The GRC Investment Chasm
By Joe Wilson
We see a good deal of companies trying to figure out how much to invest in compliance. Tough question, right? How do you know when enough is enough until you are faced with the situation that you are trying to prevent?
But, there is a reasonableness factor in investing in GRC. You need to make sure that you are compliant with external regulations, industry standards, or internal organizational policies. That is a given.
We have outlined 4 decision gates to help with your business planning:
Decision 1 – Automation
Do you invest in a system or do you maintain it as a program? Really, it is a business risk decision. Can you meet your goals without having a system? Is there a return for automating the program?
Decision 2 – Transitioning from Soft to Hard Costs
From there it goes to a budgeting conversation. Running a compliance, vendor, and quality program internally usually is budgeted based on FTEs so it is considered a soft cost. When you move to a system, you move to hard costs. I think this is where most companies get stuck in the chasm. “We know we need to move to a system, but I can’t justify a hard cost return on investment.” Save me time, reduce the workload on the team, automate a process, etc. are tough to justify on the basis of “just because”.
It takes a sophisticated and motivated organization to build a business case based upon risk mitigation, audit defense, standardization, and process optimization. Rule of thumb for organizations that are struggling with this challenge: Look to other parts of the business that have had similar budgeting challenges. Is the business comfortable with transitioning from a soft cost model to a hard cost model? Where else have they done it? How did they justify it?
Decision 3 – Right-sizing requirements
We see a lot of organizations that don’t really know what they need, so they collect a set of features and functionality from the vendors’ websites and call that their requirements. More often than not, the vast majority of those requirements never get implemented, and they actually hurt your adoption.
Hurt my adoption? Why would having a bunch of features hurt my adoption of my GRC system? It is counter-intuitive, but as we have seen over the last 5 years with the new application design methodologies, less is more. Users get overwhelmed by too much on a screen, too many options, and too many things to learn.
A good implementation program always considers user needs and tries to right-size the system to deliver as close to current needs as possible. Just-in-time feature delivery is a key to adoption.
Decision 4 – Flexibility, Maturity, Unique Requirements versus Professional Services Costs, Resources, and Time
There is a tradeoff between flexibility, cost, time, and resources when it comes to implementing systems. A newer generation platform usually reduces the need for customization by letting you configure most of your requirements, but some organizations need custom functionality, specific integrations, etc. Having a good requirements roadmap, functionality and feature prioritization, and clear performance milestones will allow you to decide how much you need up front, how quickly you need additional functionality, and which vendor is a good fit for your investment model.
The more that you are prepared or we can help educate you, the better we can serve your needs.