Is the sky falling? Or is it clearing? Will the new owners be a breath of fresh air? Or will they turn the business upside down? As a risk or compliance manager, you’ll likely hear all sorts of messages from peers, providers, and competitors. Following the acquisition of your Governance, Risk & Compliance (GRC) provider, the only message that matters is this: You have options.
It’s easy to feel as if your hands are tied as you seek answers to questions about what a new, combined company means for you and the users of your current GRC. Asking questions and voicing any concerns regarding the answers you receive is the surest way to proceed prior to extending your contract.
Perhaps the biggest question—and in some cases, the one that is the most difficult to get an answer to—is whether or not you’ll be forced to migrate to the existing GRC platform of the acquiring vendor.
While migration sometimes means you’ll be gaining access to functionality not available in your current system, the reality is that the move may not be as simple, or as straightforward, as promised.
For example, if you are forced to migrate to a new platform...
#1 How long would a migration take? What are the contingency plans should the process take longer than expected, or worse, fail?
Migration is never a “push button” operation. Moving a single client to a new system is difficult—much less dozens or hundreds. Whether the promises are coming from your new GRC vendor or a competitor asking you to consider a switch, any message that doesn’t “fess up” to this fact should be looked at with skepticism.
How long will the process take? Where do you fall in the order of “importance” in relation to other clients? What is the success rate when migrating a system and data similar to yours? Will there be a period during which you’ll be forced to work in two systems—your previous GRC platform and your new one?
Read Next: It's YOUR D@*# Data: You Shouldn’t Pay for Your Risk Management Data
#2 Will the system be flexible enough to replicate existing screens, workflows, and reports used on a day-in, day-out basis?
Beware of assurances that “nothing will change,” as it’s highly likely that there will not be a 1:1 correlation between the features you currently have and those available in a new system. When it comes to functionality, will you be losing anything? How might that affect your processes?
Beyond core functionality, this also applies to any custom solutions that may have been developed over the years. If they are not mirrored through functionality or settings in the new system, can they be easily recreated? If so, does that work come with a lengthy waiting period or additional cost to you?
#3 Will the new system be compatible with other systems used throughout your organization?
Whether it’s a payroll, accounting, or HR system developed in-house or by a third-party, it’s likely that your organization has already invested heavily in software used by other departments.
Will the new system be capable of integrating with those systems? If so, at what cost? Who will be picking up the cost of developing solutions necessary for making the exchange of critical data possible?
Read next: Choosing ERM Frameworks and Technology
#4 Following migration to the new system, what happens next?
Even if your previous system had its limitations, many of your organization’s users “knew” that system inside and out. Power users likely had both the knowledge and, in some cases, access to system tools that allowed them to make changes and quickly resolve issues.
Upon migration, will the new system require a significant amount of training? If so, does your new GRC vendor have plans for providing it? How long will it take for users to get up to speed? Once that happens, will system administrators have the same level of access they had before?
The acquisition of your GRC vendor by another provider doesn’t necessarily mean disaster looms, even if you are forced to migrate. The move to a new platform could be the right thing, long-term, for your organization.
However, relying exclusively on a “wait and see” approach carries significant risk. You do have options.
To explore your options and begin a dialog about what a move to Origami Risk could mean for your organization’s ability to more efficiently manage risk and compliance, start a conversation with us. If you're looking for a guide to help weigh your options, download our free Vendor Performance Assessment.