JULY 2021

users a test environment preferably including the identified features.

· Sandbox testing can help the team formulate a decision, guide a project management plan and prioritization for implementation, and affirm the optimal choice. This improves awareness of the system, such as its user interface and adaptability, and may identify data or application dependencies.
· Real or sample data can be used in the sandbox. Vendors should upload data to avoid wasting time. In this stage, a Non-Disclosure Agreement should be signed to protect both parties.
· The availability and quality of the GRC vendor's support should be assessed; this enables the company to gauge the likely support and capability of the vendor post-acquisition.
· A small number of line managers from each of the control departments will test the functionality of the sandbox. Particular attention should be paid to the strengths of the system and its ability to improve efficiencies.
· The sandbox may provide an indication of customization needs. 'Off the shelf' is simplest. Customization is generally more expensive upfront and affects the ability and willingness to take future upgrades, but could yield an optimal system.

Commercial terms should be discussed and proposed. All implementation, ongoing service and system support costs should be included. Vendor assistance varies widely, with some able to provide a full project management service. Others may suggest implementation partners, which are likely an additional cost.

Talk to Current and preferably Former Customers

Request multiple recommendations from the vendor. References selected should be organizations with profiles as close to the company's as possible. Discussing product and implementation support with current customers in multiple stages of implementation should provide thought-provoking circumstances, implementation challenges, the value (or not) of customization, unexpected costs and a view as to vendor performance. Ideally, there will be customers with a variety of experiences.
GRC software companies often run conferences for potential and existing customers. Working group participation in conferences can be beneficial, albeit generally with a positive selection bias. Lessons learned will be important if they are shared. As a potential customer, you should attend several events and join conversations on the system's effectiveness.

Importance of Clarity in Service Level Agreements (SLA)

Service Level Agreements are a critical part of any software implementation. They require the approval of business managers, the legal department and procurement, and IT assessments of security, compatibility, reliability and disaster recovery support. Carefully construct SLAs to include standards for delivery timelines, in-house or offshore resource provisions, implementation training, system specifications and service monitoring. Escalation procedures should be included to ensure appropriate attention is provided and available. Some elements of an SLA should include:

· Maintenance annex modifications during the project as adjustments are made;
· Schedule of payments that match implementation phases and include certification;
· Verification of completed testing;
· Escalation procedures during implementation and once business is 'usual';
· Up time and response time requirements;
· A break out clause.

Finally, it will be time to implement. Implementations should start small, then scale after initial successes in certain modules. Many GRC systems are modular and best considered in increments rather than as an all-or-nothing implementation. User Acceptance Testing (UAT) should be included in all phases of implementation. The SLA should specify standards for when implementation is completed and business-as-usual service begins. Incremental milestones of approval should allocate both internal and external resources sufficiently. This will isolate and identify system issues sooner. Finding hiccups in one module may reduce implementation time for others as test phases resolve bugs.
Testing should provide positive reinforcement that the right software was purchased. Implement and use the software for at least 12 months to understand system functionality and judge system benefits. Keep abreast of vendor enhancements, but don't seek upgrades until implementation is complete and there is broad acceptance of the system. Training of super users can ease adoption, with internal experts capable of supporting occasional users.

Eileen A Fahey