Blue Hill Research found significant differences in the characteristics, strategies, and methods adopted. In order to isolate factors with a determinative effect onGovernance, risk, and compliance implementation project success or failure, Blue Hill Research removed several characteristics that necessarily related to the cost and length of the GRC implementation. These factors included: (1) the scope of functionality deployed, (2) the complexity of policy, standards, and risk frameworks, (3) the number of supported users and locations supported, (4) the number of use cases and functional areas supported, (5) and the complexity of the IT environment.
For similar reasons, Blue Hill Research removed factors such as solution architecture, deployment method, data model, and vendor pricing and service strategy from consideration. Analysis revealed some correlation between these factors with GRC implementation costs, challenges, and delays. However, deeper investigation in all instances revealed that the resulting issues were not necessary consequences of these technical factors, but stemmed from early failures to consider or plan for these factors.
Remaining factors identified related to differences in practice and priority in: strategic decision making, stakeholder participation, and deployment. Blue Hill Research identified three phases of the process where these themes had a determinative effect on implementation success: (1) solution evaluation and project planning, (2) implementation strategy development, and (3) technical needs assessment and deployment.
Table 2 summarizes these key themes among each set of organizations as they manifested at each stage of the process. The sections that follow provide further observations with respect to each phase.
Table 2: Summary of GRC Implementation Experiences
Solution Planning: Functionality Desired versus Process Change Needed
Governance, risk, and compliance (GRC) is a broad-reaching solution platform that can support a wide variety of stakeholders and needs, from basic functionality such as policy management, risk register management, process management, and automated reporting, among other capabilities. Implementations of GRC focus alternatively on point use cases or functional units, such as internal audit or compliance management; particular risk sets, such as vendor risk management or data privacy; particular requirements frameworks, such as Sarbanes Oxley (SOX) or ISO/IEC 27002; or the consolidation of all these viewpoints within a central enterprise view. Considerations such as process change, the diversity of stakeholders reporting or consuming information, and data management practices involved must all be included as well. How well a GRC platform fits the balance of these needs plays a crucial role in determining the value that it provides, as well as the organization’s ability to head off downstream discovery of issues and obstacles that impede the implementation.
“We got every component there was, but it’s amazing how many people using the solution get frustrated. Honestly, we were better off with the spreadsheets. At least then, everyone could see the requirements framework, what we were actually doing, and where the gaps were.”
Director of Governance and Risk
The error that Blue Hill Research found among organizations experiencing Worst-Case GRC implementations was not a failure to consider these factors. Rather, it was in using its identified solution features and functionality desired as its primary lens for evaluation. As a result, these organizations largely approached planning under the assumption that they could automate or enable existing processes without consideration for the efficacy of the process. This lead to both missed opportunities for improvement as well as scenarios where the need for process change was discovered later in the process, requiring rework. By contrast, Blue Hill Research found that organizations with Best-Case implementations took the time to evaluate existing processes and needed changes before considering software functionality. In some cases, Blue Hill Research found that this evaluation represented separate transformations, where first the organization adopted enterprise frameworks for risk and compliance management and began evaluating GRC platforms that could enable that platform only after it had completed its process transition. However, this sort of global change process is not necessarily recommended in the absence of larger strategic planning (see Implementation Strategy, below).
At a more fundamental level of the planning process, Blue Hill Research found that organizations in Worst-Case scenarios gave relatively little consideration to ultimate business objectives. While no organization undertakes an enterprise software implementation without considering underlying objectives, Blue Hill Research found that Worst-Case implementations tended to proceed from reactive postures, as the organization sought to respond to an impending event, such as upcoming regulatory change, increased agency enforcement, or high-profile exposures or breaches suffered by peers. While undoubtedly a factor in any organization’sGovernance, risk, and compliance implementation, focus on the impending event can constrict the scope of the implementation to operational enablement of immediate need cases. Again, this can limit the value provided or the shelf life of the solution as point needs dissipate or change over time. However, neither concern is a measure of the effectiveness of implementation considered here. The more immediate consequence for organizations lies in scope creep or scope change.
Without a clear understanding of the business objectives to be achieved, it can be difficult to evaluate additions or changes to solution specifications as they emerge over the course of the implementation. This can be a particular problem when multiple groups of stakeholders or functional lines of business are involved without a clear owner, as various methods, processes, or feature sets become part of the implementation, adding to the cost and complexity of the project. By contrast, Blue Hill Research found that organizations exhibiting Best-Case scenarios followed more disciplined processes, tethered to clear business needs and operational goals.