"The platforms that are being built by most vendors are proprietary," Brown says. "On the good side, this means that they come with a prebuilt controls library and a generic risk process. But on the bad side, this means it's generally difficult to extend or customize in any meaningful way."

Brown has two suggestions for vendors. The first is that they build the GRC platform on top of an open source content management system. "This enables a much wider array of options when it comes to modules and potential integration," he says.

"Most if not all of the GRC tools that I have seen use a proprietary database schema and customized software. This means there is no economy of scale when it comes to leveraging the work of a broader open source community."

Brown's second suggestion is to ensure that a well-documented, published, open API is available for the product. "This API should go in both directions--to enable an easy ability to get data into the system and an easy way to get data out of it," Brown says.

"A number of vendors are moving in the direction of an API, or have one already. But very few, if any, are built on an open platform."