The Underlying Issue with Many GRC Solutions
GRC software is especially critical in organizations that rely on enterprise resource planning (ERP) software – such as SAP or Oracle – to essentially run all aspects of their business, from the supply chain to finance. However, the GRC software that comes with it is often overly complex and seldom deployed, resulting in unused “shelfware” that leaves the enterprise exposed to risk and fraud. This article provides tips on how corporate compliance and risk managers can avoid the “shelfware” trap and always remain audit-ready.
If you buy a piece of software, but never deploy it, does it exist?
This philosophical question is broadly impacting the security and risk industries. Years of fearmongering forced companies to buy overlapping products they didn’t need, and now many have ended up putting them unused on a virtual “shelf” – commonly called “shelfware.”
Just as the executives of those companies falsely assume their systems are protected (given they have bought products for that purpose), corporate compliance executives are beginning to realize they may not actually be compliant, never mind audit-ready.
A key driver for the shelfware issue is complexity. Governance, risk and compliance (GRC) software is especially critical in organizations that rely on enterprise resource planning (ERP) software – such as SAP or Oracle – to essentially run all aspects of their business, from the supply chain to finance.
The ERP software itself is very complex, and the GRC software that comes with it – often “thrown in” to help close the deal – is just as complex. In the best case, it typically requires the IT department to deploy, customize and use it. In the worst case, it can turn into a whole new project that requires outside consultants to customize it for a specific enterprise’s environment, adding time and cost to what was previously viewed as a “free” and “easy-to-deploy” software system.
Unfortunately, requiring IT or outside consultants to make GRC software work takes ownership and management of GRC and access controls out of the hands of those who should be in charge: with business users. Corporate compliance executives are then left with GRC shelfware while the organization remains exposed to risk and fraud.
Here are some tips on how to avoid the GRC shelfware trap:
Explore All Your Options
Even if your organization has made a significant investment in an ERP system that comes with GRC software, check the other options on the market to see what will suit your unique needs and ensure fast deployment, adoption by business users and audit-ready compliance.
Nondisruptive Deployment
ERP software is the “heart and lungs” of most organizations, so whatever you deploy cannot distract your team from running the business and ensuring compliance. This is another leading cause of GRC shelfware.
Fast Time-to-Benefit
If getting real risk and compliance insight takes weeks, months or years, there is no value. GRC and access controls software should be able to provide comprehensible insight to your environment quickly, typically within hours and up to a few days.
Actionable Business Intelligence
If your GRC and access controls software is deployed and providing raw data, but your business users are unable to decipher what it means, there is no value. GRC software needs to speak the language of business users as well as risk and compliance teams, not software engineers or IT administrators.
Ready for Hybrid IT Environments
As enterprises increasingly look to hybrid cloud platforms during migrations of their ERP and other software, it’s important that GRC software is cloud-ready. This can ensure any upgrades or migrations do not create new holes in their segregation of duties processes or other access controls and potentially expose the company to increased fraud – or turn into yet another consulting project.
To avoid ending up being exposed by GRC shelfware, IT needs to provide the infrastructure and help automate processes. But at the end of the day, it’s up to business decision-makers to ensure how best to address risks and access controls and to use GRC software that is designed from that perspective.
Scott Goolik is VP of Compliance and Security Services at 
