GRC tools can perform automated gap analysis, and they can rapidly extract relevant data and assess risk based on current posture, asset value to the business and threat status. In some cases, controls can be mapped against risk scores and vectors.

"If one of these high-risk controls have any sort of failure deficiency, I can automatically see that," says Johnson. "Our architects or engineers can start looking at that; we can focus on immediate risk and not just compliance risk."

They enable enterprises to rapidly adapt to change.

As new applications and systems come on line, employees come and go, and relationships with new partners and vendors are established, IT GRC tools help organizations adapt to and absorb the changes rapidly.

"What drives a lot of interest is need for agility," says Rasmussen. "You can go from acceptable to unacceptable risk, from compliance to noncompliance in a second. With these tools, you can manage risk and compliance in the context of change."