Author: The GRC Pundit

The COVID-19 pandemic has caught a lot of organizations by surprise. But, should it have?

We have had pandemics in the past—history teaches us this over and over. The World Economic Forum has regularly reported pandemic risk on their global risk reports over the years. Political and business leaders have warned us of pandemics. 

So, why has it caught so many organizations off guard?

The problem: an unbalanced view of ERM

The reality is that organizations have not had a balanced view of enterprise risk. Too many enterprise risk management programs (including corporate risk management and operational risk management) have been focused on highly visible risks, such as IT security, while not paying attention to the significant, but low-likelihood, risks like a pandemic. 

Risk management will fundamentally change because of the COVID-19 pandemic. We will see a lot of enterprise risk management (ERM) programs become . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE WORKIVA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The past two months have been a crazy whirlwind of webinars, phone calls, and video meetings. Organizations the world over have been asking for calls on how to respond to the pandemic from a GRC perspective, and what the world of GRC will look like and how corporate governance, enterprise risk, and compliance and ethics management will change coming out of the pandemic. From 5:00 am to midnight here in Milwaukee, it has been a full sprint. RFPs, shortlists, strategy calls, competitive analysis of solutions, input on strategy, to market sizing and forecasting of GRC segments for solutions and services . . . it is a crazy time. I have done more webinars in two months than I normally do in an entire year.

One of the fun and unique engagements I did was the GRC Supper Club last week! This is an event that is normally done in person in the United Kingdom and led by my friend Lee Edge. With the pandemic it went virtual. So while the amazing host and many of the attendees were enjoying dinner and drinks in their homes in the UK and Europe, myself and a few others were doing lunch here in the United States.

Lee moderated the event, and I was one of three panelists for the virtual GRC Supper Club (you can access the recording for the virtual GRC Supper Club here). While we were speaking, Lee had an artist capturing the conversation and insight and putting it into the graphic you see above. I love how the graphic turned out! It captures so many of the points and analogies I brought up in the virtual GRC Supper Club. These are (working across the top and then clockwise around the bottom):

• The Pandemic is NOT a Black Swan Event. I stated that being unprepared for risk does not make it a black swan. There were plenty of warning signs, history of events, and people and organizations speaking out on the potential for a pandemic. It does not meet the requirements of a black swan event. I blogged on this here: Being Unprepared for the Crisis Does Not Make it a Black Swan.
• A Tale of Two Futures. Playing on the Charles Dickens novel, Tale of Two Cities, I discussed in the GRC Supper Club how we have a tale of two futures: we are headed toward either a Blade Runner dystopia or a Star Trek future. The choices organizations make today on the environment, climate change, and health and safety impacts what future we are headed toward. I blogged on this here: Tale of Two Futures: Blade Runner or Star Trek?
• The Interconnectedness of Risk & Chaos Theory. Looking at the bat stating, “I am no butterfly but I’ve had a big impact” was in reference to my discussion in the Club about the interconnectedness of risk and how small things matter. I referenced Chaos Theory and the Butterfly Effect in which the flutter of a butterfly’s wings in Amsterdam can influence the development and path of a hurricane in the Gulf of Mexico. What started with a bat at a wet market in China has had a worldwide impact that is more than a health and safety risk but cascades into economic risk, strategic risk, supply-chain third party risk, security risk, geopolitical risk, IT security risk, modern slavery and human rights risk, bribery and corruption risk, and even harassment and discrimination risk (I detail all of this in the Supper Club recording). I have blogged on this here: Navigating Chaos.
• Cover Your Behind & IT Risk. This part of the illustration detailed my discussion on how too many enterprise and operational risk management programs have been operating with a myopic and overly focused view on IT security risk. IT security is a huge risk, but there are other significant risks the organization faces that have not got the same level of attention. Look at the world around you and nothing more needs to be said. IT security has been the dominant risk focus in ERM and ORM programs at the cost of other risks like environmental, health and safety, and quality. I make reference to this in this blog: Forrester GRC Wave = Tsunami of Confusion.
• The Titanic of Risk. Next in the GRC Supper Club illustration and discussion, I referenced the illustration of the Titanic. This is an analogy I have been using in presentations for nearly 15 years. It is about all the risk exposures that contributed to the disaster of the Titanic, including environmental, overconfidence, third party risk issues, lack of control, health and safety, oversight, and more. Further illustrating the interconnectedness of risk. I have blogged on this here: The Titanic: An Analogy of Enterprise Risk.
• Right-Brain & Left-Brain Risk Thinking. In the lower right corner of the illustration you can see my dialogue during the GRC Supper Club in which I shared that good risk management involves both right-brain thinking and left-brain thinking. Too often we focus on the left-brain side of risk models and analytics, but good risk management also involves the out of the box creative thinking on risk and scenarios. I have blogged on this here: Managing Risk in Dynamic & Distributed Business.
• Environment, COVID & The World. This part of the illustration was in reference to my comments on the Economist cartoon from a few weeks back in which the world is fighting COVID in the boxing ring but a much bigger opponent of the environment and climate change is about to step into the ring.
• IT Security and the Home Office Blender. At this point in the GRC Supper Club I was discussing the IT security threats in the home office/work from home environment with the Internet of Things (IoT). I detailed how in my home in Milwaukee I have outlets, TVs, and even a blender that is connected to the Internet. If one of these devices has a vulnerability, or worse, a trojan horse, this could compromise organization data and connections.

It was a great event! There are two upcoming VIRTUAL GRC Supper Clubs you can register for, though I am not speaking on these. Hopefully, it will be back to in-person dinners back in the United Kingdom soon . . .

I am a James Bond fan and eagerly anticipate the next James Bond film, “No Time to Die.” Unfortunately, because of the global crisis we all now face, we have to wait until November 2020 instead of seeing it on the big screen this month. While we wait for this next installment in the 007 sagas, we can still learn and apply what makes the master spy so great to our world of business that is situational awareness.

Today’s organization needs situational awareness. Situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the business but is particularly needed in the context of risk in third-party relationships . . .

The remainder of this article can be found on the SureCloud site where GRC 20/20’s Michael Rasmussen has contributed his thoughts in a guest blog on this site.

In a time of crisis, like what we face with the global pandemic, centralizing compliance and ethics communications and reporting is critical to streamline interactions, maintain corporate culture and integrity, improve employee morale, and communicate expectations.

However, a lot of organizations are finding they are not prepared. Consider that a lot of policies are changing right now, such as remote office worker policies, home office expense policies, and conduct policies. Other policies may not have changed, but employees still need to be reminded of them as they operate in a high-risk environment for fraud, privacy, customer/client communications, health and safety, and security.

In this current crisis, one large organization I was talking to discovered they had over 20 policy portals scattered in different departments. Policies were on different fileshares, Sharepoint sites, and ad hoc technology platforms. Policies looked different on each portal and used language inconsistently. Some policies were out of date.

In a time of crisis when people are working from home, having . . .

[The rest of this blog can be found at the Convercent website where GRC 20/20’s Michael Rasmussen contributed this as a guest blog post]

I may be going out on a limb and stepping on a lot of toes right now by frustrating some careers and reputations of risk managers. Simply put, this global pandemic/crisis is not a black swan event. I am finding too many GRC and specifically risk management professionals are trying to cover their behinds by claiming that the pandemic is a black swan. Being unprepared for a risk does not make the risk a black swan.

You may ask what is a black swan?

A black swan is defined as an unforeseen/unpredictable event has a significant impact on the organization (or industry, or economy). The term refers to how in Europe it was understood that all swans, as in the bird, are white. There was no concept of a black swan. Then some explorer overseas finds a black swan and changes the paradigm of what swans are.

The truth is that we have had pandemics in the past. We have had threats of pandemics. We have been warned countless times about it:

• World Economic Forum Global Risk Reports. This has been on the chart of top risks by the World Economic Forum for years, including the most recent. It has been a topic of conversation in the past at Davos.
• Business Experts Have Pointed it Out. The most vocal being Bill Gates and his predictions.
• Governments Have Been Reporting On It. Look at this report from the Council of Economic Advisors from the White House.
• History Teaches Us. There has been a recorded history of pandemics, some recent, some going back hundreds of years.

The reality is that this should have been on the ‘risk radar’ of organizations but it was not for many. Now there are a lot of risk managers trying to misdirect scrutiny on them by claiming it was a black swan. Again, being unprepared for risk does not make it a black swan.

I find that too many risk management programs (e.g., corporate risk management, enterprise risk management, operational risk management, GRC, IRM . . . pick your favorite label) have been hijacked by IT security, a department that really does not understand environmental, health and safety, and other risk areas that have a potential big impact on the organization and its objectives. If we look at the WEF report, the top risks the world faces are environmental risks and health and safety risks.

Don’t get me wrong, IT security is a huge risk area; one of great concern that can impact the organizations objectives. My issue is that too many risk management programs have overly focused on IT security where it was not balanced and ignored other risks such as the pandemic we now face.

I would like to see the organization that has been tracking this. That on the corporate risk heat map (I am not a particular fan of heat maps and find them misleading and misused) they have tracked this from a high impact low likelihood event six months back and can show how their risk monitoring has moved this risk event over month by month to week by week to a high impact and high likelihood event. I would estimate that 99.9% of organizations have failed in tracking and monitoring this risk with regular reporting at a board and executive level. Which of these organizations have actually quantified the risk and its various scenarios in how it unfolds to put actual numbers to the risk and the impact on the organization? Which organization has the best case study in how they have been historically monitoring this type of risk and have been the best prepared for it?

I remember a decade back, coming out of the Swine Flu pandemic that cost 200,000 lives, that many organizations were building continuity plans and even doing cross-industry table-top exercises and scenarios to prepare for the next pandemic. Were any of these organizations that worked on this then ready now? Most closed the history ledger of even recent history in their risk planning and monitoring.

Coming out of this crisis, we will see enterprise risk strategies that are more balanced with a broader understanding of risks to the organization’s objectives. Environmental, health and safety, quality, supply chain/procurement, and others will have a stronger and more active role at the enterprise risk management roundtable of the organization.

We are also going to see a lot of regulation across industries and around the world come out of this that is focused on operational resiliency. This is already happening in the financial services industry in the United Kingdom with the Operational Resiliency requirements from the FCA, PRA, and Bank of England. I predict we will see operational resiliency regulation that requires an integrated approach to operational risk and business continuity across industries and geographies.

What are your thoughts on this crisis and how unprepared organizations are but should have seen this coming?

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . . 

• April 7 @ 8:00 am – 9:00 am CDT : Policy on Writing Policies 
• April 8 @ 12:00 pm – 1:00 pm AEST : Agile GRC: from Theory to Reality 
• April 9 @ 12:00 pm – 1:00 pm CEST : Operational Resilience in a Time of Unprecedented Uncertainty
• April 9 @ 1:00 pm – 2:00 pm EDT : Navigating Chaos: Engaging The First Line Of Defense In A Time Of Crisis
• April 14 @ 8:00 am – 9:00 am CDT : 3 Steps to Integrate Regulatory Change Management into Operations 
• April 15 @ 10:00 am – 1:00 pm CDT : IBM RegTech Virtual Summit 
• April 15 @ 10:00 am – 11:00 am CDT : Navigating Chaos: Effective Policy Management & Communication During a Crisis 
• April 21 @ 8:00 am – 9:00 am CDT : Ensure Resilient & Agile Compliance in the Midst of Crisis 
• April 23 @ 10:00 am – 11:00 am CDT : Risk and Compliance Pros: Distinguish Your Role in Uncertain Times
• April 28 @ 11:00 am – 12:00 pm CDT : Best Practices for Effective Policy Management 
• April 28 @ 1:00 pm – 2:00 pm EDT : Navigating Chaos: Monitoring Risk In The Second Line Of Defense In A Time Of Crisis
• May 6 @ 12:00 pm – 1:00 pm CDT : Risk as a Team Sport: Taking a Cross Functional Approach to Risk Management 
• May 12 @ 1:00 pm – 2:00 pm EDT : Navigating Chaos: Providing Assurance And The Role Of The Third Line Of Defense In A Time Of Crisis
• May 18 – May 19 : MetricStream GRC Virtual Summit US 2020

Policies are critical documents in organizations. They define how business is to be conducted as they establish boundaries and expectations for individual and process behavior. Policies enable and intersect all three elements of governance, risk management, and compliance (GRC). It is through policies that are clearly written, communicated and understood, and enforced that the organization can “reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

As the global crisis of the pandemic unfolds and impacts business operations, one of the clear areas of mismanagement being exposed is the scattered approach to policies. Organizations need to at least temporarily change policies and communicate them to a remote workforce. In this context, they are finding that they have policies and procedures scattered across many portals, One organization I just talked to found they have 20 portals for policies and each had different formats/templates and writing styles. This works against the organization that is trying to respond to a global crisis and provide a singular consistent view of policies and procedures across the organization. This is necessary to make sure there is one single source of truth and that remote employees are working from the same consistent and current policies and procedures.

Even worse, many organizations I am talking to right now are finding they do not even know what policies they have in their organization. It is the Wild West – complete anarchy – as different parts of the organization have gone in different directions in writing policies. In a time of crisis, organizations are finding out that there is no master list of all of the organization’s policies and procedures. This is critically needed to be able to flag which ones need to be communicated in a time of crisis as well as modified to address changing business processes, transactions, relationships, and a remote workforce.

Already GRC 20/20 Research has seen a growing interest in enterprise policy management that provides a consistent policy on writing policies with an established policy management lifecycle to ensure that policies are documented, consistent, and available in a single portal in the organization. The need for this is becoming more apparent in the current crisis, and the demand for a singular integrated approach to managing and communicating policies across the organization is growing. This includes

• Back office management of policies. It requires a consistent process to author, approve, communicate, manage, monitor, maintain, and retire policies.
• Front office engagement on policies. It also mandates a consistent singular portal for an employee to access policies and procedures with related resources (e.g., training, issue reporting, helpline, forms). This portal needs to be available from the desktop and laptop down to the tablet and smartphone. And it needs to be available whenever and wherever an employee needs to access policies . . . particularly in a time of crisis.

What are your thoughts on how to manage and communicate policies in a time of crisis?

My point of view: Organizations need to be moving to an enterprise-wide view of policies that are consistent, with a consistent portal for employees to access every policy and procedure in the organization. In a time of crisis, not having a singular view into policies causes confusion and mistakes and has a direct impact on the culture and morale of employees who need guidance.

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . .

• March 31 @ 8:00 am – 9:00 am CDT : How to Maintain a Strong Compliance Culture when Working Remotely
• April 7 @ 8:00 am – 9:00 am CDT : Policy on Writing Policies
• April 8 @ 12:00 pm – 1:00 pm AEST : Agile GRC: from Theory to Reality
• April 14 @ 8:00 am – 9:00 am CDT : 3 Steps to Integrate Regulatory Change Management into Operations
• April 15 @ 10:00 am – 1:00 pm CDT : IBM RegTech Virtual Summit
• April 15 @ 10:00 am – 11:00 am CDT : Navigating Chaos: Effective Policy Management & Communication During a Crisis
• April 21 @ 8:00 am – 9:00 am CDT : Ensure Resilient & Agile Compliance in the Midst of Crisis
• April 23 @ 10:00 am – 11:00 am CDT : Risk and Compliance Pros: Distinguish Your Role in Uncertain Times
• April 28 @ 11:00 am – 12:00 pm CDT : Best Practices for Effective Policy Management
• May 6 @ 12:00 pm – 1:00 pm CDT : Risk as a Team Sport: Taking a Cross Functional Approach to Risk Management

These are crazy and uncertain times, but this does not mean governance, risk management, and compliance (GRC) comes to a halt in organizations. It is the opposite, this is the time for strong corporate governance, risk management, and compliance. This is what gets organizations through the crisis and allows them to navigate the chaos. As the British taught us in World War II, we all need to “keep calm and carry on.” That last part is critical. Now is not the time for GRC to stall in your organization but to lead. We need to KEEP CALM AND GRC ON!

The official definition of GRC is that GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].” [source OCEG GRC Capability Model] Now is the time for greater GRC strategy, practices, and processes to enable your organization to

• reliably achieve objectives, though those may be changing to respond to the environment;
• manage uncertainty, which these times are very uncertain; and
• act with integrity in the face of changing business processes and economic conditions.

GRC strategies and infrastructure will come out of this stronger than ever. I have been a research analyst for 20 years, I saw GRC functions thrive after 9/11 in 2001. I saw them thrive after the 2008 financial crisis. GRC related departments, processes, and technology architecture will be stronger because of the horrible global crisis we face. GRC strategies, solutions, and services are and will be in demand.

Risk management, business continuity, operational resiliency, third party GRC, policy management are all hot topics right now that I am interacting on because of the crisis. Coming out this will see changes to regulations that will cause more demand for compliance management. Strategies related to ESG, EH&S, and CSR will grow in organizations because of this crisis.

How GRC Will Change in Organizations

I have been interacting on a number of inquiries this past week from organizations (across buyers of solutions as well as solution/service providers). Here are my thoughts:

• Risk management will fundamentally change. Too often enterprise and operational risk management programs have been dominated or even consumed with IT security risk focuses. IT risk is huge and an important topic, but our most significant risks are from other areas such as environmental, health and safety.
  • Just a few months back I blogged on this, “Tale of Two Futures: Blade Runner or Star Trek?” While information security will remain a critical risk area, we are going to see more balanced enterprise and operational risk management strategies that include environmental and health/safety risks across industries.
• Operational resiliency – integrating risk and business continuity management. The UK, in financial services, has had a specific regulatory focus on operational resiliency which requires an integrated approach top operational risk and business continuity management (as well as third party risk).
  • This is the buzz word right now and will be a global cross-industry focus coming out of this crisis. In most organizations, business continuity has been overly focused on disaster recovery from an IT focus. There will be a new focus in true business continuity management that is part of an enterprise/operational risk management program. Operational resiliency is what brings this together. 
• Third-party risk management is a necessity. Business today is not defined by employees and brick and mortar walls. It is a complex web of relationships. The crisis is showing this.
  • Organizations need 360° situational awareness of risk and continuity in their third party relationships. This cannot just be an IT security focus but needs to be complete situational awareness of risk and continuity in the extended enterprise. 
• Policy management is in demand. I get a lot of inquiries on policy management, but I am the only analyst that covers it as its own defined area of GRC. I have been getting inquiries on best practices and ideas on how to communicate changing policies, track understanding/acknowledgment, and monitor compliance in times of crisis. The fact is that business operations have changed this past week — this means policies and procedures have changed. The common question is how do we change and manage policies in times of crisis and then bring the organization back to a state of normal (or a new normal)?
  • There are a lot of organizations that have realized how messed up their policies are and that they need a centralized portal for all corporate policies to deal with crisis and change. When an organization has 20 policy portals scattered in different corners of the organization it makes reacting to crisis and change challenging if not impossible.
• Look for CSR/ESG to evolve. Many organizations are doing great things to respond to the crisis, and others are failing miserably.
  • Look for a variety of lessons learned and new perspectives and initiatives in CSR/ESG particularly on matters of social accountability and responsibility in organizations. 

I would love to hear your thoughts . . .

I feel that I am in an alternate reality. This cannot possibly be the real world. Are we living in a DC multi-verse where there are different GRC technology realities and I am just confused as I woke up in the wrong world?

Anyone following me long knows my frustration with Gartner and the Magic Quadrant (see note at bottom on Gartner)^[i]. But now Forrester?

I long praised Forrester for their Wave approach and methodology (full disclosure, I was a VP and ‘top analyst’ at Forrester from 2001 through 2007 and wrote four Waves, including two GRC Waves). Where Gartner is based on secrets and magic (I guess that is truth in advertising), Forrester discloses every criterion, weighting, and scores.

The previous Forrester GRC Wave I only had one major issue with, and I talked to the lead analyst of the previous report about it last June at a conference we were both at. That issue was the fact that Forrester had a criterion that every solution evaluated had to be doing $30 million in GRC revenue, and at least one solution, LogicManager, was not. The analyst explained to me that they were grand-fathered in. I replied that an exception should be documented and footnoted in the research report. Organizations were being left with a false impression that this vendor is much larger than it is. That solution is a Leader in the new GRC Wave, but Forrester dropped the revenue criteria down to $15 million, but I still think that is a stretch. But that was my only issue with the previous Wave.

Now the 2020 Forrester GRC Wave is released, and I feel that I must be in a different reality. It does not make sense. 

Before I get into that, I must state how I loathe two-dimensional representation of winners and losers such as in the Forrester Wave and Gartner Magic Quadrant. These graphics have deep underlying assumptions and criteria that make some solutions winners and other losers in a single graphic. Every solution in the current GRC Wave I can think of situations where they are a good fit. To have a graphic that makes someone the winner and the rest losers leads many down the road to project confusion and often failure. In fact, my last GRC Wave I wrote at Forrester in 2007 had four different Wave graphics as the market back 13 years ago was too complex to represent in one graphic. It is a time for these two-dimensional analyst graphics to die, or at least do them tied to very specific use cases based on the size/complexity of an organization and industry.

Looking at the recently released GRC Wave, my first question is who is this Wave for?

It cannot be a representation of solutions that are delivering true integrated GRC, ERM, or ORM in Fortune 500 companies. The only way the graphic and scoring make sense to me is if it is a GRC Wave for the SMB (small to mid-sized business market). Perhaps this is the ‘undocumented’ focus of the report as their comment on ServiceNow, one of the Leaders, is that it is “a good fit for midmarket companies.” Ironically, ServiceNow does have large enterprise clients for ITSM, but I am personally not aware of any large organization using them for a full enterprise/operational risk management program in all its complexity.

This leads to the question . . . who are Forrester’s clients? From my experience, Forrester subscribers have tended to be large global organizations and not the SMB market. So is this Wave a good fit for Forrester’s actual subscribers/readers . . . I do not believe so. 

While I have a deep respect for the Leaders in the Wave, they all have their strengths and areas of focus, I cannot come up with any client references that I know of where they are truly being used for an enterprise/integrated GRC/ERM/ORM implementation in Fortune 500 companies. Yes, many of the Leaders are in Fortune 500 companies in specific use cases (e.g., audit management, internal controls, ITSM, IT risk management), but I am not aware of any large global organization in the Fortune 500 actually using any of the Leaders for a complex enterprise view of risk that aggregates and normalizes risk across the entire organization (e.g., strategic, operational, financial/treasury, compliance/regulatory, EH&S, IT). I could be wrong, but I talk to a lot of organizations and interact on a lot of RFPs every year in my market research. Forrester does not clarify the scope and since it is GRC, it can only be assumed that a broad focus of enterprise and operational risks would be a primary use case.

I do applaud Forrester for their focus on user experience, ease of implementation, cost of ownership, configurability of the solution, as well as artificial intelligence. These are areas I have carefully defined in GRC 4.0 – Agile GRC as well as the artificial intelligence capabilities coming forth in GRC 5.0 – Cognitive GRC. The next generation GRC 5.0 Cognitive GRC platform I have personally experienced in my interaction with ING in their GRC Orchestrate project in ING Labs.

If I was a Fortune 500 company looking at this Wave, I would ask the following questions:

• What actual client references can a solution provider deliver that are using the solution for a true enterprise view of risk (not an IT-focused view of risk)?
  • You want a solution that has a proven track record at tackling the complexities of GRC/ERM/ORM in large global organizations.
• How do these solutions do risk normalization and aggregation (which is ‘table stakes’ for a true enterprise view of risk)? 
  • Many solutions have a very flat view of risk as they were built for smaller organizations or for a specific department like IT security/risk management. They fail when you have a complex enterprise implementation. One department’s high risk may be another department’s low risk. Large organizations need a legitimate department view of risk as well as an enterprise view of risk in a solution that makes sense. To compare apples to apples and not apples to oranges you need advanced risk aggregation and normalization.
• What are the solution’s capabilities for risk analytics and modeling?
  • Too many solutions have a very flat heat-map approach to risk, and that is a recipe for disaster. Large organizations need a variety of risk analysis techniques that require advanced analytics and modeling. You should understand the range of risk analytics and modeling capabilities in the solution (e.g., bow-tie risk analysis, monte carlo, decision tree, FAIR, and more).
• How does the solution show risk interrelationships or interconnectedness?
  • Risk modeling is complex in today’s dynamic business environment. You cannot depend on a solution that simply allows for a cascading risk hierarchy (e.g, register). Risks have relationships across the hierarchy and any risk may have many-to-many relationships with other risks in the hierarchy.
• How does the solution support a top-down approach to risk management aligned with objectives?
  • The official definition of GRC is that GRC is a “capability to reliably achieve objectives while addressing uncertainty and act with integrity.” Any solution in the GRC space needs to show how it can document and manage the reliable achievement of objectives and manage risk in that context. Whether these are strategic entity objectives down into division, department, process, project, and even asset level objectives. Risk management requires context and it is the strategy and objectives of the organization that provides context for risk assessment. 
• Does the solution have the data and application architecture to scale?
  • Large organizations require a data and application architecture that can scale to their complex environments. This means that the solution needs to be able to address varying complex and distributed organizational structures.
• Does the solution support business process modeling?
  • The complex risk and compliance challenges of today require that organizations look for solutions that support business process modeling. The operational resiliency requirements coming out of the UK, GDPR/CCPA, and even the changes in SOX compliance over the past few years require that organizations have the capability to model and document business processes in a risk and compliance context.
• How does the solution do quantitative risk modeling?
  • There are functional uses for qualitative risk modeling and reporting, but organizations need to be able to quantify risk. Large organizations require actual objective financial numbers to risk that are defensible and not subjective. 
• Does the solution truly integrate and support an enterprise view of risk?
  • This may seem redundant, but it needs to be emphasized. Can the solution actually deliver on a true enterprise view of risk where it can bring together disparate risk areas such as strategic risks in context with the wide array of operational risks across operations, third parties, environmental, health and safety, quality, conduct, compliance/ethics, IT risk, and more. This may require integration with a range of other risk and business solutions.
• How does the solution bring together both a top-down and bottom-up view of risk?
  • Large organizations need an integrated view of risk that aligns with the objectives and strategy of the organization (top-down) as well as the controls and risks down in the bowels of the organization (bottoms-up). Too many solutions only focus on the bottoms-up, and to my previous point, often only one or a few areas. 

If you apply criteria around these questions you will get a completely different ranking of solutions than what Forrester delivers, but you will also find no one solution is perfect and does everything. 

Here are some other thoughts, insights, and experiences on the Forrester GRC Wave:

• Inconsistent criticisms. I do not understand how SAI Global gets called out for having separate platforms under the hood when the dominant ‘Leader’ Galvanize has the same thing? SAI Global is working hard, like Galvanize, to bring about a consistent architecture from their acquisitions. But Forrester downplays Galvanize by referring to ‘modules’ not having the same interface, while SAI Global is criticized for separate applications. The ‘modules’ in Galvanize are separate applications, not modules. These currently are different code bases for the ACL product and Rsam products that form Galvanize HighBond with different user experiences. Galvanize is a great solution, but I find the Wave evaluation not to be consistent in evaluation.
  
  Forrester gives Galvanize a score of 5 on Mobile and yet highlights Mobile as an area of weakness on the commentary of Galvanize. Others, like MetricStream who have some of the largest adoptions of enterprise GRC mobility, get a score of 1. 
  
  Next, consider risk and control management. This is a broad category with many sub-criteria.  One of the sub-criteria for the highest score required a dedicated team to maintain content.  Both ServiceNow and MetricStream are criticized in their profiles for using UCF for content, though ServiceNow still receives the highest score in the category, while others are not. On the topic of content – bringing in content from authoritative sources is critical for GRC and could be a range of criteria.  Large organizations expect integrations with various content sources. A requirement for a GRC vendor to maintain their own content team hardly makes sense except for a few narrow use cases in IT Risk where pre-mapped controls from a couple of common frameworks may be sufficient for the mid-market.
  
  
• What are the full GRC capabilities? I am a fan of Workiva, it is doing some great things in internal control management, audit management, and policy management. But Forrester states that “one-third of customers use Workiva’s full GRC capabilities.” What are they measuring? If Forrester means internal control management, then I can agree with that. Workiva states they have 3,400 clients. Forrester scored them across risk and control management, document management, policy management, audit management, IT risk management, third-party risk management, and risk scoring. That would mean that over 1,100 companies are using Workiva for all of these capabilities? This simply is not true. Internal control management they have had for years. Other modules in their ‘full’ GRC capabilities are newer. There is no way 1,100 companies are using all these use cases scored by Forrester on Workiva. Workiva is doing some great things, but Forrester has the breadth of their use cases wrong.
  
  
• Where are the greatest risks organizations face?  According to the World Economic Forum and Davos, the most significant risks we face are environmental risks (and with that health and safety risks with the current virus threat). Enablon has moved from a strong position in previous Waves to the back of the pack, but it is the one solution tackling and managing the most significant risks organizations are facing. Other analysts that understand this, like Verdantix, put Enablon in a clear-leader position. 
  
  Other analyst firms, like Chartis that understand the range of financial and non-financial operational risk in large organizations, place IBM and MetricStream as leaders in their most recent market quadrant. RSA scores high in IT Risk with Chartis. Galvanize, ServiceNow, and Logic Manager do not even appear on the Chartis quadrant as relevant, but this could be because Chartis if focusing on the challenges of large organizations and not the SMB market. I feel the Forrester scoring in the Wave may be heavily weighted to SMB organizations without clearly stating this or for use cases predominantly focused on IT risk/security that lowers the score and positioning of the systems doing broader enterprise/operational risk management. 

• Conflict of Interest. Another critical issue I have is the fact that this is an official research report and conflicts of interest should be documented. I am not stating there was any wrongdoing, but any conflict of interest should be footnoted for the reader. Part of any compliance program (as well as research) is managing and documenting conflicts of interest on anything that can influence bias. The fact that the lead analyst has six years in a senior role at one of the solutions being evaluated (and the one that ends up being the leader of leaders) should be documented in the report so readers can take this into account. Any research publication from Wall Street financial analysts would require management of conflicts of interest, the same should be true of industry/technology analysts. Besides, there is also experience with the solution. The lead analyst is intimately familiar with the capabilities of the new leader having worked there for 6 years, while other solutions in the Wave get a 90-minute demo?
  
  
• That brings us to Sandbox and demos. Forrester requested a sandbox environment to go into and experience the solution. This was provided, but solutions in the Wave are reporting no logins at all to just a few minutes of activity actually in the solution. Forrester states that they only use the sandbox to validate things and not for scoring. This is a huge issue. Organizations are investing hundreds of thousands and some cases millions on software and much more on implementation and the analysts recommending the solutions are not even kicking the tires themselves. One constant criticism of Forrester in this process is the level of due diligence and response to issues in this research. Eight vendors have complained about this. How can Forrester claim to have the insight by reviewing 80 pieces of functionality in a 90-minute demo? They require a data populated sandbox but audit logs show they do not log in or just spend a few minutes looking at the solution. To make it worse, they allow only 300 characters (not words) to explain each piece of functionality/criterion in their spreadsheet answers to capabilities.

---

^[i] At the heart of it is the fact that Gartner does not disclose any of their criteria and is becoming more dependent on recorded videos than live demos and does not actually get hands on with the products. My latest issues with Gartner were the smoke and mirrors of IRM in which the lead IRM analyst stated GRC technology has failed and now we have IRM technology when the IRM MQ had the same exact technology as GRC. What failed? If Gartner had simply come out and stated that they are now calling GRC by the term IRM, I would not have cared. Call it whatever you want: GRC, ERM, ORM, IRM, ABC, XYZ. What matters is what organizations are doing and not what they are calling it. But Gartner had to say GRC tech failed and promotes IRM technology which was the same exact GRC technology as before. Off to battle I went . . . 

Business today is changing minute-by-minute and second-by-second. Processes and technology and their configurations are changing. Employees and their access into systems is changing as new employees are hired, others change roles and have inherited rights issues, others leave the organization. Transactions and vendors are changing. The pace of change in business today requires new approaches to control automation.

The past involved random sampling, an approach that is dated and out of step for the dynamic nature of business today. Random sampling and monitoring of controls only cover a small fraction of the configuration, master data, segregation of duties/access rights, and transaction controls in the environment. Manual processes for control monitoring focused on random sampling leaves the organization in a false sense of control where the reality is there can be significant control issues that expose the organization to malicious and inadvertent issues and events.

Random sampling of controls results in . . .

[This is continued as a guest blog by Michael Rasmussen of GRC 20/20 on the Greenlight Technologies blog]

Don’t miss the upcoming Webinar How to Achieve an Integrated & Continuous Approach to Managing Controls on March 4th. Click here for more information and to register.