What to Look for in Governance Risk and Compliance Vendors?
Governance risk and compliance (GRC) touches virtually every company process and policy. From risk mitigation to full compliance with laws and regulations, GRC is a complex discipline.
With a company’s reputation and, potentially, millions of dollars at stake on a single fine, governance risk and compliance is not something business leaders can take lightly. This underscores the need for experienced GRC vendors, and in particular for vendors who have worked in the right business sector.
It’s easy to see, then, why it is so essential to seek out governance risk and compliance vendors with the right skills and qualities. But what questions should you be asking? And what qualities should you be looking for in a GRC service provider?
Governance Risk and Compliance Vendors and Industry
Industry-specific or business sector-specific experience matters because sectors differ dramatically in the regulations, regulators and risks that shape a company’s GRC strategy. Some of the most complex and specialized business types include the following.
- Hospitals, physicians, dental clinics, rehabilitation centers, nursing homes, and others in the healthcare industry – HIPAA regulations, stringent ethical codes, and dealings with insurers all shape GRC strategy for these organizations, and in the US HIPAA’s requirements extend to the business associates that handle protected health information on a covered entity’s behalf. These are businesses that benefit from a governance risk and compliance vendor with deep healthcare knowledge and experience.
- Banks and lenders, financial firms, stock brokerages, and investment firms, along with other companies in the financial sector – The investment and financial sector is among the most stringently regulated, and it’s easy to see why. In addition to government regulators, self-regulatory organizations such as FINRA can hand down fines, and those penalties can total millions, making this one niche that demands a lot of industry expertise.
- Insurance industry – The insurance industry is highly regulated, with many complexities, laws, and regulatory bodies in the mix. Like the financial sector, the insurance industry carries many risks that are certain to complicate any GRC strategy.
- eCommerce, mobile app-based businesses, and web-based companies – Web-based businesses face some unique risks and compliance challenges, from PCI DSS obligations for any business that stores, processes or transmits cardholder data to privacy laws that follow the customer rather than the company. Requirements also vary considerably with the exact business model, so an experienced GRC vendor is the ideal.
- Companies serving people in the EU – The EU’s General Data Protection Regulation (GDPR) applies to companies established in the EU and to companies outside the EU that offer goods or services to, or monitor the behaviour of, people located in the EU. It is the data subject’s location that matters, not their citizenship, and it does not matter where the company itself is based.
While these business types are the most likely to need a GRC vendor with industry-specific experience, the above list is by no means exhaustive. The more unusual and complex your GRC situation, the more sector-specific experience should weigh as you compare vendors.
Governance Risk and Compliance Vendors and Process
What process does the governance risk and compliance vendor use to evaluate and address your needs as a client? Do they work on-site at your headquarters to gain an in-depth understanding of your operations and your GRC-related needs, or is everything done remotely over Zoom and phone calls?
Also, what is the vendor’s approach to developing and implementing a solid governance risk and compliance strategy? Generally, the most successful GRC consultants invest considerable time and effort in getting to know the client’s company, its operations, its goals, and its pain points. Only then is a strategy developed, in collaboration with the client, that addresses the risks and challenges in a way that aligns with the company’s mission, budget, and other constraints.
Governance Risk and Compliance Vendors and Technology
Is the GRC vendor you’re considering a specialist in the technologies your company relies on in its daily operations? Consider your ERP platform, CRM, supply chain management software, enterprise mobile app, cloud data platform, eCommerce platform, and the other essential software, interfaces, and platforms that keep your business running.
Also, remember to include third-party platforms and service providers. Where a third party stores or processes your data, its controls and its contractual obligations (a HIPAA business associate agreement or a GDPR data processing agreement, for example) become part of your compliance scope, so they certainly affect your GRC strategy.
Develop a complete inventory of these technologies and share it with prospective governance risk and compliance vendors. The ideal candidate will have experience with all or most of the platforms your company uses.
References and Recommendations for Governance Risk and Compliance Vendors
Any reputable GRC vendor, or any other IT professional for that matter, should be able to provide references and recommendations from satisfied clients.
Most IT vendors post written testimonials on their website and company social media pages. These can instill a degree of confidence, but they are easy to fabricate and hard to verify, so it is prudent to ask vendors for contact information for satisfied clients whom you can speak with directly.
When speaking to a reference, don’t be afraid to ask lots of questions. The following queries will serve as starting points for an honest, insightful discussion that will help you determine whether a vendor is right for your company’s needs.
- Tell me a bit about your company and your project with this vendor. What was the nature and size of the project?
- What would you describe as this vendor’s greatest strengths?
- Did you encounter any challenges or obstacles while working with this vendor? If yes, how were those issues addressed?
- Were the costs as expected for your project? Did it come in under or over budget, and if so, was the difference significant?
- Did you see the expected ROI for your work with this vendor?
- Are you still working with this vendor? If no, why not?
- Would you recommend this vendor?
This information will position you to proceed with confidence or to continue your search with another candidate.
At iTech, we are well-positioned to offer comprehensive governance risk and compliance consulting and GRC solutions to clients in all industries. We understand the breadth and complexity of the regulations and risks facing today’s enterprises. Contact iTech today to get started on finding the right GRC partner for your needs as you work to reduce risk while achieving, and maintaining, full compliance with your industry’s laws and regulations.