Should we implement an off-the-shelf solution to support our regulatory compliance program? Or, is a custom-built technology solution a better option? Buy versus build?
These were questions a new chief compliance officer (CCO) grappled with as he began his new job at a global financial services organization that provides an online payments system and serves as an electronic alternative to paper currency. The CCO’s first task at his new company: implement a regulatory compliance program supported by a technology solution within a very aggressive timeline.
Conscious of the tight deadline, the CCO’s first thought was to leverage the existing governance, risk and compliance (GRC) technology solution that the organization’s enterprise risk management team had invested millions of dollars to implement in support of its risk management and Sarbanes-Oxley activities. Such an option would be quicker and, at least on the surface, less expensive. However, based on previous experience with the existing tool, he questioned whether the technology could accommodate the unique regulatory compliance needs of the company and whether any required changes could be made within his timeline and budget.
With misgivings about the existing technology solution and more questions than answers, the CCO turned to Protiviti for a detailed cost and functionality comparison. At his former organization, the CCO had worked with Protiviti on the design and implementation of a custom regulatory compliance solution based on Microsoft SharePoint. Drawing on that experience, he engaged the Protiviti GRC Tech Advisory team to answer the following questions:
The company’s technology team worked with Protiviti to set up a test site that allowed the Protiviti team to mock up the requirements and identify potential gaps. Protiviti then worked with the GRC technology vendor to validate the gaps and understand if they could be addressed with customizations, as well as determine the timing and cost of the required changes.
The detailed mock-up of the regulatory compliance requirements within the existing GRC technology test site provided the CCO and his team with a hands-on understanding of the tool’s capability gaps. The test also helped determine the project scope and the costs of obtaining the required customizations from the vendor, and identified the challenges likely to affect the required timeframe.
Next, Protiviti provided the client with a comprehensive analysis of the costs and timeline associated with developing a custom regulatory compliance platform using SharePoint, based on the same requirements.
After reviewing the comparison, the CCO decided to move forward with a custom SharePoint solution, which was certain to meet both his specific requirements and the aggressive implementation timeline. Using an agile methodology that allowed for scope flexibility and leveraging our expertise in risk processes and custom development, Protiviti’s team was able to deliver a custom regulatory management solution on time and on budget. The new solution was implemented and well received both at the highest levels in the organization and by its everyday users. Since the roll-out, the company has expanded the use of their new solution, adding more modules and using it to assess additional risk functions beyond compliance.
While off-the-shelf GRC solutions offer a lot of functionality and can meet the compliance needs of many organizations, for this particular client, with its unique business model and compliance requirements, a customized solution proved to be the right answer. Whether a company buys or builds a GRC solution, a detailed comparison is the logical first step to ensure the company makes the right decision with confidence.