What is GRC-as-a-Service?

SimpleRisk Fist Bump

When is GRC-as-a-Service Right for You?

At SimpleRisk, we’ve met with countless security practitioners over the past few years and have learned that while cybersecurity is a "top priority" for most organizations, many lack the financial clout and internal resources to run an effective security program in-house. On the flip side, we’ve also been contacted by many potential vCISO/MSSP partners asking if SimpleRisk offers a "multi-tenancy-like" deployment model that could be used in concert with our Governance, Risk Management, Compliance and Incident Management Platform to deliver GRC-as-a-Service to MSSP customers. Until recently, we did not have such an offering.

Enter the SimpleRisk GRCaaS Platform

Based on both end user and partner input, we determined there was an emerging market segment geared to adopt an affordable, simple to use, comprehensive GRC-as-a-Service platform. We set out to bridge this gap by introducing a solution that leverages the SimpleRisk GRC Platform as the foundation from which GRC-as-a-Service could be delivered. SimpleRisk CEO and creator, Josh Sokol, proceeded to design an innovative delivery architecture and SimpleRisk launched its GRCaaS Platform. To help ensure this service would be a viable option, we identified five essential requirements that needed to be met upfront.

  • Security – Ensure customer data is secured within each discrete SimpleRisk instance;
  • Scalability – Able to support multiple SimpleRisk instances from a central console;
  • Affordability – Must be cost-effective for any size MSSP or customer;
  • Simple to Deploy – Requires minimal effort to add new customers to the platform;
  • Easy to Administer – Automate updates, backups, data retention & uptime monitoring.

Early Adopters

In the the middle of 2020, the SimpleRisk GRCaaS Platform was first launched as a production service by a highly respected early adopter in the GRC consulting space that also offers managed services and it was deployed to multiple customers.  This allowed us to collect real world data points to help validate the benefits of the GRCaaS Platform. It also allowed us to gain clarity as to what types of organizations and partners would likely be best suited for this approach. While the criteria listed below is not all inclusive, it’s representative of what we learned early on and holds true to this day.

Customer Attributes that Align with GRC-as-a-Service Adoption

  • Lack the internal resources to establish an effective GRC program in-house;
  • Hiring security experts and purchasing GRC software is cost prohibitive;
  • Using manual GRC processes that are error prone and don’t scale;
  • Struggling to keep up with regulatory compliance that is often mandated;
  • Perform ongoing internal and external risk assessments and are falling behind.

MSSP Attributes that Align with a GRC-as-a-Service Delivery Model

  • Inability to scale GRC services using spreadsheets and manual processes;
  • Unable to justify the investment in costly, complex GRC software;
  • Lack automated processes to track and measure the security posture of customers;
  • Have challenges building long term customer relationships via one-off engagements;
  • Delayed deliverables impede business growth and affect customer satisfaction.

How does the SimpleRisk GRCaaS Platform Work?

The SimpleRisk GRCaaS Platform is designed around an MSSP/vCISO model and it enables the delivery of GRC-as-a-Service on top of the SimpleRisk GRC and Incident Management Platform.

For the GRCaaS Platform, SimpleRisk provisions a dedicated Kubernetes cluster for each MSSP, which utilizes Docker to provide security and scalability for each new customer that the MSSP onboards. The GRCaaS Platform is a functional equivalent to our SimpleRisk Hosted Large Enterprise Plan, which includes all of the SimpleRisk Extras, except for Incident Management and Organizational Hierarchy which are priced separately. The MSSP must commit to a 36-month term on the platform with a minimum of 3 instances.

The billing process is frictionless, as fees are automatically paid monthly via credit card and there is no limit to the number of instances that can be included. In addition, instances can be swapped in and out with different customers as necessary. It’s also worth noting, because we're able to obtain a substantial discount via AWS for a three year commitment upfront, we're able to pass those savings along, which translates into a 40% discount off of the list pricing for the SimpleRisk Hosted Large Enterprise Plan.

What are the Primary Benefits?

Now that we have more experience under our belt with the GRCaaS Platform, we’ve identified many benefits for both customers and MSSPs that have adopted the GRC-as-a-Service approach. Below, we’ve highlighted a few of these advantages.

Key Customer Benefits

By adopting GRC-as-a-Service, customers are able to:

  • Enable internal resources to focus on the end game - managing risk;
  • Eliminate the need to invest and maintain costly and complex GRC software in-house;
  • Avoid continuity gaps when employee turnover, unexpected illness and vacations occur;
  • Gain multiple support resources with access to MSSP SMEs and SimpleRisk expertise;
  • Stay on track with their GRC program and strategic objectives.

Key MSSP Benefits

By delivering GRC-as-a-Service, MSSPs are able to:

  • Leverage SMEs more effectively with an efficient, scalable GRC delivery platform;
  • Accelerate overall growth through economies of scale;
  • White Label GRC-as-a-Service to extend their brand and create competitive advantage;
  • Fast-track customer deliverables by automating GRC processes;
  • Establish long-term relationships by guiding customers through their GRC journey.


We recognize that GRC-as-a-Service is not for everyone, but given that there are numerous organizations mired in manual GRC processes that are error prone and don’t scale coupled with MSSPs that are challenged delivering GRC services, SimpleRisk introduced the SimpleRisk GRCaaS Platform as a way to address this overlooked market segment. Thus far, it appears to be an attractive option for both customers and MSSPs where the adoption profile is a good match for this innovative approach.

If you’d like to schedule a demo to learn more about the SimpleRisk GRCaaS Platform, you can access our online calendar here and choose any one hour slot that’s convenient. Or, feel free to register for a free 30-day Hosted Trial where you can try out the fully-featured version of SimpleRisk firsthand. Should you need any assistance, please don’t hesitate to reach out to contact us – we’re here to help!

compliance governance GRC hosted risk simple SimpleRisk