Quick Start to a GRC RFP

So far 2015 has been the busiest year I have seen in the GRC market. There is increased demand for GRC solutions in all varieties, across industries and geographies.

The GRC market is a broad market with a variety of segments. It is not all about Enterprise GRC Platforms. In fact, only about 25% of the inquiries GRC 20/20 gets from organizations are for Enterprise GRC strategies and platforms. A good 75% of the market is aimed at solving department and specific regulatory or risk area needs. There are over 700 technology solution providers in the GRC market across 16 primary market segments. In addition to this there are over 90 GRC intelligence (content) providers offering over 350 GRC intelligence solutions of various capabilities.

The challenge is: how do you find the right GRC solution for your organization?

This is where GRC 20/20 comes in. If you are looking for GRC solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website. I will do my best to see that you are responded to quickly and efficiently. GRC 20/20 is currently answering between 5 and 10 inquiries each week from organizations looking for GRC related solutions.

The next step is building out the requirements for a GRC RFP. Whether this is for an enterprise GRC platform or a very specific segment of GRC, GRC 20/20 has detailed RFP criteria for many domains of GRC. These involve over 200 requirements (sometimes many more) in a given segment of GRC that are broken into basic, common, and advanced functionality. This allows organizations to select the criteria that best fit their needs, as some require only simple functionality while others require advanced functionality.

GRC RFP Criteria is available, in an engagement, in the following areas:

  • Enterprise GRC Solutions
  • Audit Management Solutions
  • Policy & Training Management Solutions
  • Risk Management Solutions
  • Third Party Management Solutions (e.g., vendor, supplier)
  • Compliance Management Solutions
  • IT GRC Management Solutions
  • Internal Control Management Solutions
  • Automated/Continuous Control Management Solutions
  • Business Continuity Management Solutions
  • Environmental, Health & Safety Management Solutions
  • Issue Reporting & Management Solutions
  • Quality Management Solutions

GRC 20/20 can be engaged on RFP projects to rapidly enable organizations to develop RFPs based on our RFP criteria library. Simply email me at [email protected] and we can scope your needs for an RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

Considerations When Purchasing GRC Solutions

Every organization does GRC. . .

It makes no difference whether you use the acronym ‘GRC’ or not, every organization has some approach to governance, risk management, and compliance. Your organization’s approach to GRC may be:

  • Ad hoc and fly by the seat of your pants;
  • Decentralized and siloed; or,
  • Collaborative and integrated.

No matter an organization's approach to GRC, the use of technology is pervasive in GRC processes. Technology for GRC can be as basic as documents, spreadsheets, and emails; it can be focused applications deployed to meet specific GRC needs; or it can be enterprise GRC platforms and architectures that pull many functions together.

GRC 20/20 Research is deeply focused on analyzing, monitoring, differentiating, and forecasting the market for GRC solutions. In this context I have mapped over 600 solutions into the GRC market. These range from solutions focused on specific areas of GRC (e.g., policy management, investigations, health & safety, legal matters, third party management) to GRC platforms that bring multiple modules together at a department or enterprise level. In the course of an average week, GRC 20/20 answers between 5 and 10 inquiries from organizations looking for GRC related solutions and assists many organizations in RFP development, management, and evaluation of solutions.

Over the next few months I will be doing a regular series of posts on buying considerations in different areas of GRC. However, before getting into specific areas, I want to share considerations organizations should have when looking at any type of GRC related solution. The guidance provided below is applicable whether you are looking for something very narrow such as occupational health & safety, or very broad such as enterprise GRC platforms.

When considering GRC related solutions, organizations should:

  • Think GRC Architecture and not GRC Platform. There is no GRC silver bullet that does everything. Solution providers may sincerely think they can do it all but they do not. Yes, there can be a core platform that becomes the hub of GRC integration and reporting but it is often not the only GRC solution involved. Organizations often have several GRC related solutions deployed for different purposes. Just this past week I had dinner with individuals from three major financial services organizations that all had deployed one solution for operational risk management and another for IT GRC. I have been seeing this for years. Organizations are too focused on trying to find one platform to be all things and then find they have watered down areas of GRC and forced different GRC groups to work to the lowest common GRC denominator.
  • Be Diligent in Checking Client References. Ask the hard questions. Push them to find out what they do not like about the solution, where it has under-delivered, and how issues were responded to. Understand that when solution providers give you a reference it is usually vetted: it is a decision-maker who purchased the product, has a vested interest in it, and is treated like royalty by the solution provider. I talk to these references, but I also insist on talking to someone else who uses the solution on a daily basis, on a separate call without others on the line. Often the decision-maker will sing the solution's praises on the first call, and on the other call you will hear the truth of the implementation and the frustration with the solution.
  • Be Wary of the RFP "Yes, We Do That" Responses. This really frustrates me. Some solution providers basically answer 'yes' to nearly every criterion in an RFP. They simply believe it is a matter of 'configuring' their solution to support the requirement. They do not tell you it will be a six-month project to configure it for this feature. This is why organizations have to get the solutions and test drive them themselves. I have gotten to the point that I add a field in RFPs that asks whether a feature is native and exists out of the box in the solution or whether it is something that has to be configured and built out.
  • Know the Solution Provider's Expertise. A common complaint I am getting these days is that the GRC solution providers' developers have no clue about GRC. Some of the most basic fundamentals of risk management have to be explained over and over again. Everything sounded great throughout the sales process, but as soon as the deal was closed and the implementation began, the implementation team and supporting developers turned out to be ignorant of GRC concepts. Make sure that you have a good understanding of the implementation team's expertise and background in GRC, and of the developers supporting that team. Note that I have mentioned developers a few times: several of the leading solutions are very bespoke and require a lot of build-out for each implementation.
  • Be Cautious with Analyst Rankings and Advice. In full disclosure, I am an analyst. I spent seven years at Forrester and now eight on my own. My concern over analyst reports and rankings is growing at an alarming rate. The recent series of Magic Quadrants from Gartner has put me into a state of shock. Organizations rely on these reports to make decisions. Yes, Gartner has a veiled warning that solutions in the upper right may not be the best fit for all organizations. Still, the perception and ranking mark the ones in the furthest upper right as the best. Some advice:
    • Consider Solutions Beyond the 'Leaders.' I hate the two-dimensional rankings of the Forrester Wave and Gartner Magic Quadrant. There is a natural assumption that those in the upper right are the best solutions, when in reality it is someone in the lower left, or not even in the report, that may be the best fit for your organization. Many solutions cannot even get into the Gartner and Forrester reports based on their criteria for number of offices, global presence, and revenue. These are still very capable solutions, and they are often more agile, use newer and more innovative technologies, and have better user interfaces. A good RFP and evaluation often has a mixture of those evaluated and ranked highly by major analyst firms as well as a few that are not covered or did not score as highly.
    • Gartner does not publish criteria. Seriously, why can’t this be transparent? I guess this is the magic in the magic quadrant as Gartner does not want anyone to know the criteria and scores of each solution. A research organization should be able to publish its criteria, methodology, and scores or it should not call itself a research organization. Forrester does publish criteria and scores though they have been rolling up GRC Waves and it has become very high-level and lacks usefulness.
    • Reliance on video demos and questionnaires. Gartner does not have a consistent process for Magic Quadrants across their research, and even in the range of GRC Magic Quadrants they just published there is variance. However, the general approach for the recent series of GRC Magic Quadrants has been having GRC solution providers fill out a survey questionnaire and submit a video demo of the solution. For some Magic Quadrants they did not dig deeper than this. Companies are investing hundreds of thousands of dollars in GRC solutions based on Gartner rankings which in turn are based on a video demo and survey. This simply turns the Magic Quadrant process into a video beauty pageant.
    • Client references done by surveys. On top of this, Gartner did online client surveys for reference checks and randomly called a few to fact check responses. This is ridiculous. Subscribers pay tens of thousands of dollars for research access. Gartner sells redistribution rights to Magic Quadrants to vendors for thousands of dollars. Organizations are making big purchasing decisions based on these reports. Get on the phone and talk to all the client references and grill them; don't just send them survey questions. BTW, Gartner's day rate for consulting is over $15,000 a day, which is higher than most Wall Street lawyers. Earn your money: get on the phone with clients, roll up your sleeves, and dig deep into the solutions.
    • Rankings that simply do not make sense. I look at the Magic Quadrant graphic for operational risk management and scratch my head in bewilderment. The plotting is a mystery to me. Some marked as Leaders have deep operational analytic capabilities; they have operational loss data and metrics tied to loss databases aggregating industry loss information to feed capital modeling for operational risk. These are solid solutions. Then you have others in the Leaders category that barely skim the surface of operational risk management with limited analytical capabilities. These are apples and oranges. Those that have very deep operational risk capabilities are being plotted next to others that have limited capabilities. I guess that is to be expected when evaluation is being done by submitting a video demo and questionnaire. Under those circumstances anything can be made to look better; it is like airbrushing magazine models. This was again verified this past week at the dinner I referenced above: all three major financial services firms picked one of the Leaders for operational risk management because of its deep operational risk analytic capabilities, while not choosing the incumbent already being used for IT GRC, which scores further in the upper right in Gartner's operational risk Magic Quadrant. Go figure . . . I could state the same for the IT Risk Management Magic Quadrant.

This is some collected advice and experience from a few decades in the market. What is your experience and advice to organizations in evaluating solutions related to GRC?

2014 GRC Technology Innovation Award: Integrc's RouteONE Delivers Significant Efficiencies in GRC Implementation

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year's awards, and 15 winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year's award.

Integrc's RouteONE Delivers Significant Efficiencies in GRC Implementation

The cost and time to implement enterprise GRC solutions has been a barrier to many organizations, particularly those integrated with an ERP environment such as SAP. This often means that SAP GRC projects feel like necessary overheads that are difficult, costly, and drag on. Integrc is an innovative service provider that enables organizations to achieve the rich value of SAP GRC in a way that is radically different. Their goal is to implement SAP GRC ten times faster. With Integrc's innovative RouteONE, many elements of an SAP GRC deployment have been reduced from weeks to minutes.

RouteONE is inspired by Michael Hewitt-Gleeson’s x10 thinking, which has been the mantra of Google CEO, Larry Page. Most companies would be happy to improve a product by 10%. But as Page sees it, a 10% improvement means that you’re basically doing the same thing as everybody else. That’s why Page expects Google employees to create products and services that are 10 times better than the competition. It works on the basis that ten heads are better than one, so rather than having top management provide inspiration, you enable your employees to do it. It’s a concept also referred to as ‘Bottom-up innovation’. X10 is one hundred times 10% – and that radical objective changes the approach from modify to re-design from scratch.

RouteONE has become a revolutionary way to deploy SAP GRC solutions faster and cheaper. For organisations with an SAP-centric application strategy, this now brings an integrated technology solution within reach in a way that has not been affordable or manageable before. RouteONE unlocks GRC automation, enabling organisations to bring IT enablement to enhance their GRC business practices. RouteONE is centered around an innovative automated configuration engine combined with an accelerated methodology, a library of pre-built content, and an award-winning end-user adoption framework, Engaging Risk (recognized last year in GRC 20/20's 2013 GRC Innovation Awards). When used by experienced SAP GRC consultants, RouteONE typically halves the time and cost of implementing SAP GRC but delivers the tailored outcomes expected from a traditional approach.

The core of the RouteONE capability is the QuickBuilder engine, which automates the necessary configuration components of the SAP GRC products. It also automates the configuration of the SAP suite using business design workshops based on the customer's own environment. The QuickBuilder is supplemented with the Quickloader tools, which enable the related master and transactional data to be managed via Excel spreadsheets. When compared to either a templated or traditional approach to deploying SAP GRC, RouteONE provides significant gains in efficiency, effectiveness, and agility. Customers no longer have to compromise any of their requirements or accept a long and potentially expensive project. RouteONE is transformational in that it delivers a solution specific to the customer's unique needs, but goes beyond accelerators and basic knowledge transfer materials and enables the automation of key tasks throughout the implementation. This means organisations wanting an integrated system, tailored to their exact GRC needs, now have a much faster, more manageable, and more affordable option.

RouteONE is game-changing because it unlocks the potential of integrated SAP GRC, which for many SAP customers was previously out of reach. Now they can dismantle many of their technology, cost and time-related barriers, roll-out SAP GRC far more quickly and cost-effectively than ever before and focus more effort on business change and end-user adoption. In short, it makes GRC automation more possible for many more organisations.

RouteONE has a continual emphasis on benefits realisation and on ensuring business users embrace the new system. Automation not only reduces human error, enables Integrc's clients to go faster, and saves them money; it also frees up time for more value-added activities, which is where Integrc's change management framework, EngagingRISK, comes into play. RouteONE can also provide a draft build of the system within 24 hours of starting a project, giving customers the benefit of hindsight in advance. So all in all, not only can faster outcomes be achieved, these outcomes are often better as well.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients