Understanding the Variety of GRC Intelligence & Content Solutions

There are lots of GRC solutions available in the market, most of which do not even call themselves GRC as they are laser-focused on specific GRC areas. In fact, I have mapped 843 GRC technology solution providers into and across 17 primary segments of the GRC market (and many sub-segments).

Competition in RFPs, RFIs, and general sales situations can be tough. When it gets down to it, what makes or breaks a sale in an organization often depends on what content you provide in your solution. GRC content and intelligence have become a critical differentiator in GRC opportunities across the board. I have seen enterprise GRC, IT GRC, EH&S, policy management, risk management, and audit management opportunities that were won or lost based on what content was provided and included in the solution.

Content and intelligence integration has become one of the determining factors in selecting GRC related technologies. I am amazed at the number of GRC technology solutions that do not pay much attention to this.

One recent organization I interacted with thought they had a technology winner in the RFP only to find out that the content they thought was there was dated and not kept current. Despite promised feeds for updates, they simply were behind and the content was not current.

Another RFP that is just going out makes it mandatory that the GRC solution (focused on compliance and EH&S) include a very detailed range of regulatory compliance content that is provided and kept current as part of the solution (or integrated with it).

GRC 20/20 has just finished the 2016 update and mapping of GRC content and intelligence solutions. There are 139 GRC content and intelligence providers that combined have over 425 distinct GRC related content and intelligence offerings. GRC solution providers can spend days trying to identify and map potential content partners (it takes me weeks every year keeping data current in this market area).

Or you can attend Monday’s Research Briefing, 2016 Market Overview of GRC Content & Intelligence Providers, which will segment, detail, and list providers of GRC Content & Intelligence solutions that supplement GRC related technologies across the following categories (this is essential for solution providers looking to expand GRC intelligence and content relationships in their technology solutions; do not miss it):

  • Audit Template & Workpaper Libraries
  • Benchmarking Solutions
  • Control Libraries
  • Compliance Forms & Templates
  • Due Diligence & Financial Monitoring
  • EH&S Libraries
  • Geo-Political Risk Monitoring
  • Industry Risk & Regulatory Reporting
  • Legal Cases & Analysis
  • Loss & Incident Databases
  • Negative News Monitoring
  • Policy Libraries
  • Regulatory Intelligence (actionable insight on reg change, not just a library)
  • Regulatory Libraries
  • Reputation & Brand Monitoring
  • Risk Libraries (including KRI, risk registers)
  • Risk Forms & Templates
  • Sanction / Watch Lists (including PEP lists)
  • Third Party Forms & Templates
  • Third Party Monitoring
  • Third Party Shared Assessments
  • Threat & Vulnerability Monitoring
  • Training Libraries

GRC 20/20 Research Briefings are highly educational.

On demand Research Briefings in this series include:

How to Develop a Third Party Management Strategy

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

The bottom line: A haphazard department and document centric approach for third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to wipe the slate clean and approach third party management by design with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.

Third Party Management by Design

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent. (Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.)

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy of their interrelationships as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts on the entire ecosystem. This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs holistic visibility and situational awareness into third party relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of third party data require that the organization implement a third party management strategy.

Different Approaches Organizations Take in Managing Third Parties

The primary directive of a mature third party management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

GRC 20/20 has identified three approaches organizations take to manage third party relationships:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed third party initiatives never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how third party management processes can be designed to meet a range of needs. An ad hoc approach to third party management results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about third party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on third party performance and strategy leading to greater exposure than any silo understood by itself.
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of having one department be in charge of third party management that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing third party relationships with the lowest common denominator and watering down third party management. Further, there is no one-stop shop for everything third party management as there are a variety of pieces to third party management that need to work together.
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative third party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in third party management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

In the end, third party management is more than compliance, more than risk, and more than procurement. Using the definition of GRC – governance, risk management and compliance – third party management is a “capability to reliably achieve objectives [governance], while addressing uncertainty [risk], and act with integrity [compliance]” across the organization’s third party relationships.

Third Party Management Strategic Plan

Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy. The strategic plan is the foundation that enables third party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

The core elements of the third party strategic plan include:

  • Third party management governance team. The first piece of the strategic plan is building the cross-organization third party governance team (e.g., committee, group). This team needs to work with third party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in third party management and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party management charter. With the initial collaboration and interaction of the third party management team in place, the next step in the strategic plan is to formalize this with a third party management charter. The charter defines the key elements of the third party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of third party management, the members of the third party governance team, and define the overall goals, objectives, resources, and expectations of enterprise third party management. The key goal of the charter is to establish alignment of third party management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third party management.
  • Third party management policy. The next critical item to establish in the third party management strategic plan is the writing and approval of the third party management policy (and supporting policies and procedures). This sets the initial third party governance structure in place by defining categories of third parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all third party relationships be maintained with appropriate categorizations, approvals, and identification of risks.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan. Check out . . .

Related upcoming webinars, that build on How to Develop a Third Party Management Strategy, include:

Enabling 360° Insight & Control of Third Party Relationships

The Extended Enterprise Demands Attention

The Modern Organization is an Interconnected Mess of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.[1]

Substitute ‘man’ with ‘organization’ and seventeenth-century English poet John Donne could be describing the post-modern twenty-first century organization: “No organization is an island unto itself, every organization is a piece of the broader whole.”

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations now struggle to adequately govern third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and management. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

  • The challenge: Can you attest to the governance, risk management, and compliance across the organization’s third party business relationships?
  • Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of the third party relationship. Silos leave the organization blind to the intricate relationships of risk and compliance that do not get aggregated and evaluated in context of the value of relationships and the organization’s goals, objectives, and performance.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others still require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship (or others) the result can be significant. The organization lacks an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and the organization breeds an anarchy approach to third party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails, it is easy for things to get overlooked and buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated, as there is no robust record of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different solutions and processes to on-board and manage third parties, monitor third party risk and compliance, and manage relationships, the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a periodic or continual basis.
  • Inadequate processes to monitor changing dynamics. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Often, metrics through service level agreements (SLAs) and established key performance indicators (KPIs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework.

The bottom line: A haphazard and Wild West approach to third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations often need to wipe the slate clean and approach third party management by design with an integrated process, information, and technology architecture that manages the ecosystem of third party relationships with real-time information about performance, risk, and compliance and their effect on the organization’s ability to reliably achieve its objectives.

Consider registering for one of these upcoming webinars on Third Party Management that GRC 20/20 is speaking on:

If you are looking for Third Party Management solutions to more effectively manage third party risk and compliance (e.g., vendor, supplier), check out the following Research Briefing (available on demand):

[1] English Poet John Donne’s Devotions Upon Emergent Conditions (1624) found in the section Meditation XVII.

Providing 360° Contextual Awareness of Risk

Monitoring and Managing Risk Effectively

A Challenge for Boards, Executives, and Risk Management Professionals

Organizations take risks all the time but fail to monitor and manage risk effectively. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business.

Organizations Need to Understand the Interrelationship of Risk and Its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. For some organizations, risk management is only an expanded view of routine financial controls, is nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this misperception, organizations remain keenly interested in how to improve risk management.

Risk is pervasive throughout organizations; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at project and department levels, and build as organizations develop operational and enterprise risk management strategies.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.

It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third party, strategic, insurance, and hazard risks. Enterprise and operational risk management become a challenge when the risk management strategy forces everyone to conform to one flat view of risk, creating significant issues in risk normalization and aggregation as risk is rolled up into enterprise risk reporting.

Selecting the Correct Risk Technology Is Crucial to Success

In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for. This is done particularly when they have enterprise or operational risk management strategies to provide an integrated view of risk across the organization. Indeed, for many industries risk management is so fundamental to the success of their business model that it is indoctrinated throughout their core policies and operating procedures.

Organizations have adopted a wide range of technologies for risk management. Some are broad enterprise or operational risk platforms. Some solutions can be very narrow and limiting, such that different departments lose capabilities they need, while other solutions can be very broad and adaptable. There are a variety of very focused risk solutions that excel at specific areas of risk management. These include:

  • Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply in a very specific risk area, such as commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
  • Solutions focused on department/function risk management needs. These are solutions aimed at managing risks within a common department/functional area, providing a common platform that specializes in risk within that area, such as information security, health & safety, corporate compliance, audit, finance, treasury, and more.
  • Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
  • Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
  • Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
  • Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management really are only doing operational or department risk management.
  • Tools for risk management. Then there is a range of solutions that assist in risk management but do not fit in one of the other areas. They are tools for surveys/questionnaires/assessments, or they assist in modeling risk, such as Monte Carlo tools or Bayesian modeling.

Providing 360° Contextual Awareness of Risk

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on an information architecture that can show the relationship between objectives, risks, controls, loss, and events.

In light of this, organizations must evaluate:

  • Does the organization understand the risk exposure to each individual process/project and how it interrelates with other risks and aggregates in an enterprise perspective of risk?
  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
  • Does the organization monitor key risk indicators across critical projects and processes?
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:

  • The external perspective: Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
  • The internal perspective: Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their own view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common information and technology architecture to support overall risk management activities from the project level up through an enterprise view. Whether for a project or department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Organizations need to clearly understand the breadth and depth of their risk management technology requirements and select the solution that is agile and flexible enough to meet the range of the organization’s risk management needs today and into tomorrow.

Watch on demand GRC 20/20’s guidance on the Risk Management technology market and what makes a basic, common, and advanced risk management solution or platform . . .

Enabling an Integrated Compliance Lifecycle

Inevitability of Failure

Ineffective Processes to Manage Regulatory Change and Compliance

Regulatory change is overwhelming organizations across industries. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year, making change the single greatest challenge for organizations in the context of compliance. Each vortex of change is hard to monitor and manage individually, let alone to gain an understanding of how they impact each other.

Keeping current with regulatory change and keeping the organization’s policies and procedures up to date and linked to compliance requirements is not easy. Regulators across industries and jurisdictions are requiring that compliance is not just operationally effective, but is well documented. However, organizations often do not have adequate processes or resources in place to monitor regulatory change and maintain compliance. Organizations struggle to be proactive and intelligent about regulatory developments, failing to prioritize and revise impacted policies as needed. Instead, most organizations end up firefighting trying to keep the flames of regulatory change controlled.

Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to processes and resources:

  • Frequency of change and number of information sources overwhelms. The frequency of updates from the regulators themselves is challenging, and then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory content that require time-intensive analysis in order to properly understand the potential impact on the business and determine the actions required to comply.
  • Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions were taken as a result, or if the task was transferred to someone else. This environment produces a lack of visibility into the status of compliance obligations—there is uncertainty regarding ownership of initial review and an inability to sufficiently track what actions were taken as a result, let alone obtain reliable information on which items are “closed.” Compliance documentation is scattered in documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail. The manual and document-centric approach to regulatory change lacks defensible audit trails, which regulators require. This leads to gaps in accountability and a lack of integrity in compliance records regarding who reviewed which change and what action was taken as a result. The lack of an audit trail can be conducive to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks an overall information architecture and thus is inadequate to effectively report on the number of changes, ownership of the review process, the status of business impact analysis, and courses of action. An inability to make sense of data collected in manual processes and thousands of documents exposes the organization to significant risks.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage regulatory change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources, and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change management without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent in organizations and coming from all directions. When information is trapped in scattered documents and emails, the organization lacks a full perspective of regulatory change and business intelligence. As a result, the organization struggles with inefficiency and cannot adequately prioritize the most important and relevant issues in order to make informed decisions.
  • No accountability and structure. Ultimately, there is insufficient accountability for regulatory change management, and the process fails to be agile, effective, and efficient in its use of resources. The regulatory change process must install strict accountability for subject matter expert review and analysis, compliance obligation task ownership and the ongoing monitoring of outstanding tasks to ensure that compliance deadlines are met.

The bottom line: Processes for managing regulatory change often consist of a myriad of subject matter experts who monitor regulatory change on an ad hoc basis and rely on email to communicate compliance tasks to stakeholders. Manual processes and a lack of accountability result in an inability to adequately monitor regulatory changes and predict the readiness of the organization to meet new requirements. Compliance professionals spend significant time and resources researching the mandates they must follow, and struggle to keep up with new requirements and identify how changing regulations impact existing policies. A haphazard, siloed, and document-centric approach to managing regulatory change results in missed requirements, wasted time, and accelerated costs. It is time for organizations to step back and implement a structured process and technology for compliance management.

Enabling 360° Insight & Control of Third Party Relationships

The Extended Enterprise Demands Attention

Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organisation is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Two decades ago the term insider was synonymous with employee, now over half of the insiders in many organisations are not employees; they are contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more.

The extended enterprise of third party relationships brings on a range of risks that the organisation has to be concerned about. Managing third party risk has risen to be a significant regulatory, contractual, and board level governance mandate. Organisations need to be fully aware of the risks in third party relationships and manage this risk throughout the lifecycle of the relationship, from on-boarding to off-boarding of a third party.

Third party risks that are of primary concern to organisations include:

  • Bribery, Corruption, & Fraud
  • Conflict Minerals
  • Corporate Social Responsibility
  • Environmental, Health & Safety
  • Information Security
  • International Labour Standards (e.g., child labour, forced labour)
  • Physical Security
  • Privacy
  • Slavery & Human Rights

These risks pose significant reputational, financial, and operational concerns. They also pose a growing burden of regulatory concern and oversight (e.g., UK Modern Slavery Act, UK Anti-Bribery Act).

As organisations confront the growing exposure in third party risks they soon realise that the scattered redundant ad hoc approaches of the past are not sustainable. Third party risk can no longer be managed by different departments doing similar things in different ways, often with a mountain of emails, documents, and spreadsheets that are out of date and cost a significant amount of employee time to keep on top of. Managing third party risk requires a structured and integrated process that is supported by an information and technology architecture that can address the range of third party risks consistently without things slipping through the cracks.

An effective third party risk management process enables . . .

The rest of this post can be found as a guest blog on the SureCloud Blog . . .

READ MORE: https://www.surecloud.com/blog/enabling-360-degree-insight-control-third-party-relationships

Legal at the Center of GRC Leadership and Strategy

Legal Challenges in a New Era

Today’s global business environment presents a broad spectrum of economic, political, social, legal and regulatory changes, which continually increase strategic and tactical complexity, and create commensurate pressures on business performance and exponential growth of often conflicting and overlapping legal and business requirements alongside global operations. The enterprise must reliably achieve business objectives while addressing uncertainty and act with integrity – all the while remaining within mandatory legal requirements. It must also manage and maintain legal risk within the limits that the organization has established.

Legal risks include:

  • Regulatory risk: The risk associated with myriad laws, rules and regulations. It includes common regulatory risks associated with labor laws, information privacy and anticorruption, as well as risks specific to industries such as banking, pharmaceuticals, energy and utilities and health care.
  • Entity management and corporate filings risk: The risk associated with keeping the entity in good standing with governing agencies, and filing information with regulators and government agencies.
  • Litigation risk: The risk associated with ongoing, imminent and potential litigation.
  • Contract risk: The risk involved in vetting contracts and monitoring compliance with contract requirements and provisions.
  • Transaction risk: The risk associated with mergers and acquisitions, including the legal risks of the acquired organization.
  • Intellectual property (IP) risk: The risk involved with copyrights, trademarks and patent infringements, as well as leakage and/or loss of confidential corporate information.

Most organizations try to address and effectively manage legal risks, IP protection, contracts, business requirements and compliance obligations. But both internal and external stakeholder forces and events have caused the organization to increase legal risk monitoring and reporting, particularly with regard to changing laws and regulations.

The Role of the Legal Department in GRC

In many organizations, the significance of the legal department is growing. Today, the department guides the enterprise beyond putting out fires in legal matters. It is being tasked to take on a proactive role in legal risk management and preventive law, while functioning as a critical pillar in an organization’s risk management strategy. This requires that legal be

The rest of this post can be found as a guest blog on the Wolters Kluwer ELM Solutions Blog . . .

READ MORE: http://www.wkelmsolutions.com/blog/michael-rasmussen/legal-center-grc-leadership-and-strategy?mkt_tok=eyJpIjoiWlRaaE9EZGtORGhoWVdSbSIsInQiOiJqYlpRd1V0dnd2aXB3dXVuR3BFT0R2bSthdGZrSHRBeDF2Q3FPU2NYaGI3Yk9WQlRrNVlic2VTeE5Xc016aHNJVGpISitGWUlTSWpoQm4zeUV1UG0xaEFib0xBM3I2Q1h0SG4xNTNzOU5nWT0ifQ%3D%3D

Managing Change is the Greatest GRC Challenge

Change is the single greatest challenge for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and intricate web of change and how it impacts the organization is driving organizations toward improving their approach to GRC in the context of the organization's enterprise architecture.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions that is constant, dynamic, and disruptive. Consider the scope of change organizations have to keep in sync:

  • External risk environments. External risks such as market, geo-political, societal, competitive, industry, and technological forces are constantly shifting in nature, impact, frequency, scope, and velocity.
  • Internal business environments. Within, the organization has to stay on top of changing business environments that introduce a range of operational risks such as employees, 3rd party relationships, mergers & acquisitions, processes, strategy, and technology.
  • Regulatory environments. Regulatory environments governing organizations are a constant shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rule making and more has organizations struggling to stay afloat.

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone to understand how they impact each other and the organization. Change in risks bears down on the organization, regulator oversight and requirements increase, and all of this has a direct impact on the organization's internal processes, people, and technology. As internal processes, systems, and employees change, this impacts compliance and risk posture. Change is an intricate machine of chaotic gears and movements that makes every aspect of GRC challenging in organizations. Keeping current with change and keeping the organization aligned is the most significant challenge in a GRC strategy.

Broken Process and Insufficient Resources to Manage Change

Change is overwhelming organizations across industries. Organizations are past the point of treading water as they actively drown in organizational, risk, and regulatory change. GRC alignment and reporting is a moving target as organizations are bombarded with thousands of changes. The amount of change coming at organizations is staggering.

The typical organization does not have adequate processes or resources in place to monitor change that impacts GRC. Organizations struggle to be intelligent about risk and regulatory developments, fail to prioritize and revise policies, and fail to take actionable steps to be proactive. Instead, most organizations end up firefighting, trying to keep the flames of change controlled. This handicaps an organization that operates in an environment under siege by an ever-changing external and internal landscape. Organizations that GRC 20/20 has interviewed in the context of GRC change management reference the following challenges to process and resources:

  • Insufficient headcount and subject matter expertise. Change related to GRC areas has tripled in the past five years. The effort to identify all of the applicable regulatory, risk, and organization changes is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in change.
  • Frequency of change and number of information sources overwhelms. The frequency of GRC information sources and updates is challenging to sort through and find what is relevant and significant to the organization. Organizations often subscribe to and utilize multiple sources of GRC intelligence that take time to go through and process to identify what is relevant.
  • Limited workflow and task management. Organizations rely on manual processes dependent on documents, spreadsheets and emails that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions need to be taken, or if the task was transferred to someone else. This environment produces a lack of visibility to ongoing GRC management—the organization has no idea of who is reviewing what and suffers with an inability to track what actions were taken, let alone which items are “closed.” GRC documentation is scattered in documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail. The manual and document-centric approach to GRC change lacks the defensible audit/accountability trails that regulators and external auditors require. This leads to issues with regulators and auditors, who find that there is no accountability or integrity in GRC records regarding who reviewed which change and what action was decided upon. The lack of an audit trail is prone to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc GRC change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks overall information architecture and thus has no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
  • Wasted resources and spending. Silos of ad hoc GRC change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective and unmanageable processes and resources, unable to respond to change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources, and creates excessive and unnecessary burdens across the organization.
  • Misaligned organization and GRC agility. GRC change without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent in organizations and coming from all directions. When information is trapped in scattered documents and emails, the organization is crippled. It lacks a full perspective of change and business intelligence. The organization is spinning so many GRC plates it struggles with inefficiency. The organization cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
  • No accountability and structure. Ultimately, this means there is no accountability for GRC change that is strategically coordinated and the process fails to be agile, effective, and efficient in use of resources. Accountability is critical in a change process — organizations need to know who the subject-matter experts (SMEs) are, what has changed, who change is assigned to, what the priorities are, what the risks are, what needs to been done, whether it is overdue, and the results of the change analysis.

Providing 360° Context for GRC and the Organization

Mature GRC requires an understanding of the business – its strategy, organizational structure, processes, risks, obligations, commitments, and objectives. The goal of GRC is to enable the organization to govern itself and manage risk and compliance in the context of the business.

Achieving GRC maturity requires a GRC architecture that leverages an understanding of the organization and how it operates. GRC architecture is a process by which the organization gains a structured understanding of its business, capabilities, processes, and business context, and uses that understanding as a foundation to ensure that GRC processes are executable, repeatable, cost effective, and in line with risk appetite. In doing so, the organization has the means to assess the efficiency of its programs and align them with the organization's strategy. The mature GRC program will define and understand GRC as a process to translate business vision and strategy into effective enterprise-wide GRC oversight and alignment.

GRC 20/20 Resources to Assist In GRC Design & Maturity

The following research resources are available to assist organizations in GRC design and architecture choices:

Inevitability of Failure: Flawed Use of Spreadsheets in GRC

Spreadsheets, and their associated documents and emails, are the most prevalent GRC tool used by organizations. Their use comes at a significant cost if not controlled, monitored, and used properly.

In my research, organizations utilize spreadsheets for a variety of purposes. They are used to:

  • Conduct risk, compliance, and control surveys, questionnaires, and assessments
  • Inventory policies and manage related tasks
  • Conduct investigations and remediate issues
  • Document and assess controls
  • Model and assess risk and finance
  • Report on finance or GRC
  • Manage the financial close process

I am simply scratching the surface; the use of spreadsheets is pervasive in GRC and business processes. In GRC strategies I am continuously told that the primary reason the organization is looking to improve GRC related areas is to get away from the negative impact the use of spreadsheets has on GRC.

One organization for which I wrote the GRC RFP told me that 80% of their risk, compliance, control, audit, and security FTE resource time was spent doing nothing more than reconciling spreadsheets. They were swamped trying to reconcile and report on thousands of spreadsheets, and at the end of the day found the reports filled with errors from manual reconciliation. They wanted to flip this so that 80% of their staff time was spent managing and improving GRC and only 20% on reconciliation and reporting.

Organizations are facing increased regulatory and audit pressure to ensure that they have adequate controls over end-user computing, particularly spreadsheets. This is very apparent when spreadsheets are used as part of accounting processes. The Public Company Accounting Oversight Board (PCAOB) has requested that auditors increase their focus on 'System Generated Data and Reports', driving the application of so-called 'enhanced audits' of Sarbanes-Oxley (SOX) control processes. This scrutiny is leading to new SOX failings for companies that previously had no such failings. In particular, these enhanced audits are exposing the role of spreadsheets in the context of Internal Control over Financial Reporting (ICFR) and the fact that such spreadsheet controls are often open to manual manipulation.

One mid-sized bank that GRC 20/20 has interviewed stated that one of their regulators told them that the use of spreadsheets for compliance, risk, and control assessments was inadequate, as the spreadsheets did not provide the right audit trails and integrity regarding what was assessed, who assessed it, and control over any modifications to the assessment. Anyone could come back and paint a different picture, cover up a trail, and get themselves or the organization out of trouble. The regulator demanded that the organization have a full audit trail of assessment activity.

Or consider JP Morgan's London Whale incident with its associated $6 billion loss. A significant contributing factor was a spreadsheet error in the models used. Consider this excerpt from page 124 of the report:

During the review process, additional operational issues became apparent. For example, the model operated through a series of Excel spreadsheets, which had to be completed manually, by a process of copying and pasting data from one spreadsheet to another… in a January 23, 2012 e-mail to the modeler, the trader to whom the modeler reported wrote that he should “keep the pressure on our friends in Model Validation and [Quantitative Research].” There is some evidence the Model Review Group accelerated its review as a result of this pressure, and in so doing it may have been more willing to overlook the operational flaws apparent during the approval process.

As a result, regulators have been cracking down on how organizations govern models and manage model risk.

Spreadsheets, left uncontrolled, make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate principles of GRC. They are very useful tools. I use them every day in my business, but for managing GRC information they, left to themselves, do not measure up.

The reasons spreadsheets fail for GRC are as follows:

  • No audit trail. By themselves, without additional tools/solutions and significant configuration, spreadsheets do not have inherent audit trails. You cannot go back and state with a specific level of certainty that those answers were gathered from that specific individual on this date and time and represent their actual, unaltered, authenticated answer to that survey, assessment, analysis, policy attestation, or audit.
  • Easy to manipulate. It is a simple task for anybody to go back and manipulate responses to paint a rosier picture and get himself or herself, someone else, or the organization out of hot water. Someone can easily cover their trail when there is no audit trail and no authentication that tracks what was changed, who made the change, and when, and keeps a record of all changes.
  • Slipping through the cracks. There is no structure of required workflow and task management. Things quickly become impossible to manage in spreadsheets and emails asking for assessments to be done, audit findings to be responded to, policy attestations to be made . . . and no one gets it done. It ends up in the trash, the junk folder, or filed away, and is never responded to until someone is screaming.
  • No consistency. It is hard to make assessments, surveys, attestations, policies, and other GRC related information consistent. If a new assessment is needed, we just open up a spreadsheet and create a new assessment from scratch, failing to realize that another assessment is already asking the same people half of the same questions. Further, different spreadsheets are formatted in different ways and each requires its own learning curve.
  • Compilation nightmares. Have you ever been asked to compile reports involving hundreds or even thousands of spreadsheets? If you are a GRC professional, the odds are you have. My research and interviews with organizations find that it often takes 80+ man-hours to compile GRC (risk/compliance/audit) reports from mountains of spreadsheets. A significant amount of time is needed to integrate and compile information. Myself, I would not be interested for very long in a job where 80% of my time is spent cutting, pasting, and manipulating data for reports. My interest is in analysis and managing risk and compliance, not in cut and paste – that is what I did in kindergarten.
  • Compilation errors. At the end of the day, all this work compiling and integrating hundreds to thousands of spreadsheets is an inevitable failure. Odds are there is something wrong. That much manual reporting is bound to have serious errors. Not malicious, but inadvertent. It happens all the time.

This is why spreadsheets by themselves fail in GRC. There are ways to fix this: solutions that provide and enforce consistency and audit trails within spreadsheets. Organizations need a stronger GRC architecture that brings efficiency (both human and financial capital efficiency), effectiveness (accurate and auditable reporting), and agility (timely and relevant information when it is needed) to GRC. Spreadsheets left uncontrolled work against this, not for it.
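What "no audit trail" and "easy to manipulate" mean in practice, as an added Python example that is not part of the original post: a CSV export of assessment answers can be rewritten with nothing in the file recording the change, whereas an append-only record in which each entry carries a keyed hash over its content and the previous entry's hash flags any in-place edit. The keyed hash chain is a generic technique assumed here, not any specific product; the sample rows, the key and all function names are constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import json

# Constructed sample data: assessment answers as they might sit in a spreadsheet.
SAMPLE_CSV = (
    "control_id,assessor,answer,date\n"
    "AC-1,alice,Non-compliant,2016-03-01\n"
    "AC-2,bob,Compliant,2016-03-01\n"
    "AC-3,carol,Partially compliant,2016-03-02\n"
)
FIELDS = ["control_id", "assessor", "answer", "date"]


def load_responses(text):
    """Parse the CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def edit_spreadsheet_silently(text, control_id, new_answer):
    """Overwrite one answer in the CSV. The file keeps no record of who changed
    what or when: the result looks exactly like a file that always said this."""
    rows = load_responses(text)
    for row in rows:
        if row["control_id"] == control_id:
            row["answer"] = new_answer
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


GENESIS = "0" * 64  # "previous hash" of the first entry


class AuditTrail:
    """Append-only record of assessment answers. Each entry carries an HMAC over
    its own content plus the previous entry's hash, so editing or reordering an
    earlier entry breaks the chain from that point on. Assumption: the key is
    held by the GRC system, not by the assessors who fill in the answers."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _digest(self, prev_hash, payload):
        msg = prev_hash.encode() + json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def record(self, control_id, assessor, answer, date):
        """Append an entry; a corrected answer is a new entry, never an edit."""
        payload = {"seq": len(self.entries), "control_id": control_id,
                   "assessor": assessor, "answer": answer, "date": date}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(payload, prev=prev, hash=self._digest(prev, payload))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain. Returns (True, None) if intact, otherwise
        (False, seq) for the first entry whose content or link does not match.
        Caveat: silently dropping the *last* entries is not caught unless the
        latest hash is also stored somewhere the editor cannot reach."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            payload = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            expected = self._digest(prev, payload)
            if (payload.get("seq") != i or entry["prev"] != prev
                    or not hmac.compare_digest(entry["hash"], expected)):
                return False, i
            prev = entry["hash"]
        return True, None

    def current_answers(self):
        """Latest answer per control; earlier answers remain in the history."""
        latest = {}
        for entry in self.entries:
            latest[entry["control_id"]] = entry["answer"]
        return latest


def build_sample_trail(key=b"constructed-demo-key"):
    """Load the constructed sample rows into a fresh audit trail."""
    trail = AuditTrail(key)
    for row in load_responses(SAMPLE_CSV):
        trail.record(row["control_id"], row["assessor"], row["answer"], row["date"])
    return trail


def tamper_and_verify(trail, seq, new_answer):
    """Edit an existing entry in place (what a spreadsheet allows) and report
    whether the trail notices."""
    trail.entries[seq]["answer"] = new_answer
    return trail.verify()


if __name__ == "__main__":
    print(edit_spreadsheet_silently(SAMPLE_CSV, "AC-1", "Compliant"))  # no trace
    trail = build_sample_trail()
    print("fresh trail:", trail.verify())                              # (True, None)
    print("after in-place edit:", tamper_and_verify(trail, 0, "Compliant"))  # (False, 0)
    trail = build_sample_trail()
    trail.record("AC-1", "alice", "Compliant", "2016-03-05")  # the right way to change
    print("superseded:", trail.verify(), trail.current_answers()["AC-1"])
```

The chain only answers "was this record altered after it was written"; who is allowed to append, and where the latest hash is anchored so that truncation is also visible, are decisions the surrounding GRC system still has to make.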

What are your thoughts and experiences with spreadsheets in GRC processes and reporting?

If you are dealing with spreadsheets in the context of internal controls over financial reporting (ICFR), SOX, and PCAOB pressures on end-user computing controls, please take the GRC 20/20 research survey and find out how your concerns and approach compare with your peers . . .

Take Survey: http://www.surveygizmo.com/s3/2448771/Spreadsheet-Controls

Making Sense of GRC Related Technology & Solutions

Every organization does GRC (governance, risk management, and compliance), but it does not mean that every organization does GRC well. Complicating this is a maze of GRC technologies. Some are built to solve very specific problems, others focus on department/function wide management of GRC related activities, some are enterprise platforms for a specific purpose (e.g., enterprise policy management, third party management, risk management). And some are Enterprise GRC platforms to try to bring everything together in a single architecture. But then many fail, often watering down GRC to the lowest common denominator and frustrating those in the trenches of business and the back-office of GRC. As a result, many organizations have begun approaching GRC architecture and allowing for a core system to be the hub that integrates with best of breed GRC solutions where they make sense.

Adding to this is the maze of over 800 GRC technology solutions in the market across 17 primary segments of GRC domains with many sub-segments in each. The primary segments are:

  • Enterprise GRC Platforms. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture (see How to Purchase Enterprise GRC Platforms).
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics (see How to Purchase Audit Management Solutions & Platforms).
  • Automated Control Enforcement & Monitoring. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and to implement these plans for expected and unexpected disruptions to all areas of operation.
  • Compliance Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report (see How to Purchase Compliance Management Solutions & Platforms).
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
  • IT GRC Management. Capability to govern IT in the context of business objectives and manage IT process, technology, and information risk and compliance (see How to Purchase IT GRC Management Solutions & Platforms).
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures, and related awareness activities (see How to Purchase Policy Management Solutions & Platforms).
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Risk Management. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects (see How to Purchase Risk Management Solutions & Platforms).
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring (see How to Purchase 3rd Party Management Solutions & Platforms).

Despite this breadth of GRC related solutions in the market, many organizations are still encumbered by a labyrinth of manual processes built on documents, spreadsheets, and emails for many of these areas. Disconnected silos of manual GRC processes are not sustainable and lead to exposure, failure, and loss. Unfortunately, organizations are quick to react to this and often find themselves neck deep in a GRC platform rollout before thinking through their overall strategy, process, information, and technology needs.

The problem with how many organizations approach GRC (remember, everyone does GRC whether they use the acronym or not) is that it has not been designed properly, particularly when it has been designed around the capabilities of a specific platform. Too often organizations let a GRC platform define their GRC strategy instead of letting their GRC strategy shape their GRC platform and architecture. Organizations end up with significant risk gaps in their operating models despite significant investment in ‘leading’ GRC platforms that are scattered and disconnected across the business. The result is a poor return on investment in GRC related projects that fail to deliver the value and opportunity that GRC transparency should create.

GRC projects fail when:

  • There is no GRC strategy or understanding of the underlying processes.
  • A GRC solution/platform is allowed to define the organization’s GRC strategy, processes, and information.
  • The GRC platform under-delivers against the range of needs and processes.
  • An inflexible solution is used to meet the needs of departments, forcing everyone to manage GRC to the lowest common denominator.
  • The needs of one department with budget overshadow the needs of other departments.
  • The GRC platform implementation goes over budget and misses deadlines while draining resources.
  • The GRC platform requires extensive and costly build-out to achieve capabilities the organization thought were native to the product.
  • The GRC platform does not integrate well with other systems.

Organizations that have gone down the wrong path with a GRC technology strategy may be ready to throw in the towel and call it quits. The truth is that an organization can never abandon GRC, as it is something every organization does. It may be done poorly, it may be done well, but every organization does GRC whether they call it GRC or something else. While a technology strategy and GRC platform may be scrapped and the organization may retreat to old manual processes, that does not change the fact that the organization has a duty and responsibility for GRC.

A couple of key upcoming events can assist organizations with their GRC strategy and the role of technology in that strategy:

  • Findings from the OCEG GRC Technology Strategy Survey. OCEG engages GRC 20/20 to design this survey, analyze the findings, and build the written report. The webcast for this survey is on January 21st.
  • State of the GRC Market Research Briefing. This is GRC 20/20’s flagship Research Briefing that is 2 hours in length and goes into the details of drivers and trends in GRC, market segmentation and forecasting, RFP scopes and trends, and buyer inquiries and what organizations are looking for. This is on February 1st.
  • Enterprise GRC by Design Workshop. This workshop aims to provide a blueprint for attendees on effective enterprise GRC strategies in a dynamic business, regulatory, and risk environment. Attendees will learn enterprise GRC strategies and techniques that can be applied across the organization. The next one is in Rhode Island, CT, USA on February 18th.

Spreadsheets in Financial Control Processes

GRC 20/20 is also working on a specific research project focusing on the regulatory scrutiny (e.g., SOX) of spreadsheets in financial control processes. Organizations face increased pressure to ensure that they have adequate controls over end user computing, particularly spreadsheets. This is very apparent when spreadsheets are used as part of accounting processes. The Public Company Accounting Oversight Board (PCAOB) has asked auditors to increase their focus on ‘System Generated Data and Reports’, driving the application of so-called ‘enhanced audits’ of Sarbanes-Oxley (SOX) control processes. This scrutiny is leading to new SOX failings for companies that previously had none. In particular, these enhanced audits are exposing the role of spreadsheets in the context of Internal Control over Financial Reporting (ICFR) and the fact that spreadsheet-based controls are often open to manual manipulation.

This survey is intended to gauge organizations’ awareness of, and concern about, spreadsheet controls in the context of ICFR, audits, and PCAOB scrutiny.

Take the survey: http://www.surveygizmo.com/s3/2448771/Spreadsheet-Controls