Over the course of a year, I interact and advise on a lot of GRC related RFPs/RFIs. Some of these are for Enterprise GRC Platforms, most are in specific domains of GRC such as operational risk management, IT risk management, compliance management, audit management and analytics, policy management, third-party management, and more. Something I added to my RFP requirements back in 2005 is the criteria if the solution supports business process modeling (BPM) natively in the application.
I saw this as an important requirement fifteen years back, but it only seems to have become mainstream over the past few years. In an increasing amount of RFPs, as well as organizations purchasing a solution without an RFP, I am seeing the capability to support BPM natively in the GRC solution as a key requirement. Organizations are tired of using separate solutions like Visio to document process flows and attach them as evidence and documentation for risks, compliance, and controls. Today, organizations want to be able to do business process modeling within the GRC solution (whether for broad enterprise GRC or a specific area of GRC like GDPR or internal control management). They want to be able to identify risk and control areas visually on these process flows and even use them as dashboards to see how processes are functioning to reliably achieve objectives, address uncertainty, and act with integrity (OCEG GRC definition).
Consider that organizations are facing a range of requirements that require business process and data flow modeling in the context of GRC, these include:
- Privacy, GDPR & CCPA, Requirements. The foundational step to privacy compliance is documenting how personal information is collected, used, processed, shared, and even destroyed in the organization. This involves data process flow diagrams on how personal information is collected and flows throughout organization processes. Organizations want to be able to document the data flows of personal information and highlight where risks and controls are, and even use process flow diagrams as dashboards to show where they are having privacy issues and where those issues are occurring in business processes.
- Accountability Regulations – UK SMCR, Australia BEAR, Ireland SEAR, HK MIC, Singapore MAS. There is a growing array of accountability regulations that make senior management functions (SMFs) personally liable for lack of due diligence, negligence, or willful wrongdoing in risk and compliance contexts. These roles can be personally fined or go to jail. Core to compliance starts with accountability maps that map SMFs to accountability and responsibility structures and their associated processes. Organizations need business process modeling to map risk, compliance, control accountabilities to SMFs, and use these for regulatory reporting as well as dashboards and executive communication.
- Operational Resiliency & Business Continuity. The key to business continuity, and now the greater need for operational resiliency, is to map business process flows and services to clearly document how this works. When a disaster happens, there needs to be process maps to show how business process flows and services are adjusted in different scenarios to maintain continuity and resiliency and recover the organization. BPM is foundational, from my point of view, in addressing the Operational Resiliency requirements coming from the UK FCA, PRA, and Bank of England.
- Sarbanes-Oxley & Internal Control Management. Over the past several years the Public Company Accounting Oversight Board (PCAOB) has been putting pressure on external auditors to require of their clients business process diagrams for SOX compliance in addition to the lengthy written control narratives. Increasingly, organizations are looking for their internal control management solutions to be able to diagram business processes – such as accounts payable, accounts receivable, procurement – and document risk and control points in these processes visually. This is another ideal area to use process diagrams of dashboards to demonstrate how these processes are functioning to reliably achieve objectives while addressing uncertainty and act with integrity and light-up where controls are failing and issues are happening.
These are just some examples of many for the critical role of BPM in GRC related solutions. The key question for you . . . is your GRC solution supporting BPM natively in the application?
What Else are Organizations Looking for In GRC Solutions?
Wading through the onslaught of recent inquiries, research interactions, as well as the RFPs/RFIs I have interacted on this past year . . . here are the top things I am finding that organizations are looking for in next-generation solutions across segments of the GRC market. Across these interactions, I am getting regular interactions and references to my blog on Agile GRC 4.0 blog.
- User Experience. This is the number one criteria. Organizations want a modern user experience that incorporates the latest in UX design and interaction. One recent RFP for risk management that I advised on (for a global firm) made this the deciding factor. Several were weeded out early on because of dated user experiences and it came down to two. The one they chose had a superior and more modern user experience over the other.
- Value, Business Case, Cost of Ownership. This is up there right with user experience. Orgs want a clear and compelling business case of value and business justification. Not just acquisition costs but ongoing costs of management, maintenance, configuration, and upgrades. Too many have had horrible experiences with older solutions that take months to years to roll out. One RFP that is being formulated for risk management bought one solution three years back, spent these years building it out, and today has 0 users on it and is now looking for something more agile.
- Front Office, Not Just Back Office. With more and more risk, compliance, and control focus being put on the 1st line (front office) and not just 2nd and 3rd lines (back office risk/compliance functions) organizations want simple intuitive interfaces and experiences to engage front office personnel. They still want the depth of analytics and analysis for back-office functions, but they want a streamlined contextually relevant view to engage the front office in GRC areas.
- Configurable and Agile. Orgs want solutions that are no code and highly configurable that do not break on upgrades (or cost just as much to upgrade as a whole new solution). This includes the ability to easily integrate with other business systems.
- Modern & New Solutions. This one is a little challenging. I have encountered three RFPs in multi-national organizations where the first criteria is that they were not going to invite anyone that is in the Leaders quadrant of Gartner (and to a degree Forrester) as they have had bad experiences with these solutions. They only wanted to evaluate solutions that have a modern code-base and architecture. The downside to this is that some newer solutions may not have the depth of features and analytics. But the issue is bad experiences, failed projects, and the cost of ownership of legacy solutions.
- Understanding. The other interesting that has caught my attention is evaluating the domain knowledge and understanding of the solutions. I have seen solutions win because they have stronger engagement and thought leadership (e.g., blogs, white papers, webinars) over comparable solutions in the market. Buyers are becoming very sensitive to knowing that they are engaging a firm that truly understands their challenges and can speak to them in context.
What are you seeing as critical criteria for GRC solutions in your organization?