Speaking about the room for improvement in the solution, I mainly feel that it is not a GRC tool. So, I think that it is more of an IT risk management tool. Basically, it's very good at IT business management. It's not a good tool for governance risk and compliance beyond IT risk management. If you want to use it for business, financial, reputational, health and safety risks, or any other type of risk relevant to your industry or your organization, it's not ideal, and you probably have to get a different system. In short, it does risk management better than most generic GRP tools. However, most of the good GRC tools that are business focused also do IT risk management well enough, which is why OneTrust GRC is not a good enough solution by itself.

In future releases, the solution should work over its ability to manage business risks by incorporating something like an enterprise risk management module.

The product itself, and perhaps most importantly, is not truly designed to fit the way people and users do their work.

There are limitations to customized workflow automation, and they need to increase both the available automation and the customized workflow.

The product is not that easy to set up. It is also not easy to get used to the naming convention. It requires in-depth training.

They could improve by offering free help. A solution, a lot of times, is not just the use of the solution. For example, it is the overall engagement, how well do they support the system, what is their SLA, and how long their response time is to an issue. It would be beneficial if they had some type of professional services where they offer the first five hours of professional services a year for free. That would be a substantial benefit rather than having to buy professional services or professional services packages.

For the Vendor Risk Module I see only minor functionality improvements needed. Many are already being addressed and OneTrust is very responsive to customer feedback and suggestions. The Vendor Risk dashboard has seen a lot of improvement and is now interactive. Release frequency is three to four weeks.

OneTrust GRC's workflows aren't automated and need to be manually driven. Its audit and compliance also aren't very flexible, and the integration between its different modules isn't 100% and needs to be improved.

We encounter difficulties creating multiple platforms or interfaces and manual processes for changing certain settings. Additionally, they could work on the issue related to a controller release in the development environment.