Rather than allowing multiple purchases of GRC software, or looking for GRC tools designed specifically for areas such as IT, Proctor says companies should aim to deploy multipurpose EGRC software that has strong IT functions and that can be used throughout the enterprise.

"We believe the EGRC tools are becoming more like ERP [enterprise resource planning] systems: big, overarching systems that help guide overall processes but have different modules that might be loosely connected," Proctor says. These modules cover areas such as technology, finance and risk management. (Read more about .)

GRC technology implementations are taking more of a platform approach, says Forrester's McClean. "Organizations are still primarily looking for solutions to a few of their most pressing risk and compliance issues, but it's just as important to license technology that is flexible to address a wider range of requirements," he says.

"[That] may include building their own applications on top of the core capabilities of GRC platforms," for content management, workflow, relational database and reporting.

Proctor suggests that organizations adopting GRC software treat the various components that make up governance, risk and compliance as if they're interrelated. It's a strategy that hasn't typically been deployed at companies, and it's a different way of understanding the value proposition of GRC.