Home > Risk > GRC software á la carte

GRC software á la carte

September 27, 2011 Leave a comment Go to comments

You enter the GRC software restaurant and on the table is a prix fixe menu. For 250,000 units you can acquire a four course meal (no substitutions allowed). This is the “eGRC special”:

  • Appetizer: Policy management
  • Salad: Audit management
  • Entrée: Risk management
  • Dessert: Compliance management

250,000 units is a lot to spend and you are not sure these are the dishes that you want (even though 250,000 is within your budget). So you ask for the full menu. Here are some of the items you see:

  • Anti-money laundering software – 40,000
  • Audit management – 45,000
  • Compliance management – 70,000
  • Continuous monitoring – 50,000
  • Data analytics – 40,000
  • Disclosure and notes management – 60,000
  • Enterprise application security – 90,000
  • Computer forensics – 45,000
  • Investigation management – 25,000
  • Legal case management – 35,000
  • Performance management – 60,000
  • Policy management – 40,000
  • Risk management – 100,000
  • Spend management – 45,000
  • Strategy management – 80,000

You notice that there is only a 5,000 unit discount for the total package, compared to picking them off the menu. You also notice that there are several other dishes that might meet your current appetite better than the “eGRC special”.

So, what would you buy: the prix fixe or something á la carte?

If the first restaurant you visited only had the items on the prix fixe menu, would you eat there or go next door to a software vendor that had a greater selection?

  1. Stephen Osborne
    September 27, 2011 at 1:41 PM

    Well, I’d like to see how the dishes on the prix fixe menu are prepared. I’m also not really sure how hungry I am at this stage or what I already had at my previous meal.

    I guess what I’m saying is first I need to understand my requirements before I buy anything. Including the requirments of the Board who are bankrolling this nice soiree. So I’d want to engage with the waiter (vendor) and, if necessary the chef (whoever is implementing the solution), before making a decision.

    Once I had worked out what I want, if there were any other customers in the restaurant I’d also want to hear what they think of all these tempting offerings.

  2. Raymond A
    September 27, 2011 at 11:25 PM

    I agree with Stephen on his points. Additionally, I’d probably want to see “GRC restaurant reviews” by unbiased food critics (not the ones who have a stake in the restaurant).

    If I had a craving for a specific item, I might just go with the a la carte menu and pick something to fill my immediate craving. Or if no one is forcing me to have a GRC meal, I might go down the street to the many other specialist eateries/vendors and get something just for basic sustenance needs. Sure, the Clam Chowder Policy Management starter may not go too well with the Sweet & Sour Pork Audit Management entree, but they satisfy me for now, and more importantly fit my budget.

    All this GRC talk is making me hungry.

  3. September 28, 2011 at 3:12 AM

    What a great analogy! But on further thought, in the GRC software market, these are not menu items, but lists of ingredients. The real challenge is to work out what sort of meal you want and who is going to prepare and cook it. What is the cost of preparation and cooking the meal? Once you see the total cost and time involved, do you lose your appetitie or realise that the multi-course meal you originally envisaged is not appropriate for the 30 minutes you have available for lunch?

  4. Paul Fine
    September 28, 2011 at 5:20 AM


    Nice analogy, but I would offer that the choice is not really off an ala carte menu, because you cannot always pick apart a GRC solution to ONLY buy a few features, even if the platform is marketed as being “modular”. Rather, you pay the cost of entering a “buffet-style” restaurant (full featured integrated GRC platform), where you have full access to any of the items there, but you can pick and choose which ones to put on your plate as you make as many trips through the line as you want.

    The price of eating isn’t dictated by how many items you ate (GRC modules), how much they weighed (# of key controls) or the size of the plate you used (mbs of storage for SaaS). It is simply how many people you brought with you for dinner (# of users) and if they ate their own or shared a plate with someone (Full vs. Casual users). GRC features tend to cross over lines, blending capabilities from one part of the application to the other (Issue tracking is key, regardless of whether the Issue was created from a SOX test failure or an Audit finding). Trying to parse the various features necessary to have a fully functional (or at least a scalable) GRC & Audit Platform is to create a false sense of control over what you can buy and successfully implement. GRC is an integrated mindset; it can’t be supported by a non-integrated solution. At least that is one man’s opinion.

  5. Norman Marks
    September 29, 2011 at 8:29 AM

    Well, some have assumed that the items on the prix fixe menu are integrated and you would have to pull items out of the package. I think that is an invalid assumption.
    1. You should buy want you like, what meets your needs/appetite, rather than what somebody else has put together as a package.
    2. Some restaurants will cook these menu items using similar ingredients – and they are in fact integrated. Actually, there may be closer integration between risk management and strategy management than between audit management and other items on the prix fixe menu.
    3. Do you really want your GRC items to be on one technology and the other enterprise applications on another? How efficient is that for IT?

  1. June 15, 2016 at 3:25 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: