2014 GRC Technology Innovation Award: Corl Mitigates 3rd Party Risk Through Ongoing and Proactive 3rd Party Intelligence

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year’s award.

Corl Mitigates 3rd Party Risk Through Ongoing and Proactive 3rd Party Intelligence

Managing risk and compliance across 3rd party relationships has become a significant challenge to organizations. Surveys and questionnaires given to 3rd parties are necessary, but they also prove unreliable, and it is difficult to obtain high-quality responses containing accurate and fully completed information. The cost of follow-up and the inherent reliance on vendors to be responsive reduce effectiveness and increase the cost of due diligence. Many 3rd party risk and compliance approaches lack scalability as they are labor intensive and time consuming: the resource requirements of managing the “back and forth” and due diligence process typically result in less than 20% of vendors being properly vetted. Surveys and questionnaires can also be outdated, and audit-based assessments are point-in-time evaluations. After-the-fact changes in risk may not be documented and factored into 3rd party risk scores.

Third-party breaches and regulations are increasing drastically, but effective third-party security risk management is expensive, time consuming, and resource intensive. As a result, many organizations have programs that do not provide full coverage, or provide a false sense of security.  Corl’s vendorsecurityRM provides organizations with the information they need to effectively focus their vendor due diligence efforts on those vendors who present the most risk.  Data breaches can be costly due to the cost of remediation, regulatory fines, and reputation damage. Corl’s risk-based approach helps organizations focus their vendor security risk management efforts where they will have maximum impact and value.

Corl’s vendorsecurityRM solution is an innovative approach to supplement surveys, questionnaires, and due diligence processes.  It enables organizations to intelligently understand and reduce risk attributable to a 3rd party relationship with a particular focus on data breaches. The vendorsecurityRM solution provides a vendor score and supporting information to effectively address the question of “can my organization have confidence in this 3rd party’s ability to protect sensitive data from an unauthorized breach?” The solution overcomes the traditional barriers of transparency, 3rd party collaboration, and resource capacity to effectively deliver 3rd party vendor security risk management.

The vendorsecurityRM solution is comprised of three primary components that combine to make it innovative: 1) a comprehensive and sophisticated patent-pending algorithm to assess vendor security confidence, which was developed by a PhD-led team over two years in collaboration with organizations ranging from Fortune 500 to small size; 2) big data analytics of industry-specific vendor behavior, benchmarks and best practices that encompass people, process and technology, supported by dedicated research teams; and 3) community/industry collaboration through Corl’s collaboration platform.

The vendorsecurityRM solution changes the paradigm for managing vendor security risk. It demonstrates that traditional risk assessment methods may be effective at gathering data but only go so far at rating confidence, managing risk and holding vendors accountable.  The solution delivers reliable indicators of risk in a significantly more timely and efficient manner than traditional approaches. Most importantly, these indicators are actionable for effectively mitigating and continuously managing vendor risk. The solution also reduces regulatory compliance exposure for organizations that do not consistently follow through on vendor assessment and remediation processes.

Corl’s vendorsecurityRM supports a comprehensive vendor security program comprised of 4 steps:

  1. Profiling. Identify and document information security risks for existing and prospective vendors (e.g. RFP respondents).
  2. Due Diligence. Corl’s vendorsecurityRM reports are the basis for an effective due diligence process, allowing organizations to focus efforts on vendors that present the least confidence in protecting sensitive information such as PHI.
  3. Risk Strategy. Corl’s vendorsecurityRM program monitors and reports on required or recommended remediation to be completed by the vendor based on due diligence findings.
  4. On-going Monitoring. Corl’s vendorsecurityRM program continuously monitors vendors for changes that affect information security risk, and provides clients with automatic alerts when such changes are detected.

Corl’s vendorsecurityRM solution is a multi-tenant SaaS-based solution built on Microsoft technology and is currently in production with some large healthcare firms, both providers (hospitals) and payers (health insurers). Corl plans to roll out additional industry solutions in the future.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: Digital Reasoning Provides Intelligence on Communications, Relationships and Risks


Digital Reasoning Provides Intelligence on Communications, Relationships and Risks

Financial institutions are seeking a more complete picture of the people and organizations that pose risks or promise opportunities. In some cases, financial institutions have decided not to service entire industries, because they’re concerned that they don’t know enough about the entities and individuals within these markets. The game-changing innovations delivered in Synthesys 3.8 provide real-time situational awareness for decision makers within financial services organizations, because they can rapidly examine human communication and uncover relationships and risks that may have been intentionally concealed.

Synthesys reads and understands vast volumes of data at blazing-fast speeds. It reads through data and highlights important people, places, organizations, events and facts. It takes those highlighted points and determines what’s important, connecting the dots together. Synthesys is a machine-learning platform that understands human communication (emails, social media, chat, documents, etc.) on a massive scale and identifies and visualizes complex relationships. In its most recent release, version 3.8, Digital Reasoning has introduced innovations that allow financial services institutions to aggregate and visualize knowledge in real time. Specifically, it identifies and aggregates knowledge about people and organizations to make relevant predictions about future behavior of employees, customers or bad actors.

The platform is designed to identify relationships and risks that are being intentionally concealed. Without the use of keywords and/or fragile rule engines, Synthesys schematically analyzes data and determines what relationships and activities are risky. This approach significantly decreases risk and compliance based false positives while increasing the potential of identifying true positives (real risks), as Synthesys continually learns from business and data context, allowing Synthesys to stay one step ahead of evolving risks within the financial institution.

In addition to its core analytics, Synthesys provides real-time query capabilities, which allow organizations to explore a wealth of aggregated, categorized and prioritized knowledge on employees, customers and market information from news, social media and many other public sources of information. Using Digital Reasoning’s new web application, called Synthesys Glance™, analysts can interactively browse and analyze various profiles of people and organizations to discover valuable patterns and relationships.

Synthesys has a surprising understanding of human language. It understands time and place, learns the meaning of words based on how they’re used and can read and understand different languages. It determines how people, places and organizations are connected. It understands not just the words being said, but what they actually mean in context. It’s always on the lookout for information related to the answers. It can provide answers to questions an organization never thought to ask, or tip you off to relationships you never knew existed. It delivers data insights to your organization in an easy-to-digest format. Through app integration, data insights can be visualized for quick understanding and easy sharing. Alarms and alerts can also be set up to notify the organization when important findings turn up in data. Its knowledge graph gets smarter and grows with the organization. Synthesys teaches itself to draw conclusions based on what the organization has been looking for in its data.

For example, Synthesys can analyze suspicious activity reports (SARs), wire instructions and other unstructured descriptions and narratives. It reveals employees who have become ethically exposed, involved in bribery, unauthorized trading and fraudulent activities and other traffic for related behaviors and assertions. With the Digital Reasoning Synthesys platform, users can uncover relationships between employees that are on a restricted trading list, and examine their communications. This approach allows financial institutions to reveal intentionally concealed risks and relationships, before reputations are compromised or regulatory penalties are levied.


2014 GRC Technology Innovation Award: ERP Maestro Delivers Automated Security & Access Controls Through the Cloud


ERP Maestro Delivers Automated Controls Through the Cloud

Automated Segregation of Duty and Access Control solutions are known to be exorbitantly expensive and to take a considerable amount of consulting resources and time to implement. They require large software fees, hardware costs, consultant fees and complex training projects. While these hurdles are being overcome by large organizations, they remain a challenge today for organizations of all sizes, particularly small to medium-sized organizations.

ERP Maestro’s Access Analyzer™ solution provides Segregation of Duty and Sensitive Access Analytics and reporting over a completely cloud based architecture.  Their unique utilization overlay reporting graphically identifies risks and remediation paths. With a cloud based delivery mechanism of an Access Controls solution, not a hosted solution technology, customers receive cost benefits of a multi-tenant environment and the exclusivity and security of a dedicated server. The cost savings associated with on demand allocation of servers is passed on to the subscribing customer, allowing small to medium enterprises to afford an enterprise Access Control solution.

The solution is truly innovative as it pools a massive amount of cloud resources to provide on demand server allocation as a dedicated server when needed by the client, while dormant servers are deactivated or recycled to other customers. The solution is contained within a deployment that dynamically grows and shrinks based on its demand (number of organizations using the system).

Interestingly, this can also serve as a bridge for companies implementing SAP GRC10. Large companies want a stopgap solution for the complex implementation process that represents GRC10. Some companies are waiting for budget approvals and/or developing a business case. ERP Maestro’s solution price point allows it to serve as that stopgap solution to address SoD needs until the major SAP GRC solution is implemented.

The model is of particular interest to small and medium-sized organizations that can now afford the implementation of an enterprise Access Control solution because of ERP Maestro’s model. The entire process is no longer expensive, complex and drawn out, allowing funds to be focused on remediation efforts. The simplicity of their subscription-based service empowers companies that traditionally would not pursue an Access Controls solution to now proliferate the capability and manage the risk of Segregation of Duties more effectively.

End users have anywhere, anytime access to a web interface that allows them to connect to their ERP system (SAP is the only ERP currently supported by ERP Maestro). The data is securely analyzed using an on-demand, dedicated server located in a server farm, then the results are compiled into multiple reports for consumption. While cloud technology isn’t new, ERP Maestro’s ability to process analytics on hundreds/thousands of clients simultaneously based on its analytics engine is indeed new and innovative technology, which empowers them to offer a premium service at a low subscription fee.


2014 GRC Technology Innovation Award: Integrc’s RouteONE Delivers Significant Efficiencies in GRC Implementation


Integrc’s RouteONE Delivers Significant Efficiencies in GRC Implementation

The cost and time to implement enterprise GRC solutions has been a barrier to many organizations, particularly those integrated with an ERP environment such as SAP. This often means that SAP GRC projects feel like necessary overheads that are difficult, costly and drag on. Integrc is an innovative service provider that enables organizations to achieve the rich value of SAP GRC but in a way that is radically different. Their goal is to implement SAP GRC ten times faster. With Integrc’s innovative RouteONE, many elements of an SAP GRC deployment have been reduced from weeks to minutes.

RouteONE is inspired by Michael Hewitt-Gleeson’s x10 thinking, which has been the mantra of Google CEO, Larry Page. Most companies would be happy to improve a product by 10%. But as Page sees it, a 10% improvement means that you’re basically doing the same thing as everybody else. That’s why Page expects Google employees to create products and services that are 10 times better than the competition. It works on the basis that ten heads are better than one, so rather than having top management provide inspiration, you enable your employees to do it. It’s a concept also referred to as ‘Bottom-up innovation’. X10 is one hundred times 10% – and that radical objective changes the approach from modify to re-design from scratch.

RouteONE has become a revolutionary way to deploy SAP GRC solutions faster and cheaper. For organisations with a SAP-centric application strategy, this now brings an integrated technology solution within reach in a way that has not been affordable or manageable before. RouteONE unlocks GRC automation, enabling organisations to bring IT enablement to enhance their GRC business practices. RouteONE is centered around an innovative automated configuration engine combined with an accelerated methodology, a library of pre-built content and an award-winning end-user adoption framework – Engaging Risk (recognized last year in GRC 20/20’s 2013 GRC Innovation Awards). When used by experienced SAP GRC consultants, RouteONE typically halves the time and cost of implementing SAP GRC but delivers the tailored outcomes expected from a traditional approach.

The core of the RouteONE capability is the QuickBuilder engine, which automates the necessary configuration components of the SAP GRC products. It also automates the configuration of the SAP suite using business design workshops based on the customer’s own environment. The QuickBuilder is supplemented with the Quickloader tools, which enable the related master and transactional data to be managed via Excel spreadsheets. When compared to either a templated or traditional approach to deploying SAP GRC, RouteONE provides significant gains in efficiency, effectiveness, and agility. Customers no longer have to compromise any of their requirements or accept a long and potentially expensive project. RouteONE is transformational in that it delivers a solution specific to their unique needs, but goes beyond accelerators and basic knowledge transfer materials and enables the automation of key tasks throughout the implementation. This means organisations wanting an integrated system, tailored to their exact GRC needs, now have a much faster, more manageable and more affordable option.

RouteONE is game-changing because it unlocks the potential of integrated SAP GRC, which for many SAP customers was previously out of reach. Now they can dismantle many of their technology, cost and time-related barriers, roll-out SAP GRC far more quickly and cost-effectively than ever before and focus more effort on business change and end-user adoption. In short, it makes GRC automation more possible for many more organisations.

RouteONE has a continual emphasis on benefits realisation and on ensuring business users embrace the new system. Automation not only reduces human error, enables Integrc’s clients to go faster and saves them money – it also frees up time for more value-added activities, which is where Integrc’s change management framework, EngagingRISK, comes into play. RouteONE can also provide a draft build of the system within 24 hours of starting a project, giving customers the benefit of hindsight in advance. So all in all, not only can faster outcomes be achieved, these outcomes are often better as well.


2014 GRC Technology Innovation Award: Lexer Enables Organizations to Monitor and Manage Brand & Reputation in Moments of Crisis


Lexer Enables Organizations to Monitor and Manage Brand & Reputation in Moments of Crisis

Lexer’s innovation is a solution to integrate and visualize streams of data to manage reputation risk across social media content. Lexer does this by producing highly accurate geographic insights used as the conduit between the various data sources such as census, socio-economic, transactional, CRM, and customer support. This unified data set offers businesses a new perspective on reputation and brand risk since it offers a wealth of detail on data previously inaccessible.

In 2013, Lexer invested greatly in the enrichment process of the data it collects and, as previously outlined, the introduction of geographical enrichment as a highly accurate and reliable conduit between many external data sources. Using these new data sets, Lexer now has the ability to create complex personas based on behavioral, social and economic profiles – ensuring their data sets align with brand segments, key audiences and most importantly, stakeholders. Whether it’s in prediction, reaction or reflection, Lexer’s enriched data sources give businesses a new perspective on the way consumers react, engage and change in brand incidents. Moments of crisis regularly impact organizations. Digital media has accelerated the speed at which information about a crisis can spread, and during times of crisis, poor decisions are made due to inexperience, pressure and the lack of hard data. These poor decisions result in enhanced financial, reputational, health, safety and environmental risks.

Lexer uses integrated datasets to deliver routine reports on the details of incidents and the aftermath that includes influencer analysis, trend data and trajectories, topic and sentiment analysis – but most intriguingly, they are able to track the incident right to the root.

Lexer’s prime technical innovation is the ability to collect, process and unify unstructured data sources in real time. The technical focus for 2013 was to identify and develop into the core of the Lexer platform a common point of reference with which other data sources, such as CRM, transactional and socio-economic data, could integrate.

After extensive research and prototyping it was clear that geospatial detail was required to create a clear conduit between sources. As such, Lexer invested its efforts in being able to determine the location of social media users even when they didn’t share details such as longitude and latitude. Their enrichment process uses Machine Learning and Real-Time Data Processing infrastructure to analyze language, physical reference points and trends for each piece of data consumed by the Lexer platform. They are now able to obtain 3rd party data and integrate that geospatial data to map once abstract sources together, allowing more specific querying of data, clearer segmentation that’s relative to the organization’s segments, and insights that take in the whole picture. Their core ability is to help organizations understand the cost of making a wrong decision.


2014 GRC Technology Innovation Award: MetricStream Offers Capability to Actively Deliver GRC Content from Multiple Sources


MetricStream Offers Capability to Actively Deliver GRC Content from Multiple Sources

MetricStream’s GRCIntelligence.com is an innovative cloud-based content portal that enables GRC professionals to access and integrate the latest GRC content from a variety of knowledge providers and information sources through a single online content store – GRCIntelligence.com.  GRCIntelligence.com makes curated intelligence available to all users within the enterprise adding significant value and increasing the effectiveness of the GRC program within the organization. The portal is integrated with MetricStream GRC Platform, thus providing subscribers with content updates and notifications directly within the MetricStream GRC application.

GRCIntelligence includes:

  • Curated content store. The GRCIntelligence.com portal serves as a one-stop shop for curated intelligence sources from partners and domain experts across industries for all GRC needs.
  • Direct delivery model. Automatically delivers subscribed content from the GRCIntelligence.com content store into the subscriber’s MetricStream GRC application through the GRCIntelligence application.
  • Content recommendations engine. Content recommendations engine within the MetricStream application based on user activity and social profiles.

GRCIntelligence.com enables GRC practitioners across the enterprise to purchase contextually relevant GRC content via credit card or purchase orders and have the content delivered automatically into their MetricStream GRC application for immediate use. This paradigm shift enables organizations to source and integrate GRC content from multiple sources across risk, compliance and audit with their MetricStream GRC applications in real-time. It also allows content updates to be notified to end-users via RSS feeds, system alerts or email.

The GRCIntelligence.com portal currently offers content from more than 50 content partners and sources including Unified Compliance Framework (UCF), Risk Spotlight, Shared Assessments, Code of Federal Regulations (CFR), and Clear Market Practices, and is adding new content partners and sources to its portfolio. A subscriber can choose from a range of content sources including regulatory updates, risk and control libraries, policy updates, market intelligence, and news feeds to receive periodic updates. The portal allows users to identify relevant content by leveraging features such as capability to filter results by content type, industry, role, and function with an intuitive and user-friendly interface.

The content is delivered into the subscriber’s MetricStream GRC application through channels that are set up in the GRCIntelligence application layer within the client installation of MetricStream. Once the content is in, MetricStream users have the capability to review the content, identify internal action items, log issues, trigger workflows, and notify users. The incoming content is stored in the Big Data store within the MetricStream client application and it can be selectively pushed into the operational data store within MetricStream applications.


2014 GRC Technology Innovation Award: ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’


ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’

ngCompliance’s innovation is the ability to automate the analysis of regulatory changes against the organization’s policies and procedures. The solution is called Sherlock and it makes regulatory change management and mapping elementary and deductive. Sherlock has a rule-mapping module that allows the organization to create a mapping between applicable laws and regulations on one hand and the organization’s policies, processes and procedures on the other. This mapping can be used to demonstrate whether the organization operates in line with regulatory requirements, and it can disclose gaps. Whenever there is a regulatory change, it can be used to quickly identify the impact on business areas, policies and procedures and initiate a change management process to realign in a timely manner. Amazingly, the system does so cross-lingually, which allows organizations to map and analyze policies written in other languages, for example Chinese, against regulations written in English.

This automates what has historically been a manual process of cross-referencing policies to regulations within GRC solutions or within documents and spreadsheets to prove to regulators that all policies and procedures are in line with rules and regulations. ngCompliance’s innovation significantly reduces the manual work as initial mapping is generated by their Sherlock system. The mapping should be reviewed by subject matter experts, but it significantly reduces the work of building mappings manually.

Organizations that adopt this innovation no longer need to allocate this task to a big workforce. This allows for reduced cost and time spent in administrative activities of compliance, regulatory change, and policy maintenance. Once Sherlock creates a mapping, it allows the user to evaluate the mapping and confirm correctness or make adjustments. Any time there is a regulatory change, the system submits to the user an impact analysis on which policies or steps in procedures are impacted. Because the user sees both the policy text and the related legislation or regulation changes, the user can immediately give the appropriate advice on the required changes and start necessary change management workflows.

As the regulatory mapping functionality can also be used to verify norms against contracts, the system can also be used to identify the most high-risk contracts and pull those up. In combination with analytics analyzing the risk in third party relationships, it will alert on high-risk third parties that need review and facilitate mitigating controls on the relationship (e.g. change management on the contract).

The system reads the regulation and analyzes the text. Based on text-analytics, definitions based on financial and legal terms are extracted from the article and converted into a tree representation. The same is done on paragraphs of policies and steps of procedures. Because they are converted back to a definitions structure it takes into account synonyms and differences in languages. A mapping engine compares the definition trees and builds appropriate connections between legislation/regulation text and policy/procedure text. When employees look at policies they are able to also see the related regulations. The context that is built during analysis of texts is used to make sure the connections match the contexts, e.g. articles applicable to organizations with a banking license are only shown once the process is within the organization of a bank.

Sherlock keeps track of all history that can be used to look back in time and verify alignment of organizational procedures with applicable legislation and regulation. In this way it is easy to demonstrate the level of compliance of the organization at any given moment in the past. Sherlock comes with a unique feature that can create the initial mapping from rules to internal policies and procedures, regardless of the number of jurisdictions it has to take into account or the number of languages it has to deal with. This way Sherlock contributes to a significant decrease of the organization’s administrative burden.

The Sherlock solution allows for adding web locations that are used by regulators or other organizations that publish regulatory information, in addition to your normal regulatory feeds. The synchronization functionality ensures that the regulatory information stored in the database is always accurate without the need to maintain this manually. In addition, a historical trail on the regulatory developments is maintained. Any information that is found on the web and seems to be of relevance for Compliance can be included in the legal framework, either by means of the synchronization functionality or the quick-browse-and-add feature of Sherlock. When any regulatory change enters the legal framework in Sherlock, or when the legal framework detects a change from a regulator’s site it is monitoring, the solution will notify this to the user according to specified needs on the dashboard, in the task inbox, by email or compliance wiki. The solution can filter and sort on relevance, and can even distribute to different users based on jurisdiction, language, topic or expertise.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: True Office Engages Employees Through Interactive GRC Learning Experience

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

True Office Engages Employees Through Interactive GRC Learning Experiences

Driving true learning about compliance and risk management among the employees, consultants, and partners of major firms is the “last mile” of GRC. The missing link in organizational training is two-fold: 1) are people truly learning, and 2) how do you measure not only the learning, but the potential risk to the organization if complex policies are not understood? After considerable investment is made in managing risks and controls, it is important that an organization’s work force, the front line of the business, is able to learn the policy and its effect on the company’s business outcomes in order to ‘walk the walk’ on a daily basis.

True Office is demonstrating innovation in impactful, gamified training solutions applied to compliance & risk management, professional development and customer proficiency. True Office, because of its ability to bring dry policy to life, engage learners and measure their efficacy through rich, comprehensive analytics, is paving the way for a new era of Policy & Training Management.

True Office’s current focus enlarges their overall scope to bring greater satisfaction through “content transformation” of existing client content based on four interactive learning frameworks. A customer engagement may consist of training on topics such as Anti-corruption, Workplace Harassment and Data Privacy. However, clients also possess their own unique policies and processes which True Office is able to bring to life, through an impactful experience, in which employees that must execute these policies can truly learn.

The solution offers proof that improved efficacy is actually happening and highlights the “hot-spots” requiring additional learning and development.

The True Office solution has already seen a “real-world” application with characteristics of over 90,000 users, 12 languages, and multiple industries. Modules are designed to encompass 10-20 minutes across True Office’s 4 Interactive Learning Frameworks. Based on the learning framework and corresponding business outcome, the learner will be placed in different situations where “they” take an active role in the learning through dialogue, trend analysis, making decisions, or answering questions. As learners interact with the module, the underlying analytics indicate their level of understanding of the policy.

True Office is a cloud-based software solution, compatible with a client’s own Learning Management System (LMS) interfacing with the True Office Analytics server. Individual users are presented a web-based login either on their desktop/laptop computer or through HTML5 via an iOS device (e.g., mobile or tablet).

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent.

The Unified Compliance Framework has recently received a patent for its applied technology for the structure, process for interpretation, quality assurance, and most particularly the segmentation and mapping of regulations. The UCF has been around for several years; the innovation recognized is their recent patent, process, and schema for segmenting and mapping regulations that will take the UCF well beyond the focus of IT compliance they have been successful with in the past. The solution will be delivered to vendors and corporate customers by way of a RESTful API, XML tables, and interactive applications.

The Unified Compliance Framework has received the first ever patent for a compliance requirement segmentation and mapping framework. The patent was granted rapidly as the US Patent and Trademark Office stated that there has been nothing like it filed. This means that the UCF is the only GRC framework that has patented SNED values that can instruct GRC solutions as to which records are the Same, New, Edited, and Deprecated by using a single character to manage regulatory and requirement change.  This is supported by an end to end process that reaches from the Authority Document (AD) on one end, through the Authority Document’s Citations, to harmonized Common Controls, and out to Audit/Assessment Questions with supporting evidence. The UCF has a hierarchical structure wherein a parent and sort value can be assigned to any hierarchical record. This allows GRC solutions to plug into the UCF and automatically be able to display a list in original form, replicating legal or even “book” structures of original regulatory/requirement documents. GRC solutions utilizing UCF will be able to automatically discern how to handle audit questions and the necessary “skip logic” used when presenting hierarchical audits. Further, the schema allows for the breaking down of Citations and Common Controls into primary verb-noun pairs to “prove” the mapping of the Citation to the Common Control.

The business functionality is simple: any organization building out a GRC database or GRC solution can leverage the UCF’s patented structure to jump start their GRC strategy. There are already other firms such as Accenture that are now filing derivative work patents on top of the UCF’s patent.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

How are you addressing access control risks?

The fact is: business is dynamic, distributed, and complex.  The pace of change to risk, regulations, employees, partners, and technology requires organizations to approach governance, risk management, and compliance in a way that is efficient, effective, and agile to the needs of today’s dynamic business environment.  

Organizations do not operate in a static environment that slowly evolves.  Today’s organization is in a continuous state of change. Employees shift: new ones are hired, others change roles, still others leave or are terminated.   There are changing business partner relationships, including those with suppliers, vendors, contractors, outsourcers, service providers, and temporary workers, all of whom may have access to internal systems.  These business partners also have constantly changing employees that impact the organization.  On top of this, business processes and technology change at a rapid pace.

This means that organizations cannot rely on manual, ad hoc, and document-centric approaches to manage access to critical business systems.  The issues of segregation of duties, inherited rights, critical and super user access, compliance, risk management, and general change to roles are too much for today’s organization to manage adequately in spreadsheets and e-mail. Growing exposure to risk and increasing regulations compound this as they require greater oversight of access to critical systems with audit validations of access control.  

However, access control is not just about regulatory compliance; it is also about consistent operations.  The organization needs distributed responsibilities and processes that are reliable and behave consistently.  Strong access control delivers a structured system of access governance that enables processes to work as intended without anyone maliciously or inadvertently causing an issue.

Surprisingly, many organizations still use manual processes and documents to manage access and the associated risk to the organization.  This is primarily done with spreadsheets, word processing documents, and email.  Not only are these approaches inefficient and ineffective, slowing the business down, but they introduce greater exposure to risk and non-compliance, as it is nearly impossible to keep up with risk.  By automating the access management process and embedding risk analysis and mitigation into user and role maintenance, organizations take a proactive approach to avoiding risk while cutting down the cost and time required to maintain compliance.

Organizations need to establish a strategy and processes supported by technology to build and maintain an access control program that balances business agility with control and security in order to mitigate risk, reduce loss/exposure, and satisfy both auditors and regulators while enabling users to perform their jobs. 

In an ERP environment, the business challenge of managing access control is burdensome when done with manual and document-centric approaches.  The inefficient, ineffective, and non-agile organization runs a combination of ERP security and access reports, and then compiles access information into documents and spreadsheets that are sent out via e-mail as an improvised workflow tool for review and analysis.  At the end of the day, significant time is spent running reports, compiling information, and integrating that information into documents and spreadsheets to send out via e-mail for review.  This manual and document-centric process ends up costing organizations significantly more in wasted resources, errors in manual reporting, and audit time drilling into the process than an automated solution costs. Worse, organizations often miss things, as there is no structure of accountability and workflow, and audit trails do not exist. This approach is not scalable and becomes unmanageable over time.  It leads to a false sense of security due to reliance on inaccurate and misleading results from errors produced by manual processes.

The situation:  manual approaches to managing access in the ERP environment are time-consuming, prone to mistakes and errors, and leave the business exposed.  

This challenge grows when you consider the complex interrelationship of different ERP instances and access to those across the business environment.   To reconcile access across different systems and see the big picture of access risk becomes complicated as the ERP environment grows.  Organizations struggle to manage access risk within one instance of ERP; managing access across multiple ERP systems causes an exponential growth in time and resources when done by a manual and document-centric approach.  In a heterogeneous environment, these challenges only become more complicated.

There are a variety of solutions on the market to manage access control in ERP environments. GRC 20/20 is focused on researching, evaluating, and differentiating the solutions in this segment of the GRC market to assist organizations with their decisions to acquire the right solution to deliver value across efficiency, effectiveness, and agility.  

Organizations looking for automated control, segregation of duty, user access, and broader GRC solutions can engage GRC 20/20 through our complimentary inquiry process to get their questions answered on the solutions in this space.  Send an email to [email protected] with a focused question of what you are looking at and we will respond with our view of solutions that address your need.