As highlighted in Blue Hill Research’s July 2015 Benchmark Report Contributors to GRC Implementation Success: Avoiding Worst-Case Scenarios, the business value offered by GRC solutions can often be eroded by the challenges and lengthy implementation cycles required to implement these solutions. The speed and effectiveness of implementation thus tie closely to the success of and satisfaction with the investment in a compliance system.
To provide organizations with concrete best practices for their own investments, this Case Study reviews the experiences of KBR, Inc. (KBR), a public, global professional services and technology provider, as it installed a new compliance system dedicated to supporting its Sarbanes Oxley (SOX) controls testing and review processes. After determining a new solution was required, the organization began to search for a replacement in September 2015. KBR completed user rollout in time to begin using the solution for its 2016 SOX controls review, a total project period of approximately 7.5 months, with 3.5 months of post-contract implementation work.
By reviewing KBR’s strategic decisions and tactical approach to key aspects of (1) business case and requirements definition, (2) solution evaluation and selection, and (3) deployment and rollout, Blue Hill identifies crucial best practices which will enable organizations to achieve similar results in their own implementations.
Solution Investment and Implementation Process
Invariably, GRC implementations are complex and can extend to a year or more of effort. KBR accomplished all stages over an approximately 30 week program. Within this cycle, the organization progressed from the identification of a solution investment need to running a live replacement.
To place these experiences in context, Blue Hill Research’s July 2015 Benchmark Report Contributors to GRC Implementation Success: Avoiding Worst-Case Scenarios identified the median time for technical deployment alone as 10.5 months. The organization completed technical deployment in 3.5 months.
Figure: Abstracted Timeline of Implementation Process Stages
The organization’s experiences are comparable to Blue Hill’s benchmarked Best-Case Scenario, which measured three-month technical deployment at its shortest edge experience. By contrast, Worst-Case implementation scenarios benchmarked involved technical deployment times that fell between 11 and 16 months in length, which well exceed the implementation cycle and levels of user satisfaction reported by the organization.
Table: Implementation Outcomes Compared to Blue Hill Benchmark
Blue Hill Analysis: Implementation Best Practices Demonstrated
KBR’s ability to achieve an implementation within this cycle and at levels of organizational satisfaction that match the Best-Case Scenario benchmarked by Blue Hill resulted from a number of aspects of the organization’s approach. These aspects include, among others:
- A “no surprises” approach to requirements definition with high attention to detail and connecting business and operational needs to the investment scope
- The use of requirements to guide all subsequent stages of the investment and implementation process
- A “show me” approach to solution evaluation that insisted on vendor demonstration of how requirements were met over check-the-box functionality review
- Selection of an offering whose architectural characteristics and delivery strategy supported implementation goals and a vendor that prioritized the same goals
- Primary responsibility for the implementation rests with the functional line of business owner
- IT stakeholders are involved at early stages of solution evaluation and investment planning
- A rigorous approach to project management throughout deployment
To Learn More about This Research
Key Sections covered in the published report include:
- Controls Test and Review Business Context and Needs
- Key Technology Challenges and New Platform Investment Drivers
- Key Roles and Responsibilities for the Implementation Project
- Business Case and Requirements Development
- Solution Discovery and Selection Processes
- Technical Deployment and User Rollout
- Implementation Outcomes
- Identified Best Practices for Implementation