Diary of a Wimpy GRC Solution
I understand what it is like to be the underdog. In grade school and junior high I was the target to be picked on. The scrawny emotional kid that was an easy target. Things changed. In high school my Viking Danish DNA caught up and I became a more forbidding obstacle to be a target of. Which worked well for my phlegmatic disposition.
In the GRC market, I have a soft spot for the underdogs. There are many great solutions available that never get the attention they deserve. They have great clients that are amazed with the solution, but they have a hard time getting the clients as they are overshadowed by the popularity contest of solutions that get all the attention from analysts, media, and professional service firms.
Why is this? There are many reasons to this, consider the following . . .
- Analysts. Yes, I am a market research analyst, but I truly hope of a different flavor. To get analyst attention today requires a lot of money and engagement. My competitors often charge $15,000 or more a day for advisory time to solution providers. They charge tens of thousands of dollars to redistribute research reports in which a solution provider is mentioned. When it comes to their evaluation of solutions, they have more intimacy with those that spend tens of thousands of dollars on advisory days and less on solutions that they simply request video demos from and not actually dive deep into.
- Professional Service Firms. There are some great advisor and consultants in any firm, but then there are those that think more economically and strategically for the firm. Many major consulting/advisory firms partner with solutions that are very complex and require a lot of build out and customization. The reason is revenue. When GRC projects become the scale of ERP projects and take six months to two years (or more) to roll out . . . that is a lot of services revenue. I have seen one email from a major consulting firm that was responding to a solution provider about partnership. It stated that they are more than willing to work on an opportunity should the solution provider bring one to them, but why would they want to partner with this SaaS solution that stated it was so easy to implement and configure. Where was the services revenue?
- Black and White Honesty. Many solution providers approach RFPs without any creativity and thoughtfulness. They say no to many answers in a black and white perspective without actually thinking how their solution could meet the criteria. On the other hand, major competitors are saying yes to everything in RFPs and it takes years to build out and deliver as it was not true. But the Yes solutions get further in RFPs than the brutally honest No solutions that have capabilities they did not even consider. In fact, I have even found one major GRC solution in the market demoing functionality that did not exist in their product . . . they were demoing someone else’s functionality for risk management.
- Poorly trained sales. Too often good solutions fail in getting into deals because they have poorly trained sales people that do not understand the market, how to engage buyers, understand organization needs and requirements, or think outside the box. Perhaps they have focused on IT security for their careers and fail in understanding how to talk to a corporate compliance officer on bribery or corruption, or procurement on human slavery and international labor standards in a supply chain. I recently saw one solution provider fail in an RFP because the sales person only understood IT GRC and the demo scripts requested by the buyer were about EH&S. They kept going off script to talk about security instead of demoing the solutions EH&S capabilities that were there.
- Misaligned marketing. Too often marketing is taxed with limited resources to adequately message the variety of use cases a solution can be used for. Too often I recommend a solution to an organization and then the organization goes out to the solution providers website and finds nothing about their specific need. Following up with them later on I find they went to others I had recommended that did have messaging to their specific needs.
- Lack of market intelligence. Many solutions simply do not have visibility into the opportunities available in the market. They miss doors of opportunity as they do not know who to call on and interact with. The analysts are not covering them, professional service firms ignore them, and they have no insight into the many opportunities available to them in the market.
Don’t get me wrong, there are established and mature solutions in the market that do some great things and have happy clients. But there are also many situations in which major GRC solutions take years to build out and implement and cost a ton of money to administer. In fact, one major GRC solution that major analysts love and rank so very highly (I am not naming names in a post like this), has a string for failures. Consider:
- IT GRC @ Global Manufacturer. I wrote the IT GRC for this RFP. The CISO stated they will not consider this major GRC platform because of the horrible experience at a previous firm he was with.
- Enterprise GRC @ Utility & Energy Company. The project owner at this firm stated they would not allow this solution into the RFP because of the failure and cost to administer the solution at a previous firm.
- Enterprise GRC @ Bank. In this RFP I helped with, this solution was already in house for an area of GRC. They told me that they would let the solution provider respond to the RFP as they were an incumbent, but they would not be a consideration because they are very dissatisfied with it.
- Enterprise GRC @ Outsourcer/Professional Service Firm. In this instance, I helped write and manage the RFP. At the last-minute IT stepped in and said they wanted to be part of this and that it would be this particular solution provider. As they controlled the budget, no one could argue. I warned them that this would not be my choice, that they would be over budget and well past their deadlines. They came back to me two years later and said they wished they would have listened. That they were just now doing the initial rollout and they were way over budget. They now have scrapped the solution and have implemented another they are happy with (which I originally recommended).
My point here is that there are great solutions available in the market. Popularity should not be the measuring stick. While there are exceptions, the popular kids in school were often the jerks and bullies.
Organizations need to do their homework and understand solutions for their features, functionality, ability to deliver, ease of administration, and how agile the solution provider is to engage and adapt to the organization. GRC does not need to be the scale of ERP. There are highly agile, intuitive, easy to use solutions available in the market. All you need to do is ask. GRC 20/20 offers complimentary inquiry to guide organizations on what solutions are available in the market for their specific needs. Every week GRC 20/20 answers between 5 and 15 questions from organizations looking for GRC related solutions in the market.
When you measure the value of a GRC solution in the market, I suggest you frame it around the following three areas:
- GRC efficiency. How does this solution make you more efficient in your use of human and financial capital?
- GRC effectiveness. How does this solution make you more effective, accurate, and complete in executing GRC processes, activities, and tasks.
- GRC agility. How does this solution help you keep up with change – business change, regulatory change, risk change – in your environment. Also, how does it help you quickly identify issues and concerns to contain them before they become big issues.
One more thing, GRC 20/20 has an extensive RFP requirement library across GRC domains. Organizations can engage GRC 20/20 to assist with their RFP development and engagement in the following areas:
- Enterprise GRC Platforms
- Enterprise & Operational Risk Management
- Audit Management
- Automated/Continuous Controls Management
- Business Continuity Management
- Compliance/Ethics Management
- Environmental, Health & Safety Management
- Internal Control Management
- Issue Reporting and Investigations/Incident/Case Management
- IT GRC Management/IT Security
- Policy Management
- Quality Management
- Third Party (Vendor/Supplier) Management
On the flip side, if you are a GRC Solution Provider in the market, check out GRC 20/20’s next Research Briefing on How to Market and Sell GRC Solutions to go through these challenges discussed in this post and how to overcome them.