Considerations When Purchasing GRC Solutions
As a market research analyst, I get involved in a lot of inquiries and interactions with organizations looking to purchase GRC solutions. On average, GRC 20/20 handles about five interactions a week – some weeks more and some weeks less. These can range from simple questions via email or phone to detailed help in writing and managing RFPs.
Please note: I define GRC (governance, risk management, and compliance) as a broad market with a lot of different types of solutions in this market. While there is a concept of a GRC platform, most the vendors in the space are very focused. The GRC solution market has over 500 providers in it and some are very specific to areas of quality, environmental, health & safety, security, legal management, and more. However several solutions market themselves as platforms that tie a view of compliance, risk, audit, policy, and incident management into a cohesive information and technology architecture (whether this is reality or fiction is the focus of my points below). Some use the term GRC some do not – the discussion I give below is valid across the range of focused solutions to enterprise GRC platforms.
Over the past twenty years I have seen a number of mistakes and issues organizations have made in purchasing GRC solutions, and have noted many considerations when organizations evaluate and select solutions. Organizations are best served to keep the following points in mind when looking to purchase a GRC solution (these points are items to keep in mind and not meant to scare you away from solutions, there are great solutions out there – but all are not equal is the point) . . .
- Is that really a feature? Some solution providers will promise you the world and then after they close the deal inform you they have to build it. I have seen some amazing shenanigans in this market – which should alarm you, as an aspect of GRC is ethics. I have encountered situations in which solution providers tell you they do something when they do not and inform you they have to build it after you have signed a contract. In fact, there are times I have found solution providers doing demos when the demo they are showing is not their solution.
- Field of dreams. Many solution providers will woo you with how flexible and configurable their platforms are. They will captivate you with possibilities of customization and configurability. After all they have the most magical solution that you can do anything with – buy it and the rest of the organization will align. The truth is that some of these solutions lack specific depth in given GRC areas and love to take on long services engagements to build out and deliver. One organization that I provided RFP support for chose a leading GRC solution against my recommendation. I told them it would be over budget and well out of bounds of project timelines. They told me two years later when they were just starting to roll it out (seriously two years of building the GRC field of dreams) that they wished they had listened to my advice.
- Feature or customization? Related to these first two points is the common promise of a solution provider to say they do anything – after all they have a platform that you can build anything upon. A recent interaction illustrates this. A financial services organization had two different solutions doing an aspect of GRC (3rd party management). There was a push to standardize on one solution provider. One had a specific feature to do vendor self-registration; the other stated they could do that too. When you pushed the other solution you found out it was not a feature and would require services to build out and the last organization they built something similar for took six months to build.
- Customization breaks things. I have seen many organizations struggle because they bought into the GRC field of dreams that they can build and customize the solution. The field of dreams became a trap – a sticky pit of tar that is impossible to get out of. After significant investment in customization many have discovered that upgrades break things. At a GRC workshop I taught this past year I had several attendees present wanted to pour forth with their rants in how their GRC solution has not served them, cost them more in services than could be imagined, takes so many FTEs to manage, and customizations hindered upgrades. Others in the room had wonderful experiences with other solutions.
- Be careful with references. Solution providers always have a great set of references (OK, nearly always – I have been on a few calls where the references did not have anything good to say about the solution provider . . . those are always very interesting). When a solution provider gives you a reference understand that they are most likely giving you the decision maker – the person that made the purchasing decision. This person is paraded at the solution provider’s events and in materials. The decision maker stands behind their decision and loves the lime light of publicity¬ — basking in the praise of how wise they were to choose this solution. Talk to these references but ask them the hard questions – insist they answer; there is not perfect bed of roses. More importantly, be polite but ask to talk to someone on his or her team that uses the solution. You will often find that the people in the trenches using the solution every day have a completely different story to tell. And NEVER talk to the reference with the solution provider present and on the phone.
- Do not solely rely on major analyst reports. For full disclosure I spent seven years at Forrester and wrote the first two Forrester GRC Waves and ERM Consulting Waves. Gartner and Forrester tend to have an IT bent that fails to connect with those looking for solutions for problems outside of IT. The biggest issue is the Wave and Magic Quadrant itself (note, Gartner has stated they are going more broad with use cases to address this in the future). You cannot represent the market in a single two-dimensional comparison of solutions. The solution provider in the upper right may be a worse fit for you than the provider in the lower left. In fact, the provider that is not even in the report may be the best fit for you. These reports cover up to 20 solution providers in a market that has hundreds. The threshold to get in these reports means only a very few get covered.
- GRC platforms and the lowest common denominator. There are many solutions that tell you they can do everything including solving world hunger. Be careful in where you put your faith in a GRC platform. I do believe there can be a core platform that provides the backbone of GRC management and integration – but that is not the end all of GRC. I have not found one GRC solution provider that excels or even delivers on all aspects of GRC. You run the risk of forcing the organization to one view of GRC and requiring everyone to use the same approach. There are great and flexible solutions in the market, but there are also handicaps in any solution. Think of GRC architecture instead of platform. There can be a core backbone but you may need to integrate different technologies to achieve the GRC strategy, process, and information architecture needed to optimize value to the business.
- Be careful of department solutions masquerading as enterprise. There are dozens of GRC solution providers telling you they are an enterprise GRC platform – not all are the same. Some are departmental solutions that were never designed with the enterprise in mind. I had one financial services executive on a panel at a conference that stated the board never wants to see a risk report again from their ‘leading’ GRC solution. The solution was designed for a department and then moved to market an enterprise platf
orm. The issue is that it lacked any idea of risk normalization and aggregation. What was one department’s high risk was another department’s low risk. The result was a mess. Different departments need their risk scoring scales with rules for risk normalization and aggregation for enterprise reporting – many do not do this well. Some ‘leading’ GRC solutions address this directly, others tell you they do but it is not designed into their product and takes a year of services to configure, and others do nothing about it. - Consider intuitiveness. I know many organizations right now struggling through the pains of the complexity of their GRC solutions. Some of the leading providers in this space have a lot of features but using the system takes a PhD in chaos to begin to make sense of. When approaching GRC solutions make sure that you really do your evaluation of the intuitiveness and ease of use of solutions.
I could go on with more – but that is probably enough to digest for now. Please share your comments and experiences below for the benefit of all (solution providers, readers do not want product pitches so please avoid those in comments). My thoughts are notes of caution in evaluating solutions. There are great GRC solutions in the market – and the right solution for one organization is not the right solution for another. GRC 20/20 is here to help sort this all out – that is what we do, market research. We are not a consulting firm but an market research/analyst firm.