What is an RFP?
RFPs (request for proposals) are a widely used procurement process in large companies and government. Generally, RFPs in technology purchases also give the vendors latitude to propose creative solutions as well. RFPs are widely used in government procurement where regulation and fairness concerns are top of mind. If this document is poorly designed, the buyer will not get useful responses and vendors will struggle to understand your needs.
Developing Your RFP: What You Must Include to Receive Quality Responses From Vendors
Use this checklist to improve your next identity management vendor RFP. Keep in mind that long and complex RFPs may discourage vendors — especially smaller companies — from contacting you. If you have previously been disappointed by the number of RFP responses received, consider reducing the length of your RFPs.
1) The Business Need
In brief, explain why you are seeking an identity management solution. For example, you might be planning to take your company public next year. As a result, you are working on an enterprise-wide program to improve security and internal controls.
2) The Scope
Scope is a key factor in attracting the right responses. If you need an identity management system to be used by 2,000 managers spread across 10 countries, make that clear. Further, describe what business unit will have responsibility for identity management. If you are starting a brand new identity management program, mention that fact as well.
Tip: Many projects fail to achieve objectives and blow budget when the scope becomes too large. If you are purchasing an identity management solution for the first time, err on the side of a smaller scope (i.e. a pilot project for one division or department).
3) Key Technical Details
Adding new software to your company is like pulling on a thread — there are often unintended side effects. If integration with Microsoft products and systems like Active Directory matter, explain that as well. Keep in mind that some or all vendors may have never heard of your company before the RFP, so make your needs clear.
4) Existing Identity Management and Password Policies and Processes
No, we’re not asking you to publish your company’s secrets here. Instead, the goal is to help companies understand your level of maturity. A highly mature company might have comprehensive password policies and enforce those policies with systems. A less mature company may have policies but lack the means to enforce them.
5) Training and Consulting Requirements
Training and consulting is a factor that sets apart top tier companies from small players in enterprise software. When you’re managing cybersecurity, you don’t want to guess how to use the software. In your RFP, ask about the vendor’s documents and what training packages are available. For example, are you willing to pay for onsite training and/or implementation support? If you need training in multiple languages, spell out this requirement as well.
Tip: Launching an enterprise-wide cybersecurity program? You may need a separate RFP for a consulting firm to guide you through the process.
6) Specialized Industry Needs
Regulations, history, and habit are some of the reasons that industries develop specialized needs. In the healthcare field, HIPAA (Health Insurance Portability and Accountability Act) compliance is a factor in technology decisions. In the government context, experience with Federal Acquisition Regulation (FAR) makes a difference. Your industry needs may be more complex. For example, you may require a vendor to work with other vendors and outsourcing arrangements you have in place.
Tip: Not sure if you work in a specialized industry? Think back to the last time when you answered “What do you do?” at a party. If understanding your industry requires a specialized degree or certification, then provide detailed guidance on your RFP about your industry expectations.
7) Customer References
What do other customers say about their experience working with the vendor? That’s the key question you are getting at by asking for references. There are two schools of thought when it comes to asking for references. One approach is to ask for references and provide no guidance beyond length (e.g. “we request two reference letters from past customers, no longer than 500 words each”). The restrictive approach specifies additional details (e.g. “we ask references to comment on their experience with training and implementation”).
8) Legal Issues
If your company is sensitive about reputational risk, you may want to ask about the vendor’s legal status. Specifically, does the company have lawsuits, investigations, or audits underway? If so, addressing those concerns may distract the vendor from serving customers. If you receive a large number of responses, use this section to quickly disqualify vendors.
Getting the RFP Into the Market
Unless you are the federal government or a Fortune 500 company, publishing an RFP on your website will probably not cut it. If you only post your RFP to your website, relatively few companies will discover it. To make sure you get proposals from a wide variety of companies, use the following tips:
1) Write and distribute a press release
A press release is a tried and true method for getting your message into the business community. Look at companies such as PRWeb to assist you in distributing your news release. Issuing a press release makes it more likely that your needs will be circulated on high traffic websites like Google News.
2) Add it to RFP databases
There are RFP databases that gather together RFPs from many different online sources. For instance, RFP Zone and Find RFP are two popular options where vendors search for business opportunities. Thousands of companies visit these websites daily, so this is a great way to attract proposals.
3) Promote on LinkedIn
The world’s leading business social network is a great place to promote your RFP. Start by mentioning the update on your company’s LinkedIn page. In addition, look for LinkedIn Groups related to your needs. If you are working on selecting identity management vendor, look for cybersecurity groups. Note that some LinkedIn Groups have rules on what you can post, so keep that in mind.