Assess the automation capabilities. Does the tool have an easy way to automate complex processes? Does the automation deliver value where your organization most needs it?

Investigate how the tool models risk. Some may have rudimentary dashboards that only display a red, yellow or green light, while others may apply sophisticated metrics and risk analysis and provide detailed diagrams and models.

See what external data sources are tied in. What threat and compliance update feeds can be linked to keep risk assessment and compliance current?

Look for a business-process-modeling feature that allows you to visually lay out your business processes, define risk and control points, and see where risks and exposures are.

Study the survey capabilities. Are they advanced enough to meet your needs?