What is GRC Software and What Does It Do?
Governance, Risk and Compliance FAQ
When it comes to governance, risk and compliance—GRC—I’ve learned that there are a lot of questions from prospective and current clients about the implementation of platforms: Can it do that? Will it work this way? What will happen next year? Another thing I’ve learned is that if you have a specific GRC question, Onspring’s experts will have the right information or needed resolution. I recently talked with Pat Richards, a manager with Onspring’s Professional Services team, and he gave me his insight on a lot of GRC questions he is frequently asked.
Q. How can you tell if the GRC platform you’re considering will support your organization’s needs, now and in the future?
I look at which processes an organization has or will need to move into a system. Will they need reporting capabilities? Do they want to send out messages to people based on different criteria in the system? Can the platform start to automate some of the organization’s processes? That’s one of the big things—looking for automation and reporting, and keeping in mind how you build things or what you’re looking to do in the future.
Building out a road map is important. You need to know what you want in two years, in four years. You have to make sure that the system can check the boxes of what you’re looking to do short term, long term, and have those questions ready if you’re going through RFPs or demos. Have the answer from the vendors of what you can do today, what’s on your road map or what you’re looking to do in the future.
Q. OK, you’re at square one, on the front edge of planning a GRC platform. What’s the most important thing to take into consideration?
I don’t think that you can look at just one thing or aspect. At the root of things with GRC, looking at governance, risk and compliance, it would be probably two-pronged, as far as importance goes: First, have you identified and do you store the risks to your business, and then, do you have, on the compliance piece, controls and policies in place to make sure that you’re handling those risks in a way that’s appropriate to the business? Those two items are extremely important. A lot of what we do at Onspring stems from those two things.
Q. How easy or difficult is it to prove ROI with Onspring, and how often are you asked to answer that question?
A lot of proving ROI in terms of Onspring might come down to man hours or how long it’s taking somebody to do something today versus what it might take them to do using Onspring. I know that the audit program library is something we built out that a couple of teams have used and it provides many benefits.
Another ROI benefit: If in your current state, your audit team has to spend time creating work papers manually and then saving them and going back and looking at them, that’s a step that could be easily repeated in Onspring to save a lot of time, and saving time is a big ROI with Onspring.
We have a customer who told us how many hours they estimated their people were spending in the old platform versus the Onspring platform, and if you compare that to the wages of all those people in a certain salary range, you can start to see and understand that they were saving money and time, and were also able to spend more of their time with customers instead of time in the system. Reducing administrative work and increasing the amount of time your control specialists are testing controls is a big ROI.
Q. I know one question you’re asked a lot is about implementation time. On average, how long does it take to get a platform implemented?
The average implementation time is between a month and two months per solution—probably two months for a full, baked-out solution. But there have been some that we’ve been able to do in less than a month, and some projects that have taken six months or more. It just depends on how complex the build-out is. If we’re implementing audit, risk and compliance all at the same time, that can take longer, but I think that the ease of configuration can speed things up versus some of our competition, and having worked in some competing platforms before, we are able to configure faster than some of the other platforms that I’ve previously worked in.
Q. How secure is Onspring?
I’ve never had a problem with security on any of my projects. The fact that we have our data centers in the cloud and with all of the controls that we have in place to secure people’s data, I can say that Onspring is a very secure platform. With the user license cost comes all of the security—we’re storing your data, we’re protecting your data. You don’t have to have database administrators that are making sure that your data’s safe and that it’s recoverable. We handle those pieces and in times where people have accidentally deleted their own things, we’ve been able to restore them. Onspring is very secure.
Q. Is there a difference between GRC and IRM?
I’m sure that there are some nuanced differences between the two, but governance, risk and compliance is broader and encompasses more areas. Integrated risk management (IRM) looks more at IT security or other information security pieces. The GRC space covers a broader spectrum than IRM, and I think it’s better to be broader. The goal of a lot of organizations is how to keep all of their data, all of their risk management and compliance data, in one spot so they can link it together and start running analysis off of it.
Q. Does Onspring make things easy in the GRC world?
I think so, and our customers do as well. It’s a very intuitive solution, a drag-and-drop platform that has a lot of help text, plus a highly capable support team that helps you build things out. When you pull back the curtain while you’re building, it looks easier than what people would imagine. We get feedback from clients on how simple it is, and they’re like, “Wow, that’s all you did to do that? That was a lot easier than I would’ve expected.”
Onspring, in the world of GRC, is on it.