by Erik T. Heidt | September 20, 2013 | Comments Off on Effective Selection and Implementation of IT GRC Solutions
The basic question is, how do you select tools to support your IT Governance, Risk Management and Compliance (IT GRC) needs? This has been a major focus for my research over the last 10 months. The first phase of that exploration focused on defining a guidance framework that could be used to identify the IT GRC needs of your enterprise and then structure your IT GRC practice to address those needs. That research culminated in the publication of “Achieving IT GRC Success“.
The next natural questions were:
- What are the critical capability for an IT GRC solution?
- What should my requirements be for such a solution?
- What tools are available that posses these critical capabilities, and may address my needs?
These questions are addressed in my latest document “Effective Selection and Implementation of IT Governance, Risk Management and Compliance Solutions“. This document should also be useful to organizations that want to optimize their utilization of an existing solution. The document examines these capability in terms of the how they are applied to improving IT GRC processes, and not in terms of technical characteristics of the tools – more on that later.
The six areas are:
- Asset and Entity Management
- Risk Management, Measurement and KRIs
- Risk Register and Exception Tracking
- Report and Dashboard Support
- Policy Management
- Risk Control Self-Assessment and Measurement
The document focuses on establishing requirements and evaluation criteria around these use cases, as opposed to focusing on a long list of technical features. RFPs and product evaluations that are focused around long checklists of features often overlook more important qualitative aspects, such how the tool will be used and maintained. It is very easy for suppliers to add capabilities through integrations with commercial (or open source) code libraries. Bolting on these capabilities does allow suppliers to check a lot of boxes and demonstrate technical capabilities, but how difficult those capabilities are for your organization to implement, maintain and manage is a completely different story.
In discussions with clients about failed implementations, technical capabilities are rarely the issue — and really only become an issue for enterprises with data volume or performance needs that push extremes.
The vast majority of failed implementation stem from:
- A lack of well defined requirements, resulting in classic project management failures.
- Low quality configuration or implementation work, resulting in unreliable or unmaintainable deployments.
- Inability to maintain a positive relationship between the supplier and client.
Their really isn’t anything unique to this list. These are the same common failure modes that plague all types of complex enterprise software deployments. As a result this research focused on establishing baseline and stretch requirements for each of these core capabilities, that enterprises can use to optimize their selection and deployment plans.
Additionally, 17 pages (roughly 40%) of the document focus on an analysis of the products in this market in terms of these capabilities, and should enable organizations to identify suitable products for inclusion in product evaluations.
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.Read Free Gartner Research
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.