Category: The GRC Pundit Blog

Internal Control Management by Design

Audit Management & Analytic Solutions, Internal Control Management & Automation Solutions, The GRC Pundit BlogPublished onLeave a Comment on Internal Control Management by Design

Business is complex. Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, and business data impedes organizations. Keeping complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance (GRC) functions throughout the business. Business is no longer defined by traditional brick-and-mortar walls. Physical buildings and conventional employees no longer define organizations. The organization is an interconnected mesh of relationships and interactions that span business boundaries. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. Distributed business operations complicates the organization as it attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes in risk and regulatory environments around the world.

Managing control activities in disconnected silos leads the organization to inevitable failure. What may seem like an insignificant risk in one part of the organization may very well have a different appearance when other risks are factored. Organizations with siloed and manual processes for control management rely on a range of documents, spreadsheets, and emails that are inefficient, out-of-sync, ineffective, lack agility, and are inadequate to manage internal controls. Reactive, document-centric, and manual processes fail to actively manage controls in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Organizations fail and are encumbered by unnecessary complexity because they manage controls around specific issues, without regard for a common integrated strategy and architecture.

Organizations are tasked to provide an integrated view of internal controls across finance, IT, and business processes and operations. A scope that provides a single internal control management function that coordinates and manages controls across operations and finance. This is what is covered in my Internal Control Management by Design workshops.

At the recent workshops in Washington D.C. and Houston (which were fully booked), the attendees interacted in breakout sessions on the challenges they are facing in internal control management. Their specific issues and challenges are:

  • Providing an integrated strategy and view of financial and operational controls across the organization.
  • Increasing confidence in risk coverage and the complexity of interconnectedness of risk and controls
  • Capturing business changes with updated and changing controls
  • Combining finance and operational control teams and revamping processes
  • Focusing on key controls that could cause the organization to overlook other controls
  • Managing the human element in controls management
  • Expanding regulatory requirements for internal control management such as GDPR, FPCA, PCAOB pressures
  • Addressing a lack of resources while being tasked with more internal control responsibilities across operational controls
  • Keeping controls aligned with business processes and a changing environment
  • Implementing a system/technology to manage ALL controls across the organization
  • Integrating controls into daily workflow particularly when transitions occur with staff and turnover

Controls are critical throughout business strategies, operations, and processes. Internal control management has become a critical foundation for enterprise GRC. The correct controls that are operationally effective are the linchpin to assure that the organization can reliably achieve objectives while addressing uncertainty and acting with integrity (OCEG definition of GRC). As organizations mature their approach to internal control management they are seeing more intersections with risk, compliance, and audit processes which require a more thorough strategy for managing controls in the context of the organization.

Reactive and stovepiped approaches to internal controls management leave the organization not seeing the big picture of how controls interrelate with each other, risks, and compliance obligations. This means the organization wastes resources on managing controls as separate assessments and projects instead of as an integrated whole. Defining strategy, managing operations, and addressing organization change requires agility in internal control management to provide assurance to boards, executives, GRC professionals, as well as the line of business. As business becomes increasingly complex in a changing business and risk environment – that struggles with growing regulations, globalization, and distributed operations – organizations need a blueprint for effective, efficient and agile internal control management. This requires organizations to design internal management into the organization as an integrated part of strategy and operations supported by an integrated internal control information architecture that allows organizations to have a 360° situational awareness of internal controls in context of business strategy and operations.

GRC 20/20’s Internal Control Management by Design workshop provides a blueprint for attendees on effective internal control management strategies in a dynamic business and risk environment. Attendees learn and collaborate/interact on internal control management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Upcoming By Design Workshops include:

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

Policy & Training Management Solutions, The GRC Pundit BlogPublished onUpdated onLeave a Comment on Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

I get a lot of inquiries from organizations looking for policy management platforms. Some for a department focused need (e.g., IT security, health and safety, Human Resources), others for a regulatory need (e.g., GDPR, FCPA), but most for an enterprise policy management strategy spanning the organization as it attempts to gain control of a Wild West of policies in disarray and confusion.

Policy & Training Management platforms mange the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and communication awareness activities. This includes solutions used to train individuals on policy to employees and extended business relationships.  Elements of gamification, eLearning, learning management, document/content management are part of this segment.  Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate and support organization policies.

With over 100 solutions for policy and training management in the market it can be difficult, which is why GRC 20/20 gets engaged for our policy management RFP question library. The most common requirement organizations are looking for is an engaging and intuitive user experience. The growing request, one that comes in every month is on the integration of policy and training management into a single platform and user experience. Every month organizations are stating that their employees go out to Facebook and can watch a YouTube video in Facebook and do not need to bounce out to YouTube. They want to know why their employees cannot watch the training in the policy portal?

This is part of what I call Next Generation Policy & Training Management and is a growing need in the market and one of the most active inquiry areas that I advise organizations looking for solutions on. Other needs are mobility, such as tablet devices that can act as policy and training kiosks for employees that do not have computers. Employee engagement is critical. The ability to plan and calendar a range of policy communication tasks and activities to build campaigns.

These and more are covered in the newly published and reworked on-demand Research Briefing, How to Purchase Policy & Training Management Platforms. This is further supported in the GRC 20/20 written research paper, Policy Management by Design and corresponding workshop.

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

One of the hottest segments of the GRC market is for solutions to manage, maintain, and communicate policies. Organizations are scrambling to get a grip on the identification, approval, management, and awareness of policies amidst a growing environment of legal and compliance exposures to policy mismanagement and growing regulations.

Whether for a department policy portal or to manage the range of policies across the enterprise, policy management solutions are in demand. Historically the demand has been more on the backend management and maintenance of policies. However, recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for the front-end employee portal and engagement on policies, often with integrated training and learning management.

Where there used to be just a few solutions to choose from there are now over eighty with vary capabilities and approaches. They offer varying breadth and depth of capabilities, and certainly no one offers a one size fits all solution. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that is the perfect fit for your organization.

In this Research Briefing GRC 20/20 provides a framework for organizations evaluating or considering policy management solutions.

Agenda

  1. Defining & Understanding Policy Management
    Definition, Drivers, Trends & Best Practices
  2. Critical Capabilities of a Policy Management Platform
    What Differentiates Basic, Common, & Advanced Solutions
  3. Considerations in Selection of a Policy Management Platform
    Decision Framework & Considerations to Keep in Mind
  4. Building a Business Case for Policy Management
    Trajectory of Value in Effectiveness, Efficiency & Agility

[button link=”http://grc2020.com/product/how-to-purchase-policy-training-management-platforms/”]LEARN MORE[/button]

Objectives

The GRC Pundit helps organizations . . .

  • Define and scope the policy & training management market
  • Understand policy & training management drivers, trends, and best practices
  • Relate the components of what makes a policy management platform
  • Identify core features/functionality of basic, common, and advanced policy management platforms
  • Map critical capabilities needed in a policy management platform
  • Predict future directions and capabilities for policy & training management
  • Scope how to purchase policy management platforms in a decision-tree framework
  • Discern considerations to keep in mind as you evaluate policy management solutions

Who Should Attend

This Research Briefing is aimed to assist . . .

  • GRC professionals with the responsibilities to identify, author, review, evaluate, approve, communicate, and maintain policies and related documents and training
  • GRC solution providers offering policy & training management solutions
  • GRC professional service firms advising organizations on policy management
  • GRC content & intelligence providers that provide policy and training content and templates

Instructor

rasmussenMichael Rasmussen – The GRC Pundit @ GRC 20/20 Research, Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.

 

How Technology Enables Enterprise Risk Management

Risk Management Solutions, The GRC Pundit BlogPublished onLeave a Comment on How Technology Enables Enterprise Risk Management

Risk management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. The risk management information architecture supports the process architecture and overall risk management strategy. With processes defined and structured the organization can now define the information architecture needed to support risk management processes. The risk management information architecture involves the structural design, labeling, use, flow, processing, and reporting of risk management information to support risk management processes.

Successful risk management information architecture will be able to integrate information across risk management systems and business systems. This requires a robust and adaptable information architecture that can model the complexity of risk information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages with a range of business systems and external data.

The risk management technology architecture operationalizes the information and process architecture to support the overall risk management strategy. The right technology architecture enables the organization to effectively manage risk and facilitate the ability to document, communicate, report, and monitor the range of risk assessments, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for risk management that connects the fabric of the risk management processes, information, and other technologies together across the organization. Many organizations see risk management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them . . .

[GRC 20/20’s, Michael Rasmussen, is the author of this blog as a guest blogger at the following link]

[button link=”https://goo.gl/eWTTtP”]READ MORE[/button]

How to Purchase Policy & Training Management Platforms

Policy & Training Management Solutions, The GRC Pundit BlogPublished on1 Comment on How to Purchase Policy & Training Management Platforms

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

The haphazard department and document centric approaches for policy and training management of the past compound these issues. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.  The policy and training management strategy and policy is supported and made operational through the policy and training management technology.  The organization requires complete situational and holistic awareness of policies and related training across operations, processes, employees, and third party relationships to see the big picture of policy and training performance and risk. The architecture defines how organizational processes, information, and technology is structured to make policy and training management effective, efficient, and agile across the organization.

Policy and training management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole.  Successful policy and training management requires a robust and adaptable information and technology architecture. Policies and training need to come together in a unified employee experience where policies are displayed along with training. Policy management technology enables and operationalizes the overall policy and training management strategy. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitate the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions. Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes.  This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Dedicated policy and training management platform. This is an implementation of a point solution dedicated to policy and training management.  This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes. These systems often can integrate with other systems to provide broader context of GRC and business intelligence.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. These solutions enable the integration of policy information with other areas of GRC such as case/investigation management (showing violations of policies), issue reporting on potential policy violations, risks which policies govern, obligations such as regulations that mandate policies, and controls which policies authorize. However, these solutions can be more costly to purchase, implement, and manage over dedicated policy solutions.

The right policy and training technology choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real-time business operates in.

A well-conceived technology platform for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility.

Some of the core capabilities organizations should consider in a policy and training management platform will be considered in this weeks live Research Briefing (which will be recorded and available on-demand):

GRC 20/20 has a detailed research piece that goes through why policy management is critical to organizations and their GRC strategies:

This same topic will be explored deeply in an interactive workshop in Houston on May 30th:

GRC Critical Capabilities and Purchasing Considerations

The GRC Pundit BlogPublished onLeave a Comment on GRC Critical Capabilities and Purchasing Considerations

There is a broad array of governance, risk management, and compliance (GRC) related solutions available in the market. In fact, GRC 20/20 has catalogued and mapped over 800 technology solutions and over 300 content/intelligence solutions that organizations use to improve GRC processes in an effort to make them more efficient, effective, and agile. Navigating this array of solutions is not easy and organizations need to understand their needs today as well as into the future to select the right solution(s) that best fit their needs.

Some organizations are looking to solve a specific problem, such as addressing a regulatory requirement like GDPR, US Foreign Corrupt Practices Act, UK Modern Slavery Act, UK Senior Manager’s Regime, SOX, or PCI DSS compliance (just a random sampling as there are thousands of regulations). Others are looking to address a range of requirements and risks within a specific department or domain like environmental, health and safety, IT security, internal control over financial reporting, HR investigations, or business continuity. Then some organizations look to address a specific area consistently across the organization such as enterprise policy management, third party management, or enterprise investigations management. Then there are organizations looking to address a range of domains and GRC requirements across departments in a single or core common technology backbone, this is what we refer to as Enterprise GRC platforms.

There are two things that are consider when looking at GRC related technologies.

  1. GRC is something you do not something you buy. Yes, there is a wide range of GRC related technologies in the market, but at the end of the day GRC is not about technology it is about organization’s actions, decisions, capabilities, and collaboration on GRC. The official definition of GRC as found in OCEG’s GRC Capability Model that I helped contribute to is that GRC is a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Certainly technology can enable this and make it more efficient, effective, and agile – but it is not a silver bullet that accomplishes this magically for the organization. The organization needs a strong culture, established boundaries of controls and policies, and strong processes for GRC to make a technology investment in any GRC related area a success.
  2. There is no one stop shop for all of GRC. Yes, there are GRC platforms that can accomplish a range of capabilities and needs across departments for an organization. However, there is no solution out of the 800+ solutions that does everything GRC. In fact, there are broad solutions that span many areas but they often do not go deep in some areas. Too often I find organizations with failed GRC projects because they try to do everything in one platform and find that in some weak areas of the platform they water things down and lose capabilities they previously had with deeper focused solutions.

Organizations should really be thinking about GRC architecture. There still is a core GRC platform when the organization has the maturity and cross-department collaboration to be successful, but this platform will have constraints. Organizations are best served with understanding these constraints and integrating best of breed solutions when and where they make sense. There are many organizations I interact with and advise that have an Enterprise GRC strategy that have a strong core platform for GRC and operational risk but break off and integrate best of breed solutions that go deeper in areas such as IT GRC/security, third party management, policy management, quality management, or commodity/market risk management. In fact, this past year I interacted with several organizations that all used one GRC solution for enterprise GRC and operational risk management and all three had another solution in place for IT GRC and security that went deeper in that area.

The point is that organizations should define their strategy and understand their processes then select the right GRC technologies that provide the information and technology architecture to enable the strategy and process and not handicap it.

Some other common pitfalls in GRC solution selection to be aware of are . . .

  • RFP beauty contests. I work on a lot of RFPs, and get engaged for my RFP templates and support regularly. I have seen a lot of horrible things happen in RFPs. Good solutions get ignored because some sales person did a half-hearted attempt at answering questions while a problematic solution gets selected because they had great but not always honest answers to RFP questions. Also, some solution providers are brutally honest in their RFP responses to their own demise while other solution providers will say anything to win the deal. My job is often to come in and keep these solution providers honest and raise red flags when I see them.
  • Client references are tricky. Understand that client references that solution providers give are often the decision makers that stand behind there decision to invest thousands to hundreds of thousands of dollars in a GRC solution. They will have rosy and glowing things to say about the solution. You need to ask the hard questions to these references and word them in a way they cannot wiggle out of them. Ask them what they like least about the solution. I also thank them for their time and ask if I could talk to someone on their team that works with the solution every day – one of the GRC worker bees. I often get a completely different perspective on the solution. In one situation the Chief Audit Executive loved the product and  only had great things to say about it, while the auditors I talked to that reported to the CAE hated the solution and it was the bane of their workday.
  • Understand what is actually a feature in the solution. There are solution providers that say yes to everything in RFPs. Some do so because they are shady and will do anything it takes to win deal, others do it because they genuinely believe they have a flexible solution that simply can be tailored to meet any need or requirement. Either way, I have seen implementations that have dragged out for over two years because of all the build out and customization required to meet what the organization purchasing the solution thought already existed in the RFP. I assisted one company in their RFP and against my advice they selected a solution I did not recommend. I told them there is a lot that has to be built out for this and it will take a lot longer than they planned. They came back two years later and told me they wished they would have listened to me as they were just rolling out the initial phase of the solution and were seriously behind timeline and over budget. They now are with a different solution in the market.
  • Ease of use is critical. A solution can have tremendous capabilities but if it is complicated to use, lacks intuitiveness, and users simply ignore it . . . the implementation fails. Many solutions in the market are very dated and have interfaces that look like they are 10 to 15 years old. This makes it hard to engage all levels of the organization on GRC. The number one selection criteria I see in organizations moving from one solution that has failed them to another solution is ease of use and intuitiveness. One enterprise policy management implementation I advised after they had an abysmal failure in their implementation because what could be done in one screen took three of four screens and lacked any sense of user friendliness and intuitiveness.
  • Integration and openness is a key to success. Siloed solutions that do not integrate with other solutions are a dead-end. Organizations needs solutions that have a strong API for integration. One global Fortune 100 company I am advising on third party management needs to be able to integrate their third party management platform with their ERP environment to sync master data records. They tried one solution which failed them on this because of data integrity issues in the syncing (and user experience issues as well), they are now seeing success with a different solution that has strong integration capabilities. This is important across GRC areas. For example, policy management solutions should be able to integrate with HR systems to get new and changed employee records to be able to automate the communication of new policies when employees are on-boarded or change roles in the organization.
  • Mobility matters in GRC. In most situations if a solution does not have a mobility strategy it is best be ignored. I am seeing growing demand for using tablets and smart phones for audits, assessments, investigations & case management, policy management and communication, training and clearing, issue reporting, and more.
  • Cloud is everywhere, but be cautious. Everyone has a cloud solution – but this does not mean all cloud solutions are equal. Some use the term cloud and simply mean a hosted model while others refer to it as a multi-tenet architecture. The scalability and cost parameters can make a difference here. Security is to be critically understood and evaluated as well. I do not like the cloud naysayers that avoid it because they are concerned about security. I have seen many cloud environments that are more secure than the organizations evaluating them. This does not mean they all are secure . . . do your homework and evaluation.
Upcoming live GRC 20/20 live Research Briefings to assist organization in critical capabilities and buying considerations of GRC related solutions are:

I would love to hear your comments and thoughts on GRC related software and strategy. Please post below . . .

  • Have a question about GRC related solutions and strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Looking for GRC related solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over hundreds of requirements for each GRC domain.

Components for Developing an ERM Strategy

The GRC Pundit BlogPublished onLeave a Comment on Components for Developing an ERM Strategy

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to risk management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is also true in risk management. What further complicates this is the exponential effect of risk on the organization.  Business operates in a world of chaos.  Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into risk relationships across the enterprise. Complexity of business and intricacy and interconnectedness of risk data requires that the organization implement a risk management strategy.

Different Approaches Organizations Take in Managing Risk

The primary directive of a mature risk management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of risks in context of organizational performance, objectives, and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks across the extended enterprise.

GRC 20/20 has identified three approaches organizations take to manage risk . . .

[GRC 20/20’s, Michael Rasmussen, is the author of this blog as a guest blogger at the following link]

[button link=”https://www.doublechecksoftware.com/key-components-of-an-erm-strategy/?utm_source=GRC%202020&utm_medium=link%20on%20GRC2020&utm_campaign=ERM%20blog3%20link%20-%20GRC%202020&utm_term=Enterprise%20Risk%20Management&utm_content=ERM%20blog3%20-%20GRC%202020″]READ MORE[/button]

Technology Priorities for Compliance & Ethics

Compliance Management Solutions, The GRC Pundit BlogPublished onUpdated onLeave a Comment on Technology Priorities for Compliance & Ethics

Past compliance processes were bogged down in documents and technology silos, which led to laborious and costly processes to gather information and report on compliance risk. Compliance departments over-relied on spreadsheets, documents, and email that lacked an audit trail, creating a legal disaster since organizations lack a defensible position when it cannot prove compliance with a proper system of record and audit trail. With no auditable system of record, compliance information can also be compromised or tampered with. What may seem like an insignificant risk in one source of information may have a different appearance when other relationships are factored in. Siloed documents and processes create inefficiency, out-of-sync controls, and corporate policies that are inadequate to manage compliance. Organizations are encumbered by unnecessary complexity because they manage compliance within specific issues, without regard for an integrated framework and architecture, wasting time and resources in the process.

Effective compliance requires technology that has a robust system of record that proves a state of compliance and documents any changes made, thus providing a complete audit trail. In order for compliance to be an active and living part of the organization and culture, intelligent organizations are implementing a comprehensive compliance technology architecture.

Value Organizations Needed from Compliance & Ethics Technology

In a recent survey GRC 20/20 did in conjunction with OCEG (Technology Priorities for Compliance & Ethics: Aligning Technology to Changing Requirements), we asked the question, “Which of the following options align MOST with the value you would derive from an integrated ethics and compliance software solution?” The respondents indicated that their five most critical values for a compliance software platform are as follows:

  1. Regulatory Compliance and Defensibility. Ensure your company satisfies regulatory requirements and demonstrates ethical behavior by clearly documenting policy attestations, training completions, and investigations.
  2. Align Corporate Goals with Ethics and Values. Update business processes such as policy attestation, training, procurement, and employee communication to operationalize ethics and values. Analyze helpline issues and campaigns to identify and close gaps.
  3. Manage Your Complete Program with One Platform. One user interface via single-sign on for hotline/case, disclosures, training, policy and third-party risk, and reduced reporting time with pre-built dashboards to visualize and analyze compliance data with HR, procurement and travel data.
  4. Protect Your Brand. Increase employee engagement through helpline responsiveness and surface risks through centrally managed disclosures. Gaining employee trust mean issues are reported internally and not to external media.
  5. Frictionless Employee Engagement. Easy-to-use multi-channel intake methods via hotline (phone), web, text (SMS), proxy, and disclosures allows for accessible ways for employees to report workplace issues ensuring the employee voice is heard.

While all of these values were critical, it was having the robust system of record to defend compliance and the ability to align corporate goals with the ethics and values of the organization that was ranked the most critical.

Broad Capabilities Needed from Compliance & Ethics Technology

Next, we focused on the capabilities organizations desired from technology to automate compliance and ethics processes. The top five capabilities that organizations ranked were:

  1. Compliance Reporting. Standard reporting that shows the number of reported issues by type and region, tracks policy attestations and online training completions, and shows disclosures up for review. The capability to export data for analysis in spreadsheets or business intelligence (BI) software.
  2. Policy Management. Distribute policies and track attestations with the option of targeting specific employee groups based on HR attributes, archiving older policy versions automatically, and quick search and retrieval of attested policies by employee.
  3. Learning Management. Distribute online training courses and track course completions, allow use of any standard training content (in-house or externally sourced) without depending on any one vendor.
  4. Disclosure Management. Distribute conflict of interest and gifts, travel and entertainment disclosure questionnaires for review, approval or conditional approval. Allow employee self-service and disclosure updates, and track all Yes and No answers for proactive risk management.
  5. Helpline and Case Management. Multilingual, global, and 24/7 incident reporting via anonymous phone, text, web, or proxy that allows investigators to manage simple or complex cases with multiple allegations and parties within the same case.

Upcoming Events . . .

Latest Research . . .

What Effective Risk Management Looks Like

The GRC Pundit BlogPublished onUpdated onLeave a Comment on What Effective Risk Management Looks Like
This is Part Two of a four-part blog series on ERM . . .
To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual risk (the tree) as well as the interconnectedness of risk (the forest). Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential relationship and impact in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional with cause, in the non-linear world of business, risk is exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business, the result is often exponential to unpredictable.

Risk management processes are used to manage and monitor the ever-changing risk environments as a part of overall business processes, transactions, and systems. This requires that organizations have a risk management function that brings together risk management and business processes with an integrated risk management information architecture with embedded business intelligence and analytics.

An enterprise risk management program needs a structural design of risk management processes, including their components of inputs, processing, and outputs. This inventories and describes risk management processes, each process’s components and interactions, and how risk management processes work together in context of other enterprise processes.

Effective risk management processes deliver . . .

[GRC 20/20’s, Michael Rasmussen, is the author of this blog as a guest blogger at the following link]

[button link=”https://www.doublechecksoftware.com/what-effective-risk-management-looks-like/”]READ More[/button]

Why Enterprise Risk Management (ERM) is Critical to Modern Business

Risk Management Solutions, The GRC Pundit BlogPublished onUpdated onLeave a Comment on Why Enterprise Risk Management (ERM) is Critical to Modern Business

Organizations take risks all the time but fail to monitor and manage risk effectively for the enterprise. A cavalier approach to risk-taking results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively. Enterprise Risk management, in this context, is an integrated part of everyone’s job and not just for the back office of risk management.

The modern organization is . . .

[GRC 20/20’s, Michael Rasmussen, is the author of this blog as a guest blogger at the following link]

[button link=”https://www.doublechecksoftware.com/why-enterprise-risk-management-erm-is-critical-to-modern-business/”]READ MORE[/button]

Compliance in Dynamic and Distributed Business

Compliance Management Solutions, The GRC Pundit BlogPublished onUpdated on2 Comments on Compliance in Dynamic and Distributed Business

The hot topic for 2018 is certainly compliance. Compliance is more than adherence to laws and regulations, it is about the integrity of the organization to it’s ethics, values, social responsibility, policies, commitments, contracts, and controls. I have been stating for over a decade that the best executive title for a compliance executive is a Chief Integrity Officer, but we already have a CIO in the executive suite. A particular focus right now is on sexual harassment. I am having a lot of conversations on this front with organizations looking to communicate policies and deliver training. While this is critical to compliance, it needs to be lived and breathed by all levels of management as well.

Individual ethics and values also have to align with corporate ethics and values. It was just over a decade a go that I left a former employer. Why? A difference in values on a topic that is so critical today. The organization paraded at a company meeting how they were having a senior executive of an ‘adult entertainment’ company keynote at one of our conferences. Though I am a man, I thought this was a slap in the face to the women that worked in the company and were our clients. I protested and it was the foundational reason I left. Things need to change, and compliance is critical in changing it.

Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with regulatory obligations. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance management boils down to defining – and maintaining – corporate integrity.

Compliance is not easy. The larger the organization the more complex its operations and corresponding compliance obligations are. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees start, others change roles, some leave the organization. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to a corporate compliance and ethics program. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants, and staffing) their compliance risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal compliance risk and external compliance risk. What may seem insignificant in one area can have profound impact on others.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and ethical obligations?

Compliance obligations and ethical risk is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of compliance data. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing requirements as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

The Inevitable Failure of Compliance Silos

Compliance activities managed in silos of technology often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, and siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance processes can provide greater insight into the state of the integrity of the organization. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance information results in these phenomena, each one feeding off the last:

  • Redundant and inefficient processes. Managing compliance in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency, and agility. The organization ends up with a variety of processes, applications, and documents to meet individual compliance mandates. The result: a major drain of time and resources.
  • Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple compliance assessments asking the same questions in different formats. Limited visibility across the compliance risk exposure ensues.
  • Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, more points of failure, and more compliance gaps leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
  • Lack of agility. Reactive compliance strategies managed in information silos handicaps the business. Bewildered by a maze of approaches, processes and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
  • Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide inter-dependencies. This fragmented view creates gaps that cripple compliance management and creates a business ill-equipped for aligning compliance initiatives to business objectives.

Compliance Management: Does Your Organization Walk its Talk?

Increased regulatory and ethical pressures are transforming the traditional role of compliance. Compliance departments are taking on broader responsibility for ethics, compliance, corporate culture, and social responsibility. With greater frequency, they are moving out from under the legal department into a direct reporting relationship to the CEO and/or Board, particularly in highly regulated industries.

Some organizations are differentiating between operational compliance and legal compliance by leaving a function within legal for monitoring and interpreting relevant laws. In some cases, regulators are requiring, and at least encouraging, compliance to report outside of legal so it has greater autonomy to raise and resolve issues. The critical point: enabling compliance to report directly to the Board of Directors. Since 1996 in the US, oversight responsibility to ensure compliance and ethics programs are in place falls squarely on the Board. This was made clear in the United States Sentencing Commission Organizational Guidelines that require Boards be knowledgeable about compliance risk, the content and operation of the compliance and ethics program, and exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program – with specific ability for the compliance function to have direct access to the Board or an appropriate subgroup of the board.[1]

Most companies today at least try to address the legal requirements and compliance obligations bearing down on it. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance is evolving from scattered silos to a strategic enterprise pillar of being the bastion and champion of corporate integrity.

Therefore, we see that compliance is mandated to take on greater relevance as it guides the enterprise beyond traditional concepts of being the compliance “cop.” This requires an integrated role in the organization’s proactive GRC management programs. Ideally, today’s compliance function will possess a solid understanding of the company’s ethical, regulatory, and cultural risks, how they relate to each other, and how they fit into broader enterprise risk strategies. Reliance on well-established processes will provide assurance that ethics and compliance efforts are sufficient and operate as designed.

Today’s business entity must ensure compliance is understood and managed company-wide; that its obligations are more than written policies, but part of the fabric of operations; and that a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure to the organization’s integrity.

Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance, whether its activities are effective, and how they are enhancing shareholder value and providing assurance on the integrity of the organization. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance from the top down. The breadth and depth of compliance bearing down on companies today requires a robust compliance program operating in the context of integrated processes and information.

[1] USSC – http://www.ussc.gov/Guidelines/Organizational_Guidelines/guidelines_chapter_8.htm

Upcoming Events . . .

Latest Research . . .