If you’re considering automating your governance, risk, and compliance (GRC) program there are dozens of choices out there and choosing the one that’s best for your program can be challenging.

While many tools can document controls and test compliance, managing enterprise-wide governance, risk, and compliance is about much more. It is about adding measurable business value and contributing to the achievement of strategic goals.

To help you separate tools that have simply jumped on the buzzword bandwagon from tools that will help you deliver business value, here is a list of five must-have capabilities required to support your GRC or ERM program.

5 Capabilities that will add value to your GRC/ERM program

1. Are GRC and risk management tied to strategic goals? Senior management is concerned with where your organization is going. Without a connection between risk and strategic objectives, your executive team is unlikely to make risk or compliance initiatives a priority.

2. Does it directly link activities to business performance? While it is good to be in compliance and have some risks covered, your risk and compliance program should be aligned with operational goals. This means using metrics and controls that can actionably improve business performance, not just meet requirements or check off a box.

3. Does it drill down to the process level? Every day your front-line managers are making decisions about risk. Does this software give you transparency into these decisions, and will your process-level managers be able to use it?

4. Is information shared across business silos? Meeting several compliance standards often requires the collection of similar data. Does this software allow information to be collected once and then reused across silos and functions to prevent duplicate work?

5. Does it use SMART business metrics? S.M.A.R.T. business metrics are built at the process level, around root causes, are comparable, and are forward-looking, giving you the most complete picture of your risk and compliance program.

Whether your risk management program flies under the banner of GRC or ERM, you need tools that give you transparency into processes and show relationships across your enterprise.

To learn more about these attributes, take the RIMS Risk Maturity Model Assessment today and see how your program compares to industry best-practices.



  • On the question of tools for Governance, there are many. For example, there are tools for:

    • Board reporting
    • Whistleblower lines
    • Investigations
    • Legal case management
    • Internal audit management
    • Strategy management
    • Performance management
    • Financial reporting
    • Hiring and compensation
    • and more

    Most of the time, solutions that address 'governance' functionalities are not integrated with solutions for other aspects of GRC. But there are exceptions. For example, SAP's solutions for strategy management, budgeting, risk management, continuous monitoring and controls management, and more are all integrated. You can manage strategies, identify risks to their achievement, and then monitor those risks. A management report that shows a strategy together with both its KPI and KRI is standard in the strategy management product.

  • Steve, let me use a simile to explain how I feel about the phrases "GRC tools" or "GRC platforms".


    Accounts Payable is to Finance as Risk Management is to GRC.


    In other words, GRC covers a broad array of processes, organizations, and systems. The OCEG Red Book includes a list of the more common processes that are part of GRC:

    • Governance
    • Strategy and Business Performance Management
    • Risk Management
    • Compliance
    • Internal Control
    • Corporate Security
    • Legal
    • Information Technology
    • Business Ethics
    • Sustainability and Corporate Social Responsibility
    • Quality Management
    • Human Capital and Culture
    • Audit and Assurance
    • Finance

    ERM is included as an essential part of GRC (the 'G').

  • Hello Norman. Please keep in mind this is just a short list of technology capabilities that can add value and is in no way a complete one. There is much more to both ERM and GRC; however, many technologies out there are missing this link between front-line activities and strategic goals.

    In your experience, have you found ERM/GRC tools lack the capacity to manage governance?

  • Steve, just what is a "GRC program"? While I believe there is a GRC perspective, a set of processes, organizations, etc. that make up how an organization optimizes value, considering risk, and staying in compliance, I don't believe there are GRC processes per se. (I support the OCEG definition of GRC.) Don't you think you are really advocating effective ERM plus effective compliance? I don't see where you are including key governance activities such as setting strategies, monitoring and optimizing performance, providing oversight of management, assessing management performance, etc.
