GRC software à la carte
You enter the GRC software restaurant and on the table is a prix fixe menu. For 250,000 units you can acquire a four course meal (no substitutions allowed). This is the “eGRC special”:
- Appetizer: Policy management
- Salad: Audit management
- Entrée: Risk management
- Dessert: Compliance management
250,000 units is a lot to spend and you are not sure these are the dishes that you want (even though 250,000 is within your budget). So you ask for the full menu. Here are some of the items you see:
- Anti-money laundering software – 40,000
- Audit management – 45,000
- Compliance management – 70,000
- Continuous monitoring – 50,000
- Data analytics – 40,000
- Disclosure and notes management – 60,000
- Enterprise application security – 90,000
- Computer forensics – 45,000
- Investigation management – 25,000
- Legal case management – 35,000
- Performance management – 60,000
- Policy management – 40,000
- Risk management – 100,000
- Spend management – 45,000
- Strategy management – 80,000
You notice that there is only a 5,000 unit discount for the total package, compared to picking them off the menu. You also notice that there are several other dishes that might meet your current appetite better than the “eGRC special”.
So, what would you buy: the prix fixe or something à la carte?
If the first restaurant you visited only had the items on the prix fixe menu, would you eat there or go next door to a software vendor that had a greater selection?
Well, I’d like to see how the dishes on the prix fixe menu are prepared. I’m also not really sure how hungry I am at this stage or what I already had at my previous meal.
I guess what I’m saying is first I need to understand my requirements before I buy anything. Including the requirements of the Board who are bankrolling this nice soiree. So I’d want to engage with the waiter (vendor) and, if necessary, the chef (whoever is implementing the solution), before making a decision.
Once I had worked out what I want, if there were any other customers in the restaurant I’d also want to hear what they think of all these tempting offerings.
I agree with Stephen on his points. Additionally, I’d probably want to see “GRC restaurant reviews” by unbiased food critics (not the ones who have a stake in the restaurant).
If I had a craving for a specific item, I might just go with the a la carte menu and pick something to fill my immediate craving. Or if no one is forcing me to have a GRC meal, I might go down the street to the many other specialist eateries/vendors and get something just for basic sustenance needs. Sure, the Clam Chowder Policy Management starter may not go too well with the Sweet & Sour Pork Audit Management entree, but they satisfy me for now, and more importantly fit my budget.
All this GRC talk is making me hungry.
What a great analogy! But on further thought, in the GRC software market, these are not menu items, but lists of ingredients. The real challenge is to work out what sort of meal you want and who is going to prepare and cook it. What is the cost of preparation and cooking the meal? Once you see the total cost and time involved, do you lose your appetite or realise that the multi-course meal you originally envisaged is not appropriate for the 30 minutes you have available for lunch?
Norm,
Nice analogy, but I would offer that the choice is not really off an a la carte menu, because you cannot always pick apart a GRC solution to ONLY buy a few features, even if the platform is marketed as being “modular”. Rather, you pay the cost of entering a “buffet-style” restaurant (full featured integrated GRC platform), where you have full access to any of the items there, but you can pick and choose which ones to put on your plate as you make as many trips through the line as you want.
The price of eating isn’t dictated by how many items you ate (GRC modules), how much they weighed (# of key controls) or the size of the plate you used (mbs of storage for SaaS). It is simply how many people you brought with you for dinner (# of users) and if they ate their own or shared a plate with someone (Full vs. Casual users). GRC features tend to cross over lines, blending capabilities from one part of the application to the other (Issue tracking is key, regardless of whether the Issue was created from a SOX test failure or an Audit finding). Trying to parse the various features necessary to have a fully functional (or at least a scalable) GRC & Audit Platform is to create a false sense of control over what you can buy and successfully implement. GRC is an integrated mindset; it can’t be supported by a non-integrated solution. At least that is one man’s opinion.
Well, some have assumed that the items on the prix fixe menu are integrated and you would have to pull items out of the package. I think that is an invalid assumption.
1. You should buy what you like, what meets your needs/appetite, rather than what somebody else has put together as a package.
2. Some restaurants will cook these menu items using similar ingredients – and they are in fact integrated. Actually, there may be closer integration between risk management and strategy management than between audit management and other items on the prix fixe menu.
3. Do you really want your GRC items to be on one technology and the other enterprise applications on another? How efficient is that for IT?