How to Avoid Worst Case GRC

Governance, risk, and compliance (GRC) solutions are intended to help organizations reduce the complexities associated with information management, process execution, and stakeholder coordination in light of increasing volatility, regulatory complexity, and security challenges. However, the broad reach of GRC solutions creates a unique set of deployment challenges from both a technical and business perspective. Delays, missteps, and spiraling costs can erode the value of GRC deployments and even lead to abandoned projects. This raises the question – how can organizations avoid common GRC pitfalls?

Based on the dynamic changes in the threat landscape, board members are demanding quantitative risk data that spans all business operations, while business units need to neutralize the impact of cyber-attacks. Accordingly, GRC solutions have seen increased demand as a means to provide greater visibility into an organization’s risk posture and reduce manual efforts in the context of policy and compliance management, risk assessments, and mitigation efforts. In turn, assessments of GRC solutions increasingly scrutinize realizable business benefits as well as cost of ownership. As outlined in recent Blue Hill Research reports such as the Contributors to GRC Implementation Success: Avoiding the Worst-Case Scenario (PDF) and GRC Vendor Implementation Success Strategies (PDF), these changes place greater emphasis on the time, effort, scalability, and cost of implementation as contributors to time-to-value and total value realized.

According to Blue Hill’s research, the biggest inhibitors of a successful GRC implementation are:

Limited Consideration of Underlying Business Needs and Process Change

By design, GRC is a broad-reaching solution platform that can support a wide variety of stakeholders and needs, with functionality ranging from policy management, risk register management, process management, and automated reporting to many other capabilities. As a result, many organizations make the mistake of focusing on solution features rather than first evaluating their existing business processes for efficacy and only then considering software functionality. This leads both to missed opportunities for improvement and to scenarios where the need for process change is discovered late in the project, requiring rework and causing setbacks and cost overruns. A better approach is to integrate business process optimization with the implementation of a GRC solution. In addition, organizations should look beyond short-term gains to address any impending event (e.g., regulatory change, reported audit failures, a data breach suffered by industry peers), and tie the implementation to clear business objectives and operational goals.

Lack of Involvement by All Stakeholders

During the implementation planning phase, many organizations overlook the need to enlist all of the key stakeholders, including those in Information Technology. Without the participation of all stakeholders in the process, high adoption rates are typically hard to achieve, primarily because many users and implementers feel forced to abandon existing tools or processes and often adopt an adversarial stance, which hampers the overall success of the GRC implementation. Establishing an all-encompassing user council during the solution selection process and acceptance testing will greatly improve the project's prospects for success.

Boil-the-Ocean Rollouts

Since GRC solutions promise to cover a variety of use cases, many businesses attempt to implement most or all of the desired functionality at once, or to roll out the solution to all users in one effort. This boil-the-ocean approach requires tremendous discipline and attention to detail, which many organizations unfortunately lack, and it often leads to an unfocused and chaotic process. Even in the best case, a tremendous number of operations must be reconciled in a compressed timeframe in order to coordinate the needs and dependencies between tasks. Working out these processes can create additional delays and increase costs, as well as make it harder to demonstrate clear value from the implementation. While it is tempting to implement many use cases at once, organizations should carve their rollouts into digestible phases, ensuring proper oversight and a high return on investment.

Customization Overkill

Another challenge standing in the way of successful GRC implementations is the amount of customization required relative to the solution's configurability. Some customization may be unavoidable; however, trying to tailor the GRC tool completely to an organization's needs can lead to excessive cost and time delays and make the solution very rigid in the face of future adjustments. Blue Hill Research discovered that organizations that preferred solutions with a high degree of software configurability were not only able to achieve better time-to-value and lower total cost of ownership, but also ensured that this flexibility persisted throughout the life of the deployment.

While the above-mentioned pitfalls relate more to the selection, implementation planning, and strategy processes, Blue Hill's research study identifies the following vendor-specific factors that raise the chance of implementation success:

Efficient Implementation Support - In addition to strategic planning, customization, training, and other professional services, organizations should consider those vendors that supplement these traditional offerings with rapid deployment programs, best practices guidance, and roadmap planning support.

Solution Configurability - Organizations should account not just for configurability of reporting / dashboards and process workflow, but also take into account factors such as data elements, data relationships, and user interface.

Out-of-the-Box Capabilities - Organizations should ensure that, besides embedded content sources (e.g., HIPAA, FERC, ISO, COBIT, NIST), the GRC tool in question also comes with embedded best practices, pre-built questionnaires and workflows, email templates, reports, data models, etc.

Cloud and Hosted Deployments - Organizations should take advantage of vendors offering cloud-based solutions, as they help minimize internal deployment requirements and minimize costs.

Organizations that follow the best practices outlined above stand to benefit from shorter time-to-deployment, lower cost of implementation, and higher end-user satisfaction, as well as the anticipated business impacts of their GRC deployment.

Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).