What's next for GRC?

22.08.2012

GRC technology in many ways is a data analysis function, Brown says, and just like any other data process it's only as good as the input. "For example, to build proper linkages you need to know all of the people in your company, on an ongoing basis as it changes, all of your technology platforms and systems, your policies/standards and controls, etc.," he says. "And all of that changes with the business regularly. We initially tried GRC with spreadsheets, then databases, then a vendor product, until we finally rolled it up on our own."

The problem with the company's earlier approaches was getting timely, accurate data, Brown says. "Spreadsheets are great today, but tomorrow that IT asset you just linked could be rebuilt, virtualized [or] moved to a cloud," he says.

"Your wonderful risk models and all of the work you completed is now outdated because your business process changed. And the real value of risk management is not in chasing change in your environment, it's understanding the threats and risks based on how the environment is changing."

Another challenge companies face when implementing GRC software is staffing. "In many cases the folks who are handling GRC have other responsibilities, so whatever product is used has to be measured by how much care and feeding it needs," Brown says. "Who hosts it? How does it get patched/updated? Will the update break any of our existing content? If there is too much overhead in maintaining the software, it cuts into the time to actually conduct risk assessments."