Pitfalls in GRC Software Selection and RFPs
There is a broad array of governance, risk management, and compliance (GRC) related solutions available in the market. In fact, GRC 20/20 has catalogued and mapped over 800 technology solutions and over 300 content/intelligence solutions that organizations use to improve GRC processes in an effort to make them more efficient, effective, and agile. Navigating this array of solutions is not easy and organizations need to understand what there needs today as well as into the future to select the right solution(s) that best fit their needs. GRC 20/20 offers complimentary inquiry to organizations looking for solutions in the market and need some quick guidance as well as deeper RFP assistance and help in our RFP templates and support
GRC 20/20 maps these solutions across the following categories and capabilities:
- Audit Management & Analytics
- Automated Control Monitoring & Enforcement
- Business Continuity Management
- Compliance Management
- Enterprise GRC Platforms & Architecture
- Environmental Management
- GRC Intelligence & Content
- Health & Safety Management
- Internal Control Management
- Issue Reporting & Management
- IT GRC Management
- Legal Management
- Policy & Training Management
- Quality Management
- Risk Management & Analytics
- Strategy & Performance Management
- Third Party Management
Some organizations are looking to solve a specific problem, such as addressing a regulatory requirement like Sarbanes Oxley, US Foreign Corrupt Practices Act, UK Modern Slavery Act, UK Senior Manager’s Regime, or PCI DSS compliance (just a random sampling as there are thousands of regulations). Others are looking to address a range of requirements and risks within a specific department or domain like environmental, health and safety, IT security, internal control over financial reporting, HR investigations, or business continuity. Then some organizations look to address a specific area consistently across the organization such as enterprise policy management, third party management, or enterprise investigations management. Then there are organizations looking to address a range of domains and GRC requirements across departments in a single or core common technology backbone, this is what we refer to as Enterprise GRC platforms.
There are two things that are consider when looking at GRC related technologies.
- GRC is something you do not something you buy. Yes, there is a wide range of GRC related technologies in the market, but at the end of the day GRC is not about technology it is about organization’s actions, decisions, capabilities, and collaboration on GRC. The official definition of GRC as found in OCEG’s GRC Capability Model that I helped contribute to is that GRC is a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Certainly technology can enable this and make it more efficient, effective, and agile – but it is not a silver bullet that accomplishes this magically for the organization. The organization needs a strong culture, established boundaries of controls and policies, and strong processes for GRC to make a technology investment in any GRC related area a success.
- There is no one stop shop for all of GRC. Yes, there are GRC platforms that can accomplish a range of capabilities and needs across departments for an organization. However, there is no solution out of the 800+ solutions that does everything GRC. In fact, there are broad solutions that span many areas but they often do not go deep in some areas. Too often I find organizations with failed GRC projects because they try to do everything in one platform and find that in some weak areas of the platform they water things down and lose capabilities they previously had with deeper focused solutions.
Organizations should really be thinking about GRC architecture and not GRC platforms. There can still be a core GRC platform when the organization has the maturity and cross-department collaboration to be successful, but this platform will have constraints. Organizations are best served with understanding these constraints and integrating best of breed solutions when and where they make sense. There are many organizations I interact with and advise that have an Enterprise GRC strategy that have a strong core platform for GRC and operational risk but break off and integrate best of breed solutions that go deeper in areas such as IT GRC/security, third party management, policy management, quality management, or commodity/market risk management. In fact, this past year I interacted with three tier-1 financial services organizations that all used one GRC solution for enterprise GRC and operational risk management and all three had another solution in place for IT GRC and security that went deeper in that area.
The point is that organizations should define their strategy and understand their processes then select the right GRC technologies that provide the information and technology architecture to enable the strategy and process and not handicap it.
Some other common pitfalls in GRC solution selection to be aware of are . . .
- RFP beauty contests. I work on a lot of RFPs, and get engaged for my RFP templates and support regularly. I have seen a lot of horrible things happen in RFPs. Good solutions get ignored because some sales person did a half-hearted attempt at answering questions while a problematic solution gets selected because they had great but not always honest answers to RFP questions. Also, some solution providers are brutally honest in their RFP responses to their own demise while other solution providers will say anything to win the deal. My job is often to come in and keep these solution providers honest and raise red flags when I see them.
- Client references are tricky. Understand that client references that solution providers give are often the decision makers that stand behind there decision to invest thousands to hundreds of thousands of dollars in a GRC solution. They will have rosy and glowing things to say about the solution. You need to ask the hard questions to these references and word them in a way they cannot wiggle out of them. Ask them what they like least about the solution. I also thank them for their time and ask if I could talk to someone on their team that works with the solution every day – one of the GRC worker bees. I often get a completely different perspective on the solution. In one situation the Chief Audit Executive loved the product and only had great things to say about it, while the auditors I talked to that reported to the CAE hated the solution and it was the bane of their workday.
- Understand what is actually a feature in the solution. There are solution providers that say yes to everything in RFPs. Some do so because they are shady and will do anything it takes to win deal, others do it because they genuinely believe they have a flexible solution that simply can be tailored to meet any need or requirement. Either way, I have seen implementations that have dragged out for over two years because of all the build out and customization required to meet what the organization purchasing the solution thought already existed in the RFP. I assisted one company in their RFP and against my advice they selected a solution I did not recommend. I told them there is a lot that has to be built out for this and it will take a lot longer than they planned. They came back two years later and told me they wished they would have listened to me as they were just rolling out the initial phase of the solution and were seriously behind timeline and over budget. They now are with a different solution in the market.
- Ease of use is critical. A solution can have tremendous capabilities but if it is complicated to use, lacks intuitiveness, and users simply ignore it . . . the implementation fails. Many solutions in the market are very dated and have interfaces that look like they are 10 to 15 years old. This makes it hard to engage all levels of the organization on GRC. The number one selection criteria I see in organizations moving from one solution that has failed them to another solution is ease of use and intuitiveness. One enterprise policy management implementation I advised after they had an abysmal failure in their implementation because what could be done in one screen took three of four screens and lacked any sense of user friendliness and intuitiveness.
- Integration and openness is a key to success. Siloed solutions that do not integrate with other solutions are a dead-end. Organizations needs solutions that have a strong API for integration. One global Fortune 100 company I am advising on third party management needs to be able to integrate their third party management platform with their ERP environment to sync master data records. They tried one solution which failed them on this because of data integrity issues in the syncing (and user experience issues as well), they are now seeing success with a different solution that has strong integration capabilities. This is important across GRC areas. For example, policy management solutions should be able to integrate with HR systems to get new and changed employee records to be able to automate the communication of new policies when employees are on-boarded or change roles in the organization.
- Mobility matters in GRC. In most situations if a solution does not have a mobility strategy it is best be ignored. I am seeing growing demand for using tablets and smart phones for audits, assessments, investigations & case management, policy management and communication, training and clearing, issue reporting, and more.
- Cloud is everywhere, but be cautious. Everyone has a cloud solution – but this does not mean all cloud solutions are equal. Some use the term cloud and simply mean a hosted model while others refer to it as a multi-tenet architecture. The scalability and cost parameters can make a difference here. Security is to be critically understood and evaluated as well. I do not like the cloud naysayers that avoid it because they are concerned about security. I have seen many cloud environments that are more secure than the organizations evaluating them. This does not mean they all are secure . . . do your homework and evaluation.
I would love to hear your comments and thoughts on GRC related software and strategy. Please post below . . .
- Have a question about GRC related solutions and strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
- Looking for GRC related solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over hundreds of requirements for each GRC domain.