The Role of Technology in Compliance Risk Management

Organizational exposure to compliance risk is rising while the cost of compliance soars. An ad hoc or reactive approach to compliance brings complexity, forcing business to be less agile. Organizations in the past have addressed compliance as singular obligations, resulting in multiple redundant initiatives working in isolation to respond to each obligation. These isolated compliance initiatives tend to rely on manual processes burdened with costly assessments managed through unreliable spreadsheets, documents and email. This reactive methodology makes it difficult to adapt to new regulatory requirements and while increases pressure on management, employees, and third parties.

Business requires a common compliance risk management process, information, and technology architecture that is context-driven and adaptable to the enterprise and operational risk management strategy. Compliance must be an active, living part of the organization and culture that can detect and prevent issues as a continuous process to be monitored, maintained and nurtured in the context of governance, risk, and compliance management. Today’s organizations require integrated compliance risk management strategies as an integration function for effective enterprise risk management.

Past compliance processes were bogged down in documents and technology silos, which led to laborious and costly processes to gather information and report on compliance risk. Compliance departments over-relied on spreadsheets, documents, and email that lacked an audit trail, creating a legal disaster since organizations lack a defensible position when it cannot prove compliance. With no record, assessments can also be compromised or tampered with. What may seem like an insignificant risk in one source of information may have a different appearance when other relationships are factored in. Siloed documents and processes create inefficiency, out-of-sync controls, and corporate policies that are inadequate to manage risk and compliance. Organizations are encumbered by unnecessary complexity because they manage compliance within specific issues, without regard for an integrated framework and architecture, wasting time and resources in the process.

Effective compliance requires technology that has a robust system of record that proves a state of compliance and documents any changes made, thus providing a complete audit trail. In order for compliance to be an active and living part of the organization and culture, intelligent organizations are implementing a comprehensive compliance technology architecture.

A compliance technology architecture to support compliance risk management includes capabilities to perform:

  • Compliance risk management. Technology to manage compliance risk surveys, assessments, and related risk information; report, analyze and model risk of compliance and ethics.
  • Regulatory change management. Technology to track, document and manage regulatory changes and their business impact.
  • Learning and training management. Technology to communicate and document training programs related to compliance – includes delivery of training, testing of attendees, and maintenance of training records.
  • Policy and procedure management. Technology that maintains policy lifecycle management across development, maintenance, communication and attestation. Provides a robust audit trail and content management capability to ensure policies are current and communicated.
  • Investigations management. Technology that enables incident management, facilitates collaboration, and documents investigation processes. The ability to record the range of issues reported from all mechanisms, actions taken, and results of the investigation.
  • Issue reporting and hotlines. Technology that makes it easy for individuals to report issues and non-compliance, including a system to document reports made directly to all levels of management.
  • Survey and assessment. Technology that delivers a consistent experience for conducting compliance surveys and assessments.
  • Benchmarking, metrics, and dashboarding. Technology that produces reports of assurance to management that compliance is not only designed properly but also operating properly to address compliance risks in a dynamic business environment assure executives and the board that their fiduciary obligations for compliance are being met.
  • Due diligence management. Technology that facilitates due diligence efforts to validate the hiring of the right people and partnering with ethical vendors that share the same commitment to compliance and corporate values.
  • Forms automation and processing. Technology that creates and automates forms to manage processes such as interactions for gifts, entertainment, and facilitated payments through online forms, plus workflows for approval/disapproval.
  • Compliance program/project management. Technology that brings compliance risk management together in a cohesive system to manage compliance activities, metrics, and reports. All compliance management personnel and employees should have access to the system and see the relevant tasks that pertain to their job.

Check Out These GRC 20/20 Compliance Management Resources . . .

 

Compliance: An Integral Part of Risk Management

Increased regulatory and ethical pressures are transforming the traditional role of compliance. Compliance departments are taking on broader responsibility for ethics, compliance, corporate culture, and social responsibility. With greater frequency, they are moving out from under the legal department into a direct reporting relationship to the CEO and/or Board, particularly in highly regulated industries.

Some organizations are differentiating between operational compliance and legal compliance by leaving a function within legal for monitoring and interpreting relevant laws. In some cases regulators are requiring, and at least encouraging, compliance to report outside of legal so it has greater autonomy to raise and resolve issues. The critical point: enabling compliance to report directly to the Board of Directors.

Since 1996 in the US, oversight responsibility to ensure compliance and ethics programs are in place falls squarely on the Board. This was made clear in the United States Sentencing Commission Organizational Guidelines that require Boards be knowledgeable about compliance risk, the content and operation of the compliance and ethics program, and exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program – with specific ability for the compliance function to have direct access to the Board or an appropriate subgroup of the board.

Therefore, we see that compliance is mandated to take on greater relevance as it guides the enterprise beyond traditional concepts of being the compliance “cop.” This requires an integrated role in the organization’s proactive risk management programs. Ideally, today’s compliance function will possess a solid understanding of the company’s ethical, regulatory, and cultural risks, how they relate to each other, and how they fit into broader enterprise risk strategies. Reliance on well-established risk management and governance processes will provide assurance that ethics and compliance efforts are sufficient and operate as designed.

Building Relationships Across the Business

The compliance function faces a big challenge today: encouraging executives to work together to revamp siloed, haphazard risk management systems and turn them into an integrated process that provides greater transparency, reliability and value.

It is critical that the compliance function play a key role in risk management strategy. To do so, it must first understand compliance and ethical risk facing the organization. Then focus on opportunities to control cost, improve resource utilization and create sustainable scalability and alignment with organization goals. In order to champion corporate compliance and ethics goals, compliance should be prepared to:

  • Articulate to the board why having a clear and conformed view of compliance risk is critical to the organization’s culture, performance, and fiduciary responsibilities.
  • Demonstrate how centralized oversight and supporting technologies for compliance risk management drives predictable behaviors and performance results.
  • Communicate the benefits of including compliance risk management within business change initiatives.
  • Influence key executives to support the compliance role in the achievement of business objectives.
  • Collaborate with key executives in developing compliance processes that allow measurable evaluation of effectiveness, efficiency, and support business agility.
  • Assist the CEO in evaluating opportunities and preventing adverse effects from regulatory compliance and ethical risks.
  • Help management appreciate how integrated compliance risk management processes can improve operations while reducing redundancies that can be leveraged across assessment, training, awareness, investigations, and policy management.
  • Incorporate compliance risk management and assurance across extended third-party business relationships

Understanding and Approaching Compliance Risk Management

Historically, the compliance function did not understand how to manage risk. Compliance was understood as: documenting and meeting requirements and finding and resolving issues. Modeling compliance risk to determine business impact and prioritization of resources was done on a limited basis, if at all. Non-existent was a proactive function tasked with interpreting and predicting compliance risk and developing corrective plans to mitigate damage. Most often, compliance was a reactive function trying to put out fires.

Compliance is now challenged to take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the context of dynamic and distributed business, and model risk and present and future business impact.

The core principles of compliance risk management are:

  • Understand your risk. An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic – done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and markets).
  • Approach compliance in proportionality of risk. How an organization implements compliance procedures and controls is to be based on the proportionality of the risk it faces. If a certain area of the world or a business partner scores as a higher risk to corruption or ethical issues, the organization is to respond with stronger procedures and controls. Proportionality of risk also applies to the size of the business – smaller organizations are not expected to have the same measures as large enterprises.
  • Monitor the risk and regulatory environment. Content and information on changes to risk and regulatory environments is critical to understanding ever-changing compliance risk. New laws, changed regulations, court rulings and amended standards  change the organization’s compliance requirements. A defined process with accountability to monitor risk of changing regulatory environments is essential.
  • Tone at the top. The compliance risk management program should be fully supported by the Board of Directors and C-suite. Communication to top-level management must be bidirectional. Leadership is to communicate their definition of acceptable and unacceptable risk and their support for the compliance program. To fulfill their fiduciary obligations, executives and Board members should always be informed about the effectiveness and operations of the compliance risk management program.
  • Know who you do business with. Know your business relationships. This requires an established risk-monitoring framework that catalogs all third-party relationships, markets, and geographies. Strict due diligence ensures the organization is contracting with ethical partners. If there is a high degree of risk to corruption, compliance, and ethical issues, implement additional preventive and detective controls in accordance with the risk. Also, know your employees and conduct background checks to determine if they are susceptible to corruption or unethical conduct.
  • Keep information current. Due diligence and risk assessment efforts are to be kept current. These are not point in time efforts that happen once; perform assessments on a regular basis or when you become aware of conditions that point to increased risk due to ethics and compliance issues.
  • Compliance oversight. Make a trusted executive responsible for the oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to an independent monitoring body, such as the audit committee.
  • Manage change. It is essential to monitor the business for changes that can impact its compliance program or introduce greater risk to corporate ethics. Document changes required to business practices as a result of observations and investigations. Implement changes to address deficiencies through a deliberate program of change management. This requires that changes be monitored by compliance to be proactive in preventing corruption.

Check Out These GRC 20/20 Compliance Management Resources . . .

Compliance and Risk Bear Down on the Organization 

Compliance in Dynamic and Distributed Business

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to compliance risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants and staffing) their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal risk (e.g., strategy, processes and internal controls) and external risk (e.g., legal, regulatory, competitive, economic, political and geographic environments). What may seem insignificant in one area can have profound impact on others.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and other obligations? 

Compliance obligations and ethical risk is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of risk and compliance. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing regulatory requirements as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

The Inevitable Failure of Compliance Silos

Compliance activities managed in silos often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance and risk management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance risk management results in these phenomena, each one feeding off the last:

  • Redundant and inefficient processes. Managing compliance risk in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency and agility. The organization ends up with a variety of processes, applications and documents to meet individual compliance needs. The result: a major drain of time and resources.
  • Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple risk and compliance assessments asking the same questions in different formats. Limited visibility across the risk landscape ensues.
  • Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, more points of failure, and more compliance gaps leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
  • Lack of agility. Reactive risk and compliance strategies managed in information silos handicaps the business. Bewildered by a maze of approaches, processes and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
  • Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide co-dependencies. This fragmented view creates gaps that cripple compliance management and a business ill-equipped for aligning compliance initiatives to business objectives.

Compliance Risk Management: Does Your Organization Walk its Talk?

Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with regulatory obligations. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance risk management boils down to defining – and maintaining – corporate integrity.

Most companies today at least try to address the legal requirements and compliance obligations bearing down on it. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance is evolving from scattered silos to a strategic enterprise pillar.

Today’s business entity must ensure compliance risk is understood and managed company-wide. That its obligations are more than written policies, but part of the fabric of operations. That a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure.

The Bottom Line: Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance risk, whether its activities are effective, and how they are enhancing shareholder value. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance risk from the top down. The breadth and depth of compliance risk bearing down on companies today requires a robust compliance program operating in the context of integrated enterprise risk management.

Check Out These GRC 20/20 Compliance Management Resources . . .

Complexities of IT GRC Hinders Organizations 

Organizations operate in a complex environment of risk, compliance requirements, and vulnerabilities that interweave through departments, functions, processes, technologies, roles, and relationships. What may seem as an insignificant IT risk in one area can have profound impact on other risks and cause compliance issues. Understanding and managing IT governance, risk management, and compliance (IT GRC) in today’s environment requires a new paradigm in managing these interconnections and relationships.

IT departments are scrambling to keep up with multiple initiatives that demand greater oversight of risk and compliance across the IT infrastructure, identities, processes, and information. Most organizations approach these issues reactively — putting out IT fires wherever the flames are hottest. It is time for IT to step back and think strategically; to figure out how to streamline resources and use technology efficiently, effectively, and agilely to manage and monitor IT GRC.  As these pressures mount, IT often fails to think strategically as it is too busy reacting to issues.  What gets attention is where the pain is the greatest. A reactive approach to IT risk is not only sustainable in an environment of growing pressures, but is also a recipe for disaster, and leads to:

Higher cost, from . . .

  • Wasted and/or inefficient use of resources. Silos of IT GRC lead to wasted resources. Instead of leveraging controls and resources to meet a range of risks and compliance requirements, controls are developed haphazardly to address specific pain with no thought for leverage across pains.  Organizations often try to relieve the symptoms instead of thinking how to address the root cause. IT ends up with different internal processes, systems, controls, and technologies ‘in play’ to meet individual risk and compliance needs.
  • Unnecessary complexity. Multiple IT risk and compliance approaches introduce complexity. With complexity comes an increase of inherent risk. Controls are impossible to streamline and manage consistently, introducing more opportunities for controls to fail or go unmonitored. Inconsistent controls also produce inconsistent documentation, which further confuses IT, regulators, and the line of business.

Inability to align with the business, resulting in . . .

  • Lack of agility. Complexity drives inflexibility. IT GRC becomes so wrapped up in spinning individual risk and compliance plates that support of the business is degraded. IT staff along with the business is bewildered by a maze of varying methodologies and control requirements that are not designed with any consistency or logic.
  • Vulnerability and exposure. A reactive approach leads to more exposure and vulnerability. Complexity means departments are focused on their own silo of risk, and no one sees the big picture. No one looks at IT GRC holistically or contextually, with regard for what is good for the business in the long run. Varying and independent efforts around IT GRC lead to difficulty demonstrating control with a result in confusing audits and assessments.

Not only does a reactive approach to IT GRC lead to greater vulnerability and exposure, it also means higher costs for the business. Addressing IT GRC across a series of disconnected projects and assessments leads to inefficiency in IT management and operations, wasted spending on redundant approaches, and a greater burden to the business.

The bottom line: When organizations approach IT GRC in scattered silos of documents and disconnected solutions and processes there is no possibility to be intelligent about IT GRC decisions that impact the broader organizations and its operations. Organizations need an integrated IT GRC architecture that delivers 360º contextual intelligence on IT security, risk, and compliance.

Check out GRD 20/20’s additional IT GRC resources . . .

Workshop: IT GRC by Design Workshop in San Diego, November 1st

  • Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture or risk and impact on performance and strategy. This workshop provides a blueprint for attendees on effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Research Briefing: How to Purchase IT GRC Management Solutions & Platforms

  • This is GRC 20/20’s on-demand Research Briefing that advises organizations on what to consider in evaluating and selecting IT GRC management solutions and technologies. It reviews critical capabilities needed in IT GRC management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Inquiry: Ask GRC 20/20 Your Questions on IT GRC Management

  • The challenge is: how do you find the right IT GRV management solution for your organization? This is where GRC 20/20 comes in. If you are looking for policy management solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website.

RFP Template & Support: IT GRC Management RFP Requirements Template

  • GRC 20/20 can be engaged on policy management RFP projects to rapidly enable organizations to develop RFPs based on our IT GRC RFP criteria library. Simply email [email protected] and we can scope your needs for a RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

Research Briefing: How to Purchase Business Continuity Management Solutions & Platforms

  • This is GRC 20/20’s live Research Briefing that advises organizations on what to consider in evaluating and selecting business continuity management solutions and technologies. It reviews critical capabilities needed in business continuity management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Policy Management Demands Attention

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there is no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Policies matter. However, when you look at the typical organization you would think policies are irrelevant and a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files and dispersed on a number of fileshares, websites, local hard drives, and mobile devices.  The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient policy programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policy that does not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, and eighth-grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy.  As policies establish a legal duty of care, organizations face misaligned policies, exposure, liability, and other rogue policies that were never authorized.
  • Out of date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations to policy. The organization has no information about where policy is breaking down, and how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.

Inevitable Failure of Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

If policies do not conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The bottom line: The haphazard department and document centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and define and approach policy management with a strategy and architecture to manage the ecosystem of policies programs throughout the organization with real-time information about policy conformance and how it impacts the organization.

Check out GRD 20/20’s additional policy management resources . . .

Workshop: Policy Management by Design Workshop in Dallas, October 11th

  • This is a complimentary full day interactive workshop to help organizations define a policy management strategy, write a policy on writing policies (meta-policy), define a policy management lifecycle, understand the role of technology in policy management, and build a business case for policy management. This workshop is only open to individuals managing policies in their internal environment and is not open to solution providers or consultants.

Research Briefing: How to Purchase Policy Management Solutions & Platforms

  • This is GRC 20/20’s on-demand Research Briefing that advises organizations on what to consider in evaluating and selecting policy management solutions and technologies. It reviews critical capabilities needed in policy management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Inquiry: Ask GRC 20/20 Your Questions on Policy Management

  • The challenge is: how do you find the right policy management solution for your organization? This is where GRC 20/20 comes in. If you are looking for policy management solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website.

RFP Template & Support: Policy Management RFP Requirements Template

  • GRC 20/20 can be engaged on policy management RFP projects to rapidly enable organizations to develop RFPs based on our policy management RFP criteria library. Simply email [email protected] and we can scope your needs for a RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

Written Research on Policy Management

Information Security in Context: The CISO as a Transformational Role in Risk Management

Information Security at the Center of Risk Chaos

Inevitable Failure: Managing Information Risk in a Silo

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance professionals (GRC) throughout the business.

The dynamic, distributed, and disrupted nature of business is particularly challenging to information risk management. It is like the hydra in mythology: the organization combats risk only to find more risk springing up to threaten it. As an organization expands operations and business relationships (e.g., vendors, outsourcers, service providers, consultants, and staffing) it’s risk profile grows exponentially because of the interconnected multifaceted risk environment. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world.

Managing information security and other risk activities in disconnected silos leads the organization to inevitable failure. Information risk has a compounding and exponential impact on the business. Business operates in a world of chaos. Risk exposure is an intricate web of risk and vulnerability interrelationship that interweaves through departments, functions, processes, technologies, roles, and relationships. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wing creates tiny changes in atmosphere that ultimately impacts the development and path of a hurricane. What may seem as an insignificant IT or information risk in one area of the organization can have profound impact on other risks.  Information security is at the center of the organizations most significant risk and compliance issues and has become a critical and interrelated business challenge that transcends just the IT department.

When the organization approaches information risk as a silo disconnected from other enterprise risk areas that do not collaborate with each other there is no possibility to be intelligent about risk decisions that could impact business strategy and operations. Siloed initiatives never see the big picture and fail to put information security in the context of organization strategy, objectives, and performance; resulting in complexity, redundancy, and failure. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization. A nonintegrated approach to risk management with information risk as a foundation impacts business performance and how it is managed and executed, resulting in:

  • Redundant and inefficient processes. Organizations take a Band-Aid approach and manage risk in disconnected silos instead of seeing the big picture of risk, and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility. The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build independent risk systems: projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach with siloed initiatives results in an organization that never sees the big picture. It ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk assessments asking the same questions in different formats. The result is poor visibility across the organization and its environment.
  • Overwhelming complexity. Varying risk frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently: introducing more points of failure, gaps, and unacceptable risk. Inconsistent risk management not only confuses the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A disconnected risk management strategy handicaps the organization as it manages systems and processes encumbered with hundreds or thousands of disconnected documents and spreadsheets. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies and siloed processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of varying approaches, processes, and disconnected data organized without any sense of consistency or logic.
  • Greater exposure and vulnerability. The result, the organization does not see risk holistically. The focus is on what is immediately before each department and not getting a handle on the complex relationship and interdependencies of information risk intersecting with other risks. This creates gaps that cripple risk management, and an organization that is ill-equipped for aligning risk management to the business.

Risk Management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows.  Various systems and processes interrelate in apparent and not so apparent interactions that can surprise the organization and catch it off guard. When risk is understood and compartmented in silos the organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any individual silo understood.

Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture or risk and impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. Decentralized, disconnected, and distributed processes of the past catch the organization off guard to information risk and expose the organization. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) be a foundational and integrated approach to risk management across the organization.

The Bottom Line: Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. Given the pervasive use of information and technology across the organization, it is a natural path for information security to step up to lead enterprise risk management strategies. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, and data) and externally (e.g., threat, competitive, legal, and geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to manage effectively manage risk across the enterprise.

GRC 20/20 Related Resources on this topic are . . .

The GRC Economy

I am often asked, “What do you do?” My simple answer, that I do not like, is to say that I am a consultant. This does not always help as the next question is “What type of consultant?”, or “What do I consult on?” I end up having to explain that what I actually am is an analyst and not a consultant. Then it goes into, “What does an analyst do?”

I have found a more interesting answer to this question. I am an economist for the market for governance, risk management, and compliance (GRC) solutions and services. My job is to research and understand what pressures and challenges organizations in different industries and geographies are facing and what processes, approaches, and solutions help them meet these challenges. Particularly I forecast the needs and requirements of organizations, identify which solutions have stronger capabilities over others, and help organizations navigate the world of hyperbole to find solutions that provide real world value.

For organizations looking for solutions to meet their GRC related challenges, I offer complimentary inquiry in which organizations can ask me specific questions on their challenges and what I am seeing from other organizations in meeting those challenges.

In a nutshell, my job is research. That is why I do not like the title of consultant. Often I am being asked what consultants organizations should consider and engage to help them meet their needs. I research the challenges organizations face, identify best practices to address those challenges, and differentiate solutions and services in their capabilities to meet these needs.

The GRC economy (market) has had a very busy Summer. Usually I see a slowdown in activity in June, July, and August . . . but not this year. Consider that . . .

Then there are the several transactions in which private equity and venture firms have invested in GRC providers. I just finished another project with a private equity firm doing market sizing, segmentation, and due diligence on a potential target investment. This is happening on a frequent basis.

Now that we move into Fall, I am in my busiest time I have ever seen in September and October. Lots of activity and interactions are happening. Interest in this space at its highest in the 16 years I have been an analyst covering this market.

My work at GRC 20/20 is defined as follows . . .

20/20 vision is perfect clarity in sight: clarity to see and process surrounding context and achieve situational awareness — to observe the world around you, be aware of risks, and react accordingly.

Clarity of Governance, Risk Management & Compliance

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions.

GRC 20/20 advises the entire ecosystem of GRC solution purchasers within organizations, professional service firms, and solution providers. We serve the needs of organizations that seek clarity, guidance and advice in dealing with a dizzying array of disruptive issues, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment. Whether focused on a specific risk, regulation, department, or enterprise GRC strategy, organizations seek clarity through GRC 20/20. This clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000 companies, major professional service firms, and an array of GRC solution providers who require our research and advise to apply strategies and technology to meet the GRC challenges they face.

GRC 20/20 is a:

  • Buyer advocate. We assist those purchasing GRC solutions to help them navigate hyperbole to select solutions that are practical and deliver on requirements.
    • Simply, we help buyers select the right solution(s) for their needs and get the most out of their investment.
  • Solution strategist. We guide GRC solution providers in understanding the demand and needs of buyers and improve product, marketing, competitive, sales, partner, content, and growth strategies.
    • Simply, we make good GRC solutions into great GRC solutions.
  • Market evangelist. We educate and evangelize GRC strategies that deliver value and results through advocacy of technology, content, and services in making GRC processes efficient, effective and agile.
    • Simply, we define the future of GRC and understand where it is headed.

IT GRC Management by Design, New York

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world.

Risk Management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business grows. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture or risk and impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. Decentralized, disconnected, and distributed processes of the past catch the organization off guard to information risk and expose the organization. The interconnectedness of information and technology underpinning all aspects of an organizations operations requires that the Chief Information Security Officer (CISO) be a foundational and integrated approach to risk management across the organization.

Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, data) and externally (e.g., threat, competitive, legal, geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to manage effectively manage risk across the enterprise.

This workshop provides a blueprint for attendees on effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

September 13th in New York, NY USA

[button link=”http://grc2020.com/event/it-grc-management-by-design-workshop-chicago/”]REGISTER[/button]

The Critical Foundation of Third Party Management is Technology

In previous posts we looked at the following:

  1. How to Develop a Third Party Management Strategy
  2. How to Define a Third Party Management Process Lifecycle

Now we turn our attention to the foundation of information and technology that supports and enables a third party management strategy and process . . .

Third party management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole.  The third party management information architecture supports the process architecture and overall third party management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support third party processes. The third party management information architecture involves the structural design, labeling, use, flow, processing, and reporting of third party management information to support third party management processes.

Successful third party management information architecture will be able to integrate information across third party management systems, ERP, procurement solutions, and third party databases. This requires a robust and adaptable information architecture that can model the complexity of third party information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages:

  • Master data records. This includes data on the third party such as address, contact information, and bank/financial information.
  • Third party compliance requirements. Listing of compliance/regulatory requirements that are part of third party relationships.
  • Third party risk and control libraries. Risks and controls to be mapped back to third parties.
  • Policies and procedures. The defined policies and procedures that are part of third party relationships.
  • Contracts. The contract and all related documentation for the formation of the relationship.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships as well as aggregate sets of relationships.
  • Third party databases. The information connections to third party databases used for screening and due diligence purposes such as sanction and watch lists, politically exposed person databases, as well as financial performance or legal proceedings.
  • Transactions. The data sets of transactions in the ERP environment that are payments, goods/services received, etc.
  • Forms. The design and layout of information needed for third party forms and approvals.

Third Party Management Technology Architecture

The third party management technology architecture operationalizes the information and process architecture to support the overall third party management strategy. The right technology architecture enables the organization to effectively manage third party performance and risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.

There can and should be be a central core technology platform for third party management that connects the fabric of the third party management processes, information, and other technologies together across the organization. Many organizations see third party management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships.
  • Point solutions. Implementation of a number of point solutions that are deployed and purpose built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its relationships.
  • ERP and procurement solutions. There is a range of solutions that are strong in the ERP and procurement space that has robust capabilities in contract lifecycle management, transactions, and spend analytics. However, these solutions are often weak in overall third party governance, risk management, and compliance.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have third party (e.g., vendor) risk management modules. However, these solutions often have a predominant focus on risk and compliance and do not always have the complete view of performance management of third parties. These solutions are often missing key requirements such as third party self-registration, third party portals, and established relationships with third party data and screening providers.
  • Third party management platforms. These are solutions that are built specifically for third party management and often have the broadest array of built-in (versus built-out) features to support the breadth of third party management processes. In this context they take a balanced view of third party governance and management that includes performance of third parties as well as risk and compliance needs. These solutions often integrate with ERP and procurement solutions to properly govern third party relationships throughout their lifecycle and can feed risk and compliance information into GRC platforms for enterprise risk and compliance reporting where needed.

The right third party technology architecture choice for an organization often involves integration of several components into a core third party management platform solution to facilitate the integration and correlation of third party information, analytics, and reporting. Organizations suffer when they take a myopic view of third party management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real-time business operates in.

Some of the core capabilities organizations should consider in a third party management platform are:

  • Internal integration. Third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization – procurement system, spend analytics, ERP, and GRC. So the ability to pull and push data through integration is critical.
  • External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third party databases. This involves the delivery of content from knowledge/content providers through the third party technology solution to rapidly assess changing regulations, risks, industry, and geopolitical events.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis.  Standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with third party relationships in context of performance, risk, and compliance. Contextual awareness requires that third party management have a central nervous system to capture signals found in processes, data, and transactions as well as changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third party relationships.

Third Party Networks – Streamlining Third Party Management

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual third party relationships (the tree) as well as the interconnectedness of third party relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional with cause, in the non-linear world of business third party management risks is exponential. Business is chaos theory realized. The small flutter of third party risk exposure can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business, the result is often exponential to unpredictable.

The challenge is that third parties are getting inundated with request for information, assessments, and more.  The chaos of these many-to-many communications is slowing down relationships in a time where they need to be more nimble and agile. Organizations are looking to subscribe to a network(s) that provide validated third party profile management and data sharing they can trust.  If further information is needed they can send that request to their third parties, but rely on what has already been submitted for the core of what they do. This reduces the time, cost, and complexity of managing and gathering third party profile information and streamlines third party management for all involved.

When looking at third party management solutions to support the third party management strategy and architecture, organizations should evaluate and keep in mind what the solutions they are evaluating are doing in context of third party networks.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management strategy, process, and information/technology architecture. Check out . . .

Other webinars, that build on How to Define a Third Party Management Process Lifecycle, include:

How to Define a Third Party Management Process Lifecycle

The third party management strategy and policy is supported and made operational through a third party management architecture. The organization requires complete situational and holistic awareness of third party relationships across operations, processes, transactions, and data to see the big picture of third party performance and risk in context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to third party management architecture. The architecture defines how organizational processes, information, and technology is structured to make third party management effective, efficient, and agile across the organization and its relationships.

There are three areas of the third party management architecture:

  • Third party management process architecture
  • Third party management information architecture
  • Third party management technology architecture

It is critical that these architectural areas be initially defined in this order. It is the business processes that often determine the types of information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that will define the organizations requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for third party management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for third party management instead of finding the technology that best fits their process and information needs.

Third Party Management Process Architecture

Third party management architecture starts with the process architecture. Third party management processes are a part and subset of overall business processes.  Processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships.

The third party management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes third party management processes, each process’s components and interactions, and how third party processes work together as well as with other enterprise processes.

While third party processes can be very detailed and vary by organization and industry, there are four general third party management process areas that organizations should have in place, these are:

  1. Third party identification & onboarding. This is the collection of processes aimed at automating a standard, objective approach for identifying third parties to work with and onboarding them through the collection of third party data and conducting appropriate due-diligence.
  2. Ongoing context monitoring. On an ongoing basis, and separate from monitoring of individual relationships, is the ongoing process to monitor external risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify opportunities as well as risks and regulatory requirements that are evolving that impact the overall third party management program. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
    • Purpose & identification. This is the process to identify new third parties or existing third parties to contract with for new business purposes. Third party identification will detail the purpose of the relationship and include initial definition of performance, risk, and compliance requirements and concerns in the relationship so the proper relationship can be identified.
    • Qualification & screening. Once a third party has been selected, the next step is the qualification and screening process to validate that the third party can meet the requirements of the relationship and does not introduce unwarranted risk and compliance exposure. The screening process will go through due diligence steps to ensure that the third party is the right fit for the organization. Relationships, particularly high risk ones, are to be evaluated against defined criteria to determine if the relationship should be established or avoided.
    • Contracting & negotiation. Upon passing initial qualification and screening, the next sets of processes are contracting and negotiation processes to come to terms and establish the relationship.
    • Registration & onboarding. When contracting and negotiation processes are complete the organization moves into registration and onboarding. The registration process may have already started in the qualification and screening phase to gather information, but concludes with setting up the third party in the system with master data records, financial and payment information, contact information, insurance, and licensing documentation. Further steps of the onboarding process will be communication of code of conduct and related policies, getting attestations to these, completing associated training requirements, and conducting initial audits and inspections (if more are needed and were not done in the qualification and screening stage).
  3. Third party communications & attestations. These are the set of ongoing processes to manage the communications and interactions with the third party throughout the relationship lifecycle. These are done on a periodic (e.g., annual) basis or when certain risk conditions are triggered.
    • Policy communications & reminders. The regular communication and reminders to third parties about code of conduct and related policies and procedures they need to follow.
    • Training. The regular training of third parties on matters of conduct, policies, and procedures.
    • Attestation. The regular attestation by third parties to their behavior and conformance to policies and contractual requirements.
    • Self-assessments. The regular surveys and assessments sent to third parties for them to evaluate themselves and send back to the organization.
    • Reporting. The regular reporting on third parties on aspects of the relationship and in that context of performance, risk, and compliance.
  4. Third party monitoring & assessment. This stage includes the array of processes to continuously monitor the third party relationship over their lifecycle in the organization. These activities are the ones typically done within the organization to monitor and assess the third party relationship on an ongoing basis.
    • Issue reporting & resolution. Even the most successful business relationships encounter issues. This is the process for capturing issues and their details that arise in third party relationships. Issue reporting processes may be internal and done by employees and management, by the third parties themselves, or through external sources such as customer complaints.
    • Performance monitoring. Performance monitoring processes are in place to monitor the health of the relationship, satisfaction of service level agreements, and value the relationship is providing.
    • Risk monitoring. Risk monitoring processes identify and evaluate potential risks relevant to each third party relationship throughout their lifecycle in the organization.
    • Compliance monitoring & ongoing due diligence. The processes in place to monitor relationships for ongoing conformance to compliance requirements. This includes ongoing due diligence and screening processes.
    • Audit & inspections. The processes in place to exercise right to audit clauses and do onsite inspections of third party premises and facilities.
  5. Forms & approvals. The set of internal processes to collect and report information and route things for approval in context of third party relationships.
    • New vendor/supplier request.
    • Gifts, hospitality & entertainment.
    • Political & charitable contributions.
    • Facilitated payments.
  6. Metrics & reporting.  Processes to gather metrics and report on third party relationships at the relationship level or in aggregate.
  7. Third party re-evaluation. The processes in place to evaluate, maintain, renew, and off-board relationships.
    • Relationship renewal. Managing the process of renewing contracts and relationships under existing, revised, or new terms.
    • Off-boarding & retirement. The off-boarding/retire relationships that are no longer needed.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan. Check out . . .

Other webinars, that build on How to Define a Third Party Management Process Lifecycle, include: