A lot of times when we start showing a client our out-of-the-box audit solution, we’ll be told, “Oh, that’s pretty close to what we already do.” We’ll have to tweak a couple of fields, but what Onspring starts with initially is usually all that a lot of clients will need. We take a lot of pride in the fact that we’ve added and shaped our audit solution to meet most of the needs presented to us by customers.
Much like my fishing trip, you should begin defining your requirements and planning early on, maybe even wade around in research materials for a few months before beginning the purchasing process itself. It is of paramount importance to ask yourself the tough questions that will help shape and define your scope—questions around your budget, specific needs, timeline and workflow requirements tend to work best.
Acquiring a GRC platform should be approached like any other major purchase or acquisition: consult many people in a lot of different areas. Ask your friends or colleagues, read reviews, do extra research, and as strange as this seems, even see what the trolls of the internet have to offer.
The Onspring Sales team knows you probably don’t want us to sit on the couch with you and watch Onspring videos after just having spoken for the first time, but we do our best to make you feel at ease with the resources available to help with education and awareness of where you’re at with your processes and where you can be in the future.
Onspring’s leadership, product, solution engineering, professional services and sales teams have hundreds (yes, hundreds!) of years of combined experience in business process automation with a focus on GRC. Nearly all of us here have had experience working for other GRC software providers or have helped to deliver consulting and implementation services across nearly every GRC product listed in a review, quadrant, report or software list.
When GRC platforms started becoming a “thing” in the mid-2000s, there were only a few major players in the market. They focused primarily on IT, whether it be controls, policies or risk management. Additionally, with the Enron and WorldCom scandals, SOX and its myriad of financial reporting controls quickly became platform offerings as well. As the market started expanding quickly at the turn of the decade, the concept of “eGRC”, with the “e” standing for enterprise, swept the landscape. Why settle for managing IT processes when many of the tools were capable of managing an entire organization’s Governance, Risk and Compliance frameworks? The natural progression had begun.
If, in your current state, your audit team has to spend time creating work papers manually, saving them, and then going back and looking at them, that’s a manual step that could be easily repeated in Onspring, and that ends up saving a lot of time. Looking at how much time we were spending on admin work in the past and how much of that time we are now pivoting toward audit work, saving time is a big ROI with Onspring.
I have always had a fondness for risk management; in my career, there have been many times where I have argued against something because it was too risky, at least in my eyes. Governance and compliance always seemed to be burdens to me, and to be completely honest, I was fairly prejudiced against them. With compliance, I could see the benefit from a societal level, but at a certain point I viewed it as checking off proverbial boxes.
With automated processes in place, organizations save time and ensure best practices are implemented to improve overall operational efficiency. Using a GRC platform like Onspring can help you automate many, many different kinds of jobs. You can build custom workflows for repetitive tasks, create triggers to remind you when something is due, set up approval paths, auto-generate email notifications—our no-code platform makes a lot of things easy.
For all that you do and are trying to accomplish with the use of your platform, there has to be some form of accountability within the confines of using it within your company. That means validating the controls, testing procedures and risks, etc. Without accountability, without the audit element of someone coming in and saying, “Here is what is supposed to be done,” you will find yourself missing a key letter in GRC.
Whether it be ISO 27001 or NIST, ensuring that you are employing the proper policies and frameworks is essential. Not doing a regular assessment could cause major, unsustainable damage to your business. Having the right platform to help you organize all of the policies, risks and other pertinent information (trust me, there’s a lot) is essential.
In my role leading the Solutions team at Onspring, I have the distinct honor of being one of our company’s primary storytellers. When your primary responsibility is helping clients piece together the various, individual aspects of their GRC programs—risk assessment software, compliance and control, and other solutions—into a compelling narrative about the overall health of the organization, you quickly realize that this analogy is apt.