My first compliance software sourcing project was in 2008, and it failed miserably. I went on to experience varying degrees of failure and, ultimately, success over the years through trial and error, incorporating lessons learned into each new project. Without getting into the stories, my early projects failed for one big reason, which drove every other reason: I didn’t engage end-users. I was head of enterprise compliance programs and I was clear on what was technically required. After all, I wrote the policies, standards, and procedures that informed our operations. But ultimately, I wasn’t the one using the solution on a day-to-day basis, so failing to account for that early and often had an unpleasant downstream effect.
To hear more about my experiences and delve deeper into the qualities you should be looking for in regulatory compliance software, sign up for our weekly fireside chats. What I present below are the best practices I distilled from my experiences for finding the regulatory compliance software that meets your needs.
How to Find the Best Regulatory Compliance Software
As you know, many processes and considerations go into sourcing a software solution. Chances are your firm has a third-party risk management program with established processes you have to follow. This article is not focused on those. It is focused on the few things you, as a compliance professional and the subject matter expert, must do to get a technology solution that adds value to your operations. The best regulatory compliance software solution is the one that does what you need it to do, and what those things are varies from firm to firm depending on the maturity of your compliance management system.
1. Develop an Acquisition Strategy
- Calibrate strategic choices for your acquisition strategy
- Use an incremental approach when searching for the best regulatory compliance software solution. A single-step acquisition should be an exception
- Incorporate commercial off-the-shelf (COTS) solutions only where an 80:20 solution is good enough
- When you define your acquisition strategy, choose an approach that takes into consideration operating and maintaining the solution
To avoid underachievement of expectations and failures, you must clearly define outcomes and critical success factors. The acquisition strategy helps you by asking two fundamental questions: (1) What technology solution do you need to acquire? (2) How do you acquire it? It establishes a roadmap that you follow throughout the life cycle of the acquisition and/or implementation.
Keep in mind that a technology solution in and of itself may not be the right answer to achieving your goals. It can help or hinder it, but it cannot create it in any sustainable fashion. You can’t make good use of a technology until you can tell whether it is relevant to your business goals. If it doesn’t fit squarely with the capabilities you need, ignore the hype and move on. If it is relevant, then become a pioneer in applying the technology.
So, the first question you need to ask yourself is why are you in the market for a regulatory compliance software solution? Is it the need to access new technology, desire to streamline processes and gain operational efficiencies and boost employee morale, or desire to reduce cost? Answering these questions will help focus your research and lead you to the best regulatory compliance software solution.
Start by defining your strategic business and technology goals and objectives. Break down your current processes and assess how a different approach might improve quality, promote transparency, improve operational efficiency, and reduce cost. The move to developing and/or implementing a software solution is transformative, and you will be successful only if you are clear about what you want, understand how it supports your goals and objectives, and follow through with an operational model that allows you to manage the change while simultaneously managing the solution provider.
Remember—You are trying to manage one specific risk—the risk that the solution will not meet the needs of your stakeholders, i.e., the end-users.
One thought about COTS solutions. Based on my experience, for regulatory compliance operations, COTS products don’t work out as well. The advantages I was sold when I implemented one were lower cost and quicker availability, but by the time we had configured it to meet at least 80% of our specific needs, it had taken 6 months, and we ultimately didn’t save any money compared with simply outsourcing the development. Simply put, the use of COTS in regulatory compliance introduces challenges. When a software provider builds you a solution to meet your specified set of requirements, it gives the solution provider more detailed insight into your operations. With a COTS product, this is not the case. The system has been developed to meet a broader need defined by the larger market. If the market’s needs do not fully align with your specific needs, and they rarely do, then an 80:20 solution is what happens. This creates endless frustrations for your team and, sooner or later, you’ll scrap it.
And trying to modify a COTS solution beyond the specified configuration options is not a good idea. When you change a product in such a way that it diverges from the commercial product, it will no longer function to meet its defined purpose, and much of its original benefit is lost. Continuing with my COTS experience, because we reconfigured it so much, we ended up with an enormous data quality issue. Further, support of the product becomes complicated, if not impossible, and installing subsequent releases forces you to incorporate the changes into every new release. My recommendation—If your needs don’t align fully with those of the commercial component, you should reconsider using a COTS solution. Alternatively, you can modify your needs to the capabilities of the COTS solution.
2. Develop Acquisition Requirements
- Obtain stakeholder needs, expectations, constraints, and interfaces. Probe for the rationale of business processes, tasks, and deliverables
- Immerse yourself in the end-user’s environment. Instead of relying only on user stories and on reviewing policies, procedures, and standards about how work is performed, observe how work actually gets done
- Carefully assess how much value the proposed solution will add to the end-users. Let the business situation determine the technology solution
- Translate stakeholder needs, expectations, constraints, and interfaces into clear, concise, and testable requirements
- When documenting contractual requirements, focus on the value-add
The essence of finding the best and most successful regulatory software solution is to understand which solutions will add value. So, the first step in developing your requirements is to engage the end-users early and often. My early software acquisition failure was that I didn’t engage end-users early and often. Present the idea to them immediately. Help them understand what you have in mind.
The second step is to listen to them carefully, thoroughly, and in enough detail and context that you can understand what is really important. Remember that the stakeholders’ focus is on the solution that adds value to their day-to-day operations. Therefore, making requirements explicit early in the acquisition process reduces the need for later redesign and rebuilding, and the endless frustration for you and end-users if the wrong solution is ultimately implemented. I include “you” because the equally endless complaints will eventually find their way to you.
Decompose business processes. Use observations and walkthroughs to elicit needs. Watch individuals at work and produce detailed records of work activities. Actual work practices differ from prescribed practices as documented in policies, standards, and procedures. Observations provide additional insight into how end-users perform their activities. By analyzing social interactions, you gain a better understanding of what people do and how or why they do it.
When you define the requirements, don’t produce an exhaustive list of every possible requirement. That will do more harm than good, as it becomes a constraint for the solution provider. Rather, focus on significant differentiators (minimum requirements), i.e., the specific foundational characteristics that enable the software to achieve its purpose. This allows you to answer the question: how good is the solution at satisfying your specific needs compared with how those needs are satisfied today?
Accurate minimum requirements allow you to make choices about which requirements meet your criteria. This process of determining whether a requirement is a must-have or merely an attractive requirement is the first step in prioritizing your requirements. This takes profound knowledge, but if you’ve done a good job engaging end-users, it’ll be easier.
Look for software solutions with nonfunctional requirements in mind. I’ve made the mistake of focusing mostly on functional requirements. For the solution provider, this is good because they can easily translate these into code. However, in the regulatory compliance space, in many instances, nonfunctional requirements like usability, scalability, reliability, and performance determine functional requirements and should be the deciding criteria for your solution.
After you have established your significant differentiators and standard requirements, translate them to contractual requirements. The contractual requirements specify the criteria that solution providers must meet to have a successful deliverable.
3. Establish a Solicitation Package That Accurately Identifies and Clearly Defines Desired Functionality, Security, and System Features
- Create a solicitation package that is commensurate with the value and risk of the capabilities you’re looking for
- Build flexibility into the proposal for a solution provider to demonstrate creative alternative solutions
- Use a competitive process to allow you to review various solutions and alternatives
- Evaluate proposed solutions according to the documented proposal evaluation plan and criteria
- Select solution providers based on the evaluation of their ability to meet specified requirements and established criteria
After you have developed the acquisition strategy and requirements, identify potential solution providers that have the capabilities and resources to meet the needs of your acquisition. In finding the best regulatory compliance software solution, one of the most important decisions is which provider to partner with. Use Request for Information (RFI) and Request for Proposals (RFQ) to facilitate your vetting process. A competitive environment is valuable not just from a pricing perspective but also because it gives you the opportunity to review various solutions and look at alternatives.
Your solicitation package must be comprehensive enough for providers to formulate an accurate and targeted response but flexible enough to allow them to offer suggestions of other ways to satisfy the requirements. If you don’t clearly articulate your objectives in your RFI or RFQ, providers who respond will merely add risk to your project. Remember, the solution provider’s responses are only as good as your proposal. Therefore, your RFQ should correspond to the caliber required for your complex undertaking. And finding the best regulatory compliance software is a complex undertaking.
4. Verify and Validate the Solution
- During development and/or implementation, continuously review the performance limits of the proposed solution
- Verify the implementation against contractual requirements
- Validate the product and analyze the results of the validation. To increase the probability that the proposed solution will perform as intended, validate requirements in frequent exchanges with the end-users
- Thoroughly test and pilot training materials
- Analyze the interfaces to ensure that they are complete and in alignment with the intended environment
The biggest risk in finding a regulatory compliance software solution is that the solution will not meet the needs of stakeholders. To this end, develop measures of progress and output that are traceable to your goals. Without metrics, you cannot manage a software acquisition.
Verify that the product will function in the intended environment, that it is of the specified quality, and that it meets the criteria established in the agreement.
It is also crucial to ensure that personnel are trained to operate the new solution. A solution that isn’t used as intended diminishes in value proportionately to the time, effort and money that were put into unused or unusable feature(s).
It is critical that you perform technical reviews. They establish the consistency of the proposed solution vis-à-vis the contractual requirements and design constraints. Throughout the project, review for how “real” the proposed design is—does it live up to your requirements for performance, usability, and scalability?
Finally, you must account for the learning of stakeholders. This is the only reliable way to establish, continuously modify, and validate the solution’s value proposition.