Navigate Through GRC Purchasing Decisions With These Three Considerations
The market for governance, risk, and compliance (GRC) technologies is competitive, diverse, and supports a broad range of capabilities. Having many options to choose from is a good thing; having too many options without a clear sense of what you need, what you can afford, or what resources are available to utilize the technology you’ve purchased can be paralyzing.
As firms invest in new technologies to expand GRC to new use cases, replace technologies they’ve outgrown, or automate manual processes, risk and compliance pros who are currently evaluating or planning to invest in GRC technologies need to navigate a diverse set of vendors that vary by size, functionality, geography, and vertical market focus.
Be Pragmatic To Find The Right Fit
To find the technology that best meets their risk management needs and business strategy objectives, GRC pros must consider their capabilities and ask themselves these three questions:
- What problems am I solving for today, and how quickly may that change? Not all firms use GRC technology for the same purpose, and some use more than one technology to support their GRC efforts. Larger/more mature organizations use GRC to support multiple use cases such as risk assessment, regulatory compliance, IT risk, audit, business continuity, etc., while other firms may be starting out with one or two specific use cases, such as third-party risk or continuous controls monitoring. To avoid paying for features you don’t need or are unlikely to use in the next 24 months, identify the nice-to-have and need-to-have capabilities and prioritize them against your program’s growth trajectory.
- Do I have the bandwidth, budget, and executive support to deploy and manage this technology? Sometimes our buying decisions are influenced by aspirational ideas rather than pragmatic realities. Before investing in a full-service GRC platform, make sure you understand the true costs of the purchase (subscriptions, deployment, and/or professional services) and how many full-time employees are required to manage the technology, and ensure that you have commitment from management to support your investment.
- Is my program mature enough to take advantage of all this technology has to offer? GRC technology can help you mature your risk and compliance processes — it is NOT a substitute for lack of process. Take the Forrester GRC maturity assessment to identify your current maturity level, then match your maturity (current and desired state) with the level of sophistication of each vendor you’re considering. Ideally, you want a GRC technology that can support your program as it is today and grow with you over time, not one that’s overly complex or too basic.
Create A GRC Shortlist Based On Vendor Size, Functionality, And Expertise
In the “Now Tech: Governance, Risk, And Compliance Technology, Q4 2019” report, I look at 23 different technologies broken out by four functional segments and 14 technical segments such as risk and compliance mapping, configurable dashboards and reports, predictive analytics, and risk quantification, among other criteria. Use this report to understand the expected value from the various GRC providers and to gain perspective on how best to align vendor capabilities with your firm’s strategy, capacity, and maturity.
For a deeper dive into the top GRC platforms, look for “The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2020” report publishing next month.
(Written with Kate Pesa, senior research associate at Forrester)