Depending on how it is implemented, GRC software can actually add complexity to risk management. "A solid GRC program already has a number of work flows and data repositories in place," says , senior business leader of strategy, planning and initiatives at San Francisco-based financial services firm Visa.

"In trying to integrate and/or subsume all of these, GRC tools attempt to be all things to all people, which can only be achieved through a flexible and customizable platform. Implementing and maintaining that customized platform usually requires large, continued investments in both capital and labor."

Vendors can address the issue, Farshchi says, by improving interoperability so that organizations don't have to develop customized hooks for each disparate data set, application or system. In addition, they can tailor GRC tools to do one job really well rather than try to expand the reach to every functional GRC problem that any business might have.

Another key challenge with GRC tools is usability, Farshchi says. "They tend to be very complex and hard to use from a user-experience perspective," he says.