Disclosure Management: Comparing Compliance Solutions

Compliance disclosures are a critical element of an organization’s compliance and ethics management program. The organization requires structured approaches to managing disclosures such as conflicts of interest, and a way to address compliance-related forms and processing for gifts, entertainment, and travel or facilitated payments. This requires the ability to intake information, route it for review and approval or denial, document exceptions, and provide a strong, defensible system of record of the entire process.

The traditional approach to disclosure management has been manual processes involving print or electronic forms that thread compliance disclosures, like conflicts of interest, through time-consuming manual processes where things often get missed, slip through cracks, or mistakes are made. Manual processes or older software treat disclosures as static entities, making it difficult, if not impossible, for employees to access or update previously filed disclosures. This results in static disclosures that are filed and forgotten, rather than living documents that contain accurate, up-to-date insight into relationships and their potential impact on the business.

The next phase of disclosure management

There is a growing demand for compliance disclosure management solutions that can be more dynamically managed to address Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas of compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

A Business Case for Integrated Third-Party GRC Across the Extended Enterprise

One of the greatest challenges to organizations today is managing the extended enterprise: the web of third-party relationships that support the business and its operations. The integrity of the organization is no longer defined by traditional brick and mortar walls and employees. The integrity of the organization requires continuous monitoring and control of the governance, risk management, and compliance of third-party relationships.

I argue that we should stop calling this area vendor risk management, or third-party risk management. What is needed is third-party GRC that is integrated across the business. I define third-party GRC (modifying the OCEG GRC definition) as:

Third-Party GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in each of the organization’s third-party relationships across the extended enterprise.

There are two primary items missing from traditional vendor and third-party risk management:

  1. Governance. Third-party governance involves ensuring that the organization reliably achieves the objectives of each relationship. You cannot manage risk in a relationship without clearly understanding and defining the objectives of the relationship. In fact, the official definition of risk in ISO 31000 is that risk is the effect of uncertainty on objectives. Every relationship is established for a purpose. The most fundamental element of managing risk in a relationship is whether we are achieving those objectives and measuring the uncertainty of achieving them. You cannot do third-party risk management without starting with governance first.
  2. Integration. Too many vendor and third-party risk management programs are focused on silos of risk. IT security is looking at security in third parties; privacy is looking at similar things related to personal information; compliance is looking at conflicts of interest and anti-bribery and corruption; procurement is looking at reliability and viability of suppliers and vendors; legal may be looking at intellectual property protection and contracts; ESG/CSR is looking at human rights and ethical sourcing, or perhaps conflict minerals; quality is looking at the delivery of goods and services to requirements; EH&S is looking at traceability of components and environmental impacts; business continuity is looking at resiliency in third-party relationships. Everyone has their view, but no one has a complete view of objectives, risk, and integrity in and across these relationships. For the most part, too many vendor and third-party risk management programs are exclusively fixated on IT security and privacy and not the range of other risks in these relationships.

What is needed is a federated strategy that brings 360° contextual insight into each relationship. We need to see the big picture of achieving objectives in the relationship while addressing risk and compliance. This involves a cross-department strategy to holistically address third-party GRC: a strategy that provides a framework, process, and information/technology architecture that allows greater insight into third-party GRC across procurement, IT security, privacy, legal, compliance, ethics, ethical sourcing, resiliency and continuity, and more, so that the organization can get a complete report card on the performance, risk, and integrity in each of its relationships and ensure it is doing business with the right entities and achieving the objectives of the relationship.

Just as organizations have implemented client relationship management (CRM) systems, we need a similar collaborative approach to managing the other side of the organization, the extended enterprise. Where CRM systems allow marketing, sales, and service and support to get a 360° view of clients and their interactions/transactions with the organization, the same is needed in third-party management to get a complete view of third parties.

How do you get there? Here are some simple steps:

  1. Understand your current state. Inquire and find all the departments, functions, and roles that have a stake in some element of third-party GRC in the organization. Find out how they are approaching this, what is working well, and what is not.
  2. Define your future state. This involves developing a charter for third-party GRC to get distributed groups to work together and from there define a strategy, process, and architecture for where you want to be in three years.
  3. Build a business case. Measure the value the organization will achieve for an integrated and collaborative view across third-party GRC. Define how this will make the organization more efficient (e.g., time saved, money saved), more effective (e.g., complete view of delivery/objectives, continuous monitoring of risk, stronger relationships), and more agile (e.g., keeping up with change, being responsive to and containing issues).
  4. Start your journey. Take things in stages, break down the project plan, and start delivering on this vision.

Happy to share resources and information on this. I teach a full-day workshop on Third-Party GRC by Design and have written and advised extensively on this journey.

Delivering on Agile Compliance in Dynamic Business

Organizational exposure to compliance risk is rising while the cost of compliance soars. Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with obligations and values. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance management boils down to defining – and maintaining – corporate integrity.

However, compliance is not easy. Organizations are complex and dynamic. The modern organization changes by the minute or even second. The organization can go from a state of compliance to non-compliance in a blink of an eye. Processes change. Technology changes. Employees change. Business relationships change. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and other obligations?

To maintain compliance, an organization must . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CURA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Efficiency & Agility in Accountability Compliance – SMCR, BEAR, SEAR, MIC, GIAC

Accountability is More Than Responsibility

There is a difference between accountability and responsibility. An individual or organization can outsource or delegate responsibilities, but one cannot do so with accountability. To address the breadth of compliance and ethics failures, as well as risk management, in financial services there have been a growing array of accountability regulations sweeping the world.

It all started with the United Kingdom’s Senior Manager Regime & Certification Regime (UK SMCR). This put accountability on senior management functions (SMFs) for failures in risk, compliance, control, and ethics. If there is willful wrongdoing, these SMFs can go to jail. If there is negligence or lack of due diligence in compliance, risk, control, or ethics, these SMFs can be personally fined from their personal bank accounts. This framework has sped around the world in Australia’s Banking Executive Accountability Regulation (BEAR), Ireland’s Senior Executive Accountability Regulation (SEAR), Hong Kong’s Managers in Charge Regulation (MIC), and now the stringent requirements in Singapore’s Monetary Authority’s Guidelines on Individual Accountability and Conduct (GIAC). These regulations have a global impact; I have talked to several financial services firms headquartered in the USA that are struggling with compliance with accountability regulations as they have operations in these countries.

I am a J.R.R. Tolkien fan, so I have characterized accountability regulations as the one ring in Tolkien’s Lord of the Rings. It is the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them. Accountability regulations are the uber regulation that puts the sharp teeth of personal accountability to enforce other regulations and ethical practices. I will be presenting on this in the webinar Escaping the SMCR Quagmire.

There are various stages of compliance. In the context of UK SMCR (noting there are other regimes I have mentioned), solo-regulated firms are just coming into the spotlight. Larger firms have been dealing with this for the past few years, but at various stages. Even these large firms have a looming requirement coming up (postponed by the FCA from December 2020 to March 2021) to communicate conduct rules (which are policies) to all employees (except ancillary staff like receptionists and caterers). This requires communicating one or more policies to every employee and documenting that communication (e.g., attestation). Already these firms have had to document SMFs, certify staff, get approval from regulators, and regularly communicate conduct rules to SMFs and certification staff. Now it extends to all employees (except ancillary staff).

Making Accountability Compliance Efficient, Effective, and Agile

What is becoming apparent is that the ongoing management of accountability regulations, the reporting to regulators, the certification of SMFs, the communication of conduct rules on a regular basis with documentation of communication and attestation, the definition and maintenance of accountability and responsibility maps . . . this is not going away. As financial services firms grapple with ongoing and continuous compliance they are now looking for ways to automate the process.

The approach many firms have taken to accountability regulations is very typical of other regulations, such as when Sarbanes-Oxley first hit us in 2002. For the first year or two, firms use manual processes involving lots of documents, spreadsheets, and emails. Then, as they build their process, address compliance, and realize that this obligation for oversight and reporting is not going away but continuing, they start to look for technology to automate the process and make it more efficient, effective, and agile. The regulators also crack down, as the audit trails (system of record) are weak and not defensible in manual processes that rely on documents, spreadsheets, and emails. On top of this, business is changing minute-by-minute and second-by-second. Processes change, management changes, employees change, risk changes, regulations change. This all means that accountability compliance has to be agile in a dynamic, distributed, and disrupted business environment. Manual processes with documents, spreadsheets, and emails are cumbersome, slow the organization down, and certainly are not agile.

Technology for accountability compliance falls into three areas:

  1. Solutions focused on aspects of the regulations. Organizations here look for solutions to manage and automate aspects of the regulation, but not the entire regulation. This most often is a policy management solution to communicate conduct rules and track attestations to those rules to provide a documented system of record of these communications. Think about it, if you are a firm with thousands of employees, then manually communicating, tracking, monitoring, and reporting on the communication of conduct rules becomes very time consuming quickly.
  2. Solutions for full accountability compliance. These are solutions built for the regulations (e.g., UK SMCR, BEAR, SEAR, MIC, GIAC). The solutions are designed to manage the process of defining senior management/accountable functions, building responsibility/accountability maps, certifying functions and staff, reporting and interacting with the regulators for approvals of staff, and communicating conduct rules/policies to all employees.
  3. Solutions BECAUSE of accountability compliance. This is the interesting one that has come up a lot this past year. These are not solutions to manage the specific requirements of compliance in the accountability regulation. These are solutions BECAUSE of the regulation. Think about it, if you are an SMF that is personally accountable for an area of ethics, compliance, risk, control – such as vendor risk, GDPR, or operational resiliency – then you will want to make sure your organization is properly managing this area and want visibility into this. After all, it is your personal bank account on the line (or possible prison time).

The good news is that technology delivers across these functions. Technology relieves the burden of ongoing compliance monitoring and reporting. It makes accountability compliance efficient through a reduction in human and financial resources, more effective through a strong system of record and audit trail with fewer things slipping through the cracks, and agile enough to keep compliance current in a dynamic business environment where risks, processes, regulations, and particularly employees such as SMFs are changing constantly. Again, I will be presenting on this in the webinar Escaping the SMCR Quagmire (the details there also apply to BEAR, SEAR, MIC, and GIAC).

How is your organization approaching accountability compliance?

A New Framework for Defining and Approaching Information Governance

Information governance has become a critical objective for organizations. In the context of the pervasive use of information throughout the enterprise, operational reliance on information, and increased regulation and liability of information, organizations are building structured approaches to information governance. This is to ensure the proper collection, use, and control of sensitive information – intellectual property, proprietary information, regulated data, personal information – across the organization. Privacy regulations such as the California Consumer Protection Act (CCPA) and the EU Global Data Protection Regulation (GDPR) are making information governance an even greater priority.

Over the years we have seen a lot of definitions for ‘Information Governance.’ From the straightforward, like . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Why Policies, and Policy Management, Matters

It is finally here! For the past year, I have been working hard with OCEG on the Policy Management Illustrated eBook. I have spent countless hours behind Adobe Illustrator working hard on doing the design, layout, concepts, and process of policy management in these illustrations in collaboration with OCEG and many other firms. Below is my lead article in the eBook (which you can download for free). Please enjoy the Illustrations I have labored on in my passion for policy management. I look forward to hearing your thoughts as you go through these.

Michael Rasmussen

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting with the policy of all policies – the code of conduct – they filter down to govern the enterprise at all levels.

GRC, by definition, is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.”

OCEG GRC Capability model

Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization. Without a policy, there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of the corporate culture. Without a policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

A policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and non-compliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecutors, and plaintiff attorneys use policy violations and noncompliance to place culpability.

An organization must establish a policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, but it cannot achieve a strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Despite the value of policy, many organizations have:

  • Policies managed in documents and fileshares
  • Reactive and inefficient training programs
  • Policies that do not adhere to a consistent style
  • Rogue and out of date policies
  • Policies without lifecycle management
  • Policies that do not map to exceptions or incidents
  • Policies that fail to cross-reference standards, rules, or regulations

Inevitable Failure of Ad Hoc Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. If policies and training programs don’t conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The haphazard department and document-centric approaches for policy and training management of the past compound the problem. It is time for organizations to step back and define a cross-functional and coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.


Here are some other resources:

OCEG Policy Management Resources

OCEG GRC Resources

Policy Engagement In A COVID & Post-COVID World

The world has changed, business has changed. A worldwide pandemic has caused restructuring of processes, employees, and activities. It has forced organizations to look for agile ways to manage a dynamic business environment.

As organizations went into lockdown and moved employees to a work from home environment they were confronted with issues, such as:

  • Reduced workforce. There were layoffs and restructuring. Business processes and roles had to adapt. Employees needed clear guidance and understanding of what is required of them as they had multiple roles and responsibilities in a different environment.
  • Shifting requirements. Regulations and business strategy changed impacting the way organizations needed to conduct themselves. Policies changed to meet these requirements and address new risks.
  • Increased risk exposure. The pandemic . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE METACOMPLIANCE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Ensuring Integrity in the Extended Enterprise

The value of a third-party risk management strategy

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define your organization. The modern organization is the extended enterprise: an interconnected maze of relationships and interactions that span traditional business boundaries. These relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships.

The challenge today is that issues of integrity in your extended business relationships are your organization’s issues. You stand in the shoes of your third-party relationships. Third-party integrity problems are the organization’s integrity problems and directly impact the brand, as well as reputation while increasing exposure to risk and compliance matters. Compliance and ethics challenges do not stop at organizational boundaries.

An organization can face reputation and economic disaster by establishing or maintaining the wrong third-party relationships, or by allowing good business relationships to sour because of weak governance of the relationship. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third-party partners behave appropriately.

Third-party risk management challenges

Maintaining integrity across the extended enterprise is challenging, as your organization faces . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Rethinking Risk Management RFP Requirements

Risk management is a hot topic and focus within organizations. We are surrounded with acronyms of GRC (governance, risk management, and compliance), ERM (enterprise risk management), ORM (operational risk management), and now IRM (Gartner’s integrated risk management). We hear other terms like operational resilience, strategic risk management, and more.

Risk management strategies (pick your favorite acronym or buzzword) lead to RFPs for technology to support the risk management strategy and processes. HOWEVER, not all risk technology is created equally. Organizations need to get beyond the marketing hype of buzzwords and misleading analyst rankings to really understand if the technology can deliver on the requirements of their risk management maturity journey. This involves a clear understanding of where you are now with risk management and where you want to be. The current pandemic is demanding attention to this, which I also wrote about before the pandemic.

The problem with many risk management programs is that they struggle with documents, spreadsheets, and emails. I talked to one organization that was spending over 200 hours to build a report for the board of directors because it required them to go through hundreds to thousands of documents, spreadsheets, and emails to aggregate and report on risks and risk events. In an RFP I advised on for a mid-sized bank, they did an internal study that found that 80% of their risk management resources were nothing more than document/data reconcilers and aggregators and only 20% of the time was spent managing risk; they wanted to change that with a solution, and did. This recent article in the BBC caught my attention on the limitations and risk exposure of using spreadsheets: Excel: Why using Microsoft’s tool caused Covid-19 results to be lost.

So organizations look for risk management solutions and get sucked in by marketing and sales hyperbole. There are basic risk management solutions that do ease the pain of human capital efficiency (e.g., time) in not having to manage documents, spreadsheets, and emails. But these are basic and typically aimed at tick-box exercises for risk management that are more of a qualitative compliance exercise than true risk management. Mature and valuable risk management is more than forms, surveys, workflow, and tasks; it requires risk quantification, modeling, analytics, and reporting that is aligned with business objectives and in the context of business objectives. It requires seeing the complex interrelationships and interdependencies of risk. The market is at an interesting point right now, as older solutions rearchitect to meet the demands of Agile GRC 4.0 while newer solutions are already there.

My question to you: Can the risk management technology you have (or are considering) truly deliver on the needs and concerns of risk management?

There was a ton of interest in my recent article on the Role of Business Process Modeling in GRC Requirements. This week I turn my attention to risk management requirements. In 2020 I have interacted on several RFPs for enterprise and operational risk management solutions and engaged to advise on several more as we enter 2021. In addition to these formal engagements, I answer inquiry questions from organizations looking at solutions throughout every week. I am seeing a lot of activity for risk management in North America, Europe, the Middle East, and Australia right now.

In these interactions, I have found that the following requirements/functional areas for GRC, ERM, ORM, IRM RFPs are core to maturing a risk management function within an organization. If you want to build a true risk management program that goes beyond tick-box compliance exercises, then you should strongly consider:

  • Performance/Objective-View of Risk. This is where risk management should start. ISO 31000 states that ‘risk is the effect of uncertainty on OBJECTIVES.’ So good risk management STARTS with performance and objective management. These can be entity-level, division, department, process, project, or even asset-level objectives. Risk needs to be understood in the context of objectives. I recently finished advising on an RFP for a global European firm where this became the deciding factor in their choice of a solution, and am starting another RFP that is centered on this. It comes up regularly, but in these two situations it was table stakes.
  • Front Office Engagement. Organizations desire the depth and breadth of capabilities and complexity of risk analytics for the back-office (2nd and 3rd line) risk functions for risk modeling, analysis, mapping, and monitoring. But I am seeing increased requirements for front-office (1st line) engagement on risk ownership, accountability, and reporting. The interfaces for back-office and front-office are not the same and need to be very role/context-specific so they do not overwhelm front-office operations. I am interacting with a financial services firm right now looking specifically for this dichotomy of simple and intuitive front-office engagement on risk with the depth and analytics for the back-office.
  • Risk Interrelationships. Risks cannot be understood and managed in isolation. I wrote about this last year in my article in Enterprise Risk magazine. 2020 proves this point with COVID-19: what is a health and safety risk has an interrelated impact on performance, resiliency, third-party/supply-chain, IT security, human resources, fraud & corruption, and even social accountability and human rights risks. Organizations need to be able to map and understand risk relationships and interrelationships/dependencies. Measuring a risk exposure also requires understanding the exposures and impacts of related risks.
  • Risk Aggregation & Normalization. This is a critical factor, particularly for large organizations. One department’s high risk might be another department’s low risk in quantifiable exposure. Departments, projects, and functions want a legitimate view of risk at their operational level. Within their view of the world, they need to know what is high risk and what is low risk. But as this gets rolled into enterprise risk reporting, they need strong risk normalization and aggregation that is meaningful. This is one key requirement I am seeing in Germany in the context of the IDW PS 340 audit standard driving enterprise risk reporting. I had a corporate secretary for a global brand on a panel I was moderating at a conference who stated their board of directors never wants to see a heatmap from their leading IRM solution ever again because it lacked risk normalization and aggregation (don’t get me started on the issues of heatmaps, that is another blog in itself).
  • Risk Frequency & Distribution. I am seeing more and more risk management programs mature to want risk frequency and distribution models, like Monte Carlo simulations. An immature approach to risk might plot risk as a point on a heat map (which has many issues), but real risk has a range of scenarios, frequencies, and impacts that need more complex modeling to analyze and understand. Organizations are looking for more advanced ways to do risk quantification and modeling. Monte Carlo simulations, Bayesian modeling, and more are becoming more frequent in RFPs.
  • Risk Visualization. There is a growing demand for greater risk visualization and analytic techniques. Organizations want fresh and modern user interfaces (UX). I am seeing an increased demand for bow-tie risk analysis across industries. RISK VISUALIZATION IS MUCH MORE THAN HEATMAPS!!! This also ties back into the point above on risk interrelationships as well as risk quantification and using risk visualization to communicate and analyze.
  • Cost of Ownership. Organizations are looking for Agile GRC 4.0 solutions that deliver in rapid timeframes and bring value to the organization. They are tired of dated solutions (10 to 20-year-old code) that take a year or more to roll out. For example, I am interacting with one organization looking to replace a Gartner IRM Leader that they purchased 3 years ago and still have no users on the platform. Modern solutions should be agile and have a low cost of ownership to implement and maintain.
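The Risk Frequency & Distribution and Risk Aggregation & Normalization points above, worked through as an added example that is not from the article or from any vendor's product: a Monte Carlo frequency/impact model that returns a loss range instead of a single heat-map point, rates each risk on the owning department's scale, then normalizes it to one enterprise scale and aggregates trial by trial. The two scenarios, department budgets, rating thresholds and enterprise risk appetite are constructed for illustration.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class RiskScenario:
    """One loss scenario owned by one department (all parameters constructed)."""
    name: str
    department: str
    events_per_year: float   # Poisson mean: how often the event occurs per year
    median_loss: float       # median loss per event, in currency units
    loss_sigma: float        # log-normal spread of the per-event loss

def sample_poisson(rng: random.Random, mean: float) -> int:
    """Knuth's multiplication method; adequate for the small means used here."""
    threshold = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1

def simulate_annual_losses(s: RiskScenario, trials: int, seed: int) -> List[float]:
    """Monte Carlo: for each simulated year draw how many events occur, then draw
    each event's loss and sum them. Returns one annual total per trial."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)  # lognormvariate takes the mean of the log
    totals = []
    for _ in range(trials):
        n_events = sample_poisson(rng, s.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, s.loss_sigma) for _ in range(n_events)))
    return totals

def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile (q in 0..1)."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]

def summarize(losses: List[float]) -> Dict[str, float]:
    """A range instead of a single heat-map point: expected loss plus tail quantiles."""
    return {
        "expected": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),   # 1-in-100-year loss
    }

# Departmental rating bands (constructed): p90 loss as a share of the department's budget.
LOCAL_BANDS = ((0.25, "high"), (0.05, "medium"))

def local_rating(p90: float, department_budget: float) -> str:
    """How the owning department would rate the risk on its own scale."""
    ratio = p90 / department_budget
    for floor, label in LOCAL_BANDS:
        if ratio >= floor:
            return label
    return "low"

def enterprise_exposure(p90: float, enterprise_appetite: float) -> float:
    """The same loss normalized to one enterprise-wide scale (share of risk appetite)."""
    return p90 / enterprise_appetite

def aggregate_by_trial(losses_by_scenario: Dict[str, List[float]]) -> List[float]:
    """Sum scenarios year by year (trial by trial), not quantile by quantile, so the
    enterprise tail reflects which losses actually coincide in a simulated year."""
    return [sum(year) for year in zip(*losses_by_scenario.values())]

def run_report(trials: int = 20_000, seed: int = 7) -> Dict[str, dict]:
    """Constructed example: two scenarios owned by two departments with very
    different budgets, rated locally and then normalized and aggregated."""
    scenarios = [
        RiskScenario("Phishing-led account takeover", "IT Security", 4.0, 50_000.0, 1.0),
        RiskScenario("Settlement counterparty default", "Treasury", 0.2, 20_000_000.0, 0.8),
    ]
    department_budget = {"IT Security": 1_500_000.0, "Treasury": 120_000_000.0}
    enterprise_appetite = 500_000_000.0  # constructed enterprise-wide loss appetite

    losses = {s.name: simulate_annual_losses(s, trials, seed + i) for i, s in enumerate(scenarios)}
    summaries = {name: summarize(vals) for name, vals in losses.items()}
    return {
        "summaries": summaries,
        "local_rating": {s.name: local_rating(summaries[s.name]["p90"], department_budget[s.department])
                         for s in scenarios},
        "enterprise_exposure": {s.name: enterprise_exposure(summaries[s.name]["p90"], enterprise_appetite)
                                for s in scenarios},
        "aggregate": summarize(aggregate_by_trial(losses)),
    }

if __name__ == "__main__":
    report = run_report()
    for name, summary in report["summaries"].items():
        print(f"{name}: local={report['local_rating'][name]}, "
              f"enterprise share={report['enterprise_exposure'][name]:.4f}, "
              f"expected={summary['expected']:,.0f}, p90={summary['p90']:,.0f}, p99={summary['p99']:,.0f}")
    print("enterprise aggregate:", {k: round(v) for k, v in report["aggregate"].items()})
```

The IT scenario rates "high" on its own department's budget while contributing a far smaller share of enterprise appetite than the Treasury scenario rated "medium" locally, which is exactly the normalization gap the heatmap complaint above describes.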

Can your risk management technology deliver on these broader risk management capabilities? These are just some buckets of functionality that I get much more specific with in my risk management RFP requirements library.

What do you see as critical in technology to deliver on maturing your risk management strategy?

Engaging GRC to the Front-Office, and Not Just Back-Office Functions

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage – to move in the opposite direction.

E. F. Schumacher

Governance, risk management, and compliance (GRC) is as much or more the responsibility of the front-office (1st line employees and management) as it is the back-office (2nd and 3rd line risk, compliance, security, control, and audit functions).

Think about it . . . risk, compliance, and control decisions are being made every day by the front lines of the organization. The doctor or nurse in the hospital is making patient privacy and safety decisions; the teller at the bank is making decisions on fraud, customer privacy, security, and money laundering; the miner in the coal mine is making environmental and health and safety decisions.

Risk exposure is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE 360inControl BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]