Tag: Compliance Management

GRC Architecture to Manage Regulatory Change

The GRC Pundit BlogPublished on1 Comment on GRC Architecture to Manage Regulatory Change

This is part 4 on the topic of regulatory change management.  In the previous posts we explored:

In this post I detail the information and technology architecture needed to support an efficient, effective, and agile regulatory change management process. These posts are excerpts from the broader GRC 20/20 Research Paper: Regulatory Change Management: Effectively Managing Regulatory Change

Effectively managing regulatory change is done with a GRC information and technology architecture to improve processes and transform manual document and email-centric processes. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis.

 

Regulatory Change Management Architecture Goals

A GRC information and technology architecture helps the organization to manage regulatory change to:

  • Ensure that ownership and accountability of regulatory change is clearly established and understood.
  • Manage ongoing business impact analysis and scoring.
  • Integrate regulatory intelligence feeds that kick-off workflows and tasks to the right SME when change occurs that impacts the organization.
  • Monitor the internal organization’s environment for business, employee, and process change that could impact the firm’s state of compliance.
  • Identify changes in risk, policy, training, process, and control profiles based on regulatory change assessments.
  • Visualize the impact of a change on the organization’s processes and operations.

The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, and push new developments or alerts into the application and disseminate for review and analysis. It delivers effectiveness and efficiency using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization.

Regulatory Change Management Architecture Considerations

In evaluating regulatory change management solutions that integrate regulatory intelligence feeds and technology, organizations should ask the following three questions:

  1. How adaptable is the regulatory taxonomy?  The regulatory taxonomy provides the backbone of regulatory change management as it maps regulations to other objects such as business processes, assets, subject matter experts, risks, controls, policies and more. Organizations should specifically understand how adaptable the taxonomy/mapping is to fit the organization’s environment, evolve as the business evolves, and how easy it is to adapt the metadata and taxonomy structure.
  2. How rich is the regulatory content? A lot of GRC solutions can handle the workflow and task management of regulatory change management. What really differentiates capabilities is the depth and breadth of the regulatory intelligence content feeds that the solution offers. This includes regulator coverage, geographic coverage, supporting news and analysis, frequency of updates, and actionable content/recommendations.
  3. How strong is the technology? As stated, a lot of solutions can do workflow and tasks management for regulatory change, so the evaluation of the technology itself needs to go deeper in the systems ability to integrate regulatory intelligence feeds, conduct business impact analysis, as well as connect and understand relationships of regulatory impact to policies, processes, and risks. Of particular importance is the user experience.  SMEs across the enterprise may or may not be technical gurus; the overall user experience should be intuitive and natural.
    • Deficient technology involves documents and spreadsheets with email used as a workflow and task management tools. The organization struggles with things getting missed and not having a structured system of accountability.
    • Moderate technology provides a system of accountability with basic workflow and task management, but the integration of regulatory developments/updates is a manual entry system that is time-consuming and taxing on resources.
    • Strong technology for regulatory change management has enterprise content, workflow and task management capabilities with integration to actionable regulatory content.  It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements.

Regulatory Change Management Architecture Capabilities

All of these elements are critical and are why they come together in a GRC architecture or platform for regulatory change management. Some solutions in the GRC space are delivering across these three elements and are being used to gather regulatory information, weed out irrelevant information, and route critical information to SMEs responsible for making a decision on a particular topic. This at a minimum requires workflow and task management capabilities, but in mature systems it provides direct integration with regulatory content aggregators. These aggregators manage regulatory profiles, and provide data about relevant new developments that can be routed to individuals responsible for evaluating specific regulatory subject areas. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process.

Specific capabilities to be evaluated in a GRC solution for regulatory change management, include:

  • Regulatory intelligence content.  At a very basic level, the solution should allow for simple manual entry of new changes and updates so they can be routed to the correct SME for analysis. More advanced solutions provide the interface to content to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
  • Content management. The solution should be able to catalog and version regulations, policies, risks, controls and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria, within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods, and obsolescence rules that can be set for regulations.
  • Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to take review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. The built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations.
  • Business impact analysis. The system needs to provide functionality to identify the impact of changes of regulations on the business environment and its operations and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact, and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed or deactivated, the solution assesses the impact of the change, and sets up the appropriate responsive actions.
  • Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications.
  • Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
  • Audit trail and accountability. It is absolutely necessary that the regulatory change management solution have a full audit trail to see who was assigned a task, what they did, what was noted and if notes were updated, and be able to track what was changed. This enables the organization to provide full accountability and insight into whom, how, and when regulations were reviewed, measure the impact on the organization, and record what actions were recommended or taken.
  • Reporting capabilities. The solution is to provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are and more. Additionally, by linking regulatory requirements to the various other aspects of the platform including risks, policies, controls and more, the reporting should provide an aggregate view of a regulatory requirement across multiple organization units and business processes.
  • Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.

Defining a Regulatory Change Management Process

The GRC Pundit BlogPublished on4 Comments on Defining a Regulatory Change Management Process

This is part 3 on the topic of regulatory change management.  In the previous posts we explored the pressure organizations are under in context of regulatory change, in this post we look at what elements are needed in an efficient, effective, and agile regulatory change management process.

processOrganizations are struggling with regulatory change and seeking to integrate technology with actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and fluctuating risks impacting the organization. The old paradigm of uncoordinated regulatory change management is a disaster given the volume of regulatory information, the pace of change, and the broader operational impact on today’s risk environment.

Elements of a Regulatory Change Management Process

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. This requires a common process to deliver real-time accountability and transparency across regulatory areas with a common system of record to monitor regulatory change, measure impact, and implements appropriate risk, policy, training, and control updates. To achieve this financial services organizations must develop a process for collaboration, accountability, and integration between regulatory intelligence content providers within a GRC information and technology architecture. A well defined regulatory change management processes includes:

  • Regulatory taxonomy and repository. The foundation of regulatory change management is a regulatory taxonomy and repository. The regulatory taxonomy is a hierarchical catalog/index of regulatory areas that impact the organization. Regulations are broken into categories to logically group related areas (e.g., employment and labor, anticorruption, privacy, anti-money laundering (AML), fraud).  Integrated with this taxonomy is a repository of the regulations indexed into the taxonomy. One regulation may have multiple links into the taxonomy at different areas. The taxonomy and repository maps into the following elements:
    • Regulatory bodies (e.g., lawmakers, central banks, government bodies, regulators, self-regulatory organizations (SROs), exchanges, clearers, industry associations, trade bodies)
    • Document types (e.g., laws, regulations, rules, guidance, releases)
    • Sources (e.g., websites, RSS feeds, newsletters, etc.)
    • Attributes needed for classification, filtering, and reporting (e.g., business process, jurisdiction/geography, related regulations, regulator, status of change, relevant dates, consequences)
    • Rules & regulatory events
  • Regulatory roles and responsibilities. Success in regulatory change management requires accountability—making sure the right information gets to the right person that has the knowledge of the regulation and its impact on the organization. This requires the identification of SMEs for each regulatory category defined in the taxonomy. This can be subdivided into SMEs with particular expertise in subcategories or specific jurisdictions, or who perform specific actions as part of a series of changes to address change requirements.
  • Regulatory content feeds. To support the process of regulatory change management, the financial services organization should identify the best sources of intelligence on regulatory developments and changes. Content feeds can come directly from the regulators as well as law firms, consultancies, newsletters, blogs by experts, and content aggregators. The best content includes the regulation itself, summary of the change, impact on typical financial services organizations, and recommendations on response with suggested actions for response. The range of regulatory change content should span new regulations, amended regulations, new legislation, regulatory guidance, news and circulars, comment letters, enforcement actions, feedback statements, and regulator speeches.
  • Standard business impact analysis methodology. To maintain consistency in evaluating regulatory change, financial services organizations should have a standardized impact analysis process that measures impact of the change on the organization to determine if action is needed and prioritize action items and resources. This includes identifying related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may indicate a response to simply note that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.
  • Workflow and task management. The backbone of the regulatory change management process is a system of structured accountability to intake regulatory changes from content feeds and route them to the right subject matter expert for review and analysis. This is extended by getting others involved in review and response and requires some standardized workflow and task management with escalation capabilities when items are past due. The process needs to track accountability on who is assigned what tasks; establish priorities; and determine appropriate course of action.
  • Metrics, dashboarding & reporting. To govern and report on the regulatory change management process the organization needs an ability to monitor metrics and report on the process to determine process adherence, risk/performance indicators, and issues. This should provide the organization a quick view into what regulations have changed, which individuals in the organization are responsible for triage and/or impact analysis, the state of review of change, who is accountable, and overall risk impact on the organization.

Types-of-Metrics-&-Examples

Value and Benefits of a Regulatory Change Process

When organizations develop a regulatory change process they expect to be:

  • Effective. They seek to have a greater understanding of changing regulatory requirements and their impact on the organization. To enable the organization to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing and monitoring the regulatory change. This allows the organization to demonstrate evidence of good compliance practices.
  • Efficient. To allow the organization to optimize human and financial capital resources to consistently address regulatory change and enable sustainable management of resources as the business and regulatory landscape grows.
  • Agile. Competitively enable a dynamic and changing environment as an advantage over competitors that are handicapped by the same change.  This requires the organization to understand how the regulatory environment effects the organization and its strategy and how to adapt quickly and be responsive to new developments before competitors are.

The full paper on this topic in the context of financial services can be found here.

2014 GRC Technology Innovation Award: Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

The GRC Pundit BlogPublished onLeave a Comment on 2014 GRC Technology Innovation Award: Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

The Be Informed GRC-solution is based on the Be Informed business process platform, which is a platform using innovative semantic technology which can be understood as a shared vocabulary of business concepts describing the terminology of products, services, processes, activities, business knowledge and policies. It is fully model-driven, which means that requirements and specifications are expressed in semantic models, which can be directly executed, i.e. without transformation to another (programming) environment. This constraint-based process approach allows for dynamic processes, by which every individual transaction has its own process flow, depending on the data and context of that transaction.

The Be Informed semantic technology enables the dynamic management of regulations and changes in the GRC environment.  This allows organizations to stay current with the ever-continuing stream of new and changing regulations.  Organizations will find that regulatory change alongside business change and risk change becomes easier to manage, control, and traceable. Semantic models determine behavior of the business within rules. With Be Informed, the rules of business are modeled, not coded, in a visual and very comprehensible way for business users. This enables users to easily understand and change business rules, making the Be Informed business process platform an agile solution.

Be Informed through its semantics engine allows organizations to be in full control. In the GRC-space this means being able to handle complexity and change (e.g., regulatory change, business change, risk change), to provide a holistic integrated view of change, to enable transparency, and have complete insight and overview of accountability domains – on both content and process.  This is enhanced by audit trails that demonstrate accountability to customers, employees, shareholders and supervisory authorities.

By using the semantic models, you can define the requirements in an accurate, concise and machine executable format. Semantic models are used to make decisions, to classify what is applicable (and/or needed) and to calculate values. These outcomes are used to determine which controls are applicable, which data is needed to perform activities, how to drive the workflow process and even to determine which components of a report must be generated.

The Be Informed framework consists of three parts. The first part is the Definition part by using semantic models. Here Regulations and Policies are translated into regulatory and risk controls.  Second, once a control is defined it can be executed as a service in any of the core processes of the organization as represented. A transaction can only be completed if all necessary controls have resulted in a positive outcome. And third, Be Informed supports the review and evaluation of the effectiveness of the controls by planning, scheduling and executing of all kinds of assessments with the GRC-Workplace.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: Convercent Delivers Agile Compliance Reporting

The GRC Pundit BlogPublished onLeave a Comment on 2014 GRC Technology Innovation Award: Convercent Delivers Agile Compliance Reporting

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

Convercent Delivers Agile Compliance Reporting

Nearly every business function in today’s organization has benefitted from a transformational shift in how data is used to enable business agility – the ability to deliver meaningful intuitive information at a moment’s notice and enable accessibility across devices from computers, laptops, tablets, and mobile devices. However, compliance has struggled with systems in which information is neither agile nor mobile. The effect is a blurred or inaccurate picture of compliance risk. In today’s business, understanding a true picture of compliance at any point in time is critical. Compliance programs struggle with mountains of data in documents and emails or with expensive and non-intuitive solutions that create challenges to managing compliance effectively. Technology is a limiting factor to many ethics and compliance programs and is manifested in:

  • Increased exposure. Inability to make rapid decisions, and inability to draw historical benchmarks or predictive analysis based on integrated trends
  • Reduced efficiency. Time inefficiency to aggregate information into board/audit/executive reports
  • Increased cost. Utilizing manual processes to do what technology can streamline, centralize and automate.

Convercent is a cloud-based solution that delivers integrated reporting across key compliance functions, including policy management, learning management, hotline and investigations to enable effective compliance risk monitoring and mitigation. This is done through an elegant and intuitive user interface that delivers depth while minimizing technical acumen needed.  With Convercent it becomes easy to rapidly report on issues and understand what trainings and policies an employee has received and attested to at a moment’s notice. The ability to drill down to the individual level allows organizations to track and monitor developing compliance risks, and proactively analyzes and reports on information that highlights compliance efforts.

Convercent provides three layers of reporting and analytics, ranging from at-a-glance dashboards that enable program monitoring to effective oversight at the board level through the ability to use Microsoft Office tools to create a “two-click board report” in real time. Convercent allows for business agility within compliance departments and a reduction in costs associated with manual processes that is supported by three levels of reporting and analytics capabilities:

  • Dashboard Reporting provides the ability to understand performance at a glance. Compliance managers can monitor case management, policy and training health to get a high level overview on how the organization’s ethics and compliance program is performing.
  • Web-Based Reporting provides rapid understanding of issues that are occurring in real time. A variety of prebuilt case management reports are available for the compliance manager to present the information the way it needs it.
  • Convercent Data Services puts powerful and customizable reports at the organization’s fingertips. It provides the ability to collect real time ethics and compliance data in Convercent and immediately transfer it into Microsoft Excel and PowerPoint utilizing open standard oData technology.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’

The GRC Pundit BlogPublished onLeave a Comment on 2014 GRC Technology Innovation Award: ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’

ngCompliance’s innovation is the ability to automate the analysis of regulatory changes against the organizations policies and procedures. The solution is called Sherlock and it makes regulatory change management and mapping elementary and deductive.  Sherlock has a rule-mapping module that allows the organization to create a mapping between applicable laws and regulations on one hand, with the organizations policies, processes and procedures on the other hand. This mapping can be used to demonstrate whether the organization operates in line with regulatory requirements and it can disclose gaps. Whenever there is a regulatory change, it can be used to quickly identify the impact on business areas, policies and procedures and initiate a change management process to timely realign. Amazingly, the system does so cross lingual that allows the organizations to map and analyze policies written in other languages, for example Chinese against regulations written in English.

This automates what has historically been a manual process of cross-referencing policies to regulations within GRC solutions or within documents and spreadsheets to prove to regulators that all policies and procedures are in line with rules and regulations. ngCompliance’s innovation significantly reduces the manual work as initial mapping is generated by their Sherlock system. The mapping should be reviewed by subject matter experts, but it significantly reduces the work of building mappings manually.

Organizations that adopt this innovation, no longer need to allocate this task to a big workforce. This allows for reduced cost and time spent in administrative activities of compliance, regulatory change, and policy maintenance. Once Sherlock creates a mapping, it allows the user to evaluate the mapping and confirm correctness or make adjustments. Any time there is a regulatory change, the system submits to the user an impact analysis on which policies or steps in procedures are impacted. Because the user sees both the policy text as the related legislation or regulation changes, the user can immediately give the appropriate advice on the required changes and start necessary change management workflows.

As the regulatory mapping functionality can also be used to verify norms against contracts, the system can also be used to identify the most high risk contracts and pull those up, in combination with analytics analyzing the risk in third party relationships, it will alert on high risk third parties that need review and facilitate mitigating controls on the relationship (e.g. change management on the contract).

The system reads the regulation and analyzes the text. Based on text-analytics, definitions based on financial and legal terms are extracted from the article and converted into a tree representation. The same is done on paragraphs of policies and steps of procedures. Because they are converted back to a definitions structure it takes into account synonyms and differences in languages. A mapping engine compares the definition trees and builds appropriate connections between legislation/regulation text and policy/procedure text. When employees look at policies they are able to also see the related regulations. The context that is built during analysis of texts is used to make sure the connections match the contexts, e.g. articles applicable to organizations with a banking license are only shown once the process is within the organization of a bank.

Sherlock keeps track of all history that can be used to look back in time and verify alignment of organizational procedures with applicable legislation and regulation. In this way it is easy to demonstrate the level of compliance of the organization at any given moment in the past. Sherlock comes with a unique feature that can create the initial mapping from rules to internal policies and procedures, regardless of the number of jurisdictions it has to take into account or the number of languages it has to deal with. This way Sherlock contributes to a significant decrease of the organizations administrative burden.

The Sherlock solution allows for adding web locations that are used by regulators or other organizations that publish regulatory information, in addition to your normal regulatory feeds. The synchronization functionality ensures that the regulatory information stored in the database is always accurate without the need to maintain this manually. In addition, a historical trail on the regulatory developments is maintained. Any information that is found on the web and seems to be of relevance for Compliance can be included in the legal framework, either by means of the synchronization functionality or the quick-browse-and-add feature of Sherlock. When any regulatory change enters the legal framework in Sherlock, or when the legal framework detects a change from a regulator’s site it is monitoring, the solution will notify this to the user according to specified needs on the dashboard, in the task inbox, by email or compliance wiki. The solution can filter and sort on relevance, and can even distribute to different users based on jurisdiction, language, topic or expertise.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent

The GRC Pundit BlogPublished on1 Comment on 2014 GRC Technology Innovation Award: UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent.

The Unified Compliance Framework has recently received a patent for its applied technology for the structure, process for interpretation, quality assurance, and most particularly the segmentation and mapping of regulations. The UCF has been around for several years; the innovation recognized is their recent patent, process, and schema for segmenting and mapping regulations that will take the UCF well beyond the focus of IT compliance they have been successful with in the past. The solution will be delivered to vendors and corporate customers in the way of a RESTful API, XML tables, and interactive applications.

The Unified Compliance Framework has received the first ever patent for a compliance requirement segmentation and mapping framework. The patent was granted rapidly as the US Patent and Trademark Office stated that there has been nothing like it filed. This means that the UCF is the only GRC framework that has patented SNED values that can instruct GRC solutions as to which records are the Same, New, Edited, and Deprecated by using a single character to manage regulatory and requirement change.  This is supported by an end to end process that reaches from the Authority Document (AD) on one end, through the Authority Document’s Citations, to harmonized Common Controls, and out to Audit/Assessment Questions with supporting evidence. The UCF has a hierarchical structure wherein a parent and sort value can be assigned to any hierarchical record. This allows GRC solutions to plug into the UCF and automatically be able to display a list in original form, replicating legal or even “book” structures of original regulatory/requirement documents. GRC solutions utilizing UCF will be able to automatically discern how to handle audit questions and the necessary “skip logic” used when presenting hierarchical audits. Further, the schema allows for the breaking down of Citations and Common Controls into primary verb-noun pairs to “prove” the mapping of the Citation to the Common Control.

The business functionality is simple: any organization building out a GRC database or GRC solution can leverage the UCF’s patented structure to jump start their GRC strategy. There are already other firms such as Accenture that are now filing derivative work patents on top of the UCF’s patent.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients