
A Google search for GRC tooling will turn up a wide variety of vendors. Many of them offer what they call plug-and-play solutions to let you start as fast as possible. Once you peel off the cosmetics, you will find that GRC tooling is in fact fairly simple. In simple terms, GRC tooling contains a database, a document repository, a workflow engine with alerting, reporting and dashboards, web-based and mobile accessibility, and, in a few cases, a data integration service. In a way, by combining these components with similar client issues, software vendors provide packages that include go-to-market use cases, in some cases via an intermediate module layer.

The GRC ecosystem is still relatively young, with new entrants and solutions emerging regularly. The innovators, i.e. the modern entrants, tend to focus on emerging compliance and/or risk themes like GDPR, Cyber, Vendor Risk and/or Regulatory Risk, with strong capabilities in data integration and advanced analytics. The long-established players have by now developed a more grown-up suite of traditional use cases like audit management, operational risk management and SOx (internal control over financial reporting), and now face the challenge of keeping pace with the new technologies being developed and introduced. Vendors seem to position themselves in the GRC ecosystem driven by three main questions and six related design principles.

In principle, GRC vendors only license the software or underlying code of the application. The remaining aspects, namely setting up the different instances, environments, servers and databases, are handled during the implementation project and are mostly or partly the responsibility of the customer. We notice a couple of issues in the way GRC software is delivered:

  • Most vendors prefer a subscription license model over a perpetual license model. For financial and other reasons, a subscription model is very appealing for the vendor.
  • Vendors receive more and more customer demand to provide an end-to-end solution (software, infrastructure and management). This demand is mainly driven by the effort that goes into setting up in-house sourcing of the GRC tooling and the need for in-house skills to support the tool.

The combination of these two gives away some early hints of GRC tooling becoming fully cloud adopted (delivered as a service), like VComply. Nevertheless, for two main reasons we expect GRC tooling to still be delivered in a more traditional way, at least for the next few years. First, companies will be careful about bringing sensitive or personal data and business-critical processes to the vendor for security reasons (is it safe?). Second, a full multi-tenant delivery model will require considerable changes to, and thus investment in, the software code, so vendors are more likely to focus their efforts on maturing the software.

