Inevitable Failure: Disconnected Risk & Policy Management

Business is complex.  Gone are the years of simplicity in business operations.  Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management and compliance (GRC) professionals throughout the business.

The modern organization is:

  • Distributed.  The smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner and client relationships. Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations.  An interconnected mesh of relationships and interactions that span traditional business boundaries now defines the organization.  Complexity grows as these interconnected relationships, processes and systems nest themselves in intricacy, such as deep supply chains.
  • Dynamic.  Organizations are in a constant state of flux.  Distributed business operations and relationships are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology and processes while keeping current with changes to risk and regulatory environments around the world. Multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit and operational risks across the globe.  Regulatory change has more than doubled in some industries in the past five years and has grown for all industries.  Managing risk, regulatory and business change on numerous fronts has buried many organizations.
  • Disrupted.  The explosion of data in organizations has brought on the era of “Big Data” and with that we now have “Big GRC Data.”  Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes and relationships to see the big picture of performance, risk and compliance. The velocity, variety, and volume of data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Many organizations are hindered when aspects of GRC are managed in disconnected silos that do not share information and collaborate.  Mature GRC programs are those that have an information architecture that can show the relationship between objectives, risks, obligations, policies, controls and events.  The problem is that organizations lack a solid information architecture to map information and therefore struggle to build knowledge out of remote data points. 

A backbone of GRC is risk management.  Organization objectives, performance and strategy are the primary alignment of GRC, but in the bowels of GRC processes it is risk management that provides the critical linchpin that connects GRC processes and activities together.  To effectively manage risk requires that the organization have a thorough context of risk relationships to other aspects of GRC such as policies, controls and events. However, the dynamic and global nature of business is challenging for risk management. As organizations expand operations and business relationships their risk profile grows exponentially. Organizations need systems and information to monitor risk to business internally (e.g., strategy, processes and internal controls) and externally (e.g., legal, regulatory, competitive, economic, political and geographic environments) to stay competitive. What may seem an insignificant risk in one area can have profound impact on others. This requires that the organization be thoroughly risk intelligent — the ability to think holistically about risk and uncertainty, speak a common risk language and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities and creating lasting value. 

Isolated Risk and Policy Initiatives Introduce Greater Risk

Managing risk in today’s dynamic and distributed business environment is not an easy task. Risk management does not happen in a vacuum — it requires context and follow through. The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined and communicated.  

The official definition of GRC is:

The reliable achievement of objectives is governance, understanding and addressing uncertainty is risk management, and acting with integrity is compliance.  All three of these provide a natural flow.  Governance provides strategy and objectives that deliver the context for risk management.  Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries (policies & controls) and expectations so the organization can reliably achieve those objectives.  Compliance then ensures that the organization stays within the boundaries (policies & controls) set by risk management as it aims to reliably achieve objectives. 

The Bottom Line: Risk management activities managed separately from corporate policies leads to inevitable failure. Without an integrated approach to risk management and policy management the organization has no follow-through. Risk management is useless if it cannot be tied to boundaries for acceptable and unacceptable risk that are defined and communicated in policies throughout the organization. 

A nonintegrated approach to risk and policy management impacts business by not being efficient, effective or agile, resulting in:

  • Inefficient alignment. Organizations take a Band-Aid approach and manage risk disconnected from policies instead of thinking of their relationship and dependence upon each other.  Every policy in the environment is a risk document — there would not be a policy if there was not a risk. When policy management is disconnected from risk management the organization ends up with policies that are not clearly aligned and are managed out of context of the risk they address. 
  • Poor visibility across the enterprise. Separate risk management and policy initiatives result in an organization that does not see the big picture – it fails to measure policy in the course of business conduct and how it impacts risk exposure and management. The organization ends up with islands of policies that are not understood in the framework of risk.
  • Overwhelming complexity. Non-integrated risk management and policy management processes increases complexity. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently by introducing more points of failure, gaps and unacceptable risk. Inconsistent risk management and policy processes not only confuse the organization but also regulators, stakeholders and business partners. 
  • Lack of business agility. The organization is constantly changing and  therefore its risk profile is changing.  The inability to have a view into the relationship of risk to current policy handicaps the business. The organization is incapable of agility in a demanding, dynamic and distributed business environment. People are bewildered by a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic. 
  • Greater exposure to non-compliance and vulnerability. When policy is not written and enforced in the context of risk management, the focus is on what is immediately needed to get the
    job done.  This leads to processes and individuals, who step out of line, take more risk than the organization wants, or violates policy. Most often organization’s policies are out of date to the current risk profile, non-existent or unenforced in accordance to risk.

What may seem like an insignificant risk from one perspective may very well have a different appearance when other perspectives are factored in. Organizations with siloed risk management and policy processes face inefficiency, out-of-sync controls and out of date or insufficient policies that are inadequate to manage risk. Organizations fail and are encumbered by complexity because they manage policy within specific issues, without regard for a common integrated risk and policy framework. 

More on this topic can be found in the following items from GRC 20/20 . . .

 

The GRC Pundit Discusses ERP Maestro's 2014 Innovation Award

GRC 20/20 Discusses the reasons behind ERP Maestro’s 2014 Innovation Award from ERP Maestro® on Vimeo.

GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet

All organizations do GRC (governance, risk management, and compliance).  It does not matter if the organization uses the acronym or not, every organization has some approach to the elements of governance, risk management and compliance whether it is non-integrated and siloed across scattered areas of the organization or a federated GRC strategy that links GRC activities into a strategy, process, information, or technology architecture.  GRC by definition (OCEG) is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

GRC maturity is highly dependent on technology.  To be clear, you cannot buy GRC — GRC is something you do, not purchase.  You can buy GRC technology that assist in managing GRC related processes, analytics, reporting, and more.  Every organization uses technology for GRC; pens and paper are a form of technology, so is email, spreadsheets, and documents.  The correct selection and use of GRC technology is one aspect in maturing the organization’s approach to GRC.  In fact, GRC maturity cannot be achieved without improving your information and technology architecture for GRC.  However, I cringe when organizations tell me they just bought GRC and now need to figure out what to do.  Strategy and process comes before technology.

The coverage of GRC technology by other analysts is frustrating.  For full disclosure, I am a research analyst.  I research and monitor GRC best practices, benchmark organizations, and define/model the market for GRC solutions, content, and services.  I review solution provider offerings, assist organizations in selection and write/manage RFPs.  While an independent research analyst for the past seven years, I previously spent seven years at Forrester Research where I was the first analyst to define and model the market for GRC solutions and services and label it GRC (February 2002).  I wrote the first two Forrester GRC Waves comparing solutions. Since leaving Forrester I have spent the last seven years bewildered by the way my analyst competitors cover the market for GRC technology.  I respect that in some cases they are handicapped by internal research boundaries of other analysts.  However, the coverage of the GRC market by other analysts firms is confusing and damaging.  

Before I critique my competitors, let me state my position. GRC, approached correctly, involves a strategy, process, information, and technology architecture.  The GRC market is comprised of a wide range of solution categories.  Some of these are represented in a GRC platform that tries to accomplish several areas of GRC in one neat little package.  Caution though, the idea of a single ‘GRC Platform’ to meet all your needs has challenges. There is no one-stop show for GRC. There can be a core backbone for GRC, but GRC often requires integration of a range information and technology.  Some of today’s complex governance, risk, and regulatory reporting requirements are only done through significant integration and analytics of data across the business. Organizations are best served to approach GRC as an architecture and throw away this idea of a single platform that promises to do everything.  I still reference GRC platforms as there can be a backbone that brings things together. Organizations are best served through a federated architecture that allows for best of breed GRC solutions where they make sense and does not force the organization into the lowest common denominator through one platform that tries to be all things to all needs.  I will be discussing my representation of the GRC market in next week’s 2014-Q2 State of the GRC Market Research Briefing.

Now that you understand my position, let’s review how GRC 20/20’s competitors approach the GRC market from the perspectives of Gartner, Forrester, Chartis, and Market to Markets:

Gartner

Gartner is the largest market research firm covering a wide range of technology and services.  Their GRC research I have ranted on in the past:

In these posts I have critiqued Gartner’s GRC Magic Quadrant stating it is not transparent and does not represent the real world of GRC buying as 80% is focused on specific areas of GRC and less than 20% on enterprise GRC platforms. Gartner has responded to my critiques and changed course (though they would never confess).  In a blog entry, French Caldwell announced their new approach: A Revolution in GRC Affairs at Gartner (or burning the EGRC mq).  To me it reads that French is saying ‘GRC is dead, long live GRC.’  In this post Gartner recognizes what I have been preaching form may analyst pulpit for seven years that the GRC market is a broad market with solutions that do different things. 

Gartner has responded by breaking up the Magic Quadrant and analyzing solutions on use cases.  This analysis is just starting and covers the aspects of: 

  • Use case 1: IT Risk Management (ITRM). 
  • Use case 2: Operational risk management (ORM). 
  • Use case 3: Audit management. 
  • Use case 4: Vendor risk management (VRM). 
  • Use case 5: Business continuity management (BCM). 
  • Use case 6: Corporate Compliance and Oversight. 

Further Gartner has scoped a wide range of other GRC market research:

  • Market Guide for Audit Management 
  • Magic Quadrant for Operational Risk Management 
  • Magic Quadrant for Security & IT Risk 
  • Magic Quadrant for Business Continuity Planning 
  • Magic Quadrant for Vendor Risk Management 
  • Market Guide for Corporate Compliance and Oversight 
  • Critical Capabilities of GRC Vendors 

Gartner is to be commended for this shift in research and is my most formidable competitor. I do appreciate the interactions I have with French despite our online debates.  We make a great nemesis team — protagonist and antagonist — Batman and The Joker, Superman and Lex Luthor (I will let you decide who is who).

Despite this tremendous change in strategy I am here to say it has some issues in the definition of the use cases.  Basically, some of the use cases do not accurately represent the breadth of market requirements.  I have looked them over carefully.  As an independent analyst I get engaged to assist solution providers in how to approach and manage their relationships with the major analyst firms.  I am asked to play the role of French Caldwell and review their responses and watch their demos to improve how they present their solutiosn to analysts.  It is quite fun.  The past few weeks, several solution providers have reached out to seek my assistance in strategizing responses to Gartner’s new GRC use cases.  My concerns are as follows:

  • Use case 1: IT Risk Management (ITRM). This use case I find interesting: its criteria covers the basics, but I am surprised on the limitation of the compliance mapping.  It makes no reference to ISO 27000, NIST, or other popular standards and only references US-based regulations (note: PCI is not a regulation, but a contractual requirement).  I take particular issue in Gartner Analys
    t Paul Proctor’s blog Gartner Resets Approach to GRC. What Paul states is counter to Gartner having a use case in this area, he says, “The delineation of IT-GRC vs EGRC is almost meaningless because all of the IT-GRC vendors claim to do everything the EGRC vendors do and vice versa.” My point of view: IT-GRC solutions have an expanded data architecture to cover information and IT assets (e.g., logical, physical, relational, process), vulnerability and threat information, and hooks into the security architecture (e.g., vulnerability scanners, configuration management, security event/information management).  There is a difference between IT-GRC and EGRC.  Yes, some EGRC solution providers make a lot of claims and can tell Gartner all day long they do IT-GRC, it is Gartner’s job (and mine) to hold them to account on this and not just cave in.  Some vendors state they can do anything, and with a significant amount of money and services they can do some interesting things, it will just cost you money and time.  It is the job of analysts to analyze solutions and tell the world who actually has the features, who has the track record of success, who simply has capabilities that can be built out at a cost, and who lacks it all together. In my view it is easier for an IT-GRC solution to be an EGRC solution than an EGRC solution to become an IT-GRC solution.  Gartner – you appear to be speaking out both sides of your mouth stating that delineation is almost meaningless and putting the time and effort into a use case in this area. 
  • Use case 2: Operational risk management (ORM). This use case has many of the high-level core criteria I would expect.  I would like to see more on risk identification and collaboration. It could be more thorough in the variety of risk models solutions can do.  There are over a dozen different risk analysis/assessment techniques that I review in my Risk Management Workshop. The international standard ISO 31010 (which provides supporting guidance to ISO 31000) has thirty different approaches.  I often get asked which solutions support which of these risk assessment and analysis techniques when other analyst firms cannot answer this question.  Another area for improvement in this use case is the ability to map/relate risks to show how risk interrelates with other risk not just vertically in hierarchies but horizontally across hierarchies. A particularly big issue in this area, and lacking in the use case, is the ability to aggregate and normalize risk.  Some in the Magic Quadrant are quite flawed.  They break down when different departments have different risk models and scoring.  To overcome this, vendors have significant implementation time lines (at great financial cost) to build out rulesets and logic for risk normalization and aggregation because it is not a native feature to the solution. Risk normalization and aggregation is critical and necessary so risk reporting across department/operational areas to enterprise risk reporting makes sense.
  • Use case 3: Audit management. Someone has done their homework.  Compared to the other use cases, the audit management use case is far more detailed.  Makes one wonder why Gartner goes deep in a few use cases while the rest are very light.  My minor issues with this is an ability to build dynamic audit plans based on changes to business/regulatory/risk environments and the ability to build the more traditional three or five year audit plans.  It could be stronger by listing the ability for external auditors to use the platform, and flexibility of the solution to perform a range of operational audits including those across vendor and supply-chains (where external auditors are often used).
  • Use case 4: Vendor risk management (VRM). This one is a big disappointment.  They scope the use case to be vendor risk management, and strongly lean it toward security.  It should be 3rd party management (though in the commentary it does discuss applicability to supply chain, I suspect the narrow scope of this is due to internal politics and research boundaries with other Gartner analysts covering supply chain, if so it is a disservice to clients that are thinking more holistically).  I do not see anything in the use case that identifies: a portal for 3rd parties, self-registration, communication of code of conduct and other policies, delivery of training, and ability for internal or external auditors to use the solution and record findings when exercising right to audit clauses.  It is weak on detail about integration with 3rd party content for due diligence and monitoring activities — organizations are looking for solutions with a lot of depth in this area and the brief criteria statement is rather . . . light.  In summary, from one industry perspective, this use case would end up with analysis of solutions that does not meet the needs of financial services institutions responding to the latest OCC requirements for more holistic vendor governance.  The use case only partially fits the criteria needed by banks in this area.
  • Use case 5: Business continuity management (BCM). Similar to audit management, Gartner has a lot more detail on the BCM use case and makes you wonder why the other four use cases are so light in comparison.  A pretty thorough job in BCM.
  • Use case 6: Corporate Compliance and Oversight. My greatest disappointment. This one is long and needs to be broken into subbullets:  
    • Compliance risk. Compliance risk assessments go beyond prioritization and planning. It is an integral part of the elements of a compliance program defined by the United States Sentencing Commission and is referenced by regulators as well as mentioned in some consent decrees, corporate integrity agreements, non-prosecution agreements, and more.  It is part of board’s fiduciary obligations of compliance oversight. Compliance assessments are more than control assessments.  Control is a term used by auditors, financial compliance, and IT.  Compliance assessments, which can include control, also cover the state of policy development, maintenance, and communication.  Compliance assessments review hotline reports and cases.  Compliance assessments look at training programs.  To do a proper compliance assessment looks at compliance process as well as controls.  
    • Exception management. Gartner’s coverage of exception management does not reference policy exceptions.  
    • Regulatory intelligence. I would expect to see deeper criteria on regulatory intelligence and the ability to not only integrate but provide content and in what areas content is provided (list the areas Gartner, break it out and measure solution providers on depth and breadth of regulatory content).  Some solutions are deep in industry verticals like insurance, banking, health and safety – let your readers know which areas of content depth solutions deliver through relationships or directly themselves.  Have a taxonomy in the criteria so solutions have to show the range of regulatory intelligence coverage – and I pray Gartner understands that this is more than the Unified Compliance Framework (I am not critiquing UCF, just recognizing that they only have a small slice of the regulatory world).  
    • Policy management. For policy management, Gartner should break this out in its own use case.  There are a lot of enterprise and department policy management RFPs and projects that are not part of a broader compliance platform selection process. Gartner could spell out detail in policy lifecycle management capabilities, and it is missing exception management for policies as previously noted.  There also is nothing in the criteria that covers the communication plan and campaigns for policies and training.  
    • Issue reporting and ca
      se management.
      Under the incident criteria there should be an item that reviews the ability of the solution to stand up in court with proper evidence tagging and non-repudiation.  
    • Compliance forms & disclosure management. The use case criteria is missing forms management such as disclosures for conflict of interest; gifts; entertainment; hospitality – this is critical functionality for a solution for corporate compliance and ethics, particularly if you want to help your clients with FCPA and other regs. 
    • Due diligence. The criteria is void on integration with due diligence and other content databases (beyond regulatory intelligence) to fulfill due diligence requirements on internal personnel as well as 3rd parties.  
    • More compliance content. Some of the strongest compliance solution providers in the space provide content themselves and there is no coverage or the range of content – regulatory analysis, policies, controls, training/elearning courses, standardized assessments, 3rd party due diligence.
    • Defensibility. Most significantly, there is nothing on a defensible audit trail.  There is a reference to history in the use case – but organizations need more than that and solutions need to prove it to you Gartner.  Look at the DoJ memo on Morgan Stanley and how they were praised for the ability to demonstrate policy maintenance, communication and training activities, assessments, monitoring, due diligence. Organizations need defensible compliance with clear audit trails of who did what, how, when, and why.  Regulators are starting to tell banks that spreadsheets/documents do not have the right integrity in audit trail to use for assessments (something I have been stating for a decade).  The November 2012 FCPA guidance by the DoJ and SEC states that they often encounter compliance programs that look good on paper but fail operationally and they are sick and tired of it.  We need defensible compliance.

These are the use cases GRC solution providers have to prepare for, Gartner is just beginning their process.  They could explore much of what I discuss throughout the process, but it would be best if it was apparent up front in the use cases themselves.  There also is still time to revise these use cases as analysis is just starting. This matters as organizations invest a lot of money in solutions and need the deepest insight into the solutions they are purchasing.  When requirements are not met it hurts the market as a whole.  Gartner has a log of influence and is the biggest brand in the business.  While we compete in market research, their approach can cast a shadow that hurts the rest of us. I dive deep into the functionality of these solutions and care that organizations select the right solution for their needs. 

One more thing – Paul Proctor’s blog I referenced above.  He critiques the acronym of GRC as being the most overused term confusing things.  For clarity, the individual parts of GRC – governance, risk management, and compliance are all very overused terms across the business with many different interpretations.  This is the area of  research each of our firms cover and the one our clients engage us to make sense of.

Forrester

Compared to the long Gartner post, the brevity of this discussion may come across as letting Forrester off lightly.  There is some serious misalignment between Forrester on one-side and myself and Gartner on the other.  I cannot even go into the detail that I did with Gartner as Forrester just lacks the same point of view of the GRC market. I cut my GRC teeth at Forrester, defined the GRC market before anyone else, wrote the first two Forrester GRC Waves (as well as the first two ERM Consulting Waves).  I recognized in 2007 with the 2nd GRC Wave that this market was too complex to represent in one two-dimensional graphic.  As a result, my Wave had four graphics representing the aspects of: 1, overall GRC; 2, governance (audit); 3, risk management; and 4, compliance management. I reference Forrester in some of the blog entries I link to above discussing Gartner, but also have discussed Forrester in the following:

Previously I have given praise to Forrester for transparency. The Wave process gives clarity into scoring and criteria that Gartner’s Magic Quadrant does not (but these use cases are getting there). In the past seven years Forrester has collapsed the GRC Wave and failed to expand it.  The four GRC Wave graphics went to one graphic. To make matters worse, Forrester combined a separate Wave on IT-GRC into the Enterprise GRC Wave (I discuss my views on the differences of IT-GRC and Enterprise GRC above in the Gartner analysis).  Further consolidating research analysis of solutions where I have been expanding it and now Gartner is as well. Forrester – what GRC market are you covering?  Certainly not the one I am covering, and not the one Gartner is covering. 

Chartis

Chartis is not as well known as Gartner or Forrester. They provide market research with a predominant focus on financial services.  They cover a range of GRC topics that I would all put under the umbrella of GRC, but their approach is to split GRC into its own category of multi-functional platforms distinct from other areas of their risk and compliance coverage.  

My approach is that the entire market is called GRC and there are a lot of segments in this market of different types of solutions.  Like IT security which has segments for firewalls, intrusion detection, anti-virus, and more . . . GRC has segments for risk, audit, compliance, policy, health & safety, quality management and many more areas.  To me, GRC is the macro-market, an umbrella that covers a range of solutions. Chartis and I talk “apples and oranges” as we are representing GRC as different things. Their approach fails as it aligns more with Forrester than myself.  Though if you take the scope of what they cover as ‘risk technology’ we become more “apples to apples.” It is how we name the high-level market category that everything cascades from that differentiates us.  They call it risk technology, I call it GRC.

What really sets me off about Chartis is their recent statement in Enterprise GRC – Time for GFRC?  Chartis states, “To drive a behavior-driven approach to GRC, firms need to incorporate performance and remuneration measurements into GRC. Chartis believes that firms should replace ‘GRC’ as a concept with ‘GFRC’ – Governance, Finance, Risk, and Compliance . . . Traditional GRC is outdated and fails to manage risk and prevent serious compliance breaches . . . Firms need to move beyond traditional GRC and take a more dynamic approach to governance, risk, and compliance.”

We are actually aiming for the same trajectory that there is more than a GRC platform and GRC platforms by themselves are not enough and can force an organization to the lowest common denominator in managing risk. Later in the article they state, “Chartis also believes that firms should do more to incorporate areas currently overlooked by GRC, including model risk, conduct risk, reputational risk, and stress testing.”  These areas of risk are covered in the GRC 20/20 market model for GRC.  I am writing a paper right now on model risk management, GRC 20/20 has a segment of the GRC market that catalogs solutions for reputation/brand risk, conduct risk falls into our coverage of compliance management solutions (e.g., market conduct exams for insurance), and stress testing is in the coverage of risk management technologies.  Where GRC 20/02 defines a range of solutions in the market GRC and Chartis calls the same over
all market ‘risk technology,’ Chartis is using the GRC label similar to Forrester by collapsing a platform down to the lowest common denominator and then taking the perspective Gartner and I have stating it is missing something.  Technically, Chartis and GRC 20/20 is aligned as we see a range of technologies that define a category.  I call it GRC.  Chartis calls it risk technology.  We are pointing at the same thing in this sense.  

I take issue with Chartis trying to create GFRC – that just confuses things.  The GRC market started growth in financial controls as a fallout of SOX and some back in 2003 and 2004 tried to add Finance then.  I don’t understand what Chartis is trying to communicate. Adding finance into the mix is a step back and not a step forward. One of the problems with traditional strategic planning is that it is really about financial planning and budgeting. In the UK there’s an entire movement around something called “beyond budgeting.”  Finance, as well as operations, falls under the pervasive umbrellas of governance, risk management, and compliance.  If not, do we start adding HR for human resources for the human element of GRC, IA for internal audit, H&S for health & safety.  The nice thing about the GRC acronym is that these words are adaptable across the organization and provides a good umbrella. GRC defines the flow and context for the solutions in the market.  GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.  Risk needs governance to set the objectives and strategy to give risk management context. We measure and monitor risk as it relates to performance, objectives, strategy with a focus on uncertainty.  Part of risk management is setting boundaries that get established in policies, procedures, and controls that compliance ensures we adhere too – acting with integrity.

Markets to Markets

This company should not even be referenced in this post, but I do as they have been brought to my attention by solution providers a few times in concern. You can request their sample GRC report for free, but they charge thousands for the full report – the sample has anything of value redacted.  Why I bring them up is their flagrant disregard for intellectual property and copyright. Their GRC market report takes some of my GRC content, particularly on GRC 3.0, the market timeline for GRC 3.0 in an exact representation of my work, and other GRC points and they source it back to themselves and not to GRC 20/20.  Be wary of the analyst firm that fails to have an original thought of their own and takes the intellectual property of others.  It came to my attention after solution providers in the GRC space (more than one) pointed out my IP being referenced as theirs. Still waiting for a confession and apology . . .

ERP Maestro: Automated Security & Access Controls Through the Cloud

Executive Summary 

Organizations face increased pressure to ensure business applications such as Enterprise Resource Planning (ERP) systems are secure and access control risks are managed in the context of a dynamic business environment. Segregation of Duties (SoD), inherited rights, critical and super user access, and changes to roles are too much for today’s organization to manage adequately in manual processes involving spreadsheets, documents, and email as they are time-consuming, prone to mistakes and errors, and can leave the business exposed.  By automating access controls, organizations take a proactive approach to avoiding risk while cutting down the cost and time required maintaining controls, being compliant, and mitigating risk. However, automated access control/SoD solutions are known to be exorbitantly expensive and take a considerable amount of consulting resources and time to implement. ERP Maestro is an innovative access control/SoD solution that GRC 20/20 has researched that takes a cost effective approach by using the cloud to make automated access control/SoD efficient and agile as well as effective. ERP Maestro has proven that it is as or more effective in access control and SoD as its competitors but it does this at a fraction of the cost to implement and maintain.  

{rsmembership id=”1,2″}

You may access this research below . . .

{rsfiles path=”2014-02_Solution-Viewpoint_ERPMaestro_Web-Version.pdf”}{else}

Access to GRC 20/20 published research requires a subscription.  There are two primary tiers of research subscription:

  1. GRC 20/20 Basic Subscriber (Free).  This gives you access to a broad range of content at no cost.  This includes Strategy Perspectives (best practice research), Vendor Viewpoints (research documents on specific solution providers), Case Studies, and more.
  2. GRC Advisor Access.  This is a paid subscription that starts at $5,000.  This level of membership gives you access to more detailed market research such as Market Landscapes and Buyer Guides.  It also gives you inquiry access to GRC 20/20 research analysts to get your questions answered as well as four longer strategy calls that can be combined into a single strategy day.

To access this document please  REGISTER or LOGIN using the buttons in the upper right corner of the page.{/rsmembership}

 

2014 GRC Technology Innovation Award: ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires

In November 2013, ACL delivered an innovation that combines the concepts of management assurance and audit assurance to structurally shift what is considered “data” in the context of measuring risk and control activities in assurance activities. They have created an intuitive and elegant approach to combine data analytics with surveys and questionnaires to provide stronger assurance and automation.

At a tactical level, this innovation revolutionizes the way a GRC professional is able to address problems around control monitoring, compliance violations, and policy violation. It meaningfully blends the capabilities of data analytics with surveying to provide the analyst with a simple, integrated toolkit for monitoring and remediation.

At a strategic level, this innovation structurally shifts and aligns “human data” with “systems data”, effectively allowing the GRC analyst to treat populations of people as a data source. With the ability to seamlessly blend “human data” with “systems data”, a new world of analysis is possible to identify red flags, as well as serve as the basis for rich visualization of blended data.

Prior to this innovation, control monitoring and other data analytics were loosely integrated into broader GRC risk & control platforms and GRC architecture. Results of analytics were often simply attached as files to serves as control evidence. This new approach fully integrates into a unified GRC architecture with analytics so GRC evaluations, assessments, and decisions can be made seamlessly in real-time using the most up-to-date information available in the organization. Introducing the surveying/questionnaire piece allows ACL users to feed the same control monitoring engine with survey data (“human data”) and drive the same remediation actions as could be done from transactional data.

The core functionality of the technology is to take the results of control monitoring analytics and bring those into a centralized, easy-to-use web environment where it is integrated into the overall GRC information and process architecture. It provides an intuitive questionnaire builder to develop questionnaires when a “trigger” condition happens that allows for automatic triggering of questionnaires based on data analysis criteria. It blends data analysis records with the questionnaire results to provide a consolidated dataset that the organization may use to drive remediation, act as control evidence, or provide executive reporting.

The key technical functionality is the “Big Data” engine that lies at the heart of the ACL GRC Results Manager module. This data engine uses an innovative data store that is capable of storing unstructured and arbitrary data. This is critical for several reasons but primarily because 1) organization need to analyze different types of data that a traditional database system cannot effectively ingest the “arbitrary” data needed for analysis, 2) these organizations need to be able to “blend” a transaction record with a survey response on the fly without doing traditional database table joins, and 3) the ability operate at cloud scale to drive the fastest performance and response times. Layered on top of the big data engine is ACL GRC’s development stack and intuitive user interface built in HTML5, CSS3, and high performance JavaScript. The overall solution is not just functional on a new level but brilliant in its intuitiveness and ease of use.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC

ACL has brought end-to-end audit management functionality to Apple mobile devices in the form of a native mobile app, used in conjunction with their cloud-based GRC and audit management platform. The ability to leverage a native app (not mobile web or low-fidelity “hybrid” type applications) enables ACL to make full use of the hardware capabilities of Apple mobile devices including:

  • User Interface.  Touch, gestures, responsiveness, hardware rotation, etc.
  • Multimedia evidence capture. Create and attach photos, videos, sound recordings, geo-location, etc. from within an audit procedure, control walkthrough, control test, etc.
  • Scan to PDF. Use the app to “scan” hard copy documents directly into the system without leaving a given audit step or control test by taking a picture of the document. The app’s PDF generation engine will automatically convert to a document-quality PDF.
  • Cloud connected. Built to enable connectivity and integration to their native multi-tenant software as a service ACL GRC platform so that none of the typical connectivity challenges to on premise server infrastructures impede easy access and use.

This is the first GRC mobile app to bring the full power of design delivered through powerful and capable devices, to the problem of audit management. GRC 20/20 sees a major shift beginning occurring where document, spreadsheets, and paper binders are being replaced by multimedia including audio, video, photo, data visualization, geo-location, etc.

There are many GRC mobile solutions on the market – but they offer limited functionality and do not always take full advantage of the native mobile environment. ACL has now fully engaged the capability of the device to leverage multimedia capabilities of the devices as well as redesigned the application from the ground-up to take advantage of the incredible power available in the iOS SDK. The platform was expanded to enable complete enterprise risk assessment and reporting in a fully touch interactive environment.

The historic reality after fieldwork finished there would be an additional two weeks of work to be completed compiling notes, transcribing, documenting, etc. after leaving the field, then another two weeks of report writing and revisions. Progressively leveraging ACL GRC for iOS and its multimedia capability, the auditors can potentially walk out of the field completely done and documented with multimedia backing up a clean, engaging audit report. This enables users to work in an environment where they are able to create and capture both interactive media and structured data to accomplish existing audit goals while not relegating themselves to countless hours of tedious document preparation only to end up with all of their data forever “trapped” by documents.

The key innovation is that the app leverages the native iOS SDK to provide the most superior mobile GRC user experience that GRC 20/20 has encountered with deep integration with the device’s hardware capabilities including camera, microphone, GPS, touch gestures, hardware rotation, etc. This provides a faster, better, more beautiful, and more tightly integrated experience for the user than a mobile web app or a wrapper for the web that pretends to be an app.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

The Be Informed GRC-solution is based on the Be Informed business process platform, which is a platform using innovative semantic technology which can be understood as a shared vocabulary of business concepts describing the terminology of products, services, processes, activities, business knowledge and policies. It is fully model-driven, which means that requirements and specifications are expressed in semantic models, which can be directly executed, i.e. without transformation to another (programming) environment. This constraint-based process approach allows for dynamic processes, by which every individual transaction has its own process flow, depending on the data and context of that transaction.

The Be Informed semantic technology enables the dynamic management of regulations and changes in the GRC environment.  This allows organizations to stay current with the ever-continuing stream of new and changing regulations.  Organizations will find that regulatory change alongside business change and risk change becomes easier to manage, control, and traceable. Semantic models determine behavior of the business within rules. With Be Informed, the rules of business are modeled, not coded, in a visual and very comprehensible way for business users. This enables users to easily understand and change business rules, making the Be Informed business process platform an agile solution.

Be Informed through its semantics engine allows organizations to be in full control. In the GRC-space this means being able to handle complexity and change (e.g., regulatory change, business change, risk change), to provide a holistic integrated view of change, to enable transparency, and have complete insight and overview of accountability domains – on both content and process.  This is enhanced by audit trails that demonstrate accountability to customers, employees, shareholders and supervisory authorities.

By using the semantic models, you can define the requirements in an accurate, concise and machine executable format. Semantic models are used to make decisions, to classify what is applicable (and/or needed) and to calculate values. These outcomes are used to determine which controls are applicable, which data is needed to perform activities, how to drive the workflow process and even to determine which components of a report must be generated.

The Be Informed framework consists of three parts. The first part is the Definition part by using semantic models. Here Regulations and Policies are translated into regulatory and risk controls.  Second, once a control is defined it can be executed as a service in any of the core processes of the organization as represented. A transaction can only be completed if all necessary controls have resulted in a positive outcome. And third, Be Informed supports the review and evaluation of the effectiveness of the controls by planning, scheduling and executing of all kinds of assessments with the GRC-Workplace.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: Convercent Delivers Agile Compliance Reporting

The 2014 GRC Technology Innovation Awards was filled with competition.   Nominations increased to 62 over last year’s awards, and fifteen winners were selected.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.

Convercent Delivers Agile Compliance Reporting

Nearly every business function in today’s organization has benefitted from a transformational shift in how data is used to enable business agility – the ability to deliver meaningful intuitive information at a moment’s notice and enable accessibility across devices from computers, laptops, tablets, and mobile devices. However, compliance has struggled with systems in which information is neither agile nor mobile. The effect is a blurred or inaccurate picture of compliance risk. In today’s business, understanding a true picture of compliance at any point in time is critical. Compliance programs struggle with mountains of data in documents and emails or with expensive and non-intuitive solutions that create challenges to managing compliance effectively. Technology is a limiting factor to many ethics and compliance programs and is manifested in:

  • Increased exposure. Inability to make rapid decisions, and inability to draw historical benchmarks or predictive analysis based on integrated trends
  • Reduced efficiency. Time inefficiency to aggregate information into board/audit/executive reports
  • Increased cost. Utilizing manual processes to do what technology can streamline, centralize and automate.

Convercent is a cloud-based solution that delivers integrated reporting across key compliance functions, including policy management, learning management, hotline and investigations to enable effective compliance risk monitoring and mitigation. This is done through an elegant and intuitive user interface that delivers depth while minimizing technical acumen needed.  With Convercent it becomes easy to rapidly report on issues and understand what trainings and policies an employee has received and attested to at a moment’s notice. The ability to drill down to the individual level allows organizations to track and monitor developing compliance risks, and proactively analyzes and reports on information that highlights compliance efforts.

Convercent provides three layers of reporting and analytics, ranging from at-a-glance dashboards that enable program monitoring to effective oversight at the board level through the ability to use Microsoft Office tools to create a “two-click board report” in real time. Convercent allows for business agility within compliance departments and a reduction in costs associated with manual processes that is supported by three levels of reporting and analytics capabilities:

  • Dashboard Reporting provides the ability to understand performance at a glance. Compliance managers can monitor case management, policy and training health to get a high level overview on how the organization’s ethics and compliance program is performing.
  • Web-Based Reporting provides rapid understanding of issues that are occurring in real time. A variety of prebuilt case management reports are available for the compliance manager to present the information the way it needs it.
  • Convercent Data Services puts powerful and customizable reports at the organization’s fingertips. It provides the ability to collect real time ethics and compliance data in Convercent and immediately transfer it into Microsoft Excel and PowerPoint utilizing open standard oData technology.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients