GRC Implementation Success, Part 1: Implementation Success is GRC Success
DoubleCheck Software presents GRC Implementation Success, a guest blog series by Blue Hill Research Principal Analyst David Houlihan. This series draws on five years of Blue Hill studies in GRC in order to highlight key lessons for purchasing and implementing GRC software.
Part 1 of this series examines why implementation success is a key factor in the overall success or failure of an organization’s GRC investment.
Any enterprise software purchase is a risk. At the most basic level, it is a bet that the money spent on new tools and capabilities will result in a payoff in the ability to do something better, faster, or cheaper. In most business cases, this bet is articulated in simple terms: “If we start using X, then we will get benefit Y.”
The reality, of course, is less cut and dry. A wide variety of factors contribute to the value an organization realizes (or fails to realize) from a technology investment. The most significant factor is also the most obvious: how much did it cost the organization to put the technology in place. An investment with relatively little impact can be a success if the cost is low enough, just as a huge benefit can be negated if the cost to implement it was high enough. This is why return on investment (ROI) is such a potent indicator of success.
Charting Implementation Success and Failure
This is as true of investments in governance, risk, and compliance platforms (GRC) as it is any other enterprise technology. However, the degree to which GRC investment is based on indirect value propositions means that the cost and difficulty of implementation possess enhanced importance in determining organizational value and satisfaction. To this end: Blue Hill’s Contributors to GRC Implementation Success: Avoiding the Worst-Case Scenario benchmark report showed a clear correlation between shorter, less expensive implementation cycles (“the best case”) with ultimate business and user impact than those benchmarked as the most costly and time-sensitive.
Table: Profiles of Best Case and Worst Case Implementations
As with all enterprise application investments, GRC implementation is complex. It can require significant process change, integration with the existing enterprise ecosystem, and solution tailoring to fit organizational needs. Where these factors are poorly managed, the consequences can be dramatic. In just a few failed implementations examined by Blue Hill, those consequences have included:
- Implementation cycles that run a year or more over schedule
- Budgets that ballooned multiple times over the initial estimate (often due to unforeseen consulting labor)
- Abandonment of the investment mid-implementation
Even where the implementation project is completed, poor planning and management can result in user abandonment due to gaps in the solution or inflexibility in the environment that fails to accommodate inevitable changes in standards or business processes.
Planning and preparation make the critical difference to implementation success. To this end, Blue Hill found that factors such as solution architecture, data model, and vendor pricing and service strategies (while factors) were not strongly correlated to the length and cost of an implementation. The failure to assess, consider, or plan for these factors was much more important. By contrast, a recent case study involving KBR, Inc.’s implementation of DoubleCheck GRC for SOX compliance management demonstrates how a well-considered evaluation of business requirements that drives solution evaluation and implementation from the beginning can yield a complex GRC rollout, completed in under eight months from inception to rollout.
The Relationship Between Implementation Success and Investment Success
These differences in implementation experience can result in tremendous differences to the time-to-value, overall lifetime value, and ROI, where the impact of the investment is otherwise the same.
To illustrate this point, assume that a GRC investment contributes $125,000 in savings for every quarter that the organization uses the platform ($500,000 annually). Now, compare the first three years of that investment under Blue Hill’s Worst Case scenario with a Best Case scenario. Using the mid-point values in Blue Hill’s data, the Worst Case scenario costs the organization $637,500 and takes 13.5 months to deploy. The Best Case scenario takes 3.5 months to deploy and costs $127,500. Ignoring maintenance fees and other factors for simplicity, we can map the differences in experiences. At the end of the three year cycle, the Best Case scenario has yielded $1.2 million dollars in value, while the Worst Case scenario has yielded $300,000 (a difference of 308%).
Figure: Impact of GRC Over Three Years in Best Case and Worst Case Scenarios
While a simple illustration, the difference between these two scenarios works to show the range of experiences that can follow a GRC implementation, based on the implementation. As this series continues, we’ll look at the primary factors that Blue Hill’s research has found to influence the time and effort involved in the implementation process itself.