GRC Technology: Perfect Can Be The Enemy of Good Enough

March 18, 2022

In this post, Senior Practice Manager Kurt Reindl:

  • identifies common pitfalls of difficult governance, risk and compliance (GRC) technology implementations;
  • offers practical guidance to improve time-to-value when implementing GRC; and
  • shares insight on operationalizing your GRC tool quickly by focusing on out-of-box features and functionality.

Practical guidance toward improving time-to-value and momentum in your risk and compliance digital transformation.

The temptation, or maybe misunderstanding, when considering the right technology to support your governance, risk and compliance/information risk management (IRM) program is to identify a tool that lets you simply import your current processes and make the tool succumb to your whims. Don’t do it.

I intentionally used the word “make” versus setup or configure, because too often we try to make the technology meet us when it should be the other way around. GRC tools, regardless of the provider, are not designed specifically for your program. Instead, they’re designed from an industry perspective based on standard use cases, current trends, competitor analysis, platform structure and the amount of product management R&D spend the vendor applies to keep the software updated.

I’m not the foremost authority on GRC technology, but I have learned a few hard lessons from the past 12 years of implementing GRC software. At a high level, I do know for certain that forcing these tools to mirror your processes will lead to:

  1. elongated implementation projects;
  2. scope creep leading to technical debt (yes, I know the dreaded cliché, but it’s perhaps the most egregious of errors);
  3. negative budget variance; and finally,
  4. delayed return on investment and time-to-value.

Oh, and don’t forget your customer. End users, most commonly first and second line of defense team members, will be saddled with the workflow design and reporting structure that result from decisions made during the implementation project. GRC tools should be a net efficiency gain for your organization. Define what efficiency gains you’re seeking and change your mindset to drive toward how the tool will change your approach and process for the better. If you buy a GRC tool, understand why you are buying it and what you expect to gain from it. Moving manual and inefficient processes into the tool, rather than adopting the capabilities of the tool, will surely limit your success.

Now let me climb off my righteous, editorial soapbox and lean in with some helpful thoughts to optimize value in a reasonable period. Hopefully, this helps keep you out of harm’s way so you don’t get swept away with building your own system. The guiding principles below aren’t all-inclusive, but they are based on real experience leading organizations through effective GRC system implementations.

  • Avoid redesigning the GRC system provided by the vendor: If you find your organization doing this – stop. You won’t achieve the change and efficiency gains you initially purchased the GRC system for. If you’re more focused on building the system to accommodate your existing processes rather than leveraging the out-of-box capabilities, I suggest you double your budget and timeline before the project begins. This is arguably the biggest mistake made and it creates serious challenges in the now, next and beyond paradigm. If you adopt a “good enough” approach you’ll achieve your objectives with much-improved time-to-value. Let the vendor absorb the R&D cost instead of your organization prematurely customizing, only to find out the vendor already has it on their roadmap (meaning you just wasted time and money).

    • With some applied patience, plus insight into industry and vendor roadmaps, you can get the features that maybe, right now, you have to bypass and accept as good enough, but that long term will help you avoid needing to build something that isn’t upgrade-safe.

    • Next, focus on getting value quickly and evolving the tool over time with smart, targeted decisions focused on where you want to spend additional money and resources. Why customize something now when you haven’t operationalized it yet in your organization? Get some practical experience using the tool first and be willing to concentrate on change.

    • Look beyond this initial implementation cycle and understand you licensed this GRC tool for three to five years. This should be a long-term solution. Let the system’s out-of-box features and capabilities, along with any minor configuration inputs, drive change in your organization. If, for some reason, after using the system you determine there’s a level of customization you need, okay – now you’re spending targeted dollars with actual practiced experience. Plus, GRC vendors spend their time and money investing in the tool so you don’t have to.

  • Iterative build and design methodology: Regardless of who is implementing the system – and this may be your internal team, a system integrator or the selected GRC vendor – insist on an iterative design and build process. Some may refer to this as an agile approach, but I generally avoid that term and formal practice unless both the implementer and client are agile shops. Regardless, the principle is similar: configure the selected solution through achievable, frequent, high-quality releases and rigorous feedback cycles. This implementation approach will provide early visibility to end users, allow for iterative feedback cycles to ensure adjustments and set up some quick wins and confidence. Track potential wants as backlog but don’t act on those items prematurely. With this methodology, you will also avoid the big bang of waiting until you deem the project complete before realizing value. An additional value will be shorter user acceptance testing (UAT) cycles, as the team will have participated in review cycles and already provided feedback through the iterative design process. Testing should then amount to final validation.

  • We’re not gathering requirements during the implementation: If you don’t already know what your requirements are, then you aren’t ready. You will likely set up a system aimlessly and revert to your tried and true, yet manually built, processes, only now in a system that isn’t specifically designed for those processes. In my experience, requirement-gathering sessions turn into wish lists confused for actual requirements of the system. These wish list items lead to potentially costly customizations. Instead, shift your view to facilitating “design workshops” versus requirement gathering. In a few workshops – with focus and commitment toward leveraging out-of-box capabilities – you can decide on design configuration elements and quickly move to the configure and build stage. Focus on what’s “good enough” and begin operationalizing your tool.

  • Don’t forget change management: Executing a GRC system implementation effort isn’t trivial. It should be one of the most important tools in the Risk and Compliance organization. But those organizations often forget to include a change management element. Remember, users of existing manual processes or other GRC systems may not have the same insight into why the organization is making these changes. It’s critical, as part of the effort, that change management is included. This goes beyond system training. It involves a communication plan, which may include up-front awareness campaigns and ongoing newsletters with timelines, achievements and status updates. Include first-line champions and encourage them to share their insights. This will yield big dividends and establish credibility as the ultimate end users, your customers, feel engaged and empowered. These first-line participants can then help evangelize progress and the positive impacts of the new system on user effectiveness (while everyone learns something new, which is always cool). Forgetting to include first-line resources in your effort will contribute to misuse, misalignment with real process improvement and weaker engagement. Ultimately, organizations want adoption of their tools. Avoiding an opportunity to effectively promote change could negate the value you intended to create.

GRC tools can be powerful and effective in managing your compliance and risk posture. Companies building GRC software own the responsibility of keeping their tools current with customer needs in mind. Let them carry the burden and cost of making the product better (with your insight, of course). At the same time, avoid trying to build the perfect system, because it may cost you in the long run.

Don’t let perfect become the enemy of good.

Kurt Reindl
Senior Practice Manager, Risk Automation | Optiv
Kurt has 30-plus years of professional experience in senior management roles in services technology across multiple industries, back-office operations leadership, P&L management, Governance, Risk and Compliance (GRC) technology and software implementations, consulting, and project management. He has significant client-facing experience with clients globally in a diverse array of process and technology engagements, all focused on continuous transformation efforts around risk and compliance technology and process improvement. Kurt has a proven track record in delivering large, complex GRC software implementations with large global organizations. The last 10 years of Kurt’s career have been dedicated to advancing client capabilities through the effective use of GRC technology.
