Halloween Analyst Magic
Well it’s Halloween and time for Analyst Magic. Gartner has published the Magic Quadrant for GRC, and all the other analysts seeking engagements of course are tweeting and blogging about what is right and wrong with the results. Just like Mike and Mike in the morning giving their analysis of the sporting teams, there is usually one person in the conversation that has at least played in the sport. The difference with our GRC analysts is very few of them have even helped or touched the applications they analyze. And most base their results on vendors who had to pay to get them to visit and customers who have asked for their wisdom and paid dearly. Unfortunately, the most they learn is by listening to the customers and to the vendors. Having been in both places, and hands on with many of the products, I would like to point out some of the many flaws:
Much of the criteria are highly subjective. Market penetration for example is usually based on the acquisition of customers, and not by who is getting a return on their software investment. Opinions are cheap, just like the sports analysts; they vary by the biases they have developed over the years. In addition, all of the product evaluations are done based on demos by the vendors. And you can bet these are well orchestrated and planned to impress. Often they are geared to what the analysts ask about. Usually this is guided by customer inquiries. These are collected from primarily paying customers, or references that have been carefully selected by the vendor for the analyst to contact.
I have been a customer and the only discussion I found worthwhile with any of the analysts was to get their idea of the price ranges I should expect before entering the negotiation process of the hardware of software acquisition process. In the case of GRC, these can vary widely. And there is a wide range of product capabilities. In most cases the “enterprise” tag given by the analysts is only indicative of the breadth of the product. The depth of the product is often overlooked, but a lot of attention to “look and feel” and user “friendly” criteria. One evaluation I saw presented during my days with SAP by an analyst was a demo, which got great accolades for an improvement in the user interface. And it was the same interface they had seen in the previous year, but the Demo Witch made it appear much better…. more smoke and mirrors.
Before you enter the haunted house of the GRC market, my advice is to ignore the analysis paralysis on useless features and concentrate on the road to Return on Investment. This will allow you to seek out not only the software that is the best fit but also the best practices that help you gain the best utilization from the product. The combination of the two is what makes the GRC ghost and goblins go away and reality to appear!
Many customers are busy managing their SAP GRC Application on their SAP infrastructures which run their financial operations. When Sarbanes Oxley Compliance was the main driver, the financial systems were always the ones in scope. Part of the GRC journey is extending segregation of duties to other systems in the SAP infrastructure, like HR, CRM, and BI platforms. All these require additional connectivity to help normalize the diverse security models as well as transaction models used by Governance Risk and Compliance Solutions.
If customers only look at the extension to other systems strictly from an Access Risk perspective the Enterprise reach of the program outside the financial scope is usually a nice-to-have and considered the last thing on the priority list. However, if we extend the purpose to help manage risks beyond the Financial Scope, it becomes very important to have an enterprise reach. The annual IBM risk study of 1800 firms confirms that operational risks in the enterprise are much bigger and frequent occurrences. In addition the operational risks are top of mind for Executive Management.
There are many customers who have extensive end-user applications which are not even included in their IT infrastructure but are valued for everyday operations. The ultimate goal is to manage risk across all these diverse areas. If we consider what part of the program is most basic to our long-term goals, then Enterprise Reach becomes the first priority. Even securing all the data in the enterprise has become a challenge with the move to the cloud and on-demand applications which reside outside the normal infrastructure confines of organizations.
Here are some products that enable the reach to many systems and computing islands in your infrastructure:
DB Luminous is a recent product on the market which helps identify Unique Data Elements across multiple data bases. Companies who are concerned about the treatment of certain data once it leaves the controlled source systems should explore this product. http://www.dbluminous.com/
Greenlight’s Design Studio supplies integration to normalize not only security models but also transaction models for ease of analysis and monitoring. Often this is thought of after Access and Control Solutions are purchased, but it should be the primary part of any company with complex environments. http://www.greenlightcorp.net/rta-design-studio
If you have others that have helped you, post them on our Customer Forum.
Customers are exhausted with big projects. License costs coupled with expensive implementation services have executives still looking for the promised return on investment. The recent OPEC study points to business value potential for enterprise scope endeavors. My experience is customers are lacking an overall enterprise strategy and embarking on a project by project approach. The first issue which ignited the GRC impetus was managing segregation of duties. After several years many SAP GRC Customers have yet to get beyond the basic risk analysis and remediation phases of their journey. Role redesigns and other associated services have interrupted the ultimate attainment of value from proactive risk-free provisioning. This is just one example. Many business and audit groups have chosen the deployment of point solutions to take on their needs. So now there are underutilized solutions owned by many, and the costs for internal or external IT resources to maintain the infrastructures required also adds costs as changes and updates are needed. And to make matters worse there are still new regulations and issues to be solved. How can customers get to a more pro-active enterprise strategy?
There are many solutions and service providers that will try to “market” their solution as enterprise. However, after the purchase is made, the “reality” comes to the surface. We believe these options and evaluations are not disclosed in lengthy “RFP’s” that deal with many of the archaic ways customers are currently managing compliance processes. Instead, we believe a strategic plan should drive the RFP so that options for solutions are presented. Options are what the customer should know, and can lead to a more holistic, cost effective solution.
Why not take a step back and get an assessment of where you are and how you compare to others? Both benchmarking against a best practices model and actual experiences from existing customers will help you get an honest and independent view of your GRC program.
Our Customer Exchange Forum was created to provide customers a safe place to post ratings and evaluations of products. This provides future and current customers more experience knowledge to test “marketing claims” by providers. In addition, many service providers can be rated on their approach and effectiveness in getting the solution implemented and producing sustained value for the organization. This is even more meaningful when products come out of Ramp-up and have limited customer experiences. Those that have taken the plunge can put their observations and warnings out for others on the product. Please help us fill this gap by posting your experience today!
Well just got back from three days of training Internal Auditors on SAP and SAP Governance Risk and Compliance. Most are thirsty for information about SAP and the real problems in software aren’t technical, they are lack of management and business acumen in managing the environment for SAP. However, one thing remains for all, connecting customers with customers on their experience is still a great way of others learning from others.
In order to support the exchange of information between auditors, we are announcing our own site to enable auditors to get information to each other. We are excluding consultants from this exchange on purpose. The Customer Advisory Exchange is not for consultants to try and snoop for opportunities but rather for customers to provide open dialogue and evaluations on software as well as providers. An invitation has been sent to a few customers and we invite others to join by registering on