While some companies chose to build their own compliance technology solutions, many choose to save time by purchasing from an external vendor. When undertaking a vendor selection process there are a large number of issues to consider, many of which may fall outside the standard skillset of a compliance team.
In order to successfully purchase and implement a solution in the most efficient manner, here are ten things to think about when selecting a compliance technology suite.
1. Why do you require the technology?
The first (and probably most important) item is to be clear about what you and your organisation want out of a compliance system. It is vital that you are able to articulate how it will support or improve the business as these will be the first questions you are asked when you seek budget and buy-in from your key stakeholders.
You must to be clear on who is going to use the technology. There are often many other business units who require or already have similar systems (such as supply chain management or partner management). In those cases it is important to decide whether the other units should be included in the programme. If the other business units are included you may be able to split the costs; however, you may decide it is cannier to determine your own needs first and allow others to share the benefits later rather than giving them a seat at the decision-making stage.
However you decide to manage the process, it is vital to remember that there will be many stakeholders in a technology project (including IT) and each stakeholder needs to be managed for the project to be successful.
2. Which functions do you need?
Once you have established your reasons for the technology the next step is to determine which functions will allow you to achieve those aims.
This analysis needs to go beyond the obvious “I need a system to manage my gifts and entertainment policy”. You will need to consider the complexity of your overall processes and determine where the technology-based compliance system will start and stop.
It is often the case that you will be looking for a solution to whatever issue is currently most pressing. When selecting a technology solution, however, it is wise to consider the functions you may need in the future as well as those you need today, either in terms of new compliance programmes or building out the current programme. The worst solution is to have a number of independent systems managing different aspects of what should be a single compliance programme.
3. What are your security needs?
Security is always going to be a key issue in any decision to purchase a technology suite, both in terms of securing the information against the outside world and also controlling access internally. Check your company’s security policy to understand what your IT department has determined as minimum standard.
To help with this decision it is important to consider what information you will be storing (both now and in the future). Some information will be personal (for example information about your or your partners’ employees) and may be subject to privacy legislation which will mandate a certain level of security. Other information may be of a confidential nature; something that you want to keep secure for commercial reasons or information a partner has stipulated security requirements for in a contract.
4. How will you host the system?
The review of your security requirements will lead into the decision about where to host the system. There are a number of decisions to be made with hosting:
- Should you manage the system yourself or let the vendor manage it? Self-management may be cheaper, but the vendor knows the system better so will be able to provide a higher level of support.
- Should you host the system yourself in your own data centre or let the vendor host it? Internal hosting may seem more secure (and is certainly within your control), but its quality depends on your IT budget. It may end up costing more overall as you don’t gain the benefits of low-cost data centres.
- If your vendor is hosting the system, how much of it can be shared with other clients? While many IT infrastructure elements will be shared (networks, firewalls etc.), certain other elements can be dedicated to you if you require (servers, virtual machines, databases etc.). As always, this comes at a cost.
- Where a vendor is hosting the system, can you allow your data to be stored “in the cloud”, where a hosting company (such as AWS or Azure) determines the location without any say from you or the vendor, or should it be a hosted solution in a fixed location which merely makes use of shared resources?
- If you have a choice of location, where should you put your data? Data hosted in Europe will provide the benefits (and obligations) of European Union data protection legislation, and data hosted in the United States may be subject to government surveillance; however, data hosted outside these two areas might raise suspicions amongst your partners about the quality of the protection.
5. How much support will you need?
Whilst every vendor would like their system to be available 100 percent of the time, the reality is that things break. Many problems can be overcome by sensible architecture (including backup components and reducing single points of failure) and appropriately sizing the capacity required, but again, this adds to cost.
Most vendors will provide some form of after-sales support for the systems they sell. There will generally be a cost to this service, determined by the level of support you require. It’s easy to say that your system is mission critical and requires 24-hour, seven-day support and 99.9 percent uptime, but how much are you willing to pay for that?
When considering support it is important to understand the different types that are available:
- Infrastructure support – fixing servers and network equipment (but not the internet) and the underlying software (operating systems, web servers etc.)
- Software support – maintaining the software that you have purchased
- Usage support – assisting with the day-to-day use of the system, ranging from password reset requests through to “how to” questions
- Data support – ensuring and maintaining data quality if data has been entered incorrectly
- Process support – making sure that people follow the processes that you have determined.
Some vendors will support the infrastructure and software but will leave you to manage everything else yourself. It is also worth considering how much of the support you can manage internally through your existing support desk function.
6. How should the system be maintained?
It is easy to focus on getting your system purchased and implemented and neglect to consider the changes that may occur over its lifetime. Changes that you should consider include:
- amendments to your compliance programmes after reviews or changes to legislation
- changes to your business with internal restructuring and mergers or demergers
- the workflows and processes within the programmes changing when people join or move around the business or when defects and inefficiencies are removed
- updates and improvements that the vendor provides for the system
- changes to data retention and archiving requirements.
Whilst the future is generally unknowable, it is important to have these changes in mind as part of your overall vendor selection.
7. How will the system be implemented?
It should never be forgotten that a software solution is not a business solution. Prior to any launch there is likely to be a large amount of work to be done to configure the suite to meet your requirements and workflow.
You therefore need to decide what resources are available to perform this work, who will manage the project, and whether the vendor has any resources or skills to support your implementation.
In addition to building and implementing the suite it is vital to train your staff on how to use the system and how the processes within have been designed. Deciding who needs to be trained and how to go about training is another key decision to make.
8. How will the system connect to your other systems?
It is rare that a full suite of compliance tools will run without any interaction with your existing systems. Regardless of where the system is hosted, you should consider whether you could benefit from integration with:
- human resources systems to ensure new users are added and old ones removed
- authentication systems which allow single sign on to simplify the log-on process for users
- enterprise resource planning (ERP) systems to manage new partner on-boarding
- travel and expense systems to support gifts and entertainment tools
- learning management systems (LMS) to support central recording of training.
Once you have determined the type of data to integrate you should then consider the level of integration. This can often have a significant cost implication.
Types of integration include:
- manual uploads using a defined template
- manual file transfers using a secure protocol
- automated transfers at regular intervals over the internet
- automated transfers on demand (i.e. when a new user starts or a new partner is entered).
Decisions on the automation and level of integration require a cost-benefit type review to weigh the time and resources of a manual process versus the cost of building and maintaining an automated process. Vendors should be reviewed not only on the integration options they provide, but also on their flexibility in allowing integration to grow as you better understand your processes.
9. Which vendor will you use?
Once you have answers to the preceding items you will have a fairly clear and detailed specification to use in a vendor selection process. In cases where no single vendor provides the total package it becomes important to weigh up the various aspects to find the best overall solution.
It should be remembered that, like any other large-scale technology, a compliance system requires a long-term relationship. So what else should you look for in a vendor?
If you were to look at venders in the same manner as you do your third party compliance programme you would probably ask questions about their reputation and the way they do business. Can you trust them with the confidential and private information that will likely be stored on the system? Do they understand your business? Do they understand what compliance is about? How you will be using their system to further your compliance objectives?
10. How often will you review the system?
A final consideration is when to review the choice of system as a whole. Given the time and effort which goes into selecting and implementing the suite of tools this is not a review that will be undertaken more than once every few years. It should not, however, be forgotten. Thinking about the criteria which will guide any future review prior to vendor selection can often help to highlight the relative importance of the original selection criteria.
In the event that you do decide to change systems, you must consider your contractual rights and how you retrieve your data from the incumbent vendor.
There are a lot of factors to consider when deciding on a compliance technology suite. The most important rule to remember is that the technology should always be adapted to your needs rather than you being led by a vendor. Understanding and clearly articulating your requirements is the first step towards that goal.