What's next for GRC?

22.08.2012

Brown thinks of GRC systems as being highly customizable and flexible ecosystems. "It should also be sold as a process, where it comes with integration services, training, governance models, sample policies and frameworks, and on-site or remote help to set up the program at a company," he says.

"Otherwise, by simply selling it as a software product, there is a high risk of the purchase becoming shelfware."

Brown's view of risk management in general echoes the starting point of our GRC examination: enterprise risk management/GRC is a process, not just a product.

"It takes thoughtful consideration when implementing it, educating business leaders, linking it to process and data, conducting the actual analysis, and then doing something meaningful with the results," Brown says.