2015 GRC Innovation Awards: Technical Innovations

The fourth annual GRC Innovation Awards recognize GRC solutions that are revolutionizing the Governance, Risk Management and Compliance (GRC) market. Thirty-three awards are given this year out of 119 applicants across fifteen GRC solution categories. These are broken into two innovation areas:

  1. User Experience Innovation
  2. Technology Innovation (below)

Over the years GRC technology has evolved and changed. The GRC Technology Innovation Awards process for 2015 recognizes this evolution and represents the most competitive pool of nominations to date. GRC 20/20 closely evaluated all of the written nominations and selected recipients to receive this honor. Some of these recognitions go to established solution providers — others go to up-and-comers. Some have mature offerings, others are still being polished — but all are advancing GRC into new areas. The current award recipients show thought leadership that takes GRC in new directions.

These awards are challenging as there is a strong subjective element to them. There are many great technologies nominated that GRC 20/20 desires to recognize but did not quite make the award process. Unlike GRC 20/20’s Value Awards, which are focused on the quantitative value organizations have received from solutions, the innovation awards are based on what really captivates and intrigues GRC 20/20 analyst attention as new possibilities and directions in GRC technology. These awards are not for who has a better solution. They are for who is thinking outside the box and taking GRC in new technology directions, as well as who is delivering better user experiences in GRC.

Below are the 2015 GRC Innovation Award Winners for Technology Innovation. The award winners for User Experience Innovations are found in the post: 2015 GRC Innovation Awards: User Experience Innovations.

2015 GRC Innovation Award Winners for Technology Innovation

GRC cannot be managed in isolation. The decentralized and disconnected distributed systems of the past leave the organization exposed and caught off guard by risk. The complexity of business and the intricacy and interconnectedness of GRC data require an integrated approach to business systems, data, and GRC.

In 1996, Fritjof Capra made an insightful observation on living organisms and ecosystems that rings true when applied to GRC and broader business today:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”
Fritjof Capra, The Web of Life

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of their intricate interrelationships as an integrated whole rather than as a dissociated collection of parts. Change in one segment of the ecosystem has cascading effects on the entire ecosystem. The same is true in business. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of performance, risk, and compliance across the enterprise. What further complicates this is the exponential effect of risk on the business. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which a small event develops into and influences what ends up being a significant event. The concept uses the analogy that the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that ultimately affect the development and path of a hurricane.

Organizations require complete situational and holistic awareness of GRC across operations, processes, relationships, systems, and data to see the big picture of risk and its impact on organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to GRC architecture. GRC fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. GRC also fails when it is thought of as a single platform to manage workflow and tasks. GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business, and it requires a GRC architecture approach.

The 2015 GRC Technology Innovation Award recipients are. . .

Audit Management

ACL GRC Mobile's Scan to PDF: Innovation in Audit Management

The traditional audit workflow to capture evidence involves fieldwork, gathering of paperwork, working a copy machine, using a scanner, and then hours of endless file management. With so many steps to capture audit evidence, an auditor's job begins to look like that of a file clerk. Auditors frequently work in remote areas, with limited access to equipment or a lack of internet connectivity. Additionally, certain types of evidence require the capture of multi-media, beyond the traditional paper documentation. Wouldn’t it be nice if there were a way to give auditors the ability to capture audit evidence as easily as posting to Facebook or Instagram? The ACL GRC mobile app innovates the way auditors capture information quickly by using built-in smartphone multi-media features, including a built-in PDF scanner to capture real-time evidence. Using smartphones or tablets, auditors can capture multi-media evidence and upload it to the cloud-based audit file.

Automated Controls

ACL GRC's ScriptHub: Innovation in Automated Controls Architecture

Auditors and business process owners have long realized the value of data analytics, only to be overwhelmed by the technical complexities of extracting, analyzing, and interpreting data. This is the most challenging obstacle to automated control analytics and implementation. In our tech-savvy day and age, shouldn’t configuring data analytic tests for controls be as simple as building with Lego blocks? ACL’s innovative ScriptHub library, delivered as part of the ACL GRC platform, allows organizations to do just that. ScriptHub is a repository of ready-to-use scripts for risk-based analytics. The library contains numerous powerful code snippets to help automate such tasks as data imports from Concur, SAP, and SAM lists; analytics to look for trends or anomalies; and various utility scripts to help you harmonize address fields, perform keyword searches, calculate distances between zip codes, compute the number of working days between dates, and hundreds of others. Essentially, it provides users with access to pre-written data analysis scripts that can be assembled like Lego blocks into analytic tests.

  • Webinar: How ScriptHub is Revolutionizing Automated Controls
    • 2015-10-26, 1:00 pm - 2:00 pm CDT
    • REGISTER FOR WEBINAR: http://grc2020test.cloudaccess.host/events/how-scripthub-is-revolutionizing-automated-controls/

ControlPanelGRC Dynamic Security with HR Analyzer: Innovation in Automated Controls for Human Resources

The world of automated controls has been largely focused on the financial side of ERP. Very little attention has been given to HR management systems. This is an issue, as HR systems house critical and sensitive data that is governed by privacy laws around the world. The confidentiality, integrity, and availability of HR data is critical to organizations. ControlPanelGRC has demonstrated innovation by automating two critical HR processes that were previously completed manually. Access Controls Suite’s HR Analyzer with Dynamic Security maps critical HR data to security by automatically tracking and removing sensitive access when job changes occur within the organization, and provides reconciliation when tied to certain job changes. In large organizations this process was once executed by several employees; it can now be completely automated by ControlPanelGRC’s Dynamic Security with HR Analyzer.

CSI Tools' Emergency Request: Innovation in Automated Controls for Privacy

Safeguarding human resources data in the context of strict privacy regulations (e.g., Germany, Belgium) is a significant challenge for organizations. This is particularly true when giving emergency access to critical HR systems and their data. CSI Emergency Request provides insight into who saw and/or who manipulated HR employee data. CSI Emergency Request is an ABAP4-based solution consisting of two components. The first component is a solution to manage and control emergency activities in SAP systems. The second component is a new and innovative solution to comply with the strict privacy regulations that are applicable in countries like Germany and Belgium. CSI Emergency Request gives organizations an efficient and effective solution for emergency access while safeguarding HR data access and complying with privacy laws.

Greenlight's Access Violation Management: Innovation in Automated Controls for Access Management/SoD

Automated segregation of duties and access management technologies have been highly successful in automating controls, but to date they have not taken a risk-based approach grounded in the financial impact to the business. Access Violation Management by Greenlight enables organizations to manage user access and segregation of duties through a risk-based evaluation of the financial impact to the organization. This is accomplished through exception-based monitoring of actual access violations, reducing the need for manual controls to mitigate segregation of duties issues and eliminating false positives. When exceptions are identified, the solution tracks investigation and resolution until issues are resolved, in an intuitive user interface designed for business users. The solution brings business context to SoD by quantifying the financial impact of these violations and drives change in access assignments and business processes where the materiality of risk may be too high for an organization to accept.

Business Continuity

Continuity Logic's FrontLine Live: Innovation in Business Continuity Management for Healthcare

Many healthcare organizations rely on an outdated system of "binders" and printed physical documents for business continuity plans. Static continuity plans created in documents are not likely to remain relevant under unpredictable threats and disruptions. Even continuity plans created in a database rarely have mapped "interdependencies" between data elements to manage the ripple effects of an emergency or crisis. Continuity Logic’s Frontline Live solution is showing innovation in offering a healthcare-specific Business Continuity Management Planning (BCMP) and GRC system for Health Plans and Hospitals. The Frontline solution has incorporated controls for HIPAA, HITRUST and compliance with meaningful use to transform both the process and experience of business continuity within hospitals and health systems. Frontline connects people, processes, technology, assets, third party relationships and other "interdependencies" into a single, unified business continuity governance database that is dynamic and helps organizations be agile as disruptive situations unfold.

DOWNLOAD SOLUTION PERSPECTIVE: Continuity Logic Frontline Live for Healthcare: http://grc2020test.cloudaccess.host/research-documents/continuity-logic-frontline-live-for-healthcare/

Compliance Management

UCF Common Controls Hub: Innovation in Regulatory Intelligence for Compliance Management

Change is the single greatest challenge for organizations in the context of governance, risk management, and compliance (GRC). GRC professionals spend significant time and resources researching which regulatory mandates they must follow and struggling to keep up with new requirements. The Unified Compliance Framework’s® (UCF®) Common Controls Hub™ enables organizations to scope, define, and maintain regulatory demands online in minutes to dramatically improve the efficiency, effectiveness, and agility of their GRC program as well as business operations. GRC 20/20 sees this as a compelling offering for compliance management in the context of regulatory change that will advance GRC technology and make organizations more efficient, effective, and agile.

DOWNLOAD SOLUTION PERSPECTIVE: UCF Common Controls Hub: http://grc2020test.cloudaccess.host/research-documents/ucf-common-controls-hub/

  • Webinar: Common Controls Hub Innovations Break New Ground in Regulatory Management
    • ACCESS WEBINAR RECORDING: https://www.unifiedcompliance.com/articles/education-article/webinar-common-controls-hub-innovations-break-new-ground-regulatory-management/

Enterprise GRC

LockPath Keylight Ambassador: Innovation in Enterprise GRC Integration

Organizations need to move beyond the concept of a GRC platform and focus on an integrated view of GRC data and systems through a GRC architecture that is a cohesive part of the broader business fabric of the organization. This is what GRC 20/20 refers to as 360° GRC contextual awareness, where risk and compliance are monitored and understood in the course of business operations, changing risks and regulations, and interactions. Delivery of GRC contextual awareness requires that GRC be a central nervous system that captures signals found in processes, data, and transactions, as well as changing risks and regulations, for interpretation, analysis, and holistic awareness of risk in the context of business. LockPath Keylight Ambassador is a GRC solution that offers a hybrid agent architecture enabling organizations to collect distributed GRC-related data from applications installed across the organization and in the cloud. Keylight Ambassador’s innovation and advancement of GRC technology is its ability to securely and automatically transmit on-premise data from business systems and information security tools to the cloud.

DOWNLOAD SOLUTION PERSPECTIVE: LockPath Keylight Ambassador: http://grc2020test.cloudaccess.host/research-documents/lockpath-keylight-ambassador/

  • Webinar: GRC 20/20 Innovation Award: LockPath Keylight Ambassador
    • 2015-10-14, 12:00 pm - 1:00 pm CDT
    • REGISTER FOR WEBINAR: http://grc2020test.cloudaccess.host/events/grc-2020-innovation-award-lockpath-keylight-ambassador/

MetricStream Mobile Middleware Architecture: Innovation in Enterprise GRC Mobility

Mobility solutions for GRC are growing in demand and have been adopted across industries (e.g., retail, manufacturing, logistics, airlines). They enable a variety of use cases for a distributed GRC workforce and support a variety of GRC field operations and audits. They are used by the front lines of organizations to interact with policies, provide training, and report issues. GRC mobility enables users to complete field work, gather evidence, perform rapid assessments, respond to questionnaires, or record incidents. There are a variety of stand-alone mobile GRC apps connected to GRC platforms to do this. MetricStream is showing innovation in developing a fully integrated multi-device, multi-OS, and real-time mobile technology architecture to enable GRC mobility and take it to new levels. The MetricStream Mobile Middleware Architecture is the enabling layer over the MetricStream GRC platform that provides users with GRC features and functionality on tablets and mobiles across mobile operating systems.

DOWNLOAD SOLUTION PERSPECTIVE: MetricStream Mobile Middleware Architecture: http://grc2020test.cloudaccess.host/research-documents/metricstream-mobile-middleware-architecture/

  • Webinar: 5 Key Capabilities of Next Generation GRC Platforms
    • ACCESS WEBINAR RECORDING: https://metricstream.webex.com/metricstream/lsr.php?RCID=6b3030af156d0a34e71ee87045260133

Quantivate: Innovation in Enterprise GRC Data Architecture

The decentralized and disconnected distributed systems of the past leave the organization exposed and caught off guard by risk. Many legacy, and leading, GRC platforms also fail because they have rigid data structures and take significant time and money to implement. GRC maturity increases with the ability to connect, understand, analyze, and monitor the interrelationships and underlying patterns of GRC information and relationships. Organizations require complete situational and holistic awareness of GRC across operations, processes, relationships, systems, and data to see the big picture of risk and its impact on organizational performance and strategy. The Quantivate platform is different due to a technology they call “Linked Resources”. Quantivate’s Linked Resources allows for a dynamic data model: Quantivate administrators can create relationships whenever and wherever needed within their GRC data architecture and model. This means that GRC is no longer a one-size-fits-all solution, but can be implemented in an organization of any size and grow and evolve over time.

DOWNLOAD SOLUTION PERSPECTIVE: Quantivate: http://grc2020test.cloudaccess.host/research-documents/quantivate/

  • Webinar: Enterprise GRC Architecture: Innovation Through Dynamic Linking of GRC Data Relationships
    • WATCH THE WEBINAR: http://quantivate.com/resources/webinar-enterprise-grc-architecture/

Segmantics Risk Store: Innovation in Enterprise GRC Content Store

The integration of actionable content and intelligence into technology is the core of GRC today and into tomorrow. This involves the delivery of content from knowledge/content providers through GRC technology solutions to rapidly assess changing regulations, risks, and industry and geopolitical events. This integration of actionable content with GRC technology delivers GRC maturity through the achievement of risk and regulatory intelligence. GRC is not just about great technology; it is also about having the right intelligence and content. Segmantics is innovating by providing an intuitive and easy-to-use content store as part of its GRC platform. Segmantics includes risk assessment content, risk frameworks and analysis methods in a Risk Store that is an integrated part of the GRC solution. The Risk Store enables users to select from hundreds of risk assessments, risk standards and best practices from 22 industrial and commercial sectors.

Environmental, Health & Safety

Ideagen's Gael Enlighten: Innovation in EH&S Technology

EH&S solutions are maturing to provide an integrated architecture that is intuitive and easy to use, where EH&S is focused on providing 360° contextual awareness of risk and compliance that is monitored and understood in the course of business operations, changing risks and regulations, and interactions. Delivery of contextual awareness requires an EH&S solution to be a central nervous system that captures signals found in processes, data, and transactions, as well as changing risks and regulations, for interpretation, analysis, and holistic awareness of risk in the context of business. The Gael Enlighten product is focused on providing 360° contextual awareness of EH&S information and processes. A seamlessly integrated and scalable cloud software product, Gael Enlighten makes information available to the users who need it, where they need it, when they need it. Critical information such as a recently changed procedure or an updated risk assessment is available across the application rather than being stuck in a document management or risk management silo. Gael Enlighten provides a next-generation platform for managing EH&S with an interface that is engaging, intuitive, and easy to use.

Internal Control Management

ACL's Interpretive Visual Remediation: Innovation in Internal Control Management Technology

Most business intelligence tools provide users a data visualization view that simply leaves the GRC professional wanting more to understand the context of internal control management. Data visualization is powerful for interpreting data analysis results and locating areas requiring further follow-up. The frustration comes when organizations cannot take action from data visualization and have to perform extra steps to separate records of interest and find a way to assign them to the correct stakeholders for remediation. ACL’s Interpretive Visual Remediation takes data visualization to the next level by making it actionable within the application. Data visualization is combined with automated remediation workflow that can be used to trigger remedial actions directly from the data visualization to address issues in internal controls. ACL GRC's innovation is that it enables users to take action right from the data visualization view. This is helpful in customer environments that rely heavily on data analytics for control monitoring, where users need to streamline their ability to process, visualize, interpret, and remediate data analysis test exceptions.

Issue Reporting & Management

Integrc's Exception Based GRC: Innovation in Issue Reporting & Management

GRC solutions have typically existed in silos, with separate deployments in different departments creating a complex landscape of technology, taxonomy and end-user processes with little integration. As GRC requirements have evolved, solutions have developed that are capable of integration as well as having increased sophistication, including data analytics. Integrc, recently acquired by EY, delivers Exception-Based GRC as part of RouteOne, an innovation that enables a high-performing GRC capability. Exception-based GRC makes GRC easy for users by doing all the hard work in the background. With Exception-based GRC, the user receives intelligent and timely notifications on GRC issues and events with supporting real-time analytics, so they can focus on making key business decisions more quickly. Integrc's model leverages the latest SAP technology and approaches to deliver world-class GRC outcomes whilst minimizing the load on business users.

IT GRC

Rsam Platform Exemption Management: Innovation in IT GRC Technology

Scattered manual processes of IT GRC lead to exemptions and exceptions that go undocumented and expose the organization to significant risk. IT GRC programs need to integrate an array of security and IT operations technology to detect and automate the identification of non-conformance and the process of documenting, approving, and managing exemptions and exceptions. Utilizing Rsam’s capabilities to build out and extend the solution, Sungard worked with Rsam to create a unique and highly automated and centralized exception management process that encompasses input from the following areas: vendor security assessments; application security assessments; site security assessments; audit findings; host vulnerabilities; source code analysis; and, compliance exemption tracking. Rsam enables their clients to extend and integrate a range of technologies to automate exemption and exception management processes. In this context, GRC 20/20 has recognized Rsam with a 2015 GRC Innovation Award for the best technology innovation for IT GRC in 2015.

DOWNLOAD SOLUTION PERSPECTIVE: Rsam Platform Exemption Management: http://grc2020test.cloudaccess.host/research-documents/rsam-platform-exemption-management/

  • Webinar: Trends in IT GRC
    • 2015-11-12, 1:00 pm - 2:00 pm CDT
    • REGISTER FOR WEBINAR: http://grc2020test.cloudaccess.host/events/trends-in-it-grc/

Legal Management

WK ELM Solutions’ LegalView Analytics: Innovation in Legal Management Technology

The legal industry is going through a transformation in how they manage legal processes and utilize technology in that context. Legal departments are now being required to justify budgets, forecast expenditures, and define the value that outside counsel provides. This puts significant pressure to focus on cost controls, efficiency, process, risk avoidance, and other business drivers that have become mainstream in almost every other discipline and department in the organization. Corporate legal departments now require greater insight into their legal spend and legal operations so that they can make informed, data-driven decisions. Wolters Kluwer ELM Solutions LegalView Analytics is showing innovation by enabling legal departments to be strategically managed. The solution integrates and consolidates data from a variety of internal business and legal systems into easy-to-read and customizable LegalView Dashboards that allow legal departments to quickly obtain a full view of their legal costs.

DOWNLOAD SOLUTION PERSPECTIVE: Wolters Kluwer ELM Solutions LegalVIEW® Analytics: http://grc2020test.cloudaccess.host/research-documents/wolters-kluwer-elm-solutions-legalview-analytics/

Policy & Training Management

Compli's Compligo: Innovation in Policy & Training Management

Organizations often use manual compliance processes that are prone to human error and are costly in terms of the time and money spent to maintain them. Compli’s Compligo automates compliance processes so organizations no longer need to rely on email, spreadsheets, documents, or an intranet site to manage and track compliance management activities. While many compliance solutions focus on the experience of compliance management professionals, Compligo is focused on the workforce experience. Compligo streamlines compliance for employees, managers and third parties by providing a one-stop shop for the workforce. For every initiative across the organization, the right person gets the right information at the right time, every time, until the activity is completed. Nothing slips through the cracks, and managers and compliance staff no longer have to nag.

Quality Management

MetricStream's Quality Management Apps: Innovation in Quality Management

Organizations are challenged to address quality audits in the context of varying and dynamic risk and compliance requirements. The more distributed and dynamic the organization, the greater this issue is. In this context, quality audits have often been disconnected from broader enterprise and operational risk management initiatives. MetricStream’s Quality Audit Management has shown innovation in empowering quality audit departments through enhanced risk assessment capabilities. This helps quality auditors prioritize and short-list auditable entities based on risk assessment results, and enables them to focus their efforts only on high-risk entities instead of all entities at once. The solution supports configurable risk assessments for quality audit planning purposes and an audit advisor that helps users define the enterprise quality audit strategy.

Risk Management

MEGA’s Solutions for Model Risk Management: Innovation in Risk Management

Models are used across industries to analyze, predict, and represent performance and outcomes that impact operations and business strategy. By definition, a model is a mathematical approximation of scenarios that is used to analyze and forecast prices, events, risks, relationships, and future outcomes. The expanding use of models in the organization reflects the extent to which models can improve business decisions, but models come with risks when internal errors or misuse result in bad decisions. Organizations need a structured approach to model risk management that addresses model governance, lifecycle, and architecture, to manage models and mitigate the risk they introduce while capitalizing on the significant value of models when properly used. MEGA’s solutions for Model Risk Management allow organizations to gain control of and understand model risk through the ability not only to inventory models but to diagram how they are meant to function. The platform leverages MEGA's enterprise architecture capabilities to capture business and enterprise knowledge (via business models), to capture model logic (modeling the models), and, above all, to put the models in their actual use case and business context.

DOWNLOAD SOLUTION PERSPECTIVE: MEGA’s Solutions for Model Risk Management: http://grc2020test.cloudaccess.host/research-documents/megas-solutions-for-model-risk-management/

Strategy & Performance Management

Thomson Reuters Valuation Navigator: Innovation in Strategy & Performance Management

Financial services organizations require complete situational and holistic awareness of market data and positions across the organization to see the big picture and its impact on pricing, performance and strategy. Most financial services organizations have access to market data that is adequate to support their operations, but they still struggle with market, valuation, and pricing data when it comes to transparency, accessibility, and audit support activities. Thomson Reuters Valuation Navigator collects scattered financial data into a single, searchable repository; supports a building-block approach to modeling; is extensible for complex workflows; and enables shared insight across the entire organization. Its unique approach makes organizations more efficient, effective, and agile in gathering distributed sets of data and presenting them, replacing manual, time-consuming processes built on spreadsheets.

DOWNLOAD SOLUTION PERSPECTIVE: Thomson Reuters Valuation Navigator: http://grc2020test.cloudaccess.host/research-documents/thomson-reuters-valuation-navigator/

Third Party Management

Thomson Reuters World-Check One: Innovation in Third Party Management

The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include customers, suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Thomson Reuters' World-Check One is a compelling offering for managing an integrated third party due diligence process that meets a range of risk and regulatory requirements. Its unique approach helps make organizations more efficient, effective, and agile in managing a range of due diligence concerns in a single integrated portal. World-Check One has a range of innovative features that enable customers to apply a risk-based approach to due diligence and customize screening policies to mitigate risk in an efficient, effective, and agile way. GRC 20/20 finds that World-Check One clients save significant amounts of time and money in staff resources and operating costs while leveraging the benefits of World-Check risk intelligence data backed by extensive global research.

DOWNLOAD SOLUTION PERSPECTIVE: Thomson Reuters World-Check One: http://grc2020test.cloudaccess.host/research-documents/thomson-reuters-world-check-one/


2015 GRC Innovation Awards: User Experience Innovations


Below are the 2015 GRC Innovation Award Winners for Innovation in User Experience. The award winners for Technology Innovation are found in the post: 2015 GRC Innovation Awards: Technical Innovations.

2015 GRC Innovation Award Winners for Innovation in User Experience

It has been stated that (attribution goes to either Einstein or Schumacher):

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction. 

A primary innovation of GRC is to provide GRC solutions that are simple yet get the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The GRC innovation goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

The 2015 GRC Innovation Award recipients for Innovation in User Experience are . . .

Audit Management

Quest CE’s Branch Audit Tool: Innovation in User Experience for Audit Management

Internal Audit departments have been undergoing a significant metamorphosis as they have had to conduct more audits for different purposes. This is particularly true in the context of financial services, where auditors have to go to a branch for an audit that is constantly expanding to encompass more areas of evaluation. Auditors still rely heavily on spreadsheets and documents, while many of the audit solutions available on the market are difficult to use. Quest CE’s Branch Audit Tool helps firms efficiently execute branch audits through a powerful workflow engine that automates the entire audit lifecycle. Users can schedule audits, assign pre-audit/branch audit questionnaires, and track results from one secure platform. Quest CE’s platform is completely mobile compatible, allowing users to access the tool from any internet accessible device. Whether working in the corporate office or a branch location, auditors can document observations as they occur in real time, avoiding the time consuming and error prone process of manual intervention. Featuring a reactive design layout, menu items and audit questionnaires can expand and collapse as needed, allowing tablet users to efficiently utilize screen space.

Business Continuity Management

ContinuityLogic's FrontLine Live: Innovation in User Experience for Business Continuity Management

In today's dynamic, distributed, and complex business environment, business continuity management is necessary for public and private corporations. Most organizations have approached business continuity management in documents, spreadsheets or emails; a mix of homegrown solutions; or narrowly focused and difficult to use business continuity products. Overall the user experience for business continuity has been poor and suffers from out-of-date information and a lack of user adoption, making it difficult for the organization to access a real-time enterprise-wide view of continuity plans and risks. Continuity Logic's FrontLine Live is taking user experience in business continuity platforms to a new level. Specifically, the solution improves risk-reward decision making at all levels of the organization by ensuring the right information is available in the right format, whenever and wherever it is needed. Their interface is intuitive and easy-to-use, with a self-service model that allows users to design their own data capture, workflows, and reporting formats with no programming, all accessible anytime, anywhere, on any device via secure cloud.

[button link="http://grc2020test.cloudaccess.host/research-documents/continuity-logic-frontline-live/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: Continuity Logic Frontline Live[/button]

  • Webinar: Transform Your BCP Program with an Engaging User Experience Design
    • 2015-10-22 , 2:00 pm - 3:00 pm CDT
    • [button link="http://grc2020test.cloudaccess.host/events/transform-your-bcp-program-with-an-engaging-user-experience-design/" color="default"]REGISTER FOR WEBINAR[/button]

Compliance Management

Convercent's Disclosure Manager: Innovation in User Experience for Compliance Management

Though conflicts of interest (COI) can present a major risk area for any company, regardless of size or industry, organizations in high-risk industries especially have a history of COI-driven regulatory actions. Traditionally, disclosure management has been done through ad-hoc forms (whether electronic or paper-based) and basic solutions that allowed for simple form completion and workflow. This approach left compliance teams with imperfect solutions that did not accurately capture the nature of relationships or their effect on organizational risk. Convercent’s Disclosure Manager delivers a unique framework for employees to make conflict of interest disclosures. It is specifically intended to break away from traditional approaches that leave employees feeling like they are reporting wrongdoing, when in fact that is often not the case. Convercent’s Disclosure Manager is designed to encourage open and honest reporting and communication and increase the likelihood that employees will self-report relationships that could potentially present conflicts of interest—or worse, ultimately lead to misconduct. It provides compliance teams with an easy-to-use interface to communicate with disclosing parties, review disclosures and record and communicate decisions and stipulations.

[button link="http://grc2020test.cloudaccess.host/research-documents/convercent-disclosure-manager/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: Convercent Disclosure Manager[/button]

Environmental Health & Safety

Rivo: Innovation in User Experience for EH&S

The environmental, health & safety (EH&S) market is a mature market that has established technology solutions that go back decades. This also means that the EH&S software market often struggles with solutions that are dated, particularly in user experience. Rivo is recognized with a GRC Innovation Award in User Experience for EH&S. GRC 20/20 sees innovation in the intuitiveness and ease of use in reporting incidents and risk events to provide faster visibility for greater risk mitigation and increased safety. Through advanced analytics for trending, Rivo drives intelligent decision making. Rivo is also advancing mobility for EH&S with an offline mobile capability and an intuitive design that allows reporting of incidents and near misses with automatic GPS location; once synced, these trigger notification workflows and immediately pin the location onto maps within the incident application, displaying associated photos, videos, and details on hover.

Enterprise GRC Platforms

Resolver GRC Cloud: Innovation in User Experience for Enterprise GRC

The user experience for GRC has typically been poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality and a lack of centrally coordinated efforts for GRC communications. GRC for the average employee of the organization has been confusing and disconnected from what they do. Too often they see GRC activities as a burdensome task that gets in the way of real work with no real value provided. Resolver’s GRC Cloud delivers an intuitive and engaging user experience that makes organizations more efficient, effective, and agile. Resolver GRC Cloud’s primary innovation and benefit is found in their approach to GRC Programs and Activities. This enables the organization to reduce their documentation, improve navigation through the application, and simplify the end user experience. GRC 20/20 is finding that Resolver GRC Cloud is establishing itself as a next generation GRC platform that is breaking free of the rigidity, complexity, and cost of legacy GRC platforms of the past decade.

[button link="http://grc2020test.cloudaccess.host/research-documents/resolver-grc-cloud/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: Resolver GRC Cloud[/button]

Internal Control Management

Workiva Wdesk: Innovation in User Experience for Internal Control Management

Keeping complexity and change in sync is a significant challenge for boards, executives, and governance, risk management, and compliance (GRC) professionals throughout the business. Complexity of business breeds an element of chaos and uncertainty as the organization manages silos of risk and control in scattered departments that have redundant processes and disconnected information. Relying on spreadsheets, documents, and emails to assess, audit, manage, and monitor internal controls leads to GRC failure. Organizations need GRC solutions for internal control management that actively engage and are usable at all levels of the organization, in addition to supporting the needs of audit, risk and compliance professionals. Workiva Wdesk is a GRC solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in changing, distributed, and dynamic business environments. Their innovation lies in the fact that Workiva has delivered a compelling user experience through a set of common functionality, all within the context of productivity and usability, and has provided users with flexibility in configuring the platform.

[button link="http://grc2020test.cloudaccess.host/research-documents/the-wdesk-platform-by-workiva/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: The Wdesk Platform by Workiva[/button] 

  • Webinar: GRC’s Positive Impact on Internal Control Management
    • 2015-11-03 , 1:00 pm - 2:00 pm CDT
    • [button link="http://grc2020test.cloudaccess.host/events/grcs-positive-impact-on-internal-control-management/" color="default"]REGISTER FOR WEBINAR[/button]

Issue Reporting & Management

Convercent Predictive Analytics: Innovation in User Experience for Issue Reporting & Management

In the past, compliance management was manual and disconnected. Compliance functions spent more time managing the volume of documents than they did actually managing and improving compliance. Currently, most compliance reporting is tied together by documents, file sharing, spreadsheets and manual processes. As a result, compliance professionals spend a disproportionate amount of time collecting data, versus time spent adding strategic value to the business through analyzing and trending the data collected. To truly assess and report on effectiveness, organizations need to provide 360° contextual intelligence and awareness of compliance information. Compliance data needs to become federated into a compliance intelligence and analytics warehouse to overcome the inefficiencies of the manual and document-centric approaches of the past. Convercent’s Predictive Analytics is a GRC solution that organizations are using in distributed and dynamic business environments. GRC 20/20 finds Predictive Analytics to be a compelling compliance data analytics and reporting platform that delivers actionable insight and intelligence into compliance issues and trends, enabling 360° contextual awareness of compliance.

[button link="http://grc2020test.cloudaccess.host/research-documents/convercent-predictive-analytics/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: Convercent Predictive Analytics[/button]

IT GRC

LockPath Bulk Operations: Innovation in User Experience for IT GRC

Information security operations are often encumbered by processes that take extensive time to modify and update. When mass changes need to take place, it is time consuming to go into each record and modify and manipulate data. For example, when vulnerability scanners report findings on assets that are about to be decommissioned, action items for remediation will be a waste of time. Another example is when a business division splits or is dissolved and IT assets and security records need to be reassigned to one division or another. LockPath Bulk Operations is an innovative solution that makes it easy and intuitive for organizations to manage bulk changes to IT GRC data. LockPath clients can now easily identify data that needs some sort of change, whether it’s a change in the value of a single field or multiple fields, the addition of new fields, the removal/deletion of existing fields, or shifting workflow and tasks. This saves organizations hours of work. Because the feature is built into the ad hoc reporting engine, organizations can easily and quickly filter the data sets they want to edit.

[button link="http://grc2020test.cloudaccess.host/research-documents/lockpath-bulk-operations/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: LockPath Bulk Operations[/button]

  • Webinar: GRC 20/20 Innovation Award: LockPath’s Bulk Operations
    • [button link="http://lockpath.com/events/webinar/2015-11-03-keylight-bulk-operations/" color="default"]ACCESS WEBINAR[/button]

Legal Management

WK ELM Solutions Passport: Innovation in User Experience for Legal Management

Corporate legal departments have struggled with the manual and paper-intensive nature of their jobs. Huge inefficiencies existed with little to no visibility into or control over legal costs. To address these pain points, companies began implementing various solutions, including systems for managing matter information and for managing the spend associated with matters. Today, the lack of visibility into all legal and risk-related data has become a critical issue. Organizations need an improved user experience for their corporate legal department staff, more flexibility in the management and configuration of their systems, and fewer legal vendors to manage. WK ELM Solutions Passport consolidates legal and risk-related data onto a single platform, as well as enables clients to integrate with and use existing best-in-class legal applications as a part of an overall solution rather than replicating and competing with existing best-in-class solutions. GRC 20/20 finds that Passport simplifies the way staff work and improves collaboration across internal teams and with external service providers through an intuitive and easy to use interface.

[button link="http://grc2020test.cloudaccess.host/research-documents/wolters-kluwer-elm-solutions-passport/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: WK ELM Solutions Passport[/button]

Policy & Training Management

NAVEX Global’s Agile Code of Conduct: Innovation in User Experience for Policy & Training Management

The user experience for policies has typically been poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality and a lack of centrally coordinated efforts for communications. Organizations are recognizing that effective GRC includes those on the front lines of the business. Compliance and ethics need to communicate the Code of Conduct in a way that delivers an exceptional end-user experience: getting employees involved by providing intuitive interfaces into the Code of Conduct that are interactive, engaging and social. NAVEX Global’s Agile Code of Conduct™ is a GRC solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in dynamic business environments. GRC 20/20 sees this as a compelling offering for engaging employees on the Code of Conduct. Through an integration of web technologies into a unified user experience, the Agile Code of Conduct makes compliance and ethics communications more efficient, effective, and agile.

[button link="http://grc2020test.cloudaccess.host/research-documents/navex-globals-agile-code-of-conduct/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: NAVEX Global’s Agile Code of Conduct[/button]

Risk Management

Sword Active Risk ARM Risk Express: Innovation in User Experience for Risk Management

Risk management can be overwhelming for many and not practical to use. Too often risk management technologies are not adopted across the enterprise because they are complex and overwhelming; they fail to deliver intuitive risk management that all levels of the organization can utilize and gain value from. The Sword Active Risk ARM Risk Express is an innovative new user interface designed specifically for risk owners in the line of business. It is aimed at business and process owners who need a light touch yet fully featured risk management solution to identify and manage risks that could negatively or positively impact their business performance objectives. Risk Express is designed specifically to replace the use of spreadsheets, with a much easier and more intuitive way for business users to manage risk. GRC 20/20 sees that the ARM Risk Express solution has the intuitive interface and user experience needed for enterprise wide adoption in every part of the business by engaging the business leaders themselves in the risk network.

Strategy & Performance

SAP GRC Strategy Selector App: Innovation in User Experience for Strategy & Performance

The primary challenge of the organization is a need to be agile in a distributed, dynamic, and disrupted environment. In the past, GRC focus was on the back office: risk management, finance, security, compliance and audit. GRC needs to move to engage all levels of employees in the organization. GRC needs to deliver an exceptional end-user experience: getting employees involved by providing intuitive interfaces into GRC that are interactive, engaging and social. The SAP GRC Strategy Selector App delivers an intuitive and engaging user experience that engages all levels of the organization in GRC strategy in the form of a mobile app. GRC 20/20 sees the innovation in the SAP GRC Strategy Selector App in its ease of use and intuitiveness to engage all levels of management in understanding risk and strategy through the lens of consequence, likelihood, and acceptance. While other solutions can deliver these capabilities, the innovation is in a mobile app that simplifies this in an intuitive and easy to use format.

[button link="http://grc2020test.cloudaccess.host/research-documents/saps-grc-strategy-selector-app/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: SAP GRC Strategy Selector App[/button] 

Third Party Management

Source Intelligence Network: Innovation in User Experience for Third Party Management

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Organizations need a scalable approach that enables them to manage the ecosystem of supplier and third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization. GRC 20/20 sees the Source Intelligence Network as a compelling offering for managing risk and compliance in organizations with complex and distributed third party relationships. The Source Intelligence innovation is the platform's core capability in cloud-based information sharing and analytics that simplifies supply chain transparency and traceability. GRC 20/20 particularly sees the innovation in user experience as the solution empowers users to manage supply chain risks and leverages the information gathered from others to provide a 360° contextual awareness of third party relationships and the risk to the organization.

[button link="http://grc2020test.cloudaccess.host/research-documents/source-intelligence-network/" color="default"]DOWNLOAD SOLUTION PERSPECTIVE: Source Intelligence Network[/button]

  • Webinar: Innovating Supply Chain Risk Management
    • 2015-10-07, 1:00 pm - 2:00 pm CDT
    • [button link="http://grc2020test.cloudaccess.host/events/innovating-supply-chain-risk-management/" color="default"]REGISTER FOR WEBINAR[/button]

Now Accepting 2015 GRC Innovation Award Nominations


GRC 20/20 is accepting nominations for the 2015 GRC Innovation Awards!

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction. 

A primary directive of innovation is to provide an experience that is simple yet complete. Like Apple with its innovative technologies, GRC solution providers must approach their solutions in a way that re-architects the way they work as well as the way they interact. The goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right context, in the right place, when needed. It’s about bringing interaction and engagement to GRC process and information. GRC solutions should be intuitive.

2015 GRC Innovation Award nominations will be accepted through July 12th (no exceptions, nomination form closes down at midnight CDT on July 12th).

NOTE: the 2015 GRC Value Award process (our other award process) will begin on August 1st. Nominations have to be in before the end of August. Recipients will be determined by end of October with announcements in November.

To establish a proper perspective, please understand what the GRC Innovations Awards are NOT:

  • It is NOT to recognize how one product has a better feature or feature set than a competitor
  • It is NOT to recognize competitive differentiators
  • It is NOT a comparison or endorsement of solutions overall (like a Forrester Wave or Gartner Magic Quadrant)

The GRC Innovation Awards are to recognize innovations in GRC related solutions that are revolutionizing Governance, Risk Management, and Compliance (GRC). GRC Innovation Awards are to recognize solutions that show something truly unique, game changing, revolutionary, and new. If what you are proposing has been in your feature set for more than 12 months, it is not new and fresh.

The 2015 GRC Innovation Awards are considered across 17 categories of GRC functional areas and from two perspectives in each. The two perspectives from which awards can be submitted are:

  • User Interface & Experience. GRC 20/20 is putting specific focus on the fact that GRC solutions do not have to be ugly and cumbersome.
  • Other Innovation. Any innovation that is not tied to user interface & experience.

The seventeen categories for submission are:

  • Audit Solutions
  • Automated / Continuous Control Management
  • Business Continuity Solutions
  • Compliance Management Solutions
  • Enterprise GRC Architecture & Platforms
  • Environmental, Health & Safety Solutions
  • Information & Technology GRC Solutions
  • Internal Control Management Solutions
  • Issue Reporting & Case Management Solutions
  • Legal Management Solutions
  • Physical Security Solutions
  • Policy & Training Solutions
  • Quality Management Solutions
  • Reputation & Responsibility Management Solutions
  • Risk Management Solutions
  • Strategy & Performance Management Solutions
  • Third Party Management Solutions

To be innovative requires that the submission be game changing and completely unique from what the competition is doing. Any submission that is just another “me too,” or “we are better than the rest” type of submission will not cut it and will quickly go to the digital trash bin. We want to recognize vendors that are thinking outside of the box to boldly take GRC where no solution provider has gone before.

Please submit nominations before midnight on July 12, 2015. Nomination forms will be reviewed in July, finalists selected and deeper dives in August, with recipients selected by end of August and announced in early September. Award recipients will be announced to vendors at the end of August so that coordinated announcements/press releases can go out in the beginning of September.

[button link="http://grc2020test.cloudaccess.host/2015-grc-innovation-award-nomination-form/" color="default"]NOMINATION FORM[/button]


2014 GRC Technology Innovation Awards

The third annual GRC Technology Innovation Awards recognize technologies that are revolutionizing the Governance, Risk Management and Compliance (GRC) market. Fifteen technologies were selected out of 62 applicants after being carefully evaluated for their innovation.

Over the years GRC technology has evolved and changed. The GRC Technology Innovation Awards process for 2014 recognizes this evolution and represented the most competitive pool of applicants to date. GRC 20/20 closely evaluated all of the written nominations and selected 15 recipients to receive this honor. Some of these recognitions go to established solution providers; others go to up-and-comers. Some have mature offerings, others are still being polished, but all are advancing GRC into new areas. The current award recipients show thought leadership that takes GRC in new directions.

These awards are challenging as there is a strong subjective element to them. There are many great technologies nominated that GRC 20/20 desires to recognize but did not quite make the award process. Unlike GRC 20/20's Value Awards, which are focused on quantitative value organizations have received from solutions, the innovation awards are based on what really captivates and intrigues GRC 20/20 analyst attention as new possibilities and directions in GRC technology. These awards are not for who has a better solution. They are for who is thinking outside the box and taking GRC in new technology directions.

There are some specific themes to be aware of in the 2014 GRC Technology Innovation Award recipients. These track into trends GRC 20/20 is seeing in the broad GRC market. Some themes to look for when reviewing the recipients are (note, these themes do not apply to every recipient but do show some trends that influenced selection in 2014):

  • GRC Engagement. GRC solutions do not have to be ugly. Organizations are frustrated with interfaces that lack intuitiveness and ease of use and that fail to engage employees at all levels of the organization. Many of the leading GRC solutions in the market look and operate with interfaces that are a decade old; several of the award recipients show that GRC can be engaging and use current trends in interface design and intuitiveness.
  • Regulatory Change Management. Several award recipients were selected for their innovations in managing regulatory change, which has become one of the significant issues bearing down upon organizations. GRC 20/20 has seen the number of regulatory changes more than double in the past five years in some industries, and organizations are strained to a breaking point in trying to manage regulatory change and need new approaches to deliver efficiency, effectiveness, and agility.
  • GRC Analytics & Reporting. Some of the recipients were selected for new directions in data analytics and reporting. The intuitiveness and ease of use alongside visualization capabilities were critical here. The ability to pull in a variety of data sets from both internal and external sources, show relationships, and provide meaningful information and analysis is critical.
  • GRC Cloud. Many of the recipients offer cloud (SaaS) based solutions. GRC 20/20 continues to see the adoption of GRC solutions in the cloud as a predominant trend in the GRC market. Despite security naysayers, some of the most significant and sensitive business information is being managed and stored in the cloud. Some of the greatest innovations in GRC come from cloud-based solutions.


The 2014 GRC Technology Innovation Award recipients are (please follow hyperlinks to see more detail on each recipient):

  • 360factors Empowers Organizations to Stay Current in the Midst of Change.  360factors' innovation is in change management with an elegant and intuitive user interface for mapping GRC. This mapping solution seamlessly maps policies & procedures, permits and their requirements, controls, risks, legislation, regulations, and more. While there are many GRC solutions that allow tagging and mapping of content the innovation by 360factors is the elegance and intuitiveness in their interface.  They simplify a process that in other solutions requires going through multiple screens and drop-down menus.  This is core to GRC that requires an information architecture that maps risks, policies, controls, assessments, training, and more to the underlying requirements that drive them.
  • ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires.  ACL delivers an innovation that combines the concepts of management assurance and audit assurance to structurally shift what is considered “data” in the context of measuring risk and control activities in assurance activities. They have created an intuitive and elegant approach to combine data analytics with surveys and questionnaires to provide stronger assurance and automation. At a tactical level, this innovation revolutionizes the way a GRC professional is able to address problems around control monitoring, compliance violations, and policy violation. At a strategic level, this innovation structurally shifts and aligns “human data” with “systems data”, effectively allowing the GRC analyst to treat populations of people as a data source. The overall solution is not just functional on a new level but brilliant in its intuitiveness and ease of use.
  • ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC.  ACL has brought end-to-end audit management functionality to Apple mobile devices in the form of a native mobile app, used in conjunction with their cloud-based GRC and audit management platform. The ability to leverage a native app (not mobile web or low-fidelity “hybrid” type applications) enables ACL to make full use of the hardware capabilities of Apple mobile devices. There are many GRC mobile solutions on the market – but they offer limited functionality and do not always take full advantage of the native mobile environment. The key innovation is that the app leverages the native iOS SDK to provide the most superior mobile GRC user experience that GRC 20/20 has encountered with deep integration with the device’s hardware capabilities including camera, microphone, GPS, touch gestures, hardware rotation, etc.
  • Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change.  The Be Informed GRC solution uses semantic technology to deliver a shared vocabulary of business concepts describing the terminology of products, services, processes, activities, business knowledge and policies. The Be Informed semantic technology enables the dynamic management of regulations and changes in the GRC environment.  This allows organizations to stay current with the ever-continuing stream of new and changing regulations. In the GRC space this means being able to handle complexity and change (e.g., regulatory change, business change, risk change), to provide a holistic integrated view of change, to enable transparency, and to have complete insight into and an overview of accountability domains, on both content and process.
  • Convercent delivers agile compliance reporting.  Convercent is a cloud-based solution that delivers integrated reporting across key compliance functions, including policy management, learning management, hotline, and investigations, to enable more effective compliance risk monitoring, management and mitigation. This is done through an elegant and intuitive user interface that delivers depth while minimizing the technical acumen needed.  With Convercent, it becomes easy to rapidly report on the effectiveness of compliance efforts and to drill down to track, monitor and remediate developing compliance risks. Convercent delivers layers of reporting and analytics, with the ability to use Microsoft Office tools to create a “two-click board report,” updatable in real time.
  • Corl Mitigates 3rd Party Risk Through Ongoing and Proactive 3rd Party Intelligence.  Third-party breaches and regulations are increasing drastically, but effective third-party security risk management is expensive, time consuming, and resource intensive. As a result, many organizations have programs that do not provide full coverage, or provide a false sense of security.  Corl’s vendorsecurityRM provides organizations with the information they need to effectively focus their vendor due diligence efforts on those vendors who present the most risk.  Data breaches can be costly due to the cost of remediation, regulatory fines, and reputation damage. Corl’s risk-based approach helps organizations focus their vendor security risk management efforts where they will have maximum impact and value.
  • Digital Reasoning provides intelligence on communications, relationships and risks.  Financial institutions are seeking a more complete picture of the people and organizations that pose risks or promise opportunities. Digital Reasoning’s Synthesys 3.8 provides real-time situational awareness for decision makers as it can rapidly examine human communication and uncover relationships and risks that may have been intentionally concealed. Synthesys is a machine-learning platform, which understands human communication (emails, social media, chat, documents, etc.) on a massive scale and identifies and visualizes complex relationships and risk. Specifically, it identifies and aggregates knowledge about people and organizations to make relevant predictions about future behavior of employees, customers or bad actors.
  • ERP Maestro Delivers Automated Security & Access Controls Through the Cloud.  Automated Segregation of Duties and Access Control solutions are known to be exorbitantly expensive and to take a considerable amount of consulting resource and time to implement. ERP Maestro’s Access Analyzer™ solution provides Segregation of Duties and Sensitive Access analytics and reporting over a completely cloud-based architecture. With a cloud-based delivery mechanism for an Access Controls solution, rather than a hosted solution, customers receive the cost benefits of a multi-tenant environment together with the exclusivity and security of a dedicated server. The solution is innovative in that it runs within a deployment that dynamically grows and shrinks with demand (the number of organizations using the system).
  • Integrc’s RouteONE Delivers Significant Efficiencies in GRC Implementation.  The cost and time to implement GRC solutions has been a barrier to many organizations, particularly those integrated with an ERP environment such as SAP. Integrc is an innovative service provider that enables organizations to achieve the rich value of SAP GRC in a radically different way. With Integrc’s RouteONE, many elements of an SAP GRC deployment have been reduced from weeks to minutes. RouteONE is game-changing because it unlocks the potential of integrated SAP GRC, which for many SAP customers was previously out of reach. Now they can dismantle many of their technology, cost and time-related barriers, roll out SAP GRC far more quickly and cost-effectively than before, and focus more effort on business change and end-user adoption.
  • Lexer Enables Organizations to Monitor and Manage Brand & Reputation in Moments of Crisis.  Lexer’s innovation is a solution that integrates and visualizes streams of data to manage reputation and continuity risk across social media and other third-party content providers.  Lexer does this by producing geographic insights that act as the conduit between data sources such as census, socio-economic, transactional, CRM, and customer support data. This unified data set offers businesses a new perspective on reputation and brand risk, since it offers a wealth of detail on data that was previously inaccessible.  Lexer can now create complex personas based on behavioral, social and economic profiles that give businesses a new perspective on the way consumers react, engage and change during brand incidents.
  • MetricStream Offers Capability to Actively Deliver GRC Content from Multiple Sources.  MetricStream’s GRCIntelligence.com is a cloud-based content portal that enables GRC professionals to access and integrate the latest GRC content from a variety of knowledge providers and information sources through a single online content store. GRCIntelligence.com offers a marketplace to source a wide array of content around regulatory updates, risk and control libraries, policy updates, market intelligence and news feeds. The portal is integrated with the MetricStream GRC Platform, providing subscribers with content updates and notifications directly within the MetricStream GRC application.
  • Modulo Enables Intuitive Reporting and Analytics through GRC Intelligence Integration.  Modulo’s innovation is in enhanced reporting and analytics with its GRC Intelligence module.  GRC Intelligence acts as a portal for integrating real-time information from any data source, including IT security, physical security and incident management tools; vendor surveys; social and mobile analytics; and more, in the context of GRC management programs, through the reporting capabilities of Microsoft Business Intelligence tools. Using SharePoint and PowerPoint 2013, GRC Intelligence facilitates sharing by allowing users to access GRC data directly on interactive PowerPoint slides, ensuring the data shown is current.
  • ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive.’  ngCompliance’s innovation is the ability to automate the analysis of regulatory change against the organization’s policies and procedures. Sherlock has a rule-mapping module that allows the organization to create a mapping between applicable laws and regulations on one hand and the organization’s policies, processes and procedures on the other. Whenever there is a regulatory change, the mapping can be used to quickly identify the impact on business areas, policies and procedures and to initiate a change management process to realign them in a timely manner.
  • True Office engages employees through interactive GRC learning experiences.  Driving learning around compliance and risk management is the “last mile” of GRC. After considerable investment is made in managing GRC risks and controls, it is important that an organization’s workforce, the front lines of the business, is able to effectively learn the policy and its impact on the company’s business outcomes. True Office is demonstrating innovation in interactive, gamified training solutions applied to compliance and risk management, professional development and customer proficiency. Because of its ability to bring dry policy to life, engage learners and measure their efficacy through rich, comprehensive analytics, True Office is paving the way for a new era of Policy & Training Management.
  • UCF Demonstrates it is the Science of Compliance Through its Recent Patent to Map Requirements. The Unified Compliance Framework® is the science of compliance; it has recently received a patent for its applied technology for the structure, process for interpretation, quality assurance, and most particularly the segmentation and mapping of regulations. The UCF has been around for several years; the innovation recognized is the recent patent, process, and schema for segmenting and mapping regulations, which will take the UCF well beyond the IT compliance focus it has been successful with in the past. The solution will be delivered to vendors and corporate customers in the form of a RESTful API, XML tables, and interactive applications.
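The ERP Maestro entry above describes Segregation of Duties (SoD) and sensitive-access analytics without showing what such an analysis computes. The following is an added example, written for this page and not ERP Maestro's code: it expands user role assignments into the business functions they grant, reports users who hold conflicting function pairs (with the role that granted each side, so the finding is actionable), reports users holding sensitive functions, and runs the same rules at role level as a preventive check before provisioning. The roles, functions, conflict rules and users are constructed for illustration.

```python
"""Segregation-of-duties (SoD) and sensitive-access analysis over role assignments.

Added example for this page, not ERP Maestro's code. All data below is constructed.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: role -> business functions the role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "HR_ADMIN": {"maintain_employee", "run_payroll"},   # conflicts inside one role
    "BASIS_ADMIN": {"maintain_users", "debug_replace"},  # sensitive access
    "READ_ONLY": {"display_vendor"},
}

# Constructed SoD rules: holding both functions lets one person run a
# fraud-prone process end to end.
SOD_RULES = [
    ("create_vendor", "release_payment"),
    ("enter_invoice", "approve_invoice"),
    ("maintain_employee", "run_payroll"),
]

# Constructed list of functions whose mere possession must be reported.
SENSITIVE_FUNCTIONS = {"debug_replace", "maintain_users"}

# Constructed sample user -> assigned roles.
USER_ROLES = {
    "alice": {"AP_CLERK", "READ_ONLY"},
    "bob": {"AP_CLERK", "AP_MANAGER"},   # conflict arises across two roles
    "carol": {"HR_ADMIN"},               # conflict arises within one role
    "dave": {"BASIS_ADMIN"},             # no SoD conflict, sensitive access only
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Map each function a user effectively holds to the set of roles granting it."""
    granted = defaultdict(set)
    for role in roles:
        for fn in role_functions.get(role, ()):
            granted[fn].add(role)
    return granted


def sod_violations(user_roles=USER_ROLES, rules=SOD_RULES):
    """Detective check: {user: [(fn_a, roles_a, fn_b, roles_b), ...]} per conflicting pair held."""
    findings = {}
    for user, roles in user_roles.items():
        granted = effective_functions(roles)
        hits = [(a, sorted(granted[a]), b, sorted(granted[b]))
                for a, b in rules if a in granted and b in granted]
        if hits:
            findings[user] = hits
    return findings


def sensitive_access(user_roles=USER_ROLES, sensitive=SENSITIVE_FUNCTIONS):
    """{user: sorted sensitive functions held} for users holding any sensitive function."""
    out = {}
    for user, roles in user_roles.items():
        held = sorted(set(effective_functions(roles)) & sensitive)
        if held:
            out[user] = held
    return out


def role_conflicts(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Preventive check at role level.

    Returns (single, pairs): roles that violate a rule on their own, and role
    pairs that violate a rule only when combined (pairs whose conflict is
    already present in one member are not repeated).
    """
    single = {r for r, fns in role_functions.items()
              if any(a in fns and b in fns for a, b in rules)}
    pairs = set()
    for r1, r2 in combinations(sorted(role_functions), 2):
        fns1, fns2, both = role_functions[r1], role_functions[r2], role_functions[r1] | role_functions[r2]
        for a, b in rules:
            alone = (a in fns1 and b in fns1) or (a in fns2 and b in fns2)
            if not alone and a in both and b in both:
                pairs.add((r1, r2))
    return single, pairs


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for fn_a, roles_a, fn_b, roles_b in hits:
            print(f"SoD: {user} holds {fn_a} via {roles_a} and {fn_b} via {roles_b}")
    for user, fns in sensitive_access().items():
        print(f"Sensitive: {user} holds {fns}")
    single, pairs = role_conflicts()
    print(f"Roles conflicting alone: {sorted(single)}; toxic role pairs: {sorted(pairs)}")
```

The role-level view is the one worth wiring into a provisioning workflow: a request that would create a pair in `role_conflicts()` can be blocked or routed for mitigating-control sign-off before the access exists, rather than found in the next quarterly review.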

GRC 20/20 wishes we could recognize more – but we had to put a cap somewhere.  Fifteen seemed like the appropriate number.  There were many great submissions – some more innovative than others.


2014 GRC Technology Innovation Award: 360factors Empowers Organizations to Stay Current in the Midst of Change

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

360factors Empowers Organizations to Stay Current in the Midst of Change.

360factors' innovation is in regulatory change management, with an elegant and intuitive user interface for mapping GRC content. The mapping solution links policies and procedures, permits and their requirements, controls, risks, legislation, regulations, and more. Many GRC solutions allow tagging and mapping of content; the innovation by 360factors is the elegance and intuitiveness of the interface, which simplifies a process that in other solutions requires working through multiple screens and drop-down menus.  This is core to GRC, which needs a complete information architecture that maps risks, policies, controls, assessments, training, and more to the underlying requirements that drive them, down to the site/location and asset level.

A requirement can be a regulation, risk, company objective, internal requirement, or a standard. The organization can simply connect and map policies and procedures, evidence, risk frameworks, risk assessments, and training to the requirement. Further, the solution is configurable: the organization can extend the regulatory matrix with additional items it would like to map. The settings module allows the organization to create training plans and map them to requirements, to add assets and apply the requirements/regulations that apply to those assets, and to structure compliance accordingly. This allows individuals to view only the compliance tasks and issues for the site, geo-location, or assets they represent.

Policies are mapped and appear in the requirements knowledge base and can be viewed as you pull up each requirement. The mapping of policies and procedures allows individuals to view which and how many policies get impacted in the event a requirement (standards or regulations) changes. This simplifies the task of regulatory change and policy management for a compliance officer within the organization.

Organizations often have multiple locations with an onshore presence in various countries, multiple sites with different types of assets, and multiple functions that are subject to regulatory compliance across multiple jurisdictions, all bearing down on the organization and presenting a daunting compliance burden. 360factors' applicability feature automates this complex process of managing and demonstrating compliance across a variety of jurisdictional regulatory requirements.  The mapping technology allows organizations to anticipate risks and issues. They have architected their mapping technology in such an intuitive and user-friendly way that the organization can pull reports and dashboards showing how a change in each requirement can impact risks, compliance, controls, sites and assets. This mapping and applicability feature creates a compliance matrix that enables organizations to manage complex regulatory, business and standards requirements while providing visibility and control over the management of change.
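The 360factors description above (requirements mapped to policies, controls, training, sites and assets, with an applicability matrix per jurisdiction) and the ngCompliance Sherlock entry in the 2015 list (regulatory change mapped to impacted policies and procedures) both rest on the same mechanism: a directed mapping graph over which change impact is computed. The following is an added example, not code from either vendor: it builds that graph from constructed edges, walks it downstream to list everything a changed requirement touches (grouped by artifact type), walks it upstream for traceability from an asset back to the requirements that drive it, flags requirements with no mapped control, and gates asset impact on jurisdictional applicability. The node names, the `REQ:`/`POL:`/`CTL:`/`PRC:`/`ASSET:`/`TRN:` prefixes, the `@Site` suffix convention and the jurisdiction table are all constructed for illustration.

```python
"""Requirement-to-artifact mapping graph with change-impact and applicability analysis.

Added example for this page, not 360factors' or ngCompliance's code. All data is constructed.
"""
from collections import defaultdict, deque

# Constructed mapping edges: source "drives" target. Requirements drive policies
# and controls; policies drive procedures and controls; controls apply to assets.
EDGES = [
    ("REQ:PCI-DSS-8.3", "POL:Access-Control"),
    ("REQ:PCI-DSS-8.3", "CTL:MFA-Remote-Access"),
    ("REQ:HIPAA-164.312(a)", "POL:Access-Control"),
    ("REQ:HIPAA-164.312(a)", "POL:Audit-Logging"),
    ("POL:Access-Control", "PRC:Joiner-Mover-Leaver"),
    ("POL:Access-Control", "CTL:Quarterly-Access-Review"),
    ("POL:Audit-Logging", "CTL:Central-Log-Retention"),
    ("CTL:MFA-Remote-Access", "ASSET:VPN-Gateway@Dallas"),
    ("CTL:Quarterly-Access-Review", "ASSET:ERP@Dallas"),
    ("CTL:Central-Log-Retention", "ASSET:SIEM@Frankfurt"),
    ("PRC:Joiner-Mover-Leaver", "TRN:Access-Request-Training"),
]

# Constructed requirement register; REQ:SOX-404 is registered but never mapped.
REQUIREMENTS = {"REQ:PCI-DSS-8.3", "REQ:HIPAA-164.312(a)", "REQ:SOX-404"}

# Constructed applicability matrix: requirement -> jurisdictions where it applies.
APPLICABILITY = {
    "REQ:PCI-DSS-8.3": {"US", "DE"},
    "REQ:HIPAA-164.312(a)": {"US"},
    "REQ:SOX-404": {"US"},
}
SITE_JURISDICTION = {"Dallas": "US", "Frankfurt": "DE"}


def build_graph(edges=EDGES):
    """Forward (driver -> driven) and reverse adjacency sets."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def _reachable(start, adj):
    """All nodes reachable from start (excluding start) by breadth-first search."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def kind(node):
    """Artifact type from the constructed 'TYPE:name' naming convention."""
    return node.split(":", 1)[0]


def impact_of_change(requirement, edges=EDGES):
    """Everything downstream of a changed requirement, grouped by artifact type."""
    fwd, _ = build_graph(edges)
    grouped = defaultdict(set)
    for node in _reachable(requirement, fwd):
        grouped[kind(node)].add(node)
    return dict(grouped)


def requirements_for(node, edges=EDGES):
    """Traceability: the requirements that (transitively) drive a given artifact."""
    _, rev = build_graph(edges)
    return {n for n in _reachable(node, rev) if kind(n) == "REQ"}


def coverage_gaps(requirements=REQUIREMENTS, edges=EDGES):
    """Registered requirements with no control anywhere downstream."""
    fwd, _ = build_graph(edges)
    return {r for r in requirements
            if not any(kind(n) == "CTL" for n in _reachable(r, fwd))}


def impacted_assets_at(requirement, site, edges=EDGES):
    """Assets at a site affected by a requirement change, only if the requirement applies there."""
    if SITE_JURISDICTION[site] not in APPLICABILITY.get(requirement, set()):
        return set()
    assets = impact_of_change(requirement, edges).get("ASSET", set())
    return {a for a in assets if a.endswith("@" + site)}


if __name__ == "__main__":
    for typ, nodes in sorted(impact_of_change("REQ:PCI-DSS-8.3").items()):
        print(f"PCI DSS 8.3 change touches {typ}: {sorted(nodes)}")
    print("ERP@Dallas is driven by", sorted(requirements_for("ASSET:ERP@Dallas")))
    print("Unmapped requirements:", sorted(coverage_gaps()))
    print("HIPAA change, Frankfurt assets:", impacted_assets_at("REQ:HIPAA-164.312(a)", "Frankfurt"))
```

The applicability gate matters in practice: `CTL:Central-Log-Retention` sits downstream of the HIPAA requirement and applies to a Frankfurt asset, but a HIPAA change produces no Frankfurt work item because the requirement does not apply in that jurisdiction. Without the gate, a change notification fans out to every site and the compliance team learns to ignore it.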

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients


2014 GRC Technology Innovation Award: ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires

ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires

In November 2013, ACL delivered an innovation that combines the concepts of management assurance and audit assurance to structurally shift what is considered “data” in the context of measuring risk and control activities in assurance activities. They have created an intuitive and elegant approach to combine data analytics with surveys and questionnaires to provide stronger assurance and automation.

At a tactical level, this innovation revolutionizes the way a GRC professional is able to address problems around control monitoring, compliance violations, and policy violation. It meaningfully blends the capabilities of data analytics with surveying to provide the analyst with a simple, integrated toolkit for monitoring and remediation.

At a strategic level, this innovation structurally shifts and aligns “human data” with “systems data”, effectively allowing the GRC analyst to treat populations of people as a data source. With the ability to seamlessly blend “human data” with “systems data”, a new world of analysis is possible to identify red flags, as well as serve as the basis for rich visualization of blended data.

Prior to this innovation, control monitoring and other data analytics were loosely integrated into broader GRC risk and control platforms and GRC architecture. Results of analytics were often simply attached as files to serve as control evidence. The new approach integrates analytics into a unified GRC architecture so that GRC evaluations, assessments, and decisions can be made in real time using the most up-to-date information available in the organization. Introducing the surveying/questionnaire piece allows ACL users to feed the same control monitoring engine with survey data (“human data”) and drive the same remediation actions as could be driven from transactional data.

The core functionality of the technology is to take the results of control monitoring analytics and bring them into a centralized, easy-to-use web environment where they are integrated into the overall GRC information and process architecture. It provides an intuitive questionnaire builder, and questionnaires are triggered automatically when a “trigger” condition defined on data analysis criteria is met. It blends data analysis records with the questionnaire results into a consolidated dataset that the organization may use to drive remediation, act as control evidence, or provide executive reporting.

The key technical functionality is the “Big Data” engine that lies at the heart of the ACL GRC Results Manager module. This data engine uses a data store that is capable of storing unstructured and arbitrary data. This is critical for several reasons: 1) organizations need to analyze different types of data, and a traditional database system cannot effectively ingest the “arbitrary” data needed for analysis; 2) these organizations need to be able to “blend” a transaction record with a survey response on the fly without traditional database table joins; and 3) the engine must operate at cloud scale to deliver the fastest performance and response times. Layered on top of the big data engine is ACL GRC’s development stack and intuitive user interface, built in HTML5, CSS3, and high-performance JavaScript. The overall solution is not just functional on a new level but brilliant in its intuitiveness and ease of use.


2014 GRC Technology Innovation Award: ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC

ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC

ACL has brought end-to-end audit management functionality to Apple mobile devices in the form of a native mobile app, used in conjunction with their cloud-based GRC and audit management platform. The ability to leverage a native app (not mobile web or low-fidelity “hybrid” type applications) enables ACL to make full use of the hardware capabilities of Apple mobile devices including:

  • User Interface.  Touch, gestures, responsiveness, hardware rotation, etc.
  • Multimedia evidence capture. Create and attach photos, videos, sound recordings, geo-location, etc. from within an audit procedure, control walkthrough, control test, etc.
  • Scan to PDF. Use the app to “scan” hard copy documents directly into the system without leaving a given audit step or control test by taking a picture of the document. The app’s PDF generation engine will automatically convert to a document-quality PDF.
  • Cloud connected. Built to enable connectivity and integration to their native multi-tenant software as a service ACL GRC platform so that none of the typical connectivity challenges to on premise server infrastructures impede easy access and use.

This is the first GRC mobile app to bring the full power of design, delivered through powerful and capable devices, to the problem of audit management. GRC 20/20 sees a major shift beginning to occur in which documents, spreadsheets, and paper binders are being replaced by multimedia including audio, video, photo, data visualization, geo-location, etc.

There are many GRC mobile solutions on the market – but they offer limited functionality and do not always take full advantage of the native mobile environment. ACL has now fully engaged the capability of the device to leverage multimedia capabilities of the devices as well as redesigned the application from the ground-up to take advantage of the incredible power available in the iOS SDK. The platform was expanded to enable complete enterprise risk assessment and reporting in a fully touch interactive environment.

Historically, after fieldwork finished there would be an additional two weeks of work compiling notes, transcribing, and documenting after leaving the field, then another two weeks of report writing and revisions. By progressively leveraging ACL GRC for iOS and its multimedia capability, auditors can potentially walk out of the field completely done and documented, with multimedia backing up a clean, engaging audit report. Users can create and capture both interactive media and structured data to accomplish existing audit goals without countless hours of tedious document preparation that ends with all of their data forever “trapped” in documents.

The key innovation is that the app leverages the native iOS SDK to provide the best mobile GRC user experience that GRC 20/20 has encountered, with deep integration of the device’s hardware capabilities including camera, microphone, GPS, touch gestures, hardware rotation, etc. This provides a faster, better-looking, and more tightly integrated experience for the user than a mobile web app or a wrapper around a web page that pretends to be an app.


2014 GRC Technology Innovation Award: Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

The Be Informed GRC solution is based on the Be Informed business process platform, which uses semantic technology: a shared vocabulary of business concepts describing the terminology of products, services, processes, activities, business knowledge and policies. It is fully model-driven, which means that requirements and specifications are expressed in semantic models that can be executed directly, i.e. without transformation into another (programming) environment. This constraint-based process approach allows for dynamic processes, in which every individual transaction has its own process flow depending on the data and context of that transaction.

The Be Informed semantic technology enables the dynamic management of regulations and changes in the GRC environment.  This allows organizations to stay current with the ever-continuing stream of new and changing regulations.  Organizations will find that regulatory change, alongside business change and risk change, becomes easier to manage, control, and trace. Semantic models determine the behavior of the business within rules. With Be Informed, the rules of business are modeled, not coded, in a visual and very comprehensible way for business users. This enables users to easily understand and change business rules, making the Be Informed business process platform an agile solution.

Be Informed through its semantics engine allows organizations to be in full control. In the GRC-space this means being able to handle complexity and change (e.g., regulatory change, business change, risk change), to provide a holistic integrated view of change, to enable transparency, and have complete insight and overview of accountability domains – on both content and process.  This is enhanced by audit trails that demonstrate accountability to customers, employees, shareholders and supervisory authorities.

By using the semantic models, you can define the requirements in an accurate, concise and machine executable format. Semantic models are used to make decisions, to classify what is applicable (and/or needed) and to calculate values. These outcomes are used to determine which controls are applicable, which data is needed to perform activities, how to drive the workflow process and even to determine which components of a report must be generated.

The Be Informed framework consists of three parts. The first is the definition part, using semantic models: here regulations and policies are translated into regulatory and risk controls.  Second, once a control is defined it can be executed as a service in any of the organization’s core processes; a transaction can only be completed if all necessary controls have produced a positive outcome. Third, Be Informed supports the review and evaluation of the effectiveness of the controls by planning, scheduling and executing all kinds of assessments with the GRC-Workplace.


2014 GRC Technology Innovation Award: Convercent Delivers Agile Compliance Reporting

Convercent Delivers Agile Compliance Reporting

Nearly every business function in today’s organization has benefitted from a transformational shift in how data is used to enable business agility – the ability to deliver meaningful intuitive information at a moment’s notice and enable accessibility across devices from computers, laptops, tablets, and mobile devices. However, compliance has struggled with systems in which information is neither agile nor mobile. The effect is a blurred or inaccurate picture of compliance risk. In today’s business, understanding a true picture of compliance at any point in time is critical. Compliance programs struggle with mountains of data in documents and emails or with expensive and non-intuitive solutions that create challenges to managing compliance effectively. Technology is a limiting factor to many ethics and compliance programs and is manifested in:

  • Increased exposure. Inability to make rapid decisions, and inability to draw historical benchmarks or predictive analysis based on integrated trends
  • Reduced efficiency. Time inefficiency to aggregate information into board/audit/executive reports
  • Increased cost. Utilizing manual processes to do what technology can streamline, centralize and automate.

Convercent is a cloud-based solution that delivers integrated reporting across key compliance functions, including policy management, learning management, hotline and investigations, to enable effective compliance risk monitoring and mitigation. This is done through an elegant and intuitive user interface that delivers depth while minimizing the technical acumen needed.  With Convercent it becomes easy to rapidly report on issues and to understand what training and policies an employee has received and attested to at a moment’s notice. The ability to drill down to the individual level allows organizations to track and monitor developing compliance risks, and to proactively analyze and report on information that highlights compliance efforts.

Convercent provides three layers of reporting and analytics, ranging from at-a-glance dashboards that enable program monitoring to board-level oversight through the ability to use Microsoft Office tools to create a “two-click board report” in real time. This supports business agility within compliance departments and a reduction in the costs associated with manual processes:

  • Dashboard Reporting provides the ability to understand performance at a glance. Compliance managers can monitor case management, policy and training health to get a high level overview on how the organization’s ethics and compliance program is performing.
  • Web-Based Reporting provides rapid understanding of issues that are occurring in real time. A variety of prebuilt case management reports are available for the compliance manager to present the information the way it needs it.
  • Convercent Data Services puts powerful and customizable reports at the organization’s fingertips. It provides the ability to collect real-time ethics and compliance data in Convercent and immediately transfer it into Microsoft Excel and PowerPoint using the open-standard OData protocol.


2014 GRC Technology Innovation Award: Corl Mitigates 3rd Party Risk Through Ongoing and Proactive 3rd Party Intelligence

Corl Mitigates 3rd Party Risk Through Ongoing and Proactive 3rd Party Intelligence

Managing risk and compliance across 3rd party relationships has become a significant challenge for organizations. Surveys and questionnaires given to 3rd parties are necessary, but they prove unreliable, and it is difficult to obtain high-quality responses containing accurate and fully completed information. The cost of follow-up and the inherent reliance on vendors to be responsive reduces effectiveness and increases the cost of due diligence. Many 3rd party risk and compliance approaches lack scalability, as they are labor intensive and time consuming; the resource requirements of managing the “back and forth” of the due diligence process typically result in fewer than 20% of vendors being properly vetted.  Surveys and questionnaires can also be outdated, and audit-based assessments are point-in-time evaluations. After-the-fact changes in risk may not be documented and factored into 3rd party risk scores.

Third-party breaches and regulations are increasing drastically, but effective third-party security risk management is expensive, time consuming, and resource intensive. As a result, many organizations have programs that do not provide full coverage, or provide a false sense of security.  Corl’s vendorsecurityRM provides organizations with the information they need to effectively focus their vendor due diligence efforts on those vendors who present the most risk.  Data breaches can be costly due to the cost of remediation, regulatory fines, and reputation damage. Corl’s risk-based approach helps organizations focus their vendor security risk management efforts where they will have maximum impact and value.

Corl’s vendorsecurityRM solution is an innovative approach to supplement surveys, questionnaires, and due diligence processes.  It enables organizations to intelligently understand and reduce risk attributable to a 3rd party relationship with a particular focus on data breaches. The vendorsecurityRM solution provides a vendor score and supporting information to effectively address the question of “can my organization have confidence in this 3rd party’s ability to protect sensitive data from an unauthorized breach?” The solution overcomes the traditional barriers of transparency, 3rd party collaboration, and resource capacity to effectively deliver 3rd party vendor security risk management.

The vendorsecurityRM solution comprises three primary components that combine to make it innovative: (1) a comprehensive patent-pending algorithm to assess vendor security confidence, developed by a PhD-led team over two years in collaboration with organizations ranging from Fortune 500 to small size; (2) big data analytics of industry-specific vendor behavior, benchmarks and best practices that encompass people, process and technology, supported by dedicated research teams; and (3) community/industry collaboration through Corl’s collaboration platform.

The vendorsecurityRM solution changes the paradigm for managing vendor security risk. It demonstrates that traditional risk assessment methods may be effective at gathering data but only go so far at rating confidence, managing risk and holding vendors accountable.  The solution delivers reliable indicators of risk in a significantly more timely and efficient manner than traditional approaches. Most importantly, these indicators are actionable for effectively mitigating and continuously managing vendor risk. The solution also reduces regulatory compliance exposure for organizations that do not consistently follow through on vendor assessment and remediation processes.

Corl’s vendorsecurityRM supports a comprehensive vendor security program comprising four steps:

  1. Profiling. Identify and document information security risks for existing and prospective vendors (e.g. RFP respondents)
  2. Due Diligence. Corl’s vendorsecurityRM reports are the basis for an effective due diligence process, allowing organizations to focus efforts on the vendors in which there is the least confidence for protecting sensitive information such as PHI.
  3. Risk Strategy. Corl’s vendorsecurityRM program monitors and reports on required or recommended remediation to be completed by the vendor based on due diligence findings.
  4. On-going Monitoring. Corl’s vendorsecurityRM program continuously monitors vendors for changes that affect information security risk, and provides clients with automatic alerts when such changes are detected.

Corl’s vendorsecurityRM solution is a multi-tenant SaaS-based solution built on Microsoft technology and is currently in production with some large healthcare firms, both providers (hospitals) and payers (health insurers), and plans to roll out additional industry solutions in the future.
