Page 1: Reciprocity_GRC Software Buyers Guide v5

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE SOFTWARE

BUYER’S GUIDEA CISO & COMPLIANCE TEAM’S GUIDE TO PURCHASING GRC SOFTWARE

RECIPROCITY

A Publication of

www.reciprocitylabs.com

Page 2: Reciprocity_GRC Software Buyers Guide v5

TABLE OF CONTENTS

Ch.1     What is Governance, Risk Management & Compliance (GRC)? 3

Ch.2     Smarter Compliance, Less Risk. 5

Ch.3     When Should I Implement? 7

Ch.4     How to Find the Best GRC Tool For Your Company 9

Ch.5     Conduct a Self-Assessment 10

Ch.6     Define Goals 12

Ch.7     Develop Vendor Evaluation Criteria 14

Ch.8     Getting Started 21

Ch.9     Getting the Best Results From Your New GRC Tool 23

CHAPTER 1

WHAT IS GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE (GRC)?

Governance, Risk Management, and Compliance, or GRC, is a broad term that covers a company’s approach to and strategy for managing its internal governance, risk, and compliance activities.

Governance comprises the rules, structures, and accountability within the company, whether to internal requirements or those imposed from outside. Compliance includes the processes for implementing and reporting the company’s adherence to external requirements, including industry, governmental, and voluntary standards. Risk management ties the entire practice area together by helping a company identify its risk tolerance, and then take appropriate measures to mitigate those risks.

GRC software tools streamline and automate the documentation and reporting of corporate governance, risk management, and compliance tasks, and align them with business objectives.

A GRC software tool typically offers:

• System of record (your “single source of truth”)

• Policy management

• Audit management

• Risk management

• Automated notifications to stakeholders to perform specific GRC-related tasks

• Real-time notifications of workflow and audit activity

• Closed-loop reporting for easy calculation of compliance and risk postures

• Easy creation and editing of GRC components (controls, objectives, assets, risks, people and more) by non-technical users

When used effectively, GRC software can help Chief Information Security Officers, Chief Security Officers, and Directors of Compliance move past spreadsheets to mature their risk management and compliance programs.

This guide will walk you through the steps required to purchase a GRC software tool — from establishing goals, to identifying and comparing vendors, to getting ready for the implementation phase and future success.

A 2016 Governance, Risk and Compliance Survey found that 43 percent of respondents are operating their compliance efforts at an ad hoc or fragmented level.

CHAPTER 2

SMARTER COMPLIANCE, LESS RISK

Wondering how a GRC software tool can impact your business? Take a look at how an all-in-one tool can reduce your risk of non-compliance while decreasing costs and maximizing revenue, streamlining your audit, and improving accountability.

Increase Productivity

A GRC tool significantly lowers costs associated with managing compliance programs. First, a GRC tool will streamline and eliminate manual processes and allow teams to more easily become and stay compliant. Second, you will be able to utilize a GRC tool as your single source of truth for everything related to your compliance needs. Third, a GRC tool will significantly decrease the number of errors, gaps, and omissions that are currently being found in your spreadsheets. All of these benefits lead to a more productive compliance team.

Your All-in-One Compliance Tool

With a GRC tool, compliance teams can leverage a system of record, automated workflows, audits, pre-risk assessments, reporting & dashboards, and multiple third-party integrations all from one central platform. A GRC tool makes compliance trackable, automated and more visible for CISOs and their teams.

Automate Your Compliance Tasks

Companies commonly find that the real value of automation lies in the routine tasks that must be completed again and again. The GRC platform can automate some of those, and send reminders for the tasks which require human interaction.

Deliver Robust Reporting

CISOs often find it difficult to determine the ROI on their compliance efforts because of an inability to aggregate important compliance-related data. By utilizing out-of-the-box reports, a GRC software tool allows businesses to understand their true compliance posture and identify gaps or overlaps in their programs. Dashboards and advanced reports deliver important metrics to users and business decision-makers.

Support Your Audit Team

Audit teams execute a process. And like any business process, they need quality input. A well-documented compliance program in a GRC tool and the ability to conduct an audit over that program can jumpstart your internal audit teams and ease the burden of providing information to an external auditor. Key tasks in the audit process also gain an efficiency boost from a GRC tool, such as automating evidence collection and dashboards to show progress. At the end of the audit, the outputs can be fed back into the GRC tool for automated tracking. Issues can be assigned for remediation, while the auditor’s opinions of control effectiveness can be documented to show your compliance posture.

Fifty-nine percent of CCOs are only somewhat confident, or not confident at all, that the IT systems used by their compliance department can fulfill their reporting and responsibilities tasks, according to Deloitte’s In Focus: 2015 Compliance Trends Survey.

According to Blue Hill Research, the benefits resulting from implementing a GRC platform range between 25% and 30% in time saved in compliance and risk activities.

CHAPTER 3

WHEN SHOULD I IMPLEMENT?

Be proactive and make managing GRC less of a hassle and more productive!

Below are three reasons why businesses put off implementing GRC tools, and responses for why these scenarios are actually the perfect time to get started.

“We’re doing just fine using spreadsheets.”

Research shows that almost 90% of all spreadsheets have errors. When you talk about the data in your compliance program, a 90% error rate, in most industries, is going to be completely unacceptable. The underlying cause is the lack of structure around collaboration and version control. If you’re using spreadsheets to manage multiple compliance programs, it’s imperative that you move to a system of record that provides you with a single source of truth that’s more reliable.

“I have an audit coming up”

An audit is a great opportunity to mature from your spreadsheets to a more robust tool. Part of the audit preparation involves getting your compliance data properly documented and collated for the auditor.

Taking the additional step to migrate that content into a GRC tool where you can keep it up to date and use it as the basis for ongoing reporting helps you to leverage that work, getting more value out of your audit prep investment. Once you get results back from your audit, you can track your compliance posture and use the GRC tool to aid in remediation, rather than being forced to create and maintain new spreadsheets.

“Budgets are tight right now”

No compliance team is ever over-resourced. However, paying high-earning professionals to manage inefficient spreadsheet-based programs is not the best use of your limited budget.

Your team’s time would be better spent implementing and ensuring controls are operating effectively, rather than trying to reconcile a handful of spreadsheets or babysitting colleagues via email. A GRC tool that can send automated reminders for compliance tasks is a better investment than having a member of your staff sending out reminder emails and tracking completion status manually!


According to an OCEG study, 85% of companies feel that they would benefit from integrating the use of technology for their GRC activities.

CHAPTER 4

HOW TO FIND THE BEST GRC TOOL FOR YOUR COMPANY

Purchasing GRC software can streamline your work and remove a lot of headaches. But how do you know where to start?

Choosing a GRC software solution is an important decision. Not only is governance, risk management and compliance a significant investment in time and resources, but the system you choose will have an enormous impact on the daily workload of both your risk and compliance teams. So make sure to conduct the proper research and go into the process with the right questions in hand. Start by evaluating your own compliance effort to determine your particular needs and priorities, then take a closer look at the many features of governance, risk management and compliance software and what specific attributes to look for in each. The recommendations included in the next 3 chapters will help you decide what criteria you will use to evaluate GRC tool vendors.

CHAPTER 5

CONDUCT A SELF-ASSESSMENT

Gaining a better understanding of your compliance team’s regular and periodic processes will make it easier to identify opportunities for improvement.

Review the following questions with your team and come up with thoughtful responses.


How many compliance frameworks are you required to implement (e.g. SOC 2, ISO 27001, PCI-DSS)? When do you conduct audits for each of these programs?

Do you have a strategy to format spreadsheets for the different programs that you’re managing? How do you ensure that you can produce consistent metrics from each?

How do you currently collect audit evidence? What are the inefficiencies in your process?

Are you using Sharepoint, Google Drive, Box, or Dropbox as a content repository? (Y/N)

Does your compliance team use other software tools to manage compliance? (Y/N) If yes, list the different tools, how you’re using them and explain how they work together.

How do you handle the assignment and handoff of compliance tasks to non-compliance stakeholders, such as system configuration tasks assigned to sysadmins?

How does your compliance team prioritize tasks?

How are you measuring and evaluating your compliance programs?

CHAPTER 6

DEFINE GOALS

Once you’ve assessed your current processes, it’s time to define what you hope to achieve with implementation and plan out your strategy.

In order to properly prepare for the search phase, it’s important to discuss governance, risk management and compliance with all departments that will be affected and define the specific requirements of each.

Use the following questions to plan how each department will use GRC software and reap the benefits.

Who in your company will use GRC software? Who will take ownership?

What information will you need in order to make sound decisions about your GRC programs?

What compliance frameworks are various departments tasked with implementing or maintaining (e.g. InfoSec handles PCI-DSS, Finance handles SOX)?

How can other departments take advantage of a GRC software tool, and what benefits can you realize from having a single GRC platform shared across departments?

How can you integrate other GRC-related software tools into your GRC software tool?

What are your current KPIs, and how can you show each department’s value?

What are some short-term goals that can be achieved with governance, risk management and compliance?

What are some long-term goals that can be achieved with governance, risk management and compliance?

CHAPTER 7

DEVELOP VENDOR EVALUATION CRITERIA

After you’ve conducted initial research and determined which vendors to investigate further, the next step is to schedule time to see demos of the products that have made the cut. Having the opportunity to compare and contrast each vendor’s solutions will help you understand what you’ll be able to achieve with each platform, and how well their features meet your needs.

Here are a few parameters that you should evaluate as the vendors work with you:

• Implementation

• Functionality

• Ease of use

• Executive dashboards

• 3rd party integrations and API capabilities

• Expected ROI

• Future innovation and product roadmap

A typical demo may not cover everything you’re looking for. So, make sure to ask about a specific feature or use case.

Use the following questions as a guide as you begin conversations with vendors and discover the capabilities of their products:

Implementation

How long does it take to get value from the tool?

Is training and support included, or is it an additional cost?

How much time will it take for the GRC product you’ve chosen to be up and running?

Is the amount of time it takes to implement reasonable (couple of weeks or months)?

How many hours are you expected to contribute to this burden?

How much will your compliance landscape shift between now and then?

What kind of professional services are required to start using the application?

If a standard changes in a year, how much will it cost you to be ready to comply with it?


Functionality

Can you easily map one control across multiple standards?

Do you have full role-based access?

Can you import existing data into the tool?

Can you test and gather audit evidence, and remediate issues found during audits?

Can you build ad-hoc workflows to automate various compliance tasks?

Can you configure this system yourself or do you require professional services?

Will the tool be able to support your use cases for today and in the future?

Can I perform Pre-Risk Assessments of third parties?

Are the risk scores of third parties plotted on a heat map?


Ease of Use

What are the different roles available and what access does each role get?

How easy is it to import existing data into the tool? How long does this take?

How can you test and gather evidence?

How do you remediate issues?

Is the user experience easy and simple enough to remove headache from your day-to-day tasks?

Is this a product that is intuitive to you?

Will other people in the organization use it?

Will you find yourself using the product on behalf of others?


Executive Dashboards

Can executives quickly see the status of our past, present and future compliance programs?

Can we readily identify gaps in our compliance posture?

If a regulation changes or I’m forced to comply with a new standard, does the tool highlight my gaps and provide actionable intelligence to close them?

Can I save money and make it easier to run an audit through a GRC tool?


API Capabilities and Third-Party Integrations

Give a brief overview of the connectors your solution offers. Where do your clients find the most value?

Does the GRC tool allow you to integrate data from other software tools you’re using? How easy is that integration process? Does it require professional services, does it require custom development, or is it a simple point-and-click process?

Does your solution offer ticketing software plug-ins to allow users to work within their preferred ticketing software platform? Which platforms?

How long will it take me to get up and running for each of these integrations?

How will your connectors provide my compliance team with additional insight into the needs of our programs?

How will your connectors help with my reporting?

How often do you add connectors?


ROI of GRC

How much time will this save across the company?

Can this solution help me replace hiring one or more FTEs?

Will this solution make my life as well as other colleagues’ lives better?

Will this help save time when engaging and working with 3rd party auditors?

What confidence do I have that errors and omissions will be removed with the implementation of a GRC tool?

If a regulation changes or I’m forced to comply with a new standard, will this reduce time and cost?

Will my licenses cover everything or will I need to buy additional modules to meet my needs?

Is the pricing transparent? If your use case for GRC within the organization expands, how much in additional costs will it take for the tool to service those use cases and users?

Will the product save me enough time to justify the money I have allocated in the budget?

How much would it cost to hire someone to do what this GRC software does?

How much time savings will this tool enable by centralizing everything?

Future Innovation and Product Roadmap

Will the company share their product roadmap?

How quickly do they share releases?

Does the tool feel finished, or is it immature?

Will the product keep up with a changing compliance landscape?

Does the product look modern?

Do you feel that the product will receive regular upgrades?


CHAPTER 8

GETTING STARTED

Once you’ve picked a governance, risk management and compliance solution that aligns with your needs and goals, there are a few steps you can take prior to implementation to ensure success.

Get Organized

Currently, the compliance-related data you have may be spread out across multiple spreadsheets and emails. Build a single source of truth by aggregating all of your data.

To ensure a seamless transition, make sure to use a consistent format that your GRC tool will accept. For example, CSV files are a popular format for uploading and mapping data to GRC tool frameworks.

To help you get started, it is useful to identify the following attributes in your compliance program data, and ensure they are easily identifiable within your documentation:

Control implementation description. How do you as a company meet the requirement set by the standard?

Ownership. Who’s responsible for implementing and maintaining this control in your environment?

Applicability. Does this control apply to your entire company, or just to a particular product/department/business unit?

Mappings. Is this control related to any processes, departments, or other compliance frameworks in use at your company?
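An added example (not from the guide or from Reciprocity) showing a control inventory laid out with the four attributes above, in the CSV form this chapter mentions, and the checks a compliance team would run on it before import: which controls map across several standards, which controls have no owner, and which requirements of a newly in-scope standard nothing yet covers. The column names, control ids, requirement ids and sample rows are all constructed.

```python
"""Constructed example of a control inventory with the four attributes a GRC import needs."""
import csv
import io
from collections import defaultdict

# Constructed sample export. 'mappings' holds framework requirement ids separated by ';'.
CONTROLS_CSV = """control_id,implementation_description,owner,applicability,mappings
AC-01,Central SSO with MFA enforced for all staff accounts,IT Security,company-wide,SOC2:CC6.1;ISO27001:A.9.4.2;PCI-DSS:8.3
AC-02,Quarterly access reviews for production systems,IT Security,Product:Payments,SOC2:CC6.2;PCI-DSS:7.1
LOG-01,Centralised log collection with 1-year retention,Platform Ops,company-wide,SOC2:CC7.2;ISO27001:A.12.4.1;PCI-DSS:10.2
BCP-01,Annual disaster recovery test,,company-wide,ISO27001:A.17.1.3
"""

REQUIRED_FIELDS = ("control_id", "implementation_description",
                   "owner", "applicability", "mappings")


def load_controls(text):
    """Parse the CSV export; 'mappings' becomes a list of 'FRAMEWORK:requirement' ids."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        missing = [f for f in REQUIRED_FIELDS if f not in row]
        if missing:
            raise ValueError(f"CSV is missing columns: {missing}")
        row["mappings"] = [m.strip() for m in row["mappings"].split(";") if m.strip()]
        rows.append(row)
    return rows


def requirement_index(controls):
    """Map each framework requirement id to the control ids that satisfy it."""
    index = defaultdict(list)
    for c in controls:
        for req in c["mappings"]:
            index[req].append(c["control_id"])
    return dict(index)


def shared_controls(controls):
    """Controls that satisfy requirements in more than one framework (one control, many standards)."""
    result = {}
    for c in controls:
        frameworks = sorted({m.split(":")[0] for m in c["mappings"]})
        if len(frameworks) > 1:
            result[c["control_id"]] = frameworks
    return result


def unowned_controls(controls):
    """Controls with an empty owner: nobody is accountable for keeping them operating."""
    return [c["control_id"] for c in controls if not c["owner"].strip()]


def coverage_gaps(controls, required):
    """Requirements in scope (e.g. from a new standard) that no control in the inventory maps to."""
    index = requirement_index(controls)
    return sorted(r for r in required if r not in index)
```

Running `coverage_gaps` against the requirement list of a standard you have just been asked to comply with gives the gap list the executive dashboard questions in Chapter 7 ask about.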

What a Complete Implementation Looks Like

GRC tool implementations need to be managed at the executive level. CISOs need to communicate the GRC tool’s importance and goals to their team and company. Every IT implementation project should have a defined final milestone (often called a go-live date), and a GRC tool is no exception.

Here are the criteria that signify you’ve finalized the implementation of your newly-purchased GRC tool.

• Retire those spreadsheets: All future work by your designated stakeholders is done inside the tool, i.e. your compliance team and internal auditor both use the tool as a single source of truth for control implementation details.

• Reporting: Executive management has access to dashboards with real-time data feeds provided by the GRC tool. These should be self-service, and free up your resources to focus on tasks more valuable than creating Excel charts.

• Automated process: Workflows, tasks, and reminders are enabled so your GRC tool can keep you up to speed on relevant work tasks.

• Audits: All necessary information is documented, maintained, and accessible in the GRC tool. This can be leveraged into audits, which are managed in the tool, providing a seamless experience and reducing the overhead of coordinating audit artifacts and data.

CHAPTER 9

GETTING THE BEST RESULTS FROM YOUR NEW GRC TOOL

To get the most out of your new GRC tool, you’ll need to use the built-in dashboards and reports to identify with your team how you can continually improve your compliance and risk initiatives.

You should also review the following GRC Success Checklist regularly with your team to make sure you’re tracking your improvements.


The GRC Success Checklist

Get executive and board support and buy-in for organization or department adoption. Board Committees have a need for consolidated and efficient compliance.

Treat your GRC rollout like any other IT project. Define a scope, milestones, and assignments, and track these through to completion.

Identify ways that the tool is more efficient, such as automated rules and actions.

Identify relevant legal, regulatory, and industry compliance requirements which impact your business (e.g. PCI, HIPAA, SOX, SOC 2/3, FedRAMP, etc.)

Identify a baseline framework to harmonize your company’s control set against, e.g. ISO 27001, COSO, CIS Top 20, etc.

Think through the data taxonomy of your compliance programs and control objects and beyond. Document the mappings of your control set against your compliance requirements. Identify overlapping requirements to help cut through complexity.

Identify the tool’s capabilities, functions, and features, as well as your needs, such as additional metadata you need to capture. Develop the tool to meet those requirements.

Determine your Key Performance Indicators (KPI) and Critical Success Factors (CSF). Identify metrics to track and show the value of your tool investment.

Plan how often you will revisit your programs to make sure you’re getting the most out of your investment in a GRC software tool.

Reciprocity offers a best-in-class governance, risk management and compliance platform that manages compliance initiatives such as system of record, workflow and audit. We make compliance and risk officers more nimble with lightweight software designed to turn corporate compliance from a cost center into a valuable strategic asset.

CONTACT US

2146 3rd Street
San Francisco, CA 30326

415.851.8667

Or visit us online at www.reciprocitylabs.com.