Building a Business Case & RFP for GRC-Related Software
I am an analyst; my job is researching the challenges companies face in the context of governance, risk management, and compliance (GRC) and how they solve those challenges with strategy, process, and particularly technology and services. Every week, I answer between 10 and 20 inquiry questions from organizations that want insight into GRC-related solutions and services and desire my perspective on the market (I offer an initial interaction at no cost).
My job as an analyst is two-fold:
- Horizon Scanning. Forecasting the drivers and trends over the next two to five years and providing insight into what organizations will need and where the market is headed.
- The Current Situation. Understanding what is being delivered in the market, what differentiates one solution/service from another, and providing insight to buyers of solutions and services on what they should look at and consider to meet their current and future needs.
We are entering that time of the year when I get a lot of interactions on how to build a business case and prepare for an RFP for GRC-related software as organizations prepare for next-year budgets.
Note I stated GRC-related. It is not all about one platform that does everything; that platform does not exist. There may be a core platform for GRC, but there are a lot of best-of-breed and deep solutions that extend the GRC architecture of an organization. There are deeply capable solutions and RFPs for specific domains of GRC, such as third-party risk management, ESG, resilience and continuity, policy management, audit management, regulatory change management, case management, and more. What I go through below can be applied to a broad GRC platform doing various things or to a very specific GRC domain and its use cases served by dedicated best-of-breed solutions.
I am very busy with many current and developing RFPs. Some are within small to mid-sized organizations that are trying to replace manual processes of documents, spreadsheets, and emails. Others are with the mid to large enterprises that have found several, and in one case nine, different GRC platforms installed across the organization with further complexity of various point solutions and a maze of documents, spreadsheets, and emails.
Building a business case starts with a current state analysis to understand the present to prepare and architect for the future. Often, organizations find themselves trapped in a chaotic jungle of documents, spreadsheets, emails, and discrete point solutions when managing GRC. A current state analysis is pivotal for:
- Identifying inefficiencies. A deep dive into the prevalence and breadth of GRC management practices across the organization will typically unearth redundancies, bottlenecks, gaps, and silos in processes and information flow.
Once we understand the current state, we can begin designing/architecting the future state. Some might have a pretty good strategy and process in place that is supported by a robust GRC-related information and technology architecture. These organizations will take a Japanese kaizen approach to GRC processes and technology, with small incremental improvements. Others will find a mess and need a complete overhaul.
To shape a future where GRC management is streamlined and synergistic, it’s imperative to:
- Integrate technology where it makes sense by implementing GRC-related software to consolidate data, automate workflows, and enable data analytics.
- Optimize and re-engineer processes by identifying and eliminating non-value-added activities, leveraging technology to augment process efficiency.
- Enhance collaboration and visibility by breaking down silos and barriers to foster cross-functional collaboration, ensuring information and best practices are shared across departments.
- Build a resilient GRC framework with a system that addresses current governance, risks, and compliance requirements and is agile enough to adapt to future changes.
Once a clear understanding of the current state (most likely a mess that looks like an illustration of Dante’s Inferno) and a desired future state are defined, the organization can begin to build a business case that measures and quantifies the value of the future state in contrast to the current state.
When I work on a business case, I build it around the following four areas:
- Efficiency (Time & Money Saved). Implementing GRC software eradicates manual processes and redundant systems, diminishing human error and freeing employee time. It also provides an integrated architecture for information and reporting, reducing costs. One firm I helped found that 80% of their risk staff time was spent managing and chasing documents and emails and NOT managing risk. Another was spending 200 hours every year building a report for the board of directors (it now takes 5 minutes).
- Effectiveness (Risk Reduction & Enhanced Productivity). This is where we get more done, with fewer things slipping through the cracks, a single source of truth and system of record, greater accountability, and enhanced visibility. GRC-related software offers a comprehensive view of organizational risks, enabling better-informed decision-making to reliably achieve objectives, if done properly.
- Resilience (Proactive Issue Discovery & Management). GRC solutions with analytics capabilities empower organizations to identify and address issues before they escalate. The organization can address risks, events, incidents, and issues before they become bigger. The organization can recover quickly when things go wrong.
- Agility (Adaptability to Keep Up With Change). Organizations face constant change. Risk changes in the external environment (geo-political, economic, disasters, competitive). Regulations and laws continuously change. At the same time, the business itself is changing with employees, processes, technologies, strategy, mergers and acquisitions, and even third-party relationships. GRC technology enables organizations to be agile in a changing business: to forecast and see risks coming at the organization, and to prepare the organization to reliably achieve objectives, address uncertainty and risk, and act with integrity in meeting obligations amid continuous change and evolution.
Once the budget has been approved, it is time to write the RFP. I have hundreds of requirements, from the simple to the complex, across GRC domains. Each area/domain of GRC could be a full paper on requirements. When you’re clear about the current state, desired future state, and business case, designing a Request for Proposal (RFP) is the next step:
- Identify Key Requirements. List the functionalities and capabilities the GRC software must have to bridge the gap between the current and desired states.
- Define Evaluation Criteria. Establish metrics for evaluating potential vendors, such as functionality, technology stack, user-friendliness, customization capabilities, and post-implementation support. This includes demo scripts and use cases.
- Consider Future Scalability. Ensure that the software can scale and adapt to the future growth and diversification of the organization.
- Measure Total Cost of Ownership (TCO). Consider not just the procurement cost but also implementation, customization, training, and maintenance costs.
In summary, transforming GRC management (whether a broad strategy or a focused area) from a document-heavy, siloed operation into a streamlined, technology-enabled function necessitates a deep understanding of the current state, a clear vision of the desired future, and a robust business case that underscores the benefits in terms of efficiency, effectiveness, resilience, and agility. By establishing a clear business case and desired future state delivered in a well-crafted RFP, organizations can navigate the complex maze of GRC solutions and services, ensuring they are always ahead in this dynamically evolving business world.