The GRC software space is vast, with numerous vendors. In fact, in my market models there are over 400 GRC software providers spanning 28 primary categories (with numerous sub-categories) of GRC-related software. Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), and 19 of the categories are focused on specific business functions/processes of GRC. Of the 400 vendors, fewer than 50 market and present themselves in the enterprise GRC domain.
How does an organization make sense of all of this? How do you know what you are buying is the right platform and right vendor for your organization?
Before I give some guidance on this, let me first state that GRC software is needed in organizations. A document-centric approach done in spreadsheets and word processing documents is prone to issues: issues in consolidation and reporting, both the errors and the time it takes; issues in accountability and audit trails, in validating that things were not changed to get someone or the organization out of trouble, or to paint a rosier picture of the organization; and issues in efficiency, as document-centric approaches take more resources to manage.
The issue is sifting through all the vendors with their offerings to find the one that best fits your organization.
My advice on buying GRC (and related risk and compliance software):
- Get to know the vendor. I have spent nearly twenty years in this space. There are good vendors and bad vendors. There are good sales people and bad sales people. A successful software implementation is going to require a relationship. Make sure that the vendor and sales person you are considering doing business with are people you want to work with. Someone who is arrogant or pushy is going to give you headaches and make your life miserable; they will always be pushing for the next deal and expanding the platform. Pick the vendor that appears to have your best interest in mind and not theirs.
- Understand who the vendor typically sells to, by industry and role. Every vendor in this space has a history and track record. Some have strengths in audit or risk or compliance or information security or some other role. Some have a history in financial services while another is in healthcare. While many vendors can serve across several roles, where they have historically sold their platform will tell you where their dominant strengths lie.
- Use caution with Forrester Waves and Gartner Magic Quadrants. Too many organizations see whoever is in the upper right quadrant and pick them for their short list. THIS IS A MISTAKE. These documents have their value, but just because someone appears to be the leader does not mean they are the best fit for your organization. That ‘winner’ may serve primarily Fortune 1000 banks, while you are a mid-size hospital. They may be strong in risk while you are looking for a strong compliance solution. Do not assume that the leaders in these research pieces are what will be best for your organization. There may be a vendor not even in the research that is the ideal fit for you.
- Check references. Require that the vendor give you references – and check them. Grill the references. Ask questions on what they like least about the vendor and the solution. Ask them what they would change. Many of these references have sweet deals from the vendors and are spokespeople for them – you need to grill them and look for the chinks in the armor. I would also use social networking (e.g., LinkedIn, Twitter) to ask for experiences of others. Talk to analysts and insist on knowing the good, the bad, and the ugly. If the analyst does not have much to offer – go to one that has experience.
- Control the vendor. A huge issue with GRC software projects is when the vendor sees $$$. I have seen situations in which the sales person is striving for a much bigger sale than what the organization is ready for. In these cases the sales person has taken it upon themselves to knock on other doors across the organization in an attempt to get buy-in to a GRC vision and fix corporate political issues. This kills GRC projects. Go back to the first bullet above – know your vendor and make sure it is who you want to do business with.
- Get in the driver's seat. A HUGE ISSUE is that some vendors are great at demos. They can find out what you need and go back and build some mock-ups that look great. What they have not told you by the time the deal closes is that much of the functionality they demonstrated still has to be built, on your dime. It is important that you demo the solution and get behind it yourself. Build scenarios of what you want to accomplish, give the vendor only the general goals rather than all the details, then sit behind the system and walk through those scenarios. This will make your decision much clearer, as the system that is easiest to use will quickly become apparent.
- Test your enterprise needs. Some vendors work great when operating in a specific business department, but their risk analysis and reporting falls apart as you try to aggregate, normalize, and report on information on an enterprise level – as with ERM (Enterprise Risk Management). I have had one senior executive tell me that they never want to see a heat map again as their GRC/risk vendor’s reporting was a mess and what appeared on the heat map was comparing apples and oranges.
- GRC Technology Innovation Awards. I am seeking nominations for Corporate Integrity’s GRC Technology Innovation Awards to be announced in February. If you have something revolutionary that changes the landscape of GRC for the future – contact me for a nomination form. This is not for ‘me too’ functionality but is something that is really unique and game changing.
- Ultimate [GRC] Platform Designation. If you feel your software is among the best in its domain, Corporate Integrity can be engaged to put it through its paces. Vendors that make it through get a write-up by Corporate Integrity on the solution and the ability to use the Ultimate Platform label. Please contact me for more information. The Ultimate Platform designation can be pursued in the following categories:
  - The Ultimate Enterprise GRC Platform
  - The Ultimate Risk Management Platform
  - The Ultimate Compliance Management Platform
  - The Ultimate Audit Management Platform
  - The Ultimate Policy Management Platform
  - The Ultimate Legal Management Platform
  - The Ultimate IT Risk & Compliance Platform
  - The Ultimate 3rd Party/Vendor/Supplier Platform

LinkedIn Groups
Group: Compliance Week
Discussion: How to Buy GRC (Risk & Compliance) Software
Excellent advice for this or any other enterprise software purchase.
Posted by Scott
Group: Corporate Integrity (GRC)
John,
Excellent advice here. At the end of the day this type of purchase is like all purchases of strategic enterprise software: you have to do the necessary due diligence upfront if you hope to be successful. In the healthcare space there are now a number of high quality (and affordable) SaaS solutions that guide a covered entity or business associate toward HITECH / HIPAA compliance. That said, you will get out of it what you put in; there are no magic bullets with respect to the GRC challenge. BTW, “enterprise” as used here applies to organizations of all sizes.
Posted by Carlos
Group: Enterprise Risk Management
I like the suggestions as well. I am a CEO and I would advocate looking not just at a risk framework, but at a governance, value management and performance framework. How is the business going to create and preserve value? How is the business going to perform better than the competition? How are we going to govern well for our investors and other stakeholders? How do we enable the organization to excel?
Posted by Michael
Group: Enterprise Risk Management
Good piece, Michael, some excellent tactical suggestions. I’m curious though. Isn’t the precursor to all of this developing strong internal processes and a risk framework so that you have some context to go out with in your RFP (basically knowing your requirements so that you can articulate them to the potential vendors)? Too many organizations seem to think that buying software will fix their problem of no framework, when in fact you have to have your framework first. Is that sort of assumed, and you picked up from that point?
Posted by Eric
Group: Continuous Controls Monitoring
Good advice. In my Continuous Monitoring, and other work, I have seen how fragmented the GRC software space is and the enormous need for technology solutions, for Enterprise GRC and for subsets of GRC, like IT GRC, Risk, legal, finance, tax, all including continuous assurance and continuous monitoring dimensions. Your commentaries on this subject have been helpful – I plan to study the subject more in 2012, with the help of the FEI Committee on Finance and Technology, which is already following continuous monitoring.
Posted by Michael P.
Group: Enterprise Risk Management
An electronic GRC program, once installed and running, is a great tool to ease the manpower required to monitor your organization, but until you have utilized it for a while and fully understand its capabilities it is only as good as your manual program.
Posted by Jeffrey M.
Group: Corporate Integrity (GRC)
Very sound advice, which we (my organisation) are in the process of applying. We have referenced Gartner, plus our vendor experience, plus some initial demos to gather a short list. Would be keen to know if anyone has specific knowledge or experience of some of the GRC vendors such as SAP, BWise, CURA, Archer & MetricStream, to name a few…
Posted by RUSSELL
Group: Enterprise Risk Management
Michael, I agree with Eric’s view – the acquisition of a software solution in the GRC space is a project about to be undertaken by the enterprise and should be subject to the same ERM analysis as any other operational project.
Posted by Ben
Group: Corporate Integrity (GRC)
Good advice. As a software vendor for hospitals/healthcare org’s, I would add that looking to others in your health system, if applicable, is a good place to start for references since they should be managing their GRC in a similar way. Some software such as ours even has powerful collaborative features that will save you a lot of time in the long run, i.e. the ability to share policies and procedures across facilities within the same system. It’s not just a feature that can be tacked on later, so you’ll want to look for it while you’re in the RFP process. http://www.policystat.com
Posted by Whitney
Group: Risk, Audit, and Compliance Executives (RACE)
I agree 110%, Michael. A FI must do their homework and find successful references for each vendor, maybe even 2 or 3. If you already have a vendor in house, like ICS RA, that you are comfortable working and consulting with already, why go anywhere else? They understand the risk management philosophy of your FI, they thoroughly understand your compliance approach, and these current vendors have worked within your governance team and will not need that educational curve overcome. And if you aren’t comfortable with your current vendor, then visit our website, http://www.icsriskadvisors.com, and see how we have made a successful difference for over 1,000 FI’s in the United States, including organizations worth over $100 MB!
Posted by Gretchen
Group: Corporate Integrity (GRC)
As a vendor representative I could not agree more. Please ask our clients and join our webinars where you ask for interaction with the live system. Implement our next generation GRC solution for SAP in one or two weeks. And then save costs every week in the operation through the compliance automation concept and the out of the box reporting features.
Posted by Albert W.
Michael, I think you will agree that because software for GRC processes is such a broad category, it is absolutely critical for every potential buyer to identify and prioritize their business needs, rather than buy a ‘package’ that may not suit them.
Group: Corporate Integrity (GRC)
Excellent article, Michael. I would also recommend looking at the vendor’s product roadmap for the upcoming year. As a policy management software vendor ourselves, we find that the needs of hospitals and healthcare organizations are maturing and evolving. The same system that they used a few years ago no longer handles the sophisticated needs for automation, workflow and standards linking that they have.
A look at a vendor’s roadmap is telling as to whether they will be able to keep up with your own organization’s evolving policy management needs. It will also give you insight as to whether the vendor has a strong enough understanding of your space to understand where product innovation should go.
Once again, great coverage of this issue, Michael.
Cheers,
Daisy Jiang
Marketing Specialist
PolicyMedical | http://www.policymedical.com