Top 5 assessment considerations
Evaluation aspects for any GRC software review
Whether you’ve made the decision to invest in new GRC software or to replace your current legacy software, there are important factors to consider as products in this space have significantly evolved over the years. Here are the top 5 factors to consider as you look at the many alternatives, along with why each factor should be important to you.
1. Cloud-Based vs. On-Premise
Cloud-based applications provide multiple advantages over on-premise solutions. With today’s technologies, cloud-based providers should be able to deliver better performance over on-premise solutions which still tend to get installed in virtualized environments that share resources with a multitude of other applications. Cloud-based solutions also allow for seamless upgrades with little to no downtime, which will keep you on the newest release to take advantage of product enhancements and the latest features. Have you been frustrated with the performance of your current application? Have you ever found yourself constantly fighting with your internal IT team to upgrade your software application, often getting stuck several releases behind and missing out on new features? You’ll want to perform due diligence to ensure the cloud provider protects your data from a security, privacy, and compliance perspective, but cloud-based solutions should perform better and be easier to manage.
2. Platform vs. Point Solution
Many business processes fall under the GRC umbrella. This includes—it’s a long list—policies, controls, and compliance activities, risk registers and risk assessments, vendor and third-party assessments, audit projects, workpapers and findings, incident investigations or complaints, business continuity and disaster recovery plans, and many more. There are typically two ways to attack this problem—either by finding the best “point” solution in each category or by finding the best “platform” that you can utilize to manage all of these processes. The big advantage of platform technology is that relationships between data can be easily formed to help your team connect the dots between many interdependent processes. For example, wouldn’t you want to easily identify which of your controls helps to mitigate risks in your risk register? And how many incidents or complaints have been logged against one of your vendors or third-party suppliers? Point solutions tend to keep data in their silos or make it difficult (and expensive) to integrate data between different software applications. A GRC platform solution will help you manage these processes more efficiently, with huge gains in visibility and data analysis. Platform technologies also allow you to have a single software product to learn (whether as an administrator or as an end user) and one company to contact for support.
3. Per User vs. Per Module Pricing
Traditionally, legacy GRC systems were sold on a “per module” basis. That means for each business process you’re looking to manage, you would need to purchase that module whether you had 5 people on the team, 50 people, or even 500 people. For many organizations, the price tag for these modules prevented them from expanding their use of the platform into other parts of the organization. As just mentioned, the interdependencies between these related processes are a core element of a successful GRC implementation and important to help your organization connect the dots. To encourage collaboration and the ability to cost-effectively expand into other groups or departments, per user licensing helps you accomplish just that without the large price tag to go with it. If your internal audit team could benefit from the same automation, workflow and reporting features as your compliance and risk teams, why wouldn’t you encourage them to use the same set of tools you’re using? Per user licensing gives organizations the flexibility and scalability that are needed to break down silos and get everyone on the same page.
4. Business Process Automation vs. GRC Only
In our experience, there are a lot of use cases and other business processes that don’t fit in a software company’s pre-defined module. That is why it’s important that any platform technology you invest in has the ability for you to create additional applications to support these processes. For example, if you’re managing GRC for your organization, wouldn’t it also help to have a place to capture charitable giving, IT service requests, loss prevention, mergers and acquisitions, CPE tracking, privacy management, and other data points you might be tracking in an Excel spreadsheet, Google Doc or other point solution? As we mentioned previously, many of these processes have natural tie-ins to what your team is performing on a day-to-day basis. The ability to relate data and report across these functions continues to give your organization the information it needs to make better-informed decisions around your risk and compliance posture. Many of the legacy GRC software platforms either limit or entirely restrict your ability to create applications on your own. They want you to modify your process to “fit” within their module. Instead, look for a GRC platform that gives you the flexibility to configure, customize and build applications. And you should be able to do this on your own (no-code!) without having to rely on IT or having a development background. If the software company has to make all changes for you or send the work to an offshore development team, this can often be expensive and result in large delays in getting your solutions rolled out. The platform should be modified to fit your process, not the other way around!
5. Client-Focused vs. Market Leader Mentality
A lot of the legacy software companies in this space have changed significantly over time. While many started out with good intentions, as mergers and acquisitions occurred or large investments were made to be placed in an analyst’s GRC quadrant report, several of these organizations stopped incorporating client-requested product enhancements and started getting comfortable with the market leader mentality of “we were the first, so people have to buy us.” We’ve seen these companies stop supporting older versions of their product and, in some cases, even ask their clients to pay for a new product release because of updates they had to make to their underlying technologies or user interface. We’ve seen many of them struggle with trying to move from on-premise to cloud-based solutions. In many instances, as these companies have been swallowed by a much larger public company or have consolidated with several others in the hopes of going public, their focus has moved from providing value to their clients to providing value to their shareholders. This has left their clients weighing the decision between continuing a sunk investment in a product they don’t love anymore versus evaluating whether there are better options out there. If you find yourself in this position, there is hope. Check out unbiased, verified reviews from companies like Info-Tech Research Group or Capterra. Before making a decision, find out what percentage of product enhancements were based on client requests, ask to speak to customer references, or attend a user group conference or event. Spend the time upfront to understand how the company is wired.