Considerations When Purchasing GRC Solutions

Every organization does GRC. . .

It makes no difference whether you use the acronym ‘GRC’ or not, every organization has some approach to governance, risk management, and compliance. Your organization’s approach to GRC may be:

  • Ad hoc and fly by the seat of your pants;
  • Decentralized and siloed; or,
  • Collaborative and integrated.

No matter an organizations approach to GRC, the use of technology is pervasive in GRC processes. Technology for GRC can be using documents, spreadsheets, and emails; or in focused applications deployed to meet specific GRC needs; or in enterprise GRC platforms and architectures that pull many functions together.

GRC 20/20 Research is deeply focused on analyzing, monitoring, differentiating, and forecasting the market for GRC solutions. In this context I have mapped over 600 solutions into the GRC market.  These include solutions focused on specific areas of GRC (e.g., policy management, investigations, health & safety, legal matters, third party management) to GRC platforms that bring multiple modules together at a department or enterprise level. In the course of an average week, GRC 20/20 answers between 5 and 10 inquiries from organizations looking for GRC related solutions and assists many organizations in RFP development, management, and evaluation of solutions.

Over the next few months I will be doing a regular series of posts on buying considerations in different areas of GRC. However, before getting into specific areas, I want to share considerations organizations should have when looking at any type of GRC related solution.  The guidance provided below is applicable whether you are looking for something very narrow such as occupational health & safety, or very broad such as enterprise GRC platforms.

When considering GRC related solutions, organizations should:

  • Think GRC Architecture and not GRC Platform. There is no GRC silver bullet that does everything. Solution providers may sincerely think they can do it all but they do not. Yes, there can be a core platform that becomes the hub of GRC integration and reporting but it is often not the only GRC solution involved. Organizations often have several GRC related solutions deployed for different purposes. Just this past week I had dinner with individuals from three major financial services organizations that all had deployed one solution for operational risk management and another for IT GRC. I have been seeing this for years. Organizations are too focused on trying to find one platform to be all things and then find they have watered down areas of GRC and forced different GRC groups to work to the lowest common GRC denominator.
  • Be Diligent in Checking Client References. Ask the hard questions. Push them to find out what they do not like about the solution, find out where it has under-delivered, how issues were responded to. Understand that when solution providers give you a reference it is usually vetted and it is a decision-maker that purchased the product that has a vested interest in the product, and the solution provider treats them like royalty. I talk to these references, but I also insist on talking to someone else who uses the solution on a daily basis on a separate call without others on the line. Often the decision-maker will sing the solution’s praises on the first call and the other call you will hear the truth of the implementation and frustration with the solution.
  • Be Wary of the RFP “Yes, We Do That” Responses. This really frustrates me. Some solution providers basically answer ‘yes’ to nearly every criteria in an RFP. They simply believe it is a matter of ‘configuring’ their solution to support this requirement. They do not tell you it will be a six-month project to do configure it for this feature. This is why organizations have to get solutions and test drive it themselves. I have gotten to the point that I add a field in RFPs that asks if it is a native feature existing out of the box in the solution or if it is something that has to be configured and built-out.
  • Know the Solution Provider’s Expertise. A common complaint I am getting these days is that the GRC solution providers developers have no clue on GRC. Some of the most basic fundamentals of risk management have to be explained over and over again. Everything sounded great throughout the sales process, but as soon as the deal was closed and the implementation begun the implementation team and supporting developers are ignorant of GRC concepts. Make sure that you have a good understanding of the implementation team expertise and background in GRC and the developers supporting that team.  Note, I have stated developers a few times, several of the leading solutions are very bespoke and require a lot of build out for each implementation.
  • Be Cautious with Analyst Rankings and Advise. In full disclosure – I am an analyst. I spent seven years at Forrester and now eight on my own. My concern over analyst reports and rankings is growing at an alarming rate. The recent series of Magic Quadrants from Gartner has put me into a state of shock. Organizations rely on these reports to make decisions. Yes, Gartner has a veiled warning that solutions in the upper right may not be the best fit for all organizations. Still, the perception and ranking marks the ones in the furthest upper right as the best. Some advice:
    • Consider Solutions Beyond the ‘Leaders.’ I hate the two-dimensional rankings of the Forrester Wave and Gartner Magic Quadrant. There is a natural assumption that those in the upper right are the best solutions when reality it is someone in the lower left or not even in the report that may be the best fit for your organization. Many solutions cannot even get into the Gartner and Forrester reports based on their criteria for number of offices, global presence, and revenue. These are still very capable solutions and often are more agile and using newer and more innovative technologies with better user interfaces. A good RFP and evaluation often has a mixture of those evaluated and ranked highly by major analyst firms as well as a few that are not covered or did not score as highly.
    • Gartner does not publish criteria. Seriously, why can’t this be transparent? I guess this is the magic in the magic quadrant as Gartner does not want anyone to know the criteria and scores of each solution. A research organization should be able to publish its criteria, methodology, and scores or it should not call itself a research organization. Forrester does publish criteria and scores though they have been rolling up GRC Waves and it has become very high-level and lacks usefulness.
    • Reliance on video demos and questionnaires. Gartner does not have a consistent process for Magic Quadrants across their research, and even in the range of GRC Magic Quadrants they just published there is variance. However, the general approach for the recent series of GRC Magic Quadrants has been having GRC solution providers fill out a survey questionnaire and submit a video demo of the solution. For some Magic Quadrants they did not dig deeper than this. Companies are investing hundreds of thousands of dollars in GRC solutions based on Gartner rankings which in turn are based on a video demo and survey. This simply turns the Magic Quadrant process into a video beauty pageant.
    • Client references done by surveys. On top of this, Gartner did online client surveys for reference checks and randomly called a few to fact check responses. This is ridiculous. Subscribers pay tens of thousands of dollars for research access. Gartner sells redistribution rights to Magic Quadrants to vendors for thousands of dollars. Organizations are making big purchasing decisions based on these reports. Get on the phone and talk to all the client references and grill them, don’t just send them survey questions. BTW, Gartner’s day rate for consulting is over $15,000 a day which is higher than most Wall Street lawyers. Earn your money and get on the phone with clients and roll-up your sleeves and dig deep into the solutions.
    • Rankings that simply do not make sense. I look at the Magic Quadrant graphic for operational risk management and scratch my head in bewilderment. The plotting is a mystery to me. Some marked as Leaders have deep operational analytic capabilities, they have operational loss data and metrics tied to loss databases aggregating industry loss information to go into capital modeling for operational risk. These are solid solutions. Then you have others in the Leaders category that barely skim the surface of operational risk management with limited analytical capabilities. These are apples and oranges. Those that have very deep operational risk capabilities are being plotted next to others that have limited capabilities. I guess that is to be expected when evaluation is being done by submitting a video demo and questionnaire. Under those circumstances anything can be made to look better – it is like airbrushing magazine models. This was again verified this past week at the dinner I referenced above, all three major financial services firms picked one of the leaders for operational risk management because of their deep operational risk analytic capabilities while not choosing the incumbent already being used for IT GRC which scores further in the upper right in Gartner’s operational risk Magic Quadrant. Go figure . . . I could state the same for the IT Risk Management Magic Quadrant.

This is some collected advice and experience I have from a few decades of experience. What is your experience and advice to organizations in evaluating solutions related to GRC?