Global online payments pioneer discovers it pays to talk to experts before choosing a compliance technology solution
- In-depth comparison of the existing GRC application versus a custom SharePoint solution to support a new regulatory compliance program.
- A vetted comparison of costs and timelines for a defined set of program requirements, so that the organisation can choose and implement a solution confidently.
- A custom regulatory compliance solution, implemented on time and within budget, that meets the organisation’s regulatory compliance program requirements.
Should we implement an off-the-shelf solution to support our regulatory compliance program? Or, is a custom-built technology solution a better option? Buy versus build?
These were questions a new chief compliance officer (CCO) grappled with as he began his new job at a global financial services organisation that provides an online payments system and serves as an electronic alternative to paper currency. The CCO’s first task at his new company: implement a regulatory compliance program supported by a technology solution within a very aggressive timeline.
Conscious of the tight deadline, the CCO’s first thought was to leverage the existing governance, risk and compliance (GRC) technology solution that the organisation’s enterprise risk management team had invested millions of dollars to implement in support of their risk management and Sarbanes-Oxley activities. Such an option would be quicker and, at least on the surface, less expensive. However, based on previous experience with the existing tool, he questioned whether the technology could accommodate the unique regulatory compliance needs of the company and whether any required changes could be made within his timeline and budget.
Dare to Compare
With misgivings about the existing technology solution and more questions than answers, the CCO turned to Protiviti for a detailed cost and functionality comparison. At his former organisation, the CCO had worked with Protiviti on the design and implementation of a custom regulatory compliance solution based on Microsoft SharePoint. Drawing on that experience, he engaged the Protiviti GRC Tech Advisory team to answer the following questions:
- Could the existing GRC technology solution meet his new company’s compliance requirements?
- If so, what would be the costs, timing and required customisations?
- How would the costs and time required to update the existing solution compare to building a custom regulatory compliance solution in SharePoint?
The company’s technology team worked with Protiviti to set up a test site that allowed the Protiviti team to mock up the requirements and identify potential gaps. Protiviti then worked with the GRC technology vendor to validate the gaps and understand if they could be addressed with customisations, as well as determine the timing and cost of the required changes.
The detailed mock-up of the regulatory compliance requirements within the existing GRC technology test site provided the CCO and his team with a hands-on understanding of the tool’s capability gaps. The test also helped determine the project scope and the costs of obtaining the required customisations from the vendor, and identified the challenges likely to affect the required timeframe.
Next, Protiviti provided the client with a comprehensive analysis of the costs and timeline associated with developing a custom regulatory compliance platform using SharePoint, based on the same requirements.
After reviewing the comparison, the CCO decided to move forward with a custom SharePoint solution, which was certain to meet both his specific requirements and the aggressive implementation timeline. Using an agile methodology that allowed for scope flexibility and leveraging our expertise in risk processes and custom development, Protiviti’s team was able to deliver a custom regulatory management solution on time and on budget. The new solution was implemented and well received both at the highest levels in the organisation and by its everyday users. Since the roll-out, the company has expanded the use of their new solution, adding more modules and using it to assess additional risk functions beyond compliance.
While off-the-shelf GRC solutions offer a lot of functionality and can meet the compliance needs of many organisations, for this particular client, with its unique business model and compliance requirements, a customised solution proved to be the right answer. Whether a company buys or builds a GRC solution, a detailed comparison is the logical first step, and it helps ensure the company makes the right decision with confidence.