The Ultimate GRC Automation Solution Buyer's Guide

Table of Contents

Introduction

While there are many GRC automation solutions on the market, not all of them are created equal. They differ significantly by nature, capabilities, use cases, and the value they can provide. Some solutions are designed to help jump-start an organization’s GRC program; others are fully enterprise-ready. Some solutions are out-of-the-box products, while others require customization. Some are audit-centric, while others focus on continuous compliance. You get the picture.

To see real (or any) value, it is imperative to choose the right solution from the outset. Choosing the wrong solution can result in wasted time and resources, audit delays, and frustration. No GRC team wants to go back to working with spreadsheets and screenshots and have to explain to management why they wasted money on an automation tool they don’t use!

So, how can you know what solution is right for you?

10 Factors to Consider When Choosing the Right GRC Automation Solution

1. GRC Maturity Fit

Be honest with yourself - how mature is your GRC program?

Evaluating where you stand is the first step toward determining what type of automation solution you need. Here are a few things to consider when assessing your maturity: How wide is the scope of your GRC program? How complex is the tech stack it covers? How big is your GRC team? What does your audit cycle look like? How are you managing risk? Take a few moments to consider where you want to be in the future, too.

Once you have a better idea of where your program stands, it is time to ask similar questions about the solutions you are evaluating. To find the right solution, check what kind of companies they are geared towards. Some companies will come right out and say it: “the best solution for startups/enterprises.” With others, you need to do a little bit of research. Do most of their customers share your level of maturity? Or are they less or much more mature? Can the capabilities and features the solution offers support your level of maturity today and where you hope to be in the near (and not-so-near) future?

2. Approach to Automation

While automation should be a given when you buy a… well, an automation solution, you should still check what exactly will be automated. Consider the level and type of automation your organization needs. How much of the work will be automated? Is it 10% or closer to 80%? What parts of the work will be automated? What will remain manual?

The most basic level of GRC automation is workflow automation. This is where a series of work-related tasks is automatically carried out based on predefined rules created by the vendor or, in some cases, by you. For example, risk assessment reminders, policy review notifications, and remediation requests can all be automated to increase efficiency.

The next level of automation involves eliminating one of the most manual and time-consuming GRC tasks: evidence collection. Chasing after control owners to get up-to-date evidence takes significant organizational time and resources. A more mature GRC automation solution offers automated evidence collection, reducing reliance on stakeholders by effectively automating data collection from enterprise apps and systems.

While some solutions collect the evidence to automate audit preparation, more advanced solutions aren’t geared towards audits at all. The most advanced level of automation is automatically testing the (automatically) collected evidence to achieve continuous compliance. The most flexible version of this level of automation allows you to define what continuous compliance means for your organization. By identifying any gaps in your program and allowing you to see their implication on your entire program, from risks to access management, this level of automation gives you deep visibility into your GRC posture.

3. Scope of Integrations

Automation needs to be fueled by something, and in the case of GRC, that fuel is data, which comes from integrations. As a rule of thumb - the greater the number of systems integrated, the greater the value a solution can offer your business, so it is essential to make sure that the solution integrates with most of your tech stack in the way it is implemented (on-prem, private, or public cloud). At the very least, you should make sure the solution integrates with the tools that take up most of your time.

But beyond the number of systems, you need to look into what the integrations themselves actually cover. What exactly does the solution collect from your tools? Does it cover everything you need for your program? Do you have any control over what the integration pulls?

Additionally, consider how the data being pulled through the integration will appear in the solution. Will you be able to see all of the data or will you simply get pass/fail test results? Is the data raw or standardized? These questions aren’t just about convenience but also whether auditors will be willing to work with the solution (see below).

4. Range of Frameworks

Depending on where your organization does business and its industry, you will need to adhere to a range of frameworks and regulations. Make sure that the GRC tool you’re evaluating supports all the frameworks you need, and ask about its roadmap. Does the company plan to onboard additional frameworks that align with your plans to expand your program?

Some tools can only support one iteration of each framework. Others allow you to manage multiple iterations of the same framework (for your different verticals or subsidiaries) while defining different scopes for each. If this is something you need, make sure the solution will easily support it. Another thing to consider is whether or not the tool supports custom frameworks (for more about customization, see below).

Finally, consider how these frameworks interact with each other, if at all. Does the solution cross-map your evidence across frameworks so that the work you do to validate evidence for one framework is applied to other relevant frameworks, eliminating redundancies?

5. Range of Applications

GRC is not just about ticking the audit boxes; it involves many more responsibilities. Check whether the GRC automation tool offers additional apps, add-on solutions, and premium features that support the automation of efforts like risk management, user access reviews, vendor risk management, policy review and approval, security assessments, and others.

6. Flexibility and Customization

Different tools offer different levels of customization of their solution. Some try to save their customers time and effort by taking a “one size fits all” approach, which can be helpful for smaller organizations with a more basic tech stack and GRC program. Other solutions follow the logic that no two mature programs are the same, so they offer higher levels of customization. When you look at solutions, check if they need to be customized, and if so, can they be customized to meet your unique needs.

Think of all aspects of your GRC program, from frameworks, controls, and evidence through risks, workflows, and reports. They may all need to be customized to fit your policies and specifications. Does the solution you're examining support that? How granular is the configurability? It is also important to understand how much customization you can do on your own and how much of it needs to be done by the vendor.

7. Cooperation with Auditors

This will heavily depend on the kind of evidence presented to the auditors (actual data vs. test results) and the level of accuracy and granularity the solution holds. A good first step here is to find out if leading audit firms, such as EY, Deloitte, Coalfire, and Schellman, accept the evidence presented in the solution.

Audits are time-consuming enough without having to serve as a middleman between the auditor and a GRC solution. That’s why some tools offer capabilities to collaborate with auditors. An example is enabling auditors to access the solution directly; some offer more restricted access to specific information, some offer communication capabilities, and so on.

8. Pricing

Cost is always a critical factor in evaluating a GRC automation tool (or any tool, really). When comparing prices, always compare value and cost together. Understand the components that make up the pricing (number of users, applications, frameworks). Ask about what impacts pricing, like usage, number of environments, and types of users. Some vendors may seem to be the cheapest, but you'll end up paying more as the fees increase with each additional framework or user.

Aside from the cost, consider the potential ROI since that is what management will be interested in, and their buy-in is crucial. A more expensive vendor that automates 80% of your tech stack may deliver a higher ROI than a less expensive vendor that automates only 40%.

9. Onboarding and Customer Service

Ok, so you’ve checked out the solutions and have answers to all the questions we mentioned above, but you’re not done quite yet!

It is critical to investigate the vendor’s after-sale support as well. Start by finding out what the onboarding process looks like, how many organizational resources will be needed, and how long it should take. You should also look into the kind of support the vendor will provide and how available the technical support team is. The intuitiveness of the platform and the robustness of the support can make a crucial difference in how successful the rollout will be.

10. Security

It should be a given that a GRC solution takes security seriously, but it’s worth checking anyway. Check whether the vendor has robust security and GRC programs and supports best practices. The vendor’s integrity is just as important as the security of the solution itself, so make sure to check both.

Ensure that onboarding the solution will allow you to maintain your best practices and adhere to internal policies. Look into whether the solution supports SSO and SCIM. Another thing to look into is where your data will be stored so that you can continue complying with your policies. Does the solution give you the option of having your data remain in your own perimeter?

Download as pdf