Over the last several months we have seen partnership announcements from several Enterprise Risk (ERM) or Governance, Risk and Compliance (GRC) vendors. The announcements go to great lengths to explain how the strengths of each party complement the other. Typically, one vendor gets access to the other’s superior client base while the other gets access to superior technology.  In theory, the partners benefit by leveraging each other’s customer bases and technology.

What is not so clear – and what the press releases don’t address – is this: What is the value to customers, and what are the hidden costs and risks associated with these partnerships?

From the business user perspective, implementation, training and customer support issues will all need to be addressed. How much additional time and money will need to be budgeted for implementation and training? Will customers require training on two different systems? Will customers experience longer implementation times? Who does the customer call when bugs occur, and will they need to report the bug twice? What are the ongoing customer service implications? How will upgrades be coordinated? How will customers address product enhancements? How will the customer incorporate evolving ERM initiatives?  How does the customer deal with the fact that vendor incentives and capital budgets may not be aligned?

On the IT side, the operational complexity surrounding partnerships grows exponentially. Building an integrated product offering is a non-trivial exercise. It includes concerns such as overlapping ownership of data (e.g. permissions, risk control library), performance (how can you synchronize caches across heterogeneous technology?), coordinating product upgrades and compliance with corporate standards across multiple disparate product lines and teams, and providing a single point for administration, logging and backups.  Without the seamless integration of both parties, a number of critical functions of the system become impossible – including harmonized security and consolidated or aggregated reporting. Additionally, customization efforts will be more costly as new feature requests will need to be developed bearing in mind functionality from products that have disparate APIs and databases.

It’s possible to solve these challenges, but it’s not easy. And if the integration attempts from companies like Oracle (Stellant) and IBM (Filenet) — who presumably had the wherewithal and competencies to address these challenges – are any indication, it’ll be years before these ERM partnerships can offer their customers a truly integrated offering