Perhaps one of the biggest questions facing the leadership of businesses and organizations in today's Governance, Risk, and Compliance space is "What do I do first when it comes to implementing an IT GRC Program? Do I procure an IT GRC software solution (platform) first and then implement the program while building out and configuring the platform? Or, do I first develop and implement an IT GRC program and then procure an IT GRC platform down the road? And, if the latter is the case, how do I know when the right time is to begin that procurement?"
All very good questions, and like most things IT GRC related, there's no "silver bullet" answer. There are, however, lessons learned and best practices that can be followed to make the best possible decision for your particular company or organization.
One paramount lesson that companies and organizations keep learning the hard way is that procuring an IT GRC platform does not, by itself, create a stable, effective IT GRC program. Typically, what happens in this scenario is that the company now owns a large software application that nobody knows how to use to manage the GRC program, not even the company that sold it to them.
Why does this happen? Because IT GRC is not a software solution, but rather a program and a process. To successfully implement an IT GRC platform solution, you must first have a clearly defined IT GRC program in place. And once the program is in place, it will continue to evolve as requirements and guidelines change. Therefore, the configuration requirements for the GRC platform should continue to be defined even after the IT GRC program is implemented. While the program and platform can arrive at the same time, or one before the other, the Program always defines the Platform, and therefore I recommend that organizations develop the program first.