Select and Implement a Governance, Risk, and Compliance (GRC) Solution

Vendor Evaluation


  • French Caldwell, MetricStream
  • Mike Rost, MetricStream
  • Vasant Balasubramanian, MetricStream
  • Andre Da Silva, NBN Co Ltd.
  • Christ Desjardins, Ecom Trading
  • Louis Lerman, International Monetary Fund
  • BG Naran, MDC
  • Frank Santora, Hudson City Savings Bank
  • Teri L. Toth, U.S. Pharmacopeial Convention
  • +1 Anonymous Contributor

Your Challenge

  • Using a solution to manage governance, risk, and compliance information requires significant resources. However, the effort to manage a GRC solution is still often less than the effort required for ad hoc and retroactive management.
  • GRC solutions can seem overwhelming, and for good reason, as they enable the management of a broad range of operations from risk management to financial controls management.
  • Depending on your organization size, compliance requirements, and budget, GRC will be an investment. Ensuring your team understands roles and responsibilities prior to implementation will help ease the transition into using this new tool.

Our Advice

Critical Insight

  1. A complete GRC solution is not always required: Everyone needs a firewall, but not a GRC solution. GRC can be a costly investment (i.e. in terms of money, time, and resources). If necessary, affordable alternatives are available.
  2. A GRC solution is one part of the bigger picture: A GRC solution today is for managing GRC, and will not work without proper controls and processes already in place.
  3. Be strategic when deploying modules: Initiate a phased roll-out of modules rather than all of them at once. Focus on your highest priority needs, then gradually introduce new components to prevent boiling the ocean.

Impact and Result

  • Short-term: Evaluate the players in the GRC marketspace to select the right solution based on your requirements. Avoid common implementation pitfalls and plan for effective system operations and management once your contract has been negotiated and finalized.
  • Long-term: Increase operational efficiency by providing visibility to improve your GRC controls. Leverage these management solutions to reduce manual data manipulation and increase automation, allowing users to focus on their primary jobs.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should implement a GRC solution, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Launch the GRC selection project

Assess the value and identify the organization’s fit for a GRC solution, and structure the GRC selection project.

2. Select a GRC solution

Investigate the vendor landscape, produce a vendor shortlist, draft and evaluate RFPs, and conduct vendor demonstrations to select the right GRC solution.

3. Plan the GRC implementation

Plan the GRC implementation and measure the value of the GRC solution.

Guided Implementations

This guided implementation is a seven-call advisory process.

Guided Implementation #1 - Launch the GRC selection project

Call #1 - Identify organizational fit for the GRC solution and create the project plan.
Call #2 - Identify the most appropriate use case.

Guided Implementation #2 - Select a GRC solution

Call #1 - Understand the GRC vendor landscape.
Call #2 - Shortlist the vendors and create an RFP.
Call #3 - Score RFP responses and review contracts.

Guided Implementation #3 - Plan the GRC Implementation

Call #1 - Plan the implementation.
Call #2 - Finalize success metrics.

Onsite Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Launch the GRC Project

The Purpose

  • Understand the GRC marketspace.
  • Plan the GRC procurement process.
  • Identify the use case scenarios that align with your GRC requirements.
  • Determine baseline metrics to evaluate the solution’s effectiveness.  

Key Benefits Achieved

  • Be aware of the existing options and where the market is going with respect to GRC solutions.
  • A formally documented procurement process will keep the process on track as individuals are aware of roles, responsibilities, deadlines, etc.
  • Focus on the use case scenario that applies to your organization.
  • Assess your GRC solution based on concrete metrics that matter.




Discuss the current GRC market.

  • Realistic perspective of the GRC marketspace.

Determine if a GRC solution is right for you.

  • Aspects that require a fully implemented GRC module.

Develop the GRC Procurement Charter.

  • Formalized procurement process.

Identify your best-fit use-case scenario.

  • The most appropriate use-case scenario to structure your evaluation around.

Brainstorm baseline metrics and target goals to gauge the solution’s effectiveness.

  • Set of metrics to track the effectiveness of the solution.

Module 2: Plan Your Procurement and Implementation Process

The Purpose

  • Review the vendor profiles to understand strengths, weaknesses, and challenges.
  • Customize the RFP to submit to vendors.
  • Ensure vendor demos focus on the features you care about, rather than simply highlighting their strengths.
  • Learn from best practices to streamline the implementation process and leverage all available resources to get started.

Key Benefits Achieved

  • Select a solution that meets your requirements and fulfills your specific needs. What’s best for one organization isn’t necessarily best for everyone.
  • Save time developing the RFP to share the statement of work, scope of work, requirements, budget & estimated pricing, etc.
  • Realistic view of the products performing relevant tasks.
  • Simplified and efficient implementation plans.




Analyze the vendor landscape.

  • Detailed understanding of the vendor landscape.

Create a custom vendor shortlist.

  • Narrowed-down list of suitable solutions.

Develop Request for Proposal (RFP).

  • Completed and reviewed RFP document.

Standardize a Vendor Demo Script.

  • Fairly evaluated vendor demos.

Plan the implementation, including building, testing, and rolling it out.

  • Best practices regarding GRC implementation.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.




  • Delta Dental Washington: Guided Implementation
  • District of Columbia - Department of Children and Families: Guided Implementation
  • Parks Canada: Guided Implementation
  • Comprehensive Health Services, Inc.: Guided Implementation
  • Zs Associates, Inc.: Guided Implementation

Search Code: 77368
Published: April 22, 2015
Last Revised: September 29, 2015
