Your Compliance team has finally decided to take the plunge and purchase a GRC solution. You have developed an eGRC vision (see last month’s post on creating an eGRC Vision), talked to stakeholders about needs, reviewed Forrester and Gartner’s reports on GRC, have executive support (CCO, CRO, CAO, CISO, etc.), and invited a handful of vendors to demonstrate the out-of-the-box capabilities of their products. Expectations are high as compliance stakeholders arrive for the demo, but by the end of the demo, the stakeholders are confused, frustrated, and beginning to question whether they should move forward with purchasing a solution. What happened? What went so wrong during the demo?

Over the past several years, I have supported clients throughout the GRC vendor selection process and have seen the best and the worst of vendor demos. In my second post in the series on CCOs and GRC, I will be examining why vendor demos fail and how your organization can adequately prepare for GRC vendor demos.

Mistake 1: “We Only Want to See Out-of-the-Box”

One of the most common mistakes in requesting a GRC solution is to request that the vendor only show you the “out-of-the-box” solution. The problem with this request is that most GRC solutions are not meant to be turn-key solutions. Instead, vendors have developed framework solutions that are designed to be broad and flexible, enabling implementers to configure the system to meet an organization’s specific risk and compliance processes without changing the underlying code. These changes can include adding or removing fields, creating custom workflows and notifications, and adding company-specific risk assessments, surveys, questionnaires, etc. Thus, when you ask a vendor to show you only “out-of-the-box”, the vendor might struggle with how to make the demo meaningful for you and your stakeholders.

Mistake 2: Failing to Provide Process Examples

The second, and closely related, mistake is not providing the vendor with any process examples to be incorporated into their demo. The goal of doing so is to understand how the tool can be configured to meet your organization’s vision and objectives, while still understanding the main components that come pre-developed by the vendor. By providing some examples of your processes, you can begin to bridge the gap of how risk & compliance operates at your organization and give some of your expectations for how the tool should actually function. This way, the vendors performing the demo can compare and contrast the way the tool works out-of-the-box vs. your organization’s internal processes. This can spur some excellent conversation and give great insight to the stakeholders.

Mistake 3: Lack of Awareness Among Stakeholders of the eGRC Vision

The importance of communicating the eGRC vision and level-setting expectations around the enterprise nature of a GRC solution with stakeholders is often overlooked. Most stakeholders entering demos want to see how a GRC solution will directly benefit their program. In some instances, the stakeholder is already using a point solution or custom-built spreadsheets that meet the program’s objective but fail to provide any enterprise visibility. Without an understanding of the enterprise vision for GRC, individual stakeholders will shy away from solutions that provide greater enterprise visibility and select point solutions that they believe will better fit their specific needs.

How to Adequately Prepare for Successful Vendor Demos

The overall goal of the vendor demo process is to assist your organization in selecting a GRC solution that best supports its eGRC vision, while meeting core business requirements. A successful vendor demo provides your organization with a better understanding of each solution’s strengths and enables stakeholders to visualize how their processes could be enabled inside the tool. To accomplish this goal, I encourage my clients to consider the following:

Even with proper preparation and communication, the quality of vendor demos can vary greatly from one vendor to the next. Typically, one or two will rise to the top, while another vendor will leave you wondering if they even looked at your provided examples. Hopefully, through this process you are able to make an informed decision and begin the process of achieving the CCO’s eGRC vision.

Want to share your GRC vendor selection experience? Contact us.