Outside of Governance, Risk Management & Compliance (GRC), my passion and interest is in British medieval history – from the Anglo-Saxon period through the Plantagenets and the War of the Roses. Nothing quite inspires like a good Anglo Saxon epic, particularly Beowulf. One of my favorite moments is when Beowulf goes up against the vicious monster Grendel. Grendel is a behemoth of a monster, devouring, imposing, and outright terrifying. Beowulf engages Grendel unarmed with no armor and defeats him in a vicious battle by tearing off the monster’s arm. The agility of Beowulf in a fight against a dominant and imposing behemoth reminds me of what is taking place in the context of GRC platforms and technologies in the market.
The Dominion of the GRC Behemoth
A few months back there was a LinkedIn post that described the song Hotel California as being a parable of an implementation of one GRC solution, that after $500 thousand in license, and $2 million in implementation, three years later it is ready to do something. This is something I am hearing every week from organizations that are frustrated with GRC Market Leaders that have significant cost of ownership and build out. Where an organization has to have certified experts make changes because of the complexity of the system and it may take months to see configuration changes implemented.
Several of my workshops this past year have had prominent organizations express their frustrations with established GRC Leaders in the market (note: I use the term GRC but these are also the same leaders Gartner has in their IRM Magic Quadrant). In reviewing RFPs GRC 20/20 has been involved in over the past two years, solutions that Gartner and Forrester consider a Leader, in their respective Magic Quadrants and Waves, have a ratio of software license to implementation of 1:3 to 1:5. That is for every dollar spent on software license in the first year an organization can expect to spend 3 to 5 dollars on configuration and build out. This is the configuration and build out, not management consulting costs for process design. Solutions that are outside the Leaders quadrant have a ration of about 1:0.5 to 1:2. While some of these GRC Leaders are working hard to rearchitect their solution to address this, it is opening the door to other solutions that have entered the market with highly agile solutions.
Era of Agile GRC
The reality is that GRC can be agile and not a behemoth of cost. There are a range of solutions in the market that are highly agile with ease of configuration and adaptability. This was illustrated at a user conference I was a keynote speaker at last year in Sydney, Australia (note: I am not naming names in this post as there are several agile solutions in the market and want to be fair to all, you can always ask me about these in inquiry). This is a young GRC solution provider who had their solution on the market less than a year and had 200 people at their conference (which is very impressive for a user conference in Sydney, let along a first user conference). After my keynote, they had a session in which they stated they would build a complete case/incident management module with forms, workflow, tasks, and reporting in else than an hour. To illustrate this further they had 2 bartenders up front with 200 cocktail glasses and said this fully functioning module will be complete before the bartenders finished pouring 200 drinks for the attendees. They did it.
GRC 20/20 is seeing a range of highly agile GRC related solutions in the market that have a significant return on value and low cost of ownership when contrasted to legacy GRC solutions that are often seen as the market leaders. This is forcing the market to adjust to consider highly agile solutions available to organizations as well as traditional market leaders to rearchitect their solutions to remain competitive.
I would love to hear your thoughts and experience . . .
Or you can also ask GRC 20/20 an inquiry on what Agile GRC solutions are the up and comers and what is changing with traditional market leaders so they can maintain their positions . . . .