Online Services and the Competitive Edge of a GRC Solution

If your organization's primary revenue stems from an online services model (SAAS, ASP, etc.), you're intimately familiar with the governance, risk, and compliance (GRC) requirements of your customers. Deals can be won and lost depending on your organization's ability to demonstrably address GRC requirements—which is a daunting endeavor. Chances are that your organization is considerably smaller than that of your customers, resulting in customer demands that your organization might struggle to accommodate. Your customers could also span many industries and locations, and could range from garage startups to pillars of the fortune 100. How does your organization handle these diverse GRC requirements? More importantly, how do you make your organization's GRC Service Management solution a competitive differentiator? You might quickly find that your GRC solution could become a barrier to your competitors and prevent your customers from even considering them as an alternative. 

Focus on markets with similar GRC needs

If your organization can identify a market segment that shares similar GRC requirements, a focused compliance effort can result in domination of that market. If your organization steadily raises the compliance bar, it can build a solid GRC solution that forces the competition to follow your lead. More complex GRC markets can then be tackled, easing the organization's compliance burden through paced incorporation of a truly functional and auditable GRC solution. Soon you aren't blindly promising that your customer can trust you, hoping nothing happens. Instead you can let your GRC solution speak for you, while your competition is left scrambling for evidence they can meet the new bar you've set.


Regardless of the size of your organization, your customers will expect its GRC requirements are your GRC requirements. These requirements can quickly overwhelm your organization if you are a small vendor catering to a fortune 100 client. Gather your head of marketing, sales, and your GRC subject matter expert(s) to create a heat map of potential industries, locations, and customer groups that share common GRC requirements that are applicable to your service. This exercise shouldn't take more than a few hours, and you will likely be able to quickly identify customers who share common GRC requirements due to region or industry, for example. Your GRC subject matter expert will also be able to quickly judge the complexity of the regulations that apply to these customer groups. Government and healthcare organizations will top the list of complex GRC requirements. Customers in Europe will top the list of regions with the most complex GRC requirements. Is your organization prepared to handle such complex requirements, or should you aim for less complicated industries and locations with requirements that can immediately be met? International, government, and healthcare industries are lucrative, but they maintain significant and often hidden costs that will be forced onto your organization once a deal is signed.  

Tally the cost of customer GRC requirements

 Greater GRC expectations include documented business processes, a regularly tested disaster recovery plan, dedicated hardware, security staff, and complex, customized configurations along with regular onsite audits. Beware the executive who dismisses these requirements as mere paperwork or worse, that they limit the liability of non-conformity to the cost of the contract.  The costs of non-conformity will not end at the value of a contract, and could potentially dwarf any profit.  Your organization's insurance might not cover any breach or failure to apply required controls. Non-compliance could even ruin the reputation of your business through a publically communicated security breach, required under many privacy laws. 


Before someone dismisses these costs as inconsequential to the potential profit, you should tally and review all potential costs of the customer's requirements. Passing these costs to the potential customer doesn't work in all situations, especially if the GRC requirement will benefit many or all of your customers once instantiated, or if it requires significantly more investment in the GRC solution than will be realized by the customer. For example, it is doubtful (although possible) that a single customer would pay for a disaster recovery site. Potential profit requires accurate tallying of GRC requirement costs. 

Develop a cohesive GRC message

Does your organization manage customer GRC requirements individually, or are the lessons learned from each engagement brought together under a GRC solution? Could the sales staff use a secret weapon to thwart the competition? Gather the sales executives, sales engineers, and deployment team managers together to determine whether GRC requirements are important to your customers. Determine what types of questions come up during demonstrations, RFCs, RFPs, and deployment of the customer's newly purchased solution. Questions don't end when a deal is signed! Determine if a cohesive GRC message could be created that enables the sales team to close deals quickly and confidently. The GRC solution could span from a sales presentation to a repository of answers used to quickly and uniformly fulfill customer RFCs and RFPs. Determine how the competition deals with these issues, and make your solution more professional than any available. Train the sales staff so that they understand why this is a secret weapon, and raise their confidence that your organization has the best solution.  

Pace the GRC solution

 Your organization cannot certify to every available set of GRC documents, commonly referred to as GRC authority documents. There are more than 400 GRC authority documents, many of which carry certifications. Determine which certifications would close deals, and which are too costly to consider. This determination will lead to new markets and possibly close others. Consult with your GRC subject matter expert to determine the best course of action. 

Keep competitors in the rear-view mirror 

The competition won't be ready for the bad news when your GRC solution becomes a deal-closing trump card. They also won't be prepared to immediately close the gap. After all, consider how much thought went into the analysis, planning, and execution of your new GRC solution. Consider what questions your customers should ask the competition. Improve and expand those questions as your organization matures, gains certifications, and increases market penetration. You'll be leading the pack, closing deals while others aren't even invited to the table.


Jeffrey Miller

Comments (1)

Skip to main content