask," says Gartner's Proctor, "is what audience--executives, internal auditors, regulators--are you trying to serve? It stuns me how many companies just don't think of this."
Here are some criteria for determining your corporate IT GRC needs and what you should look for to meet them:
Assess your programs for managing policy, investigations, audit, compliance, and risk. Then determine which of these are your highest priorities and match them against each tool's capabilities. "You want to understand the complexity and burden on your business to see how to make it more efficient through the software you buy," says Rasmussen. "Take an inventory of what are you trying to do today. What assessments are out there, what risk areas, compliance areas?"
See if the data repository is robust and scalable enough to meet your current and future requirements.
Determine what kind of content you have and what kinds you expect the vendor to supply.
Use the interface. Is it clear and concise? Will your users be able to navigate it and accomplish their tasks easily?
Learn how much integration will be required. Will you have to use in-house or third-party developers?
Decide how much you can do on your own and where you may need professional services.
Assess the automation capabilities. Does the tool have an easy way to automate complex processes? Does the automation deliver value where your organization most needs it?
Investigate how the tool models risk. Some may have rudimentary dashboards that only display a red, yellow or green light, while others may apply sophisticated metrics and risk analysis and provide detailed diagrams and models.
See what external data sources are tied in. What threat and compliance update feeds can be linked to keep risk assessment and compliance current?
Look for a business-process-modeling feature that allows you to visually lay out your business processes, define risk and control points, and see where risks and exposures are.