What do you like best?
ZenGRC brings all the tools you need to run a successful GRC program to the table in a clear, concise and minimalist package that's nimble and efficient. Our company had been utilizing the old method of email/spreadsheets and was getting lost in the weeds even on the smallest of audits and struggling to keep up each year to stay ahead. Our evaluations with other tools fell flat, didn't meet our requirements or introduced complexity. Our evaluation of ZenGRC started with skepticism, but quickly turned positive once we realized how logically organized the system was on the back-end. During our testing period, we were able to quickly create a Sarbanes-Oxley program, using both their template import and the GUI, in a matter of days. Since that time, only a few short weeks ago, we have now almost completed a full internal audit of our SOX program, complete with evidence collection and control evaluations. Our rough estimate has us gaining back a full week of time from previous audits last year and the year prior using the old email/spreadsheet method. We are now rolling out an ISO27001, SOC2 and internal security control framework on the heels of the SOX success.
What do you dislike?
As with any SaaS from a small company that is new to market (less than 5 years), there are aspects of the tool that require some creative thinking and clever workarounds. This is not necessarily a dislike in my opinion; however, less technical individuals may find this aspect difficult or troublesome. ZenGRC staff do redeem themselves on this front as they're quick to respond to feature requests and have already implemented several suggestions our team has submitted. Since starting to use the product, they have continually updated the product with new features, fixes and updates to existing functionality.
Recommendations to others considering the product
This is a light, minimal and logical GRC tool that has a lot to offer a company that has never used a GRC tool in the past. Definitely worth a demo and serious consideration.
What business problems are you solving with the product? What benefits have you realized?
Traditionally, our audit cycles were difficult in that we rarely hit our target evidence collection windows. Adding to that difficulty, we typically have sample requests that introduce complexity and cross-collection on requests with similar subjects and titles, making it easy to get lost in email weeds. With ZenGRC, we removed all that complexity by making each and every evidence request unique. Sample requests were entered as new requests in the system so as not to get confused with the original request. Accountability was easily visible with the Request status on the Audit dashboard and escalations were efficient. On our first run, after a small 30-minute training session, we achieved 98.5% completion ahead of our submission deadline. That would have been impossible without ZenGRC.