How do you persuade an organisation that there is value in bringing in a GRC system when you are talking to business owners who simply see it as a regulatory or compliance requirement?
Brandts: Sometimes, when a company is being assessed to death – as one of our customers put it – you can relieve their burden, so rather than getting the same question five times during the week, you will only ask it once and report on it five times. That is a quick benefit. One of the common misconceptions is that a GRC system is set up to be unidirectional – everything goes to corporate and there is a nice report going to senior management and maybe to a regulator, but nothing comes back. If you can provide business managers with benchmark information – for example, on how other business units are performing in comparison – it can be a big help.
White: Based on my experiences – though I hate to say it – it’s great if you have had an operational risk incident or a regulatory request. Sometimes that will get you where you want to be, albeit for the wrong reasons. But, risk managers should use incidents that take place to really sell the benefits – responding to information requests from regulators can take weeks and weeks of effort at the moment.
You have got to understand how the stakeholders do their jobs and what is important to them. What information flows are really important to enable your senior management to do their jobs? And what difference will this particular programme make that they don’t already get?
If it is only sponsored by risk, and the risk team is the only group that thinks it has any benefit, you are unfortunately doomed to failure, so you have to get the business to see that a GRC programme is actually something that would bring a benefit to them, and then they will want to get involved.
What should a company be looking for when deciding which GRC product and provider to choose?
White: It is really important before you talk to a software provider to understand what you are trying to get and what your own risk processes are, so you can describe some of the challenges that you have got, and some of the outputs that you are hoping to get.
It is also important to pick a software provider with whom you can have an honest and open conversation. A lot of them look very similar, but you need to ask: can they adapt the product to our needs? Do they recommend we take a phased approach? Do they just recommend you take it all in one go? Or, do they actually say: ‘we don’t think that would be a good idea for you’? Are they honest in their feedback? And, you need to bring them into the firm to see if they are a good cultural fit with your information technology (IT) team, your change team and your business areas. Often people don’t invest enough time in actually understanding their own business and building a relationship with providers before choosing, so they choose somebody and then spend the next few years actually finding out that maybe it wasn’t the best provider to have chosen.
Brandts: We get some requests for proposals (RFPs) that are very difficult to answer. Some questions are asked in such an abstract way that it is almost impossible to say no – you need to be looking for somebody who gives you a more detailed answer about what is possible and what isn’t possible, and what is best practice.
These are not simple processes. I don’t think a complex organisation can simply implement a broad GRC programme within six months. It is not about just a piece of technology. Everybody can install a CD or put something in a Software as a Service environment, but it is about trusting that they can solve your problems. And you also need to understand that the final system is not going to be exactly what you think it’s going to be today. If you take the position that it needs to be exactly what you have in mind, then you are essentially building something yourself, which is possible but very lengthy and very costly.
Zirano: Looking back over the past six or seven years of experience at MEGA, we have got RFPs ranging from half a page to 300 pages. But beyond the RFP side of the choice process for a customer, we think you need to be looking at what relationship you want to build with a provider and the fact that sometimes the solution provider is a combination of the software vendor and a consulting company. Also, you need to make sure the provider can accompany you throughout the programme – if he has been in business for a long time, the chances are he will be in business for a long time into the future. It is not just sell and go; programmes are long and often start on a small scale and expand. As a solutions provider, you need to demonstrate you are going to be able to expand across the organisation.