What do you need to include in a GRC RFP? We asked one of the experts in this interview.
Enterprise governance, risk, and compliance (GRC) strategies can help organizations across the board become more efficient and agile in navigating the ever-changing regulatory and risk environment. However, in order to maximize efficiency, effectiveness, and agility, organizations need to approach GRC with a collaborative, inter-departmental strategy. To make GRC software implementation as strong as possible, organizations should have a clear business case, a strategy with defined goals, and detailed system requirements.
We sat down with Michael Rasmussen of GRC 20/20 to talk about the components of a successful GRC business case and strategy, how to understand the range of GRC capabilities, how to navigate selecting a solution, and what to include in a GRC RFP. Here are some of his responses.
The value of GRC
Eric Goldberg: How do we go about articulating the value, or the ROI, of a GRC strategy?
Michael Rasmussen: It starts with finding that “as is” state, evaluating where you are today, and doing an inventory of existing systems, documents, spreadsheets, emails, manual processes, etc. Then, we need to find the “to be” state, or where we want to be.
Next, we need to identify the delta, as well as how that is going to change things. How will it make us more efficient in saving time and dollars, effective in being accurate, complete and thorough, and agile to a dynamic regulatory environment? You can measure and build a business case around all three of those angles using both hard facts—things like dollars—and the soft facts.
Eric: I hear customers asking, “Is there a GRC calculator where I can find my ROI?” There are so many aspects of GRC: time-savings, accountability, preparations for audits—I don’t know if it’s possible. Is it?
Michael: To a degree, but there isn’t one model that fits every organization.
Eric: If you asked clients what their biggest win from automation was, what would it be? What would they say is the best improvement?
Michael: Time saved. Over and over again, it would be getting away from manual processes and documents, spreadsheets and emails. Second would be the greater reliability of information.
Getting the team on board for GRC
Eric: What if someone in the department does not want to participate in the GRC strategy? Is there anything you can do about that?
Michael: My advice is to try and work around them—unless they’re critical to the strategy and then you need to educate them.
Team members typically fall into three groups. There’s the group that says, “I get this. We need to share information and collaborate.” Then there’s the group that is the opposite that says, “I don’t understand this. I do my job this way and I don’t understand these other pieces.” For that group, it’s just a matter of education.
It’s the group that falls in the middle that can be irritating. They say, “I’ve been doing my job this way for the last 20 years and I don’t want to change. I understand it, but I’m not cooperating.” That’s the group you may need to work around until you have some success, then bring them back on board.
Creating and selecting a GRC RFP template
Eric: What resources are available to help with the requirements of GRC RFPs?
Michael: One option is to talk to your peers. A lot of vendors have templates for RFPs, but they’re often designed to favour their solution. Professional services firms will usually also have content in this area to help. I also have a GRC RFP template library and frequently get involved in writing and managing RFPs.
Eric: It’s very common for an organization to put together a number of requirements and send them out to GRC vendors. The reality today is that solutions are very mature and almost everyone will claim to be able to get the job done. Where do you go from there?
Michael: Interact with the vendors you’re considering.
“A lot of these solutions can do a lot of similar things, but you don’t want to work with someone you don’t think you’ll get along with.”
I like to understand who is representing the organizations, then focus on the people you believe it will be easiest to engage, and collaborate and work with.
Eric: What questions should you ask references for a GRC RFP? How do you get them to give the kind of answers you’re looking for?
Michael: I ask them a range of questions. I ask how they’re using the solution, what use cases, where the solution has excelled for them and how it’s made them more efficient, effective, and agile. I also ask them where the solution isn’t working for them, where the solution has failed, or where the vendor has failed. I ask about any issues and how the vendor responded. Then I ask where they’d like to see the solution provider enhance their solution or where they’d like to see them grow. This might point to where there is a weakness in the solution.
Eric: Is it important to talk to references within the same vertical? Or can you talk with organizations from any industry with similar use cases?
Michael: It should be a combination of the two. However, if you’re lining up the vertical, you’ll also usually have similar use cases. I like to work with vendors who have proven themselves within my vertical. This usually means there will be less of a learning curve and they’ve implemented that solution in a similar environment and with similar organization requirements.