Enterprise risk management (ERM) teams are satisfied with governance, risk, and compliance (GRC) tools for basic ERM use cases, but they encounter significant challenges when trying to select a tool that meets the needs of a diverse set of stakeholders, according to Gartner, Inc.

“ERM departments find that selecting and implementing GRC tools is challenging, with the vendor evaluation process alone taking over six months in most organizations,” said Zachary Ginsburg, director, research in the Gartner Legal Risk & Compliance Practice. “Then, for a typical department, it can take at least an additional nine months to attain full functionality from a GRC tool.”

Finding a Single Tool to Meet All Needs is Challenging — And Often Leads to Worse Outcomes
The lengthy vendor selection process reflects the diverse range of requirements and stakeholders commonly involved in GRC tool selection. For example, approximately five functions or risk subfunctions — such as credit risk management, cybersecurity, IT, corporate compliance, and operational risk management — typically use ERM’s primary GRC solution 20% of the time or more, with similar numbers consulted in the purchasing decision.

However, many ERM buyers of GRC tools are lengthening implementation time, incurring higher costs, or creating data or usability challenges because of faulty assumptions. In particular, many buyers believe (and many vendors assert) that tools with modules for different workflows (e.g., compliance, audit) will outperform combinations of GRC tools and point solutions covering those workflows.

“Because GRC tools and third-party point solutions can be integrated via purpose-built data connectors or APIs, ERM and other functions can often choose the tools best designed to meet their needs and still have data integration,” said Ginsburg. “Therefore, heads of ERM should consider prioritizing their own functional needs when purchasing a GRC tool. In doing so, they may circumvent inefficiencies or costs that would be involved in accommodating a tool that’s not an ideal fit for their own workflows.”

Integrating Risk Data and Processes and Managing Stakeholders Create a Lengthy Implementation
ERM departments can use GRC tools to conduct risk assessment surveys or a limited number of other uses before full implementation. However, most primary GRC use cases, such as aggregating risk information across organizational silos, require full implementation.

The most common GRC tool implementation challenges tend to be inputting a useful risk register/universe and training staff. Ensuring interoperability among systems and processes for ERM, compliance, and other risk management functions is crucial for using GRC tools to aggregate risk information.

“Without selecting a GRC tool with sufficient interoperability capabilities with other systems containing risk information, heads of ERM may not realize GRC’s benefits without further customization or point solutions or indeed may never fully realize all potential benefits,” said Ginsburg. “Given that these implementation challenges commonly cause long delays in gaining the full expected value from GRC tools, heads of ERM should consider prioritizing GRC tools on how well they will work ‘out of the box’ in the selection process.”

Additionally, to build support for the best solutions, heads of ERM should engage other organizational stakeholders to determine which GRC tools can most easily support aggregating risk information from other teams and systems, and should actively manage stakeholder expectations throughout the implementation process.

Finally, heads of ERM should determine how the organization can derive value from the GRC tool during the implementation phase. Very few organizations seem able to use their new tool to complete some of the activities they perform within one to three months, though this number increases more or less exponentially quarter by quarter.