Competitively, that’s first!
Here are some do’s and don’ts when it comes to making the investment in a GRC system.
Do:
- Identify your requirements. What functions are you looking to digitise – Risk Management, Compliance, Internal Audit, etc.? The GRC landscape is broad, and identifying these will ensure you get the right system: neither too narrow nor so broad that you don’t make use of it. Add the requirements to the RFP.
- Document and edit your RFP. Make sure it’s easy to read and understand, especially for a stranger who doesn’t work in your company. Ask someone not close to the project to do a peer review. Clearly state your milestone dates, and factor in extensions and holidays.
- Take your time to evaluate the responses. A weighted evaluation matrix will make it easier and more objective for you to shortlist your preferred systems. Schedule vendor meetings and demos. Use the time in between to read vendor responses and vendor and software reviews, and to watch vendor videos. Create white space in your calendar to give you time to reflect on what you have seen and read. Ask for deep dives by module.
Don’t:
- Don’t overcomplicate your RFP. Less is more. Most of your questions can probably be answered in an initial session and demo.
- Don’t schedule back-to-back meetings; I’d suggest max 2 a week. You will get tired and will forget who showed you what.
- Don’t expect another colleague to do your work or ask your questions, or, worse, cover your session – you know your functional area best, so ask the vendor to show you what you need. You are going to use the system, so grab a front seat or reschedule for when you are available.