How to Buy GRC (Risk & Compliance) Software
The GRC software space is vast, with numerous vendors. In fact, in my market models there are over 400 GRC software providers spanning 28 primary categories (with numerous sub-categories) of GRC-related software. Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components); 19 of the categories are focused on specific business functions/processes of GRC. Of the 400 vendors, fewer than 50 market and present themselves in the enterprise GRC domain.
How does an organization make sense of all of this? How do you know what you are buying is the right platform and right vendor for your organization?
Before I give some guidance on this – let me first state that GRC software is needed in organizations. A document-centric approach done in spreadsheets and word processing documents is prone to issues: issues in consolidation and reporting, both the errors and the time it takes; issues in accountability and audit trails, since you cannot validate that things were not changed to get someone or the organization out of trouble, or to paint a rosier picture of the organization; and issues in efficiency, as document-centric approaches take more resources to manage.
The issue is sifting through all the vendors with their offerings to find the one that best fits your organization.
My advice on buying GRC (and related risk and compliance software):
- Get to know the vendor. I have spent nearly twenty years in this space. There are good vendors and bad vendors. There are good sales people and bad sales people. A successful software implementation is going to require a relationship. Make sure that the vendor and sales person you are considering doing business with is someone you want to work with. Someone that is arrogant or pushy is going to give you headaches and make your life miserable – they will always be pushing for the next deal and expanding the platform. Pick the vendor that appears to have your best interest in mind and not theirs.
- Understand who the vendor typically sells to – industry and role. Every vendor in this space has a history and track record. Some have strengths in audit or risk or compliance or information security or some other role. Some have a history in financial services while another is in healthcare. While many vendors can serve across several roles, where they have historically sold their platform will tell you where their dominant strengths lie.
- Use caution with Forrester Waves and Gartner Magic Quadrants. Too many organizations see whoever is in the upper right quadrant and pick them for their short list. THIS IS A MISTAKE. These documents have their value, but just because someone appears to be the leader does not mean they are the best fit for your organization. That ‘winner’ may serve primarily Fortune 1000 banks, while you are a mid-size hospital. They may be strong in risk while you are looking for a strong compliance solution. Do not assume that the leaders in these research pieces are what will be best for your organization. There may be a vendor not even in the research that is the ideal fit for you.
- Check references. Require that the vendor give you references – and check them. Grill the references. Ask questions on what they like least about the vendor and the solution. Ask them what they would change. Many of these references have sweet deals from the vendors and are spokespeople for them – you need to grill them and look for the chinks in the armor. I would also use social networking (e.g., LinkedIn, Twitter) to ask for experiences of others. Talk to analysts and insist on knowing the good, the bad, and the ugly. If the analyst does not have much to offer – go to one that has experience.
- Control the vendor. A huge issue with GRC software projects is when the vendor sees $$$. I have seen situations in which the sales person is striving for a much bigger sale than what the organization is ready for. In these cases the sales person has taken it upon themselves to knock on other doors across the organization in an attempt to get buy-in to a GRC vision and fix corporate political issues. This kills GRC projects. Go back to the first bullet above – know your vendor and make sure it is who you want to do business with.
- Get in the driver's seat. A HUGE ISSUE is that some vendors are great at demos. They can find out what you need and go back and build some mock-ups that look great. When the deal closes they have not told you that they have to build out much of the functionality they demonstrated, and do so on your dime. It is important that you demo the solution and get behind it yourself. Build scenarios of what you want to accomplish, do not give all the details to the vendor (just the general goals), and sit behind it and walk through it. This will make your decision much clearer, as the system that is easiest to use will quickly become apparent.
- Test your enterprise needs. Some vendors work great when operating in a specific business department, but their risk analysis and reporting fall apart as you try to aggregate, normalize, and report on information at an enterprise level – as with ERM (Enterprise Risk Management). I have had one senior executive tell me that they never want to see a heat map again, as their GRC/risk vendor's reporting was a mess and what appeared on the heat map was comparing apples and oranges.
- GRC Technology Innovation Awards. I am seeking nominations for Corporate Integrity’s GRC Technology Innovation Awards to be announced in February. If you have something revolutionary that changes the landscape of GRC for the future – contact me for a nomination form. This is not for ‘me too’ functionality but is something that is really unique and game changing.
- Ultimate [GRC] Platform Designation. If you feel your software is among the best in its domain, Corporate Integrity can be engaged to put it through its paces. Vendors that make it through get a write-up by Corporate Integrity on the solution and the ability to use the Ultimate Platform label. Please contact me for more information. The Ultimate Platform designation can be pursued in the following categories:
  - The Ultimate Enterprise GRC Platform
  - The Ultimate Risk Management Platform
  - The Ultimate Compliance Management Platform
  - The Ultimate Audit Management Platform
  - The Ultimate Policy Management Platform
  - The Ultimate Legal Management Platform
  - The Ultimate IT Risk & Compliance Platform
  - The Ultimate 3rd Party/Vendor/Supplier Platform
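The "Test your enterprise needs" point above is worth seeing concretely, because the apples-and-oranges heat map is exactly what happens when departmental scores on different scales are aggregated raw. The script below is an added illustration, not code from the original post or from any GRC vendor: it uses a constructed three-department risk register and made-up scoring scales to show a naive roll-up ranking a mid-scale Finance risk on par with a maxed-out InfoSec risk, and then the rescaled roll-up that an enterprise heat map actually needs. The department names, scales and risk entries are all assumptions made for the example; the range check is the kind of validation you would want when evaluating a platform's aggregation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskRecord:
    department: str
    name: str
    likelihood: float
    impact: float


# Each department's own scoring scale, as (minimum, maximum) per axis.
# Constructed sample values; real scales come from each department's methodology.
DEPARTMENT_SCALES = {
    "InfoSec": {"likelihood": (1, 5), "impact": (1, 5)},
    "Finance": {"likelihood": (1, 10), "impact": (1, 10)},
    "Operations": {"likelihood": (1, 3), "impact": (1, 3)},
}

# Constructed sample register: InfoSec and Operations rate their risk at the top
# of their own scale; Finance rates 5/10 on both axes, i.e. mid-scale.
SAMPLE_RISKS = [
    RiskRecord("InfoSec", "Unpatched VPN appliance", 5, 5),
    RiskRecord("Finance", "FX exposure", 5, 5),
    RiskRecord("Operations", "Single-source supplier outage", 3, 3),
]


def naive_score(record):
    """Raw likelihood x impact, ignoring which scale the department used."""
    return record.likelihood * record.impact


def normalize_axis(value, scale):
    """Rescale a value on a declared (min, max) scale to the 0..1 range."""
    lo, hi = scale
    if not lo <= value <= hi:
        # A score outside its declared scale is a data-quality problem, not a risk rating.
        raise ValueError(f"{value} is outside the declared scale {scale}")
    if hi == lo:
        return 0.0
    return (value - lo) / (hi - lo)


def normalized_axes(record, scales=DEPARTMENT_SCALES):
    dept = scales[record.department]
    return (normalize_axis(record.likelihood, dept["likelihood"]),
            normalize_axis(record.impact, dept["impact"]))


def normalized_score(record, scales=DEPARTMENT_SCALES):
    """Likelihood x impact after both axes are rescaled, so departments are comparable."""
    likelihood, impact = normalized_axes(record, scales)
    return likelihood * impact


def heat_map_cell(record, scales=DEPARTMENT_SCALES, bands=5):
    """Place a record on an enterprise bands x bands heat map; band 1 is the lowest."""
    likelihood, impact = normalized_axes(record, scales)

    def to_band(x):
        return min(bands, int(x * bands) + 1)

    return (to_band(likelihood), to_band(impact))


def rank(records, scorer):
    """Names ordered from highest to lowest score; ties keep register order."""
    return [r.name for r in sorted(records, key=scorer, reverse=True)]


if __name__ == "__main__":
    print("Naive roll-up:     ", rank(SAMPLE_RISKS, naive_score))
    print("Normalized roll-up:", rank(SAMPLE_RISKS, normalized_score))
    for risk in SAMPLE_RISKS:
        print(f"{risk.name:32s} heat-map cell {heat_map_cell(risk)}")
```

Running it shows the naive roll-up tying the Finance risk (25 on a 10x10 scale) with the InfoSec risk (25 on a 5x5 scale) and pushing the Operations risk (9 on a 3x3 scale) to the bottom, while the normalized view puts InfoSec and Operations in the top-right cell and Finance in the middle of the map. When you sit behind a demo, feed the platform registers from two departments with different scales and check whether its enterprise heat map does this rescaling or simply plots the raw numbers.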