13 Top GRC Tools for an Integrated Governance, Risk and Compliance Strategy
process.st/grc-tools, December 14, 2020

By Jane Courtnell, December 14, 2020. Categories: Business, Management, Technology
“Realize that everything connects to everything else.” – Leonardo da Vinci, Good Reads

A recent study from Ponemon and Globalscape reported that the average cost of meeting compliance mandates is $5.47 million, versus non-compliance fines of $14.82 million. No organization wants to cough up massive non-compliance charges, and one effective means of avoiding such scenarios is a robust, effective, and integrated governance, risk, and compliance (GRC) approach. Given the complexity of today’s governance, risk, and compliance demands, attempting an integrated GRC approach without viable GRC tools would be considered reckless.
GRC tools help organizations strategize the management of governance, risk, and compliance regulations in an integrated fashion. In this Process Street article, you’re taken through a quick tour of our top GRC tools to meet the specificity of governance, risk, and compliance demands. I’ll then show you how to use Process Street, for free, to integrate these three separate entities for an integrated GRC approach. Click on the relevant subheader to jump to your section of choice. Alternatively, scroll down for your quick introduction to all things GRC, how the discipline has developed, and top tools and techniques you can use to implement GRC in your business. Let’s jump straight to it!
What is GRC?

GRC is an integrated approach used by organizations to take control of their governance, risk, and compliance. Organizations have always adopted methods for corporate governance, risk, and compliance, and in this sense, GRC is nothing new. However, it was in 2007 that GRC as an integrated approach became more commonplace – we’ll touch more on this later. Before moving further, let’s cover the basics and define what is meant by the individual terms governance, risk, and compliance.
What is corporate governance?

Corporate governance refers to the systems of rules, practices, and processes by which companies act. Corporate governance looks at how the company board chooses to run the organization, and how they set the mission and values of the company. This can be seen in day-to-day business operations.

For instance, consider Process Street as an example. Process Street’s mission statement is: “Make recurring work fun, fast, and faultless for teams everywhere.” To succeed in this mission, employees follow 6 core values:

1. Act like the owner.
2. Default to action.
3. Focus on the process.
4. Practice prioritization.
5. Pay attention to details.
6. Over-communicate everything twice.

Our mission statement and set of values define the heart of Process Street, determining how teams run, how the organization as a whole operates, and how it’s governed. Process Street then set out to build and document every procedure and process that keeps the organization functioning like a well-oiled machine. These documented processes are distributed to all team members to assist remote work and are built with the core vision, mission, and values in mind. Legal requirements are integrated into these processes, which can be accessed from anywhere via the cloud. This allows Process Street to operate as a fully remote organization.
What is risk management?

Risk management in a business sense acknowledges that risk happens, and takes measures to ensure you’re completely prepared for it. The International Organization for Standardization (ISO) defines business risk management as:

“…[The] systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk” – ISO, ISO 31000 Risk Management Guidelines

For instance, the business response to the COVID-19 pandemic exemplifies risk management in action. One of the main visible results of the 2020 COVID-19 outbreak has been the mainstream transition from traditional office-based work to remote work-from-home (WFH) arrangements. As such, the pandemic has amped up risk management, pushing employees into a remote-work lifestyle as an adaptive response to manage global pandemic risks.
What is compliance?

Compliance is the ability to act according to an order, set of rules, or requests. It’s a catch-all term for how well a company follows the laws and regulations governing its business. Compliance requirements vary from place to place; however, failing to meet them has consequential impacts including fines, loss of good standing, and legal action.

For example, you might remember the 2007-2015 Danske Bank scandal. Denmark’s biggest financial institution took part in a $237 billion money-laundering affront via its Estonian branch. Compliance failures included staff training defects and the absence of a compliance officer at the management level. These compliance failures resulted in prosecution.
GRC as a revolutionary approach and why it’s important

Before an integrated approach was adopted, using disjointed governance, risk, and compliance activities caused several problems. For instance, separate departments were required for performance management, risk management, compliance, corporate social responsibility, etc. With this departmental design, programs were often siloed, ineffective, and yielded troubling drawbacks, such as:

- High costs;
- A lack of visibility into risks;
- An inability to address third-party risks;
- Difficulty measuring risk-adjusted performance;
- Too many negative surprises.

Operating in isolation, departments established counter-productive objectives, selected sub-optimal strategies, and lacked performance quality.
Using governance, risk, and compliance via an integrated approach

Looking at governance, risk, and compliance as entities to be integrated was an approach that hit the mainstream in 2007. The first scholarly article on GRC was written by Scott Mitchell, who formally defined GRC as:

“The integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity” – Scott Mitchell, GRC360: A framework to help organizations drive principled performance

The research referred to common “keep the company on track” activities, with the inclusion of all departments in a collaborative and integrated mix, conducting procedures such as internal audits, compliance, risk management, legal, finance, IT, and HR processes. Integrating GRC capabilities does not mean crafting a mega-department and doing away with decentralized management. GRC is about establishing an approach that ensures the right people get the right information at the right time, under the right objectives, regardless of department. This brings benefits, as outlined by Finextra, such as:

- Quick and informed decision making.
- Organizational protection from financial and reputation loss, data breaches, compliance violations, and more.
- Continuous collaboration across departments, creating a holistic representation of risk.
- A single source of truth is provided to all employees, auditors, and regulatory bodies.
- Accuracy of risk and control information, enabling stakeholders to make fast, risk-informed business decisions.
- Effective compliance programs to address changes to regulations, technology, and business – these changes are a given.
- Consistency in GRC measures and comprehensive insights into the internal operating environment.
- Ability to respond proactively to risks by breaking down restrictive functional, business, and organizational silos.
- A unified operating model for the business with the agility needed to manage emerging risks.
- Lower cost of assurance.
GRC tools

GRC tools help organizations meet governance, risk, and compliance demands. GRC tools come under the umbrella term GRC software; the two terms are used interchangeably. Today, using an integrated approach to GRC is not a viable option without GRC software and tools. To do so would be considered reckless due to today’s GRC complexity.

When establishing GRC integration, the key is to start small. That is, you’ll want to implement a phased GRC plan, with clearly defined roles and priorities for each stage so that everybody understands what’s required. You must remember that, although integrating GRC is vital, governance, risk, and compliance are still separate entities and must be treated as such. This means they require their own strategies, steps, and procedures.

With this in mind, in the next section of this article, we present to you our top 13 GRC tools across separate sections for governance, risk, and compliance. I’ll then explain how you can adopt an integrated GRC approach using Process Street along with these different tools.
Our top 13 GRC tools

A GRC program can focus on an individual area within a given enterprise. As such, to structure your GRC solution, we have split our top 13 GRC tools down across the following areas:

- Governance
- Risk
- Compliance
Governance

Corporate governance refers to the systems of rules, practices, and processes by which companies act. Governance is in essence how an organization is run. Let’s take a look at top tools to help you run your department/team/organization as intended.

Google G Suite
Value proposition: Teams can work and collaborate effortlessly across any device. Google G Suite offers a variety of applications, from email and team chat to document sharing and storage. In this sense, office productivity tools are kept in a single location, making Google G Suite a convenient and centralized place to store a team’s work.

What it does for GRC: G Suite supports team collaboration and communication within and between teams from a single location. From here, work can be easily accessed, collaborated on, and shared, supporting strong managerial control and governance.

Price: The basic plan is $5.59/user/month. The business plan is $11.18/user/month. Enterprise plans are quoted individually.

Click here to check out Google G Suite today!

Slack
Value proposition: Slack provides a place where your team comes together and collaborates. Share information, documents, images, and videos instantly, on a global scale.

What it does for GRC: It’s impossible to manage business operations without effective and continuous collaboration and communication between upper management and team members. Slack is a great tool supporting team communication, whether you’re chatting in real-time or asynchronously. Communicate your company vision, mission, and values daily.

Price: The standard plan is $6.67/user/month. The plus plan is $12.50/user/month. Enterprise plans are quoted individually.

Click here to check out Slack today!

Airtable
Value proposition: Airtable is a super easy to use, no-code database solution. With Airtable, teams can manage workflows using a spreadsheet-like interface. Features such as file attachments and reporting allow for real-time collaboration.

What it does for GRC: Airtable eases task management and supports teamwork. It establishes centralized control for the tasks conducted within an organization, to make sure work is completed as per the organization’s vision, mission, and values.

Price: The free plan is $0/user/month. The plus plan is $10/user/month. The pro plan is $20/user/month. Enterprise plans are quoted individually.

Click here to check out Airtable today!

Qualityze
Value proposition: Qualityze is a quality management solution built on the Salesforce platform. Qualityze is designed to empower businesses to optimize quality by providing modules such as business audit management, complaint management, supplier quality management, document management, change management, and training management.

What it does for GRC: Qualityze assists corporate governance through its training management module. Training management is recognized as one of the most important processes to ensure product and service quality. Qualityze’s training module helps corporations build a knowledgeable and competent workforce by establishing better managerial team control for corporate governance.

Price: Pricing starts at $20/user/month. A free trial is available.

Click here to check out Qualityze!

ISO 9001
Value proposition: The ISO 9000 family of standards is set up by the International Organization for Standardization. These standards guide organizations in setting up and maintaining service/product quality standards.

What it does for GRC: Organizational governance manages products and services against internal and external expectations. Using ISO 9000 as guidance, corporate products/services are checked against these expectations, aiding governance control. To access these standards, use the official ISO documentation along with Process Street’s ISO 9001 checklists. For more information on ISO 9001 and access to our free template resources, read: ISO 9001: The Ultimate QMS Guide (Basics, Implementation, ISO Templates).

Price: Depends on certification provider and company size.

Click here to check out ISO 9001:2015 standards!

Using Process Street for governance

Process Street is a Business Process Management solution to assist with the documentation of your business processes. This documentation sets the standard by which all departments, employees, and teams abide. Employees can access these standard operating procedures from anywhere, at any time, from the cloud. With Process Street, you can create standard operating procedures in line with your organization’s vision, mission, and values.

To help you build your standard operating procedures, why not use our Standard Operating Procedure (SOP) Template Structure. The purpose of this pre-made template is to provide the necessary structure from which to create your procedures.

Click here to access our Standard Operating Procedure (SOP) Template Structure!

Our Standard Operating Procedure (SOP) Template Structure utilizes Process Street’s Task Permissions feature. This allows you to hide specific tasks so that the creation of your SOPs is only visible to the relevant personnel. Use Process Street along with the tools mentioned above for optimal governance control.
Risk

Risk management in a business sense acknowledges that risk happens, and takes measures to ensure you’re completely prepared for it. Business risk is the exposure to factors that can potentially lead a company towards lower profits and failure. There’s no escaping risk in business, but business risk can be mitigated. In this next section, we’ll take a look at top risk mitigation tools.

Resolver
Value proposition: Resolver is a tool that’s used across a number of industries and business needs, including manufacturing, hospitality, high tech, retail, etc. Resolver is an investigative software. The software investigates the outcomes of a given business action by performing root cause analyses to determine contributing factors and failed controls. As such, the tool focuses primarily on risk planning and preparation.

What it does for GRC: Resolver is a tool to be used in the early planning of risk identification, when the project objectives and regulatory requirements are still in the making. Resolver provides flexible and custom reporting, real-time accessibility and insight, and risk response management.

Price: Price starts at $10,000.00 per month. There is no free version, and Resolver does not offer a free trial.

Click here to check out Resolver today!

TimeCamp
Value proposition: TimeCamp is an intuitive web-based time-tracking system that offers several benefits for project managers, teams, and individuals. Through its time-tracking functionality, TimeCamp gives a reliable indication of how much time is spent on a given project. This means more reliable budgets can be formulated and productivity is increased on the whole.

What it does for GRC: Running out of time on a given project is one of the simplest vulnerabilities that could silently weaken the integrity of your business operations. TimeCamp is essentially a time-tracking tool helping teams deliver their responsibilities on time. Projects and budgets can be planned better to minimize the risk of failure.

Price: Free time-tracking plan for single users. Price starts at $5.25/user/month for an annual package. Month-to-month packages start at $7/user/month.

Click here to check out TimeCamp today!

SpiraPlan
Value proposition: SpiraPlan is an agile planning board with color-coding and a simple drag-and-drop interface. The software acts as an all-in-one project management solution for managing project prerequisites, tasks, bugs/issues, and releases.

What it does for GRC: Project risks can be easily tracked and defined by risk type – business, technical, schedule, etc. Each risk is categorized by attributes such as probability, impact, and exposure. This means risks that are more likely to happen will appear higher up in the list relative to risks that are less likely to happen or have a less serious consequence.

Price: $46.66/month/user. A free trial is available. There is no free version.

Click here to check out SpiraPlan today!

A1 Tracker
Value proposition: Similar to SpiraPlan, A1 Tracker records and manages risks in a project. Track risks, incidents, audits, contracts, and assets through a web system offering real-time reports and analytics. A1 Tracker provides a bit more complexity and depth to the analysis of project risk relative to SpiraPlan – suitable if this in-depth analysis is needed.

What it does for GRC: A1 Tracker is a risk-management software providing risk assessments, heat maps, customizable reporting, charts, graphs & more. A1 provides an in-depth analysis of project risk.

Price: For the risk management functionality, A1 Tracker costs $8,000/year.

Click here to check out A1 Tracker today!

Using Process Street for Risk Management

Use the above tools along with Process Street’s risk management functionality. At Process Street we have a host of free template resources making risk management easier. Simply go to our template library to find the right template for you and your team. Find templates covering a wide range of risk management techniques such as SWOT, FMEA analysis, and ISO audits.

For instance, check out our SWOT analysis template given below. Run this checklist to assess the strengths, weaknesses, opportunities, and threats associated with your business.

Click here to access our SWOT Analysis Template!

You’ll notice our SWOT checklist utilizes Process Street’s Conditional Logic feature, to adapt the checklist to your unique circumstances and needs. For further reading on business risk management and access to more of our associated template resources, read the following Process Street blog posts:
Compliance

Compliance is the ability to act according to an order, set of rules, or requests. It’s a catch-all term for how well a company follows the laws and regulations governing its business. Compliance is the process of making sure your company and employees follow the laws, regulations, standards, and ethical practices that are applicable to your organization and industry. In this next section, we’ll look at top tools to aid organizational compliance.

ISO 14001
Value proposition: ISO 14001 has become the international standard for specifying environmental management system (EMS) requirements. Businesses have an obligation and a legal requirement to manage their environmental impact. The question that often arose, however, was how companies could measure, document, and record their activities with sustainability in mind. This is where the ISO 14001 standards come in. These standards provide a common global language to detail how environmentally friendly an organization’s activities are. Full transparency is given regarding the sustainability of business operations.

ISO 14001 (2015) is the latest specification for an environmental management system, designed to help organizations enhance their environmental performance. ISO 14001:2015 manages corporate environmental responsibilities in a systematic manner.

What it does for GRC: Meeting environmental requirements is a compliance responsibility for organizations worldwide. ISO 14000 gives guidance to these organizations on how to alter their operations to meet environmental compliance requirements. Make sure you’re ISO 14001 compliant using the International Organization for Standardization’s ISO 14001 family. However, for a more applicable approach to ISO 14001, I recommend you use the ISO 14001:2015 documentation standards along with Process Street’s unique ISO 14001 checklist. For more information, and to access these checklists, read: 5 Free ISO 14001 Checklist Templates for Environmental Management.

Price: Depends on certification provider and company size.

Click here to check out ISO 14001:2015 standards today!

Diligent Entities
Value proposition: Diligent Entities helps organizations centralize, manage, and effectively structure their corporate data to ensure compliance, mitigate risk, and improve decision making. Company data – and data modifications – are recorded accurately, to use for future reporting and auditing. Diligent Entities acts as the sole source of truth for corporate records, and so is an effective software for global teams looking to manage their data.

What it does for GRC: Diligent Entities is an integrated entity management system that unites multiple business units such as legal, tax, finance, and compliance, providing a single system of record to scale and solve business complexities. Entity information, documents, and organizational charts are stored in a highly secure format, acting as a single source of truth. This information can be accessed at any time to report on governance and compliance requirements and electronically file statutory forms for global regulatory bodies.

Price: Starting from $15,000.00/year via subscription. No free trial is available.

Click here to check out Diligent Entities today!

Convercent
Value proposition: Weave ethics into the core of your organization with Convercent. Convercent provides a suite of applications that innovate ethics and compliance management, making it proactive. Users are encouraged to share, listen, and learn, with the aim of improving company culture, lowering risk, and improving business performance.

What it does for GRC: Convercent permits business and compliance leaders to collect company-wide data. The software also makes it easy for employees to report issues by providing them with the appropriate communication channels. The management of policies and training programs that support ethical behavior is easy, with Convercent’s robust disclosure management program designed to spot early signs of misconduct. All in all, compliance requirements regarding employee treatment are supported. Issues such as fraud, harassment, and resource abuse are easily analyzed and therefore prevented.

Price: $10,000.00/year. Free trial available.

Click here to check out Convercent today!

Libryo
Value proposition: Libryo is an automated, cloud-based platform, inspired to help organizations know the laws applicable to their business, in every jurisdiction. Libryo makes it easy to know the law by filtering, configuring, and tracking site-specific legal registers, enabling people to quickly navigate regulatory complexity with clarity and certainty.

What it does for GRC: Libryo offers a legal register that provides real-time updates on all laws and legislation to support company compliance. There’s no one specific industry that’s serviced. Training is also provided for a proactive compliance approach, informing employees regarding the company-related legal requirements.

Price: Cost varies according to the complexities of operations and jurisdictions. There is no free version available. A free trial is available.

Click here to check out Libryo today!

Using Process Street for compliance
You can use Process Street’s compliance functionality along with these top compliance tools. Documenting business operations via a Process Street checklist gives you a single source of truth for your procedures. Incorporate best practice and compliance requirements in these checklists, and distribute them throughout your team to ensure everyone is following the process as required.

You can also create audit processes for internal audit compliance checks. For instance, check out our financial audit checklist embedded below. Financial auditing is the process of evaluating an organization’s financial reports, and reporting processes, in an objective and independent manner. Run our Financial Audit Process to conduct internal compliance checks on your organization’s financial information.

Click here to access our Financial Audit Checklist!

Checklist features such as our Approvals feature ensure processes are performed as they should be. A process cannot be completed until the required tasks are done and have been evaluated and accepted or rejected by the relevant senior personnel.
Using Process Street to integrate your governance, risk, and compliance solutions

Process Street acts as a central hub for your documented governance, risk, and compliance processes.
Using the above-mentioned tools provides the specificity needed to meet governance, risk, and compliance demands. Then, by using Process Street to document your governance, risk, and compliance procedures, you create a centralized platform offering full process transparency and a means for cross-departmental collaboration. All processes are stored in the cloud and are available, visible, and accessible on a global scale.

Process Street supports an integrated GRC approach, whether you’re utilizing our pre-made templates or documenting your processes from scratch. By using Process Street, along with the tools presented above, you can develop a fully effective GRC solution that:

- Provides adequate reporting functionality;
- Provides an audit trail;
- Documents and stores workflows and tasks;
- Acts as a platform for team collaboration;
- Enforces compliance, governance, and risk controls.
Take control of your GRC demands using Process Street and our top 13 GRC tools

To be effective in managing governance, risk, and compliance demands, you’ll want to use an integrated approach that also comes with the specificity needed for each entity. To recap, our top 13 tools for GRC are:

- Google G Suite
- Slack
- Airtable
- Qualityze
- ISO 9001
- Resolver
- TimeCamp
- SpiraPlan
- A1 Tracker
- ISO 14001
- Diligent Entities
- Convercent
- Libryo

and Process Street. Use these top tools to formulate an integrated GRC approach for your business. Establish immediate and long-term risk control, eliminate non-value-adding activities, build business transparency, and reduce costs.