One aspect of the GRC process that is not covered by products, Brown says, is the "G" in its acronym: governance. "How are committees defined and how often do they meet?" he says. "What happens once risks are identified? Once you prioritize and accept a risk, what happens next? Does this link to a project management office function to define remediation efforts? How do those efforts get funded? All of these questions are very relevant to how GRC might work, but in many cases are not answered by a GRC product, nor are they cookie-cutter for each company that implements GRC."

Brown recommends that vendors focus on educating the community at large about GRC. This includes publishing sample policies, discussing different governance models, and presenting podcasts and videos with customers discussing what approaches work and don't work.

"This information should be freely available on the Web and in social media, without a requirement to provide contact information or create an account on the vendor's website," Brown says. "The vendor could also host a collaboration forum for the community to discuss GRC, either on their own Web site or perhaps leveraging LinkedIn communities."

To address some of the issues the company encountered, Western Bridge built its own GRC tool using the open source content management system Drupal. "Software cost was zero, it has widespread community support, we tailored it exactly to our needs, there are no ongoing vendor costs, and we can integrate it however we see fit," Brown says. "It has worked very well, and most people are blown away when we even describe it at a high level."