GRC 20/20 Announces 2014 GRC Value Award Recipients


GRC 20/20 Research is happy to announce the recipients of the second annual GRC Value Awards. The 2014 GRC Value Awards honor twelve leaders in GRC for real-world implementations of Governance, Risk Management and Compliance programs and processes that have returned significant and measurable value to an organization.

GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].[1] Successful GRC strategies deliver the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment. GRC solutions should achieve stronger processes that utilize accurate and reliable information. This enables a better performing, less costly, and more flexible business environment.

GRC 20/20 measures the value of GRC initiatives around the elements of efficiency, effectiveness and agility. Organizations looking to achieve GRC value will find that the results are:

  • GRC Efficiency. GRC provides efficiency and savings in human and financial capital resources by reduction in operational costs through automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • GRC Effectiveness. GRC achieves effectiveness in risk, control, compliance, IT, audit, and other GRC processes. This is delivered through greater assurance of the design and operational effectiveness of GRC processes to mitigate risk, protect integrity of the organization, and meet regulatory requirements. GRC effectiveness is validated when business processes are operating within the controls and policies set by the organization and provide greater reliability of information to auditors and regulators.
  • GRC Agility. GRC delivers business agility when organizations are able to rapidly respond to changes in the internal business environment (e.g. employees, business relationships, operational risks, mergers, and acquisitions) as well as the external environment (e.g. external risks, industry developments, market and economic factors, and changing laws and regulations). GRC agility is also achieved when organizations can identify and react quickly to issues, failures, non-compliance, and adverse events in a timely manner so that action can be taken to contain these and keep them from growing.

Nominations from GRC programs within organizations were evaluated and vetted. Nominations were evaluated for depth of quantitative facts, and each final selection was validated by GRC 20/20 with the specific implementation to attest to its accuracy. Nominations were scored on both quantitative (hard, objective facts and figures) and qualitative (soft, subjective opinions and experience) measures of GRC value as they pertain to the benefits received. Twelve are recognized across the following categories (in alphabetical order of the company that received the value):

  • How a Credit Union Achieved Value in IT GRC. Understanding and managing IT governance, risk management, and compliance (IT GRC) in today’s environment requires a new paradigm in managing interconnections and relationships. What may seem an insignificant IT risk in one area can have a profound impact on other risks and cause compliance issues. One credit union that GRC 20/20 has researched struggled with decentralized processes and documents for managing IT security, risk management, and compliance. The credit union evaluated its options and looked at IT GRC solutions to assist with this problem. The result of that evaluation led it to engage and deploy TraceCSO from TraceSecurity, a Software as a Service (SaaS) solution that the credit union found easy to engage and deploy to meet the range of its IT GRC needs. GRC 20/20 has evaluated and verified the implementation of TraceCSO at this particular credit union and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized TraceCSO with a 2014 GRC Value Award in the domain of IT GRC. TraceCSO gave the credit union the ability to measure, identify and remediate issues across processes and operations more efficiently and at a much lower operational cost.
  • How DUBAL Achieved Value in Risk Management. Exponential growth and change in risks, regulations, globalization, distributed operations, processes, competitive velocity, business relationships, technologies, and business data encumber organizations of all sizes. Organizations are hindered when aspects of risk are managed in disconnected silos that do not share information and collaborate. Integrated and sustainable risk management improves risk maturity and strengthens decision-making. This cannot be accomplished in silos; it requires a federated approach to risk management supported by a foundational risk information and technology architecture. Dubai Aluminium (DUBAL) was challenged in getting a consistent view of risks across the enterprise with standard definitions, language, and framework. To address the challenge of herding the silos of risk, DUBAL established a structured and systemic approach to risk management by implementing a new Enterprise Risk Management (ERM) framework. To enable this ERM strategy, DUBAL implemented the MetricStream ERM Solution. GRC 20/20 has evaluated and verified the implementation of MetricStream at DUBAL and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized MetricStream and DUBAL with a 2014 GRC Value Award in the domain of Risk Management.
  • How Exxaro Achieved Value in Internal Control Management. Today’s organization is in a continuous state of change in business operations, processes, employees, business systems, transactions, access to systems, and more. Organizations cannot rely on manual, ad hoc, and document-centric approaches to manage controls of critical business systems. Organizations need to establish a strategy and processes, supported by technology, to build and maintain a risk-aligned process control program that balances business agility with control and security. Such a program mitigates risk, reduces loss and exposure, and satisfies both auditors and regulators, while enabling the business to perform consistently, efficiently, effectively, and with the agility the environment demands. To address this challenge, Exxaro selected SAP Governance Risk and Compliance (GRC 10.1) Process Controls to manage and monitor processes across all areas of the organization. GRC 20/20 has evaluated and verified the implementation of SAP Process Controls at Exxaro by CQS and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized Exxaro, its partner CQS, and SAP with a 2014 GRC Value Award in the domain of Internal Control Management.

  • How Fossil Achieved Value in Third-Party Management. Organizations today struggle to identify, manage, and govern risk and compliance in extended business relationships as they stand in the shoes of their vendors, partners, suppliers, and other third parties. Section 1502 of the Dodd-Frank Act obligates publicly traded companies governed by the SEC through the Exchange Act to disclose the use of tin, tantalum, tungsten and gold (collectively referred to as 3TG) in products and processes, and to disclose whether those minerals originated in the Democratic Republic of the Congo or nine surrounding countries. After a careful review of solutions, Fossil chose LockPath’s Keylight GRC Platform for Conflict Mineral Compliance to manage supply chain risk and lower the overall costs associated with Dodd-Frank Section 1502. GRC 20/20 has evaluated and verified the implementation of LockPath Keylight at Fossil and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized the LockPath Keylight platform with a 2014 GRC Value Award in the domain of Third Party Management.
  • How Hudson City Savings Bank Achieved Value in Issue Management. Banks are struggling with disconnected approaches to issue reporting and management. This is a particular concern given the growing regulatory requirements around the management and reporting of issues in the context of customer complaint management. To address this challenge, banks need a coordinated strategy and information architecture that provides consistent issue reporting and management. Hudson City Savings Bank (HCSB) deployed MetricStream to manage its issue and complaint management program as part of a broader GRC strategy and architecture. GRC 20/20 has evaluated and verified the implementation of MetricStream at HCSB and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized MetricStream and HCSB with a 2014 GRC Value Award in the domain of Issue Reporting & Management. HCSB’s overall federated GRC approach and unified GRC framework and architecture provide a holistic view of issues, complaints, and associated risks, mapped to subject matter experts who see things through to resolution.
  • How National Disability Services Achieved Value in Federated Governance. Keeping business complexity and change in sync is a significant challenge for boards and executives as they seek to govern the organization. Organizations require complete situational and holistic awareness of governance across operations, processes, relationships, systems, and data to see the big picture and its impact on organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to governance. To meet this challenge, National Disability Services (WA) adopted Governance Manager from Blue Zoo together with its Not for Profit Governance Maturity Framework solution. GRC 20/20 has evaluated and verified the implementation of Blue Zoo Governance Manager at NDS (WA) and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized Blue Zoo and NDS (WA) with a 2014 GRC Value Award in the domain of Strategy and Performance Management for their governance capabilities.
  • How SAP Achieved Value in GRC Architecture. The primary directive of a mature governance, risk management, and compliance (GRC) program is to deliver effectiveness, efficiency, and agility to the business in managing the interrelationship of performance, risk, and compliance. Effective, efficient, and agile GRC is built on an integrated architecture that is enterprise-wide; delivers consistent and uniform value from the boardroom to the front office; is focused on value protection and creation; and is proactive in measurement, management and interdiction. GRC architecture connects the fabric of the business together across the organization and its disparate systems, processes, and information. To address this and build a sustainable architecture for the future, SAP turned to its own GRC solutions and put into practice exactly what it advocates that other organizations do. SAP implemented an integrated GRC architecture that brought together SAP Process Control 10 and SAP Risk Management 10 across a global implementation at SAP for risk-assessed internal control monitoring and assurance. GRC 20/20 has evaluated and verified SAP’s own internal use of SAP GRC and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized SAP with a 2014 GRC Value Award in the domain of GRC Architecture and Integration.

  • How TransCanada Achieved Value in Audit Management. Today’s audit department faces growing demands to do more audits across operations and relationships while still being constrained by the limited resources available to fulfill these demands. To conduct audits effectively, manage limited audit resources efficiently, and meet the agility required of a dynamic business environment, audit needs a top-down approach driven by risk-based priorities, with technology used to manage resources, analyze data, and streamline audit operations. To build a sustainable audit program for the organization, TransCanada selected Resolver’s GRC Cloud offering. This provided TransCanada an integrated audit management solution to collaborate, understand risk, align audit with strategic planning, and drive business value. GRC 20/20 has evaluated and verified the implementation of Resolver GRC Cloud at TransCanada and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized Resolver and TransCanada with a 2014 GRC Value Award in the domain of Audit Management.
  • How Tricolor Auto Group Achieved Value in Policy & Training Management. With today’s complex business operations, global expansion, and ever-changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity. With 16 locations and plans to expand into the California market, Texas-based Tricolor Auto Group was managing compliance obligations and policies manually, using paper-based documentation and conducting training from three-ring binders. Tricolor Auto Group recognized that it would benefit from Complí Workforce Compliance Management. Complí has allowed Tricolor to transition from a manual, paper-based compliance, policy and training system to a cloud-based process that meets the communication needs of bilingual employees as the company expands to new states, encounters additional compliance regulations, and faces complex employee onboarding requirements. GRC 20/20 has evaluated and verified the implementation of Complí at Tricolor Auto Group and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized Complí and Tricolor Auto Group with a 2014 GRC Value Award in the domain of Policy & Training Management.
  • A Global Security & Asset Protection Organization’s Approach to Access Management. Business processes and technology change at a rapid pace. In the context of change, internal controls over financial reporting, regulatory requirements (e.g., SOX), internal and external auditors, and fraud risk put increased pressure on corporations to ensure ERP systems are secure and access control risks are managed in a dynamic business environment. Segregation of duties (SoD), inherited rights, critical and super user access, and changes to roles are too much for today’s organization to manage adequately with manual processes. A global security and asset protection organization used to manage access control testing in its SAP environments manually. To address this challenge, it found a solution in ERP Maestro that was not only cost effective but also enabled it to achieve its goals of efficiency, effectiveness, and agility. GRC 20/20 has evaluated and verified the use of ERP Maestro at this organization and confirms that the ERP Maestro subscription service has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized ERP Maestro with a 2014 GRC Value Award in the domain of Identity & Access Management.
  • How Tyco Achieved Value in Compliance Management. A reactive approach to compliance, with silos of compliance operations that never coordinate and work together, leads to greater risk to the organization. To enable effective, agile, and efficient compliance, organizations are developing a compliance information and technology architecture that is dynamic, proactive and information-based. Tyco International could either hire additional employees to manage compliance or implement an integrated compliance platform across its different compliance, risk and ethics focus areas. Tyco did a careful review of compliance and ethics learning solutions in the market and chose SAI Global as its compliance and ethics content partner. GRC 20/20 has evaluated and verified the implementation of SAI Global at Tyco and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized Tyco with a 2014 GRC Value Award in the domain of Compliance Management.
  • How a Large Commercial Bank Achieved Value in an Enterprise GRC Platform & Strategy. Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for governance, risk management and compliance (GRC) fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to the intricate relationships of risk across the business. Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of GRC. To address this challenge, a large commercial bank developed a GRC strategic plan that spanned its risk and compliance departments. With this plan and vision for GRC in place, the bank evaluated GRC platforms in the market and selected RSA Archer’s GRC Platform to be the backbone of its integrated Enterprise Governance, Risk, and Compliance program. GRC 20/20 has evaluated and verified the implementation of RSA Archer at this bank and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized RSA Archer with a 2014 GRC Value Award in the domain of Enterprise GRC Platform.

About GRC 20/20

GRC 20/20 is the authority in understanding how organizations implement GRC practices that are effective, efficient and agile. Through independent research and industry interaction, GRC 20/20 advises the entire ecosystem of GRC roles within organizations, technology and knowledge solution providers, and professional service firms. Organizations engage GRC 20/20 when they need insight, guidance and advice in dealing with a dizzying array of disruptive issues, challenges, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment. Visit GRC 20/20 at http://www.grc2020.com/ and follow it on Twitter at @GRCPundit.

[1] This is the official definition of GRC found in the GRC Capability Model and other work by OCEG at www.OCEG.org.
