What is GRC software and what does it do?

Governance, risk and compliance FAQs and answers

When it comes to governance, risk, and compliance—GRC—there are a lot of questions from risk management professionals about the implementation of GRC software platforms: Can it do that? Will it work this way? What will happen next year? Here are a few of the most commonly asked questions we receive about GRC software and its capabilities and benefits.

Q. How can you tell if the GRC platform you’re considering will support your organization’s needs, now and in the future?

Look at which processes an organization has or will need to move into a system. Will they need reporting capabilities? Do they want to send out messages to people based on different criteria in the system? Can the platform start to automate some of the organization’s processes? That’s one of the big things—looking for automation and reporting, and keeping in mind how you build things or what you’re looking to do in the future.

Building out a road map is important. You need to know what you want in two years, in four years. Make sure the system can check the boxes for what you’re looking to do short term and long term, and have those questions ready if you’re going through RFPs or demos. Get answers from the vendors on what you can do today, what’s on your road map, and what you’re looking to do in the future.

Check out these best practices when considering your RFP.

Q. If you’re at square one in planning for GRC software, what’s the most important thing to take into consideration?

Avoid thinking you can look at just one aspect. At the root of GRC, looking at governance, risk, and compliance, the most important consideration is probably two-pronged:

  1. Identification and storage of business risks.
  2. Established controls and policies to ensure proper handling of risks.

These two items are extremely important. A lot of what we do at Onspring stems from those two things.

Q. How easy or difficult is it to prove ROI with Onspring?

A lot of proving ROI in terms of Onspring might come down to man-hours or how long it’s taking somebody to do something today versus what it might take them to do using Onspring. The audit program library is something our customers are stating has provided both discipline/organization and time-saving benefits.

Another ROI benefit:

If, in your current state, your audit team is spending time creating workpapers manually and saving them, only to go back and review them again, then it’s worth looking at automation. This process flow could be easily repeated in Onspring to save a lot of time, and saving time is a big ROI with Onspring.

We have a customer who told us how many hours they estimated their people were spending in their old platform versus Onspring, and if you compare that to the wages of all those people in a certain salary range, you can start to see and understand that they were saving money and time, and were also able to spend more of their time with customers instead of time in the system.

Reducing administrative work and increasing the amount of time your control specialists are testing controls is a big ROI.

Q. How long does it take to get GRC software implemented?

The average implementation time for Onspring customers is between a month and two months. Some customers launch in less than a month and some customers with complex processes, multiple integrations or legacy data migration have taken six months.

Q. How secure is Onspring?

Onspring is a very secure platform. We’re preparing for both FedRAMP and SOC 2 security clearances, which require the highest security standards on the market. We also maintain strict protocols for hosting customer data and for who at Onspring can access customer data if ever needed.

Q. Is there a difference between GRC and IRM?

Integrated risk management (IRM) looks more at IT security or other information security pieces. GRC covers a broader spectrum than IRM. The goal of a lot of organizations is how to keep all of their data, all of their risk management and compliance data, in one spot so they can link it together and start running analysis off of it.

Q. Does Onspring make things easy in the GRC world?

Onspring is a very intuitive solution: a drag-and-drop platform, plus a highly capable support team that helps you build things out. When you pull back the curtain while you’re building, it looks easier than what people would imagine. We get feedback from clients on how simple it is, and they’re like, “Wow, that’s all you did to do that? That was a lot easier than I would’ve expected.”

About the author

Beth Strobel GRC Subject Matter Expert at Onspring

Beth Strobel
Director at Onspring & Treasurer at Women in Security
15 years GRC experience