Sector Spotlight: GRCs and ERMs


JUNE 10, 2025

Risk management software helps financial institutions of all sizes address the many business risks and regulatory obligations they face in their day-to-day operations and in the long run. Core risk tools are governance, risk, and compliance platforms (GRCs), which emphasize the ability to meet regulatory and ethical standards, and enterprise risk management platforms (ERMs), which identify, assess, and mitigate a wide range of risks that could impact the bank’s strategic objectives. A bank may adopt a GRC, a GRC and an ERM, or a platform that does both:

  • Governance, risk, and compliance (GRC): GRC software focuses on meeting tactical regulatory obligations and maintaining governance frameworks, including the board’s oversight of internal policies and ethical standards, the organization’s adherence to those standards, and compliance with AML and data privacy regulations. Most financial institutions have a GRC solution.

  • Enterprise risk management (ERM): ERM software focuses on strategic risk management, capital adequacy planning, stress testing, and other scenario analyses. Its scope extends to credit, market, operational, liquidity, cyber, and reputational risk, and it is designed to support decision making with ongoing risk analysis. ERMs are built for larger and more complex financial institutions.

A GRC or ERM vendor’s suitability therefore depends on an institution’s size and complexity. A traditional community bank may have simple needs; an institution of similar size with high-risk activities will need more advanced systems. The risk management needs and budgets of national and global institutions will be entirely different from those of community institutions.

What’s going on in GRCs/ERMs

Banks face scrutiny from federal, state, and in some cases, international regulators, making GRC and ERM compliance features fundamental. ERM’s strategic risk tools are critical to meeting capital requirements and passing stress tests for institutions of the requisite size and complexity. Both types of systems may address cyber risks, but ERM focuses on threat modeling and resilience, while GRC ensures compliance with data protection laws. AI-driven risk assessment and real-time compliance monitoring are becoming standard in GRC and ERM software.

GRC and ERM needs and capabilities can be broken down roughly by institution size:

  • Community banks, which have limited IT resources and often low risk profiles, need cost-effective, user-friendly tools for basic risk and compliance. They frequently rely on manual processes and generic software. This is the market for straightforward software that automates GRC processes and lightweight ERM.

  • Regional banks, which need scalable solutions for growing regulatory demands, benefit from solutions with more sophisticated GRC and ERM features, particularly for those that handle more diverse and complex regulatory requirements.

  • National banks, which must manage complex, overlapping regulations and risks across the country, need highly sophisticated, AI-enabled, and integrated GRC and ERM solutions augmented by third-party risk tools.

  • Global banks, which offer products and services that include international, corporate, and investment banking, must address extremely complicated risk exposures across borders, currencies, financial instruments, and regulatory regimes, demanding the most sophisticated and customizable GRC and ERM tools.

GRC/ERM vendor snapshot

Vendors differ based on how they integrate with existing systems, their scalability, upfront and operational costs, and how appropriate they are for an institution’s regulatory environment. A bank’s choice of GRC system, ERM system, or both will depend on its business and functional requirements. Many vendors offer integrated ERM and GRC capabilities; some GRC systems include lightweight enterprise risk modules.

Here’s a snapshot of GRC and ERM systems. The list is representative:

  • Archer (GRC): Archer, which RSA spun out in 2021, provides an integrated risk management platform tailored to large organizations. It includes solutions for operational risk, regulatory compliance, and audit management. Banks use Archer to manage complex risks and ensure compliance with a broad set of regulatory standards.

  • AuditBoard (GRC, ERM): AuditBoard, which was founded in 2014, offers a cloud-based platform for audit, risk, and compliance management. Its solutions include internal audits and risk assessments, and it emphasizes SOX compliance. Institutions leverage AuditBoard to streamline audit processes and enhance risk visibility across the enterprise.

  • Diligent (GRC, ERM): Founded in 1994 as Manhattan Creative Partners, Diligent has evolved into a GRC solution provider. Diligent provides tools for audit, risk management, compliance tracking, and ESG reporting. In 2021, the company acquired risk management and audit software provider Galvanize and ethics and compliance provider Steele Compliance Solutions. Diligent launched the Diligent One platform in 2023.

  • IBM OpenPages (GRC, ERM): OpenPages, originally developed in 1996 and acquired by IBM in 2010, is a GRC platform designed for large enterprises. The latest version, which was released this year, introduces AI-driven capabilities for risk and compliance management. The platform offers modules for operational risk, policy management, and regulatory compliance.

  • Kroll Resolver (GRC): Resolver, founded in 2000, offers risk intelligence software encompassing incident management, compliance, and audit solutions. In March 2022, Resolver was acquired by Kroll. The platform is designed to integrate risk data across departments and improve decision-making processes.

  • LogicGate (GRC): LogicGate, which was founded in 2015, offers the RiskCloud GRC platform. It offers customizable workflows for risk, compliance, and audit management, making it ideal for regional banks that require adaptable solutions to manage regulatory and operational risks.

  • LogicManager (GRC, ERM): LogicManager, founded in 2005, provides a comprehensive GRC and ERM platform designed to promote a risk-based approach to governance and compliance. The platform includes key modules for policy management, compliance monitoring, internal audit, risk assessments, and business continuity planning.

  • MetricStream (GRC): MetricStream, which was founded in 1999, offers an integrated GRC platform designed to streamline and automate enterprise-wide risk programs. Solutions include regulatory compliance, internal audit, and cyber risk management. Organizations across various industries use it for risk intelligence and compliance automation.

  • NAVEX (GRC): NAVEX, which is the product of mergers between several ethics and compliance firms and private equity transactions, provides a GRC platform that includes modules for policy and procedure management, whistleblower services, incident intake and case management, and third-party due diligence.

  • Ncontracts (GRC): Founded in 2009, Ncontracts started as a provider of contract and vendor management solutions tailored for financial institutions. It has evolved into a platform with modules for compliance and third-party risk management. The software is built specifically for the needs of banks and credit unions.

  • Ncontracts (Quantivate) (GRC): In 2023, Ncontracts acquired Quantivate (marketed as a separate brand), a GRC provider for banks and credit unions that was founded in 2005. This acquisition expanded Ncontracts’ offerings to include Quantivate’s modules for business continuity, vendor management, and IT risk.

  • Oracle (GRC): Oracle, established in 1977, offers comprehensive GRC features that integrate with its suite of enterprise applications. Oracle’s GRC suite includes modules for risk management, compliance, and audit, and is designed to help organizations manage regulatory requirements and internal controls.

  • Riskonnect (GRC, ERM): Riskonnect, which was established in 2007, provides integrated risk management solutions encompassing GRC and ERM. The platform supports policy management, audit tracking, and compliance reporting. Its scalability and features make it a good fit for banks that aim to centralize risk management processes.

  • SAI360 (GRC): SAI360, which was founded within Standards Australia in 2002 as SAI Global and has since gone through several private equity transactions, offers a GRC tool that combines its legacy features with GRC functionality acquired in 2019 via BWise. It includes IT and third-party risk, internal controls, business continuity, and compliance management.

  • SAP (GRC): SAP’s GRC solutions offer tools for risk identification, regulatory compliance, and audit management. The company announced the latest generation of its GRC platform in May. It touted a unified platform for SAP GRC solutions, an enhanced user interface, AI capabilities, and easier integration with other SAP applications.

  • ServiceNow (GRC): ServiceNow, which was founded in 2003, launched its GRC application for IT in 2011. In 2015, ServiceNow expanded its GRC capabilities by acquiring Intréis. ServiceNow’s GRC platform offers integrated risk management, compliance tracking, and audit capabilities for different types of organizations.

  • Workiva (GRC): Workiva, founded in 2008 as a platform designed to simplify regulatory reporting, offers increasingly sophisticated solutions that centralize compliance, document management, and regulatory reporting and analytics, including the ability to manage audit readiness.

  • Wolters Kluwer (GRC, ERM): Wolters Kluwer, a product of the 1987 merger of Kluwer Publishers and Wolters Samsom, is a Dutch information services company that serves the finance, healthcare, and legal sectors. In 2014, it launched OneSumX, a platform that integrates governance, finance, risk, and compliance tools and enterprise risk management modules. Some components have been re-released as SaaS products.

What to look for in GRCs/ERMs

Features overlap between GRC and ERM systems. They can be grouped into fundamental governance, risk management, and compliance tasks on one hand, and narrower tasks related to credit, market, operational, and liquidity risk on the other. Vendors aren’t equally suited to all institutions; community, regional, national, and global banks have distinct needs.

CCG Catalyst recommends that all banks use GRC software to streamline compliance, strengthen governance, and centralize risk data, and that banks leverage sophisticated ERM software when they need to manage strategic risks that are typical of large banks and those that work with risky financial products. Most banks ought to opt for GRC platforms with fundamental ERM capabilities.

GRC

  • Compliance management: Supports adherence to regulatory standards, including AML, KYC, and data privacy rules, consolidates regulatory obligations across jurisdictions, and automates compliance checks.

  • Policy and control mapping: Maintains a dynamic register of internal policies and controls mapped to applicable laws, regulations, and standards. Enables tracing high-level requirements to operational procedures with an audit-ready paper trail.

  • Automated reporting: Automates regulatory reporting and audit workflows to support internal and external reviews and supports collaboration between compliance departments and regulators.

  • Governance and compliance workflow management: Centralizes the ability to assign, monitor, and escalate tasks related to compliance, governance, and policy management.

  • Risk monitoring: Uses real-time data to detect and flag potential fraud, sanctions violations, or other measures of noncompliance. Includes rules-based alerts, integration with third-party data sources, and audit trails.

  • Financial institution focus: Designed for banks and credit unions. Most GRCs are sold across many industries and may need to be customized for banking.

ERM

  • Regulatory frameworks: Enables implementation of standardized risk frameworks that align with national and international banking regulations. Supports measures of financial risk.

  • Real-time risk dashboards: Visualizes enterprise risk indicators in real time that include credit risk, liquidity, and market risk. Enables risk managers to monitor exposures by geography, product, and counterparty.

  • Capital planning and stress testing: Offers tools to simulate stress from macroeconomic events, estimate their potential impact on the institution’s balance sheet, and square the results with regulatory requirements.

  • Enterprise risk aggregation: Consolidates risk data across business units and risk domains, minimizing silos to support an enterprise-wide view of risks.
