Mistakes & Challenges in Risk Management Technologies and Strategies

Risk management is pervasive throughout organizations. Many departments manage risk, each with its own approaches, models, needs, and views into risk. This makes enterprise and operational risk management a challenge. Organizations often fail in enterprise risk management strategies when they force everyone into one flat view of risk; they also fail when they allow different views of risk but do not consider risk normalization and aggregation as they roll risk up into enterprise reporting.

Organizations have adopted a wide range of technologies for risk management. There are several hundred solutions in the risk management market (a segment of the GRC market). Some are broad enterprise or operational risk platforms. Some are so narrow and limiting that individual departments lose capabilities they need, while others are very broad and adaptable. There is also a variety of very focused risk solutions that excel at specific areas of risk management. These include:

  • Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply in a very specific risk area, such as commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
  • Solutions focused on department/function risk management needs. These are solutions aimed at managing risks within a common department or functional area, providing a common platform that specializes in risk within that area, such as information security, health & safety, corporate compliance, audit, finance, treasury, and more.
  • Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
  • Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
  • Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
  • Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management really are only doing operational or department risk management.
  • Tools for risk management. Then there are a range of solutions that assist in risk management but do not fit in one of the other areas. They are tools for surveys, questionnaires, and assessments, or they assist in modeling risk, such as Monte Carlo or Bayesian modeling tools.

The challenge is that there is no one-stop solution for all of an organization's risk management needs. No solution provider addresses every area and need of risk management across the organization. In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for, particularly when they have enterprise or operational risk management strategies meant to provide an integrated view of risk across the organization. However, organizations are frequently failing in these implementations as they encounter the following issues in risk management:

  • Failing to provide both top-down and bottom-up risk perspectives. This is a controversial topic in the risk community, and one that I am sure I will get hammered on by opponents on either side. There are those who see risk as all about strategy and objectives, and hold that you should do a top-down analysis of risk that starts with strategy and objectives. The other side sees risk management as bottom-up: identifying risk at the lowest level of operations, transactions, and processes and rolling it up. My perspective is that both are needed. Risk management has to be in the context of strategy and objectives, but so often something unseen down in the weeds of processes can rear its ugly head and devastate the organization, and a pure top-down approach often misses it.
  • No multi-dimensional mapping of risk relationships and impacts. A single risk can impact the organization in different ways and have compounding impact when considered in the context of other risks managed in other areas, yet no one sees the range of related risks. Organizations fail to map risks into different hierarchies of relationships and to show a multi-dimensional view of risk, impact, and relationships as a risk intersects with risk categories outside its own hierarchy (see my post The Titanic: an Analogy of Enterprise Risk).
  • Forcing everyone into a one-size-fits-all risk analysis methodology. Organizations too often select risk solutions for enterprise or operational risk management that require a one-size-fits-all approach to risk analysis, which waters down risk assessments to the lowest common denominator. Well-established approaches for managing risk in areas of the organization get pushed aside, and the specialized views and details are lost, leading to greater exposure. Where health & safety had been using bow-tie risk analysis, they are now forced to use heat maps and stoplight diagrams. The organization loses depth in risk management by selecting solutions that do not have the breadth of capabilities it needs.
  • Lack of risk normalization and aggregation. Organizations attempt enterprise or operational risk management with solutions that lock them into a single flat view of risk scoring and appetite. This creates problems when identifying and managing localized operational threats and opportunities, because everything is scaled to an enterprise view. What happens when IT security's high risk is actually lower than finance's low risk? Either every department measures all of its risks in a single context that fits the entire organization, and loses a department-level perspective that is of value, or each measures everything at a department, function, process, or project level and enterprise risk reporting fails because it compares apples and oranges. Very few solutions on the market offer a capability for risk normalization and aggregation. For effective normalization and aggregation, risks must be assessed both qualitatively and quantitatively with standardized methodologies, so that each department's bands are anchored to a common unit (such as annual probability and monetary loss) and risk can be viewed at the enterprise level as well as at lower, localized levels.
  • Overreliance on heat maps. I have written about my frustration with heat maps for the past 13 years. They provide a false view of risk. The standard two dimensions are likelihood and impact, with the upper right perceived as the greatest risk: high likelihood and high impact. This is false. What organization is having billion-dollar loss events on a regular basis? They are out of business. The greatest risk exposure is often the low-likelihood, high-impact event, which a heat map that multiplies band numbers scores below a medium-likelihood, medium-impact event and so fails to call out properly.
  • Lack of supportive risk data. Too often I see very subjective responses to risk assessments. When asked to measure risk in the dimensions of likelihood and impact (there are more, but we will stick to these as they are most often seen), it is often complete guesswork. The organization fails to keep a history of risks that have materialized into events with loss to the organization. When assessing and modeling risk, organizations need a history to mine, to see how a risk has materialized in the past within their own organization and with peers, in order to score likelihood and impact objectively.
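The normalization and heat-map points above can be made concrete with a small worked example. This is an added illustration, not code or data from the original post or from any GRC product: the department scales, the enterprise tolerance, and the four register entries are constructed values. Each department keeps its own 1..5 likelihood and impact bands, but every band is anchored to an enterprise-comparable unit (annual probability and loss in USD if the event occurs). That anchoring is what lets an IT security "high" be compared honestly with a finance "low", and it exposes how the band-times-band heat-map score ranks a low-likelihood, high-impact event below a routine one.

```python
"""Risk normalization and aggregation across departments with different scales.

Constructed example (hypothetical scales and risks, not from any real program).
"""
from dataclasses import dataclass

# Each department's own 1..5 bands, anchored to enterprise-comparable units:
#   likelihood: annual probability that the event materialises
#   impact:     loss in USD if it does
DEPARTMENT_SCALES = {
    "IT Security": {
        "likelihood": {1: 0.01, 2: 0.05, 3: 0.20, 4: 0.50, 5: 0.90},
        "impact": {1: 5_000, 2: 25_000, 3: 100_000, 4: 500_000, 5: 2_000_000},
    },
    "Finance": {
        "likelihood": {1: 0.01, 2: 0.05, 3: 0.20, 4: 0.50, 5: 0.90},
        "impact": {1: 1_000_000, 2: 5_000_000, 3: 25_000_000,
                   4: 100_000_000, 5: 500_000_000},
    },
}

# Enterprise appetite (constructed): any single loss above this is escalated.
ENTERPRISE_SINGLE_LOSS_TOLERANCE = 100_000_000


@dataclass(frozen=True)
class Risk:
    department: str
    name: str
    likelihood: int  # 1..5 on the department's own scale
    impact: int      # 1..5 on the department's own scale

    def heatmap_score(self) -> int:
        """The conventional heat-map cell score: band x band, no units."""
        return self.likelihood * self.impact


def normalize(risk: Risk) -> dict:
    """Translate a department-scored risk into enterprise-comparable units."""
    scale = DEPARTMENT_SCALES[risk.department]
    p = scale["likelihood"][risk.likelihood]
    loss = scale["impact"][risk.impact]
    return {
        "risk": risk,
        "annual_probability": p,
        "loss_if_occurs": loss,
        "expected_annual_loss": round(p * loss, 2),
        "exceeds_tolerance": loss > ENTERPRISE_SINGLE_LOSS_TOLERANCE,
    }


def rank(risks, key):
    """Risk names ordered most-to-least severe under `key`
    ("heatmap", "expected_annual_loss" or "loss_if_occurs")."""
    rows = [normalize(r) for r in risks]
    if key == "heatmap":
        rows.sort(key=lambda row: row["risk"].heatmap_score(), reverse=True)
    else:
        rows.sort(key=lambda row: row[key], reverse=True)
    return [row["risk"].name for row in rows]


def aggregate(risks) -> dict:
    """Roll expected annual loss up by department and then to the enterprise."""
    totals = {}
    for row in map(normalize, risks):
        dept = row["risk"].department
        totals[dept] = totals.get(dept, 0) + row["expected_annual_loss"]
    totals["Enterprise"] = sum(totals.values())
    return totals


# Constructed register: an IT "high", a finance "low", a tail event, a routine loss.
REGISTER = [
    Risk("IT Security", "Phishing-led credential theft", likelihood=5, impact=3),
    Risk("Finance", "FX hedge mismatch", likelihood=2, impact=2),
    Risk("Finance", "Counterparty default in a liquidity crunch", likelihood=1, impact=5),
    Risk("Finance", "Late-payment penalties", likelihood=5, impact=1),
]

if __name__ == "__main__":
    for row in map(normalize, REGISTER):
        r = row["risk"]
        print(f"{r.department:12} {r.name:45} heatmap={r.heatmap_score():2d} "
              f"EAL=${row['expected_annual_loss']:>13,.0f} "
              f"tail=${row['loss_if_occurs']:>13,} "
              f"{'ESCALATE' if row['exceeds_tolerance'] else ''}")
    print("by heat map:      ", rank(REGISTER, "heatmap"))
    print("by expected loss: ", rank(REGISTER, "expected_annual_loss"))
    print("by single loss:   ", rank(REGISTER, "loss_if_occurs"))
    print("aggregate:        ", aggregate(REGISTER))
```

On these constructed numbers the IT security "high" (likelihood 5, impact 3) normalizes to an expected annual loss of $90,000, while the finance "low" (2, 2) normalizes to $250,000: the department label alone says nothing at the enterprise level. The heat map ranks the phishing risk first (score 15) and puts the $500M counterparty tail event (score 5) on a par with late-payment penalties (score 5); ranking by expected loss or by single-event loss puts the tail event first and flags it against the enterprise tolerance. The aggregate roll-up only works because every department's bands were first mapped to the same units.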

Many of these failures in enterprise and operational risk management are the result of organizations selecting GRC and risk platforms that are inadequate for the job. They rely on Gartner and Forrester reports that have a bias toward IT risk management and that score and rank risk management solutions in a way that makes no sense. Gartner often only wants to see a half-hour video demo and sends web surveys to client references. Yet organizations of all sizes are basing their enterprise and operational risk management platform purchases on analyst reports that lack depth (Forrester Waves are very broad in scope) or lack published criteria (Gartner Magic Quadrants are what they say they are, magic, as the criteria and results are a complete mystery).

Organizations need to start thinking about risk management architecture. Organizations are often best served by a federated approach to risk management that allows different departments some level of autonomy and supports their department-level risk management strategies, while also providing a common information and technology architecture to support overall enterprise and operational risk management activities and reporting.

There is no one-stop risk management solution that does everything risk management for the entire organization. The question is which solution can provide the best core for enterprise and operational risk management, with the right range of risk mapping, modeling, and analytic capabilities for the majority of the organization, while also integrating with best-of-breed risk solutions that offer specific functionality in the areas where it is needed.

Whether for a department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for integrated cross-department risk management solutions. There are several hundred solutions available in risk management with varying capabilities and approaches. Organizations need to clearly understand the breadth and depth of their requirements, map these to risk solution capabilities, and understand that there is no one-size-fits-all solution for risk management, no matter what solution providers may say. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that are the right fit for your organization.

Organizations looking for risk management solutions and intelligence can get objective insight through:

GRC 20/20’s next Research Briefing is on How to Purchase Risk Management Solutions & Platforms. Organizations looking for risk solutions should attend to help them scope their requirements and approach the market.

AGENDA . . .

  1. Defining & Understanding Risk Management
    • Definition, Drivers, Trends & Best Practices
  2. Critical Capabilities of a Risk Management Platform
    • What Differentiates Basic, Common, & Advanced Solutions
  3. Considerations in Selection of a Risk Management Platform
    • Decision Framework & Considerations to Keep in Mind
  4. Building a Business Case for Risk Management
    • Trajectory of Value in Effectiveness, Efficiency & Agility

The GRC Pundit will help organizations . . .

  • Define and scope the risk management market
  • Understand risk management drivers, trends, and best practices
  • Relate the components of what makes a risk management platform
  • Identify core features/functionality of basic, common, and advanced risk management platforms
  • Map critical capabilities needed in a risk management platform
  • Predict future directions and capabilities for risk management
  • Scope how to purchase risk management platforms in a decision-tree framework
  • Discern considerations to keep in mind as you evaluate risk management solutions


Manage Third Party Risk Exposure in an Interconnected World

Realize that everything connects to everything else.
Leonardo da Vinci

The world is flat, risk is pervasive, and organizations have no boundaries. We operate in a global and interconnected world. Organizations are no longer defined by brick-and-mortar walls nor by employees. The term insider used to be a synonym for employee. Today, more than half of the insiders in many organizations are not employees. Organizations are a complex web of vendors, suppliers, contractors, consultants, temporary workers, service providers, outsourcers, brokers, dealers, intermediaries, and agents.

In this interconnected world, governance, risk management, and compliance (GRC) are no longer defined by traditional organization boundaries, because those boundaries no longer exist. The organization must holistically look at the web of relationships that form the organization and that nest in deep supply chains and subcontractor relationships. Third party risk is the organization's risk. Their issues are your issues. Their compliance and ethics problems are your problems.

Consider the wit of Douglas Adams in this context . . .

The connections between causes and effects are often much more subtle and complex than we with our rough and ready understanding of the physical world might naturally suppose . . . Let me give you an example. If you go to an acupuncturist with a toothache, he sticks a needle instead into your thigh. Do you know why he does that . . .?
― Douglas Adams, Dirk Gently’s Holistic Detective Agency

The exposure organizations face from third party relationships is significant. These include:

  • Bribery, Corruption & Fraud
  • Business Continuity
  • Contractual
  • Financial
  • Environmental
  • Ethical
  • Geo-Political
  • Health & Safety
  • Human Rights, Trafficking & Slavery
  • Import/Export & Customs
  • Labor Standards
  • Legal
  • Privacy
  • Operational
  • Regulatory Compliance
  • Reputational
  • Sanctions
  • Security
  • Strategic
  • Sourcing

Third party regulation and legislation have been particularly active over the past few years. Consider a fraction of what is happening:

  • Bribery & Corruption. We have seen expanded and increased enforcement of the US FCPA, with a focus on effective compliance. The UK Bribery Act has been in place for a few years, with enforcement happening. There is also expanding regulation globally on bribery and corruption.
  • Conflict Minerals. As part of the Dodd-Frank Act, thousands of companies have gone through two years of compliance with conflict mineral requirements and reporting. US publicly traded companies have to trace tin, tantalum, tungsten, and gold to determine whether they come from the Democratic Republic of the Congo or the nine surrounding countries known for crimes against humanity, and report on this.
  • FTC Power to Sue in Data Breach. This past August the U.S. Court of Appeals for the Third Circuit affirmed in FTC v. Wyndham the FTC's power to sue organizations in the event of a data breach. Given that over half of the insiders in many organizations are third parties, and the variety of breaches that have involved a third party, this is going to cause increased scrutiny and attention in third party risk management.
  • OCC Regulations of Third Party Risk Management. The OCC has significantly expanded vendor risk management requirements in financial services over the past several years, making this a board-level issue. Besides a legion of banks asking me questions, I am getting regular inquiries from third parties of banks that are responding to the greater scrutiny of the banks they do business with.
  • PCI DSS. In version 3 of PCI DSS we have seen expanded requirements on IT vendor risk assessments in the context of contractual requirements if you accept major credit cards. I fully expect this to expand further in the next version after the Target incident that exposed millions of credit cards, where the doorway into the breach was a heating and air-conditioning vendor that had a connection to the Target network. An attacker breached this vendor, got into Target IT systems, and compromised point-of-sale systems across Target.
  • U.K. Modern Slavery Act. This really surprises me, as I am not seeing organizations reacting to it. This past October the Modern Slavery Act went into effect, and it impacts a wide range of organizations. Basically, if you supply goods or services, have any connection into the United Kingdom (such as a single employee), and do £36 million or more in revenue regardless of the size of your UK operations, you need to prepare an annual Slavery and Human Trafficking statement detailing the steps the organization is taking to prevent slavery and human trafficking throughout its business and third party relationships (down into the depth of its supply chains). The guidance given on this statement requests that organizations detail:
    • Organization structure, operations, and map of supply chains
    • Policies and procedures related to slavery and human trafficking
    • Due diligence processes to prevent slavery and human trafficking
    • Risk assessment of the organization and suppliers where there is risk of slavery and human trafficking
    • Key performance indicators that the organization uses to benchmark effectiveness in preventing slavery and human trafficking
    • Training conducted with employees and third parties/suppliers in context of anti-slavery and human trafficking

These risks are complex and interconnected themselves. Third party risk cannot be managed in isolated and disconnected silos. It requires an integrated process of third party governance, risk management, and compliance throughout the lifecycle of third party relationships. However, many organizations manage third party risk in an ad hoc, siloed manner, with different departments doing things in different, disconnected, and redundant ways. These processes are usually inefficient and costly, as they require a significant amount of time, and the cost compounds as the number of third party relationships grows.

An integrated and effective third party management process enables the organization to consistently manage the lifecycle of third party relationships across:

  1. On-boarding. Automate the process of standardizing the identification of third parties to work with and moving them through registration and on-boarding while collecting required third party information and conducting appropriate due-diligence in context of the nature of the relationship. This includes third party:
    • Identification
    • Qualification
    • Contracting
    • On-boarding
  2. Ongoing communication processes. The organization manages the ongoing periodic tasks of communications, attestations and interactions with third parties. This includes cyclical and event driven interactions with each third party on:
    • Policies
    • Training
    • Attestation
    • Self-assessments/questionnaires
    • Reporting
  3. Monitoring processes. Enable the management and automation of the array of processes to continuously monitor third party relationships over their lifecycle in the organization. This includes third party:
    • Performance monitoring
    • Risk monitoring
    • Compliance monitoring
    • Ongoing due diligence monitoring
    • Issue reporting & resolution
    • Audit & inspections
  4. Forms & approvals. Manage the development and automation of internal processes to collect and report information and route things for approval in context of third party relationships. This includes:
    • New vendor/supplier request
    • Gifts, hospitality & entertainment
    • Political & charitable contributions
    • Facilitated payments
  5. Metrics & reporting. Through a solid information architecture and reporting engine, the organization brings together the data elements of the entire lifecycle to provide end-to-end reporting and metrics on third party relationships at the relationship level, risk area, or in aggregate.
  6. Renewal or Off-boarding. Utilizing the detailed history of interactions, issues, performance, non-conformance, and evolving risk scenarios, the organization manages the processes to evaluate, maintain, and renew third party relationships. All good things must come to an end: the third party management lifecycle concludes by managing the tasks and details that many organizations neglect, or forget, when off-boarding relationships that are no longer needed.

To accomplish an integrated third party management process requires that the organization formulate an overall third party management strategy and process that spans roles and functions involved. This is supported by an integrated and consistent third party information and technology architecture to provide a holistic system of record and accountability across internal functions and third parties.

However, the market has a maze of solutions to offer organizations. GRC 20/20 currently tracks and monitors over 130 third party management technology solutions and over 50 third party information/content offerings. Some of these solutions are broad and meant to support a holistic, integrated third party management program, while others are very function- and issue-specific. Navigating the maze of offerings and selecting the right elements to build a third party information and technology architecture is not a trivial task. GRC 20/20 is here to help organizations understand the range of solutions available and select the right solution(s) for each organization's specific third party management strategy and process, whether this is an integrated third party management strategy as proposed, or for a specific function or issue. Organizations looking for third party management solutions and intelligence can get objective insight through:


FCPA: Change is in the Air

The past few months have seen some interesting developments in the context of the U.S. Foreign Corrupt Practices Act (FCPA). I get more questions on anti-bribery and corruption than on any other compliance topic in my GRC research, and these developments should particularly interest compliance professionals.

The change is not a brand new direction, but a continual evolution of focus in FCPA enforcement. In a nutshell, the US Department of Justice (DoJ) in the recent Yates Memorandum stated a renewed focus on prosecuting individuals over corporations in the context of bribery and corruption. If an organization self-reports wrongdoing, cooperates with investigators, and can demonstrate that it has an effective compliance program, the focus shifts to prosecuting the individuals and not the corporation (though in cases in which corruption is pervasive and executive management is involved this may not be the case).

The weight given to whether an organization has an effective compliance program is reinforced by the DoJ recently hiring a compliance counsel to facilitate the evaluation of compliance programs in support of this shift in focus.

These changes have a significant impact on legal risk and corporate liability for organizations governed by FCPA. While self-reporting and cooperation are somewhat easily understood, the grey area that many are asking about is what constitutes an effective compliance program?

The standard answer is to point to the seven elements of an effective compliance program as established in the U.S. Sentencing Commission Organizational Sentencing Guidelines. This is good and something organizations should be familiar with. At a more practical level, I would encourage organizations to look at the details of the one case in which the DoJ declined to prosecute the company and went after the individual, Mr. Peterson: the Morgan Stanley case in 2012.

Consider this excerpt from the press release on the DoJ website:

Morgan Stanley maintained a system of internal controls meant to ensure accountability for its assets and to prevent employees from offering, promising or paying anything of value to foreign government officials.  Morgan Stanley’s internal policies, which were updated regularly to reflect regulatory developments and specific risks, prohibited bribery and addressed corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment.  Morgan Stanley frequently trained its employees on its internal policies, the FCPA and other anti-corruption laws.  Between 2002 and 2008, Morgan Stanley trained various groups of Asia-based personnel on anti-corruption policies 54 times.  During the same period, Morgan Stanley trained Peterson on the FCPA seven times and reminded him to comply with the FCPA at least 35 times.  Morgan Stanley’s compliance personnel regularly monitored transactions, randomly audited particular employees, transactions and business units, and tested to identify illicit payments.  Moreover, Morgan Stanley conducted extensive due diligence on all new business partners and imposed stringent controls on payments made to business partners.

Using this real-world example of a company that was not prosecuted and was praised for having an effective compliance program, we learn that an effective compliance program has the following elements:

  • Internal controls. The organization has to have a system of internal controls to address compliance and that is maintained.
  • Policies. The organization has to have established written policies that are kept current as regulations and risk change.
  • Training. The organization has to train relevant employees on policies and how to comply.
  • Reminders/awareness. Beyond training, the organization should show that it regularly reminds individuals of their responsibilities to follow policies and comply.
  • Compliance evidence/audit trail. The organization should be ready to demonstrate how often policies are communicated, training completed, and reminders sent.
  • Compliance monitoring. The organization needs to monitor transactions and activities for improper behavior.
  • Compliance audits. The organization should provide audits of compliance.
  • 3rd party due diligence. The organization should conduct due diligence on business partner relationships.
  • 3rd party controls. The organization should impose controls on transactions and activities in context of 3rd party relationships.

These changes should have organizations evaluating their compliance programs and determining how their compliance program maps to what is understood as effective in both the USSC Organizational Sentencing Guidelines and the Morgan Stanley detail from the DoJ.

In the next few weeks, GRC 20/20 is teaching in several activities that reinforce these concepts. These include:

From Backcountry Ranger to GRC Pundit

It is the Thanksgiving holiday here in the United States, so I thought I would make this post a little more personal. I am grateful for all of my clients, followers/subscribers, and the many I get to interact with in the range of my travels at conferences, workshops, and other events. Each and every one of you make GRC worthwhile.

As I have often stated, GRC is something organizations do; it is not something organizations buy. There is a range of technology solutions that help improve GRC processes and can make GRC more effective, efficient, and agile. But purchasing a GRC solution does not get you GRC. GRC is something every organization does. Some well, others not so well. You will not find an organization that states it lacks governance, does not manage risk, and could not care less about compliance. Whether the organization uses the GRC acronym, something else, or no label at all . . . all do GRC in some form or fashion. At the end of the day it is actually individuals that do GRC. We all play our part and participate in the machine of strategy and operations of the organization(s) we serve. Each of you plays a part in GRC in one or many organizations.

Oddly enough, becoming a GRC professional is not something I ever strategically planned to pursue. We often talk about organizations being on a GRC journey and it is not a particular destination. As a professional it has been a journey, one that I have enjoyed but not one that was intended.

I grew up in the Northwest corner of Montana near Glacier National Park. Montana is in my blood. I echo the words of John Steinbeck, in Travels with Charley: In Search of America, “I’m in love with Montana. For other states I have admiration, respect, recognition, even some affection. But with Montana it is love. And it’s difficult to analyze love when you’re in it.” From the age of four until I was seventeen my desire was to be a backcountry ranger. I loved, and still love, the outdoors. I spent my teenage years backpacking, rock-climbing, skiing, and doing anything outdoors. I was fascinated with all aspects of nature, ecology, botany, and the variety of animals that surrounded me. The mountains themselves beckoned to me and my heart leaps when I get to see mountains, particularly those in Northwest Montana. My middle son, one of three who is twenty-one years old, lives where I grew up. His friends often chide him as he will wake up and look at the mountains and be amazed. They will remind him he has been living there for over two years; it does not matter to him as every day mountain vistas strike his heart with a fresh flood of admiration and amazement. I understand my son.

The only thing that could move me from my pursuit of the outdoors and becoming a backcountry ranger was my greater love for the Creator of all that I loved so dearly. At age seventeen I decided to pursue theology in college to become a pastor/minister. It was in my first year of college that I met a wonderful young lady and fell in love. We got married two years later while still in college, and a year later were expecting our first child. I was serving in ministry while still trying to finish my degree, but it was not enough to support a young family. We moved to Milwaukee, Wisconsin (where my darling wife is from) and I pursued work in technology, with a focus on information risk and compliance. I worked in a manufacturing organization, then in a healthcare and life science research organization, and then led a risk and compliance consulting practice in the Chicago and Milwaukee area for several years throughout the 1990s.

During this time, I finished my undergrad degree in business, not theology, and went on to complete a Juris Doctorate. My passion for theology has not changed, though: I have finished my coursework and am writing my thesis for a Masters in Church History. My thesis is on the influence of medieval theology on J.R.R. Tolkien (another passion of mine). My favorite theologian and philosopher from church history is Anselm (11th/12th century Archbishop of Canterbury), who stated my life's purpose so well in his Proslogium, "One who strives to lift his mind to the contemplation of God, and seeks to understand what he believes."

As for my professional life, I started the Milwaukee chapter of the ISSA and was appointed to serve on the International Board of Directors for the ISSA serving in several capacities, first the VP of Chapter Relations, then VP of Marketing, and finally the VP of Standards & Public Policy representing the many ISSA members on public policy matters and standards impacting information security, risk, and compliance. I was able to have some of my works published in Congressional reports as well as serve on special Congressional committees.

It just so happened that the Chicago chapter president of the ISSA, and a friend, was Steve Hunt, an analyst at GiGa Information Group (note the two capital G's in GiGa; it actually stands for Gideon Gartner and not Gigabyte, as Gideon left Gartner, which he had established, to form a new breed of analyst firm in GiGa). Steve kept throwing his client inquiries/questions on compliance and policy over the fence to me for my insight and answers. One day he said, why don't you just come work here. So the next part of my journey started: I became an industry/market research analyst at GiGa, which shortly thereafter was acquired by Forrester Research.

I guess my claim to fame, should Wikipedia or something else remember me for a few months after I am gone, dates to a snowy day in February 2002 at the GiGa offices in Chicago. During my consulting years in the late 1990s I had pondered that there had to be a better way to manage risks, policies, controls, and compliance requirements, and to do this in the context of each other. A solution provider named Telos (with their solution Xacta), focused on government, demoed a solution to me that did just that on that snowy day in Chicago. It struck me that this was exactly what I had envisioned and been looking for in the 1990s. I saw a great demand for this type of solution and decided that it needed its own market segment and name (little did I know that the events unfolding with Enron at that time would lead to SOX, which would see this market take off very rapidly).

The question before me: what do I call this market? My next briefing after Telos was with PwC. They were reviewing the range of their services with me. They had lots of slides in their presentation categorizing their services from broad to industry specific. But three separate slides stood out to me: their Governance services, their Risk Management services, and their Compliance services. GRC. That was it. So on a snowy day in Chicago in February 2002 I first defined and labeled a market GRC. I went on to further define and model this market, but have also worked closely with OCEG over the years in contributing to and collaborating on the GRC Capability Model, as at the end of the day GRC is something organizations do, not something they buy.

Thus the GRC market was born. During my tenure at Forrester I was a VP and led their GRC research, often getting their Top Analyst award. I wrote the first two Forrester GRC Waves comparing solutions in the market, as well as the two ERM Consulting Waves comparing risk management consultants. I spent seven years at Forrester and then went on my own as an independent market research analyst under my company name, GRC 20/20 Research, LLC.

The GRC market has grown over the years and I love researching and following it. I have mapped over 700 technology solution providers into different segments of the GRC market, and have now mapped over 115 providers of GRC intelligence and content solutions with over 500 content offerings into the market as well. It is a passion of mine to understand the different solutions, what differentiates each, and to model and forecast the market.

I trust this Thanksgiving holiday is a good one for each and every one of you. I am thankful for all of you as you make my research meaningful, and I love interacting with all of you! I would love to hear about your GRC professional journey; feel free to comment on the road you took to where you are at now . . .

The Agile Organization: GRC in Context of Regulatory Change

Managing this dynamic and intricate nature of change is driving organizations toward improving their approach to regulatory change management as a defined process and integrated part of a GRC strategy within the organization. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year.

GRC Regulatory activity

What further complicates this is the exponential effect of regulatory change on the business. Business operates in a world of chaos, and in that context, regulatory chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which a small event develops into, and influences, what ends up being a significant event. The concept uses the analogy that the simple flutters of a butterfly’s wings create tiny changes in the atmosphere that ultimately impact the development and path of a hurricane.

The typical organization does not have adequate processes or resources in place to monitor regulatory change. Instead . . .

The rest of this post can be found in a guest blog on MEGA’s Corporate Governance Blog . . .

READ MORE: http://community.mega.com/t5/Blog/The-Agile-Organization-GRC-in-Context-of-Regulatory-Change/ba-p/11248

IT GRC > IT Security

If you have been following my research over the course of the past 15 years you will know that I have often been frustrated when IT GRC has been understood to be confined to IT security management. In fact, you can find some of my Forrester reports (2001 to 2007) that often challenge the captivity of IT GRC by security.

IT Governance, IT Risk Management, and IT Compliance are broader than security. Yes, security is one of the most critical risks in IT departments and to the business. I am not minimizing IT security; it needs to be addressed. However, this gives IT security management solutions that do IT security governance, IT security risk management, and IT security compliance no right to hold IT GRC hostage.

Consider . . .

  • IT Governance. IT governance is the reliable achievement of IT’s objectives, which should be aligned with the business. IT has many objectives that go well beyond security of IT systems and information. If IT governance is only about security, then we might as well give the CIO and CTO job to the CISO. Governance of security is important, but IT meeting business needs and objectives today and into the future is even more critical. IT governance is centered on the performance of IT and alignment of IT to meet business needs. Security comes in within, and after, this context.
  • IT Risk Management. Some of the greatest risks in IT are security risks. But there is a range of other risks that are critical as well: IT service delivery risk, risk in IT operations, IT project risk, IT planning and staffing risks, disaster recovery and business continuity, and more.
  • IT Compliance. I will not argue; some of the greatest IT compliance challenges are about security (anyone dealing with PCI DSS and other compliance obligations knows this). The point still is that IT compliance goes beyond IT security. Consider web accessibility requirements under the ADA (Americans with Disabilities Act).

What is frustrating to me is that 95% of the RFPs I assist with, and of the inquiries I answer from organizations looking for solutions (between 5 and 10 a week), treat IT GRC as synonymous with IT security management.

To put it in a formula:

IT GRC ≠ Security Management

IT GRC > Security Management

What is encouraging in the past 12 months is that I have seen several RFPs I have assisted in writing that are taking a broader understanding of IT GRC, and this is supported by growing inquiries from organizations asking me questions about solutions with broader IT GRC capabilities.

IT departments need a 360° contextual awareness of security in IT, but they also need a 360° contextual awareness of a broader understanding of IT governance, IT risk management, and IT compliance management.

As for the market, my definition of IT GRC remains broader than IT security management. There are solutions that deliver on a broader vision of IT GRC, some more than others. A sub-segment of IT GRC consists of solutions whose capabilities focus primarily on vulnerability discovery and remediation on IT assets and on measuring risk and compliance in a security context.

On October 19th, I will be presenting the next GRC 20/20 Research Briefing, 2015: How to Purchase IT GRC Platforms. This Research Briefing is aimed at defining a framework for purchasing IT GRC solutions, whether focused on IT security management or more broadly on IT GRC management.

The goal is to provide buyers of IT GRC solutions an understanding of different types of IT GRC solutions that have a broad or narrow focus, give them a decision tree to help them define what they need, present critical capabilities needed in an IT GRC platform, and offer advice related to IT GRC and security management RFPs and evaluations.

If you are frustrated with your current IT GRC implementation or looking to purchase an IT GRC solution, then I encourage you to register and attend this Research Briefing (or watch the recording).

REGISTER: How to Purchase IT GRC Platforms: http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-it-grc-platforms/

NOTE: for clarity, I am an advocate of IT security, and if your focus is on IT security management in the context of IT GRC there are many great solutions that deliver this. I am just stating that this is a sub-segment of IT GRC.

Now Accepting 2015 GRC Value Award Nominations

GRC 20/20 is accepting nominations for the 2015 GRC Value Awards!

Successful governance, risk management, and compliance (GRC) delivers the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment with agility. GRC solutions should achieve better performing processes that utilize more reliable information. This enables a better performing, and a less costly, more flexible business environment. Clients engage GRC solutions with the goals of understanding and managing risk, ensuring compliance with obligations, improving human and financial efficiencies, enhancing transparency, and managing GRC in the context of business change.

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

  • Effective: At the end of the day it is about effectiveness. How does the organization ensure risk and compliance is effectively understood, monitored, and managed at all levels of the organization?
  • Efficient: GRC engagement provides efficiency and savings in both human and financial capital. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • Agile: GRC engagement delivers business agility where organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate to employees GRC context to these changes.

The 2015 GRC Value Award nominations will be accepted through October 5th (no exceptions, nomination form closes down at midnight CDT on October 5th). Recipients will be determined by mid-October with announcements in November.

The 2014 GRC Value awards are to recognize GRC solutions that have returned significant and measurable value to an organization. The nomination must be on a specific implementation/project in a verifiable client. No generalizations or consolidations of multiple clients. The GRC Value awards are to acknowledge specific QUANTIFIABLE value in a specific instance. These are cold hard facts that are empirical, measurable, and objective. Every nominee selected for final recognition (both solution provider and client) must be willing to spend up to an hour on the phone (separately, not together) to discuss the submission and validate its accuracy. Only the top nominations in each category will go through the validation process.

All award submissions are based on a single real-world implementation. Factual accuracy and integrity are necessary. GRC 20/20 will take all the nominations and select in each category the submissions that articulate the greatest quantifiable value in objective, measurable terms. We are looking for hard facts, not just soft bullet points. Time saved, dollars saved, FTEs reduced. Numbers win, generalizations lose. Every submission must have contact information for the organization that claims to have received this value. These organizations will be contacted and interviewed to determine if they have actually received the stated value as portrayed. Any misrepresentation found will disqualify the nomination from receiving the award, and the next set of nominations in each category will be evaluated.

Each recipient of an award will be written up and acknowledged. Details of the nomination will be referred to but can be handled anonymously (if formally requested) in award announcements/communications from GRC 20/20. So the client reference case study does not have to be named and can be anonymous, but GRC 20/20 must know who the client is and be able to validate the facts.

The seventeen categories for submission are:

  • Audit Value Case Study
  • Automated / Continuous Control Value Case Study
  • Business Continuity Value Case Study
  • Compliance Management Value Case Study
  • Enterprise GRC Value Case Study
  • Environmental, Health & Safety Value Case Study
  • IT GRC Value Case Study
  • Internal Control Value Case Study
  • Issue Reporting & Management Value Case Study
  • Legal Management Value Case Study
  • Physical Security Value Case Study
  • Policy & Training Value Case Study
  • Quality Management Value Case Study
  • Reputation & Responsibility Value Case Study
  • Risk Management Value Case Study
  • Strategy & Performance Value Case Study
  • Third Party Management Value Case Study

Please submit nominations before midnight on October 5, 2015. Nomination forms will be accepted until this date, with finalists selected and deeper dives in mid-October, recipients selected by the end of October, and announcements at the beginning of December. Award recipients will be announced to vendors at the end of October so that coordinated announcements/press releases can go out at the beginning of December.

Quick Start to a GRC RFP

So far 2015 has been the busiest year I have seen in the GRC market. There is increased demand for GRC solutions in all varieties, across industries and geographies.

The GRC market is a broad market with a variety of segments. It is not all about Enterprise GRC Platforms. In fact, only about 25% of the inquiries GRC 20/20 gets from organizations are for Enterprise GRC strategies and platforms. A good 75% of the market is aimed at solving department and specific regulatory or risk area needs. There are over 700 technology solution providers in the GRC market across 16 primary market segments. In addition to this there are over 90 GRC intelligence (content) providers offering over 350 GRC intelligence solutions of various capabilities.

The challenge is: how do you find the right GRC solution for your organization?

This is where GRC 20/20 comes in. If you are looking for GRC solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website. I will do my best to see that you are responded to quickly and efficiently. GRC 20/20 is currently answering between 5 and 10 inquiries each week from organizations looking for GRC related solutions.

The next step is building out the requirements for a GRC RFP. Whether this is for an enterprise GRC platform or a very specific segment of GRC, GRC 20/20 has detailed RFP criteria for many domains of GRC. These involve over 200 requirements (sometimes many more) in a given segment of GRC that are broken into basic, common, and advanced functionality. This allows organizations to select the criteria that best fit their needs, as some require only simple functionality while others require advanced functionality.

GRC RFP Criteria is available, in an engagement, in the following areas:

  • Enterprise GRC Solutions
  • Audit Management Solutions
  • Policy & Training Management Solutions
  • Risk Management Solutions
  • Third Party Management Solutions (e.g., vendor, supplier)
  • Compliance Management Solutions
  • IT GRC Management Solutions
  • Internal Control Management Solutions
  • Automated/Continuous Control Management Solutions
  • Business Continuity Management Solutions
  • Environmental, Health & Safety Management Solutions
  • Issue Reporting & Management Solutions
  • Quality Management Solutions

GRC 20/20 can be engaged on RFP projects to rapidly enable organizations to develop RFPs based on our RFP criteria library. Simply email me at [email protected] and we can scope your needs for an RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

How to Purchase Policy Management Solutions

The policy and training management technology enables and operationalizes effective, efficient and agile policy management and awareness. The goal of this technology is to operationalize the policy management processes and communication. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitates the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There should be an enterprise platform for policy and training management that connects the fabric of the policy management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements.

Organizations have the following policy management choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions.  Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organizations end up maintaining a wide array of solutions that do very similar things but for different purposes.  This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Enterprise GRC platforms.  Many of the leading enterprise GRC platforms have policy and training management modules.  However, these solutions often have a predominant focus on policy and do not always have complete capabilities in training.
  • Enterprise policy and training management platform.  This can be an enterprise implementation of a point solution dedicated to policy and training management or an enterprise GRC platform that has the breadth of capabilities needed for policy and training management.  This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes.

The right policy and training solution choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which business operates.

A well-conceived technology architecture for policy and training management can enable a common policy and training framework across multiple departments, or just one department as appropriate. Organizations need a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a policy management platform approach enables better performance, less expense and more flexibility.  Some of the core capabilities organizations should consider in a policy and training management platform are:

  • Integration. Policy and training management is not a single isolated competency or technology within a company. Policy and training management often requires information from human resources, vendor management systems, and other sources to automatically maintain a single record. These applications must integrate with the other technologies and competencies that already exist in the organization, particularly ERP and GRC, so the ability to pull and push data through integration is critical.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. The platform should also provide standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with policies and training metrics and processes. Contextual awareness requires that policy and training management have a central nervous system to capture signals such as changing risks and regulations, and to provide analysis and holistic awareness in the context of a changing and evolving business environment.
  • Organization management. Policies and training apply to something within the organization, whether it is a business process, a physical asset, an information asset, a business relationship, or the entire organization. The system must model the organization and map policies to where they apply.
  • Accessibility. Policies and related training are only of value if they are accessible. A policy management system must provide a complete system of record any individual can log into and find policies that apply to their role, along with required tasks, attestations, and training they must complete. The system should be available in the official languages recognized by the organization. It should also support the communication needs of the differently abled (e.g., vision impaired, etc.).
  • Training management. Training management includes support for classroom, offsite or vendor training, e-learning programs, recorded presentations, simple document delivery and attestation, registration, and attendance completions. The challenge for companies is integrating learning management systems with policy management systems. This can be done by adopting a policy management solution that provides training management. In this model, the courses, scheduling, attestations, and automatic assignment of policies and training based upon the organization matrix are integrated with workflow, task management, and monitoring. Mature policy management systems automatically reschedule training if a policy is updated and assign additional training if a person is promoted or changes roles. This greatly simplifies administration and maximizes accountability and measurability.
  • Notifications. The most effective means of providing accountability in policy management is through notifications. Notifications are delivered when policy authors receive a new work assignment, when a due date draws near, or when a task is overdue and an escalation notice must be sent to management. If a person, or perhaps a whole business unit, needs to read and attest to a revised policy, reminders and escalation are required. Policy management systems provide configuration capabilities to customize messages, provide links to tasks, consolidate notifications, and help enforce goals, plans, and accountability. Notifications must be able to integrate with the organization’s e-mail system to deliver messages and drive accountability.
  • Audit trail. If it’s not documented, it’s not done. An audit trail should record each who, what, where, and when for every document, assignment, person, and piece of content collected, developed, changed, distributed, archived, surveyed, trained, notified, and read. This ensures that when an incident occurs, an audit takes place, or a regulatory exam or investigation happens, you are prepared with accurate and timely evidence. The level of audit trail required for policy management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Intuitive interface design. Policy and training management is using leading concepts in interface design to make the user experience of applications simpler, easy to navigate, and aesthetically appealing, and to minimize complexity.
  • Socialization and collaboration. Collaboration and socialization are used to conduct risk workshops, understand compliance in the context of business, and get individuals involved in policy and training at all levels of the organization.
  • Gamification. Gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making. It gets employees involved through video, comedy, and games to educate on risk, policy, and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles, and illustrations help answer questions, develop skills, and communicate a point. Employees can engage with policies and training to gain points, accomplish levels, earn badges, and gain recognition of skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies, and has taken a quiz to validate understanding. As a result they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others, and champion policies in different ways. This is all linked back to GRC technology to track and promote this activity, as well as to broader corporate HR and collaboration technologies.
  • Mobility. A lot of employees do not have computers, and some that did are now being issued tablets. Policy and training engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments where a tablet could be deployed as the policy and training kiosk for employees. Effective policy and training is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring policies to all levels of business operations.
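The organization management, training management, notifications, and audit trail capabilities above describe a platform that maps policies to roles, re-issues attestations when a policy is revised or a person changes role, surfaces overdue tasks for escalation, and records who/what/where/when for every event. The following Python model is an added illustration of those behaviours, not the author’s or any vendor’s code; the policy identifiers, roles, review periods, and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Policy:
    policy_id: str
    version: int
    applies_to: set        # roles the policy is mapped to (organization management)
    review_days: int = 30  # days allowed to read and attest after assignment

@dataclass
class Person:
    person_id: str
    role: str

@dataclass
class Attestation:
    person_id: str
    policy_id: str
    version: int
    due: datetime
    status: str = "open"   # open -> done, or superseded by a newer policy version

class PolicyRegister:
    """Maps policies to roles, issues attestation tasks, keeps a who/what/where/when trail."""

    def __init__(self, clock):
        self.clock = clock   # callable returning "now"; injected so runs are reproducible
        self.policies, self.people, self.attestations, self.audit = {}, {}, [], []

    def _log(self, who, what, where):
        self.audit.append({"who": who, "what": what, "where": where, "when": self.clock()})

    def _open(self, person_id, policy_id):
        return [a for a in self.attestations
                if a.person_id == person_id and a.policy_id == policy_id and a.status == "open"]

    def _assign_in_scope(self, people, policies):
        for person in people:
            for policy in policies:
                if person.role not in policy.applies_to or self._open(person.person_id, policy.policy_id):
                    continue   # not in scope, or an open task for this policy already exists
                due = self.clock() + timedelta(days=policy.review_days)
                self.attestations.append(Attestation(person.person_id, policy.policy_id, policy.version, due))
                self._log("system", "assign", f"{policy.policy_id} v{policy.version} -> {person.person_id}")

    def add_policy(self, policy, author):
        self.policies[policy.policy_id] = policy
        self._log(author, "publish", f"{policy.policy_id} v{policy.version}")
        self._assign_in_scope(self.people.values(), [policy])

    def add_person(self, person):
        self.people[person.person_id] = person
        self._log("hr-system", "onboard", person.person_id)
        self._assign_in_scope([person], self.policies.values())

    def attest(self, person_id, policy_id):
        for att in self._open(person_id, policy_id):
            att.status = "done"
            self._log(person_id, "attest", f"{policy_id} v{att.version}")

    def publish_revision(self, policy_id, author):
        """A new version supersedes open tasks on the old one and re-assigns everyone in scope."""
        old = self.policies[policy_id]
        for att in self.attestations:
            if att.policy_id == policy_id and att.status == "open":
                att.status = "superseded"
        self.add_policy(Policy(policy_id, old.version + 1, old.applies_to, old.review_days), author)

    def change_role(self, person_id, new_role):
        """A role change pulls in any additional policies now mapped to the person."""
        person = self.people[person_id]
        self._log("hr-system", "role-change", f"{person_id}: {person.role} -> {new_role}")
        person.role = new_role
        self._assign_in_scope([person], self.policies.values())

    def overdue(self):
        """Open tasks past their due date: the input to reminder and escalation notifications."""
        now = self.clock()
        return [a for a in self.attestations if a.status == "open" and a.due < now]

def build_sample_register():
    """Constructed walk-through: onboarding, a policy revision, a role change, then time passes."""
    now = [datetime(2015, 10, 1)]
    reg = PolicyRegister(lambda: now[0])
    reg.add_policy(Policy("POL-AUP", 1, {"staff", "engineer"}), "policy-owner")
    reg.add_policy(Policy("POL-SECURE-DEV", 1, {"engineer"}, review_days=14), "policy-owner")
    reg.add_person(Person("alice", "staff"))
    reg.add_person(Person("bob", "engineer"))
    reg.attest("alice", "POL-AUP")
    reg.publish_revision("POL-AUP", "policy-owner")   # alice and bob must now attest to v2
    reg.change_role("alice", "engineer")              # alice now also owes POL-SECURE-DEV
    now[0] += timedelta(days=20)                      # the 14-day secure-dev tasks are now overdue
    return reg

if __name__ == "__main__":
    register = build_sample_register()
    for task in register.overdue():
        print(f"ESCALATE: {task.person_id} has not attested to {task.policy_id} v{task.version}")
```

Running the walk-through leaves alice’s attestation to the original policy version on record as done, marks bob’s unfinished task on that version as superseded rather than deleting it, and reports both secure-development tasks as overdue for escalation.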

More on this topic will be presented in next week’s Research Briefing: How to Purchase Policy Management Solutions

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop, maintain, communicate, and train on policies. This is why organizations are aggressively looking at policy management platforms to address this challenge, as is apparent in the number of RFPs and inquiries GRC 20/20 is involved in with organizations looking for policy management platforms.

In this Research Briefing, 2015 How to Purchase Policy Management Solutions, GRC 20/20 will provide a synthesis of what organizations should consider when purchasing policy management solutions. Attendees will learn what a policy management system does and what are basic, common, and advanced features of a policy management platform. This will be supported by a framework (decision-tree) of considerations to guide an organization when purchasing policy management solutions.

REGISTER: http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-policy-management-solutions/

Demand & Market for GRC Content & Intelligence Offerings

Governance, Risk Management & Compliance (GRC) is something every organization does, but not necessarily does well. All have some approach to GRC whether it is ad hoc and broken, or mature and integrated. Every organization on the planet does GRC in some form or fashion. The official definition of GRC, as defined by OCEG in the GRC Capability Model, is that GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

Organizations do not buy GRC; they do GRC. However, there is a market for GRC-related solutions, services, and content/intelligence. These help organizations in their doing of GRC within their organization and bring efficiency, effectiveness, and agility to GRC strategy, processes, and architecture.

A lot of attention has been given to the GRC technology solution market. I was the first to define and model this market back in February 2002 while at Forrester and have continued my nurturing and monitoring of this market. There are over 1,000 providers in the broad GRC market which is currently a $11.89 Billion market, but this does not count the professional services market which is significantly bigger than this. The Enterprise GRC market is about 10% of this figure.

To date, not a lot of attention has been given to modeling and sizing the GRC content and intelligence market. This market is significantly represented in the above market size figure, but not completely. The reason is that many GRC content and intelligence solutions are tied to and integrated into technology solutions. While this is true, many of these same GRC content and intelligence solutions can also be integrated with other GRC technologies, and many are agnostic to GRC technology.

The role of content in GRC strategies, solutions, and architecture is becoming significant. Organizations find that they need access to risk and compliance intelligence updates, regulatory changes, risk libraries, audit templates, sanction and watch lists, sample policies, and more. GRC solutions are often differentiating themselves by their ability to provide and integrate a range of content offerings into their solution to provide complete situational awareness in a dynamic business environment.

On Monday, July 13th, GRC 20/20 will be presenting our latest Research Briefing on 2015 Market Analysis: GRC Content & Intelligence Providers. In this research briefing we will discuss the latest drivers and trends for GRC content and intelligence as well as segmentation, size, and forecasting of the GRC content and intelligence market.

GRC 20/20 has mapped 91 GRC Content & Intelligence providers with more than 350 content & intelligence offerings across the following categories (there is some overlap between these categories):

  • Audit Template & Workpaper Libraries
  • Benchmarking Solutions
  • Control Libraries
  • Compliance Forms & Templates
  • Due Diligence & Financial Monitoring
  • EH&S Libraries
  • Geo-Political Risk Monitoring
  • Industry Risk & Regulatory Reporting
  • Legal Cases & Analysis
  • Loss & Incident Databases
  • Negative News Monitoring
  • Policy Libraries
  • Regulatory Intelligence (actionable insight on reg change, not just a library)
  • Regulatory Libraries
  • Reputation & Brand Monitoring
  • Risk Libraries (including KRI, risk registers)
  • Risk Forms & Templates
  • Sanction / Watch Lists (including PEP lists)
  • Third Party Forms & Templates
  • Third Party Monitoring
  • Third Party Shared Assessments
  • Threat & Vulnerability Monitoring
  • Training Libraries

The role of GRC content and intelligence integrated with technology is a growing demand and need in the GRC market. Organizations are increasingly thinking along the lines of a GRC architecture to support the range of their technology and content integration needs, and not in siloed concepts of a single enterprise GRC technology platform.