December 1, 2011

How to Buy GRC (Risk & Compliance) Software
Corporate Integrity, LLC

<<First Name>>,
 

The GRC software space is vast, with numerous vendors. In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC-related software. Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), and 19 of the categories are focused on specific business functions/processes of GRC. Of the 400 vendors, fewer than 50 market and present themselves in the enterprise GRC domain.

How does an organization make sense of all of this? How do you know what you are buying is the right platform and right vendor for your organization?

Before I give some guidance on this, let me first state that GRC software is needed in organizations. Using a document-centric approach done in spreadsheets and word processing documents is prone to issues: issues in consolidation and reporting, both the errors made and the time it takes; issues in accountability and audit trails, where you need to validate that things were not changed to get someone or the organization out of trouble, or to paint a rosier picture of the organization; and issues in efficiency, as document-centric approaches take more resources to manage.

The issue is sifting through all the vendors with their offerings to find the one that best fits your organization.

My advice on buying GRC (and related risk and compliance software):

  • Get to know the vendor. I have spent nearly twenty years in this space. There are good vendors and bad vendors. There are good sales people and bad sales people. A successful software implementation is going to require a relationship. Make sure that the vendor and sales person you are considering doing business with is someone you want to work with. Someone who is arrogant or pushy is going to give you headaches and make your life miserable: they will always be pushing for the next deal and expanding the platform. Pick the vendor that appears to have your best interest in mind and not theirs.
  • Understand who the vendor typically sells to, by industry and role. Every vendor in this space has a history and track record. Some have strengths in audit or risk or compliance or information security or some other role. Some have a history in financial services while another is in healthcare. While many vendors can serve across several roles, where they have historically sold their platform will tell you where their dominant strengths lie.
  • Use caution with Forrester Waves and Gartner Magic Quadrants. Too many organizations see whoever is in the upper right quadrant and pick them for their short list. THIS IS A MISTAKE. These documents have their value, but just because someone appears to be the leader does not mean they are the best fit for your organization. That ‘winner’ may serve primarily Fortune 1000 banks, while you are a mid-size hospital. They may be strong in risk while you are looking for a strong compliance solution. Do not assume that the leaders in these research pieces are what will be best for your organization. There may be a vendor not even in the research that is the ideal fit for you.
  • Check references. Require that the vendor give you references, and check them. Grill the references. Ask questions on what they like least about the vendor and the solution. Ask them what they would change. Many of these references have sweet deals from the vendors and are spokespeople for them; you need to grill them and look for the chinks in the armor. I would also use social networking (e.g., LinkedIn, Twitter) to ask for the experiences of others. Talk to analysts and insist on knowing the good, the bad, and the ugly. If the analyst does not have much to offer, go to one that has experience.
  • Control the vendor. A huge issue with GRC software projects is when the vendor sees $$$. I have seen situations in which the sales person is striving for a much bigger sale than what the organization is ready for. In these cases the sales person has taken it upon themselves to knock on other doors across the organization in an attempt to get buy-in to a GRC vision and fix corporate political issues. This kills GRC projects. Go back to the first bullet above: know your vendor and make sure it is who you want to do business with.
  • Get in the driver's seat. A HUGE ISSUE is that some vendors are great at demos. They can find out what you need and go back and build some mock-ups that look great. When the deal closes they have not told you that they have to build out much of the functionality they demonstrated, and do so on your dime. It is important that you demo the solution and get behind it yourself. Build scenarios of what you want to accomplish, do not give all the details to the vendor (just the general goals), and sit behind it and walk through it. This will make your decision much clearer, as the system that is easiest to use will quickly become apparent.
  • Test your enterprise needs. Some vendors work great when operating in a specific business department, but their risk analysis and reporting falls apart as you try to aggregate, normalize, and report on information at an enterprise level, as with ERM (Enterprise Risk Management). I have had one senior executive tell me that they never want to see a heat map again, as their GRC/risk vendor’s reporting was a mess and what appeared on the heat map was comparing apples and oranges.

If you have questions or need help on understanding the GRC software space, I am happy to help.

If you are a vendor, a few things you may be interested in are:
  1. GRC Technology Innovation Awards.  I am seeking nominations for Corporate Integrity’s GRC Technology Innovation Awards to be announced in February.  If you have something revolutionary that changes the landscape of GRC for the future – contact me (mkras@corp-integrity.com) for a nomination form.  This is not for ‘me too’ functionality but is something that is really unique and game changing.
  2. Ultimate [GRC] Platform Designation.  If you feel your software is among the best in its domain, Corporate Integrity can be engaged to put it through its paces.  Vendors that make it through get a write up by Corporate Integrity on the solution and the ability to use the Ultimate Platform label.  Please contact me (mkras@corp-integrity.com) for more information. The ultimate platform designation can be pursued in the following categories:
  • The Ultimate Enterprise GRC Platform
  • The Ultimate Risk Management Platform
  • The Ultimate Compliance Management Platform
  • The Ultimate Audit Management Platform
  • The Ultimate Policy Management Platform
  • The Ultimate Legal Management Platform
  • The Ultimate IT Risk & Compliance Platform
  • The Ultimate 3rd Party/Vendor/Supplier Platform
 
Sincerely,


Michael Rasmussen, J.D., CCEP, OCEG Fellow
Business Ethics & Compliance Lecturer, Author, & Advisor
mkras@Corp-Integrity.com


GRC Training & Professional Certification 

Join Corporate Integrity, LLC in an interactive training exercise in GRC Strategy, Process, and Technology.  Attendees receive value in understanding GRC and defining processes and strategy that aligns to OCEG’s GRC Capability Model. This seminar is authorized and endorsed by OCEG.  The objective of the seminar is to provide attendees with the knowledge necessary to efficiently design and enhance GRC activities across the business based on the GRC Capability Model.   Attendees learn about defining a GRC strategy and associated processes through lectures and practical group interaction, discussions, and exercises.
 

GRC Bootcamp/Seminar Dates and Locations:


January 9-10, 2012, San Francisco, CA, USA

February 28-29, 2012, Atlanta, GA, USA

April 16-17, 2012, Minneapolis, MN, USA

Where would you like to attend a GRC Bootcamp/Seminar? In-house training for your entire team is also available. If you have a suggestion for a location or would like to arrange an in-house event, please let me know at mkras@corp-integrity.com.


State of the GRC Market, Q4-2011

Today’s complex and competitive GRC market demands that you be at the top of your game. This training is Corporate Integrity's quarterly update on the State of the GRC Market. It is the summary of Corporate Integrity's market intelligence, which spans several hundred interactions/conversations with GRC technology buyers each year. It is an excellent opportunity for organizations looking to buy technology to learn what is going on in the market, and a necessary educational opportunity for technology providers to understand the GRC market and refine their strategies.

Attendees will be able to answer the following questions:

  • Who are the leading (most active) GRC technology providers?
  • Why are organizations buying GRC technology?
  • What differentiates the GRC technology providers?
  • How do you categorize and define the GRC technology market?
  • What is the market size of the GRC technology market?  Where will it grow?
  • What are the leading risk and compliance drivers for buying GRC technology?
  • What is the value that organizations have achieved by implementing GRC technology?
  • Where is GRC technology headed?
  • What are the different needs of GRC roles (e.g., audit, risk, compliance, IT, finance, legal)?
  • Who are some of the up and comers in GRC technology that I should be watching and why?

GRC Strategic Planning & Consulting

Corporate Integrity is actively engaged in helping organizations plan their risk and compliance strategies. If you need a few hours of advisory time on the phone or in person to help plan your strategic approach to risk and compliance and need to understand drivers, trends, best practices, benchmarks, assessments, and the landscape of professional services and technology providers - contact me.

Corporate Integrity, LLC
Phone +1.888.365.4560
info@corp-integrity.com


INQUIRIES:

Do you need advice? 

Corporate Integrity offers free 1/2 hour calls to those implementing GRC strategies and products within their environment - let us help you identify the best approach as well as vendors to work with, contact: inquiry@corp-integrity.com


UPCOMING TRAINING:

  • 3/26-28 CONFERENCE: Compliance 360 User Conference, Atlanta, Georgia, USA


Corporate Integrity, LLC · www.Corp-Integrity.com
Our mailing address is:

GRC 20/20 Research, LLC
4948 Bayfield Drive
Waterford, WI 53185

+1.888.365.4560 (main) +1.888.365.4561 (fax)

Copyright © 2011 GRC 20/20 Research, LLC, All rights reserved.