The GRC Pundit

Rethinking GRC: Analyst Rant, Gartner's 2012 EGRC Magic Quadrant

The GRC Pundit BlogPublished onLeave a Comment on Rethinking GRC: Analyst Rant, Gartner's 2012 EGRC Magic Quadrant

Yes, the latest Gartner EGRC Magic Quadrant is out and I am left questioning what value it provides.  My first impression is that it is best for the compost pile to be used as fertilizer for the garden next spring and not used in organizations that may rely on it to make misinformed GRC technology decisions.

NOTE: this rant is not a reflection of individual vendors in the EGRC Magic Quadrant.  Though I have issues with how some vendors are represented and placed (good night, one in the leaders quadrant almost never comes up in RFPs), my rant is because of Gartner’s flawed understanding of the market and broken process for doing Magic Quadrants.  If you want my analysis on individual vendors then give me an email or call.

For historical purposes, I first defined and modeled the GRC (governance, risk management, and compliance) market back in February 2002 while at GiGa Information Group soon to be acquired by Forrester Research, Inc.  I published the first two Forrester Waves on GRC.  What is important to note is that the 2nd Wave had four different Wave graphics as the market was too complex to represent in a single graphic to compare vendors with integrity.  Some solutions were stronger in audit, other stronger in risk, while others are stronger in compliance. The market has only grown more distributed and complex.  In fairness to Gartner, they recognize this and reference doing a Market Scope next year instead of a Magic Quadrant.

My single greatest issue with the 2012 Gartner EGRC Magic Quadrant is that the Magic Quadrant is very much as it states – MAGIC.  There is no transparency or clarity on how vendors are scored.  It is as if Gartner has a giant Magic Quadrant dartboard and hurls a vendor dart against it to see where they land – yes there is some aim involved but it is not really precise and objective.

The current Magic Quadrant is a mile wide and an inch deep.   I am left asking the question – what practical purpose does it serve?  Right now the graphic itself is misleading.  Those in the upper right quadrant – the leaders quadrant – are often short-listed to RFPs/RFIs but others get very little to no attention even though some have outstanding capabilities and can compete feature for feature with the Leaders.  Then there are those that are not even in the Magic Quadrant that have excellent capabilities, but perhaps they do not have the right revenue or are only operating in a single geography.

The truth is, the MQ does not really help you identify and select GRC vendors that are the right fit for your business.

  • If your need is audit – how do you get a detailed comparison of the audit management features of workpaper management, calendaring, audit planning/scheduling, offline audit capabilities?
  • If your need is compliance – how do you get an understanding of which vendors have the best content, can manage policies and investigations, track regulations, and conduct assessments?
  • If your need is risk management – which vendors support your risk analytics needs?  Some just do heat maps, others do scenario modeling, bow-tie analysis, monte carlo simulations.  Are the risk management features built for risk management at a department level or can they scale because they have risk normalization and aggregation capabilities?
  • If you need policy management – which vendors support versioning of policies and content management?  Which have integrated learning management systems to deliver courses, and which make you work with external systems?
  • If you need regulatory change management – which vendors integrate with content providers for regulatory content?  Do they truly integrate or do they just take in RSS feeds?  What content do they have in the system itself?  How can this content be effectively mapped to policies and other items in the GRC system?  Is this mapping at a document level or can you map statements or paragraphs across documents?

Even basic information such as deployment models – on-premise, hosted, software as a service – are not transparent in the MQ. At least not consistently.  There are gems of insight that can be gathered from the summaries of the vendors, but what you learn about one vendor you have no way to objectively compare it to another vendor as it is not discussed or measured for the other vendor.

If your need is compliance management (or specific issues of compliance like anti-bribery and corruption), I can tell you how one of the vendors in the challengers quadrant can run circles around nearly everyone in the leaders quadrant.  Though if you wanted to do offline audits this vendor should not be in your RFP. If you want deep functionality in risk management how the same vendor will not perform where others in the visionaries quadrant excel at risk management and in many cases do it better than those in the leaders quadrant.

I had one major financial services firm tell me that they never want to see a heat map again as their GRC vendor in the leaders quadrant could not aggregate and normalize risk data properly as it was built for a departmental risk solution and is flawed (in the release they were using) to do proper risk normalization and aggregation.

Friends, the Gartner EGRC Magic Quadrant does not give you the objective detail you need to make informed decisions on the vendors to engage on an RFP/RFI let alone acquire.  It gives you little quips, but not the detail to save you time and money on an RFP/RFI.  In fact, several times this year I have been engaged by organizations after they went through the RFP process using vendors that performed well from last year’s EGRC MQ. Only after spending a lot of time and effort to realize that the vendors they looked at were too expensive, did not serve their industry, or did not have the capabilities they needed.

If Gartner made public their criteria and grading scale then users could dig into the details and see how vendors scored on individual criteria.  If a vendor is not on the MQ then the same criteria can be used to evaluate other vendors objectively. Forrester discloses their criteria.  You can download an entire spreadsheet of everything Forrester evaluated, how each vendor scored on each item, and what the scale was to score the vendor.  Gartner has never provided anything like this. So we are left with a lot of subjectivity instead of objectivity.  The issue is that any organization’s understanding and need for a GRC solution varies from others.  What Gartner has produced is absolutely useless in helping a organization select a vendor for an RFP as these solutions vary greatly in depth and breadth and there are major areas of functionality that are not revealed objectively in the MQ.

Gartner has a script and gives a vendor a short time period to demo their GRC product to Gartner.  They do not allow you to go off script – I have heard this from multiple vendors frustrated with the process.  A vendor may have an absolutely amazing differentiator but if it is off script you have to kick and scream to get even passing attention.  In other words, Gartner has their rigid view of the GRC capabilities of EGRC vendors and if you approach it differently then you are outside their myopic vision.

I also take issue with how Garter defines and presents the GRC market.  While they give lip service to a lot of areas of GRC throughout the document they assume that an EGRC platform is comprised of only the four categories of risk management, audit management, compliance and policy management, and regulatory change management.  I see a much broader definition of the GRC market and define it across 29 categories: with 9 categories being components of enterprise GRC that span across the business and 21 categories being role/function specific GRC areas.  GRC is a broad market – a macro market – with many micro marke
ts that it is comprised of.  EGRC puts several of these micro market segments together into an integrated technology and information architecture platform. There is not a single vendor that can bring all the components of GRC to your organization.

Gartner states that there are many businesses implementing a single EGRC platform.  My market research tells me that 80% of the buying activity in GRC the buying organization is trying to solve specific problems.  Less than 20% have an EGRC strategy, but even those have multiple vendors.  I would state it is less than 5% that are truly trying to consolidate on one platform.  In fact, one large retailer I spoke to a month back stated they have four GRC platforms (in this case Archer, SAP, SAS, and Enviance).  A defense contractor at the same event stated they had all those platforms plus two more (Thomson Reuters and MetricStream).  A financial services firm I have worked with has four different GRC vendors in their environment (Archer, SAI Global, Mitratech, and Wolters Kluwer).

What it means (a term Forrester uses in their research reports):  If you are looking for an objective understanding of how vendors stack up to each other the Forrester Wave process is much better than the Gartner MQ (though Forrester does not consistently update the GRC Wave so organizations are often left with out of date comparisons).  The MQ is fit for the compost pile.  However, what is really needed is objective comparisons that go deeper than either the Forrester Wave and Gartner MQ.  If you need audit functionality – here is how the vendors stack up on audit features (objective and open, not hidden).  If you need compliance – here is a detailed comparison of how the vendors compare on compliance features.  If you want to know which vendors support which type of risk modeling – here is a comparison.  That is the vision I am aiming for.  Objective, open, and straightforward comparisons of feature areas of GRC so organizations do not waste time and money in the vendors they look at.  If you have core requirements that are essential you should be able to mark those requirements and find which vendors support those features.

 

Accountability and Consistency in Policy Development

The GRC Pundit BlogPublished onLeave a Comment on Accountability and Consistency in Policy Development

In my experience, policy management processes are in disarray when operating autonomously, introducing risk in today’s complex, dynamic, and distributed business environment. The typical organization lacks a structured means of policy development and governance with an inconsistent maze of templates and processes. Inconsistency in policy management means processes, partners, employees, and systems that behave like leaves blowing in the wind. Organizations struggle with policies that are out-of-date, ineffective, and not aligned to business needs. Policy inconsistency opens the doors of liability, as an organization may be held accountable for policy that is not appropriate or complied with.

Organizations require a consistent governance process to develop and maintain policies and procedures. Policies articulate culture, they establish a duty of care, define expectations for behavior, and establish how the organization is going to comply with obligations. Accountability in policy governance is made possible by three policy governance functions:

  1. Policy Lifecycle Management. Policy Lifecycle Management is the process of managing and maintaining policies throughout their effective use within the organization. Implementation of Policy Lifecycle Management requires process and technology that is rich in content, workflow, process, and task management with a robust audit trail.
  2. Policy Management Committee. The Policy Management Committee governs the oversight and guidance of policies to ensure policy collaboration across the enterprise and provide the structure and connective tissue to coordinate and drive consistency. It is comprised of team members that represent the best interest and expertise of the different parts of the organization.
  3. Policy Manager. An individual should be assigned to the role of Policy Manager to assure accountability across the policy lifecycle to the standards, style, and process defined by the Policy Management Committee.

Critical to the success of policy governance is a “policy on writing policies” supported by a policy style guide and templates. Organizations are not positioned to drive desired behaviors or enforce accountability if policies are not consistent. Policy writing that is wordy and confusing is damaging to the corporate image and costs time and money. Every organization should have a structure in place to provide for clear and consistent policies. A significant shortcoming in policy management is the failure to define a policy style guide. A style guide for policies defines standardized:

  • Taxonomy. Policies are to have a logical relationship to each other following a hierarchical categorization taxonomy.
  • Format. Policies are to have a consistent look and feel. Anyone should be able to see a policy and recognize that it is a corporate policy by the consistent format.
  • Structure. Related to format, policies are to have a consistent structured arrangement of the headings/sections.
  • Language. Policies are to have consistent language. Good policies are written in the active voice and easy to read.
  • Definitions. Terms used in policies are to be used consistently across the organization with a common understanding of what they mean.
  • Process. The style guide should outline roles and responsibilities for writing, editing, and approving policies.

Policy lifecycle management that addresses accountability brings integrity and value to policy management. It provides accountability to policy management processes that are often scattered across the organization. It enables policy management to work in harmony across organization functions delivering efficiency, effectiveness, and agility. Well-governed and written policies aid in improving performance, producing predicable outcomes, mitigate compliance risk, and avoid incidents and loss.

I look forward to hearing your thoughts on the policy development and approval process . . .

This post is part of a broader roundtable and GRC Policy Illustration that was published by Compliance Week and hosted by OCEG.  The full piece can be accessed at:  Policy Development and Approval

There is also an webinar on this topic and illustration on October 4, 2012.

Rethinking GRC

The GRC Pundit BlogPublished onLeave a Comment on Rethinking GRC

2012 marks the 10th anniversary since I first modeled a market for technology, content, and professional services and labeled it GRC. It all started with a vendor briefing with a software firm in which they demonstrated an integrated view of controls, policies, and assessments. A light bulb flashed within my head that there is a strategic approach to business combined with services, content, and technology to service it – organizations could achieve an integrated view of information to assist with Governance, Risk Management, and Compliance (GRC). That was February of 2002 and the GRC market was born.

From the beginning I always stated that GRC was about the business first and technology was a foundation for the business to build upon. It was first and foremost about understanding the business – its strategy, risks, obligations, commitments, objectives – and helping the organization manage risk and compliance in the context of business.

Over the years, GRC has grown in conception and understanding. The best thing to happen to GRC was the development of the OCEG GRC Capability Model, and with that the OCEG definition of GRC:

  • GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.

What has been a disappointment with GRC and needs us to cause some rethinking is our technology approach to GRC. It is impossible to define GRC as a package of software. There is not one vendor that can be your GRC band-aid and solve your problems. GRC is not a commodity that you buy from a technology vendor.

GRC is what is achieved in the business and its operations. To that point we need to rethink our understanding of GRC technology.

This means that we need to think of GRC in the context of business architecture. To achieve good GRC processes in our environment requires and understanding of what the business is about, how it operates, and how it should be monitored and controlled through information and technology.

Rethinking GRC is about taking an enterprise/business architecture approach to understanding the business and how it operates. This includes:

  • Strategy architecture. Understanding what the business is about, where it is going, what the goals are. This requires that we understand GRC — and its components of governance, risk management, and compliance – in the context of business performance, strategy, objectives as well as its culture and values.
  • Process architecture. Flowing from strategy are the processes that define the business and how it operates. Good GRC is done in the context of the business – the rhythm of the business. GRC technology and processes should be integrated with business processes and systems. We need a firm understanding of how the business operates and how to manage risk, policies, and controls in the context of business operations. GRC requires that we be able to model the organization, its operations, and its processes to understand GRC in context of the business.
  • Information architecture. To support business operations and processes, we need a good definition of GRC related information. To define standards/schemas of information for risk, policies, controls and how information flows across the business. What GRC information is needed to make sure that the business is reliably achieving objectives while addressing uncertainty and acting with integrity.
  • Technology architecture. Finally, we approach technology. GRC technology needs to be kept in perspective – it is about the business. We need to make sure that the GRC technologies (and I purposely use the plural) integrate with our business operations, systems, and processes. To put GRC before the business is to put the cart before the horse.

What does all of this mean? I will write more on that in the next article. For now, it means we need to take a business approach to GRC and not lead with a technology approach. It means that we should stop thinking that GRC is about one vendor that solves all the business’ problems. It may mean that there is a technology backbone for GRC consolidated to a single vendor, but it most likely means that there will be several vendors that do different parts of GRC well that form a GRC architecture supporting the business, its operations, and its processes.

I look forward to hearing your comments and thoughs on Rethinking GRC . . .

Tracking Change that Impacts Policy

The GRC Pundit BlogPublished onLeave a Comment on Tracking Change that Impacts Policy

In the time it takes you to read this article your business has changed. The economic environment has changed, your employees have changed, and there are constant changes to technology, competition, and processes. Business drifts in a sea of change. One particular area of change that bears down on the organization is the siege of changing laws, regulations, and enforcement actions.

When regulatory change management is an ad hoc process with little to no documentation, accountability, and task management, there is no possibility to be intelligent about regulatory risk that impacts your business. The typical organization does not have adequate processes in place to monitor regulatory change, determine impact on business processes, prioritize, and make changes to policies. Information itself is not enough—organizations are overwhelmed by data through legal and regulatory newsletters, Websites, e-mails, and content aggregators. In fact, the vast amount of information is part of the problem. It is not uncommon to have a myriad of subject matter experts doing ad hoc monitoring of legal and regulatory change and sending e-mails with little or no follow- up, accountability, or impact analysis.

The organization needs a defined regulatory change management process—to assimilate the intake of relevant information, track accountability on who needs to perform what actions, model the potential impact on the organization, establish priorities, and determine if the organization’s policies, procedures, and controls need to be adjusted to address the change. The process must require a joint accountability and collaboration effort between legal, compliance, and the business.

Building a regulatory intelligence strategy requires the implementation of a process model that monitors regulatory change, measures impact on the business, while implementing appropriate policy, training, and control updates.

Regulatory change management processes include the following components . . .

 

This is the second part of a six part series (once a month) on the topic of Effective Policy Management and the Policy Management Lifecycle.  To access the second installment please click on the following link:  Tracking Change that Impacts Policy

There is an associated webinar with this article as well as the rest of the six articles in the series.  You can access the registration for the webinars at the links below:
Archived webinars in the series:
Additionally, I have am the chair the Policy Management Council at OCEG.  OCEG is a non-profit organization with over 30,000 members aimed at helping companies reliably achieving objectives while addressing uncertainty and acting with integrity.  You can see how policy management is critical to this mission.  We already have over 30 large enterprise organizations on the Policy Management Council.  The goal is to develop and maintain the OCEG Policy Management Guide to be the defining framework for managing policies within organizations.  Once the first version is published later this year we will be working on a policy management certification for the role of the internal policy manager within organizations to help establish and define this critical role.  Other projects are to build templates for a style guide, policy documents, and other related items.  The OCEG Policy Management Council is open to internal policy manager roles within organizations with a premium individual OCEG membership.  Professional service firms, technology vendors, and others that offer services and content around policies can join but it requires the organization to be a GRC Solutions Council member of OCEG (please email me if interested in the GRC Solutions Council membership).

I look forward to hearing your comments and thoughs on Tracking Change that Impacts Policy . . .

P.S. – There are some complimentary seats available to my Effective Policy Management Workshop next week in Boston.  These are ONLY available to internal managers of policies within a corporation.  I typically charge $500 for this workshop – but a sponsor, HITEC,  has covered the costs to allow me to offer this for free this time to those who write and manage policies for their organization. Please register.

Effective Policy Management

The GRC Pundit BlogPublished onLeave a Comment on Effective Policy Management
From time to time, to my surprise, I still hear people asking why policies matter. After all, they argue, aren’t the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their own operations and have case-by-case flexibility? Don’t policies create liability when they aren’t followed? Isn’t it just more unnecessary bureaucracy?
 
My answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance culture and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths.
 
The longer answer is a bit more complex. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes— the organization states what it will and will not accept and defines the culture of integrity and compliance it expects.
 
Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct. . . .

This is the start of a six part series (once a month) on the topic of Effective Policy Management and the Policy Management lifecycle.  To access the first installment please click on the following link:  Effective Policy Management

There is an associated webinar with this article as well as the rest of the six articles in the series.  You can access the registration for the webinars at the links below:
Additionally, I have been appointed to chair the Policy Management Council at OCEG.  OCEG is a non-profit organization with over 30,000 members aimed at helping companies reliably achieving objectives while addressing uncertainty and acting with integrity.  You can see how policy management is critical to this mission.  We already have over 30 large enterprise organizations on the Policy Management Council.  The goal is to develop and maintain the OCEG Policy Management Guide to be the defining framework for managing policies within organizations.  Once the first version is published later this year we will be working on a policy management certification for the role of the internal policy manager within organizations to help establish and define this critical role.  Other projects are to build templates for a style guide, policy documents, and other related items.  The OCEG Policy Management Council is open to internal policy manager roles within organizations with a premium individual OCEG membership.  Professional service firms, technology vendors, and others that offer services and content around policies can join but it requires the organization to be a GRC Solutions Council member of OCEG (please email me if interested in the GRC Solutions Council membership).
I look forward to hearing your comments and thoughs on Effective Policy Management . . . 

GRC Flexibility and Efficiency through Mobile Audits and Assessments

The GRC Pundit BlogPublished onLeave a Comment on GRC Flexibility and Efficiency through Mobile Audits and Assessments

The dynamic and global nature of business is challenging organizations to effectively and efficiently implement processes for governance, risk management, and compliance (GRC). As organizations expand operations, processes, locations, and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by conducting GRC audits and assessments (for both risk and compliance) as needed. This means having the ability to conduct regular/periodic assessments; but also be ready to conduct an assessment as business changes and issues arise.

Greater scrutiny of organizational processes, increased regulation, exposure to significant liability, and demand for shareholders to ensure the organization is properly managed has caused the number and variety of GRC related assessments to grow exponentially. Organizations are scrambling to complete risk and compliance audits and assessments across the business and its operations. GRC roles are limited in their resources to complete assessments and need to focus on efficiency as well as effectiveness. When an organization approaches this in a document-centric (e.g., spreadsheets, word processor documents) approach, assessments fails to actively manage risk in a timely and efficient manner. Information is trapped in documents that are out of sync, have no audit trail, and require a significant amount of time to consolidate and report.

It is not just the number and variety of assessments that burden the organization – but also the diversity. Organizations are conducting regular audits and assessments across the business and its relationships, often bringing the assessors/auditors to remote areas of the business and the world.

Success in today’s dynamic business requires organizations to integrate, build, and support GRC processes that are efficient, effective and agile. This requires that organizations engage technologies that deliver on this. Mobile technology has begun to permeate the enterprise – and is now providing benefits to the world of GRC. Organizations are beginning to look towards mobility for GRC processes such as policy communication, training, attestation, issue reporting, investigations, assessments, and audits. The goal is to make GRC processes more efficient, effective, and agile to the needs of the business.

Mobile GRC for audit and assessment purposes gives the organization flexibility in deploying GRC professionals to conduct assessments. A mobile audit and assessment platform allows for low hardware costs and the ease of conducting assessments in diverse environments.

Mobile devices provide for ready and easy access for assessment personnel to enter information, capture audio interviews, and use without having to find a desk or enter information in awkward locations. The auditor/assessor is able to walk through locations, enter information, and capture evidence without having to sit down and boot up a laptop or scribble notes on a paper/document. Simple drop-down lists can be used for accurate, consistent and efficient information capture. Organizations can leverage the hardware capabilities of mobile devices to use integrated cameras to capture evidence of issues, non-compliant situations, or other evidence collected during assessments. Pictures supporting evidence and findings do not have to be manually processed and imported into the system as they can be directly taken through a tablets camera as part of the application. When conducting interviews, a tablet is less intrusive and provides an environment of greater interaction without being hidden behind a laptop.

CAUTION: not all mobile apps are created equal. In fact, many GRC technology providers advertise mobility and what they mean is that their app may work in a mobile web browser. This may not be the right fit for the organization. The interface itself might be difficult to operate in a mobile browser – and it also requires online access. A true native app allows for greater design and control over the interface, the ability to integrate with the hardware such as cameras and microphones to capture evidence and findings, and allows for offline access if designed correctly. Many audits and assessments are being conducted in location where wireless and cellular access cannot be guaranteed – a true mobile app is most often the best fit for an organization.

The growing demand for GRC assessments and audits requires that organizations be agile in how they are conducted. The use of mobile audit and assessment platforms is a particular way to achieve greater levels of assessment agility, effectiveness, and efficiency.

This blog post was sponsored by CMO Compliance, for more information on how CMO Compliance helps organization’s address mobile audits and assessments click on the link below:

Mitigating Risk in the Era of the Corporate Bounty Hunter

The GRC Pundit BlogPublished onLeave a Comment on Mitigating Risk in the Era of the Corporate Bounty Hunter
Business is global, distributed and dynamic. Organizations of all sizes and industries have global client, partner, vendor and supply-chain relationships. Adding to this complexity is the dynamic nature of business — it is ever changing, with a revolving door of employees, partners, technology, processes, and strategies in an environment where risk, economics and regulations are in a constant state of change. The complexity of today’s global, distributed and dynamic business makes regulatory compliance a challenge.
How does an organization validate that it is current with legal, regulatory and other obligations in the face of an ever-changing business environment?

The era of the corporate bounty hunter

Government is increasingly turning to insiders (e.g., employees), incenting them to report wrongdoing and noncompliance. In the U.S., the SEC and DOJ have extended their compliance monitoring into a firm’s activities by enlisting the eyes, ears, and voice of the organization’s employees. The framework for this is established in the Dodd-Frank Act whistleblower provisions, which entice employees to report violations, such as bribery, corruption, fraud, insider trading, and more to the government. Corporate whistleblowers that provide information which leads to a successful SEC enforcement receive 10 to 30 percent of the monetary sanctions over $1 million. In an era of increased scrutiny and judgments for non-compliance, this is a significant concern that keeps executives, the board, legal, and compliance professionals up at night.
 
The organization cannot afford ad hoc approaches to compliance. In the era of the corporate bounty hunter, established processes must be in place to prevent non-compliance from happening. And when it does happen, the ability to demonstrate established compliance and monitoring processes can significantly reduce the penalties imposed upon the organization. The best defense to the era of compliance with the corporate bounty hunter is an active offense. Organizations must be prepared to show they have a strong compliance program in place to mitigate or avoid compliance issues.
 
In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures. Preventive measures must work alongside detective measures to monitor compliance, and the organization must respond quickly and efficiently.

To mitigate risk in the era of the corporate bounty hunter, organizations needs to:

  • Strengthen ethical and compliance culture: This starts with increasing employee comfort to speak up and report issues and incidents.  It is better to have an employee to report internally than have them go to the government bypassing the organization.  HOWEVER, be prepared to respond – officials will throw the book at an organization if evidence is brought forward that an employee did report internally and the organization did nothing about it. To enable a strong ethical and compliance culture requires that the organization has mechanisms in place for employees to report issues, that they are recorded, and responded to.
  • Understand risk: An organization needs to understand the risk and exposure to non-compliance. This includes periodic assessment (e.g., annual) of exposure to unethical and non-compliant conduct. The risk-assessment process should also be dynamic — conducted when there is significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies and new markets).
  • Know who it does business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships. Due-diligence efforts in establishing relationships must make sure the organization contracts with ethical entities. If there is a high degree of risk in a relationship, preventive and detective controls must be established. This means knowing your vendors, partners, suppliers and even your own employees to understand if they are susceptible to corruption and unethical conduct. Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of non-compliance.
  • Established and communicate policies and procedures: Organizations must have documented and up-to-date policies and procedures that address compliance. The code of conduct must filter down to address regulatory requirements and obligations. Requirements and processes must be clearly documented and adhered to.
  • Effective training: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement compliance-training programs to educate employees and business partners. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
Manage business change: The organization must monitor the business environment for changes that introduce risk of non-compliance. The organization must document changes to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that change in business, regulations, and the risk environment be monitored by compliance processes to actively address risk of exposures resulting from change.
Compliance must be an active part of culture and processes to prevent and detect issues before they are reported to government. Compliance processes must be monitored, maintained and nurtured. The challenge is establishing compliance activities that move the organization from an ad hoc reactive mode to one that actively manages, monitors, detects and prevents corruption risk. This requires the organization to implement technology to manage compliance.

This newsletter was sponsored by DoubleCheck Software, for more information on how DoubleCheck helps organization’s address compliance risk in the era of the corporate bounty hunter click on the link below:

GRC Maturity: Measuring a New Paradigm for Risk and Compliance

The GRC Pundit BlogPublished onLeave a Comment on GRC Maturity: Measuring a New Paradigm for Risk and Compliance
Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC through common processes, information and technology gets to the root of the problem.

With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem, organizations need to define a common process, information and technology architecture to manage GRC across the range of issues.
To address these issues, leading organizations have adopted a common framework, information architecture and shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment.
The questions organizations must ask:
  • Does the business have the information to make risk-based decisions about the future of the company, when they don’t have a clear view of the risk landscape?
  • Does the business know its risk exposure at the enterprise, business process and control levels, and how they interrelate?
  • How does the business know it is taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
  • Can the business accurately gauge the impact of risk-taking on business strategy?
  • Does the business get the information it needs so it can take timely action on risk exposure to avoid or mitigate negative events?
  • Does the business monitor key risk indicators across systems, relationships and processes?
  • Is the business optimally measuring and modeling risk?
  • Is the business meeting its regulatory and other obligations?
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition, communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and incidents to business strategy, objectives and corporate performance.
Mature GRC delivers better business outcomes because of stronger integrated information, which will:
  • Lower costs, reduce redundancy and improve efficiencies by rationalizing the information architecture.
  • Deliver consistent and accurate information about the state of risk and compliance initiatives, to assess exposure.
  • Improve decision-making and business performance through increased insight and business intelligence.
Architect integrated GRC systems and processes 
A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer is risk and compliance about an annual audit; it now involves continuous monitoring in an ever-changing environment. GRC has to be sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic influence on the variety of business stakeholder roles and their common requirements.
Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.
Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”  Effective and mature GRC delivers:
  • Holistic awareness of risk: There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise GRC framework.
  • Establishment of culture and policy: Policy must be communicated across the business to establish a risk and compliance culture. Policies are kept current, and reviewed and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives.
  • Risk-intelligent decision-making: This means the business has what it needs to make risk-intelligent business decisions. GRC strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of GRC: Accountability and risk ownership are established features of GRC. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
  • Multidimensional GRC analysis and planning: The organization needs a range of GRC analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — must be working and monitored for progress.
  • Visibility of risk as it relates to performance and strategy: The enterprise views and categorizes risk in the context of corporate objectives, performance and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance and timeliness.

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

To understand what GRC is all about, please see these OCEG videos:

This posting is from my most recent paper – GRC Maturity: From Disorganized to Integrated Risk and Performance.

Inevitability of Failure: Managing GRC in Silos

The GRC Pundit BlogPublished onLeave a Comment on Inevitability of Failure: Managing GRC in Silos
Success in today’s dynamic business environment requires the organization to integrate, build, and support business process with an enterprise view of governance, risk management, and compliance (GRC).  Without an integrated view of risk and compliance, the scattered and non-integrated approaches of the past fail and introduce expose the business to interrelationships of risk and compliance that were not understood.  A mature GRC program is one in which the organization has an integrated process, information, and technology architecture providing visibility across risk and compliance domains. An integrated approach that allows business managers and executives to leverage GRC data for risk-aware decision making and resource allocation.
 
Multifaceted risk environment
Risk to the business is like the hydra in mythology – organizations combat risks to only find more risks springing to threaten them.  So often risk and compliance strategies are like the ‘whack-a-mole’ game at the county fair.  Executives are constantly reacting to risks appearing about them and fail to become proactive in managing and understanding the interrelationships of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants, staffing) their risk profile grows exponentially.  Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes, internal controls) and externally (e.g., competitive, economic, political, legal, and geographic environments) to stay competitive in today’s market. What may seem as an insignificant risk in one area of the organization can have profound impact on other risks.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. In order to manage corporate performance the organizations needs to understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden business. Organizations face expanding regulations, increased fines & sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to the inevitability of failure. Reactive, document centric, and manual processes for GRC fail to proactively manage risk in the context of business strategy and performance and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives, and performance resulting in complexity, redundancy, and failure.  The organization is not thinking how GRC processes and controls can be designed to meet a range of risk and compliance needs.  An ad hoc approach to GRC results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other there is no possibility to be intelligent about risk and understanding its impact on the organization.
A non-integrated approach to GRC impacts business performance and how it is managed and executed, resulting in . . .
  • Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility.  The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements.  This results in multiple initiatives to build independent GRC systems – projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture of risk.  The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats.  The result is poor visibility across the organization and its GRC environment.
  • Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over reliance on spreadsheets, point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business.  Complexity increases inherent risk and results in processes that are not streamlined and managed consistently – introducing more points of failure, gaps, and unacceptable risk. Inconsistency in GRC means inconsistency that not only confuses the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A GRC strategy that is reactive and managed in siloed and manual processes with hundreds to thousands of disconnected documents and spreadsheets handicap the business.  The organization cannot be agile in a demanding, dynamic, and distributed business environment. This exacerbated by documents, point technologies, and siloed processes that are not at the “enterprise” level and lack analytical capabilities. Business becomes bewildered in a maze of varying approaches, processes, and disconnected data that fail to be addressed with any sense of consistency or logic.
  • Greater exposure and vulnerability. No one sees the big picture.  No one is looking at GRC holistically across the enterprise.  The focus is on what is immediately before each department and not seeing the complex relationship and dependencies of risk across the organization. This is exacerbated by many so called GRC solutions that focus on assessment and replacing spreadsheets, but do not deliver on analytics nor align with business applications. All of this ends up in gaps that cripple GRC and a business that is ill equipped for aligning GRC to the business.
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in context of the business. Corporate Integrity finds that organizations that lack a collaborative, integrated, and enterprise approach to GRC have:
  • Inability to gain a clear view of risks and their dependencies
  • High cost of consolidating disparate data silos and documents
  • Difficulty maintaining accurate data
  • Failure to report and trend GRC across assessment/reporting periods
  • Unreliable or irreconcilable risk assessment results because of different formats and approaches
  • Redundancy of risk management and compliance efforts
  • Failure to provide intelligence to support decision-making that crosses risk and compliance areas
  • Inconsistency in approaches to risk/compliance activities
  • Different vocabulary and processes that limit correlation, comparison and integration of information
  • Lack of agility to respond timely to changing environments and situations

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

2012 GRC Technology Innovation Awards

The GRC Pundit BlogPublished onLeave a Comment on 2012 GRC Technology Innovation Awards

GRC technology innovation is alive and well!

As I mentioned in last week’s posting, the GRC market is now 10 years old. It was in February 2002 that I first modeled a market for technology and professional services and labeled it GRC while I was at Forrester Research (at the time GiGa Information Group). It is exciting to see GRC technology continue to evolve to make GRC processes agile, efficient, and effective!

GRC technology has continued to expand and grow. Corporate Integrity’s inaugural GRC Technology Innovation awards illustrate the diversity of technologies that are expanding GRC into new areas where no technology has gone before.

Over the past few months, Corporate Integrity has received dozens of nominations for the awards. Most nominations are worthy of mention — they illustrate how technology is being used and advanced. However, most of the submissions were focused on why a vendor has a stronger feature set and not necessarily on how it is paving new ground for GRC technology.

After combing through dozens of nominations, Corporate Integrity is pleased to announce the following 10 GRC Technology Award recipients. Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and unique solutions delivering innovative technology to organizations.

The 2012 GRC Technology Award recipients are:

  • AlertEnterprise: Enterprise Identity and Access Management Security Convergence Solution. The AlertEnterprise Enterprise Identity and Access Management Security Convergence Solution (EIAM Solution) delivers a next-generation identity and access management (IAM) solution. The solution enhances traditional IAM fulfillment capabilities with built-in identity and access governance. It enables self-service capabilities to automate access requests, enforce policies, ensure compliance, enable delegated administration, and generate roles-based dashboards and reports. AlertEnterprise combines the best of IAM with compliance automation to reduce security risks and eliminate costly violations in both physical and logical access environments.
  • Catelas: People Governance Solution. Catelas is the world’s first solution that focuses exclusively on GRC challenges with a company’s employees and partners, and their collective communications (email, voice, IM, etc.), a.k.a., people governance. The volume of communications has made it challenging for compliance officers to holistically audit or monitor for potential infractions (e.g., insider trading, fraud, corruption, IP theft). Catelas has introduced an innovative approach that enables companies to review, audit and monitor corporate communications. This allows compliance officers to effectively review or monitor the company’s communications network and identify potential irregularities, based on relationships.
  • CMO Compliance: Mobile Audit, Risk and Compliance Software. CMO Compliance provides a suite of offline mobile solutions, including iPad/iPhone/iPod Touch apps, to support audit and compliance processes. The mobility compliance and audit software allows corporations to improve operational efficiencies for GRC. The iPad/iPhone apps allows field data collection, with intuitive interfaces that simplify and streamline compliance management, audits, inspections, assessments and reviews for field personnel, providing the ability to view and submit documents offline, manage actions, and capture and annotate photos for evidence and findings.
  • HiSoftware: Security Sheriff™ SP. HiSoftware Security Sheriff SP makes SharePoint safe for even the most sensitive enterprise data: from personally identifiable information (PII) to protected health information (PHI) to prerelease financials, strategic product information, HR data and more. Security Sheriff SP focuses on content awareness and content governance, so it determines access not by location but by what information it contains. It then applies governance rules to that information depending on who accesses it when and from where. Security Sheriff SP scans information, reports its status to management, classifies the information and then acts upon it, taking the actions necessary to keep it safe.
  • LockPath: Keylight GRC platform. LockPath has implemented the next-generation GRC content architecture that provides a less cumbersome way to achieve the true promise of enterprisewide GRC. The Keylight platform provides real-time, regulatory and risk intelligence with actionable context-aware integration of content. Based on a flexible architecture, Keylight is highly scalable, and provides unprecedented correlation capabilities, delivering integrated risk and regulatory intelligence through a streamlined user experience. LockPath has the broadest content integration capabilities and provides the first complete end-to-end integration and harmonization of the unified compliance framework and shared assessments content libraries with customer-created content.
  • Pneuron: Real-time distributed GRC analytics. Pneuron provides the unique ability to configure and deploy in real time, for any GRC function, component, product, rule, model or analytics from any source (third-party, proprietary or developed) to any system or set of systems without the need for an intermediary database, data mart or common data model. Pneuron enables the creation of new GRC capabilities and direct interaction with existing systems with minimal adjustments. The result — real-time globally deployed analysis, interdiction, workflow integration and enterprise intelligence.
  • QCC Information Security: Blackthorn GRC. Blackthorn GRC enables risk to be presented in a clearer, repeatable and graphical way. Risk is understood and analyzed within Blackthorn through the use of “trees.” In Blackthorn, the approach is to use drag-drop functionality to build risk models using objects (threats, threat agents, exploits and vulnerabilities, impacts, controls, etc.). The models are built underneath each critical business asset. Because risk models are built around assets and represented in trees, it has the ability to aggregate risk totals up the tree, with total risk for the organization viewable from any level. Blackthorn represents risk models so they are fed with data from a range of activities, both proactive (assessments, audits, reviews, etc.) and reactive (incidents, cases, breaches, etc.). This makes the risk results both real-time and more reliable.
  • QUMAS: ComplianceSP. QUMAS ComplianceSP on SharePoint 2010 is an innovative compliance management solution, combining the power of SharePoint 2010 with the proven regulatory domain expertise of QUMAS. Combined with preconfigured solutions for managing documents, processes, people and tasks, ComplianceSP on SharePoint 2010 delivers an innovative solution that can manage a wide range of compliance activities on the latest technologies. QUMAS ComplianceSP is fully Web-based, ensuring anytime/anywhere access to critical compliance activities, all secured by role and permission-based access. It integrates seamlessly and leverages the wider Microsoft environment, including Office, Outlook and Silverlight and other elements of the Microsoft technology stack.
  • SAP: Mobile GRC solutions. SAP is empowering the mobile GRC workforce by delivering more consumable GRC information and processes. This enables users to manage risk and compliance via mobile devices. The SAP GRC Access Approver mobil
    e application facilitates review, time-sensitive approvals and operation-critical access requests for managers, allowing authorized employees to gain access to systems and continue their work in a timely manner. With the SAP GRC Policy Survey mobile application, employees can keep track of the latest policy changes that impact their areas of the organization and complete policy-related surveys and attestations.
  • SAP: Risk Bow-Tie Builder. The SAP risk bow-tie builder allows users to visualize and maintain risks in the recognized “bow-tie” format using simple drag-and-drop capabilities. The scope of each risk as well as the causes and effects can be created, maintained and visualized. The visual representation of risk allows managers and executives throughout the typical enterprise to easily understand risk concepts. It is an effective tool to convey the importance of risk management across the organization to those that lack risk management expertise. It delivers the ability for risk managers to engage and have valuable conversations with managers and executives regarding risk. The risk bow-tie builder is revolutionary as it provides an easy-to-understand summary risk visualization with all the supporting details that management can understand and take action on.

Please share your comments, thoughts, experiences, and reflections on GRC technology innovation.  Go ahead – comment below on others that are doing great things (just avoid the better mouse trap argument – post what is truly innovative and breaking new ground).  Let the recognition of those above be the start of a great thread of conversation on other GRC technology innovations.  I am eager to hear . . .