Best Case And Worst Case Scenarios In GRC Implementations

Blue Hill Research found that companies experiencing Worst-Case GRC implementations largely shared: (1) limited consideration of underlying business needs and process change, (2) lack of involvement of IT stakeholders and consideration of IT needs in implementation planning, (3) big bang solution rollouts, and (4) a large degree of solution customization.

The various delays and costs that result from these factors serve not only to prolong time to value but also to erode the ultimate gain provided to the organization. Organizations undergoing Best-Case GRC implementations exhibited roughly a quarter of the deployment time and one-third of the cost of those involved in Worst-Case scenarios. Given the cost-avoidant nature of many of the business contributions made by GRC platforms, the pain and cost of implementation often become some of the most transparent impacts of the solution investment. As a result, extended or expensive implementations can create long delays in the time to adoption and value, eroding organizational support for and perceptions of value. To this end, some participants reported that, in the most difficult implementations, the solutions ultimately went unused by the organization or were abandoned mid-deployment.

“We have over 150 locations across different countries and functional stakeholders to support. We selected a solution with a stable and scalable architecture that could be configured to fit each location’s needs. Once the infrastructure was in place, we rolled out to each location in place one-by-one. The whole process was done in 10 to 11 months.”

Systems Engineer
Process Manufacturer

Where implementations proceed painlessly and organizations can identify quick benefits and successes, it becomes easier to build support and adoption for the solution. This pattern can be observed in how time and cost to implement correlate with high levels of satisfaction among both end-users and business owners in organizations experiencing Best-Case implementations.

As organizations plan their own GRC implementations, four core recommendations to consider may be extracted from a comparison of Best-Case and Worst-Case scenarios:

  • Build from a clear vision of business needs and process change – A review of the practices of organizations experiencing Best-Case and Worst-Case implementations reveals a significant disparity in the allocation of time between business planning and technical implementation. Organizations with Best-Case experiences place a large amount of focus and effort on assessing business needs and process development. Organizations should begin with an understanding of the most fundamental business objectives that relate to GRC processes and build from there, rather than permitting implementations to be determined by functional requirements or impending risk events. This helps these organizations to lay out a prioritized strategy for the implementation and maintain discipline as scope creep or differing visions for functionality and workflow are inserted in the process.
  • Align implementation milestones to business value requirements – The approach used by organizations that experience Best-Case implementations could be described as “start small and scale.” In this way, they help ensure they take the shortest path to value, which can be used as a proof of concept and to build support for the investment, as well as to work out potential issues with relatively low stakes. The crucial factor in making this approach work is to prioritize the project by business objectives, organizational need, and the ability to show value. By identifying needs and measurable benefits at each stage of the roll-out, the organization can ensure that the solution is providing the value desired, or identify potential problems or changes that need to be made. This will help ensure that the organization continues to show value, which can be used to justify additional projects and expansions to the solution. Line of Business stakeholders can play a crucial role in identifying these needs, while financial and executive business management can help set the necessary goals and value thresholds.

“We already had defined processes and a proprietary risk management framework. An off-the-shelf system wasn’t going to cut it and we didn’t want to have to change to meet the needs of the system. The system needed to be able to meet our process. Out of the six vendors in our RFP, we found one that could walk in the door and configure the system to make it work in front of us. When it got to implementation, we only saw a few problems…and those were solved in minutes.”

Chief Operating Officer
Utilities Provider

  • Involve IT at the earliest stage of the investment – The extent and timing of IT’s involvement with the implementation process represent another key area of difference between Best-Case and Worst-Case implementations. Where Worst-Case implementations saw IT become involved at later stages of solution identification and planning, Best-Case implementations exhibited close partnership between IT and line-of-business stakeholders from the earliest stages. As IT is in the position to identify major technical problems that can occur in the implementation, early involvement is key to helping the organization avoid and mitigate these issues with minimal impact on the process.
  • Seek configurability over customization, where possible – Of all factors considered, Blue Hill Research found that software customization had the most direct impact on the length and cost of implementation. While customization is not always avoidable, organizations must pay careful attention to the flexibility and scalability of the options a GRC solution provides. While configurability does not eliminate the effort that is required to plan and tailor the solution, it minimizes the technical aspects of the implementation significantly and preserves flexibility to make changes as project requirements change or when GRC needs evolve in the future.