GRC Implementation Success, Part 7: Deployment as a Project and a Partnership
DoubleCheck Software presents GRC Implementation Success, a guest blog series by Blue Hill Research Principal Analyst David Houlihan. This series draws on five years of Blue Hill studies in GRC in order to highlight key lessons for purchasing and implementing GRC software.
Part 7 of this series examines the role of hosted and cloud delivery models in the deployment cycle.
By now, we’ve looked at how numerous aspects of strategic planning, vendor evaluation, and application characteristics (especially cloud and configurability) influence the success of a GRC implementation. Nonetheless, no matter how well an organization might plan, evaluate, and optimize for these factors, their contributions extend only so far. Sooner or later, the effectiveness of the deployment will come down to . . . how effectively you deploy.
Blue Hill’s research has highlighted two areas that demonstrate significant influence on the speed of the deployment process (neither of which is a surprise):
- Disciplined adherence to implementation project management fundamentals
- Cultivation of a close, collaborative relationship with the vendor through the implementation
Nor should it come as a surprise that KBR, Inc., the organization that we have followed through many of these posts (and detailed in this case study), demonstrated these characteristics through the use of a detailed and continuously updated project plan and timelines, dedicated project ownership and management in collaboration with the vendor, and a series of close, tightly managed cycles of feedback between the company and its vendor. To understand how these sorts of factors play a role, we’ll have to look a bit deeper.
Table: Factors Contributing to the Success of the KBR Implementation
Deployment Project Management
It should go without saying that effective project management leads to the effective management of projects. Nevertheless, Blue Hill research typically has not gone much deeper than to investigate the presence of formal project management practices. Findings from Blue Hill’s Contributors to GRC Implementation Success: Avoiding the Worst-Case Scenario benchmark discourage the use of Big Bang approaches and support the use of staged programs that “start small and scale” based on the business priority. Neither takeaway gives us much to go on to understand what actually goes into effective project management.
We do find some of those more granular details in the experiences of KBR, which incidentally did take a Big Bang approach and still completed technical deployment of its GRC platform in 3.5 months. KBR closely managed all aspects of the project plan under formal project management practices. KBR designated a formal project manager from the Financial Controls Group (the functional owner and user of the platform) with a peer project manager on the vendor (DoubleCheck) configuration team. Blue Hill found two major aspects to this model that stood out as contributors to the effectiveness of their deployment:
- The Project Plan and Schedule: KBR developed a detailed, task-level project plan and timeline to serve as the project timeline and “bible” maintained by the Financial Controls Group. As at other stages, KBR’s prior definition of business requirements played a role, guiding the scope of the implementation and setting milestones based on objectives. The plan was reviewed weekly, kept up to date, and evolved over time.
- A Dedicated Project Manager: Rather than designate a professional project manager to the project, KBR assigned primary responsibility for project management to a member of the Financial Controls Group.
Using the project plan in this way kept deployment stakeholders focused on future tasks, prevented potential slippage, and ensured that all parties remained aligned. It also became the key mechanism for driving and coordinating collaboration with the vendor (which we’ll get to below).
The designation of a functional owner as the project owner meant that the management of the project proceeded with clarity regarding the business objectives and operational context involved.
As such, the project manager could both define the project plan and schedule and drive the execution and progression of tasks with close scrutiny and an eye toward that ultimate business objective.
This approach may not be appropriate for every organization and every project, but organizations should consider how KBR created a scenario that maintained the project plan as a “living document” rather than a record and facilitated insight into business needs and collaboration among stakeholders. Considering how these objectives can be prioritized in the project management will go a long way to creating a model that accelerates the project.
Vendor Engagement and Deployment Support
Any enterprise application deployment will involve some support for implementation, training, and adoption processes. Most vendors will provide strategic planning, customization, consulting services, training, and other professional services to support a new customer deployment. Beyond these sorts of standard services, Blue Hill’s GRC Vendor Implementation Success Strategies identified how an increasing number of vendors offer rapid deployment programs as a means to help “stand up” a working GRC solution quickly in order to accelerate time to value.
Blue Hill’s research suggests that the form that the program might take is secondary to the working relationship with the vendor. Again, KBR will provide an example. The RACI matrix below, detailing the respective roles and responsibilities of KBR’s Financial Controls team, its Chief Accounting Officer (CAO), and DoubleCheck, provides an illustration of how this collaboration was structured, with ownership of business requirements generally falling on KBR and technical implementation steps performed by DoubleCheck. In this relationship, it’s critical to observe the prevalence of the “consulted” role, which is distributed across the non-delivering party.
Table: RACI Matrix – KBR GRC Implementation Roles and Responsibilities
This resulted in a highly collaborative relationship that nonetheless maintained clearly identified responsibilities and boundaries. This reiterates what we saw above, where KBR and DoubleCheck assigned dedicated project managers who worked in close coordination with continuous communication. It is this clear and transparent communication and partnership with vendor stakeholders (and not the nature of the services provided or distribution of tasks) that was crucial to ensuring all parties remained on track.
This is to say that there is no magic bullet in how a vendor supports the application deployment.
Examination of KBR’s experiences and other like cases shows the importance of understanding how a vendor approaches its customer relationships.
This should be contrasted with vendors that take an inflexible, pre-defined approach to the deployment or that continually scope development tasks as new work.
One factor that often comes up in these evaluations is how the vendor monetizes its implementation and deployment services. The assumption, generally, is that a vendor that approaches “professional services” on an hourly billing or scoped project model has an incentive to extend the deployment or encourage scope creep. Vendors that offer “all-in” start-up services packages at a fixed price, by contrast, will be assumed to have an incentive toward efficiency (or perhaps corner cutting). However, these factors should be viewed with an eye toward cost of ownership, rather than their impact on project timelines. Rather, it’s the vendor’s customer relationship philosophy that appears to have deeper significance.
Of course, this is often a difficult factor to assess in a vendor evaluation.
Organizations should consider the provider’s proven success in assisting customers to rapidly deploy and realize value on implementations as well as the costs and pricing model associated.
It is also imperative for the buyer to understand what it needs to own in the deployment and how it can divide responsibilities and collaborate effectively to drive deployment success.
In our final post, we’ll discuss how to future-proof and grow the value of GRC.
Previously, we discussed:
- Why implementation success is investment success
- GRC’s role and value contributions to the business
- How robust business requirements must drive technical requirements
- The “Show Me” approach to vendor assessment
- Application tailoring without extended deployment
- The role cloud delivery models play in the deployment cycle