
Becoming a Better Compliance Technology Buyer: Cutting Through the Noise

The compliance technology and broader GRC solution landscape are more complex than ever, and becoming a better buyer means more than just asking the right questions—it requires cutting through the noise of biased advice. In my recent analysis of RFPs, I’ve seen firsthand how the system can be stacked in favor of certain vendors, often driven by consulting firms with something to gain.

The Perils of Impartial Expertise

An alarming trend has surfaced: Many consulting firms, supposedly neutral advisors, are quietly steering clients towards solutions with massive implementation costs. Why? These firms benefit from bloated implementation projects that can cost millions and take a year or two to deliver value. What should be an impartial solution selection process is manipulated to favor these high-cost solutions, leaving more agile, cost-effective competitors out of the conversation entirely.

Consider . . .

The Consultant Trap

Consulting firms may claim to offer unbiased advice, but if they stand to gain from lengthy and expensive implementation projects, their motivations may not align with yours. Always question why a certain provider is being recommended. Is it truly the best fit for your organization, or is it the most lucrative for the consultant?

Analyst Firms and Narrow Perspectives

Similarly, industry analysts often provide a narrow view of the market, typically focusing on large, established vendors and on IT risk and compliance. The solutions they recommend may not be the best fit for your unique compliance challenges. Innovative startups or smaller players that could meet your needs more effectively are often overlooked. Don’t be afraid to dig deeper and seek out diverse perspectives.

The Stacked RFP

If your RFP seems unbalanced, with a shortlist that doesn’t reflect the full range of market offerings, ask how it was curated. I’ve seen many cases where RFPs are manipulated to exclude serious competition, favoring providers with deep ties to consulting firms or those offering the highest implementation project fees.

Becoming an Informed Compliance Technology Buyer

It doesn’t have to be this way. You can break free from these skewed dynamics by becoming a more informed buyer. Ask the tough questions, challenge the advice you’re given, and seek out diverse viewpoints. Don’t let any one voice dominate the conversation.

Ultimately, you deserve better—a technology solution that fits your needs, not one that lines the pockets of others. With the right approach, you can ensure that your organization makes decisions based on value and performance, not external agendas.

The challenges within the RFP process don’t just impact buyers—they frustrate vendors, too. An example from a recent RFP shows just how flawed this system can be. Common frustrations include:

  • Little to no access to actual business stakeholders who would benefit from the system.
  • RFP processes are too often managed by procurement teams that may be unempowered, uninformed, or uninvolved.
  • Deadlines and due dates change, often at the last minute after submissions have been made.
  • Poor communication on the outcome of decisions, with little to no feedback on why a vendor was disengaged or delayed indefinitely.

These experiences aren't unique to a single company or industry. Vendors, particularly in the post-pandemic era, have grown increasingly reluctant to engage in RFPs unless these common challenges can be addressed. The cost of participating in a broken process often outweighs the benefits.

Changing the Rules

The RFP game may be rigged, but with the right knowledge, you can change the rules. Whether you’re buying or selling compliance technology, it’s crucial to navigate the process with a clear-eyed perspective. Don’t be afraid to question motivations, challenge assumptions, and demand more transparency.

In the end, the goal is to find a technology solution that truly fits your organization’s needs—one that delivers value and impact, rather than inflating costs and complexity for others' gain.

Next time you're in the market for compliance technology, step back and ask: Who’s really benefiting from this recommendation? Then, chart a course that serves your organization’s best interests.


Michael Rasmussen

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on enterprise GRC strategy and processes supported by robust information and technology architectures. With 30+ years of experience, Michael helps organizations improve GRC strategy and processes supported by the correct GRC technology architecture. This enables organizations to align GRC with the business and deliver effective, efficient, resilient, and agile capabilities to the organization. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — the first to define and model the GRC market in February 2002 while at Forrester. Prior to founding GRC 20/20 Research, Michael was a Vice-President and ‘Top Analyst’ at Forrester Research, Inc. Before Forrester, he led the risk/compliance consulting practice at a professional services firm and has specific experience managing compliance and risk within organizations. Michael’s educational experience consists of a Juris Doctorate and a Bachelor of Science in Business. Michael is currently pursuing an M.A. in Church History at Trinity Evangelical Divinity School. He is a GRCP (GRC Professional), a CCEP (Certified Compliance and Ethics Professional), and a CISSP (Certified Information Systems Security Professional). OCEG has recognized him as an OCEG Fellow for his contributions and advancement of GRC practices around the world. Specialties: GRC (Governance, Risk & Compliance), compliance management, risk management (e.g., strategic, operational, legal, compliance), business ethics, corporate governance, investigations, corporate policy management & communication, corporate social responsibility.
