How To Minimize The Cost And Time Required in GRC Implementation

Posted on by

Governance, risk, and compliance (GRC) solutions provide value by helping organizations to manage the complexity of information management, process execution, and stakeholder coordination in light of increasing volatility, regulatory complexity and change, and other concerns. The resulting benefits generally relate to improved visibility into and mitigation of risk factors while reducing manual efforts on the part of compliance management, risk management, and other stakeholders.

The expansive reach and complexity of GRC platforms add to the challenge of implementation and deployment. Often, GRC provides a basic solution framework that must be adapted to an organization’s individual needs and use cases. As a result, organizations’ GRC implementations involve the same challenges of other enterprise applications, while also trying to match their particular mix of stakeholders, processes, requirements, and standards. The resulting delays, missteps, and unnecessary costs can significantly erode the value provided and even lead to abandoned projects.

To help organizations identify and avoid common implementation obstacles, this report collects Blue Hill Research’s observations of twenty-one analyzed GRC implementations. By comparing post-mortem assessments of delayed projects and Worst-Case scenarios with projects seeing about a quarter of the deployment time and one-third of the cost, this report provides key recommendations to help promote the efficiency and effectiveness of GRC implementation.

THE STUDY AT A GLANCE

Blue Hill Research conducted an analysis of 21 GRC deployments in order to identify decisions and practices that helped organizations to minimize the time and cost required in implementation.

Profile of Best-Case Implementations Reviewed
  • 3 to 4 months in length
  • $75,000 to $180,000 in costs
  • High end-user satisfaction
  • Very high satisfaction with business impact
Characteristics Contributing to Best-Case Implementations
  • Scope extends to future state vision
  • Emphasis on business needs
  • Planning focused on process change required
  • Solution implemented by components or phases
  • Assessment of value conducted at the conclusion of each stage
  • IT plays a strategic decision making role
  • Emphasizes scalability of the solution to match future stakeholder needs
  • Out-of-the-box and configurable capabilities used

About the Research Participants

This report collects Blue Hill Research observations resulting from analysis of the experiences of twenty-one organizations in implementing new GRC platforms. Participants were selected to provide a diversity of corporate profiles and GRC investment objectives. Blue Hill Research limited evaluations to new GRC platforms. Subsequent expansions or upgrades were considered only in the evaluation of solution success.

Participants primarily constituted large enterprises with a median annual revenue of approximately $3.5 billion and a median employee count of approximately 5,700 employees.

The majority of the organizations reported annual revenue ranging between $1 billion and $12 billion. Two outliers reported revenues of approximately $240 million and $25 billion, respectively. Employee headcounts primarily ranged between 4,000 and 12,000 employees, with the outliers employing about 300 and 140,000 individuals, respectively.

The strongest concentration of industry verticals included financial, utilities, and healthcare sectors. Other sectors represented include IT services, manufacturing, mining, telecommunications, and others (see sidebar). The geographic scope of business operations of participants varied as well, with six organizations operating within regional boundaries, nine organizations operating in national markets, and six organizations managing global businesses.

While underlying business and operational objectives differed, Blue Hill Research identified several common themes in the investment drivers reported across all participants. These include:

  • Reduction in manual labor involved in information entry, management, and acquisition
  • Improved awareness and timeliness of insight with respect to changes in managed risks and related business operations
  • Increased visibility with respect to risk and compliance management operations
  • Improved timeliness and defensibility of responses to inquiries from regulators, executives, auditors, and other stakeholders

Demographics

Revenue
  • Median: $3.5 billion
  • Majority Range: $1 to $12 billion
  • Outliers: $240 million; $25 billion
Employee Headcount
  • Median: 5,700
  • Majority Range: 4,000 to 12,000
  • Outliers: 300; 140,000
Industries Represented
  • Healthcare Services / Products: 5
  • Energy & Utilities: 4
  • Financial / Banking: 4
  • IT Services / Software: 3
  • Government: 1
  • Insurance: 1
  • Mining / Minerals: 1
  • Process Manufacturing: 1
  • Telecommunications: 1

Review of GRC Implementation Experiences Observed

Blue Hill Research collected information from participants describing experiences related to:

GRC investment objectives, solution capabilities deployed, the scope of the implementation, deployment strategy, the value realized, and satisfaction.

Evaluations of the GRC implementation process considered the following factors:

  • Time required to complete implementation
  • Costs incurred to complete implementation
  • End-user satisfaction with the solution functionality
  • Corporate satisfaction with the impact on business objectives
  • Corporate satisfaction with ease of implementation

Across research participants, Blue Hill Research found that implementation costs ranged between $75,000 and $700,000, with a median implementation cost of approximately $485,000. Time required for implementation fell between three and sixteen months, with a median deployment time of 10.5 months. Blue Hill observed that reported costs tended to cluster at the high and low end of these ranges, with few organizations reporting costs near the median.

In order to identify factors that correlate to the respective groupings, Blue Hill Research isolated the three organizations reporting the highest combined implementation cycles and costs (“Worst-Case”) as well as the four companies reporting the smallest implementation cycles and costs (“Best-Case”). On the comparison of these companies, Blue Hill Research found further correlations to trends in organizational satisfaction with the solution. Table 1 profiles the range of experiences reported by each group with respect to these categories.

Table 1: Profiles of Worst-Case and Best-Case Implementation Experiences

Evaluation Factors

Implementation Time

Period from implementation kick-off to completion of all defined project milestones for functioning capabilities and user adoption

Implementation Cost

Nearest-dollar estimate of costs related to software licenses, hardware, vendor-provided professional services, and third-party consultants engaged in support of the implementation

Satisfaction with Functionality

Measured on a five-point scale from “very low” to “very high” based on qualitative estimate of organizational response provided by participant

Satisfaction with Business Impact

Measured on a five-point scale from “very low” to “very high” based on qualitative estimate of executive response provided by participant

Satisfaction with Implementation

Measured on a five-point scale from “very low” to “very high” based on qualitative estimate of implementation owner response provided by participant

Interested in being informed when a new blog post is released?

Leave a Reply

Top

DoubleCheck ERM One™

An out-of-the-box tool that delivers an integrated ERM process together with a comprehensive, high-level categorization of exposures (Financial, Core Business, Operational and Strategic), fully loaded with over 60 associated, pre-populated risks to be used as a starting point.

Learn More
X