Governance, risk and compliance (GRC) software was originally designed to keep your information controlled in an electronic format. It was often only accessed by quality teams to show external auditors and customers processes and procedures.
Over time, however, GRC software has evolved to become a single source of truth for your entire business, underpinning every decision made.
GRC software is now a robust tool that helps businesses to manage complex processes, assign roles and responsibilities, identify risks and opportunities, capture data from applications across the business, automate workflows, and create instant KPI dashboards.
From a quality perspective, GRC software provides visibility into performance across your business. It is used to plan, manage, monitor and optimise. Whether your quality objectives are to focus on reducing the cost of poor quality, nurturing customer satisfaction or fostering a culture of continuous improvement, a GRC software solution is essential for every modern business.
With so much on offer, buying a GRC solution has actually become very difficult. Unsurprisingly, the scope of "GRC software" has evolved in many different directions, and vendors now provide many different types of solution. As a customer, you need to choose between hundreds of them.
So how can you find the best GRC solution for your business?
In this article, I’ve talked you through five key considerations to help you get the best GRC solution for your business. These are:
- Defining what the 'best' solution looks like for your business
- Knowing what to spend
- Finding the right vendor for you
- Avoiding common mistakes
- Listening to feedback
I hope you’ll find this guide useful and actionable. If you have any questions, please give me a call on +44 (0) 114 282 3338 or drop me an email.
1) Defining what the 'best' solution looks like
I mentioned earlier that GRC software has evolved a lot over recent years. GRC software doesn't just keep you compliant - it offers a bevy of tools to help you make your business more profitable, enhance your company culture and make your employees happier. Yes - I said it - GRC teams now have tools to make everyone from your shop floor to your top floor happier.
So how do you know what you want to achieve with your solution?
I'd recommend creating a User Requirements Specification (URS). A URS is basically a list of all the features you want. Qualsys provide a template URS to help you get started. You can purchase it here for £29.99.
Customise the template by going around your business and asking questions. What are the business's pain points? What works at the moment? What doesn't make any sense?
You'll get a lot more ideas by asking people early on in the process and it'll help you to avoid scope creep later on in the process.
Once your URS is complete, send it to your vendors.
Some example features you may want from your GRC software solution:
- Instant KPI Dashboards: Get real-time insights into performance across your business. You can track sites / departments / individuals and share what is working well. Use these lessons and share it across your wider business.
- Documents / Policies: Systematically keep track of document and policy life cycles - get the software to do this for you! No more searching through thousands of duplicated documents in SharePoint.
- Supplier management: Few businesses know who all their suppliers are and what they use them for. This results in duplicated purchases, and wasted revenue! Get a solution with a Supplier Management module and you can get control.
- Audits: Make the most of your subject matter experts across your business by requesting that they routinely voice their opinions, issues and ideas using auditing software.
- APIs and Integrations: Bring all your data together, instantly. No more chasing departments for data and waiting three weeks.
- Risks: Give employees the opportunity to speak up about risks they see and identify issues before they occur.
- Equipment / data processing register / asset register: Wouldn't tackling regulations such as GDPR be so much easier if you knew exactly what equipment was in use and how it was being used?
- Training records: People are your most important assets. Keep their training up to date, keep them informed and properly record the training.
- CAPA / issues / complaints / change / workflows: Many businesses hope that their employees will always take responsibility and step up when there is an issue, a complaint or a CAPA requirement. But most businesses are busy and keep encountering new issues, and this creates further problems. Assign roles and responsibilities, and you get rid of frustration and have a happier, more confident and aligned business.
2) Knowing what to spend
There are so many ways GRC software can be priced. And if you aren't completely clear about how the pricing works, it can be easy to end up confused and make a bad decision.
Pricing models tend to be annual plans. However, vendors will include different things within this price. For example:
- Hosting
- End users
- Administrator licenses
- Training costs
- Support and maintenance
- What modules you'll get
- Implementation costs
If you're getting confused by pricing, calculate the price per employee over a 5-year period.
My advice:
- Have a budget. Stick to it. You don’t want to overspend and have a system which is too expensive in the long haul.
- Be realistic. You can’t expect the most feature-rich solution if your budget is £50 for the year.
- Align with your long-term business strategy. If your business is planning to grow by 50%, you'll need a system which will support that growth.
- Consider return on investment. Upfront costs might be higher because you require a thorough implementation or you may need to validate your software to meet regulatory requirements, but this could provide a return on investment faster than a cheaper solution. Try our interactive ROI calculator for more information.
- List your top 3 most important criteria before you start. Do you want a system that you can roll out across your entire business? You need free end-users. Do you want a system which your suppliers can access? You need free supplier portals.
We’ve got a more in-depth blog about costs and the factors which will influence the cost of your solution here or try our total cost of ownership calculator.
Try our 4-year total cost of ownership tool here.
3) Finding the right vendor for you
As previously mentioned, there are many different GRC software vendors, and they all specialise in different areas and can help you achieve different goals.
So what do you want from your system? What does your business want to achieve?
Below, I’ve listed the GRC software vendors my customers have come across and how I would define each of their strengths. These are listed without prejudice; we don't profess to be experts on the nuances of all offerings:
| Vendor | Strength / areas of expertise |
| --- | --- |
| Qualsys | For growing businesses who want a scalable, integrated GRC system. Available via SaaS (cloud), on-premise (server) and/or mobile (iOS and Android). |
| RSA Archer | Risk management for financial businesses. |
| IBM Open Pages | Highly bespoke solutions in larger enterprises. |
| ISO Tracker | For businesses where compliance is managed in one department / by one person. |
| BSI Entropy | For businesses with fewer than 10 employees. |
| Form.com | For businesses in hospitality, retail and construction. |
| QPulse | Heavy focus in the NHS and aerospace sector. Wide portfolio of products. |
| iAuditor | Useful auditing tool for tablets, though not integrated into a wider EQMS (for aggregate data / trend analysis / findings etc.). |
| ISM Xpress | For very small businesses. |
| Box | For managing documents. |
We've provided some free templates and tools to help you select the best vendor for your business in our Business Case toolkit.
Image: Use our vendor comparison tool in our Business Case toolkit
Tips for choosing a vendor:
- Get a demonstration - It'll help you see the solution and understand how it could work for you.
- Send the vendor your URS - Give your vendor a week or two to complete your URS so you can score your vendors for your key criteria.
Image: Internal auditing software integrates with the central document management system.
4) Avoiding common mistakes
With so many different GRC software solutions available, choosing the right one can be really difficult.
Here are some mistakes to avoid:
- Underestimating the implementation process
- Choosing an inexperienced vendor
- Neglecting the employee engagement process
- Choosing a system which you will outgrow
- Making-do with a solution because it is cheaper
- Choosing free solutions that put your business at risk
- Scope creep
- Choosing a vendor who is too big to care about you
For more tips and advice from leading brands, read our Software Buying Guide.
5) Listening to feedback
There are many different places where you might find reviews about GRC software.
Here are a few:
- Capterra (owned by Gartner)
- G2 Crowd
- Join local meetups to talk to GRC professionals
- GRC 20/20
- Training and GRC software taster workshops
At Qualsys, we always encourage you to call or visit at least one of our existing customers. We find this not only enables you to see our system in action, it provides an opportunity to learn, share and get ideas from others like you.
What you should do now
Now you know how to find the best GRC solution, you'll need to build a business case to get internal buy in. Download our free business case template here.