The fourth annual GRC Innovation Awards recognize GRC solutions that are revolutionizing the Governance, Risk Management and Compliance (GRC) market. Thirty-three awards are given this year out of 119 applicants across fifteen GRC solution categories. These are broken into two innovation areas:
- User Experience Innovation
- Technology Innovation (below)
Over the years GRC technology has evolved and changed. The GRC Technology Innovation Awards process for 2015 recognizes this evolution and represents the most competitive pool of nominations to date. GRC 20/20 closely evaluated all of the written nominations and selected recipients to receive this honor. Some of these recognitions go to established solution providers; others go to up-and-comers. Some have mature offerings, others are still being polished, but all are advancing GRC into new areas. The current award recipients show thought leadership that takes GRC in new directions.
These awards are challenging as there is a strong subjective element to them. Many great technologies were nominated that GRC 20/20 would like to recognize but that did not quite make the cut. Unlike GRC 20/20’s Value Awards, which focus on the quantitative value organizations have received from solutions, the innovation awards are based on what captivates and intrigues GRC 20/20 analyst attention as new possibilities and directions in GRC technology. These awards are not for who has the better solution. They are for who is thinking outside the box and taking GRC in new technology directions, and for who is delivering better user experiences in GRC.
Below are the 2015 GRC Innovation Award Winners for Technology Innovation. The award winners for User Experience Innovations are found in the post: 2015 GRC Innovation Awards: User Experience Innovations.
2015 GRC Innovation Award Winners for Technology Innovation
GRC cannot be managed in isolation. The decentralized and disconnected systems of the past leave the organization exposed and caught off guard by risk. The complexity of business, and the intricacy and interconnectedness of GRC data, require an integrated approach to business systems, data, and GRC.
In 1996, Fritjof Capra made an insightful observation on living organisms and ecosystems that rings true when applied to GRC and broader business today:
“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”
Fritjof Capra, The Web of Life
Capra’s point is that biological ecosystems are complex and interconnected, and require a holistic understanding of their intricate interrelationships as an integrated whole rather than as a dissociated collection of parts. A change in one segment of the ecosystem has cascading effects across the entire ecosystem. This is true in business. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of performance, risk, and compliance across the enterprise. What further complicates this is the exponential effect of risk on the business. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which a small event develops into and influences what ends up being a significant event. The concept uses the analogy that the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that ultimately affect the development and path of a hurricane.
Organizations require complete situational and holistic awareness of GRC across operations, processes, relationships, systems, and data to see the big picture of risk and its impact on organization performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to GRC architecture. GRC fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. GRC also fails when it is thought of as a single platform to manage workflow and tasks. GRC is about the interactions and relationships of cause and effect across the strategy, processes, transactions, information, and technology supporting the business, and it requires a GRC architecture approach.
The 2015 GRC Technology Innovation Award recipients are…
ACL GRC Mobile’s Scan to PDF: Innovation in Audit Management
The traditional audit workflow to capture evidence involves fieldwork, gathering of paperwork, working a copy machine, using a scanner, and then hours of endless file management. With so many steps to capture audit evidence, an auditor’s job begins to look like that of a file clerk. Auditors frequently work in remote areas with limited access to equipment or no internet connectivity. Additionally, certain types of evidence require the capture of multimedia beyond traditional paper documentation. Wouldn’t it be nice if there was a way to let auditors capture audit evidence as easily as they post to Facebook or Instagram? The ACL GRC mobile app changes how auditors capture information by using built-in smartphone multimedia features, including a built-in PDF scanner to capture evidence in real time. Using smartphones or tablets, auditors can capture multimedia evidence and upload it to the cloud-based audit file.
ACL GRC’s ScriptHub: Innovation in Automated Controls Architecture
Auditors and business process owners have long realized the value of data analytics, only to be overwhelmed by the technical complexities of extracting, analyzing, and interpreting data. This is the most challenging obstacle to implementing automated control analytics. In our tech-savvy day and age, shouldn’t configuring data analytic tests for controls be as simple as building with Lego blocks? ACL’s ScriptHub library, delivered as part of the ACL GRC platform, allows organizations to do just that. ScriptHub is a repository of ready-to-use scripts for risk-based analytics. The library contains numerous code snippets that help automate tasks such as data imports from Concur, SAP, and SAM lists; analytics that look for trends or anomalies; and utility scripts that harmonize address fields, perform keyword searches, calculate distances between zip codes, compute the number of working days between dates, and hundreds of others. Essentially, it gives users pre-written data analysis scripts that can be assembled like Lego blocks into analytic tests.
- Webinar: How ScriptHub is Revolutionizing Automated Controls
- 2015-10-26 , 1:00 pm – 2:00 pm CDT
ControlPanelGRC Dynamic Security with HR Analyzer: Innovation in Automated Controls for Human Resources
The world of automated controls has been largely focused on the financial side of ERP. Very little attention has been given to HR management systems. This is an issue, as HR systems house critical and sensitive data that is governed by privacy laws around the world. The confidentiality, integrity, and availability of HR data are critical to organizations. ControlPanelGRC has demonstrated innovation by automating two critical HR processes that were previously completed manually. The Access Controls Suite’s HR Analyzer with Dynamic Security maps critical HR data to security by automatically tracking and removing sensitive access when job changes occur within the organization, and provides reconciliation when tied to certain job changes. In large organizations this process was once executed by several employees; it can now be completely automated by ControlPanelGRC’s Dynamic Security with HR Analyzer.
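The mechanism described above, job-change events from HR driving automatic removal of sensitive access plus a reconciliation of what remains, can be illustrated with a small script. This is an added example, not ControlPanelGRC’s code; the job codes, role names, HR feed and access table are constructed sample data, and the policy (sensitive roles are revoked automatically, other excess roles go to manager review, accounts with no active HR record are treated as orphans) is an assumption chosen for the illustration.

```python
"""Added example: HR-event-driven revocation of sensitive access.
Not ControlPanelGRC's code. Job codes, roles, the HR feed and the
access table below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed entitlement model: roles each job code legitimately needs.
JOB_ROLES = {
    "HR_ANALYST": {"HR_VIEW", "PAYROLL_VIEW"},
    "HR_MANAGER": {"HR_VIEW", "HR_EDIT", "PAYROLL_VIEW", "PAYROLL_APPROVE"},
    "WAREHOUSE": {"INVENTORY_VIEW"},
    "TERMINATED": set(),
}

# Roles whose holders can see or change personal data. Excess roles in this
# set are revoked automatically on a job change; other excess roles are
# queued for manager review (assumed policy).
SENSITIVE = {"HR_VIEW", "HR_EDIT", "PAYROLL_VIEW", "PAYROLL_APPROVE"}


@dataclass(frozen=True)
class JobChange:
    user: str
    old_job: str
    new_job: str
    effective: str  # ISO date from the HR feed


@dataclass
class Reconciliation:
    revoke: list = field(default_factory=list)   # (user, role, reason)
    review: list = field(default_factory=list)   # (user, role, reason)
    orphans: list = field(default_factory=list)  # accounts with no HR record


def reconcile(access, hr_active, changes):
    """Compare current access against what each user's NEW job entitles.

    access:    {user: set(roles)} as currently assigned in the target system
    hr_active: set of user ids with an active HR record
    changes:   job-change events from the HR feed
    """
    result = Reconciliation()
    for ch in changes:
        held = access.get(ch.user, set())
        allowed = JOB_ROLES.get(ch.new_job, set())  # unknown job code -> nothing allowed
        reason = f"{ch.old_job}->{ch.new_job} on {ch.effective}"
        for role in sorted(held - allowed):
            if role in SENSITIVE:
                result.revoke.append((ch.user, role, reason))
            else:
                result.review.append((ch.user, role, reason))
    # Accounts that exist in the system but have no active HR record are the
    # classic leaver gap: revoke everything and flag the account.
    for user in sorted(access):
        if user not in hr_active:
            result.orphans.append(user)
            for role in sorted(access[user]):
                result.revoke.append((user, role, "no active HR record"))
    return result


def apply_revocations(access, result):
    """Return a copy of the access table with the revocations applied."""
    updated = {u: set(r) for u, r in access.items()}
    for user, role, _ in result.revoke:
        updated.get(user, set()).discard(role)
    return updated


# Constructed sample data.
ACCESS = {
    "alice": {"HR_VIEW", "HR_EDIT", "PAYROLL_VIEW", "PAYROLL_APPROVE"},
    "bob": {"INVENTORY_VIEW", "PAYROLL_VIEW", "LEGACY_REPORT"},
    "carol": {"HR_VIEW"},
    "dave": {"HR_EDIT"},  # no HR record: orphaned account
}
HR_ACTIVE = {"alice", "bob", "carol"}
CHANGES = [
    JobChange("alice", "HR_MANAGER", "HR_ANALYST", "2015-10-01"),  # demotion
    JobChange("bob", "HR_ANALYST", "WAREHOUSE", "2015-10-01"),     # transfer
]

if __name__ == "__main__":
    res = reconcile(ACCESS, HR_ACTIVE, CHANGES)
    for item in res.revoke:
        print("REVOKE", item)
    for item in res.review:
        print("REVIEW", item)
    print("ORPHANS", res.orphans)
    print(apply_revocations(ACCESS, res))
```

The check that matters in production is the one on the last loop: an access table is only as trustworthy as its join to HR, so any account the HR feed cannot vouch for should be treated as a finding, not silently left alone.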
CSI Tools’ Emergency Request: Innovation in Automated Controls for Privacy
Safeguarding human resources data in the context of strict privacy regulations (e.g., in Germany and Belgium) is a significant challenge for organizations. This is particularly true when granting emergency access to critical HR systems and their data. CSI Emergency Request provides insight into who saw and/or who manipulated HR employee data. CSI Emergency Request is an ABAP/4-based solution consisting of two components. The first component manages and controls emergency activities in SAP systems. The second component is a new and innovative solution for complying with the strict privacy regulations that apply in countries like Germany and Belgium. CSI Emergency Request gives organizations an efficient and effective solution for emergency access while safeguarding HR data and complying with privacy laws.
Greenlight’s Access Violation Management: Innovation in Automated Controls for Access Management/SoD
Automated segregation of duties and access management technologies have been highly successful in automating controls, but to date they have not taken a risk-based approach grounded in the financial impact to the business. Access Violation Management by Greenlight enables organizations to manage user access and segregation of duties through a risk-based evaluation of the financial impact to the organization. This is accomplished through exception-based monitoring of actual access violations, which reduces the need for manual controls to mitigate segregation of duties issues and eliminates the false positives that arise from reporting only potential conflicts. When exceptions are identified, the solution tracks investigation and resolution until issues are closed, in an intuitive user interface designed for business users. The solution brings business context to SoD by quantifying the financial impact of these violations and drives change in access assignments and business processes where the materiality of the risk is too high for the organization to accept.
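The distinction the paragraph draws, between reporting every user who could in principle perform both sides of a conflicting pair and reporting only the cases where one user actually did, with the money involved attached, is easiest to see side by side. The following is an added example and not Greenlight’s code: the SoD rule pairs, the role model, the user assignments and the transaction log are all constructed, and the materiality threshold is an assumed input.

```python
"""Added example: potential SoD conflicts versus actual, quantified violations.
Not Greenlight's code. Rules, roles, assignments and the log are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: str
    user: str
    action: str
    doc: str      # business document the action touched (vendor, PO, ...)
    amount: float


# Constructed SoD rules: (initiating action, completing action) that one
# person should not both perform on the same document.
SOD_RULES = [
    ("CREATE_VENDOR", "PAY_VENDOR"),
    ("ENTER_PO", "APPROVE_PO"),
]

# Constructed role model and assignments.
ROLE_ACTIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_PO"},
    "AP_SUPERVISOR": {"PAY_VENDOR", "APPROVE_PO"},
    "BUYER": {"ENTER_PO"},
}
ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_SUPERVISOR"},
    "bob": {"AP_CLERK", "AP_SUPERVISOR"},
    "carol": {"AP_SUPERVISOR"},
    "dave": {"BUYER"},
}

# Constructed transaction log: ts,user,action,doc,amount
SAMPLE_LOG = """\
2015-09-01T09:12:00,alice,CREATE_VENDOR,V100,0
2015-09-02T14:30:00,alice,PAY_VENDOR,V100,48000.00
2015-09-03T10:05:00,bob,CREATE_VENDOR,V200,0
2015-09-04T11:45:00,carol,PAY_VENDOR,V200,12500.00
2015-09-05T08:20:00,dave,ENTER_PO,PO7,9800.00
2015-09-05T16:00:00,alice,APPROVE_PO,PO7,9800.00
2015-09-06T09:00:00,bob,ENTER_PO,PO8,3100.00
2015-09-06T09:30:00,bob,APPROVE_PO,PO8,3100.00
"""


def parse_log(text):
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc, amount = line.split(",")
        txns.append(Txn(ts, user, action, doc, float(amount)))
    return txns


def potential_conflicts(assignments, role_actions=ROLE_ACTIONS, rules=SOD_RULES):
    """Traditional rule-based check: users whose roles allow both sides of a rule."""
    out = {}
    for user, roles in assignments.items():
        actions = set().union(*(role_actions.get(r, set()) for r in roles))
        hits = [rule for rule in rules if rule[0] in actions and rule[1] in actions]
        if hits:
            out[user] = hits
    return out


def actual_violations(txns, rules=SOD_RULES):
    """Exception-based check: the same user performed both sides on the same
    document. The financial impact is the amount on the completing action."""
    done = defaultdict(dict)  # (user, doc) -> {action: Txn}
    for t in txns:
        done[(t.user, t.doc)][t.action] = t
    violations = []
    for (user, doc), acts in done.items():
        for first, second in rules:
            if first in acts and second in acts:
                violations.append((user, f"{first}/{second}", doc, acts[second].amount))
    return sorted(violations, key=lambda v: -v[3])  # largest exposure first


def materiality_report(violations, threshold):
    """Tag each violation by whether it exceeds an assumed materiality threshold."""
    return [(v, "ABOVE_THRESHOLD" if v[3] >= threshold else "below") for v in violations]


if __name__ == "__main__":
    txns = parse_log(SAMPLE_LOG)
    print("potential:", potential_conflicts(ASSIGNMENTS))
    for v, tag in materiality_report(actual_violations(txns), threshold=25000):
        print(tag, v)
```

On the sample data the role-based check flags both alice and bob on both rules, while the log shows bob never paid a vendor he created (carol did) and his self-approved purchase order is small; only alice’s 48,000 vendor payment crosses the assumed threshold. Keying the match on the document rather than on the user alone is what keeps the actual-violation list free of the noise the potential list carries.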
Continuity Logic’s FrontLine Live: Innovation in Business Continuity Management for Healthcare
Many healthcare organizations rely on an outdated system of “binders” and printed documents for business continuity plans. Static continuity plans kept in documents are unlikely to remain relevant during unpredictable threats and disruptions. Even continuity plans created in a database rarely map the “interdependencies” between data elements needed to manage the ripple effects of an emergency or crisis. Continuity Logic’s Frontline Live solution shows innovation in offering a healthcare-specific Business Continuity Management Planning (BCMP) and GRC system for health plans and hospitals. The Frontline solution incorporates controls for HIPAA, HITRUST, and meaningful use compliance to transform both the process and the experience of business continuity within hospitals and health systems. Frontline connects people, processes, technology, assets, third-party relationships, and other “interdependencies” into a single, unified business continuity governance database that is dynamic and helps organizations stay agile as disruptive situations unfold.
UCF Common Controls Hub: Innovation in Regulatory Intelligence for Compliance Management
Change is the single greatest challenge for organizations in the context of governance, risk management, and compliance (GRC). GRC professionals spend significant time and resources researching which regulatory mandates they must follow and struggling to keep up with new requirements. The Unified Compliance Framework’s® (UCF®) Common Controls Hub™ enables organizations to scope, define, and maintain regulatory demands online in minutes to dramatically improve the efficiency, effectiveness, and agility of their GRC program as well as business operations. GRC 20/20 sees this as a compelling offering for compliance management in the context of regulatory change that will advance GRC technology and make organizations more efficient, effective, and agile.
- Webinar: Common Controls Hub Innovations Break New Ground in Regulatory Management
LockPath Keylight Ambassador: Innovation in Enterprise GRC Integration
Organizations need to move beyond the concept of a GRC platform and focus on an integrated view of GRC data and systems through a GRC architecture that is a cohesive part of the broader business fabric of the organization. This is what GRC 20/20 refers to as 360° GRC contextual awareness, where risk and compliance are monitored and understood in the course of business operations, changing risks and regulations, and interactions. Delivering GRC contextual awareness requires GRC to be a central nervous system that captures signals found in processes, data, and transactions, as well as changing risks and regulations, for interpretation, analysis, and holistic awareness of risk in the context of the business. LockPath Keylight Ambassador is a GRC solution that offers a hybrid agent architecture enabling organizations to collect distributed GRC-related data from applications installed across the organization and in the cloud. Keylight Ambassador’s innovation and advancement of GRC technology is its ability to securely and automatically transmit on-premises data from business systems and information security tools to the cloud.
- Webinar: GRC 20/20 Innovation Award: LockPath Keylight Ambassador
- 2015-10-14 , 12:00 pm – 1:00 pm CDT
MetricStream Mobile Middleware Architecture: Innovation in Enterprise GRC Mobility
Mobility solutions for GRC are growing in demand and have been adopted across industries (e.g., retail, manufacturing, logistics, airlines). They enable a variety of use cases for a distributed GRC workforce and support GRC field operations and audits. They are used by the front lines of organizations to interact with policies, deliver training, and report issues. GRC mobility enables users to complete field work, gather evidence, perform rapid assessments, respond to questionnaires, and record incidents. There are a variety of stand-alone mobile GRC apps connected to GRC platforms to do this. MetricStream is showing innovation in developing a fully integrated multi-device, multi-OS, real-time mobile technology architecture that enables GRC mobility and takes it to new levels. The MetricStream Mobile Middleware Architecture is the enabling layer over the MetricStream GRC platform that provides users with GRC features and functionality on tablets and phones across mobile operating systems.
- Webinar: 5 Key Capabilities of Next Generation GRC Platforms
Quantivate: Innovation in Enterprise GRC Data Architecture
The decentralized and disconnected systems of the past leave the organization exposed and caught off guard by risk. Many legacy, and even leading, GRC platforms also fail because they have rigid data structures and take significant time and money to implement. GRC maturity increases with the ability to connect, understand, analyze, and monitor the interrelationships and underlying patterns of GRC information. Organizations require complete situational and holistic awareness of GRC across operations, processes, relationships, systems, and data to see the big picture of risk and its impact on organization performance and strategy. The Quantivate platform is different due to a technology they call “Linked Resources”. Quantivate’s Linked Resources allows for a dynamic data model: Quantivate administrators can create relationships whenever and wherever needed within their GRC data architecture and model. This means that GRC is no longer a one-size-fits-all solution, but can be implemented in an organization of any size and grow and evolve over time.
- Webinar: Enterprise GRC Architecture: Innovation Through Dynamic Linking of GRC Data Relationships
Segmantics Risk Store: Innovation in Enterprise GRC Content Store
The integration of actionable content and intelligence into technology is the core of GRC today and tomorrow. This involves the delivery of content from knowledge/content providers through GRC technology solutions to rapidly assess changing regulations, risks, and industry and geopolitical events. This integration of actionable content with GRC technology delivers on GRC maturity through risk and regulatory intelligence. GRC is not just about great technology; it is also about having the right intelligence and content. Segmantics is innovating by providing an intuitive and easy-to-use content store as part of its GRC platform. Segmantics includes risk assessment content, risk frameworks, and analysis methods in a Risk Store that is an integrated part of the GRC solution. The Risk Store enables users to select from hundreds of risk assessments, risk standards, and best practices from 22 industrial and commercial sectors.
Environmental, Health & Safety
Ideagen’s Gael Enlighten: Innovation in EH&S Technology
EH&S solutions are maturing to provide an integrated architecture that is intuitive and easy to use, where EH&S is focused on providing 360° contextual awareness of risk and compliance that is monitored and understood in the course of business operations, changing risks and regulations, and interactions. Delivering contextual awareness requires an EH&S solution to be a central nervous system that captures signals found in processes, data, and transactions, as well as changing risks and regulations, for interpretation, analysis, and holistic awareness of risk in the context of the business. The Gael Enlighten product is focused on providing 360° contextual awareness of EH&S information and processes. A seamlessly integrated and scalable cloud software product, Gael Enlighten makes information available to the users who need it, where and when they need it. Critical information such as a recently changed procedure or an updated risk assessment is available across the application rather than being stuck in a document management or risk management silo. Gael Enlighten provides a next-generation platform for managing EH&S with an interface that is engaging, intuitive, and easy to use.
Internal Control Management
ACL’s Interpretive Visual Remediation: Innovation in Internal Control Management Technology
Most business intelligence tools provide users a data visualization view that leaves the GRC professional wanting more in order to understand the context of internal control management. Data visualization is powerful for interpreting data analysis results and locating areas that require follow-up. The frustration comes when organizations cannot take action from the data visualization and have to perform extra steps to separate the records of interest and find a way to assign them to the correct stakeholders for remediation. ACL’s Interpretive Visual Remediation takes data visualization to the next level by making it actionable within the application. Data visualization is combined with an automated remediation workflow that can trigger remedial actions directly from the visualization to address issues in internal controls. ACL GRC’s innovation is that it enables users to take action right from the data visualization view. This is helpful in customer environments that rely heavily on data analytics for control monitoring, where users need to streamline their ability to process, visualize, interpret, and remediate data analysis test exceptions.
Issue Reporting & Management
Integrc’s Exception Based GRC: Innovation in Issue Reporting & Management
GRC solutions have typically existed in silos with separate deployments in different departments creating a complex landscape of technology, taxonomy and end user processes with little integration. As GRC requirements have evolved, solutions have developed that are capable of integration as well as having increased sophistication including data analytics. Integrc, recently acquired by EY, delivers Exception-Based GRC as part of RouteOne, an innovation that enables a high-performing GRC capability. Exception-based GRC makes GRC easy for the users by doing all the hard work in the background. With Exception-based GRC, the user receives intelligent and timely notifications on GRC issues and events with supporting real-time analytics so they can focus on making key business decisions more quickly. Integrc’s model leverages the latest SAP technology and approaches to deliver world class GRC outcomes whilst minimizing the load on the business users.
Rsam Platform Exemption Management: Innovation in IT GRC Technology
Scattered manual IT GRC processes lead to exemptions and exceptions that go undocumented and expose the organization to significant risk. IT GRC programs need to integrate an array of security and IT operations technology to detect and automate the identification of non-conformance and the process of documenting, approving, and managing exemptions and exceptions. Utilizing Rsam’s capabilities to build out and extend the solution, Sungard worked with Rsam to create a unique, highly automated, and centralized exception management process that takes input from the following areas: vendor security assessments; application security assessments; site security assessments; audit findings; host vulnerabilities; source code analysis; and compliance exemption tracking. Rsam enables its clients to extend and integrate a range of technologies to automate exemption and exception management processes. In this context, GRC 20/20 has recognized Rsam with a 2015 GRC Innovation Award for the best technology innovation in IT GRC.
- Webinar: Trends in IT GRC
- 2015-11-12 , 1:00 pm – 2:00 pm CDT
WK ELM Solutions’ LegalView Analytics: Innovation in Legal Management Technology
The legal industry is going through a transformation in how they manage legal processes and utilize technology in that context. Legal departments are now being required to justify budgets, forecast expenditures, and define the value that outside counsel provides. This puts significant pressure to focus on cost controls, efficiency, process, risk avoidance, and other business drivers that have become mainstream in almost every other discipline and department in the organization. Corporate legal departments now require greater insight into their legal spend and legal operations so that they can make informed, data-driven decisions. Wolters Kluwer ELM Solutions LegalView Analytics is showing innovation by enabling legal departments to be strategically managed. The solution integrates and consolidates data from a variety of internal business and legal systems into easy-to-read and customizable LegalView Dashboards that allow legal departments to quickly obtain a full view of their legal costs.
Policy & Training Management
Compli’s Compligo: Innovation in Policy & Training Management
Organizations often use manual compliance processes that are prone to human error and are costly in terms of the time and money spent to maintain them. Compli’s Compligo automates compliance processes so organizations no longer need to rely on email, spreadsheets, documents, or an intranet site to manage and track compliance management activities. While many compliance solutions focus on the experience of compliance management professionals, Compligo is focused on the workforce experience. Compligo streamlines compliance for employees, managers, and third parties by providing a one-stop shop for the workforce. For every initiative across the organization, the right person gets the right information at the right time, every time, until the activity is completed. Nothing slips through the cracks, and managers and compliance staff no longer have to nag.
MetricStream’s Quality Management Apps: Innovation in Quality Management
Organizations are challenged to address quality audits in the context of varying and dynamic risk and compliance requirements. The more distributed and dynamic the organization, the greater this issue is. In this context, quality audits have often been disconnected from broader enterprise and operational risk management initiatives. MetricStream’s Quality Audit Management has shown innovation in empowering quality audit departments through enhanced risk assessment capabilities. This helps quality auditors prioritize and short-list auditable entities based on risk assessment results, and enables them to focus their efforts on high-risk entities instead of all entities at once. The solution supports configurable risk assessments for quality audit planning purposes and an audit advisor that helps users define the enterprise quality audit strategy.
MEGA’s Solutions for Model Risk Management: Innovation in Risk Management
Models are used across industries to analyze, predict, and represent performance and outcomes that impact operations and business strategy. By definition, a model is a mathematical approximation of scenarios that is used to analyze and forecast prices, events, risks, relationships, and future outcomes. The expanding use of models in the organization reflects the extent to which models can improve business decisions, but models come with risks when internal errors or misuse result in bad decisions. Organizations need to provide a structured approach to model risk management that addresses model governance, lifecycle, and architecture in order to manage models and mitigate the risk they introduce while capitalizing on the significant value of models when properly used. MEGA’s solutions for Model Risk Management allow organizations to gain control of and understand model risk through the ability not only to inventory models but to diagram how they are meant to function. The platform leverages MEGA’s enterprise architecture capabilities to capture business and enterprise knowledge (via business models), to capture model logic (modeling the models), and, above all, to put the models in their actual use case and business context.
Strategy & Performance Management
Thomson Reuters Valuation Navigator: Innovation in Strategy & Performance Management
Financial services organizations require complete situational and holistic awareness of market data and positions across the organization to see the big picture and its impact on pricing, performance, and strategy. Most financial services organizations have access to market data that is adequate to support their operations, but they still struggle with market, valuation, and pricing data when it comes to transparency, accessibility, and audit support activities. Thomson Reuters Valuation Navigator collects scattered financial data into a single, searchable repository; supports a building-block approach to modeling; is extensible for complex workflows; and enables shared insight across the entire organization. Its approach makes organizations more efficient, effective, and agile in gathering distributed sets of data and presenting them in a form that replaces manual, spreadsheet-based processes.
Third Party Management
Thomson Reuters World-Check One: Innovation in Third Party Management
The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include customers, suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Thomson Reuters’ World-Check One demonstrates a compelling offering for managing an integrated process for third party due diligence to meet a range of risk and regulatory areas. The unique approach helps make organizations more efficient, effective, and agile in managing a range of due diligence concerns in a single integrated portal. World-Check One has a range of innovative features that enable customers to apply a risk-based approach to due diligence and customize screening policies to mitigate risk in an efficient, effective, and agile approach. GRC 20/20 finds that World-Check One clients save significant amounts of time and money in staff resources and operating costs while leveraging the benefits of World-Check risk intelligence data with extensive global research.