Governance, risk and compliance (GRC) technology that integrates multi-stakeholder requirements on a single platform is often held out as the holy grail of GRC—especially by GRC vendors. Nevertheless, we’re still seeing many companies combine enterprise resource planning (ERP) platforms, such as Microsoft SharePoint, with multiple GRC point solutions to effectively manage compliance.
The question is, "Should companies be investing in a single platform to develop a more aggregated picture, or are there more significant benefits to using multiple custom point solutions to support GRC efforts?"
At the recent General Audit Management (GAM) Conference in Las Vegas, one of the speakers mentioned that he uses a single GRC platform from a certain vendor to support multiple efforts. The speaker said the software required his company to harmonize processes, propounding this as a benefit and noting that many of the GRC platform providers advocate process harmonization in order to make best use of the platform.
But GRC is a big tent, and just because two different stakeholder groups within an organization are doing some type of GRC-related effort, that doesn’t mean the data set required for one group is going to be relevant to another.
Similarly, the frameworks and methodologies used to assess and evaluate assurance often vary, depending on the subject matter and even on localized factors, such as the regulatory requirements of the countries the company operates in. Other factors that may prevent key stakeholders from collaborating on the same platform include an inability to sync across all groups or support the onboarding of new groups, additional software licensing requirements, project phasing, etc.
This raises the question: While convergence on a single platform sounds right, is it optimal in all cases? Or might it be more advantageous to use the same platform where such synergies actually exist, while allowing different stakeholder teams to pursue solutions tailored to the unique GRC elements of their specific disciplines?
For single or synergistic department GRC efforts, implementation of point solutions—especially using software as a service (SaaS) deployment models—can often be more cost-effective and efficient than attempting to onboard all stakeholders on the same platform. For larger, multi-stakeholder deployments, market feedback suggests that the implementation cost for so-called off-the-shelf configurable GRC software is often comparable to the cost of developing custom applications that leverage existing technology platforms within the enterprise, such as SharePoint.
Which choice is better for your organization? That’s not for me to say, but here are some questions to help you decide for yourself:
- Which of your GRC or assurance groups have the potential for synergy among them?
- What elements of your framework are shared across multiple groups?
- What is best for each stakeholder group?
- What specific capabilities do you have and need? (Most GRC platforms provide good risk and control assessment functionality, but if you’re looking for a specific capability—regulatory insight, advanced analytics or e-learning—others might do better.)
- In terms of timing, how well do the projects of different stakeholders sync with each other?
- Does licensing new modules of the GRC platform already in-house approximate the cost of licensing another application?
- Does the “configurable” GRC solution require significant technical competence to implement new features and support? If so, do you already have more technical competence on another platform that is a better fit with your overall enterprise information technology (IT) architecture?
I’m not advocating one solution over another here. It’s a conversation for you and your GRC stakeholders. I’d love to read your thoughts on the matter.
This post was published originally on The Protiviti View by Protiviti Inc. Copyright 2015. Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit (www.protiviti.com).
Scott Wisniewski is managing director, risk technologies, at Protiviti and leads the risk technology solutions product management team. He is responsible for the direction, design and development of Protiviti’s governance, risk and compliance (GRC) platform. Mr. Wisniewski has worked extensively with Global 1,000 clients in all industries, including energy, to implement the Governance Portal, a GRC technology solution, and create a sustainable, cost-effective GRC program.