Despite a less than perfect record, GRC vendors still tout the risk-management and governance capabilities of their products. In fact, they see a major marketing opportunity in the subprime crisis and in the current economic distress. “The collapse of the financial markets was a wake-up call,” says Narina Sippy, general manager of German software vendor SAP’s GRC business unit. “Companies are now taking action to ensure their organization is not next to be splashed across newspaper headlines,” she says.
Once awakened, the argument goes, companies will need to invest in software that helps them stay alert. John Capobianco, president and CEO of Lumigent Technologies, says that companies can expect to pay between the mid five figures and low six figures for his company’s product, broken out like this: a privately held company with $100 million in sales might pay as little as $53,000, while a midsize, newly public company with $750 million in sales might get started for $75,000, and a multibillion-dollar company with thousands of employees and several locations would begin at $113,000. In all cases, annual maintenance costs would run 22 percent of licensing fees; Capobianco predicts a positive ROI in a couple of audit cycles.
New York–based vendor BWise charges customers based on the number of users and the client’s choice of modules. A cost-conscious customer can start small and add modules as needs arise, since the modules are built in and can essentially be turned on or off at the flip of a switch — or remittance of a check. Like many other vendors, BWise also offers subscription-based pricing for its installed software and a software-as-a-service model that allows customers to pay as they go. Implementations normally take from one to three months, depending on a project’s complexity. BWise chief technology officer Luc Brandts also stresses a fairly short-term ROI (about one year).
Sharpen Your Pencils
All vendors, of course, lead with best-case scenarios. Deloitte principal Brian Parker warns that the tab can run a lot higher. A program dealing with regulatory compliance alone, he claims, can cost $200,000 or more. An integrated approach that delivers the full scope of GRC capabilities can crest the $1 million mark for a large organization. One reason for the spread is that there is not a great deal of uniformity among GRC products in terms of what they do and how they do it; therefore, each vendor’s pitch has to be evaluated very carefully against a company’s needs.
However complicated the buying decision may be, there is evidence that more companies will be sharpening their pencils and taking a closer look, if only to satisfy the growing drumbeat coming from the top of their organizations, and beyond. “Auditors, audit committees, governments, regulators, and credit-rating agencies are increasingly asking companies to improve their risk-management efforts,” says Brandts. “The influx of companies asking for help in this regard has significantly increased over the last few months.”
Corporate Integrity’s Rasmussen notes that a stampede toward G and R (if not C) is creating a brisk sales environment. “Vendors that can target third-party risk management — managing the risk of processes and relationships — are finding that this is a very hot area right now,” he says.