Inevitability of Failure: Managing GRC in Silos

Success in today’s dynamic business environment requires the organization to integrate, build, and support business processes with an enterprise view of governance, risk management, and compliance (GRC). Without an integrated view of risk and compliance, the scattered and non-integrated approaches of the past fail and expose the business to interrelationships of risk and compliance that were not understood. A mature GRC program is one in which the organization has an integrated process, information, and technology architecture providing visibility across risk and compliance domains: an integrated approach that allows business managers and executives to leverage GRC data for risk-aware decision making and resource allocation.
 
Multifaceted risk environment
Risk to the business is like the hydra in mythology – organizations combat risks only to find more risks springing up to threaten them. So often risk and compliance strategies are like the ‘whack-a-mole’ game at the county fair. Executives are constantly reacting to risks appearing around them and fail to become proactive in managing and understanding the interrelationships of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants, staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes, internal controls) and externally (e.g., competitive, economic, political, legal, and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area of the organization can have a profound impact on other risks.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. In order to manage corporate performance, the organization needs to understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to the inevitability of failure. Reactive, document-centric, and manual processes for GRC fail to proactively manage risk in the context of business strategy and performance and leave the organization blind to the intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk and compliance as an integrated part of the business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility of being intelligent about risk and understanding its impact on the organization.
A non-integrated approach to GRC impacts business performance and how it is managed and executed, resulting in . . .
  • Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility.  The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements.  This results in multiple initiatives to build independent GRC systems – projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture of risk.  The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats.  The result is poor visibility across the organization and its GRC environment.
  • Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty, and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently – introducing more points of failure, gaps, and unacceptable risk. Inconsistency in GRC confuses not only the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A GRC strategy that is reactive and managed in siloed and manual processes with hundreds to thousands of disconnected documents and spreadsheets handicaps the business. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies, and siloed processes that are not at the “enterprise” level and lack analytical capabilities. The business becomes bewildered in a maze of varying approaches, processes, and disconnected data that fail to be addressed with any sense of consistency or logic.
  • Greater exposure and vulnerability. No one sees the big picture. No one is looking at GRC holistically across the enterprise. The focus is on what is immediately before each department, not on the complex relationships and dependencies of risk across the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing spreadsheets, but do not deliver on analytics nor align with business applications. All of this ends up in gaps that cripple GRC and a business that is ill-equipped to align GRC to the business.
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in context of the business. Corporate Integrity finds that organizations that lack a collaborative, integrated, and enterprise approach to GRC have:
  • Inability to gain a clear view of risks and their dependencies
  • High cost of consolidating disparate data silos and documents
  • Difficulty maintaining accurate data
  • Failure to report and trend GRC across assessment/reporting periods
  • Unreliable or irreconcilable risk assessment results because of different formats and approaches
  • Redundancy of risk management and compliance efforts
  • Failure to provide intelligence to support decision-making that crosses risk and compliance areas
  • Inconsistency in approaches to risk/compliance activities
  • Different vocabulary and processes that limit correlation, comparison and integration of information
  • Lack of agility to respond in a timely manner to changing environments and situations

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

2012 GRC Technology Innovation Awards

GRC technology innovation is alive and well!

As I mentioned in last week’s posting, the GRC market is now 10 years old. It was in February 2002 that I first modeled a market for technology and professional services and labeled it GRC while I was at Forrester Research (at the time GiGa Information Group). It is exciting to see GRC technology continue to evolve to make GRC processes agile, efficient, and effective!

GRC technology has continued to expand and grow. Corporate Integrity’s inaugural GRC Technology Innovation awards illustrate the diversity of technologies that are expanding GRC into new areas where no technology has gone before.

Over the past few months, Corporate Integrity has received dozens of nominations for the awards. Most nominations are worthy of mention — they illustrate how technology is being used and advanced. However, most of the submissions were focused on why a vendor has a stronger feature set and not necessarily on how it is paving new ground for GRC technology.

After combing through dozens of nominations, Corporate Integrity is pleased to announce the following 10 GRC Technology Award recipients. Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and unique solutions delivering innovative technology to organizations.

The 2012 GRC Technology Award recipients are:

  • AlertEnterprise: Enterprise Identity and Access Management Security Convergence Solution. The AlertEnterprise Enterprise Identity and Access Management Security Convergence Solution (EIAM Solution) delivers a next-generation identity and access management (IAM) solution. The solution enhances traditional IAM fulfillment capabilities with built-in identity and access governance. It enables self-service capabilities to automate access requests, enforce policies, ensure compliance, enable delegated administration, and generate roles-based dashboards and reports. AlertEnterprise combines the best of IAM with compliance automation to reduce security risks and eliminate costly violations in both physical and logical access environments.
  • Catelas: People Governance Solution. Catelas is the world’s first solution that focuses exclusively on GRC challenges with a company’s employees and partners, and their collective communications (email, voice, IM, etc.), a.k.a., people governance. The volume of communications has made it challenging for compliance officers to holistically audit or monitor for potential infractions (e.g., insider trading, fraud, corruption, IP theft). Catelas has introduced an innovative approach that enables companies to review, audit and monitor corporate communications. This allows compliance officers to effectively review or monitor the company’s communications network and identify potential irregularities, based on relationships.
  • CMO Compliance: Mobile Audit, Risk and Compliance Software. CMO Compliance provides a suite of offline mobile solutions, including iPad/iPhone/iPod Touch apps, to support audit and compliance processes. The mobile compliance and audit software allows corporations to improve operational efficiencies for GRC. The iPad/iPhone apps allow field data collection, with intuitive interfaces that simplify and streamline compliance management, audits, inspections, assessments and reviews for field personnel, providing the ability to view and submit documents offline, manage actions, and capture and annotate photos for evidence and findings.
  • HiSoftware: Security Sheriff™ SP. HiSoftware Security Sheriff SP makes SharePoint safe for even the most sensitive enterprise data: from personally identifiable information (PII) to protected health information (PHI) to prerelease financials, strategic product information, HR data and more. Security Sheriff SP focuses on content awareness and content governance, so it determines access not by location but by what information it contains. It then applies governance rules to that information depending on who accesses it when and from where. Security Sheriff SP scans information, reports its status to management, classifies the information and then acts upon it, taking the actions necessary to keep it safe.
  • LockPath: Keylight GRC platform. LockPath has implemented the next-generation GRC content architecture that provides a less cumbersome way to achieve the true promise of enterprisewide GRC. The Keylight platform provides real-time, regulatory and risk intelligence with actionable context-aware integration of content. Based on a flexible architecture, Keylight is highly scalable, and provides unprecedented correlation capabilities, delivering integrated risk and regulatory intelligence through a streamlined user experience. LockPath has the broadest content integration capabilities and provides the first complete end-to-end integration and harmonization of the unified compliance framework and shared assessments content libraries with customer-created content.
  • Pneuron: Real-time distributed GRC analytics. Pneuron provides the unique ability to configure and deploy in real time, for any GRC function, component, product, rule, model or analytics from any source (third-party, proprietary or developed) to any system or set of systems without the need for an intermediary database, data mart or common data model. Pneuron enables the creation of new GRC capabilities and direct interaction with existing systems with minimal adjustments. The result — real-time globally deployed analysis, interdiction, workflow integration and enterprise intelligence.
  • QCC Information Security: Blackthorn GRC. Blackthorn GRC enables risk to be presented in a clearer, repeatable and graphical way. Risk is understood and analyzed within Blackthorn through the use of “trees.” In Blackthorn, the approach is to use drag-drop functionality to build risk models using objects (threats, threat agents, exploits and vulnerabilities, impacts, controls, etc.). The models are built underneath each critical business asset. Because risk models are built around assets and represented in trees, it has the ability to aggregate risk totals up the tree, with total risk for the organization viewable from any level. Blackthorn represents risk models so they are fed with data from a range of activities, both proactive (assessments, audits, reviews, etc.) and reactive (incidents, cases, breaches, etc.). This makes the risk results both real-time and more reliable.
  • QUMAS: ComplianceSP. QUMAS ComplianceSP on SharePoint 2010 is an innovative compliance management solution, combining the power of SharePoint 2010 with the proven regulatory domain expertise of QUMAS. Combined with preconfigured solutions for managing documents, processes, people and tasks, ComplianceSP on SharePoint 2010 delivers an innovative solution that can manage a wide range of compliance activities on the latest technologies. QUMAS ComplianceSP is fully Web-based, ensuring anytime/anywhere access to critical compliance activities, all secured by role and permission-based access. It integrates seamlessly and leverages the wider Microsoft environment, including Office, Outlook and Silverlight and other elements of the Microsoft technology stack.
  • SAP: Mobile GRC solutions. SAP is empowering the mobile GRC workforce by delivering more consumable GRC information and processes. This enables users to manage risk and compliance via mobile devices. The SAP GRC Access Approver mobile application facilitates review, time-sensitive approvals and operation-critical access requests for managers, allowing authorized employees to gain access to systems and continue their work in a timely manner. With the SAP GRC Policy Survey mobile application, employees can keep track of the latest policy changes that impact their areas of the organization and complete policy-related surveys and attestations.
  • SAP: Risk Bow-Tie Builder. The SAP risk bow-tie builder allows users to visualize and maintain risks in the recognized “bow-tie” format using simple drag-and-drop capabilities. The scope of each risk as well as the causes and effects can be created, maintained and visualized. The visual representation of risk allows managers and executives throughout the typical enterprise to easily understand risk concepts. It is an effective tool to convey the importance of risk management across the organization to those that lack risk management expertise. It delivers the ability for risk managers to engage and have valuable conversations with managers and executives regarding risk. The risk bow-tie builder is revolutionary as it provides an easy-to-understand summary risk visualization with all the supporting details that management can understand and take action on.

Please share your comments, thoughts, experiences, and reflections on GRC technology innovation.  Go ahead – comment below on others that are doing great things (just avoid the better mouse trap argument – post what is truly innovative and breaking new ground).  Let the recognition of those above be the start of a great thread of conversation on other GRC technology innovations.  I am eager to hear . . .

 

State of the GRC Market, Q1-2012

2012: The Chinese Year of the Dragon to Mayan Doomsday prophecies – this year certainly proves to be interesting (note: I myself do not hold to these views; feel free, if it interests you, to ask me my view on providence and the end of the world).

One thing is for sure: it is the year of GRC. I have never personally been involved in so many GRC strategic plans, training, and RFPs. There certainly is more activity in the GRC market right now than at any other point in its ten-year history.

Which brings us to an important point – HAPPY 10TH BIRTHDAY GRC!

Yes, the GRC market is now ten years old. It was back in 2002 as an analyst at GiGa Information Group (soon to be acquired at the time by Forrester Research, Inc.) that I was the first to model a market for professional services, software, and content and label it GRC (Governance, Risk Management, and Compliance). This was right before Sarbanes-Oxley (SOX) became law. That was providence: all that hard work in defining and scoping a market which may have fizzled and dwindled if it was not for a major law from the U.S. Congress. While my original vision of the GRC market was well beyond what was defined with SOX, it is fair to say that SOX established and advanced the GRC market for several years, and continues to do so today. Today GRC strategies and spending encompass the breadth of enterprise and operational risk management, corporate compliance, audit, IT security, financial controls, corporate social responsibility, legal and other areas across the business.

There are over 400 vendors that I categorize into the GRC market. The market has evolved to embrace many niches. The analyst firms today do a disservice to the GRC market with a report that plots a handful of vendors against each other. The GRC market today is more akin to the breadth of the IT security market. Within the IT security market you have sub-markets for anti-virus, perimeter security, vulnerability scanners, intrusion detection/prevention systems . . . and more. The GRC market is at the point where it cannot fit into one graphic to plot vendors against each other. It is a whole market with several sub-markets – while some vendors offer solutions that embrace many components of it, there is no vendor that covers all of the GRC market.

The needs of the GRC market are varied by industry, role, as well as size of the organization.  Some are looking for solutions strong in elements of compliance while others in risk or audit.  Many GRC strategies start in what is referred to as IT GRC (I prefer IT Risk and Compliance) and expand to other areas. There are many perspectives and starting points.

The market has matured to the point that industry heavyweights such as IBM, Oracle, SAP, and SAS are providing stability, solutions, and thought leadership. This is supported by a legion of small to mid-sized vendors solving GRC problems from the narrow and focused to the enterprise GRC strategy. In the first month of 2012 we have already seen the beginning of what will be several mergers and acquisitions in the GRC market – the acquisition of Compliance 360 by SAI Global. This acquisition provides one of the most complete GRC offerings targeted at corporate compliance and ethics professionals.

GRC technology itself is evolving and changing.  After going through dozens of nominations I have now selected 10 vendors to receive Corporate Integrity’s 2012 GRC Technology Innovation Awards.  These will be announced next week.

A particularly important GRC development is the release of the OCEG GRC Capability Model version 2.1.  This is a significant achievement as it evolves the GRC Capability Model to take a broader understanding of risk and performance with several other enhancements.  For those that are looking for an integrated capability and process framework for GRC the OCEG model is the ONLY publicly vetted and open standard for GRC.  There are many excellent standards focused on niches of risk, compliance, and audit – but the OCEG GRC Capability Model is the only one that provides the integration and harmonization of these other frameworks and standards.  The OCEG GRC Capability Model is the GRC Rosetta Stone for organizations.

Tied to the GRC Capability Model is the release of the OCEG GRC Technology Solutions Guide 2.1. As the chair of the OCEG Technology Council, it is rewarding to see this work move forward as a framework to define and model GRC technology areas. It incorporates my thoughts with those of several other GRC pundits and thought leaders on the Technology Council. The OCEG GRC Technology Solution categories, listed below, are how I define, frame, model, and size the market (note: the only change I would make is the addition of a 29th category for identity and access management). The categories of the OCEG Guide and the framework are:

  • Audit and Assurance Management
  • Board and Entity Management
  • Brand and Reputation Management
  • Business Continuity Management
  • Compliance Management
  • Contract Management
  • Control Activity, Monitoring, and Assurance
  • Corporate Social Responsibility
  • Discovery/eDiscovery Management
  • Environmental Monitoring and Reporting
  • Environmental, Health, and Safety
  • Finance/Treasury Risk Management
  • Fraud & Corruption Detection, Prevention & Management
  • Global Trade Compliance/International Dealings
  • Hotline/Helpline
  • Information/IT Risk & Security
  • Insurance and Claims Management
  • Intellectual Property Management
  • Issue and Investigations Management
  • Matter Management
  • Physical Security & Loss Management
  • Policy Management, Communication, & Training
  • Privacy Management
  • Quality Management and Monitoring
  • Reporting and Disclosure
  • Risk Management (Enterprise & Operational)
  • Strategy, Performance, and Business Intelligence
  • Third Party/Vendor Risk & Compliance

OCEG will be rolling out the GRC Directory in a few months to index GRC solutions around this model for those looking for solutions.

A few further items of note:

  • For more detail on the State of the GRC Market, Q1-2012 I will be hosting my quarterly online market training seminar on February 15, 2012.
  • The first OCEG Technology Council call will be on February 16, 2012 for those that are members of the OCEG Technology Council.
  • Within OCEG I will also be chairing a new Council – the OCEG Policy Management Council, aimed to develop a defined policy lifecycle management process with supporting sample templates, policies, and style guide. This also is for OCEG Enterprise, Technology Council, and Leadership members.

I would love to hear your thoughts, interpretations, and experiences with the GRC software market.  Please comment below!