Global GRC Report 2018 Now Live - What's changed in Governance, Risk and Compliance since 2015? 

Posted by Chris Webster on Wed, Mar 21, 2018

Qualsys are delighted to announce that the Global Governance, Risk and Compliance Benchmarking report 2018 has now been published. 

Access your free online copy of the report by clicking the image below: 



About the report

In February 2018, Qualsys Ltd distributed the annual benchmarking survey, asking GRC professionals about their day-to-day roles. The 38 questions in the survey were grouped into four broad categories: GRC skills & areas of focus, key roles and activities, technology and systems, and organisational culture.

The 202 responses we received from many different industries have provided important insights into how the role is changing.

We’ve used the survey results to answer three questions:

1) How are GRC professionals spending their time?

2) What factors are influencing the role of GRC?

3) What are the key priorities for 2018?

We hope that you'll find the report insightful and useful in your role.

Download a free copy of the report here. You'll get: 

  • 20+ page report
  • Comments from the team
  • This report is being updated with insights from industry experts and GRC professionals. Leave a comment below or tweet @QualsysEQMS to get featured. 

Access the report:


Get even more insights

There was too much information to just put into a single report! Be sure to check out our Friday Feature every week. 


Tags: ISO 9001:2015, News, Friday feature

The GDPR more important than ever: Cambridge Analytica 'Big Data' Scandal

Posted by Michael Ord on Tue, Mar 20, 2018

Cambridge Analytica has provoked international uproar for exploiting the data of millions to manipulate the US 2016 presidential election and the UK Brexit referendum, using data harvested from Facebook's mobile application, "Thisisyourdigitallife".

Both Facebook and Cambridge Analytica have denied any wrongdoing. 


As the app was launched in 2015, it is covered by the Data Protection Act (DPA). But if it were to be in use after 25 May of this year, then the General Data Protection Regulation (GDPR) would apply. Here's how both Cambridge Analytica and Facebook would be implicated. 


Online identifiers and profiling 

The DPA only covers personal data and sensitive data. But Cambridge Analytica used data to psychologically profile people and deliver a series of content designed to manipulate their beliefs and values. The GDPR will not allow businesses to profile people without their explicit permission. The regulation covers online identifiers, the profiling of data subjects, and the other personal data you hold.


Explicit consent 

The application was developed by University of Cambridge academic Aleksandr Kogan who has no connections with Cambridge Analytica. As was common with apps and games in 2015, the application was designed to harvest not only the user data of the person taking part in the quiz, but also the data of their friends. 

Facebook has since changed the amount of data that developers can scrape in this way. However, the General Data Protection Regulation puts responsibility on both the controller and processor. In this case, Facebook would have a responsibility to protect the data subjects and be transparent and explicit about how the data is to be used.


Want to learn more about GDPR? Join our upcoming workshop


Time it takes to report a breach

Cambridge Analytica has been withholding information. Under the DPA, breach notifications are not mandatory: the business decides what it reports to the ICO, and to whom. Under the GDPR, however, breach notifications are mandatory and must be made within 72 hours, or the business faces huge fines. Penalties for breaches of the GDPR are substantial - sharing personal information and using it beyond the stated purpose will incur a fine of €20 million or 4% of global turnover.




Time to get your data policies up to the mark!

According to the Global GRC Survey 2018, 99% of governance, risk and compliance professionals feel their businesses aren't fully prepared for the General Data Protection Regulation. 

Prepare for the regulation, get template policies, and ask questions by joining our GDPR workshop. Click here to learn more.

Alternatively, download our GDPR toolkit


Tags: ISO 27001, EU GDPR

Qualsys nominated as SaaS Enterprise Solution of the Year

Posted by Alex Pavlovic on Mon, Mar 19, 2018

Qualsys is delighted to reach the finals of the 2018 IT Europa European IT & Software Excellence Awards, in the SaaS Enterprise Solution of the Year category.


The Awards

The Awards showcase the best of the European IT industry, from big names like Google and Microsoft to independent software vendors, system integrators and solution VARs. The 2018 ceremony will mark the tenth anniversary of the Awards.

The category

Qualsys has reached the finals for the SaaS Enterprise Solution of the Year category. The category focuses on independent software vendors delivering SaaS solutions to large, multinational enterprise customers.

Finalists were required to demonstrate how their enterprise software solution offered ease of deployment, management and integration for their customers. Scalability, international application and ability to support complex, international business operations were also key benchmarks of success.

Why Qualsys?

The strength of Qualsys's business partnership with Sodexo was a determining factor in reaching the finals of the Awards.


As the world's 19th largest employer, Sodexo has thousands of end users in 80 countries using Qualsys's document, audit, issue and training management software modules.

Five key performance indicators demonstrated how Qualsys's SaaS enterprise solution positively impacted the Sodexo operation:

1. Qualsys's unlimited free end user model allowed Sodexo to scale their solution as widely as desired without prohibitive costs

2. The user-friendliness of the modules, coupled with Qualsys's 'train the trainer' approach, allowed rapid but controlled exponential deployment across the Sodexo infrastructure

3. Process automation and integration between modules allowed considerable time savings and more efficient working: Sodexo's Global VP of Quality & Compliance Carl Stanbridge reported a 60% decrease in time expenditure for internal auditing.

4. Qualsys's continued post-deployment technical support and agile development process allowed Sodexo to maximise their use of the system, offering feedback for the Qualsys development team to action into continuous improvement.

5. Sodexo testimonials, such as:

The relationship we have with Qualsys is outstanding. We are very happy. 

Rob Gibson, EQMS Manager


Qualsys’s experience in working with large, complex, multinational organisations was a key factor in Sodexo’s decision. The flexibility of our enterprise quality management system has allowed Sodexo to tailor the solution to address a complex requirement, whilst simplifying and embedding compliance. I saved 60% of my auditing time with iEQMS.

Carl Stanbridge, Quality & Compliance Director - Global Pharmaceuticals & FMCG


What next?

The award will be presented to the winner on 19 April.

To read more about our partnership with Sodexo, click here.

Access our free enterprise case study booklet to see how BT, Diageo and Sodexo use our solution for more robust and efficient quality management.

Discover more about our GRC solution for enterprises here.

And wish us luck for the finals!



What you need to know about ISO 45001

Posted by Alex Pavlovic on Thu, Mar 15, 2018

ISO 45001, the world's first international occupational health and safety quality standard, was published on 12 March, replacing the previous OHSAS 18001 benchmark.

As with any new standard, it's vital for quality professionals to understand the requirements of ISO 45001, what the standard means, and how it will affect their business.

Here's what you need to know.



1. You've got three years

Already compliant with OHSAS 18001? You have until 12 March 2021 to make the switch to ISO 45001. The good news is that you'll recognise most of the requirements of the new standard have been carried over from OHSAS 18001. But of course, in line with the requirements prescribed by other ISO standards, ISO 45001 contains several new areas of focus. You will need to be familiar with these as well if you want to work towards compliance.


2. It makes some key changes

ISO 45001 adds to the requirements of OHSAS 18001 in several areas. Some common themes from other recent ISO standards are apparent here, as follows:

  • Increased focus on risk management - Companies must consider, identify and take the necessary corrective and preventative action to address any risks posed to the health and safety of their workforce.
  • Increased emphasis on business context - Linked to the focus on risk is the emphasis on context-specific business risks seen in ISO 31000. Businesses need to consider the unique ways that the health and safety of their workers might be compromised - and act accordingly.
  • Increased commitment from senior management - Top management must actively engage in the health and safety management system of their business, and contribute to it. In many ways, this change has been a long time in motion - the number of directors jailed for H&S negligence tripled in 2016 alone - but ISO 45001 formalises and codifies the managerial responsibility for health and safety in a way that OHSAS 18001 did not.
  • Increased focus on objectives and KPIs - Businesses should set, monitor and evaluate health and safety performance objectives as drivers of continuous improvement in the workplace.



3. It's compatible

ISO 45001 is designed for close integration with other ISO standards. So if you're already working to one or more other ISO benchmarks, you have a firm advantage for getting 45001-compliant as well.

It also means you can more easily build a holistic, ISO-compliant environmental, health and safety management system. The incorporation of Annex SL gives ISO 45001 the same top-line framework as other ISO standards, placing the same emphasis on leadership, planning, continuous improvement, and other key areas. Take the necessary steps prescribed by Annex SL, and your business is much closer to a resilient 'culture of quality'.




What to do next

1. Read a breakdown of the key ISO 45001 clauses here

2. Making the change to the new standard? Download our free ISO 45001 transition toolkit.

3. Looking to build risk-based thinking into your EHS system? Join our risk workshop on 22 March. 

4. Qualsys's software modules are designed to simplify, streamline and automate your health and safety management procedures with powerful and user-friendly functionality. Read more here.




The 3 ways every business should be managing risk

Posted by Alex Pavlovic on Tue, Mar 06, 2018

Risk lurks in every nook and cranny of a business - and there is increasing pressure from standards like ISO 9000 and 31000 for senior management teams to address it. 

Yet a 2017 Qualsys survey revealed that 67% of quality professionals believe that their leadership team is completely disengaged with governance, risk and compliance management. Worse still, most businesses aren’t currently using any formal risk assessment process.

Nothing grabs the headlines like a good business disaster - think of Volkswagen's $30 billion emissions scandal, Uber's hacker breach or KFC's chicken shortage.

So how can businesses embed the risk-based thinking they need into their daily operation? 


1. Get everyone in the business to own risk

Identifying risk, of course, comes first, and it’s not something you can just know. Risk exists in every area, site and department of a company, from finance and production to information security and suppliers. Examples include:

  • Mergers and acquisitions
  • Liquidity
  • Reputational damage
  • Counterparty risk
  • Market competition

As such, no one person can pinpoint risk on their own. Different areas of a business operate differently and can be stronger or weaker in their management of risk.

Nor should a risk assessment be a one-off: “our office is in a flood risk area, so if there is heavy rain it might flood, forcing us to shut down.” As business processes change, new risks are constantly being introduced - so looking at risk should be a routine.

Onboarding a new supplier? Introducing a new IT system? Updating a financial policy? They all bring risk, and every employee connected to those areas should consider how. Risk assessment should be a constant, flexible process encompassing everyone in your business.

Human error can strike anywhere, even in the largest and most complex of enterprises. In 1999, NASA's $125m Mars Orbiter probe entered the orbit of Mars 100 kilometres too close to its surface and was destroyed - because its attitude control system used imperial measurements, while its navigation software used metric. A costly, so-called 'schoolkid blunder' might have been averted had more eyes been on the case.

Implementing a robust system collating input from everybody is a valuable way of strengthening your risk assessment and gathering a comprehensive picture of the full gamut of risk - what mistakes might be made, what uncertainties can impact your objectives, and how to manage and minimise them. Just because a particular risk hasn’t happened yet, it doesn’t mean it won’t.



2. Implement an integrated risk management system

So you’ve asked your staff to consider and identify risk areas. But how do you quantify each risk and assess how to respond to them? You’ve probably seen a risk assessment matrix like this before, where risks are assessed by severity and likelihood:



The standard matrix is an effective, if simplistic, tool for risk assessment. Knowing what to do with risk information is another thing entirely; new standards and regulations are demanding increasingly sophisticated, specific and comprehensive risk programs, while giving businesses flexibility to determine their own processes.

The 2015 iteration of ISO 9001 prescribes 'risk-based thinking', with preventative actions and input from senior management, while the ICO mandates a privacy-risk-specific Privacy Impact Assessment (PIA) to comply with the EU’s upcoming GDPR regulation.

Because of this, understanding how to assess and manage specific risks in compliance with various frameworks and the context of your organisation takes time and consideration.

Some businesses are more risk-averse than others and have a lower ‘risk appetite’. Some appreciate resources like gap analysis templates and risk management software as effective tools for risk management. Others employ methods like the Delphi technique or SWOT.

Take the opportunity to do your research and consider what external support you can draw on.

Whatever process you map out for risk control, some key elements include:

  • Auditing auditing auditing. 'Taking the temperature' of your business at frequent intervals with internal audits allows you to see how risks are being addressed and managed.
  • Fine-tuning responses. Don’t wait for a risk to mature - ensure CAPA processes are already in place. When something does go wrong, your team can respond quickly and intuitively.
  • Delegating responsibility and making sure skill gaps are plugged. Your staff should know what is expected of them, and how. An airtight workforce will have a lower incident rate and a faster risk remediation time.
  • Looking for standard commonalities. New ISO standards share the Annex SL high level structure, giving them similar risk management themes and values. Targeting these core areas avoids duplication of efforts and allows risk management to be rapidly implemented. One Qualsys customer, Aberdein Considine, used this approach to achieve four ISO standards in less than a year.


3. Measure risk opportunities

Lastly, you should avoid seeing risk as a purely negative phenomenon. As well as asking, “what could go wrong?”, ask, “what uncertainties might present opportunities?” Risks and opportunities are really two halves of the same coin: uncertainty.


  • A project might be budgeted for - and come in above or below target.
  • An inbound marketing campaign might aim to increase website traffic - and bring in absolutely nobody, or so many people that your website crashes.
  • A new product might flop, or completely swamp production with high demand.

The common thread is the uncertain; the difference is that positive risk presents opportunity, while negative risk demands redressing. By planning for positive risk as well - what to do with those unspent funds, how to tweak your website to cope with more visitors, what production contingency plans you can put in place to cope with demand - you are not only encouraging optimism as well as caution, you are prepared for any eventuality. And your business will be stronger, healthier and more prepared because of it.



What to do next

Unsure how to start tackling risk?

Our free ISO 31000 toolkit contains a range of resources to help you get to grips with the risk management standard.

Qualsys are also hosting a full-day interactive risk management workshop at our Sheffield office on 22 March. Delegates will learn how to:

  • Drive and embed risk-based thinking across their business
  • Apply risk standards like ISO 31000 to their processes and practices
  • Build a robust risk management system around core risk principles using tried and tested tools and templates 
  • Engage team members to identify and manage risk

Find out more here


Cloud GRC software vs On-Premise GRC software

Posted by Chris Webster on Tue, Mar 06, 2018

When selecting a new governance, risk and compliance software solution, one important decision you will need to make is whether you will be hosting your system on the cloud or on-premise. 

Cloud-based GRC systems have become much more popular in recent years - especially among small and medium sized businesses - but there are many reasons why you may decide a traditional, on-premise system is better for you.  

Qualsys can actually offer you three options - cloud-based software, on-premise or a hybrid deployment. Hybrid means cloud GRC software can be hosted on your private servers if you choose. 

To help you to make an informed decision, this article shares with you key considerations. 



The question we are asked most often is "Which is the most secure option?"

Our systems are all hosted in an ISO 27001 data centre, and we have never had a major information security incident. 

Qualsys's cloud hosted system provides you with: 

  • High availability firewall
  • Anti-virus for file servers
  • Managed to the PCI DSS standard
  • Backups every 15 minutes.




The initial costs for on-premise are usually higher as you'll need to invest in a Virtual Machine (VM) or a physical server. The minimum server specification for our software:

  • Microsoft Windows Server 2008 / Windows Server 2012
  • Microsoft Internet Information Services (IIS)
  • Windows Search Service
  • Microsoft SQL Server 2008 or higher
  • 8 GB RAM or higher (recommended)
  • Intel Xeon 2.4 GHz processor or higher (minimum)
  • A full EQMS system installation requires 1.5 GB of disk storage with no documents or data loaded
  • 100 GB of disk space recommended for document storage, with room for expansion.

You'll also need to ensure you have allocated resource for internal IT time and system maintenance. 

Hosting with Qualsys's cloud solution starts from £120 per month and all of the technical work is completed for you with very little resource required from your internal technical teams. 


Time to set up

For client server systems, we usually recommend allocating 2 days of internal resource to install the software. For systems hosted with Qualsys, it takes 1.5 days to install a UAT and live system. 


Support and help

Whether you have a cloud hosted system by Qualsys or opt for on-premise, you'll still be entitled to an upgrade every year. These upgrades can be completed remotely. 



Both systems can be made available via a browser (Firefox, Chrome etc.) from any web-enabled device, including smartphone and tablet applications (iOS and Android). Our software has passed stringent speed tests.

Need more information about our hosting or technical information? 

Talk to a domain expert or schedule a call when you are next available.

Alternatively, read more about our technical product features by downloading our datasheets.



Tags: EQMS, Implementing EQMS

Types of quality management systems

Posted by Michael Ord on Mon, Mar 05, 2018

No matter what industry you're in, getting the right information to the right person at the right time is necessary for the success of your business. This is where quality management system (QMS) software comes into play. 

Different types of QMS software support your business goals in different ways. Choosing the best QMS for your company requires looking at your objectives and determining the main quality challenges you need to resolve.


What is a QMS? 

Short for quality management system, a QMS helps your business automate quality processes to improve efficiency, track the cost of poor quality (COPQ), and improve customer satisfaction. 

What are the benefits of using a QMS? 

A good QMS enables you to focus on building a culture of quality and mentoring / training employees, rather than scrambling to keep tabs on all your policies, processes and procedures. From a centralised system you can see your strengths, weaknesses, opportunities and threats. A QMS helps you make sense of large volumes of data, so you can focus on the most pressing issues.

Whether you are looking to implement a QMS for the first time or want to switch to something that better suits your business needs, there are several types of QMS software solutions you may want to consider. 

List of the different types of quality management system 

Qualsys provides a modular quality management system. This means that you can 'pick-and-mix' the module or modules as you require. 

Click on each of the below to learn more about the solution. 


By module: 

  1. Document control 
  2. Change control
  3. Enterprise & operational risk management 
  4. Supplier management 
  5. Equipment and asset management 
  6. CAPA management 
  7. Policy management 
  8. Internal audit
  9. Training records management 
  10. Integrated BI / GRC Dashboard 
  11. Complaints management system
  12. Accident and incident reporting management system


By management system

  1. Governance, risk and compliance management system 
  2. Integrated business management system 
  3. ISO 9001 management
  4. Product life cycle management 
  5. Food safety management 
  6. Health and safety management 
  7. Environmental management
  8. Information security management   


What to do now

Not quite sure what you need? We love to help. So drop us an email, give us a call on +44 (0) 114 282 3338, schedule a discovery call at a more convenient time, or drop in for a coffee.

Alternatively, read more about the changing role of quality management systems here. 


Tags: Quality Management Software

Policy management best practices 

Posted by Emily Hill on Mon, Mar 05, 2018

Every governance, risk and compliance person, regardless of the type of business they work for, wants their policies to be read and understood by their employees, customers and suppliers. 

But let's face it - most employees probably aren't engaging with your policies. After all, you wouldn't be getting so many repeated mistakes and issues if they had really read and understood your policies.

Kate Armitage, Product Quality Assurance Manager at Qualsys has earned a reputation for making even the driest of subjects interesting and thought-provoking. 

So when it comes to creating Qualsys's policies, she's always got a strategy for raising awareness, getting everyone onboard and making real business improvement. 

In this article, Kate has shared 7 top tips for creating policies that are effective and engaging.


1) Establish a process for creating policies

Establish a defined process for creating policies. You can do this within our Document Manager software (see image below).


Determine what policies are needed. Typical business policies: 

  • Electronic device policy
  • Flexible working policy
  • Risk management policy
  • Quality policy
  • Information security 
  • Business continuity and disaster recovery planning
  • Ethical policy
  • Equal opportunities policy
  • Data protection policy 
  • Health and safety policy

Standardise a template for the processes and procedures. This way there is a common look and feel to all the documentation. Here is our privacy policy example. 


2) Don't do it on your own

All of your policies should have an official owner. But that doesn't mean you have to do everything. For example, get relevant departments to be part of the approval cycle before the policy goes live. Below is an example of how this works in our software. 


Give employees ownership, assign responsibility and create the processes and procedures with the staff members who are doing the work. This way your team feel involved and empowered and more likely to share any ideas or risks. 


3) Link between policies

Create good links between different policies and documents where relevant. This will encourage users to read around the subject, and can increase views of your policies by over ten times.


Image: Example of Qualsys's policy map 


4) Make your policies really simple

Good communicators make themselves look smart. Great communicators make their audiences feel smart.

First, read this. Now the rule is to keep your policies as simple as possible.



5) Cater for different learning styles 

When you're writing a policy, first and foremost you are becoming a teacher. Good teachers cater to different learning styles. For example, create process flow diagrams to support the written processes, since a visual representation often aids understanding, or, if you have the time, create a video, webinar or audio recording to go with the written policy.


6) PDCA 

Always remember that, as well as planning and implementing the policies, you should also be discussing and reviewing the processes during your audit schedule.


7) Use our software to manage all of your policies

Your policies should not be dispersed, nor should they only exist on paper. You need a system which provides a framework for managing and controlling your policies. Our software enables you to manage the entire life cycle of your policies. 

See our policy management module in action. 


What you should do now

Try our Stakeholder engagement template for a free step-by-step guide to getting your team engaged with quality. 



Tags: ISO 9001:2015, Policy management

How to find the best GRC software solution

Posted by Kate Armitage on Thu, Mar 01, 2018

Governance, risk and compliance (GRC) software was originally designed to keep your information controlled in an electronic format. It was often only accessed by quality teams to show external auditors and customers processes and procedures.


Over time, however, GRC software has evolved to become a single source of truth for your entire business, underpinning every decision made. 

GRC software is now a robust tool that helps businesses to manage complex processes, assign roles and responsibilities, identify risks and opportunities, capture data from applications across the business, automate workflows, and create instant KPI dashboards.

From a quality perspective, GRC software provides visibility into performance across your business. It is used to plan, manage, monitor and optimise. Whether your quality objectives are to focus on reducing the cost of poor quality, nurturing customer satisfaction or fostering a culture of continuous improvement, a GRC software solution is essential for every modern business. 

With so much opportunity, buying a GRC solution actually becomes very difficult. Unsurprisingly, the scope of "GRC software" solutions has evolved in many different directions, and vendors now provide many different types of solutions. As a customer, you need to choose between hundreds of different solutions.

So how can you find the best GRC solution for your business? 

In this article, I’ve talked you through five key considerations to help you get the best GRC solution for your business. These are:

  1. Defining what the 'best' solution looks like for your business
  2. Knowing what to spend
  3. Finding the right vendor for you
  4. Avoiding common mistakes
  5. Listening to feedback

I hope you’ll find this guide useful and actionable. If you have any questions, please give me a call on +44 (0) 114 282 3338 or drop me an email. 


Image: GRC Dashboard collating data from multiple business applications, ERPs, Salesforce etc. to give leadership a picture of the business


1) Defining what the 'best' solution looks like

I mentioned earlier that GRC software has evolved a lot over recent years. GRC software doesn't just keep you compliant - it offers a bevy of tools to help you make your business more profitable, enhance your company culture and make your employees happier. Yes - I said it - GRC teams now have tools to make everyone from your shop floor to your top floor happier.

So how do you know what you want to achieve with your solution? 

I'd recommend creating a User Requirements Specification (URS). A URS is basically a list of all the features you want. Qualsys provide a template URS to help you get started. You can purchase it here for £29.99. 

Customise the template by going around your business and asking questions. What are the business's pain points? What works at the moment? What doesn't make any sense?

You'll get a lot more ideas by asking people early on in the process and it'll help you to avoid scope creep later on in the process. 

In this blog post you'll find a free example survey you can send to your employees to understand more about their pain points.

Once your URS is complete, send it to your vendors.

Some example features you may want from your GRC software solution: 

  • Instant KPI Dashboards: Get real-time insights into performance across your business. You can track sites / departments / individuals and share what is working well. Use these lessons and share it across your wider business. 
  • Documents / Policies: Systematically keep on track of document and policy life cycles - get the software to do this for you! No more searching through thousands of duplicated documents in SharePoint. 
  • Supplier management: Few businesses know who all their suppliers are and what they use them for. This results in duplicated purchases, and wasted revenue! Get a solution with a Supplier Management module and you can get control. 
  • Audits: Make the most of your subject matter experts across your business by requesting that they routinely voice their opinions, issues and ideas using auditing software. 
  • APIs and Integrations: Bring all your data together, instantly. No more chasing departments for data and waiting three weeks.  
  • Risks: Give employees the opportunity to speak up about risks they see and identify issues before they occur.
  • Equipment / data processing register / asset register: Wouldn't tackling regulations such as GDPR be so much easier if you knew exactly what equipment was in use and how it was being used?  
  • Training records: People are your most important assets. Keep their training up to date, keep them informed and properly record the training. 
  • CAPA / issues / complaints / change / workflows: So many businesses hope that their employees will always take responsibility and step up when there is an issue, complaint or CAPA requirement. But most businesses are busy and encounter new issues all the time, and without clear ownership this causes a number of problems. Assign roles and responsibilities, and you get rid of frustration and have a happier, more confident and aligned business. 



2) Knowing what to spend

There are so many ways GRC software can be priced. And if you aren't completely clear about how the pricing works, it can be easy to end up confused and make a bad decision. 

Pricing models tend to be annual plans. However, vendors will include different things within this price. For example: 

  • Hosting 
  • End users
  • Administrator licenses
  • Training costs
  • Support and maintenance 
  • What modules you'll get
  • Implementation costs 

If you're getting confused by pricing, calculate the price per employee over a 5-year period.  

My advice:

  • Have a budget. Stick to it. You don't want to overspend and have a system which is too expensive over the long haul.

  • Be realistic. You can’t expect the most feature-rich solution if your budget is £50 for the year. 

  • Align with your long term business strategy. If your business is planning to grow by 50% you'll need a system which will support your long term business strategy. 

  • Consider return on investment. Upfront costs might be higher because you require a thorough implementation or you may need to validate your software to meet regulatory requirements, but this could provide return on investment faster than a cheaper solution. Try our interactive ROI calculator for more information. 

  • List your top 3 most important criteria before you start. Do you want a system that you can roll out across your entire business? You need free end-users. Do you want a system which your suppliers can access? You need free supplier portals. 

We’ve got a more in-depth blog about costs and the factors which will influence the cost of your solution here or try our total cost of ownership calculator.


Try our 4-year total cost of ownership tool here. 


3) Finding the right vendor for you

As previously mentioned, there are many different GRC software vendors, and they all specialise in different areas and can help you achieve different goals. 

So what do you want from your system? What does your business want to achieve? 

Below, I've listed the GRC software vendors my customers have come across and how I would define each of their strengths. These are listed without prejudice; we don't profess to be experts on the nuances of all offerings:


Vendor: strength / areas of expertise

  • (vendor name not present in the extracted page): For growing businesses who want a scalable, integrated GRC system. Available via SaaS (cloud), on-premise (server) and/or mobile (iOS and Android).
  • RSA Archer: Risk management for financial businesses.
  • IBM Open Pages: Highly bespoke solutions in larger enterprises.
  • ISO Tracker: For businesses where compliance is managed in one department / by one person.
  • BSI Entropy: For businesses with less than 10 employees.
  • (vendor name not present in the extracted page): For businesses in hospitality, retail and construction.
  • (vendor name not present in the extracted page): Heavy focus on the NHS and aerospace sector. Wide portfolio of products.
  • (vendor name not present in the extracted page): Useful auditing tool for tablets, though not integrated into a wider EQMS (for aggregate data / trend analysis / findings etc.).
  • ISM Xpress: For very small businesses.
  • (vendor name not present in the extracted page): For managing documents.


We've provided some free templates and tools to help you select the best vendor for your business in our Business Case toolkit.


Image: Use our vendor comparison tool in our Business Case toolkit

Tips for choosing a vendor: 

  1. Get a demonstration - It'll help you see the solution and understand how it could work for you.
  2. Send the vendor your URS - Give your vendor a week or two to complete your URS so you can score your vendors for your key criteria. 


Image: Internal auditing software integrates with the central document management system.


4) Avoiding common mistakes

With so many different GRC software solutions available, choosing the right one can be really difficult. 

Here are some mistakes to avoid: 

  1. Underestimating the implementation process
  2. Choosing an inexperienced vendor
  3. Neglecting the employee engagement process
  4. Choosing a system which you will outgrow
  5. Making do with a solution because it is cheaper
  6. Choosing a free solution that puts your business at risk
  7. Scope creep
  8. Choosing a vendor who is too big to care about you 

For more tips and advice from leading brands, read our Software Buying Guide.  




5) Listening to feedback

There are many different places where you might find reviews about GRC software.

Here are a few: 

At Qualsys, we always encourage you to call or visit at least one of our existing customers. We find this not only enables you to see our system in action, it provides an opportunity to learn, share and get ideas from others like you. 


What you should do now

Now you know how to find the best GRC solution, you'll need to build a business case to get internal buy in. Download our free business case template here. 



Money for nothing: the cost of poor quality

Posted by Alex Pavlovic on Tue, Feb 27, 2018

KFC's running supply chain débâcle is costing them £4.2m every week by one estimate.

A recent Deloitte quality report identified manufacturers spending up to $100,000 (£71,510) and 116 workdays per site per year to comply with overly complex, outdated and redundant quality management systems (QMS).

And after 25 May, fines of up to €20m (£17.64m) await businesses without GDPR-compliant information security processes in place. 

The cost of poor quality is getting increasingly eye-watering, and more and more businesses are investing in preventative measures to save themselves from serious financial jeopardy down the road. 

Image: Colonel Sanders's supplier management processes leave something to be desired

The importance of being standardised


Deloitte's 'Quality 2020' survey revealed three key commonalities among respondents in the manufacturing sector:

  1. Standardisation was identified as the key goal for quality management, impacting on other quality areas such as operational efficiency and the cost of poor quality. 96% believed a moderate to extreme improvement in quality would arise from standardising quality management.
  2. The main problems contributing to the rising cost of poor quality were identified as: the rising complexity of standard requirements, having to maintain multiple quality systems for multiple standards, and the growing gap between certification and actual quality performance.
  3. The overwhelming majority believed that 'significant effort' would be needed to effect the necessary changes.

In short: businesses are losing vast amounts of money to unstandardised, overly complex quality management processes, while quality standards themselves become more complex and numerous. This expenditure can be crippling and, even worse, is completely avoidable.

As the case of KFC shows, some businesses are neglecting to follow robust quality processes. KFC switched their supplier from Bidvest to DHL without the correct vetting, leaving themselves stranded with a logistical chain unable to cope with demand.

It's no surprise then that David Cau, Director of Business Risk at Deloitte, concluded that:

The GRC market seems to be thriving, as more companies realise that they pretty much have to invest in this area.



More and more businesses are willing to 'spend £1 to save £2' with a GRC solution


Why GRC?


Survey respondents estimated an expenditure reduction from 116 workdays and $100,000 per site needed to comply with quality standards each year to 67 workdays and $51,000 per site if their quality management systems were standardised, simplified and centralised.

And the cost of poor quality (COPQ) from events like closures, complaints and non-conformances naturally falls as fewer of these events occur.

The financial advantages of achieving these goals by onboarding governance, risk and compliance software have contributed to explosive growth in the sector, with between 15% and 20% annual growth predicted between 2018 and 2020. 

Does it really take the 'significant effort' predicted by the survey respondents to implement a GRC solution?

That depends.

Implementation, cultural fit, bespoke business requirements and internal engagement are all problems which need to be considered by any company looking for a GRC software solution.


If the basic requirements aren't met, nothing will be.

Close research is needed for any procurement project; many businesses seeking GRC software vendors use 'quadrant' analyses provided by Forrester or Gartner. But many vendors are left out by this approach, as David Cau recognises:


These quadrants lead companies to limit their GRC tool selection process only to the vendors mentioned in the quadrants, or even only consider players from the leader’s quadrant and initiate their choice only from an IT standpoint, rather than also considering the business needs.


There's really no way around it: if your business wants to save money with a leaner, more efficient quality backbone, careful GRC software research is the way forward. Find the vendor for you, and the effort will undoubtedly reap rewards.

What to do next


We've put together a GRC software vendor scorecard to help you evaluate prospects - access it here.

Putting together a business case for a GRC software investment has never been easier, thanks to the obvious financial advantages. Kickstart the process with our business engagement toolkit.





Tags: Operational Excellence