Rsam GRC Review

We have built our own modules using their application-building features.

What is our primary use case?

GRC & IRM (integrated risk management). We use it for Assessments, Vendor Risk, and Threat and Vuln Management.

How has it helped my organization?

We have far more visibility into our compliance, risks and controls, etc. over the areas we are managing vs accepting risk.

Rsam has also been extremely helpful with the annual audits we receive from our regulators.

We used another tool before (Archer) but it was too cumbersome to manage. Rsam just requires a single administrator and is far easier to integrate.

What is most valuable?

We have used Rsam's out-of-the-box modules for:

We have also built our own modules using their slick application-building features for:

  • Access Provisioning
  • Advanced Threat Detection
  • Custom Surveys

The most valuable feature is the management of risk & compliance data across the application. Searching, dashboarding, reporting and metrics (KRI / KPI) are quick and easy. Workflow and decision support is very clean and very dynamic.

What needs improvement?

Last time I said "Multilingual would be nice, and an update to their questionnaire interface."... Looks like in 9.2 they have this now. I have yet to try it.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We have encountered occasional stability issues, though they are quick to patch.

What do I think about the scalability of the solution?

We have not encountered any scalability issues. That was an issue with our Archer implementation (about the 2 million record mark). Rsam with its indexing feature has us at 10 million with no issues.

How are customer service and technical support?

Customer Service:

Customer service is excellent.

Technical Support:

Technical support is excellent.

Which solution did I use previously and why did I switch?

We previously used Archer... but we had a lot of trouble with maintenance (required three administrators and lots of consulting to manage). We also ran into performance issues when we hit the 1-2 million record mark. We still have Archer for one group (because they spent millions on services and don't want to lose that effort), but everyone else is now Rsam.

How was the initial setup?

GRC does require some planning / attention to detail. I would say Rsam was far easier than our Archer implementation... but it still had some complexities in deciding on organizational structure and workflow.

What about the implementation team?

An Rsam team helped us with our first two modules, and we did the rest (including our own custom modules).

What was our ROI?

We went from three admins down to one... and millions in consulting down to about 60K.

What's my experience with pricing, setup cost, and licensing?

For us, we found end-of-quarter motivation was helpful in negotiations. They are already reasonable compared to others because it doesn't require a lot of services. Some of the other products were cheaper for the software, but the total cost-of-ownership is very high.

Which other solutions did I evaluate?

  • Archer (Our tool we were replacing.)
  • MetricStream (They are COMPLETELY CUSTOM builds for everything... not manageable.)
  • LockPath (Company is too small / not easy to deal with. They have like four developers in the entire company.)

What other advice do I have?

Rsam is a good solution... but make sure you have a good admin as well... A good admin is key to making a GRC solution work well (and you can't have ours). :)

Disclosure: I am a real user, and this review is based on my own experience and opinions.
1 Comment
Daniel Eakin

I find in reviews of other solutions and in discussions with other specialists that RSAM continues to be the way to go despite some frustrations with it recently. They're taking our well-being and morale very seriously there now and I'm still able to confidently advise it as being the best solution to management.
