GRC RFP

Considerations and Lessons Learned from GRC RFPs

The GRC technology market landscape is broad with over 800 solution providers across seventeen segments of GRC (see bottom of this post for a breakout of GRC segments). Approximately seventy solutions can be characterized as Enterprise GRC platforms while hundreds of solutions focus on specific areas/segments of GRC with focused solutions.

In 2016, GRC 20/20 answered 412 inquiries from organizations looking for GRC related solutions and was actively involved in nearly a dozen formal RFPs that leveraged the GRC 20/20 RFP templates and libraries – some for Enterprise GRC, others for policy management, compliance management, risk management, audit management, issue reporting/management, IT GRC, EH&S, and more. Forty-one percent of these came from North America, 28% from Europe, and then rest of world. The most dominant role that interacts with GRC 20/20 is compliance, followed by risk management, then internal audit, and IT/information security. Approximately 30% of these interactions were for Enterprise GRC Platforms while 70% of GRC 20/20’s interactions were for more focused solutions and implementations.

GRC 20/20 is focused on helping organizations navigate solution provider hyperbole to get to the honest features and functionality to ensure the right technology is selected that has the correct capabilities that the organization needs.

One of the greatest challenges and frustrations I have in RFPs is the way many solution providers respond to them. They simply answer yes to every question with the thought that it is something that just needs to be built out and customized on their platform. Every year I hear horror stories of rollouts of a solution that take up to two years to build out and implement – all because the organization chose a solution that promised the world in RFP responses but did not have the functionality and features existing in the solution. Further, analysts like Gartner often rank and score these solutions very highly although their evaluation of solutions is getting lighter and lighter. Some of their recent Magic Quadrants for GRC related areas only want video demos and do not sit down with the solution and go through it feature by feature. I have even heard that one recent Magic Quadrant in a GRC area is not even requiring a video demo and just wants answers to questions in a survey, Gartner will determine if they want to see the product.

The level of customization in these multi-year rollouts have significantly hurt a few major solution providers in the GRC market that find that upgrades are extremely difficult and often break. Leaving clients frustrated and unhappy. Three RFPs that I worked on this past year specifically stated they would not consider solution providers that Gartner and Forrester consistently rank in the top leader position because of their experience with the level of customization, length of rollout, cost of ongoing administration, and had things break on upgrades in previous positions at other companies.

Please note: there are many great solutions across GRC domains/segments. Solutions that have proven great value with strong features that can be rolled out rapidly and not be an engagement the size of an ERP implementation.

To provide clarity on features and functionality, I historically have had drop-down fields in GRC 20/20’s RFP templates that ask if the functionality is a ‘native’ feature in the application or something that has to be ‘built-out’ and customized. To provide greater granularity into solution provider responses, I have now updated the GRC 20/20 RFP template library to have the four-fold drop-down responses that organizations should consider (this is from interaction and collaboration with one major GRC player looking to address these challenges head-on):

  • Personalization. Is this feature something that requires no-code changes and can easily be done by a business user to suit their individual needs and preferences? It is completely upgrade safe?
  • Configuration. Is this a feature that can be easily configured by a power-user or IT developer without coding and is completely safe during upgrades?
  • Extension. Is this a feature that can be done by a power-user or IT developer that requires coding but is upgrade-safe?
  • Customization. Is this a feature that requires working with the solution provider (or professional services) to deliver functionality with coding? Will additional effort be needed for testing during upgrade processes?

This is one careful area of evaluation when looking at solutions across GRC related areas. I will be detailing other considerations in GRC related RFPs and evaluations in future posts.

GRC 20/20 segments the GRC market, with RFP templates, across the following seventeen domains:

  • Enterprise GRC. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.
  • Automated Control Monitoring & Enforcement. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and implement these plans expected and unexpected disruptions to all areas of operation.
  • Compliance & Ethics Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
  • IT GRC/Security Management. Capability to govern IT in context of business objectives and manage IT process, technology, and information risk and compliance.
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Risk Management & Analytics. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.

Supporting Research Briefings on the topic of purchasing GRC technology are:

No comments yet.

Leave a Reply