Kate Armitage

Recent Posts

How to find the best GRC software solution

Posted by Kate Armitage on Thu, Mar 01, 2018

Governance, risk and compliance (GRC) software was originally designed to keep your information controlled in an electronic format. It was often only accessed by quality teams to show external auditors and customers processes and procedures.


Over time, however, GRC software has evolved to become a single source of truth for your entire business, underpinning every decision made. 

GRC software is now a robust tool that helps businesses to manage complex processes, assign roles and responsibilities, identify risks and opportunities, capture data from applications across the business, automate workflows, and create instant KPI dashboards.

From a quality perspective, GRC software provides visibility into performance across your business. It is used to plan, manage, monitor and optimise. Whether your quality objectives are to focus on reducing the cost of poor quality, nurturing customer satisfaction or fostering a culture of continuous improvement, a GRC software solution is essential for every modern business. 

With so much opportunity, buying a GRC solution is actually very difficult. Unsurprisingly, the scope of "GRC software" solutions has evolved in many different directions, and vendors now provide many different types of solutions. As a customer, you need to choose between hundreds of them.

So how can you find the best GRC solution for your business? 

In this article, I’ll talk you through five key considerations to help you get the best GRC solution for your business. These are:

  1. Defining what the 'best' solution looks like for your business
  2. Knowing what to spend
  3. Finding the right vendor for you
  4. Avoiding common mistakes
  5. Listening to feedback

I hope you’ll find this guide useful and actionable. If you have any questions, please give me a call on +44 (0) 114 282 3338 or drop me an email. 


1) Defining what the 'best' solution looks like

I mentioned earlier that GRC software has evolved a lot over recent years. GRC software doesn't just keep you compliant - it offers a bevy of tools to help you make your business more profitable, enhance your company culture and make your employees happier. Yes - I said it - GRC teams now have tools to make everyone from your shop floor to your top floor happier.

So how do you know what you want to achieve with your solution? 

I'd recommend creating a User Requirements Specification (URS). A URS is basically a list of all the features you want. Qualsys provide a template URS to help you get started. You can purchase it here for £29.99. 

Customise the template by going around your business and asking questions. What are the business's pain points? What works at the moment? What doesn't make any sense?

You'll get a lot more ideas by asking people early on in the process and it'll help you to avoid scope creep later on in the process. 

In this blog post you'll find an example survey you can send to your employees to understand more about their pain points.

Once your URS is complete, send it to your vendors.

Some example features you may want from your GRC software solution: 

  • Instant KPI Dashboards: Get real-time insights into performance across your business. You can track sites / departments / individuals and share what is working well. Use these lessons and share them across your wider business. 
  • Documents / Policies: Systematically keep track of document and policy life cycles - get the software to do this for you! No more searching through thousands of duplicated documents in SharePoint. 
  • Supplier management: Few businesses know who all their suppliers are and what they use them for. This results in duplicated purchases, and wasted revenue! Get a solution with a Supplier Management module and you can get control. 
  • Audits: Make the most of your subject matter experts across your business by requesting that they routinely voice their opinions, issues and ideas using auditing software. 
  • APIs and Integrations: Bring all your data together, instantly. No more chasing departments for data and waiting three weeks.  
  • Risks: Give employees the opportunity to speak up about risks they see and identify issues before they occur.
  • Equipment / data processing register / asset register: Wouldn't tackling regulations such as GDPR be so much easier if you knew exactly what equipment was in use and how it was being used?  
  • Training records: People are your most important assets. Keep their training up to date, keep them informed and properly record the training. 
  • CAPA / issues / complaints / change / workflows: So many businesses hope that their employees will always take responsibility and step up when there is either an issue, complaint or CAPA requirement. But most businesses are busy and encounter new issues, and this causes a number of issues. Assign roles and responsibilities, and you get rid of frustration and have a happier, more confident and aligned business. 


Diagram: How Qualsys's modules integrate to make a complete GRC solution  


2) Knowing what to spend

There are so many ways GRC software can be priced. And if you aren't completely clear about how the pricing works, it can be easy to end up confused and make a bad decision. 

Pricing models tend to be annual plans. However, vendors will include different things within this price. For example: 

  • Hosting 
  • End users
  • Administrator licenses
  • Training costs
  • Support and maintenance 
  • What modules you'll get
  • Implementation costs 

If you're getting confused by pricing, calculate the price per employee over a 5-year period.  

My advice:

  • Have a budget. Stick to it. You don’t want to overspend and have a system which is too expensive in the long haul.

  • Be realistic. You can’t expect the most feature-rich solution if your budget is £50 for the year. 

  • Align with your long term business strategy. If your business is planning to grow by 50% you'll need a system which will support your long term business strategy. 

  • Consider return on investment. Upfront costs might be higher because you require a thorough implementation or you may need to validate your software to meet regulatory requirements, but this could provide return on investment faster than a cheaper solution. Try our interactive ROI calculator for more information. 

  • List your top 3 most important criteria before you start. Do you want a system that you can roll out across your entire business? You need free end-users. Do you want a system which your suppliers can access? You need free supplier portals. 

We’ve got a more in-depth blog about costs and the factors which will influence the cost of your solution here or try our total cost of ownership calculator.


Try our 4-year total cost of ownership tool here. 


3) Finding the right vendor for you

As previously mentioned, there are many different GRC software vendors, and they all specialise in different areas and can help you achieve different goals. 

So what do you want from your system? What does your business want to achieve? 

Below, I’ve listed the GRC software vendors my customers have come across and how I would define each of their strengths. These are listed without prejudice; we don't profess to be experts on the nuances of all offerings:


| Vendor | Strength / areas of expertise |
|---|---|
| | For growing businesses who want a scalable, integrated GRC system. Available via SaaS (cloud), on-premise (server) and/or mobile (iOS and Android). |
| RSA Archer | Risk management for financial businesses |
| IBM Open Pages | Highly bespoke solutions in larger enterprises. |
| ISO Tracker | For businesses where compliance is managed in one department / by one person. |
| BSI Entropy | For businesses with less than 10 employees. |
| | For businesses in hospitality, retail and construction. |
| | Heavy focus in the NHS and Aerospace sector. Wide portfolio of products. |
| | Useful auditing tool for tablets, though not integrated into a wider EQMS (for aggregate data/trends analysis/findings etc). |
| ISM Xpress | For very small businesses. |
| | For managing documents. |


We've provided some free templates and tools to help you select the best vendor for your business in our Business Case toolkit


Image: Use our vendor comparison tool in our Business Case toolkit

Tips for choosing a vendor: 

  1. Get a demonstration - It'll help you see the solution and understand how it could work for you.
  2. Send the vendor your URS - Give your vendor a week or two to complete your URS so you can score your vendors for your key criteria. 


4) Avoiding common mistakes

With so many different GRC software solutions available, choosing the right one can be really difficult. 

Here are some mistakes to avoid: 

  1. Underestimating the implementation process
  2. Choosing an inexperienced vendor
  3. Neglecting the employee engagement process
  4. Choosing a system which you will outgrow
  5. Making-do with a solution because it is cheaper
  6. Free solutions - put your business at risk
  7. Scope creep
  8. Choosing a vendor who is too big to care about you 

For more tips and advice from leading brands, read our Software Buying Guide.  


5) Listening to feedback

There are many different places where you might find reviews about GRC software.

Here are a few: 

At Qualsys, we always encourage you to call or visit at least one of our existing customers. We find this not only enables you to see our system in action, it provides an opportunity to learn, share and get ideas from others like you. 


What you should do now

Now you know how to find the best GRC solution, you'll need to build a business case to get internal buy in. Download our free business case template here. 



Managing quality in high-growth organisations [Download playbook]

Posted by Kate Armitage on Wed, Apr 26, 2017


Being part of a high-growth organisation can be incredibly rewarding. But for a quality manager, what does this mean for you? 

A growing organisation poses many challenges for quality. It means new products, new sites, new employees, new regulations, new processes, new innovations, new customer requirements, and new risks.

If your leadership team have ambitious plans for growth, they are going to need your help to get them there. However, managing quality in this sort of environment is not for the faint-hearted. It is often complicated with many moving parts. Every second counts.

Getting processes, systems and procedures in place sooner rather than later is critical to prevent chaos and damage to your brand and to generate sustainable growth. 

Where to begin? 

Start with our playbook.

In this no-nonsense guide, Kate Armitage, Quality Manager at Qualsys, shares her approach to:

  • Aligning quality priorities with the strategic direction of the organisation
  • Winning leadership buy-in
  • Assembling a team of champions
  • Creating a plan of action
  • Encouraging scalable processes
  • Choosing technologies wisely
  • Leading your company to success

Who is this playbook for? 

  • Quality professionals who are starting a new role and want to make an impression
    in the first 100 days. 
  • Quality professionals who have noticed their company is growing and need to get on
    top of things.


"Managing Quality in High-Growth Organisations"


What does EQMS do that SharePoint doesn't?

Posted by Kate Armitage on Fri, Apr 07, 2017

The Global Quality Trends Report 2017 revealed that 45% of quality professionals work without a quality management software tool to manage their documentation. Of these, 20% use SharePoint to handle documents, while others have archaic systems of printed documents, shared drives, or shared MS Word/Excel files.

There are big problems here for any quality professional who strives for continuous improvement and wants to implement a culture of quality across their organisation.

A platform like SharePoint has many features that a developer can use to build a document manager solution. But for the average end-user, and for businesses whose systems need to consider regulatory demands, EQMS offers that much more when it comes to use, configuration and compliance. 

1) SharePoint's lack of controls means documents are unprotected from editing

Hosting documents in a central hub such as SharePoint, or on an internal shared drive without proper controls, means there's every chance your vital information could be edited incorrectly by individuals who lack the necessary authorisation. If this information is then disseminated throughout your organisation – or, worse, to your customers – there could be no limit to the damage.

For example, using the wrong instruction for a product will result in a poor-quality or even an illegal product being created. And if the same instruction is followed at the quality assurance stage, that poor-quality or illegal product could be provided to the public. Had this product inadvertently broken regulations (maybe it failed to include the right nutritional information), the harm to your reputation, and the costs associated with product recalls and rectifying damage, would be significant.

Solve it: With EQMS Document Manager, administrators can create tailored user groups and edit document controls case-by-case or by batch. Permissions for editing, uploading and downloading information can be set according to user group and type. If any documents are changed, the system will produce a change log with time stamp and user ID to ensure there's a full and clear audit trail.

2) SharePoint's security features offer no guarantees that sensitive data won't be seen

While you may have some restricted-access folders on your shared drive or within SharePoint, there's no guarantee that your sensitive information won't be seen by the wrong people. Someone with a little IT knowledge could easily bypass security protocols, or it could be something as simple as the wrong person being given permission (or not having their permission revoked) by mistake.

Your organisation must protect its interests by retaining control over its sensitive and confidential data, and old and outdated systems just don't offer the right level of security to give you peace of mind. Any business aiming for ISO 27001 would be at a distinct disadvantage in this situation!

Solve it: EQMS Document Manager allows you to organise documentation into specific groups, areas, or even between different companies if your organisation's a parent to multiple businesses or clients who need access to some but not all documents. Confidential information is restricted to the relevant parties, so only the right eyes can see sensitive data.

3) SharePoint doesn't tell you when documents have been read or received

Sometimes you WANT people to see documents! Once you've uploaded a new document or made important changes to an existing one, it's important you communicate this to the relevant people.

But how do you know that those people have read the document? There's no surefire way to tell that your staff have read your latest policy update – which puts your organisation at risk of things like damage to its reputation, or litigation following an incident that the new policy would have covered.

Solve it: EQMS Document Manager allows document owners to select a read-receipt acknowledgement, ensuring the tick-box system confirms that users (individuals or groups) have read the document. A change log on the document means users can easily see why the change was made, while a feedback option allows any user to give the document owner feedback for making further updates or changes.


What you should do now

If you're one of the 45% of quality professionals not yet using a quality management system to control your documentation, ask us for a free demonstration of EQMS Document Manager to see how it can help you improve security, reduce errors, and promote quality improvement.


ISO 9001:2015 leadership battles – Advice from quality professionals [Global Quality Survey results]

Posted by Kate Armitage on Wed, Mar 22, 2017


67% of quality professionals say leadership do not demonstrate commitment to quality

Amid tighter regulation, greater public scrutiny, and more requirements for Leadership to promote a culture of quality in ISO 9001:2015, it appears that quality professionals still feel a lack of commitment from their leadership.

The Global Quality Survey* results demonstrate that two in three quality professionals feel their leadership do not do enough to demonstrate commitment to quality. 

Despite this, 91% of quality professionals surveyed said that ISO 9001:2015 is relevant to their organisation.

So, what is going wrong? And how can we as Quality Leaders encourage leadership to make the necessary changes?




Why do so many quality professionals feel their leadership team are disconnected from their quality team?

“Leadership aren’t engaged with quality. They do it because they have to, not because they see the cost-saving potential."

(Karen Bayliss, Kartan Consulting)

“The rules are too difficult and boring. Quality brings little empirical value to the leadership role and they feel like their time is better spent elsewhere.”


“Leadership see quality as a necessary overhead, rather than a cost-saver.”

(Quality Leader at a global FMCG manufacturer)

“We’re only consulted when something goes wrong – we’re still a bolt-on at the end of a project, rather than integrated into the business processes,” 

(Quality Manager at a Textile Manufacturer) 

“Leadership only want a certificate on the wall.”


“It’s too easy for leadership to have an “over to you” attitude.”

(QHSE lead at an energy company)


So, what exactly should leadership be doing?



The New Leadership Game

The new ISO 9001:2015 standard gives quality assurance teams an opportunity to reiterate the responsibility of the leadership team and drive the management system to conform to the standard.

Do your leadership team know they must…

  • Inform everyone of the importance of the quality management system?
  • Tell everyone why they should participate in its effective implementation?
  • Ensure the quality policy and quality objectives are compatible with the strategic direction and the Context of the Organisation?
  • Promote risk-based thinking in respect of their organisation’s quality management system?
  • Make sure the management system achieves its intended outcome?
  • Ensure there are adequate resources to maintain the quality management system?
  • Ensure the effectiveness of the quality management system?

ISO 9001:2015 requires leadership to be much more involved with the quality management system. And it seems like these new requirements are ruffling a few feathers.

So, how can quality professionals get leadership to step up to the mark?  

| The Key Issue | Advice Offered |
|---|---|
| No direct line to leadership | “The QP needs direct access to the executive team. In larger organisations, the executive team focus is on commercial effectiveness and productivity without necessarily addressing the link between implementation of an effective management system and operational performance. Be really clear what you want leadership to do.” Jon Swift, Head of Compliance and Risk at TBS GB Ltd. |
| Leadership sees quality as a cost | “You need to demonstrate how quality improves customer experience and reduces churn. Introduce quality awareness programs.” Roger Van Beeck – RJS Management Services |
| Not speaking the language of the business | "I trained all my quality staff on business. It isn't about quality - it is about business. We speak a different language from everyone else and expect them to understand. I find quality professionals are too focussed on quality and not on what everyone else is driving forward." Dr. Patrick Druggan, Ipsen |
| Not knowing who is engaging with the system | “We got Qualsys Ltd to do a health check of our quality management system. It helped us to understand how effective the quality management system is to our leadership team.” Quality Manager – Thomas Miller |
| Different objectives / drivers | “You can win by tightly coupling Voice of the Customer & management engagement initiatives e.g. centralise actions lists and a complaints inventory.” Former member of BNP Paribas Fortis |
| Lack of tangible objectives | “Raise awareness of quality and centralise all quality initiatives.” James Mwathi, KTDA, Kenya |
| No single source of truth | “If you do not have a single source of truth, you are not doing your job. You need a central system to make it easy for your leadership team.” Paul Isherwood, SHS Drinks |
| Not communicating | “Schedule weekly / monthly meetings demonstrating objectives and results.” D Morgan, Echo Managed Services |
| Talking the language of leadership | “Many management teams want a certificate on the wall, so you need to use that to your advantage. Explain how to use the standard to benefit the company (not the certification body).” Tommaso Plamitesta, Avanti Performance |
| Lack of accountability | “Layered process audits driven from top management allows them to see acts of non-compliance in day-to-day activity.” |
| Defining Leadership | "Quality professionals need to have leadership abilities (read Daniel Goleman on Leadership)." Karl Pallister, Sapphire Ballustrades |


What you should do now: 

If you would like more information and advice from quality professionals on the global quality survey results, sign up for the newsletter. 

Alternatively, learn how EQMS can help you win leadership engagement and accelerate momentum towards your strategic goals by requesting a demonstration with one of our experts here. 
