Implementing a new GRC tool company-wide
2022
The group risk team need to develop a business case for implementing an organisation-wide risk tool. Business units need to use it to manage risks and group risk need to use it for oversight and reporting purposes. I need to speed up the process of putting together the business case, as well as hear first-hand experience from practising risk leaders about the risk systems they’ve used - the good, bad and ugly - in order to choose a system from the shortlist I've collated.
Risk Leadership Network member
Head of Group Risk at an ASX-listed metals and mining company
1. Produced a peer-contributed business requirements template
We collected business requirements from practising risk leaders at listed companies of a similar size and structure to the member. With this information, we produced a peer-contributed and peer-validated business requirements template, collating over 300 business requirements into a filterable template. It includes questions covering provider credentials, audit modules, risk assessment capabilities, reporting and analytics functions, and more.
2. Facilitated a series of 1-to-1 discussions
Risk Leadership Network set up a series of 1-to-1 discussions with other risk leaders, so that the member could ask candid questions about their peers' experiences with different risk systems.
- What’s your experience been with the risk system you implemented?
- What are the strengths and weaknesses of the system you implemented?
- What lessons learned do you have from systems you trialled or implemented?
- What regrets do you have about your risk system selection?
- Which systems have hidden problems/obstacles?
- Do you have any tips or advice when we come to implement?
We sourced mature risk leaders who had implemented different risk systems, allowing the member to gain honest and open feedback on these GRC systems, away from vendors.
How this helped
Saved a lot of time creating a business case
The business requirements template allowed the member to take the business case to their boss quickly, confident that they'd covered all bases. From the 300 peer-contributed business requirements, the member could quickly search and choose the business requirements that were appropriate for their business case.
Confidence in selection of new GRC system
By speaking with practitioners who had no vested interest, the member got honest feedback and became privy to first-hand user experience. They avoided the headache of trawling through sales pitch after sales pitch from vendors who only tell you the positives and benefits of their tools.
Avoided early pitfalls with implementation
The member benefited from speaking in depth to mature risk leaders about the mistakes they'd made when implementing their new GRC systems. They heard candid feedback from fellow CROs on their implementation and optimisation of many different GRC systems, including RSA Archer, ServiceNow and Galvanize, among others.