In this article, I'll share a unique insight into the different licensing models, tricks and opportunities for buyers of GRC software. You'll also learn some secrets that traditional GRC vendors won't want you to know.
Traditional enterprise software licensing models
Historically, most enterprise software (SaaS) is licensed on one, or a combination of:
Per user. A pricing structure based on the number of users or seats. This pricing model is often segmented, with varying price levels for different user roles or levels of access - pro user, lite user, read-only user, administrator and so on.
Per module. Most enterprise software consists of different modules that cater to different use cases. Vendors may offer prices based on the specific modules a customer wants to use.
Per package or suite. A variation on the point above is where software modules are bundled as a package or suite. This helps remove complexity and simplifies the entry point for customers until they need more.
- Per metered metric. This is a way for customers to pay for what they use according to usage metrics such as the number of end-customers, number of vendors, total data storage, or number of records.
The GRC software market
Within the GRC software market there are a few nuances to the above in the way software is licensed:
Per content item: Some GRC solutions offer access to specific content libraries, such as regulatory compliance content, templates, or best practices. Pricing can be based on the level of content access or licensing required.
Per vendor: For organizations that need to manage and assess risks related to their third parties, GRC software might offer pricing based on the number of vendors or suppliers that are being monitored and managed through the platform.
Per compliance framework: GRC software often supports multiple compliance frameworks and standards, such as SOC2, ISO, NIST, or industry-specific regulations. Pricing may vary based on the number of compliance frameworks a customer wants to use.
With traditional GRC vendors, there's typically a professional services cost related to implementation, support and training. In most cases, this is priced separately and is a function of time, effort, and a rate card.
Lessons learnt from licensing GRC software
Here's what I've learned over 25 years as a CIO overseeing $750M in IT procurement:
- Simplicity is paramount: The importance of flexibility in software licensing is critical. Traditional per-user or per-module models can get very complex and end up being really hard to forecast.
- Cost transparency: Understanding the total cost of ownership (TCO) is critical. It's not about the initial licensing cost but also ongoing expenses like support, training, and maintenance. Clear visibility into all costs ensures there are no unexpected financial surprises down the road.
- The scale and complexity trap: Businesses evolve, and your software needs to evolve with you. Licensing models that allow for easy scalability at your discretion, ensure that your GRC software investment is in control.
- Risk mitigation: GRC is ultimately about managing risks. When it comes to licensing, risk mitigation means understanding the potential pitfalls of each model. Aside from licensing, the biggest risk comes from being locked into services with a misaligned licensing model.
The alternative approach at 6clicks
6clicks is licensed very differently from traditional GRC software. There's no user-based licensing, no per-module fee, and certainly no metering on things like vendors, assessments, content or compliance frameworks.
This approach is simple and aligned with our Hub & Spoke architecture (read more about this here).
So, with 6clicks, you just pay per spoke (say function, business unit, project or holding company.)
Avoiding the TCO squeeze
Have you heard of "the squeeze"?
It's a term traditional GRC software vendors use to describe the way in which they charge you more as your business grows and the complexity of your implementation increases. As a buyer myself, I've experienced this firsthand.
It's an experience that goes something like this:
You pay per user per month... start small, and costs seem in control.
You start paying more as the adoption and deployment grows based on usage.
It gets complex quickly with licensing rules left, right and centre.
You have to pay for upgrades, customization and configuration at a rate card and scope you can't control.
You've got no negotiating power.
Proportionally, it actually costs more.
If not for your team now, but for the teams that follow you, please avoid the squeeze.
Also, if you found the above useful, check out this blog: The question I am asked most about the GRC market from heads of risk and compliance.
About the author
Anthony Stevens is a thought leader and visionary in the field of Artificial Intelligence (AI) and enterprise software. As the founder and CEO of 6clicks, an AI-powered Software-as-a-Service platform for risk management and compliance, he is a pioneer in the industry.
Anthony has extensive experience in digital transformation and the application of advanced technologies, which he shares in his book Chasing Digital: A Playbook for the New Economy. Throughout his career, Anthony has overseen over $750 million of IT procurement and many major shifts in the enterprise software market.
Before founding 6clicks, Anthony held several executive roles for publicly listed and private businesses, including Partner and Chief Digital Officer at KPMG, where he led the digital transformation of the firm's business model. Anthony was also a CIO Advisor for Zoom.
Anthony holds a Bachelor of Commerce, a Bachelor of Information Systems, and a Master of Commercial Law from the University of Melbourne. He is also a Graduate of the Australian Institute of Company Directors and was named Young Executive of the Year in 2011 by AFR BOSS.