GRC: Trying to take the bite out of risk

22.08.2012

"You will only be successful if you have a sound risk management framework and you have the right engagement across the organization," says Jorge Beaujon, vice president and head of operational risk at WorldPay US Inc., an Atlanta-based global card payment acquiring business. He says a solid framework and the use of GRC software from Modulo Security have helped his company tackle regulatory compliance, security and other risk areas. "If your framework is not appropriately designed, your GRC program will fail irrespective of the system you choose to support it," he says.

"You have to have good processes before you can be successful in implementing IT and enterprise GRC," agrees Paul Proctor, vice president of security and risk management at research firm Gartner Inc. in Stamford, Conn. "The single biggest failure we see in the implementation of these systems is if [for example] you buy one of these for vendor risk management and you don't really have a decent vendor risk management process in place."

"When a bad process is automated, it just increases the efficiency with which that bad process happens," says McClean. "Risk professionals still need to create a framework for how risk is measured, who is involved, what processes are required and what decisions will be affected by these efforts. Then they can use technology to standardize these efforts and pull together information from a lot of different areas to improve oversight."

Bodies such as auditors, regulators and risk committees "more and more are concerned with the processes of risk and compliance as opposed to just the outcomes of those efforts," McClean says.