Debunking Integrated Risk Management Assumptions: Part 2 – Total Cost of Ownership

By Will Whitaker

In the first part of this series, we explored the common assumptions and reality around two issues related to IRM solution implementations: ensuring user participation and the efficiency of using existing toolsets. In part two, we examine another common assumption around the total cost of ownership, the realities and best practices for how to handle implementation, and the right way to increase your chances for success.

Assumption: You’ll Decrease Total Cost of Ownership by Adding IRM Use Cases to an Existing Enterprise Platform

Reality: When the analysis includes licensing costs, support and administrative costs, third-party consulting costs, ongoing internal resource time, and change management considerations, building IRM into an existing enterprise platform is not nearly as attractive an option.

This assumption, when selecting an integrated risk management solution, may be the riskiest stumbling block of all. Anything can be built with enough time, money, and resources. But most organizations don’t have unlimited budgets.

Your existing enterprise platform provider may offer licensing incentives or discounts for IRM that make the licensing component of your TCO analysis appear more compelling on the surface. But a more thoughtful total cost of ownership analysis goes far beyond your initial integrated risk management software licensing costs.

While it is true that some efficiencies can be gained when an organization has trained a core team of existing platform administrators, that team must maintain a high level of competence, personnel redundancy, resource availability, project management, and have a very mature change management process. All of that comes with a real internal price tag. If not managed properly, changes introduced within one department’s implementation have the potential to collide with other existing platform applications.

Having all of the organization’s risk data in one enterprise platform is the end game for integrated risk management. The most useful intra-platform integrations within most enterprise platform architectures require fairly advanced administration skill sets to exploit. Depending on the requirement, advanced admins often deploy special scripts or other custom code that require acute knowledge of underlying data models within the specific applications. If the special code “sauce” is not well documented, unwinding it later with new resources will add even more to your TCO.

The bigger risk is that your IRM project requests are now a small handful in a sea of many competing enterprise programs, all vying for the attention of a singular core delivery team. Do you need the ability to be more agile in your IRM deployment? Then be prepared to invest in your own platform administrative team and/or instances (remember the global change management constraints). If you desire to fully own your IRM success and chart your own course at your own pace, you will likely find yourself frustrated, stuck in the back of the enterprise project bread line. And the line only gets longer as more stakeholders make the same erroneous assumption about their use cases.

Best Practices:

  • Before making the decision to adopt the existing enterprise platform as your IRM solution of choice, understand the complete enterprise platform landscape at your organization: number of use cases, current and future stakeholders in their planned roadmap, professional service offerings, etc. Identify where your IRM strategy fits within the complete scope of the enterprise’s strategic priorities.

  • Interview other existing stakeholders who have leveraged the services of the existing platform core team. Take detailed notes about resource commitments, coordination efforts, and service level quality. Quantify your findings in terms of dollars for budgeting purposes.

  • Ask yourself, your team, and your leadership what the appetite is for a) developing core administrative capability within the team or b) outsourcing administrative capability to either your centralized (internal) services team or third-party consultants. Quantify the ongoing costs as realistically as possible.

  • Take a hard look at the ease of platform configuration available in the candidate IRM capabilities, and understand the timeline required by any centralized change management process to QA and deliver a release. Self-service configuration within your department’s own dedicated IRM platform may be easier than you realize with some basic training.

  • Evaluate whether your candidate solution provider has pre-built use cases that closely align with your integrated risk management processes to expedite your initial deployment. Platforms not focused on integrated risk management usually have limited to no pre-configured offerings for risk management workflows, content, or user roles.

  • Naturally, additional customizations increase both complexity and costs. Quantify the service costs for your implementation based on as many known requirements as you can uncover by mapping them to the default capabilities within your provider’s pre-configured solutions.

  • Industry experience matters! Consider an integrated risk management solution partner with real-world implementation expertise that can produce an achievable roadmap towards your desired future state. More efficient solution delivery can significantly decrease your TCO.

  • Investigate whether your candidate vendor, or a vendor’s partner, can provide lightweight, ongoing managed services for platform or configuration administration at a reasonable cost. If there is no desire to develop internal administrative capability, add this ongoing services help, along with your planned subscription renewal license costs, to your TCO.

  • Capture your TCO analysis within a spreadsheet or similar tool, and do your best to quantify, at a minimum, a year 1 TCO and a year 3 TCO. Do not ignore hidden shadow costs that may or may not hit your budget directly (e.g., central service team, infrastructure/hardware upgrades, multiple environments, etc.).

We’ll conclude our series with Part 3 of Debunking Integrated Risk Management Assumptions, by examining assumptions around on-prem and cloud implementation of an IRM solution.