
Is scope creep your biggest risk? How to right-size your GRC investment.

Every risk and compliance leader knows the pattern.  

A GRC investment starts with the right ambition: consolidate, standardise, improve reporting, support assurance, reduce manual work.  

Then scoping begins.  

Requirements multiply.  

Stakeholders pull in different directions. 

Timelines tighten.  

Costs become harder to predict.  

And by the time the shortlist is set, the organisation is already committed, based on assumptions it never properly tested. That is how ‘tool selection’ quietly becomes ‘tool compromise’. 

The smarter move is to tighten scoping earlier, before pricing conversations, before demos dictate direction, and before your minimum viable product turns into a maximum viable headache. 

Get complimentary access to the Gartner® research Quick Answer: How Can ERM Rightsize Their GRC Tool Investment? and use it to support clearer planning and budgeting decisions.

When GRC budgeting is opaque, scoping becomes your only leverage

According to Gartner ("How Can ERM Rightsize Their GRC Tool Investment?"):

“Budgeting for GRC tools is complicated for heads of ERM because vendors are often not transparent about pricing.”

We believe this single sentence captures the root cause of a familiar failure mode: when cost signals are unclear, organisations overcompensate by over-scoping. It feels safer. It is rarely safer. 

Our view is that right-sizing is not a cost-cutting exercise. It is a governance discipline. It means spending where it changes outcomes, and deliberately deferring what can wait, so value arrives sooner, adoption is higher, and delivery risk stays manageable.

Protecht case study: Pinnacle Investment Management 

Pinnacle Investment Management took a phased approach to their Protecht rollout. By starting with a limited set of registers, they could demonstrate early value to business units and prove adoption before expanding the system more widely. This helped overcome resistance and delivered momentum at each stage. 

Find out more in Protecht’s From spreadsheets to strategy guide to choosing a GRC system. 

The reality in most organisations: multiple tools, multiple truths  

Many ERM teams are not starting from zero. They are starting from a place of confusion. 

According to Gartner: 

“Eighty-five percent of Gartner clients who use GRC technology have multiple tools in place.”

We believe that when risk data is split across tools, the downstream impacts pile up. Reporting becomes stitching work. Controls and assurance activity are duplicated. Teams build local workarounds because they cannot see what already exists.

Right-sizing, then, is not simply choosing a platform. It is deciding what should be consolidated, what must integrate, and what your organisation can realistically implement and sustain. 

What the Gartner research is designed to help you do 

The Gartner research provides general vendor pricing guidance and a framework for assessing GRC licensing and implementation costs. According to the research:

“This process helps heads of ERM assess if their likely budget requirements are in the five-figure, six-figure or seven-figure price range.” 

Gartner states what this guidance does and does not replace:  

“While there are no shortcuts to avoiding demos and time-intensive sales processes, this research can help save you time and narrow the focus of your RFP to vendors that are likely to fit within your budget constraints.” 

For a busy risk leader, we believe that this means fewer dead ends, tighter early assumptions, and a more grounded starting point before internal stakeholders (or vendor demos) lock you into a direction. 

Four vendor categories, one practical way to structure early decisions

A common procurement trap is treating every vendor conversation as comparable. Gartner provides four main vendor categories: 

“Start by understanding the four main vendor categories: enterprise GRC solutions, agile GRC solutions, adjacent GRC point solutions and disruptors.”

In our view, even if you do nothing else, this kind of categorisation improves stakeholder conversations. It clarifies the type of solution under evaluation before the organisation debates configuration details, edge cases, and “nice-to-haves” that can quickly become contractual obligations.

The three Gartner scoping questions

We believe each of these questions forces a decision that organisations often postpone until it is too late, when delivery risk is already baked in.

Protecht’s perspective: applying this in practice 

This is where many promo blogs drift into vendor claims. We will not do that; instead, we will keep this practical.  

In Protecht’s experience, right-sizing works best when an organisation starts with a strong ERM foundation, then extends into additional areas without rebuilding everything from scratch. 

Three disciplines make the difference early: 

  • A clear minimum viable outcome (not just a minimum viable feature set). 
  • A realistic adoption path across teams and lines of defence. 
  • A design that can scale into additional risk terrains when governance and maturity allow. 

If you are having those conversations now, we believe that Gartner’s questions give you a useful structure and language to guide them. 

Get complimentary access to the Gartner® research 

If you are scoping a new tool, rationalising multiple tools, or trying to avoid overbuilding at launch, this research is designed to help you plan with more confidence.  


References and disclaimer 

Gartner, Quick Answer: How Can ERM Rightsize Their GRC Tool Investment?, By Joel Backaler, 26 August 2025 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

About the author

For over 20 years, Protecht has redefined the way people think about risk management with the most complete, cutting-edge and cost-effective solutions. We help companies increase performance and achieve strategic objectives through better understanding, monitoring and management of risk.