GRC 2020 Analyst Solution Perspective on CoreStream GRC’s Platform
22 May
“Over the past few months, GRC 2020 has been performing an independent review of our platform, taking inputs from a variety of existing CoreStream clients. This work has culminated in a ‘Solution Perspective’ document which we are delighted to be able to share with clients, partners and network.
It provides an excellent outline of what CoreStream can do and means a lot as this is authored by a much admired GRC market analyst (Michael Rasmussen – ‘the father of GRC’). Michael has unrivalled domain knowledge so we’re particularly thrilled to read his conclusions which entirely match our objectives for the platform.
We will allow ourselves a small celebration and then get right back to work, delivering the value our clients expect!” Platform and Products Director, Co-Founder, Richard Eddolls
Outline of what Michael Rasmussen thinks of CoreStream GRC
Delivering 360° Next-Generation GRC Management
CoreStream GRC is a solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in distributed, dynamic, and disrupted business environments across industries and around the world. CoreStream GRC is an agile GRC management platform that can be used to manage a range of risk and compliance processes and other business processes. They deliver a no-code solution with a modern information architecture and intuitive interface.
It truly is a next-generation business management platform with a governance, risk management, and compliance focus.
CoreStream GRC provides organizations with out-of-the-box GRC capabilities and the ability to configure and adapt the solutions to support the needs of a range of other business processes. GRC 20/20 has evaluated the features and capabilities of CoreStream GRC and finds that it delivers a flexible, intuitive, and engaging solution for enterprise GRC management. It is used to collect, organize, link, report, and analyze data with increased control, collaboration, transparency, and accountability. GRC 20/20’s evaluation, research, and interactions with CoreStream GRC clients have determined the following:
Before CoreStream GRC
Clients of CoreStream GRC typically are replacing manual processes of risk and compliance management that consist of legacy systems, documents, spreadsheets, and emails. Such approaches can be very time-consuming and prone to errors, particularly in aggregation and reporting on data that involves hundreds to thousands of documents and spreadsheets, too often done in different ways. This led these clients to significant redundancy in data as well as gaps. Clients said they were tired of the time spent on manual processes, things getting missed, and documentation lost. Others moved to CoreStream GRC from older legacy GRC solutions that they found too costly to implement and maintain, complex and not intuitive. The customization on these older platforms often broke things, particularly on upgrades, something the technical design of CoreStream GRC helps prevent.
Why CoreStream GRC
Organizations choose CoreStream GRC as they seek a single agile and integrated process and information architecture to automate a range of GRC and business processes. Clients required an agile architecture that could handle an integrated taxonomy of risks and controls mapped to an organization’s context and regulatory obligations, with the ability to link and show relationships, and that was highly configurable to the organization’s needs. They particularly found value in the CoreStream GRC capability to graphically model processes and associate GRC content. Clients state they chose CoreStream GRC as it showed a strong focus and interest in the customer and understanding customers’ needs. They found that CoreStream GRC’s capabilities met their needs and that it also presented a significantly lower cost of ownership – from acquisition through maintenance – than its competitors. Engagement and accessibility are also key factors for the selection of CoreStream GRC as it supports multiple languages, works on a range of devices from mobile to tablet as well as laptop/desktop, and supports WCAG compliance for users with additional accessibility needs.
How CoreStream GRC is used
Typical use cases for CoreStream GRC vary from meeting specific risk or regulatory needs to addressing broad GRC challenges. Many CoreStream GRC clients have used the agility and configurability of the platform to deliver custom applications in a no-code environment. These include:
Enterprise and operational risk management
- Risk management framework
- Risk registers
- Operational resiliency and business continuity management
- Corporate tax reporting
- IFRS 16 reporting
- Third-party (e.g., vendor, supplier) risk management
- Vendor and supplier audits and assessments
- Risk-based audits
Compliance and regulatory management
- Policy management
- Process mapping
- Legal register
- Internal control management
- Control framework
- Control self-assessments
- Control testing and the capture of audit evidence
- Management certification – self-attest controls
IT security and audit management
- Application security assessments
- Issues and incident management
- Vulnerability and asset management
- Internal audit management and tracking audit findings
Where CoreStream GRC has excelled
Organizations state that CoreStream GRC has improved the quality of their GRC information, reporting, and processes through a single source of truth. This improves the organization’s overall visibility into GRC contexts across the organization while also eliminating the overhead of managing manual processes encumbered by hundreds to thousands of spreadsheets, documents, and emails. Clients find that the solution is flexible to adapt to their organization’s requirements, has the core capabilities needed, and provides them the ability to grow and mature their program over time. They also find the solution to be particularly easy to implement and roll out in their organization. Some have used CoreStream GRC’s configurability to build out a range of other business process management such as charity selection and health and safety.
CoreStream GRC Enables a Range of GRC Management Processes
GRC 20/20 finds that CoreStream GRC is a solution that can grow and expand with the organization and adapt as the organization and its environments change. It can be easily implemented to meet the needs of specific risk and compliance management processes or be implemented as the backbone for an enterprise and operational risk management architecture to a fully integrated GRC platform. Many clients have used the agility of the platform to build out their own modules to manage business processes beyond a traditional GRC context.
CoreStream GRC is a solution that simplifies and strengthens GRC in organizations across industries and organizations of all sizes. GRC 20/20 particularly finds that CoreStream GRC delivers exceptional . . .
- Depth and breadth of capabilities. The CoreStream GRC solution is surprisingly robust in capabilities. It is self-evident that it was created by practitioners that understand risk and compliance management in detail. What is particularly amazing is that not only does it have the breadth and depth of capabilities, but it is delivered in a very intuitive and modern user experience.
- User experience. The CoreStream GRC platform has a modern user experience (UX) design that is clutter-free, highly engaging and intuitive to use. Most buyers of GRC solutions rank user experience as one of their most critical criteria, even more than the cost of the solution, particularly in engaging the front office/first line in risk management responsibilities. CoreStream GRC delivers well in this area.
- Cost of ownership. The CoreStream GRC solution is easy to deploy and maintain. It offers a no-code solution that is easy to implement and maintain. It is also easy to configure and adapt to the organization which delivers greater value in ongoing maintenance and management costs.
- Technical architecture. Under the hood, CoreStream GRC’s technical architecture is strong and capable of handling various data, integration, analytics, and reporting at enterprise scale. It has a fully modern technical architecture stack. Clients find it easy to integrate with other business systems and other data/intelligence sources that form a fundamental part of the CoreStream GRC ‘hub and spoke’ strategy. CoreStream GRC offers global hosting options with content delivery networks enhancing speed, resilience, and security.
- Platform depth. CoreStream GRC is a highly configurable Software-as-a-Service (SaaS) platform. The solution requires no coding, which makes it easy to configure and implement and ensures smooth updates/upgrades. The interface, workflow, tasks, and processes are all configurable. Users can configure each hierarchy and object, including field addition. Access control and security are also fully configurable. The solution can integrate with corporate directories and other business systems/applications. The user interface is responsive and supports mobile devices. There is a robust and configurable audit trail/system of record. Workflows can be created and can be either linear or parallel in nature.
CoreStream GRC delivers a platform designed to make risk management processes efficient, effective, and agile in a dynamic business environment. To achieve this, CoreStream GRC delivers core GRC management modules that can be further configured to the exact needs of the organization. These include:
- Enterprise and operational risk management. CoreStream GRC delivers an ERM solution to document and manage the range of enterprise risks across strategy and operations. It enables the organization to define objectives and have clear visibility and understanding of risks that impact objectives. CoreStream GRC facilitates the identification, assessment, management, and monitoring of operational risks across the organization. It enables the tracking of risks, risk ownership/accountability, and reporting on risk and risk exceptions using unique and insightful data visualizations. The CoreStream GRC solution has enabled many clients to also define and manage their processes to manage a range of specific risks in the organization such as health and safety.
- Internal control management. CoreStream GRC simplifies the management and assurance of internal control management and processes for compliance and risk management. With CoreStream GRC, organizations can assess and report on compliance controls, identify gaps, create risk treatment plans, track remediation activity, and continuously monitor compliance.
- Compliance and regulatory management. The CoreStream GRC solution has a breadth of capabilities to ensure the organization meets its regulatory as well as self-imposed (e.g., ESG) obligations. This includes the ability to provide a regulatory/obligation register (and the associated content, as required), conduct compliance assessments, gather attestations, track action items, and manage issues.
- Continuity and resiliency management. CoreStream GRC enables operational resiliency and continuity in the development, maintenance, and implementation of business continuity and disaster recovery plans. It also delivers on operational resilience to ensure services and processes stay within impact tolerances and comply with regulations.
- IT risk and security management. CoreStream GRC enables IT risk and cybersecurity management, as well as the full management of an ISO 27001 Information Security Management System and program. CoreStream GRC lines the overall IT security risk and control evaluation to enable the organization to measure risk posture and communicate this to key business owners. Clients have used it for a range of digital governance, information asset, and IT risk and incident management needs.
- Issue and incident management. CoreStream GRC enables the organization to track and respond to issues, incidents, cases, investigations, and threats impacting the organization, which includes centralized management of cases, root cause analysis, reporting, and tracking.
- Third-party/vendor risk management. CoreStream GRC enables the organization to manage risk and compliance across the extended enterprise (the breadth of vendors and suppliers) to ensure that risk and compliance are addressed in critical business relationships.
- Policy management. CoreStream GRC provides a platform to document, approve, and communicate the range of organization policies and ensure they are understood and followed. This includes the capability for collaborative policy authoring and editing with multiple people working on a policy simultaneously. Policies can be mapped to various factors such as role and geography for easier engagement through its intuitive policy portal.
- Audit management. CoreStream GRC supports the ability to manage internal audits through audit planning, audit execution, and reporting.
Benefits Organizations Have Received with CoreStream GRC
Most CoreStream GRC clients moved to the solution because they found their manual, document-centric approaches consumed too many management resources, and they found things were getting lost in the continuous barrage of information and manual processes, as well as regulatory and business change. Others moved to CoreStream GRC as they found their previous solution was dated, cumbersome, complicated to use and implement, and lacked the depth the business needed to engage in GRC-related processes. Across these clients, there is consistent praise for the value of the ongoing cost of ownership of the CoreStream GRC platform – in the speed of deployment, return on investment, improved effectiveness, and agility to manage a range of risk and compliance, as well as broader business processes. Clients particularly love the transparency and visibility CoreStream GRC brings them through a single source of truth information architecture. Everyone that needs access can have access, and there is full auditability and accountability of risk and compliance across the enterprise. Specific benefits that GRC 20/20 finds that CoreStream GRC clients have achieved in their implementations are:
- 360° visibility into GRC – risks, compliance, controls – across the enterprise – where all information is in one place and gives complete situational, contextual, and quantitative awareness of risk in relation to objectives and processes.
- Eliminating hundreds to thousands of documents, spreadsheets, and emails and the time needed to monitor, gather, and report on them to manage related activities and processes.
- Significant efficiencies in time through automation of workflow and tasks, as well as reporting. One client states they are no longer scrambling around to consolidate multiple spreadsheet files or fighting their inability to bend SharePoint to do what we need.
- Fewer things slip through the cracks, as there are established tasks, notifications, and escalation when things are approaching deadlines or are past due.
- Efficiency in streamlining processes through identification of requirements, accountability, tracking, and getting things done.
- Greater granularity and ability to report on specific risk and control details that could not be done in documents or spreadsheets.
- Increased awareness and accountability of risk and control by individuals who are informed on the subject matter in the context of their role.
- Collaboration and synergies across GRC management functions, instead of different roles doing similar things in different formats and processes.
- Consistency and accuracy of information as the organization conforms to consistent processes and information structures. Several clients state it has become an accepted single source of truth for all risk data and information. They state it provides both enterprise-level views and more granular business area views – and everything in between – and has given them more flexibility to act as a business without risk management becoming a blocker.
- Accountability with full audit trails of who did what and when: this particularly has delivered value in fewer things slipping through the cracks.
- Increased agility in the context of change enables the organization to be proactive and not just reactive – leading to less exposure and less risk of being caught off guard. One organization claimed it has enabled them to be more responsive to change and enabled the business to make better-informed decisions.
- Ability to manage risks and controls in the depths of the business that also rolls up to an enterprise perspective. This includes greater risk mitigation at all levels of the organization.
- Removal of errors that result from manual processes, conflicting documents and spreadsheet versions, and silos of information.
- Real-time visibility into risks and controls provides a centralized view of all aspects of the business and informs decision-makers and risk-takers with useful and accurate insights.
Considerations in Context of CoreStream GRC
Every solution has its strengths and weaknesses and may not be the ideal fit for all organizations in all situations. While GRC 20/20 has identified many positive attributes of the CoreStream GRC solution to enable organizations to achieve consistent risk, control, and compliance management processes, readers should not see this as a complete and unquestionable endorsement of CoreStream GRC.
CoreStream GRC clients praise the solution for its return on investment while delivering the capabilities they need to manage risk, compliance, and controls and enable process management of a range of other business processes. They see that they have achieved great value in implementing CoreStream GRC to bring together all the organization’s GRC-related data and processes into one system.
One client stated, “We love working with them. They are serious about what they do and can deliver it in a friendly, collaborative way. It is clear that they care about what they do, from the most senior levels down to the analysts working with us on various projects.”
Clients do express that they look forward to CoreStream GRC continuing the journey to deliver end-user personalized reporting.
CoreStream GRC is a capable solution for a range of GRC use cases and industries, with a particular history and depth in risk and control management. It is ideally suited for organizations moving from manual processes or legacy GRC solutions that have a high cost of ownership and older technology. Organizations engaging with the CoreStream GRC solution will find that the speed of implementation and cost of ownership is superior to many other solutions available in the market.
FAQs: Commonly Asked Questions About CoreStream GRC
Q: What is CoreStream GRC?
A: CoreStream GRC is a next-generation governance, risk, and compliance (GRC) management platform. It provides an agile, no-code solution to manage risk, compliance, and other business processes with flexibility, transparency, and accountability.
Q: Who uses CoreStream GRC?
A: CoreStream GRC is used by organizations of all sizes and industries, especially those operating in dynamic, distributed, or disrupted environments. It is ideal for businesses transitioning from manual processes, spreadsheets, or outdated legacy systems.
Q: What can CoreStream GRC do?
A: CoreStream GRC supports a wide range of processes, including but not limited to:
- Risk and compliance management
- Policy management
- Operational resilience
- Internal audit and control management
- IT security and vendor risk management
Q: Why do organizations choose CoreStream GRC over other solutions?
A: Organizations select CoreStream GRC for its:
- Agile, configurable architecture
- Intuitive user experience
- Lower cost of ownership
- Accessibility features, including multi-language support and WCAG compliance
- Robust technical infrastructure for scalability and integration
Q: How does CoreStream GRC improve risk and compliance management?
A: CoreStream GRC centralizes GRC data into a single source of truth, eliminating manual inefficiencies and enabling real-time visibility into risks, controls, and compliance. It enhances collaboration, accountability, and decision-making across the enterprise.
Q: What are the key benefits of using CoreStream GRC?
A: Clients report:
- Streamlined processes and reduced time spent on manual tasks
- Greater visibility and accountability in risk and compliance
- Improved reporting and data accuracy
- Enhanced agility to respond to regulatory and business changes
Q: Can CoreStream GRC handle non-GRC business processes?
A: Yes! CoreStream GRC is highly configurable and has been used by clients to manage other processes like charity selection, health and safety management, corporate tax reporting, and more.
Q: Is CoreStream GRC difficult to implement?
A: No, CoreStream GRC is designed to be easy to deploy and maintain. Its no-code platform simplifies configuration and ensures smooth updates and upgrades.
Q: How does CoreStream GRC support accessibility?
A: CoreStream GRC complies with WCAG standards and offers multi-language support, making it accessible to diverse users across a variety of devices (desktop, mobile, and tablet).
Q: What makes CoreStream GRC a “next-generation” platform?
A: CoreStream GRC delivers a modern information architecture, intuitive user interface, and robust technical design. It enables organizations to manage evolving risks and compliance requirements efficiently while scaling with the business.