How to Evaluate GRC Solution Integrations

No single piece of software or platform can do it all. Investing in the right combination of technologies so that your teams can perform at their best is the puzzle you need to put together. Chances are, you put a lot of time and resources into choosing new technology at your organization. There are so many details, decisions, and processes that need to be addressed before a purchase can be made. We have outlined the major considerations for GRC solutions in our blog, 8 Questions to Help You Select the Best GRC Software for Your Company, but how will this new GRC solution fit in with the rest of your organization’s tech stack?

Integrations are the connectors for your tech stack. They allow different systems to work together.  However, the reality of integrations is that they can lead to unanticipated roadblocks and fall short of your expectations. That is why we wanted to put a magnifying glass on integrations. Let’s explore the possibilities of how GRC solutions can integrate into your world so you are set up for success when evaluating your GRC solution options. 

Create Your Own Integrations Checklist  

First things first, figure out where you need your GRC solution to connect. Integrations should fit into your process, and not the other way around. Kick off your checklist by conducting an internal audit of your organization’s tech stack. Compare and contrast your team’s technology usage to other departments that will participate in the GRC process. Try using a quick survey to get the full picture across different departments. This information will form the foundation to confidently make decisions about a GRC solution’s integration abilities. 

Next, it’s time to imagine your technology wish list. The list of possibilities to integrate can seem endless, so segment them into “Must Have” and “Nice to Have.” The first question you should ask yourself before bucketing that platform into the “Must Have” column is  “Why do these systems need to talk to each other?” 

Here are examples of answers to look for when asking that question: 

  1. System A has information that is needed to make a decision in System B
  2. System A has data that we would like to report on in System B
  3. Users of System A need to request information / assign tasks to users in System B

Integrations can lead to cost savings, improved process efficiency, and better insights into data across disparate sources. However, they can also lead to redundant or otherwise useless processes. Some due diligence on functionality will help you avoid these costly mistakes. Document exactly what you want each of your wish list integrations to do and the overlaps and gaps will become apparent.  

Narrow Down the GRC Solution Market

Now we can put that checklist to work. Your GRC solution options may seem daunting, but the time you invested at the beginning of this process will easily narrow your focus in the market.

When it comes to GRC solutions, the market is divided into a few classifications and each approaches integrations differently.   

  • Manual solutions are typically what comes first, before an organization realizes it needs more comprehensive technology. Think Excel spreadsheets, emails, and documents describing processes for an enterprise to follow. They are not the best for scalability or integrations.
  • Point solutions are platforms that address one GRC application, such as employee compliance or audits. Many point solutions are cloud based and have varying levels of integration savviness. 
  • Legacy solutions are more comprehensive GRC solutions, but are typically on-prem or hosted software. This can result in clunky user experiences and nearly impossible process changes. Integrations can also feel more cumbersome or costly in this segment of the market. However, these solutions are well established and may have more integrations to choose from.
  • Cloud-based GRC solutions, like Risk Cloud, are flexible, fast, and address risk holistically across your organization. Naturally, cloud solutions have an easier time connecting to other cloud solutions. If you have a list of cloud solutions you are looking to integrate into your GRC solution, choosing one that is cloud based would be to your benefit. 

Not all integrations are equal. When comparing integration capabilities of these different GRC solution groups, functionality can vary widely. One vendor might “check the box” of an integration that you are interested in, but may not meet your expected functional requirements. Paying close attention to the functionality during the vetting process can save you the headache of teams filling in the gaps where you thought an integration would fit.

Requesting demos is a great way to get the full understanding of an integration’s functionality before you purchase. If a solution you are considering is not willing to provide a demo of a specific integration functionality, it is most likely because they don’t have it or it requires a long, expensive process to custom build. 

Consider the Types of Integration Coverage 

In addition to variances in functionality, there are also different ways that integrations can be delivered. The delivery matters because it can impact the functionality, updates, needed resources, and time it takes to get the integration up and running.  

When most people think of integrations, they are thinking about native integrations. Native integrations are built directly into your GRC platform, take the least amount of setup, and are more likely to receive regular updates. It is important to keep in mind that native integrations often solve for the 1-2 most common use cases and may not cover what you had in mind. 

If the vendor you’re vetting doesn't have the native integration you’re looking for, there's no reason to eliminate them quite yet. When native integrations don’t cut it, expand your questioning into overall integration coverage. Integration coverage means that there are other ways to connect with software that might add even more value for you. 

First, many middleware technologies are designed with the sole purpose of connecting platforms together. For example, Risk Cloud is integrated with Zapier, which quickly and easily connects the platform to hundreds of the most common integrations, such as Formstack, DocuSign, and SharePoint. Middleware may be the simplest solution to your integration needs.

Next, dig into the resources of the prospective vendor. A dedicated integrations team of experts to guide you through your integration journey may be just what you need. If custom integrations are part of your “Must Have” list, then these teams can provide a seamless and effective integration build. Ask about such teams and whether they are part of customer services or come at additional cost. The Integrations Services team at LogicGate was formed from the customer success team and focuses on making sure Risk Cloud customers have successful and effective integrations.

Finally, ask them about an API. An open API can open up possibilities for your IT team to connect to the specific integration you require. If you plan on building your integration, it’s worth validating that the platform or software has easy-to-use endpoints and readily available documentation. Your team's internal developers may need to be brought into a vetting call for this route. Risk Cloud has a RESTful API and can accommodate these custom integrations. 

Integrations can be a tough landscape to navigate when qualifying your GRC solution options. The beauty of buying a cloud-based GRC platform is that you will receive automatic and constant enhancements to integrations. The team at LogicGate is dedicated to the continuing expansion of integrations to Risk Cloud. Contact us to learn more about putting Risk Cloud at the center of your GRC ecosystem.  
