Welcome to the first in our Partner Spotlight Series, where we let our partners describe their companies, backgrounds, and experience with LogicGate. First up is Rich Gearity, CEO of Agile GRC Solutions.
LOGICGATE: Can you provide a brief overview of your company and how you work with your clients?
RICH: Each of our company principals has been working within the GRC space since 2006, and each has more than 30 years of experience in Information Technology disciplines, including software development, architecture, UI design, business analysis, program management, and executive leadership. Agile GRC Solutions’ consultants are senior-level GRC specialists, and draw upon a rich and varied background of industry, business unit, and GRC experience. The ability to speak the same language as the client—in terms of understanding the unique challenges inherent in that business unit, within their industry—while also bringing the real-world experiences of other, similar clients to the table, are the two key factors in gaining the confidence of the customer and ultimately being successful.
What sets you apart from other companies in your field?
Many of our competitors use junior-level personnel who have not had much experience in the business world. Our competitors do this because they can simply make more money off junior-level resources than senior-level resources, who command higher pay. However, while the vendor may make more margin off of these individuals, the client is the one actually paying the price. Here is why: these junior-level folks can tell clients how they can do something but cannot explain why they should do it—they simply do not have that strategic, real-world experience to do so. We have that experience, which results in incalculable value for our customers in terms of a clear understanding of the impact of all decisions and the confidence that decisions will evolve and integrate smoothly as their ERM program scales in the future.
How do you see your clients’ needs evolving over the next year? Next 3 years?
We believe the face of the GRC software market is going to change significantly. Customers will re-evaluate their strategic priorities in terms of mitigating risk and review why they initially procured the GRC software they did. In many cases this is older technology, which is costly in terms of both customization services and ongoing maintenance. They will be questioning why they are spending so much financial and people capital on implementing and maintaining GRC software when their goal was simply to mitigate corporate risk. This re-alignment of priorities will be the impetus for companies to start looking at more agile, cost-effective GRC software—such as LogicGate—that has a lower cost for customization while also quickly delivering bottom-line results that align with their GRC mission. Total cost of ownership with regard to their GRC software will be the key determinant for companies going forward.
What trends have you noticed in the GRC market in the last few years?
Just like large companies, small- and medium-sized companies are realizing that they too have GRC requirements they need to address. Company size becomes irrelevant when talking about operational and financial risk and the need to recognize and mitigate those risks. However, small- and medium-sized companies have been largely shut out of the GRC solutions market due to cost. With more cost-effective GRC solutions—such as LogicGate—we see many of these companies embracing sound GRC practices going forward and using cost-effective, state-of-the-art GRC software to get them there. In addition, we are seeing large companies question their expenditures in bloated, cumbersome, outdated, and expensive GRC software technology. This is the core reason why these companies will reassess their original reasons for purchasing GRC software, and we believe that is going to be the impetus for these same companies to look for agile GRC software that is easy to configure and provides an immediate ROI.
What are the greatest pitfalls you see people face when tackling GRC processes?
- First and foremost, companies begin an ERM program when there is no senior, authoritative entity formally running the program. If a company does not have an Enterprise Risk Management group, a Risk Officer, or a CISO overseeing the ERM program, many times the program will flounder. It is imperative that the individual tasked with implementing the GRC software have the backing and support of senior management. There will be many times when the GRC team will face impediments in trying to implement their ERM program. In those critical times, the GRC team will need the authority of the ERM overseer in order to remove those roadblocks or else the program will fail.
- Second, companies with an immediate short-term need purchase GRC software that addresses that specific need but not the future of the entire enterprise. They fail to consider that the company may want to incorporate the entire enterprise in the GRC system down the road, including needs outside of that original use case. This leads to data silos being set up for that particular, immediate need and rushing the solution to production without regard for the “bigger picture”.
- Lastly, companies rush into purchasing GRC software without fully understanding the long-term cost of customization. The players that have dominated the enterprise GRC software market for 15 years provide a reasonable cost per use case model. However, over the long term, these are very expensive solutions and the reasons why may not be apparent when companies are doing their initial research around these tools. Companies see one side of the cost coin—the yearly subscription cost of the software—and think that this is the year-over-year cost for the program. They are often shocked to find out that the cost for professional services to customize the software is very expensive and their cost of ownership could easily balloon into the millions of dollars, annually.
What is the best advice you would give someone who is charged with leading a new ERM program?
Our advice is threefold:
- Understand the reason for purchasing GRC software, and develop that purpose into a mission statement. Then assign the execution of that mission to a person (CISO or Risk Officer) or entity (ERM Group) with senior-management support.
- Understand all out-of-the-box capabilities of the GRC software, as well as the total cost of ownership for years one through five, including anticipated customization costs. Many GRC products on the market require customizations that involve actual coding changes, which are expensive. Do your homework up front, talk to current users, and understand the complete picture around cost so there are no surprises later on.
- Have both a 12–18 month tactical plan as well as a longer-term strategic plan (1-, 3-, and 5-year) for GRC implementations that convey near- and long-term priorities for the ERM program. Agile GRC Solutions can serve as a bridge to help clients map their priorities to strategic plans, with detailed “quick wins” and long-term value spelled out.
Why did you select LogicGate as a trusted partner?
We evaluated many GRC software tools and after extensive research, LogicGate clearly emerged as the partner that made the most sense for us. This was based on the following factors:
- Customer Reviews: There is nothing more powerful than the feedback from actual customers. Every single review on the G2 website about LogicGate was glowing.
- Internal Priorities: Having worked for the past 13 years with many GRC software suites, we are very aware of the shortcomings of the current major players. Because of this we outlined our own priorities when selecting a GRC software partner, and they aligned with LogicGate's mission very well.
- Cost: We were seeking a partner that provided true, out-of-the-box functionality to clients with minimal customization expense. We also felt small-to-medium-sized companies were being shut out of the GRC software market, so we wanted to partner with a company with a price-point these companies would find attractive.
- Flexibility: We were very impressed with the flexibility of the LogicGate product. Customers can modify the configuration for their specific needs without having to send people for extensive training, and end users can quickly get up to speed with the technology. Many customers are confidently configuring LogicGate within a month of installation.
- User Interface: The LogicGate UI is clean and elegant—it looks like an interface with cutting-edge backend technology, because it is.
- Drag-and-Drop Workflow: With its drag-and-drop functionality, LogicGate has made developing custom workflows a snap for its clients—a huge differentiator.
- Graph Database: While other GRC software packages require the customer to adapt their data architecture to the constraints of the software, LogicGate is built on a Graph Database structure which allows companies to define their data architecture within the LogicGate software.