Compliance Automation: The Role of Technology in Today’s Dynamic Organization

Compliance is not easy. Organizations across industries have global clients, partners, and business operations, and the modern organization is dynamic and changes constantly. This dynamic and global nature of business is particularly challenging for compliance management. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants, and staffing), their risk profile grows rapidly. To stay competitive, organizations need systems to monitor internal risk (e.g., strategy, processes, and internal controls) and external risk (e.g., legal, regulatory, competitive, economic, political, and geographic environments). What may seem insignificant in one area can have a profound impact on others.

Compliance activities managed in silos tend to fail. Reactive, document-centric, siloed information and processes do not manage compliance; they leave stakeholders blind to the intricate relationships of compliance across the business. Management is not thinking about how compliance processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance management results in these phenomena, each one feeding off the last:

  • Redundant and inefficient . . .

The rest of this blog post can be found as a guest blog at SureCloud:

READ MORE: https://www.surecloud.com/blog/compliance-automation-role-technology-today’s-dy-namic-organization-0

GRC 20/20’s Effective Policy Management Process Lifecycle

The policy and training management strategy is supported and made operational through the policy and training management architecture.  The organization requires complete situational and holistic awareness of policies and related training across operations, processes, employees, and third party relationships to see the big picture of policy and training performance and risk. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to policy and training management architecture. The architecture defines how organizational processes, information, and technology are structured to make policy and training management effective, efficient, and agile across the organization.

There are three areas of the policy and training management architecture:

  • Policy and training management process lifecycle architecture
  • Policy and training management information architecture
  • Policy and training management technology architecture

It is critical that these architecture areas be initially defined in this order.  It is the process architecture that determines the types of policy and training structures and information needed, gathered, used, and reported.  It is the information architecture combined with the process architecture that defines the organization's requirements for the technology architecture.  Too many organizations put the cart before the horse and start with selecting technology for policy and training management first, which then dictates what their process and information architecture will be.  This forces the organization to conform to a technology for policy and training management instead of finding the technology that best fits their process and information needs.

Policy & Training Management Process Architecture

Policy and training management architecture starts with the process architecture.  Processes are used to manage and monitor the ever-changing business, third party relationship, risk, and regulatory environments in the context of policy and training programs.

The policy and training management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes policy and training management processes, each process’s components and interactions, and how processes work together as well as with other enterprise and GRC processes.

The core elements of the process architecture are understood as the organization’s policy management lifecycle. This represents the actual operation and process of the MetaPolicy in action to develop, manage, and maintain policies throughout their effective use. Failure to manage policy lifecycles results in policies that are out-of-date, ineffective, and not aligned to business needs. It also opens the door to liability when an organization is held accountable for a policy that is not appropriate or properly enforced.

The stages of the Effective Policy Management Lifecycle are:

  • Determine Need for New Policies or Updates. Policy should be created only when necessary, such as to establish the values and ethics of the organization, meet regulatory obligations, and manage potential risk or liability. Without a requirement on, or exposure of, the organization, there is no need for a policy. Too many policies burden the organization and cannot be complied with. Too few policies introduce significant risk and legal exposure. Organizations need a defined change management process to monitor changes that impact policy across the following areas:
    • Corporate environment. Policies change in response to new strategies, objectives, mergers, and acquisitions. Changes in corporate commitments, contracts, values, ethics, risk appetite, and social responsibility statements also drive policy.
    • Risk environment. Ongoing risk intelligence processes are required to monitor geopolitical, environmental, economic, strategic, relationship, and operational risk.
    • Regulatory environment. New laws, changing regulations, litigation, and court rulings (case law) impact organizations and drive policy changes. Organizations need regulatory change management processes in place to monitor the changing legal and regulatory environment in jurisdictions where business is conducted.
  • Policy development and approval. When an organization identifies a change in the corporate, risk, or regulatory environments and determines a new policy is needed, or an existing policy must be updated, it enters the policy development phase. In this stage, policies are drafted, reviewed, and approved. While the Policy Owner is responsible for managing development and works with the policy author and stakeholders, the policy manager champions this process to make sure the policy conforms to corporate style and template requirements and has referential integrity with the other policies in the Policy Portfolio. The policy steering committee, another governing committee, or a designated executive approves policy changes once they go through the development workflow and review process. The policy development steps include:
    • Policy ownership. Every policy in the organization should be assigned to an individual or business role that owns the policy. The owner ensures that the policy remains accurate, is appropriately communicated, and continues to serve the purpose for which it was established. Even if the policy is applied across the entire organization, such as with a code of conduct, the owner must oversee its implementation and monitoring.
    • Policy writing. Once an owner is established, the next step is to write the policy. All policies across the organization should be written in a consistent style, format, and language while following a defined style guide. Policies must be clear and easily understood. They must articulate who the policy applies to, standards, rules, regulations or laws it intends to address, and what, if any, larger program it is associated with.
    • Policy review and approval. Once the initial draft of the policy is written, the owner sends the draft policy to identified stakeholders for review and approval before publication. This phase is iterative, as the stakeholders may send the policy back with changes before it is approved. Leading practice includes reviews by the organization’s policy management office, legal department, and ethics and compliance committee (for policies mandated by law or regulation).
  • Policy publication and awareness. In this stage, individuals are made aware of the new or changed policy and of their individual responsibility to comply with it. This includes:
    • Policy publication. After approval, the policy must be published. This is most effectively done with a centralized policy management and communication platform. Unfortunately, many organizations have scattered systems for publishing policies and procedures. This complicates policy management, as multiple publication methods mean more policies will become outdated and scattered across the organization. A best practice is to have a single policy system that allows any individual within the environment to log in, see all of the policies that apply to a specific role in the organization, and receive automated notification of a changed or new policy.
    • Policy communication and training. Written policy is necessary, but not good enough on its own. Organizations must actively ensure individuals are aware of and understand the policy and what is required of them — appropriate communication and training should be used to facilitate understanding, such as video, LMS courses, surveys, and testing. It is important that training and other resources are linked to policies and are easily accessible. It is also important to preserve records of each individual’s training completion for critical policies so that they are easily accessible by oversight personnel.
    • Policy attestation. It is necessary for individuals to attest that they have read, understood, and will adhere to critical policies. Policies such as a code of conduct require specific attestation on a regular basis (e.g., annually). Attestations should be dated and time stamped, preserved with the version of the policy, and easily accessible by oversight personnel.
  • Policy adherence and compliance. In this stage, policies are regularly monitored to ensure compliance and that exceptions are documented and managed. This phase involves:
    • Implement procedures and controls. The MetaPolicy states who is responsible for implementing the appropriate procedures and controls to ensure effective implementation, usually the Policy Owner. The procedures and controls should be written using approved templates and embedded within the business operations and processes.
    • Monitor, test, and assess. Carefully monitor, test, and assess activities to ensure that the policy, procedures, and controls are being enforced, are operating as intended, and the business runs efficiently and smoothly while in compliance. Findings of noncompliance and violations provide metrics for policy review and improvement. An enforcement policy is critical: it defines the levels of infractions and the actions associated with each.
    • Manage exception requests. While policies must be complied with, there are justifiable business situations in which the organization accepts noncompliance. These exceptions must be documented and managed. An exception may be appropriate for a given time period or until a certain event occurs.
  • Policy metrics and maintenance. Policies should not change frequently, but they should go through periodic review. A best practice is to follow an annual review cycle to make sure policies are still appropriate and do not bring unnecessary exposure or liability upon the organization. Unneeded policies should be retired. The major activities of this stage include:
    • Review, update, or retirement. Every policy should have a regular review cycle (ideally annually). During this review, the Policy Owner and stakeholders assess changes to the internal business and external regulatory and business environments, look at incidents of policy noncompliance and approved exceptions, and consider the continued need for the policy. After this analysis the Policy Owner requests the policy approver(s) to reauthorize the policy as-is for another management cycle, to retire it, or to send it back into the Development and Update stage to revise the policy.
    • Policy archives. Every policy and its associated versions must be archived for reference at a later time. The retention period for superseded versions and retired policies should be managed in accordance with the organization’s document and records-retention policies. When an organization becomes aware of an incident, or a regulator has a question, it is necessary to have a full view of the accountability history of a policy: the owner, who read it, who was trained, and who attested and on what version of the policy at a particular date. This level of detail is necessary to defend the organization in a situation involving a rogue employee, where the organization itself is not culpable.

This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management

Have a question about Policy & Training Management Solutions and Strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .

Engage GRC 20/20 to facilitate and teach the Policy Management by Design Workshop in your organization.

Looking for Policy Management Solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with over 400 requirements for policy management solutions.

Uncontrolled Spreadsheets, Documents, and Emails, Oh My!

Business is complex. Exponential change in regulations, globalization, distributed operations, processes, competitive velocity, business relationships, and legal matters encumbers organizations of all sizes across industries. Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and document-centric internal control management approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered silos of documents become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, when the business environment requires greater agility.

Use of end user computing (EUC) applications such as spreadsheets, emails, and other document types has revolutionized how technology creates value for organizations. However, this brings a significant challenge in governing and controlling information and technology in a distributed and dynamic environment. Organizations are facing increased pressure from regulators and auditors to ensure that they have adequate controls over EUC applications, particularly spreadsheets used in accounting and finance processes. This specifically has caught the attention of the Public Company Accounting Oversight Board (PCAOB) and external auditors. This scrutiny is leading to new SOX failings for companies that previously had no such failings. Enhanced audits are exposing the role of spreadsheets in the context of Internal Control over Financial Reporting (ICFR) and the fact that spreadsheets are often open to manual manipulation.

The reasons spreadsheets fail without controls are . . .

The rest of this blog post can be found as a guest blog at ClusterSeven:

READ MORE: http://clusterseven.com/uncontrolled-spreadsheets-documents-emails-oh/

GRC 20/20 is also presenting a webinar on this topic, The Spreadsheet and SOX: the Never Ending Battle:

REGISTER: http://grc2020.com/event/the-spreadsheet-and-sox-the-never-ending-battle/

More detail can also be found in GRC 20/20’s latest Strategy Perspective, Gaining Control Over End User Computing: Increased Pressure to Control Spreadsheets and Documents:

ACCESS RESEARCH: http://grc2020.com/product/gaining-control-over-end-user-computing-increased-pressure-to-control-spreadsheets-and-documents/

Developing a Policy Management Strategy

Organizations need a coordinated cross-department strategy for managing policies and training programs across the enterprise.  The goal is to develop a common framework and approach so that policies and training are understood and managed as an integrated whole rather than a dissociated collection of parts.

Policies and training programs that are managed as dissociated documents, data, systems, and processes leave the organization with fragments of truth and no view of the big picture of policy and training across the enterprise, or of how it supports the organization's governance, risk management, and compliance (GRC) responsibilities. The organization needs holistic visibility and situational awareness into policy and training across the enterprise. The complexity of business and the intricacy and interconnectedness of policies and obligations require that the organization implement a policy and training management strategy.

Contrasting Policy & Training Management Approaches

The primary directive of a mature policy and training management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of GRC.  This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of policies and training needs across the extended enterprise.

Organizations have three policy & training management strategies to choose from:

  1. Anarchy – ad hoc department silos. This is when you have different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed policy and training initiatives never see the big picture and fail to put policy and training in the context of the rest of the organization. The result: complexity, redundancy, and failure. The organization is not thinking big picture about how policy and training management processes can be designed to meet a range of needs. An ad hoc approach to policy and training management results in poor visibility into the organization’s obligations and values, as there is no framework for managing policies and training consistently. When the organization approaches policies and training in scattered silos that do not collaborate with each other, there is no possibility to be intelligent and align policies and training initiatives to achieve efficiency, effectiveness, and agility.
  2. Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one platform and framework. However, this has its issues as well. Organizations run the risk of having one department in charge of policy and training management that does not fully understand the breadth and scope of the needs across departments. The needs of one area may overshadow the needs of others. From a technology point of view, it may force many parts of the organization to manage policies and training programs to the lowest common denominator.
  3. Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the best balance between central coordination and departmental autonomy in policy and training management. It allows for some level of department/business function autonomy where needed but focuses on a common governance model and architecture in which the various groups involved in policy and training management participate. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of GRC, as it allows different business functions to focus on their areas while reporting into a common governance framework and architecture. Different functions participate in policy and training management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

A federated model for policy and training management provides central coordination of the policy management lifecycle to ensure consistency in policies across the organization, while ownership and management of non-enterprise-wide policies sits in distributed areas of the organization that align with the central governance. The federated model is the ideal for large global organizations.  It allows policy and training management to be centrally coordinated while allowing distributed management and oversight of policies to address divisional, legal entity, business unit, and regional needs. These entities must adhere to all mandated enterprise-wide policies and will often design their own procedures in a way that makes the policy fit their operations and supports their compliance with the policy. They may create their own policies and procedures relating to their specific operations, some of which may be required by federal, state, or local laws. These policies and procedures must be written so that they do not conflict with the overall mission and values of the organization. A federated model often has layers of policy governance in which a policy steering committee is established centrally to define the policy process and templates, while “entity” policy committees oversee the governance of policies within their respective areas.

Policy & Training Management Strategic Plan

Designing a federated policy and training management program starts with defining the strategy.  The strategy connects key business functions with a common policy and training governance framework.  The strategic plan is the foundation that enables policy and training transparency, discipline, and control across the ecosystem of the enterprise.

The core elements of the policy and training strategic plan include:

  • Policy & training governance team. Effective policy management and communication requires policy governance and oversight. The first piece of the strategic plan is building the cross-organization policy and training governance team (e.g., committee, group). This team needs to work with policy owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested interest in policy and training management and get them collaborating and working together on a regular basis.  Various roles involved in the policy and training governance team are: compliance, ethics, legal, human resources, finance, information technology, security, audit, quality, health & safety, and business operations. One of the first items to determine is who chairs and leads the policy and training governance team. This committee provides the structure and connective tissue to coordinate and drive consistent policy management. Its team members represent the best interests and expertise of the different parts of the organization. They leverage the knowledge, charter, and authority of the committee to benefit their business areas and the whole organization. A large distributed organization may have layers of policy and training committees for different geographies or business units. If a layered approach is in place, the organization still needs a central policy and training governance committee that the rest roll up to, to enforce consistency and structure.
  • Policy and training management charter.  With the initial collaboration and interaction of the policy and training management team in place, the next step in the strategic plan is to formalize this with a policy and training management charter.  The charter defines the key elements of the policy and training management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of policy and training management, the members of the policy and training governance team, and define the overall goals, objectives, resources, and expectations of enterprise policy and training management.  The key goal of the charter is to establish alignment of policy and training management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on policy and training management. The charter should specifically address:
    • An organized policy & training management committee to govern the oversight and guidance of policies, and ensure policy collaboration across the enterprise.
    • An individual assigned to the role of policy & training manager to assure accountability to the standards, style, and process defined by the policy management committee. The policy manager does not write policy, but is the champion of the policy management process; for ensuring the creation and revision of policies conforms to the policy management lifecycle defined by the organization.
    • The authorization and allocation of resources for program management architecture, policy review cycles, executive “tone from the top” on policy governance, extending policy governance to mergers and acquisitions, compliance monitoring and assurance activities, and management reporting and dashboards.
  • Policy management policy (e.g., MetaPolicy, Policy on Policies).  The next critical item to establish in the policy and training management strategic plan is the writing and approval of the organization’s MetaPolicy (or policies on writing policies).  This sets the policy management structure in place.  The policy should require that an inventory of all policies be maintained with appropriate detail and approvals. The MetaPolicy is the foundation on which to build an effective policy and training management program. It defines the critical elements of the organization’s policy management program. The major components of an effective MetaPolicy are:
    • Roles and responsibilities. Key organizational roles, responsibilities, and accountabilities for policy governance and lifecycle, and specifically the scope of governance and influence of the MetaPolicy itself.
    • Scope of MetaPolicy. Scope of what is and is not under remit/scope of the MetaPolicy (e.g., internal facing policies, client facing policies, policies of subsidiaries, and joint ventures).
    • Definition of terms. Definitions of specifically— for a given organization—what a policy is as well as a procedure, standard, and guideline in addition to other applicable governance documents and resources.
    • Format and structure guidance. Common structure and content of a policy with specific reference to what topics are required (e.g., purpose, scope, accountability, and policy statement) and what is optional (definitions of key terms/acronyms/abbreviations, authoritative sources/obligations, and cross-references to other documents) to establish a policy.
    • Policy writing and layout. Writing style for policies and other documents as well as the layout of policy documents.  Also included by reference are policy template(s), which are absolutely critical for driving consistency across policies.
    • Central repository and indexing of policies. Requirements for central repository as the system of record for policies and related governance documents. This repository must be accessible to all of the organization’s employees and contingent workers.
    • Policy approval. Policy governance rules for approving policy creation/update/retirement, general requirements for exception approval, and definition of maintenance and review cycles with appropriate accountability of roles and responsibilities for policy development and maintenance.
    • Policy assurance and compliance monitoring. Assurance methodologies to ensure that compliance with the MetaPolicy is in place, that exceptions to the MetaPolicy are documented and managed appropriately, and violations are identified and remediated.
    • Style guide. Policy writing that is wordy and confusing damages the corporate image and costs time and money. Every organization should have a policy style guide in place to provide clear and consistent policy. This establishes the language, grammar, and format guidance to writing policies.  It expresses how to use active over passive voice, avoid complicated language and “legalese”, how to write for impact and clarity, use common terms, how to approach gender in writing, and even internationalization considerations.
    • Templates. These are standard templates that the organization can utilize to write policies and supporting documents/resources that are already in the standard format and structure conforming to the MetaPolicy.
    • Exception/exemption request. Provides a standard template for documenting an exception/exemption request to a policy or procedure and how to seek approval for the request.

This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management

Policy & Training Management Demands Attention

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes.

GRC, by definition (www.OCEG.org), is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and act with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to establish culpability.

An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, but it cannot achieve a strong and established culture without good policy and training on that policy.

Hordes of Policies Scattered Across the Organization

Policy and training matter. However, when you look at the typical organization you would think policies are irrelevant and a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files and dispersed on a number of fileshares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policy that does not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, eighth-grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy. Because policies establish a legal duty of care, misaligned or unauthorized policies that were never approved create exposure and liability for the organization.
  • Out of date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Organizations often lack an established system to document and manage policy exceptions, incidents, issues, and investigations related to policy. The organization has no information about where policy is breaking down or how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.

Inevitable Failure of Policy & Training Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violations and their resolution were monitored and managed.

If policies and training programs don’t conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The bottom line: The haphazard department- and document-centric approaches to policy and training management of the past compound the problem rather than solve it. It is time for organizations to step back and establish a cross-functional and coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design, with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization, supported by real-time information about policy conformance and how it impacts the organization.


This post is an excerpt from GRC 20/20’s latest Strategy Perspective research: Policy Management by Design: a Blueprint for Enterprise Policy & Training Management


Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Organizations are porous: the modern organization is not defined by brick and mortar walls but is a complex web of business relationships. These relationships span vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, and intermediaries. It grows even more complex as there are nested relationships in subcontractors and supply chains. Approximately half of a typical organization’s “insiders” are no longer employees but third party relationships.

The issues organizations face in managing vendor and third party risks are growing. These range from growing challenges in anti-bribery and corruption compliance (e.g., UK Bribery Act, US FCPA, OECD Bribery Convention), human rights and slavery (e.g., US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, California’s Transparency in Supply Chains Act), environmental, health and safety, physical security, business continuity and more.

However, one of the growing challenges organizations face is information/cybersecurity across third party relationships, particularly vendor relationships. A significant number of information/cybersecurity breaches are the result of third party vendor relationships. It is not just IT-related vendors that put organizations at risk; a wide range of vendor relationships can. The Target breach from a few years back was the result of a heating and air conditioning (HVAC) vendor that was broken into and that had a connection to the Target network. With the Internet of Things (IoT) upon us, it has become critical for organizations to address information security in and across their third party relationships.

I am doing a series of educational webinars on this specific topic over the next three weeks. These are as follows:

Here is my specific advice on how to go about purchasing solutions for vendor and third party risk management:

Additionally, here are some of my research papers that I have published on this topic:

Considerations and Lessons Learned from GRC RFPs

The GRC technology market landscape is broad, with over 800 solution providers across seventeen segments of GRC (see the bottom of this post for a breakout of GRC segments). Approximately seventy solutions can be characterized as Enterprise GRC platforms, while hundreds of solutions focus on specific areas/segments of GRC.

In 2016, GRC 20/20 answered 412 inquiries from organizations looking for GRC related solutions and was actively involved in nearly a dozen formal RFPs that leveraged the GRC 20/20 RFP templates and libraries – some for Enterprise GRC, others for policy management, compliance management, risk management, audit management, issue reporting/management, IT GRC, EH&S, and more. Forty-one percent of these came from North America, 28% from Europe, and the remainder from the rest of the world. The most dominant role that interacts with GRC 20/20 is compliance, followed by risk management, then internal audit, and IT/information security. Approximately 30% of these interactions were for Enterprise GRC Platforms, while 70% of GRC 20/20’s interactions were for more focused solutions and implementations.

GRC 20/20 is focused on helping organizations navigate solution provider hyperbole to get to the honest features and functionality, so that the technology selected actually has the capabilities the organization needs.

One of the greatest challenges and frustrations I have in RFPs is the way many solution providers respond to them. They simply answer yes to every question with the thought that it is something that just needs to be built out and customized on their platform. Every year I hear horror stories of rollouts of a solution that take up to two years to build out and implement – all because the organization chose a solution that promised the world in RFP responses but did not have the functionality and features existing in the solution. Further, analysts like Gartner often rank and score these solutions very highly although their evaluation of solutions is getting lighter and lighter. Some of their recent Magic Quadrants for GRC related areas only want video demos and do not sit down with the solution and go through it feature by feature. I have even heard that one recent Magic Quadrant in a GRC area is not even requiring a video demo and just wants answers to questions in a survey; Gartner will then determine if they want to see the product.

The level of customization in these multi-year rollouts has significantly hurt a few major solution providers in the GRC market that find that upgrades are extremely difficult and often break, leaving clients frustrated and unhappy. Three RFPs that I worked on this past year specifically stated they would not consider solution providers that Gartner and Forrester consistently rank in the top leader position because of their experience, in previous positions at other companies, with the level of customization, length of rollout, cost of ongoing administration, and things breaking on upgrades.

Please note: there are many great solutions across GRC domains/segments, solutions that have proven great value, with strong features that can be rolled out rapidly rather than becoming an engagement the size of an ERP implementation.

To provide clarity on features and functionality, I historically have had drop-down fields in GRC 20/20’s RFP templates that ask if the functionality is a ‘native’ feature in the application or something that has to be ‘built-out’ and customized. To provide greater granularity into solution provider responses, I have now updated the GRC 20/20 RFP template library to have the four-fold drop-down responses that organizations should consider (this is from interaction and collaboration with one major GRC player looking to address these challenges head-on):

  • Personalization. Is this feature something that requires no code changes and can easily be done by a business user to suit their individual needs and preferences? Is it completely upgrade-safe?
  • Configuration. Is this a feature that can be easily configured by a power-user or IT developer without coding, and is it completely safe during upgrades?
  • Extension. Is this a feature that can be built by a power-user or IT developer, requires coding, but is upgrade-safe?
  • Customization. Is this a feature that requires working with the solution provider (or professional services) to deliver functionality with coding? Will additional effort be needed for testing during upgrade processes?

This is one area that requires careful evaluation when looking at solutions across GRC related areas. I will be detailing other considerations in GRC related RFPs and evaluations in future posts.

GRC 20/20 segments the GRC market, with RFP templates, across the following seventeen domains:

  • Enterprise GRC. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.
  • Automated Control Monitoring & Enforcement. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and to implement these plans during expected and unexpected disruptions to all areas of operation.
  • Compliance & Ethics Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
  • IT GRC/Security Management. Capability to govern IT in context of business objectives and manage IT process, technology, and information risk and compliance.
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Risk Management & Analytics. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.

Supporting Research Briefings on the topic of purchasing GRC technology are:

Increasing Exposure of Third Party Risks 

The Modern Organization is an Interconnected Mess of Relationships

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

The challenge: Can you attest to the governance, risk management, and compliance of third parties across your organization’s business relationships?

Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to intricate risk and compliance exposures that are never aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations for the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship (or others) the result can be significant. Organizations often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, and consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight; the organization then breeds an anarchic approach to third party management, with the unfortunate result that it has no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails, it is easy for things to get overlooked and buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong, there is no robust audit trail of who did what, when, how, and why; records are non-existent or easily covered up and manipulated.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties, the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as the organization itself is changing, each of the organization’s third parties is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, it cannot be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated whole. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third party relationships that is supported and automated with information and technology.


Additional resources on Third Party Management

Research Briefings

Upcoming Webinars

Written Research

GRC in Uncertain Times: 2016 and into 2017

In the past month there have been a lot of posts, articles, and discussion on the impact of Trump’s presidency on the GRC market, particularly compliance. Some fear that the need for compliance management within organizations is not going to be as strong as a Trump administration looks to deregulate. My perspective is that compliance management will continue to grow within organizations no matter who is in office. Whether conservative or liberal, regulations have grown and grown over the years. While President-Elect Trump is not your typical candidate, he is already toning down some of the rhetoric that he used during the campaign and coming to reality. There may be shifts in focus in certain areas, but ethics and compliance will remain a strong need within organizations for many years to come.

HOWEVER, the focus of the question should not be on compliance but on what the forecast looks like for risk management. While organizations will continue to need compliance processes and technologies, organizations will see a renewed focus and energy on risk management processes and related technologies.

Times are uncertain. 2016 has brought us Brexit, a forthcoming Trump administration, and political turmoil around the world, particularly in European election possibilities. Economically, things are topsy-turvy with the British pound, the euro, and caution on the outlook in China.

As I look to 2017 one word continues to come to mind: UNCERTAINTY.

If we go to ISO 31000 for a definition of risk, “risk is the effect of uncertainty on objectives.” Organizations face a world of uncertainty in 2017 and need defined risk management processes and systems in place to be able to manage risk in context of objectives. As we close 2016 and move into 2017, GRC 20/20 is seeing growing inquiries from organizations looking to improve risk management related processes and are asking questions related to risk management technologies to enable these processes.

Interestingly, the current OCEG GRC Maturity Survey, which GRC 20/20 Research collaborates on and authors, shows a change in the respondents. This survey was fielded over the past two months and has 697 respondents, with 578 of them in roles managing GRC internally within their organization. The past several GRC Maturity Surveys had Compliance and Ethics as the primary role responding to the survey; this year (the past few months to be specific) it is Risk Management roles that are the number one responder. Consider joining the webinar to learn more on the findings.

GRC 20/20 is seeing increased interest in enterprise and operational risk management technologies, but also increased interest in solutions for geo-political risk management, third party (vendor/supplier) risk management, IT/information security risk management, EH&S, and business continuity management.

What are your thoughts on 2017 and the outlook for GRC-related processes and systems? I look forward to hearing your thoughts.

How to Identify UBOs in an Unpredictable World

Business operates in a world of chaos, where relationship risk is ever present. What’s the secret to understanding and identifying ultimate beneficial owners?

The modern organization is an interconnected web of relationships and interactions that span traditional business boundaries. Complexity grows as these interconnected relationships and transactions layer themselves in intricacy.

In this context, organizations struggle to identify and govern their relationships with a growing awareness that they can face reputation and economic disaster by establishing or maintaining the wrong business relationships.

When questions of business practice, ethics, and corruption arise, the organization is held accountable for the actions of those who they do business with, and it must ensure adequate due diligence has been done to ensure it is doing business with the right individuals and organizations.

This is particularly critical in the context of knowing the ultimate beneficial owner (UBO) in business relationships.

Poor visibility

The fragmented governance of relationships can lead organizations to . . .

GRC 20/20 was engaged as a guest blogger for this thought piece. The full post can be read at the Inside Financial & Risk blog.

READ MORE: http://blog.financial.thomsonreuters.com/identify-ubos-unpredictable-world/