EGRC Solutions or Snake Oil ?
Beware of “Snake Oil Salesmen”
As is the case with any growing industry sector, the opportunity to provide support and services to organizations in need will draw new entrants to the market. A significant number of technology service providers have emerged in the EGRC space. Determining the best fit for your organization can be a daunting task; I am often asked what to look for and assess when seeking the right EGRC support partner for an organization.
Here are a few critical tips that will help you maneuver through the noise:
1. Any EGRC provider that tells you it can provide support across every risk discipline in your organization is a liar.
There is not one provider (at least today) that can be all things to all people. You should look to a provider that can meet 80-85% of your needs right out of the gate. Your organization can then look to solve for the remaining 15-20% as part of your long term strategic approach toward Compliance Risk Management.
2. Content is King!
Do not underestimate the value of regulatory content (i.e., new rules, laws, regulations at a Federal, State and International level). A large percentage of providers in the EGRC space do not have access to nor own the regulatory content you will need to effectively assess, distribute and mitigate regulatory risk. If you choose one of these providers, you will most likely need to source regulatory information from another third party source. Just my two cents – but I think there is tremendous value in “one stop shopping” for an EGRC solution with regulatory content.
3. DO NOT purchase technology for the sake of purchasing technology!
If you think that simply buying a piece of software will solve your Compliance Risk Assessment and Reporting problems – think again. If this is your strategy, don’t bother. The amount of time, energy and resources you will expend to undertake building the business case, gaining management support and approval, and implementing will not be worth the price of admission – and when this strategy fails, you will be left holding the bag.
One of the key components in making a decision to move forward with an EGRC strategy is the opportunity it affords organizations to reconcile their existing internal processes, conduct capability assessments and use the results to inform, modify and amend processes and protocols to best align to the technology being implemented. This is a critical part of project oversight and governance, offering an opportunity to challenge the status quo and ask the question, “If a process made sense 5 years ago – does it still make sense today?”
4. Internally Built and Supported vs. Externally Hosted Cloud Based Solutions
Is this simply a case of “You say tomato and I say tomahto ? Not quite. Historically, organizations were inclined to think that they could build technology better and cheaper than vendor based approaches. The fact is, the ongoing IT support required for internally built Compliance tools makes it tough to support a business case from a cost and ongoing resource perspective. I don’t know about your organization, but the last time I checked, there aren’t many IT folks hanging around Compliance departments asking for extra work to fill their spare time! With that said, many IT organizations have come to terms with the fact that they do not have economies of scale to build and support GRC solutions.
They have warmed to the notion of relying on vendors or support partners who focus on these solutions exclusively. It makes all the sense in the world. As a buyer of these services, you then become a beneficiary of upgrades, shared industry knowledge, best practices and “running with the pack.” You can build credibility with your regulators when they have a comfort level in the tools and solutions you are utilizing within your organization. There is value in familiarity!
How Can Compliance Risk Concepts Help?
EGRC implementation is one of the critical components to the CRC support model. We help organizations turn all of the “noise” into meaningful and impactful information that enables a robust and dynamic Compliance Risk Management process. From capability assessments to gap analysis to vendor identification, we can be an integral support partner to your Compliance / Risk organization – helping to turn the “chaos” into a long term, successful risk management strategy. Please visit our website for further details.