GRC Use Cases: Issues that Impact Success

Over the last 13 years, we’ve seen nearly every kind of GRC use case. Despite the variety, we can narrow down success factors to these common denominators: Ease of Implementation and Degree of Stakeholder Buy-in.

It’s important for organizations to select the ideal batting order for use cases. When you’re looking at a GRC implementation, you’re essentially balancing value and time. Getting a quick win can be more important than trying to solve for every requirement at once. The longer it takes to get your use case up and running, the longer you delay the return on your investment, which can lead to diminishing stakeholder support.

Here’s a guideline we use with customers who are trying to decide which use cases to tackle first and in which order.

| GRC Use Case | Ease of Implementation | Degree of Buy-In |
|---|---|---|
| Application Security Assessments | Moderate to Complex | Highly Coordinated |
| Compliance-Specific Assessments | Easy | Easy to Moderate |
| Policy Exception Tracking | Easy | Easy |
| Risk Register | Easy | Easy |
| Threat & Vulnerability Management | Moderate | Easy to Moderate |
| Policy Management | Complex | Easy to Moderate |
| Policy Library | Easy | Easy to Moderate |
| Audit Management | Moderate | Easy |
| Vendor Risk Management | Moderate | Moderate to Complex |
| Business Continuity Management | Moderate to Complex | Moderate |
| SOX/Financial Controls | Easy to Moderate | Easy |

Remember, the goal is to keep the implementation manageable and moving forward. If your organization isn’t ready to implement a complex, highly coordinated effort like Application Security Assessments, don’t lead with that use case out of the starting gate.