The Case for GRC Tools, Part 2: GRC Tools Comparison
July 22, 2021
Effectively weigh GRC tools and solutions
As discussed in Part One of this series, there are real, tangible costs, as well as intangible ones, associated with current manual methods of IT security provisioning and compliance reporting. And for so many organizations, these costs are ever-increasing.
As the impact – specifically, time and money lost – becomes untenable, a search for potential solutions begins. Now in Part Two (of this three-part series), we will discuss the hunt for a governance, risk management and compliance (GRC) automation tool and how to build the business case to acquire one.
Searching for solutions
One answer to streamlining user provisioning and compliance reporting might be to hire more staff. However, most enterprises are reluctant to do so, since adding staff often adds complexity: processes that are already confusing get more confusing with more “cooks” in the kitchen, novice hands make more mistakes, and senior talent ends up spending its time cleaning up afterward.
Another option is to automate the linkages between existing systems and reports in an attempt to streamline processing. However, home-grown programs and scripts don’t always work well, and maintaining custom code or scripts can take on a life of its own.
Typically, the best solution is purpose-built commercial software with comprehensive, automated workflows. Proven solutions, such as our ControlPanelGRC, are easy to implement.
Evaluating software solutions: A GRC tools comparison
In order to evaluate solutions for automating IT user provisioning and compliance reporting, an organization must first identify specific criteria for assessing the quality and “fit.” Based on the criteria, RFPs can be developed to solicit proposals.
Some requirements may include:
- Automate and streamline approval workflows and provisioning processes
- Reduce cycle time
- Eliminate manual tasks
- Enable self-service and improve visibility
- Improve compliance efforts
- Provide a single source of the “truth”
- Centralize SAP security data (e.g., with a common dashboard)
- Reduce operational workloads for the technical team
- Expedite processing user and role requests
- Expedite and improve compliance reporting
- Provide quantifiably more time to support innovation in the business
When evaluating solutions, it’s also important for organizations to recognize their own internal constraints. Do they have the capacity to purchase, install, and maintain incremental servers and infrastructure? Can their staff develop specialized skills to implement and support new solutions? Is there budget for a large implementation using external consultants? Politically, what are management’s expectations of the project – a quick win or building value over time?
A total cost of ownership (TCO) analysis of solutions should be performed. Considerations often include:
- Cost of software licensing
- Infrastructure costs
- Training costs
- Implementation costs
- Costs associated with ongoing operations
Vendors themselves must also be evaluated. Is their business approach that of a long-term partner? Are they continuing to enhance their product? What is their product roadmap? Are there concerns about their viability, stability or vision? Will they be in business three years from now? The GRC market is evolving; are they?
The evaluation cycle can reveal a lot about each vendor’s commitment and characteristics. For example, were the demos customized? Did the sales and technical staff really listen? Were they honest about shortcomings? Did they take the time to understand the organization’s needs? Were they timely and detailed in responses?
In short, it’s important to be comfortable with a vendor for them to truly be a partner that helps move your enterprise forward.
Refining the search
When you have well-defined requirements, potential solutions can be dismissed quickly based on:
- Total price-point out of reach
- “Footprint” requirements too high (e.g., with incremental servers and infrastructure, and incremental administration, interfaces, and day-to-day “care and feeding”)
- Specialized skillsets required
- Implementation costs and timeframes too high
- Ongoing operational complexity
Building the business case and calculating ROI
In sum, the time, effort and risk that come with the escalating difficulty of manual user provisioning and compliance reporting eventually become unacceptable.
As discussed in Part One of this series, the first step in building a business case for an automated solution is to make clear, visible metrics on the current situation.
Ask and answer questions such as: What is the current, average turnaround time for processing routine user provisioning requests? What percentage of requests gets lost or requires special handling? How many hours are spent processing user provisioning requests? What are the total current costs (hours times salaries) for processing user requests?
Similarly, actual costs may be determined for current methods of compliance reporting.
Adding up the actual costs and hours spent on current methods of user provisioning and compliance reporting creates a benchmark against which the projected savings of an automation solution can be justified. Vendors should be able to provide references and case studies to estimate these projected savings.
Applying estimated time savings against current costs creates the basis for a return on investment calculation.
In addition to defining hard ROI estimates for implementing an automated user provisioning and compliance reporting tool, there are other benefits that can be articulated:
- Better service to the business
- Faster time-to-value for new or changing employees (faster provisioning of user and role requests)
- Freeing technical teams from “operational drudgery” and improving morale
- Less manual provisioning
- More time for new initiatives and innovation
- Streamlining audit reporting
- Less time spent preparing for audits
- Less time needed by auditors to complete their work
By conducting a GRC tools comparison and implementing an automation solution for user provisioning and compliance reporting, organizations can realize extensive gains. In the final part of our GRC tools series, we’ll explore the implementation process and how to prove the ROI of your new GRC automation solution.
And if you’d like to learn more about ControlPanelGRC, and whether the solution is right for you, request a free risk assessment today.
Scott Goolik is the vice president of SAP security and compliance at the Managed Cloud & Infrastructure Services of NTT.