Pitfalls in GRC Software Selection and RFPs

There is a broad array of governance, risk management, and compliance (GRC) related solutions available in the market. In fact, GRC 20/20 has catalogued and mapped over 800 technology solutions and over 300 content/intelligence solutions that organizations use to improve GRC processes in an effort to make them more efficient, effective, and agile. Navigating this array of solutions is not easy and organizations need to understand what there needs today as well as into the future to select the right solution(s) that best fit their needs. GRC 20/20 offers complimentary inquiry to organizations looking for solutions in the market and need some quick guidance as well as deeper RFP assistance and help in our RFP templates and support

GRC 20/20 maps these solutions across the following categories and capabilities:

Some organizations are looking to solve a specific problem, such as addressing a regulatory requirement like Sarbanes Oxley, US Foreign Corrupt Practices Act, UK Modern Slavery Act, UK Senior Manager’s Regime, or PCI DSS compliance (just a random sampling as there are thousands of regulations). Others are looking to address a range of requirements and risks within a specific department or domain like environmental, health and safety, IT security, internal control over financial reporting, HR investigations, or business continuity. Then some organizations look to address a specific area consistently across the organization such as enterprise policy management, third party management, or enterprise investigations management. Then there are organizations looking to address a range of domains and GRC requirements across departments in a single or core common technology backbone, this is what we refer to as Enterprise GRC platforms.

There are two things that are consider when looking at GRC related technologies.

  1. GRC is something you do not something you buy. Yes, there is a wide range of GRC related technologies in the market, but at the end of the day GRC is not about technology it is about organization’s actions, decisions, capabilities, and collaboration on GRC. The official definition of GRC as found in OCEG’s GRC Capability Model that I helped contribute to is that GRC is a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Certainly technology can enable this and make it more efficient, effective, and agile – but it is not a silver bullet that accomplishes this magically for the organization. The organization needs a strong culture, established boundaries of controls and policies, and strong processes for GRC to make a technology investment in any GRC related area a success.
  2. There is no one stop shop for all of GRC. Yes, there are GRC platforms that can accomplish a range of capabilities and needs across departments for an organization. However, there is no solution out of the 800+ solutions that does everything GRC. In fact, there are broad solutions that span many areas but they often do not go deep in some areas. Too often I find organizations with failed GRC projects because they try to do everything in one platform and find that in some weak areas of the platform they water things down and lose capabilities they previously had with deeper focused solutions.

Organizations should really be thinking about GRC architecture and not GRC platforms. There can still be a core GRC platform when the organization has the maturity and cross-department collaboration to be successful, but this platform will have constraints. Organizations are best served with understanding these constraints and integrating best of breed solutions when and where they make sense. There are many organizations I interact with and advise that have an Enterprise GRC strategy that have a strong core platform for GRC and operational risk but break off and integrate best of breed solutions that go deeper in areas such as IT GRC/security, third party management, policy management, quality management, or commodity/market risk management. In fact, this past year I interacted with three tier-1 financial services organizations that all used one GRC solution for enterprise GRC and operational risk management and all three had another solution in place for IT GRC and security that went deeper in that area.

The point is that organizations should define their strategy and understand their processes then select the right GRC technologies that provide the information and technology architecture to enable the strategy and process and not handicap it.

Some other common pitfalls in GRC solution selection to be aware of are . . .

  • RFP beauty contests. I work on a lot of RFPs, and get engaged for my RFP templates and support regularly. I have seen a lot of horrible things happen in RFPs. Good solutions get ignored because some sales person did a half-hearted attempt at answering questions while a problematic solution gets selected because they had great but not always honest answers to RFP questions. Also, some solution providers are brutally honest in their RFP responses to their own demise while other solution providers will say anything to win the deal. My job is often to come in and keep these solution providers honest and raise red flags when I see them.
  • Client references are tricky. Understand that client references that solution providers give are often the decision makers that stand behind there decision to invest thousands to hundreds of thousands of dollars in a GRC solution. They will have rosy and glowing things to say about the solution. You need to ask the hard questions to these references and word them in a way they cannot wiggle out of them. Ask them what they like least about the solution. I also thank them for their time and ask if I could talk to someone on their team that works with the solution every day – one of the GRC worker bees. I often get a completely different perspective on the solution. In one situation the Chief Audit Executive loved the product and  only had great things to say about it, while the auditors I talked to that reported to the CAE hated the solution and it was the bane of their workday.
  • Understand what is actually a feature in the solution. There are solution providers that say yes to everything in RFPs. Some do so because they are shady and will do anything it takes to win deal, others do it because they genuinely believe they have a flexible solution that simply can be tailored to meet any need or requirement. Either way, I have seen implementations that have dragged out for over two years because of all the build out and customization required to meet what the organization purchasing the solution thought already existed in the RFP. I assisted one company in their RFP and against my advice they selected a solution I did not recommend. I told them there is a lot that has to be built out for this and it will take a lot longer than they planned. They came back two years later and told me they wished they would have listened to me as they were just rolling out the initial phase of the solution and were seriously behind timeline and over budget. They now are with a different solution in the market.
  • Ease of use is critical. A solution can have tremendous capabilities but if it is complicated to use, lacks intuitiveness, and users simply ignore it . . . the implementation fails. Many solutions in the market are very dated and have interfaces that look like they are 10 to 15 years old. This makes it hard to engage all levels of the organization on GRC. The number one selection criteria I see in organizations moving from one solution that has failed them to another solution is ease of use and intuitiveness. One enterprise policy management implementation I advised after they had an abysmal failure in their implementation because what could be done in one screen took three of four screens and lacked any sense of user friendliness and intuitiveness.
  • Integration and openness is a key to success. Siloed solutions that do not integrate with other solutions are a dead-end. Organizations needs solutions that have a strong API for integration. One global Fortune 100 company I am advising on third party management needs to be able to integrate their third party management platform with their ERP environment to sync master data records. They tried one solution which failed them on this because of data integrity issues in the syncing (and user experience issues as well), they are now seeing success with a different solution that has strong integration capabilities. This is important across GRC areas. For example, policy management solutions should be able to integrate with HR systems to get new and changed employee records to be able to automate the communication of new policies when employees are on-boarded or change roles in the organization.
  • Mobility matters in GRC. In most situations if a solution does not have a mobility strategy it is best be ignored. I am seeing growing demand for using tablets and smart phones for audits, assessments, investigations & case management, policy management and communication, training and clearing, issue reporting, and more.
  • Cloud is everywhere, but be cautious. Everyone has a cloud solution – but this does not mean all cloud solutions are equal. Some use the term cloud and simply mean a hosted model while others refer to it as a multi-tenet architecture. The scalability and cost parameters can make a difference here. Security is to be critically understood and evaluated as well. I do not like the cloud naysayers that avoid it because they are concerned about security. I have seen many cloud environments that are more secure than the organizations evaluating them. This does not mean they all are secure . . . do your homework and evaluation.

I would love to hear your comments and thoughts on GRC related software and strategy. Please post below . . .


  • Have a question about GRC related solutions and strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Looking for GRC related solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over hundreds of requirements for each GRC domain.

Increased Pressure to Control Spreadsheets and Documents

Pervasiveness of End User Computing Brings Risk

Use of end user computing applications such as spreadsheets, emails, and other document types has revolutionized how technology creates value for organizations. However, this brings a significant challenge to govern and control information and technology in a distributed and dynamic environment. Organizations are facing increased pressures from regulators and auditors to ensure that they have adequate controls over end user computing applications, particularly spreadsheets used in accounting and finance processes. This specifically has caught the attention of the Public Company Accounting Oversight Board (PCAOB) and external auditors. This scrutiny is leading to new SOX failings for companies that had previously had no such failings.

How does the organization take advantage of the wealth of benefits that end user computing solutions such as documents and spreadsheets deliver while avoiding the compromise of confidentiality, integrity, availability, and auditability of critical business information, increased risk exposure, and potential legal and regulatory actions?

End user computing applications are pervasive in the enterprise. This increases productivity and gives organizations agility that helps them succeed in a complex, dynamic, and distributed business environment. At the same time, risk and compliance issues are compounded by the extensive nature of collaboration and unstructured data. Individuals and departments can quickly set up online collaboration portals and share documents inside and outside the organization, increasing the number of people who can misuse them and simultaneously decreasing the organizations control over them. Consider that information comes in various forms:

  • Structured data is found in databases and consists of master data and transactions. Structured data can expose the organization to significant risk and compliance concerns but is contained within database structures and is to a degree easier to control, monitor, and secure.  However, pathways to export data and access to structured data is a concern to organizations when it is exported and manipulated in spreadsheets and documents.
  • Unstructured data is pervasive and quickly gets out of control. It consists of documents, emails, spreadsheets, as well as communication and collaboration technologies. Data is easily copied, disseminated, and manipulated. In the distribution process, different versions evolve and can conflict with each other. Business critical data is often stored within spreadsheets and communications subjecting the organization to risk and compliance exposure.
  • Dark data that is data that the organization has no clue about or control over. What should have been destroyed still lives on in remote corners of the organization and beyond. An older version of a spreadsheet that relies on bygone assumptions may still be accessed and used resulting in poor business decisions and faulty analytics.
  • Rogue data that is easy to manipulate and present out of context. What is legitimate information may be unintentionally or maliciously altered to present a different story out of context.
  • Duplicated data in which the organization may have understanding and control of areas where information exists, but is not aware how it has been copied and distributed. When the data changes, those changes are not reflected across areas where it has been copied, referenced, and used.
  • Pervasive data that has no boundaries — unless controlled. Employees quickly use social sharing, collaboration portals, and mobile devices to access information from wherever they are, whenever they want it with little thought to risk and compliance.

There is no doubt about it – end user computing applications are a strategic and critical business application. End user computing applications, particularly spreadsheets, represent an essential and strategic application to business, but also are a significant risk if left uncontrolled.

Specific Challenges and Risks in the Use of Spreadsheets

Organizations face a challenge: spreadsheets are a strategic, useful, and flexible business application but require significant amounts of checking and review to mitigate errors and risk. It is not the spreadsheet’s fault; it is the users’ fault. Organizations need to control spreadsheets so that they can in the end control or avoid the problems users introduce in their use – both inadvertent and malicious.

Organizations that have failed to manage and control spreadsheets have faced significant loss as the result of bad decisions from unreliable data. Lack of control can introduce significant loss to the organization: spreadsheets are prone to breaking because of user error in their configuration, values, use, and calculations. The organization, without proper end user computing controls, does not know that spreadsheets are broken and ends up relying on data that is faulty. Bad spreadsheets do not tell you they are broken; they just spit out bad information. Organizations need to have a defined process to ensure the control over end user computing applications used in critical business processes. This includes understanding:

  • Business criticality of end user computing applications. Spreadsheets and documents are business-critical applications. They offer advanced analytics and modeling of numbers, finance, and statistics. They are flexible, used, and cherished by many users. Spreadsheets and documents are here to stay, and the organization must figure out how to control them.
  • Pervasiveness of spreadsheets and documents. Spreadsheets and documents are everywhere; every workstation typically has them installed as a standard application. They electronically breed and multiply by users adapting them for different purposes. They are copied and modified with no accountability or documentation of their use. Little thought has gone into their development and they often have a host of inaccuracies.
  • Complexity and integrity of spreadsheets and documents. Spreadsheets, while a tool in everyone’s electronic toolbox, are often highly complex with bewildering math, configuration, and calculations spanning multiple worksheets. Complexity makes integrity a challenge. The data quality and integrity of spreadsheets is critical, and the more complex they are, the more control, oversight, and diligence is required.
  • Simple mistakes introduce significant errors. Spreadsheet issues resulting in loss and bad decisions come about through simple user error, miscalculations, and manual processes such as copying and pasting data. When spreadsheets and documents are not controlled or vetted, it can be quite some time before the organization realizes the loss, and in the meantime, it has grown exponentially. It is the exponential loss that finally brings attention to the fact that a simple error in a spreadsheet caused it. Organizations also struggle with the fact that as spreadsheets were developed or changed, no testing was done to provide assurance that they functioned correctly.
  • No audit trail, change control, or versioning. Changes to spreadsheets are typically not monitored, and the organization could not tell you who did what, when, how, and why. It is not a difficult task for miscreants to come in and modify numbers to cover a trail and protect themselves. Further, the data in spreadsheets can often be a mystery with no way to trace where it came from. Organizations struggle with versioning and archiving of spreadsheets because of modifications and cannot fall back to a reliable version should an error be found as there is no reliable version available.
  • Lack of accountability and ownership. In general, spreadsheets and documents are unsecured and unmonitored tools. A spreadsheet is developed and then proliferated throughout the enterprise. It may be modified, and calculations changed. Multiple versions end up existing with no single person responsible for their integrity and use. Someone may access a spreadsheet and never realize it was modified and perhaps functions in a different way or has errors in calculations and/or values.
  • Compliance and audit challenges. Organizations are under the microscope from regulators and external auditors to improve control and assurance over the data in their spreadsheets, comply with regulatory requirements, and conform to auditor expectations. Further, the internal control and audit process is cumbersome as it involves manual processes that require significant time to manually check spreadsheet integrity and function – time that constrained resources in internal audit and control staff do not have. They need an automated and reliable approach to meet expectations and requirements while minimizing risk and loss to the business.

Despite these challenges and risks, many organizations lack a thorough understanding of end-user computing solutions that present a risk to an organization’s financial reports.

Increased Pressure to Gain Control over End User Computing

The information within documents and spreadsheets faces a bombardment of risk and compliance challenges from every direction. New methods of collaborating through pervasive access to data introduce serious risk and compliance concerns. Documents shared inside, as well as outside, the organization may not be adequately protected. How does the organization take advantage of the wealth of benefits that end user computing and pervasive access to information promises? While at the same time avoiding the compromise of confidentiality, integrity, and availability of critical business information, increased risk exposure, legal actions, and regulatory actions? With an onslaught of regulations and enforcement actions, the concern of information governance, risk management, and compliance continues to grow.

The creation, integration, consumption, and analysis of information in various forms drives the products, services, operations, and finances of the organization, determines strategy, and impacts operations of organizations. A challenge to organizations is to govern information and use in end user computing applications like word processes and spreadsheets. This requires managing the uncertainty and exposure to risk that documents and spreadsheet use brings to the organization.

Spreadsheets are too often not in the purview of internal control programs, though they support and are an important part of critical business processes. Thus, they often fall below the radar of internal control, oversight, and audit with little to no governance and data standards. This is something the PCAOB and external auditors are focused on rectifying. Organizations are facing increased pressures from regulators and auditors to ensure that they have adequate controls over end user computing applications, particularly spreadsheets used in accounting and finance processes. The PCAOB specifically has requested auditors to increase their focus on ‘System Generated Data and Reports’ driving the application of so-called ‘enhanced audits’ of Sarbanes Oxley (SOX) control processes which often involve a predominant and pervasive use of end user computing applications.

This scrutiny is leading to new SOX failings for companies that had previously had no such failings. Enhanced audits are exposing the role of spreadsheets in context of Internal Control over Financial Reporting (ICFR) and the fact that spreadsheets are often open to manual manipulation.

 

Organizations have a clear need to ensure that information access and collaboration is controlled and secured. GRC roles have often been in reactive mode to an onslaught of regulations and risk and have failed to develop a sufficient strategy to govern how end user computing is used across the organization. It is the responsibility of an internal control team to work in tandem with GRC functions across areas of IT, security, legal, compliance, risk management, and audit. Together these roles have the responsibility to provide a clear strategy for end user computing controls. In that context they need to clearly define classification, policy, and control of unstructured information, and use of end user computing solutions.  This is not the responsibility of one department, but is a cooperative effort across functions. These collaborative roles need to clearly define the appropriate use of end user computing applications in policies and provide for automated controls needed to govern end user computing applications. GRC technologies that discover, monitor, and enforce control of end user computing solutions are a key component of how to address this growing need.

Information governance is not information restriction. The goal is not to inhibit business, but to protect the business. There is a legitimate need for the access to information and collaboration with others inside and outside the organization using end user computing solutions. It is the role of GRC professionals to provide this control and governance so that those who need it in the context of regulatory boundaries and risk mitigation can access information.

A GRC strategy for end user computing controls helps organizations to:

  • Ensure that ownership and accountability of information governance and collaboration through end user computing technologies is clearly established and enforced.
  • Manage ongoing business impact of risk exposure in the context of end user computing.
  • Integrate intelligence that establishes workflows and tasks when issues arise that impacts the organization in context of improper use of end user computing solutions.
  • Monitor the organization’s environment for the dissemination, access, and control of information across end user computing solutions.
  • Identify changes in risk, compliance, and control profiles spreadsheets that expose information to issues of integrity, confidentiality, availability, and auditability.
  • Visualize the impact of a change on the organization’s processes and operations in the context of information and end user computing use.

GRC 20/20 will be presenting a webinar on this topic on April 26th: The Spreadsheet and SOX: the Never Ending Battle

This post is an excerpt from GRC 20/20’s Strategy Perspective research: Gaining Control Over End User Computing: Increased Pressure to Control Spreadsheets and Documents

  • Have a question about End User Computing & Internal Control Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Internal Control Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Internal Control Management by Design Workshop in your organization.
  • Looking for Internal Control Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.

GRC 20/20’s Internal Control Management Research includes . . .

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):

Gartner: Missing the Risk & Compliance (GRC) Target

Gartner, in context of governance, risk management, and compliance (GRC) related research, is ignorant and harmful to organizations that rely on their research publications and advice.

In full disclosure, Gartner is my competitor. I have been an analyst for seventeen of my twenty-four years as a GRC professional. I spent seven years at Forrester Research, Gartner’s primary competitor, and the past ten years on my own as an independent market research analyst and advisor. Forrester I have a lot of respect for, although I wish their research on GRC related areas was deeper and evolving to keep up. Verdantix is another competitor that I have deep respect and admiration in the quality and thoroughness of their research, though they only cover a segment of the GRC market in environmental, health, and safety (EH&S). On the other hand, it is perilous to rely on Gartner’s GRC research.

My rants on Gartner are the most popular commentaries and posts that I do, but also the hardest. I am not trying to take cheap shots at a competitor. I care about this space and find the market for GRC related solutions, content, and services to be as much a passion for me as it is a career. I provide this commentary because organizations need to be wary of what and how Gartner is doing this research. Specifically, I am talking about Gartner’s GRC related research and not all their research. I have former colleagues that I deeply respect that now work for Gartner. I can’t just stay idle on their approach to their GRC related research, it would not be professional on my part.

My issues with Gartner and their approach to GRC related research run deep, these include:

  • The cost of Gartner. They charge organizations tens of thousands of dollars for very basic access to their research and analysts. Solution providers that fare well in their reports pay for redistribution rights at the cost of tens of thousands of dollars. If a solution provider or organization wants a strategy day with Gartner it is typically more than $15,000 for a day of advisory. My issue here is one of context and setting the stage. One would think their research would be deep and thorough as a result. This is not the case. Obviously, organizations are willing to pay for this even though it is outrageous. But the assumption would be that there would be deep methodologies and transparency in their research at these rates. They are trying to automate, streamline, and make more money by cutting corners. Let us now unpack this further . . .
  • Lack of consistency in evaluating solutions in Magic Quadrants. When it comes to several of the Magic Quadrants in GRC related areas, they are primarily asking for video demos. This does vary, as some Magic Quadrants do want live demonstrations. But the fact is that Gartner is inconsistent. For many of these Magic Quadrants they are not actually sitting behind the solution, navigating through it, and figuring it out how it works, all they want is a video submission. This makes their rankings in Magic Quadrants nothing more than a beauty contest in who can provide the best video demo of functionality that may or may not actually be there. They are not engaging solution providers on a fair playing field and validating functionality. Gartner analysts are often not actually working with these solutions they are ranking and scoring. They may fall back and state this is because they have previous experience with these solutions, but this is cutting corners. If you are publishing research ranking solutions then you should go through each solution step by step in a defined methodology and evaluation. A video submission does not cut this.
  • No transparency in Magic Quadrants. When it comes to Magic Quadrants, they are what they say they are . . . MAGIC. No one but Gartner knows how solution providers are measured and scored. Forrester, on the other hand, publishes all their criteria for Waves. With Gartner no one has any idea about the criteria and scores for vendors plotted on their Magic Quadrants. For example, the Operational Risk Magic Quadrant, the only way I can imagine the solutions plotting out the way they do on this is if Gartner is weighting IT security extremely high. If it was true operational risk management capabilities across operational risk areas there is no way the solutions would plot the way they do. But no one can really determine this as Gartner will not reveal criteria or scoring. This is bad research. Evaluations should be fully transparent and allow organizations to see how solutions score on specific criteria and adjust for their own needs.
  • Simplifying client reference checks. This is exacerbated by how they are streamlining client reference checks. They used to get on the phone and talk to client references and ask them the hard questions. Now there is more reliance on sending web surveys to client references. Surveys that solution providers, in some cases I am aware of, are providing pre-populated answers for their references. This is not fair. When I do reference checks I talk to clients of solution providers. Furthermore, I not only talk to the references solution providers provide, I also ask to talk to others on their teams that use the solution every day. Decision makers give glowing references, you often find a different story with the people that use a solution day in and day out. You cannot get to the dirt and issues that organizations need to understand when making purchasing decisions for solutions by sending out a survey form. Deeper conversations with stakeholders are so much more valuable than an automated survey.
  • Putting a new coat of paint on the same thing. My latest issue with Gartner is their relabeling of GRC to IRM (Integrated Risk Management). From my perspective, this is just putting a new coat of paint on the same thing. To me, it makes no sense. Organizations, associations, professional service firms, solution providers, and more have invested in GRC. So, why would they do this? Perhaps to leverage their position, creating some differentiation for Gartner? But let me ask the key question – does this help the market? I see no benefit to this name change, just obfuscation. If they do not like the acronym GRC, then just fall back to ERM (enterprise risk management). As an aside, GRC is a better acronym in my opinion. By the official definition (from OCEG), GRC is an integrated capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance]. There is a natural flow to this and puts risk management and compliance in context of governance and objectives.

Organizations are relying on Gartner to produce quality research. They are spending tens to hundreds of thousands of dollars with Gartner. Worse, they are making investment decisions in GRC solutions with licensing that can costs hundreds of thousands a year for some organizations. Gartner is failing these organizations by cutting corners and not going deep and working with these solutions first hand. Defining proprietary markets and researching them with video demos, web survey references, and opaque scoring criteria is robbery for what Gartner charges both organizations evaluating solutions as well as the solution providers themselves.

I personally wish Gartner would ask about usability. I get so many complaints about Leaders in Magic Quadrants and Forrester Waves that struggle with interfaces that are not intuitive, difficult to use, and often look like they were coded over a decade ago.  I would love to see them say “in a live environment, configure this solution” then have them “demonstrate how the solution works.” This would show the front and back end of the products they are evaluating. They do a terrible job at differentiating products. For example . . . ask them to compare the workflow functionality of four products and they cannot. Ask them how the products differ when importing information and they cannot.

Gartner also has dropped very important areas of GRC related research, particularly Environmental, Health & Safety (EH&S). I am seeing more and more RFPs that are include EH&S as a primary focus of GRC yet Gartner abandoned this a few years back. Largely, Gartner appears to see GRC (or what they now call IRM) related solutions predominantly through an IT security point of view, as I reference with the Operational Risk Magic Quadrant, and is also apparent in their Vendor Risk Magic Quadrant.

Bottom Line on Gartner: Gartner’s approach to their risk and compliance research (e.g., GRC, IRM) is disloyal, dishonest, untrue, treacherous, and unfair from the part of an analyst who is supposed to be a trusted advisor to many. It’s outrageously expensive, but not just that: expensive for no value.

NOTE: While I have greater respect for Forrester, things need to evolve there as well. Forrester publishes their criteria and scoring, thus is transparent. But their criteria is at a high level and has not evolved much over the years. It also concerns me that they rank client satisfaction so low, where someone that scores a 1 out of 5 on client satisfaction can be positioned highly in a Wave while someone that scores a 5 out of 5 does not.

Understanding Risk Management Process & Architecture

The risk management strategy and policy is supported and operationalized through a risk management architecture. Organizations require complete situational and holistic awareness of risks across operations, processes, transactions, and data to see the big picture of risk in context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to risk management architecture. The architecture defines how organizational processes, information, and technology is structured to make risk management effective, efficient, and agile across the organization and its relationships.

There are three areas of the risk management architecture:

  • Risk management process architecture
  • Risk management information architecture
  • Risk management technology architecture

It is critical that these architectural areas be initially defined in this order. It is the business processes that often determine the types of information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that will define the organization’s requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for risk management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for risk management instead of finding the technology that best fits their process and information needs.

Risk Management Process Architecture

Risk management processes are a part and subset of overall business processes.  Processes are used to manage and monitor the ever-changing risk environments.

The risk management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes risk management processes, each process’s components and interactions, and how risk management processes work together as well as with other enterprise processes.

While risk management processes can be very detailed and vary by organization and industry, there are five that organizations should have in place:

  • Risk identification. This is the collection of processes aimed at automating a standard, objective approach for identifying risk. Understand your surroundings. It is about the internal business context, the external environment that business operates in, and your strategy as to where the business is heading. On an ongoing basis, and separate from monitoring of individual risks, is the ongoing process to monitor risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify opportunities as well as risks that are evolving that impact the overall objectives and performance of the organization. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any organization. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its objectives.
  • Risk assessment. Once an organization identifies risk it then can identify what can happen to help or hinder your objectives. An organization wants to identify the possibilities of outcomes to what can impact it achieving objectives. This should go beyond heat maps to include a vareity of risk analysis and assessment techniques (e.g., bow-tie risk assessments, scenario analysis, Bayesian modeling).
  • Risk treatment. After the range of potential possibilities is understood, the organization needs to decide what to do. What is going to be the best route for the organization to achieve objectives while minimizing loss/harm. This gets into risk measurement activities of understanding inherent and residual risk while looking at risk strategies of risk acceptance, risk transfer (insurance), risk avoidance, or risk mitigation (controls). The goal is to optimize value and return while keeping risk within acceptable levels of risk tolerance and appetite.
  • Risk monitoring. This stage includes the array of processes to continuously monitor risks in the organization. These activities are the ones typically done within the organization to monitor and assess risks on an ongoing basis.
  • Risk communications & attestations. Ongoing processes to manage the communications and interactions with risk owners throughout the risk management lifecycle. These are done on a periodic basis or when certain risk conditions are triggered.

Effective risk management processes deliver:

  • Holistic awareness of risk. This means there is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework. The IT architecture in place aggregates risk data and effectively communicates, monitors, and manages risk.
  • Establishment of risk culture and policy. Risk policy must be communicated across the business to establish a risk management culture. Risk policies are kept current, reviewed, and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives. Technology monitors key risk indicators (KRIs) to ensure management of risk policy, and the management of risk against risk appetite, tolerance, and capacity.
  • Risk-intelligent decision-making. This means the business has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders and the organization’s track record should illustrate successful management of risk against established risk tolerances and appetite.
  • Multidimensional risk analysis and planning. The organization needs a range of risk analytics, correlation, and scenario analysis. Various qualitative and quantitative risk analysis techniques must be in place and the organization needs an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation, or transfer — must be effective and monitored for progress.
  • Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of corporate optimization, performance, and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance, and timeliness.

The next post will explore risk management information and technology architecture. I would love to hear your thoughts and comments on risk management strategy and process . . .


This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management

  • Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
  • Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.

GRC 20/20’s Risk Management Research includes . . .

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):

Third Party Risk: Gaining Certainty in Global Relationships

One of the greatest governance, risk management and compliance challenges before organizations is managing the web of third party business relationships.

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. These risks span areas such as:

  • Anti-bribery & corruption
  • Anti-money laundering
  • Code of conduct
  • Conflict minerals
  • Corporate social responsibility
  • Environmental management
  • Health & safety management
  • Human trafficking
  • Import/export compliance
  • Information security
  • Know your customer
  • Labor standards
  • Privacy and data protection
  • Quality management
  • Regulatory requirements
  • Responsible sourcing
  • Sustainability

GRC 20/20 is answering inquiry questions every week from organizations struggling with third party management challenges. We are seeing a range of hot issues such as the UK Modern Slavery Act, US Conflict Minerals, EU Conflict Minerals, EU REACH, OCC Requirements in Banking, PCI DSS, California Transparency in Supply Chains Act, HIPAA, GDPR, and more. Though third party management goes beyond regulations to also achieve corporate social responsibility and alignment of business partner values to the organization’s code of conduct. I have sat on the social accountability advisory board of a major brand guiding them on process and technology areas of child labor, forced labor, working hours, health and safety, and more for tens of thousands of facilities across their supply chain. This challenge and issue is significant for organizations and the burdens are only growing.

Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

  • The challenge: Can you attest to the governance, risk management, and compliance or third parties across your organization’s business relationships?
  • Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected. An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. Organization often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and the organization breeds an anarchy approach to third party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source-of-truth on the relationship and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate information, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties; the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, processes, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third party relationships that is supported and automated with information and technology.

What are your thoughts and concerns on third party management? Please post your comments below. If you have a question on third party management best practices or solutions in the market, please submit an inquiry.


GRC 20/20 is presenting on a webinar on this specific topic later this week . . .

Third Party Risk: Gaining Certainty Amid a Web of Global Relationships

April 6 @ 10:00 am11:00 am CDT

[button link=”http://grc2020.com/event/third-party-risk-gaining-certainty-amid-a-web-of-global-relationships/”]REGISTER[/button]


Third Party Management Research from GRC 20/20 . . .

GRC 20/20 will be releasing a detailed written Market Landscape: Third Party Management Solutions later in April that includes market definition, segmentation, sizing, forecasting, solutions in the space, drivers, trends and more.

Research Briefings on Third Party Management

Strategy Perspectives on Third Party Management

Solution Perspectives on Third Party Management

Case Studies on Third Party Management

GDPR Compliance Requires a Strategy Supported by Process, Information and Technology

As the years go by, there is increasing focus on the protection of personal information around the world. Over time we have seen US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC, and others around the world. The latest, most comprehensive, and the one that is the front and center of concern to organizations is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive.

The GDPR strengthens and unifies data protection of individuals in the EU. Where the former directive required each country to pass national legislation that was not consistent, the GDPR is a regulation and not a directive and does not require further national legislation. Full compliance for organizations starts May 25, 2018, and applies to any organization that stores, processes, or transfers the personal data of EU residents. It does not matter if the organization resides in the EU. Fines can be stiff, going above €20 million or 4% of global revenues of an organization, whichever is greater.

The regulation defines personal data as: “Personal data is any information related to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

To be compliant and mitigate the risk of data protection incidents, organizations should . . .

The rest of this blog post can be found as a guest blog at SureCloud:

[button link=”https://www.surecloud.com/blog/gdpr-compliance-requires-strategy-supported-process-information-and-technology”]READ MORE[/button]

Risk Management by Design

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to risk management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is also true in risk management. What further complicates this is the exponential effect of risk on the organization.  Business operates in a world of chaos.  Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into risk relationships across the enterprise. Complexity of business and intricacy and interconnectedness of risk data requires that the organization implement a risk management strategy.

Different Approaches Organizations Take in Managing Risk

The primary directive of a mature risk management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of risks in context of organizational performance, objectives, and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks across the extended enterprise.

GRC 20/20 has identified three approaches organizations take to manage risk:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed risk management initiatives never see the big picture and fail to put risk management in the context of organization strategy, objectives, and performance. The organization is not thinking big picture about how risk management processes can be designed to meet a range of needs. An ad hoc approach to risk management results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about risk and performance. The organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any silo understood on its own.
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of having one department be in charge of risk management that does not fully understand the breadth and scope of risks and risk management needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing risk with the lowest common denominator and watering down risk management. Further, there is no one-stop shop for everything risk management as there are a variety of pieces to risk management that need to work together.
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative risk management, governance, and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in risk management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across risk relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in risk management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

Risk Management Strategic Plan

Designing a federated risk management program starts with defining the risk management strategy. The strategy connects key business functions with a common risk governance framework and policy.  The strategic plan is the foundation that enables risk transparency, discipline, and control of the ecosystem of risk across the enterprise.

The core elements of the risk management strategic plan include:

  • Risk management team. The first piece of the strategic plan is building the cross-organization risk management team (e.g., committee, group). This team needs to work with risk owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in risk management and get them collaborating and working together on a regular basis. Various roles often involved on the risk management team are: enterprise/operational risk management, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the risk management team.
  • Risk management charter. With the initial collaboration and interaction of the risk management team in place, the next step in the strategic plan is to formalize this with a risk management charter. The charter defines the key elements of the risk management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of risk management, the members of the risk management team, and define the overall goals, objectives, resources, and expectations of enterprise risk management. The key goal of the charter is to establish alignment of risk management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on risk management.
  • Risk management policy. The next critical item to establish in the risk management strategic plan is the writing and approval of the risk management policy (and supporting policies and procedures). This sets the initial risk management structure in place by defining categories of risk, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all risks be maintained with appropriate categorizations, approvals, and identification of risks.

This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management

  • Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
  • Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.

GRC 20/20’s Risk Management Research includes . . .

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):

Monitoring and Managing Risk Effectively

Challenge to Boards, Executives, and Risk Management Professionals

Organizations take risks all the time but fail to monitor and manage risk effectively. Further, risk management is too often seen as a compliance exercies and not truly integrated with decision making and objectives of the organization. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business. Particularly when risk management is approached from a compliance or audit anlge and not as an integrated displine of decision making that has a symbiotic relationship on performance. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively.

The modern organization is:

  • Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner, and client relationships. The traditional brick and mortar business with physical buildings and conventional employees have been replaced with an interconnected mesh of relationships and interactions which define the modern organization.  Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
  • Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with shifting business strategies, technologies, and processes while also keeping pace with change to risk environments around the world. The multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit, and operational risks. Managing risk and business change on numerous fronts has buried many organizations.
  • Disrupted. The explosion of data in organizations has brought on the era of “Big Data” and with that “Big Risk Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of risk data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Understand the Interrelationship of Risk and Its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels, and build as organizations develop operational and enterprise risk management strategies.

For some organizations, risk management is only an expanded view of routine financial controls with the result nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this, organizations remain keenly interested in how to improve risk management.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as it intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and decision making, business strategy, objectives, and performance.

It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third-party, strategic, insurance, and hazard risks. This makes enterprise and operational risk management a challenge when risk management strategy forces everyone into one flat view of risk to conform and have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting.

Providing 360° Contextual Awareness of Risk

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on a risk management process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events.

In light of this, organizations should consider:

  • Does the organization understand the risk exposure to each individual process/project and how it interrelates with other risks and aggregates in an enterprise perspective or risk?
  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
  • Does the organization monitor key risk indicators across critical projects and processes?
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:

  • The external perspective. Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
  • The internal perspective. Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting that supports business objectives and is integrated with decision making. This is done through a common risk management strategy, process, information, and technology architecture to support overall risk management activities from the process level up through an enterprise view. Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements and select the right information and technology architecture that is agile and flexible to meet the range of risk management needs today and into tomorrow.


This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Risk Management by Design: A Blueprint for Federated Enterprise Risk Management

  • Have a question about Risk Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Risk Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Risk Management by Design Workshop in your organization.
  • Looking for Risk Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 500 requirements for risk management solutions.

GRC 20/20’s Risk Management Research includes . . .

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):

Benefits of a Policy & Training Management Strategy and Architecture

The organization requires a policy and training management architecture that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a policy and training management architecture enables better performance, less expense, and more flexibility.  Core technology capabilities to consider a policy management program are the ability to:

  • Provide a consistent policy management framework for the entire enterprise instead of each department implementing its own policy management system.
  • Manage the policy lifecycle throughout creation, communication, assessment, monitoring, tracking, maintenance, revision, archiving, and record keeping.
  • Train individuals on what is required of them through links to learning systems, modules, quizzing, and attestation.
  • Provide easy access to policy and communicate policy in the language of the reader, as well as to the differently abled.
  • Gather and track edits and comments to policies as they are developed or revised.
  • Map policies to obligations (e.g., regulatory or contractual requirements), risks, controls, and investigations so there is a holistic view of policies as they relate to other areas of GRC.
  • Provide a robust system of record to track who accessed a policy as well as dates of attestation, certification, and read-and-understood acknowledgments.
  • Provide a user-friendly portal for policies in the environment with workflow, content management, and integration requirements necessary for policy management.
  • Provide a calendar view to see the policies being communicated to various areas of the business, and ensure policy communications do not burden the business with too many tasks in any given month.
  • Provide links to hotlines for reporting policy violations.
  • Publish access to additional resources such as helplines and FAQs.
  • Enable cross-referencing and linking of related and supporting policies and procedures so users can quickly navigate to what they need to understand.
  • Create categories of metadata to store within policies and display documents by category so policies are easily catalogued and accessed.
  • Restrict access and rights to policy documents so (a) readers cannot change them, and (b) sensitive documents are not accessible to those who do not need to see them.
  • Keep a record of all the versions and histories of each policy so the organization can refer to them when there is an incident or issue they must defend themselves against or provide evidence for.
  • Maintain accountable workflows to allow certain people to approve policy documents and move tasks to others with full audit trails.
  • Deliver comprehensive reporting with an extensive depth and breadth of reports.

GRC 20/20’s Final Perspective . . .

Effective policy and training management is about delivering value, integration, and alignment of strategy, process, information, and technology throughout the organization in the context of GRC. Organizations need to deliver an exceptional end-user experience: getting employees involved by providing intuitive interfaces into policies and training that are interactive, engaging, and social. Policy and training solutions need to instruct, inform, and be easy to use at all levels. It engages employees in policies and training without leaving them overwhelmed and confused. It is an integration of policy and training information, processes, and systems to engage employees and agents at all levels of the organization.

  • Getting questions answered. Employees need to be able to ask questions and get them answered. This means that policy and training management processes and architecture should provide contextually relevant information as well as pathways to get questions answered.
  • Provide two-way communication. Employees not only need to be able to ask questions and get them answered, they also come up with ideas and ways to improve policies and training. Perhaps it is an idea on a new initiative related to corporate values, to report a new risk, or make a control more efficient.
  • Sharing information. Getting employees engaged is about sharing information, like the ability to like a training initiative and share it with others in the organization. This allows the organization to see what works and keeps employees engaged. It allows a way for employees to share information they find relevant and interesting. It provides feedback into what does not work.
  • Connecting the dots through collaboration. Often elements of policies and training are done in ways that are not ultimately effective. A common problem is individuals often modify responses based on what they think people want to hear. This cognitive and behavioral bias has an impact on the accuracy of the results.  Policy and training processes and architecture should bypass stakeholder interests by using technology to engage individuals in an environment in which to express true opinion, without fear of consequences. Social and collaborative technologies provide a way for individuals in a workshop to anonymously enter thoughts and opinions to captures unbiased information that builds toward stronger discussions and deeper analysis.

In the end, effective policy and training management is about delivering policy and training that minimizes the perception of getting in the way of business and instead becoming a part of business and the culture of the organization. There is an element to policies that will always be inhibitive, but the right approach overcomes this by delivering engaging user experiences that align with the needs of employees, integrates with organization architecture and systems, and delivers relevant content when needed wherever it is needed.


This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management

  • Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Policy Management by Design Workshop. Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.
  • Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.

GRC 20/20’s Policy & Training Management Research includes . . .

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):

Policy Management Information & Technology Architecture

Policy & Training Management Information Architecture

The policy and training management information architecture supports the process architecture and overall policy and training management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support policy and training processes.

The policy and training management information architecture involves the structural design, labeling, use, flow, processing, and reporting of policy and training management information to support policy and training management processes. Categories of policy and training management information that organizations often collect and process include:

  • Master data records. This includes data on individuals and their role and history of interaction and communication with policies and training.
  • Compliance requirements. Listing of compliance/regulatory requirements that are mapped to policies.
  • Policy and training libraries. The indexing and versions of policies and training.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for the policy and training program.
  • Exceptions/exemptions. Documentation of exceptions and exemptions that have been requested, granted, and/or denied.
  • Forms. The design and layout of information needed for specific policies and related processes.
  • Incidents & issues. Record of policy violations and details.

Policy and training management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole.  Successful policy and training management information architecture will be able to integrate information across the organization. Successful policy and training management requires a robust and adaptable information architecture.  Policies and training come together into a unified employee experience where policies are displayed along with training. Training is more than just playing a video but is interactive, showing employees are behind their desk engaged in the activity and not off to get a coffee. Relevant resources are easily accessible and provided in the same interface without hopping between disconnected systems.

Policy & Training Management Technology Architecture

The policy and training management technology architecture enables and operationalizes the information and process architecture to support the overall policy and training management strategy. The goal of the technology architecture is to operationalize the process and information architecture. The right policy and training management architecture enables the organization to effectively manage policy and training performance across the organization and facilitate the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions. Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes.  This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules.  However, these solutions often have a predominant focus on policy and do not always have complete capabilities in training.
  • Enterprise policy and training management platform. This can be an enterprise implementation of point solution dedicated to policy and training management or an enterprise GRC platform that has the breadth of capabilities needed for policy and training management.  This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes.

The right policy and training technology architecture choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real-time business operates in.

A well-conceived technology architecture for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility.  Some of the core capabilities organizations should consider in a policy and training management platform are:

  • Integration. Policy and training management is not a single isolated competency or technology within a company.  Policy and training management often requires information from human resources, vendor management systems and other sources to automatically maintain a single record. These applications must integrate with other systems. It needs to integrate well with other technologies and competencies that already exist in the organization – ERP and GRC.  So the ability to pull and push data through integration is critical.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis.  Standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with policies and training metrics and processes. Contextual awareness requires that policy and training management have a central nervous system to capture signals as changing risks and regulations, analysis, and holistic awareness in the context of changing and evolving business environment.
  • Organization management. Policies and training apply to something within the organization, whether it is a business process, a physical asset, an information asset, a business relationship, or the entire organization. The system must model the organization and map policies to where they apply.
  • Accessibility. Policies and related training are only of value if they are accessible. A policy management system must provide a complete system of record any individual can log into and find policies that apply to their role, along with required tasks, attestations, and training they must complete. The system should be available in the official languages recognized by the organization. It should also support the communication needs of the differently abled (e.g., vision impaired, etc.).
  • Training management. Training management includes support for classroom, offsite or vendor training, e-learning programs, recorded presentations, simple document delivery and attestation, registration, and attendance completions. The challenge for companies is integrating learning management systems with policy management systems. This can be done by adopting a policy management solution that provides training management. In this model, the courses, scheduling, attestations, and automatic assignment of policies and training based upon the organization matrix are integrated with workflow, task management, and monitoring. Mature policy management systems automatically reschedule training if a policy is updated and assign additional training if a person is promoted or changes roles. This greatly simplifies administration and maximizes accountability and measurability.
  • Notifications. The most effective means of providing accountability in policy management is through notifications. Notifications are delivered when policy authors receive a new work assignment, when a due date draws near, or when a task is overdue and an escalation notice must be sent to management. If a person, or perhaps a whole business unit, needs to read and attest to a revised policy, reminders and escalation are required. Policy management systems provide configuration capabilities to customize messages, provide links to tasks, consolidate notifications, and help enforce goals, plans, and accountability. Notifications must be able to integrate with the organization’s e-mail system to deliver messages and drive accountability.
  • Audit trail. If it’s not documented, it’s not done. An audit trail should record each who, what, where, and when for every document, assignment, person, and piece of content collected, developed, changed, distributed, archived, surveyed, trained, notified, and read. This ensures that when an incident occurs, an audit takes place, or a regulatory exam or investigation happens, you are prepared with accurate and timely evidence. The level of audit trail required for policy management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Intuitive interface design. Policy & training management is using leading concepts in interface design to make user experience of applications simpler, easy to navigate, aesthetically appealing, and minimizing complexity.
  • Socialization and collaboration. Collaboration and socialization is used to conduct risk workshops, understand compliance in the context of business, and get individuals involved in policy and training at all levels of the organization.
  • Gamification. Gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making. Getting employees involved through video, comedy, and games to educate on risk, policy, and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles, and illustrations help answer questions, develop skills, and communicate a point. Employees can engage policies and training to gain points, accomplish levels, earn badges, and recognition of skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies and has taken a quiz to validate understanding. As a result they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others and champion policies in different ways. This is all linked back to GRC technology to track and promote this activity as well as broader corporate HR and collaboration technologies.
  • Mobility. A lot of employees do not have computers, and some that did are now being issued tablets. Policy and training engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments where a tablet could be deployed as the policy and training kiosk for employees. Effective policy and training is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring policies to all levels of business operations.

This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management

Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .

Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.

Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.

GRC 20/20’s Policy & Training Management Research includes:

Register for the upcoming Research Briefing presentation:

Access the on-demand Research Briefing presentation:

Strategy Perspectives (written best practice research papers):

Solution Perspectives (written evaluations of solutions in the market):

Case Studies (written evaluations of specific strategies and implementations within organizations):