Written by SureCloud’s CEO, Richard Hibbert.
For the last few decades, GRC software vendors have been dictating the business applications we need to buy to deliver a business outcome. The vendors have set the boundaries of those applications (features, functionality, and workflow) within the context of categories molded by the analyst community (you buy this application for compliance management, this application for third-party risk management, this application for data privacy, etc.). However, the reality is that we probably only use 20% of the total application and, worse than that, may have to buy other adjacent applications, each delivering 20% value, to reach the end game.
Add to that the need to operate the applications effectively – how do I get 100% business benefit out of the 20% of value I have invested in across my applications? Organizations don’t always have the necessary expertise to do this, for example, running a ‘best practice’ cyber risk steering committee, identifying risks relevant to an industry, or performing a thorough audit of a third party. Consulting companies, such as the Big 4, can provide this ‘know-how,’ and they understand the language of business outcomes. However, because they don’t write the software, the services they offer are not truly integrated with the applications. Their vision for delivering business outcomes is ultimately unachievable; GRC applications do not cater to the target setting and measurement necessary to show whether the outcomes are delivered.
This fracture in the model in which software vendors and consultancies operate can lead to less-than-optimum outcomes for buyers – often in the form of ill-advised solution procurement, incompatible software implementation, and – ultimately – the failure of your GRC program.
This isn’t hypothetical, either; it’s already happening with reports of failed GRC programs being discussed by swathes of commentators online.
But what phenomenon has led to this fractured model, and what can be done to fix these inherent problems?
The first step in solving any problem? Admitting that there is one.
GRC is broken.