What is required, says Gerry Halphen, vice president of product development at The Network, is a centralized repository of ethics and reporting information. That repository has to be robust enough to meet HR users' needs, as well as the needs of the loss prevention manager. It must also be capable of running ethics and compliance information from numerous data sources against a BI application. For example, a company might want to know how many ethics and compliance issues had arisen per employee for every new product rolled out.

"It helps you understand the ethical risk with other business activities you have going on," Halphen says.

Michael Rasmussen, senior analyst at Forrester, says a GRC platform must include "documentation, assessment, analysis, and loss information from every part of the business." To pull that off, an organization will need content management, business process management, and workflow.

Although all of this can be built and managed in-house, third-party providers have one other clear advantage. Let's face it: A hotline number managed by an outside call center or accessible through a third-party Web site will make employees far more comfortable than having to send a note to their local HR representative.