Over the last 13 years, we’ve seen nearly every kind of GRC use case. Despite the variety, we can narrow down success factors to these common denominators: Ease of Implementation and Degree of Stakeholder Buy-in.
It’s important for organizations to select the ideal batting order for use cases. When you’re looking at a GRC implementation, you’re essentially looking at balancing value and time. Getting a quick win can be more important than trying to solve for every requirement at once. The longer it takes to get your use case up and running, the longer you delay the return on your investment, which can lead to diminishing stakeholder support.
Here’s a guideline we use with customers who are trying to decide which use cases to tackle first and in which order.
| GRC Use Case | Ease of Implementation | Degree of Buy-In |
|---|---|---|
| Application Security Assessments | Moderate to Complex | Highly Coordinated |
| Compliance-Specific Assessments | Easy | Easy to Moderate |
| Policy Exception Tracking | Easy | Easy |
| Threat & Vulnerability Management | Moderate | Easy to Moderate |
| Policy Management | Complex | Easy to Moderate |
| Policy Library | Easy | Easy to Moderate |
| Vendor Risk Management | Moderate | Moderate to Complex |
| Business Continuity Management | Moderate to Complex | Moderate |
| SOX/Financial Controls | Easy to Moderate | Easy |
Remember, the goal is to keep the implementation manageable and moving forward. If your organization isn’t ready to implement a complex, highly coordinated effort like Application Security Assessments, don’t lead with that use case out of the starting gate.