
Advisory - GRC Vendor Selection Service

Implementing a technical Governance, Risk, and Compliance (GRC) platform is an integral step in setting up a complete program. The initial strategic direction and development of risk and compliance content is only half the journey.

The inclusion of GRC content in a tool is a paramount step in automating the end-to-end lifecycle of any program’s exposure. 

Selecting the right-sized GRC vendor for your organization’s scope, regulatory requirements, and reporting cadence is not only a key component of this lifecycle but can mean the difference between an effective asset for communicating and managing your GRC program and a financial drain with a skyrocketing total cost of ownership. SoHo Dragon can facilitate this process by understanding your organization’s GRC maturity lifecycle, short-listing the optimal vendors for your regulatory and financial needs, facilitating vendor functional demonstrations, and presenting a methodical scorecard summary of our findings.

Project Scope

SoHo Dragon will collaborate with your stakeholders to understand your program requirements, functional necessities, and strategic imperatives to gain a thorough understanding of your organization’s GRC charter. We will conduct discovery sessions (on-site or remote) to understand your program’s current state and the “to-be” business processes and use cases that need to be implemented in a technical GRC tool. SoHo Dragon’s deep bench of resources has an average of 7-15 years of experience across industry verticals and brings a wide range of GRC technical and strategic knowledge capital to the engagement. This deep pedigree ensures that the analysis is conducted not only from a technical capabilities perspective but also so that the right platform is recommended from a financial and market strength perspective.

SoHo Dragon’s involvement in this project will include delivery of the activities outlined below:

  • Conduct a kickoff call and schedule logistics, discovery workshops, and stakeholder interviews.
  • Partner with the organization to identify GRC process owners to be included in discovery sessions.
  • Document Enterprise GRC goals and objectives as they relate to the needed GRC use cases.
  • Facilitate GRC vendor demonstrations against the defined use cases and categories of GRC tool functionality, including, but not limited to, business case effectiveness, ease of configuration, workflow, access control, reporting, integrations, and performance.
  • Analyze process cross-dependencies and document a point of view on potential business or technical conflicts.
  • Define and document a GRC Vendor Scoring Matrix outlining SoHo Dragon’s recommendations for implementing best-of-breed GRC capabilities leveraging the selected vendor platform.


  • Project Kick-Off Presentation. Includes a level-setting of approach, timelines, stakeholders and general project management methodology.
  • Project Kick-Off Call with Stakeholders. Establishes a cadence and background for the project and sets expectations for the requests on the business.
  • Vendor Short-List with Business Justifications. Determines the vendor list to include in the GRC demonstrations, including a business justification on why that vendor was selected to participate.
  • Technical/Functional Vendor Demonstrations. Provides a framework and facilitation for running vendor demonstrations, discovery questions, and prioritized collaboration sessions.
  • GRC Vendor Scoring Matrix. Includes a summary scoring and weighting of the GRC requirements for the organization, as well as any ancillary findings and a general recommendation for the best possible fit for the organization based on risk, compliance, and financial objectives.

Fully Managed Implementation

  • Our core knowledge capital is in the configuration and development of GRC platforms.
  • Our PM-certified project managers, business analysts, and certified Archer administrators are fully scalable to achieve a single solution implementation or large-scale enterprise integrations.

Health Check and Tuning

  • Our platform health check and tuning service assesses your GRC environment to meet your business's changing and increasing demands.
  • Whether for new product deployment or an existing platform that has matured over time, we help you identify risks, issues, and areas of opportunity.



  • RSA Archer
  • ServiceNow
  • LogicGate