The GRC Pundit

GRC 20/20 Research awarded Datacert Passport its 2013 GRC Value award in the Legal GRC category. Datacert’s Passport® technology platform provides an integrated legal and GRC ecosystem that allows organizations to respond to the cost of compliance and non-compliance.

Datacert’s Passport application breaks down information and process silos between a variety of legal and GRC stakeholders, and allows organizations to better understand their internal and external legal/compliance-related expenditure by activity type, business unit, geography, regulatory topic, etc. Additionally, at MMC, Passport identifies key data points and associated expenditures required to address incidents and data protection policies. This visibility brings unique value by providing the information organizations need to effectively budget for and demonstrate ROI on GRC-related expenditure.

Risk management that’s strategic, not just responsive

Marsh & McLennan Companies, Inc. (MMC) is one of the world's largest professional services, risk management and insurance brokerage firms and is headquartered in the United States with offices all over the world. Datacert’s Passport solution was implemented by MMC in April 2012 for Legal and Risk Management to manage key litigation and global insurance risks.  In 2013, MMC increased the use of the application to manage data incidents and data privacy related matters, thus leading to a combined Legal and GRC solution for the organization.  

Prior to Passport’s tracking data privacy incidents and their associated spend, MMC had to pull data manually across its Marsh and Mercer operating companies and manually determine key severity codes, root causes and remediation through steering committee meetings to ensure organizational consistency. During Q3 2013, MMC was able to generate these compliance incident spend and risk metrics in less than 20 minutes with Passport.

In addition to the above, MMC has gained significant quantitative value from utilizing Passport to optimize its outside counsel operations. Examples include:

• From 2008 through 2012, partly via Datacert’s technology, the MMC’s legal department reduced outside counsel fees by 56 percent, its lowest spend since 2007.
• MMC estimates it saved an additional $10 million since July 2011, aligned to mandatory discounts, 2010 rates, fixed-fee pricing and competitive bidding.
• MMC notified all law firms that it would not be moving to 2013 billing rates, which MMC anticipates will result in savings of approximately $6 million.
• MMC kept its global lawyer count to 140 across 26 countries and 209 total resources.
• MMC has determined that maintaining a global legal department is key when evaluating total legal expense as a percentage of revenue. Its goal is to maintain its total legal spend at less than 1 percent of revenue, which it is able to do using Datacert’s Passport technology.
• Improved reporting and dashboard capabilities provide a more detailed global view of spend by line of business, region, law firm and matter. With Passport, MMC is able to generate better and richer reports than it could previously, reducing time spent running these reports by 25 percent
• By utilizing preferred providers tracked and managed in Passport, MMC lawyers can select the firm best positioned for a particular matter while building long term relationships, allowing MMC to reduce its preferred provider list from 150 to 50.

MMC's Legal and Risk & Compliance teams are still identifying opportunities to expand the use of the Passport application to manage data and analytics around GRC. In the longer term, MMC is planning to extend the reach of its Passport implementation into a broader spectrum of proactive GRC-related activities, providing additional spend intelligence in areas like operational risk assessment, internal audit, policy management, and 3rd-party risk management.

A legacy system that was costly and often ineffective

Prior to its implementation of Passport, MMC’s visibility into spend was limited to legal matters (it did not include compliance-related incidents), and legal spend data was difficult to consolidate across multiple business units and global regions within the legal function. With Passport, MMC can integrate spend management across its legal department, providing the visibility required to increase its influence over its outside service providers.

Another benefit of Passport for MMC is the improved management of outside legal service providers. Prior to the implementation of Passport, MMC was managing hundreds of law firm relationships, which it has since culled with the help of Passport to a streamlined population of high-value relationships, reducing operational overhead and allowing it to focus its efforts on increasing the value of its remaining outside counsel relationships.

Passport’s effectiveness is most notable in the area of reduced human capital cost. Greater visibility into its risk and compliance spend allows MMC to address hotspots and better project its risk and compliance-related expenditure into the future, allocating budget and resources to areas where they are most likely to be needed.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded Hiperos 3PM its 2013 GRC Value award in the Third-Party GRC category for their implementation at a regional bank holding company.  The client specifics are anonymous in this publication, but GRC 20/20 has verified the factual accuracy with the bank.  After the implementation of Hiperos 3PM solution at the bank, it was able to triple the number of its third-party investigations without any increase in headcount. The number of days needed to assess the inherent risk of a third party also dropped dramatically — from 7.55 in 2011 to 5.22 in 2012 to 3.95 in 2013. Hiperos continues to deliver efficiencies.

The bank is a large U.S. bank holding company in the S&P 500. They have 11,000+ employees and their Vendor Management Team manages some 20,000 third parties. Following a regulatory examination, the bank was told that while their processes for third-party assessment and third-party risk assessment were sufficient, they needed to apply them to a number greater number of third parties to ensure the business adequately demonstrate knowledge of vendor risk and consistently apply to managed vendors. The bank had a choice: add headcount or look at technology. Hiperos was selected and contracts signed at the end of 2013. Hiperos 3PM was implemented in 87 days.

The bank is highly focused on ensuring that they address their regulatory obligations in the most cost effective and efficient manner possible. As a result of implementing Hiperos, the bank has been able to triple the number of assessments it completes on third parties with same number of people. Following the implementation of Hiperos, the bank reformulated all of its risk models, at the CEO’s request. All of the third-party risk models were redone internally, with no need for IT help or additional consulting from Hiperos.

Going from their largely spreadsheet-based approach, the bank saw similar savings across several different processes, including:

• AML assessment — the average number of days to complete assessment went from 41.52 in 2011 to 6.86 in 2012, which is an 83.47 percent decrease in the number of days. For the same period, the bank reported a 34.55 percent increase in volume.
• Business continuity assessment — the average number of days to complete assessment went from 23.45 in 2011 to 12.65 in 2012, which is a 46.05 percent decrease in the number of days. For the same period, the banks reported a 15.64 percent increase in volume.
• Compliance assessment – the average number of days to complete assessment went from 66.78 in 2011 to 23.3 in 2012, a 65.01 percent decrease in the number of days. For the same period, the bank reported a 58.44 percent increase in volume.
• Information security – the average number of days to complete assessment went from 37.12 in 2011 to 16.93 in 2012, a 54.39 percent decrease in number of days. For the same period, the bank reported a 20.88 percent increase in volume.

The bank also was able to add 5,392 assessments in 2012 compared to 2,879 in 2011, with the same number of staff.

Five-year expectations and beyond

During the next give years, the bank expects to have the ability to adapt quickly to changing business environment (growth in bank/number of third parties) as well as changing regulatory environment (changes in regulation/different expectations from inspectors). The bank recognizes that one of the advantages of Hiperos 3PM is the ability to make changes to programs quickly and easily vs. requiring IT to make changes for them. They also expect to expand the scope and value of currently implemented solution, including initial on-boarding of vendors, ongoing due diligence, and managing the implications of exiting third-party relationships. They plan to expand scope to include nontraditional vendor relationships, and improve their understanding and intelligence around the data created by the program. The bank expects to make use of the analytics capabilities of 3PM, which will allow them to do business modeling and run what-if scenarios and gain a clearer picture of trends.

The bank has seen great agility in its process since implementation in its ability to respond to changes in business environment (when the bank buys another bank or entity), its ability to quickly add new third parties to a relationship, and the ease in changing information about an existing third party. It also has vastly improved its ability to respond to changes from the regulator — to manage the potential customer impact risk or a third party, and to meet the requirements of the CFPB.

The bank, the business environment, regulations and regulators — as well as third parties — are constantly changing. This approach allowed the bank to adapt to changes quickly and efficiently, which ensuring continued optimal and risk-based, appropriate management of third parties. 

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded Hitec Laboratories Ltd and Markel International its 2013 GRC Value award in the Policy Management category for its PolicyHub® solution. Markel International’s implementation of PolicyHub impressed them with its enhanced ability to demonstrate compliance to regulators. Markel International can demonstrate a 100 percent compliance rate for relevant staff, and can take action on noncompliant areas of the organization, which was previously not possible.

Markel International was challenged with numerous versions of a policy, and version control. Markel International is a global insurance company providing designed solutions for a wide range of professions and sectors. After deployment of Hitec’s PolicyHub solution, Markel International was thrilled with response rates. The first PolicyHub publication generated an 85 percent completion rate within 10 days — an accomplishment not previously possible to measure. Some Policies are combined with test assessments, issued through PolicyHub’s Assessment module. The test ensures the recipient has read and understood the policy and identifies any training requirements. The response rate achieved on the first PolicyHub publication using the Assessment module was 95 percent within two weeks of rollout. This assessment feature provides Markel International with complete confidence that employee compliance knowledge and expertise can be measured and enhanced.

PolicyHub® is an end-to-end Policy and Procedure Management solution that integrates Best Practice workflow for policy creation, collaboration, approval, distribution, auditable employee signoff, attestation and reporting. It is a multilingual solution that incorporates full Microsoft Office functionality with an advanced notification system and advanced reporting features. It is available as an on-premise system or as a SaaS solution.

Future gains expected

With the growing demands of regulatory obligations, financial services organizations must provide documentary evidence that Policies and Procedures are in place and adhered to. PolicyHub dramatically changed the delivery of policies and compliance communications at Markel International. Implementation involved a collaborative team of compliance and IT professionals from Markel International and Hitec, which guaranteed smooth delivery of the project, including uploading and availability of existing documentation.

Markel International uses the flexibility of PolicyHub to provide a communications channel and create management information reports to senior executives and auditors. Markel International can clearly demonstrate a record of which staff have received, read and understood each policy and when they agreed to them. It also highlights staff who have not complied. “How do you know if they have read this policy?” is no longer a concern.

Each user has access to their own library of documents relevant to their particular role. Policies and Procedures can be updated with minimum effort and replaced within each user’s library in seconds.

With the previous solution, compliance was almost impossible to measure

The compliance team at Markel International wanted to ensure they could distribute, manage and guarantee key policies were received, read and understood by all staff. This was a logistical challenge, particularly with a growing number of locations outside its home office in the U.K.

Prior to implementing PolicyHub, policy documents were generally communicated by email, posted on the company intranet and supplemented by periodic face-to-face training. Where positive affirmation was required from each employee, compliance or HR spent inordinate time chasing signatures. For other policies, it was only possible to show a policy had been issued — but they were unable to demonstrate it had been read and fully understood.

As PolicyHub is such an improvement over Markel International’s old system, no direct cost comparison can be calculated: it’s apples to oranges. They can now show a 100 percent compliance rate for relevant staff, and more importantly take action on noncompliant areas of the organization which were not visible before.

A new world of efficiencies

Markel International experienced increased efficiencies in many areas:

• Reduced reporting times; previously, Markel International could only report a policy had been published. Now it can report the percentage of staff that have read and acknowledged each policy;
• Response times have also improved. The first PolicyHub publication generated an 85 percent completion rate within just 10 days;
• Assessment times have improved; for example, the response rate achieved on the first PolicyHub publication using the Assessment module was 95 percent within two weeks of rollout;
• Improved accuracy means Markel International can demonstrate 100 percent of relevant staff acknowledge adherence to each compliance policy. Previously there was no such audit trail;
• Reduced errors means Markel International can show results based on accurate data.

Hitec Laboratories feedback on PolicyHub from Markel International elicits comments from users such as, “We wonder how we ever got along without it.” PolicyHub makes compliance Policy and Procedure communication easy and provides a simple and straightforward process for extracting management information for the board, auditors and regulators. Strengths of the PolicyHub approach include:

• Simple and easy-to-navigate interface;
• Consistent, centralized management of compliance Policies and Procedures;
• A compliance audit trail to prove staff keep up-to-date with changes in policy;
• Reduced administration, leading to immediate time and cost savings;
• Flexible assessment module;
• Detailed reporting;
• Demonstrable evidence of Best Practice and good governance;
• No passwords to remember with single sign-on;
• Full version control and tamper-proof documents.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded LockPath its 2013 GRC Value award in the IT & Information Risk, Security, and Compliance category. A leading manufacturer of medical devices recently extended its use of LockPath's Keylight platform, including several applications. During the first year, the implementation has meant an 80 percent reduction in IT audit preparation time with five weeks of work reduced to one week, improved clarity and efficiency related to security functions, and improved insight companywide through dashboards and reports.

The manufacturer of medical devices recently extended their use of LockPath's Keylight platform, including the Risk Manager (Rm) and Compliance Manager (Cm) applications, as well as its Audit Manager (Am), Security Manager (Sm) applications, for streamlining internal and external audit processes, as well as operational control environment. They now have linkages to all of this data (vulnerabilities, audits) to assets, which is expected to unlock further valuable insight.

A disparate system with poor visibility

Prior to the LockPath implementation the organization's audits were managed on a SharePoint site, using spreadsheets, emails and individual or manual item tracking. No direct numbers were available, other than through spreadsheet manipulation. Vulnerabilities, penetration tests and Web application assessments were all maintained as separate efforts and tracked separately, without historical linkage or other insight. The company rarely had a solid view of GRC, and results were rarely reported or even visible to leadership.

Internal security teams managed tracking of audit requests to internal controls, and all communication between the organizations personnel and external auditors. The last midterm audit consumed the corporate team of two for six weeks or more, in addition to other teams at each location.

Adding safety and accountability, application-by-application

The medical device manufacturer first purchased Rm and Cm to manage control activities of one division, to map policies to requirements and to manage risk tracking and exceptions. Next, they added the Sm application, and more recently nearly automated management of its vulnerability management process, cataloged its assets and tagged them with responsible owners, and provided a near-real time dashboard for its risk posture. The organization has also included its Web apps and penetration tests from this year and the past two years into the system to track back findings and systems to historical information. The workflow transitions phases of vulnerability, alerts owners of any need to remediate, automatically reminds them if a task overdue, and automatically verifies a completed patch.

In late August of 2013, while preparing for a sizable (1,300-item) roll-forward audit, the organization quickly added Am to handle external audit requests. In only days, they entered these requests via an upload file, and set up their external audit team with specialized Keylight accounts that allowed it to review responses. Using built-in workflow, employees are alerted to items that require a response; and auditors receive notifications when requests were submitted for review. This eliminates inefficient back-and-forth dialog that typically accompanies an audit. A single dashboard allowed many views of audit progress and breakdowns providing real-time tracking and brand new insight.

The new LockPath system has enabled this medical device manufacturer to:

• Save at least 10 weeks of corporate-internal personnel time managing the audit (two people at five weeks consumed time).
• Save billing time from the external auditors on nonvalue transactions and coordination.
• Shorten audit duration and speed results since they are directly available, and automatically turn into a remediation project with tasks.
• Avoid costs associated with exploited vulnerabilities.

Qualitatively, staff feels the system has meant:

• Reduction in risks that result in fines, litigation and reputation loss.
• A shift to highly productive and effective tasks such as detailed analysis and discovery of opportunities, business efficiencies and true risk-analysis.
• Audits can be managed by a central group of administrators for all locations.
• Efficiency across all audit participants, improved morale and better cooperation.
• Multiple views of real-time information and can be presented as desired via dashboards.
• Better leadership confidence of management and direct insight via dashboards and tracking.

Expected benefits, five years on

This organization expects to add additional audit tasks due to increased efficiency, expanding analysis and consulting provided by its internal audit team, and also expects reduction in negative findings and remediation required from external audits, and increased opportunities recommended by internal audit team, resulting in fraud reduction, risk reduction and additional cost savings.

Enhanced security features are expected to provide improved efficiency and operations of the control environment. Security analyst work is just a fraction of what the work used to be, since it is a matter of running the tools and adding the output to the GRC system for any of several operational tasks. This means more can be done done as a team and a view can be continually maintained into organizational effectiveness through the reporting inherent in the tool.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded MetricStream and Sterling Bank its 2013 GRC Value award in the Enterprise GRC category. MetricStream Enterprise GRC Solution Suite allowed Sterling Bank to transition from using hundreds of spreadsheets created every year to complete audits, credit reviews and risk assessments in addition to hundreds of other documents compiled to report on findings and risk summaries. Today’s system is a single-source GRC solution that integrates governance, risk and compliance functions and brings strong scores from regulators.

Sterling successfully used MetricStream’s single-source GRC solution suite, which consolidates various GRC functions, including enterprise risk management, internal audit, issue management, policy management, business-line risk assessment, regulatory compliance self-assessments and internal asset review, into one enterprisewide view. Benefits received in the short term (within one year) of implementation included:

• Automated end-to-end GRC workflow, eliminating the need for cumbersome spreadsheets, saving time and costs and minimizing error
• Ability to perform detailed risk self-assessments, define and assess controls, track loss incidents along with root causes and ownership, and quickly resolve any issues that arise
• Established a single risk framework and nomenclature within the GRC system, and a single source of truth
• Strong risk management grade from regulators
• Better board reporting and focus on the risks that matter
• Risk management is now 1 of the top-line corporate goals, raising awareness about its value

A long-term GRC vision

Among Sterling Bank’s long-term goals for the product is to push risk management down to the first line of defense, to ensure issues are identified as early as possible. This top-to-bottom approach should also involve the board of directors and actively engage them in GRC issues.

The MetricStream solution will be used for active monitoring of audit processes, risks and incidents, and ensure compliance with regulations such as SOX, GLBA, FDIC and FFIEC by all business units — and not just by the efforts of the risk and compliance staff. The solution provides a single and unified view into actionable business intelligence, active responses to risk and facilitates corresponding changes to strategy, all of which provides the bank with a competitive edge.

Risk, compliance, audit and policy in one enterprisewide view

Before MetricStream Enterprise GRC solutions was implemented, the various GRC initiatives at Sterling Bank — risk, compliance, audit, policy, etc. — were managed as separate programs, and as a result, due dates for issues could be missed and when reorganizations occurred, issues could fall between the cracks. A number of standalone software applications and point solutions catered to these individual programs and functions. There were serious challenges in ownership and transparency, which resulted from a prior inability to aggregate GRC data from across the enterprise in real time, and leverage this information to drive risk-based decisions and business strategy.

Sterling Bank used several data sources and manual processes that were labor intensive. GRC functions were spread across multiple unrelated departments. Consolidating all GRC programs and processes into a single platform enables the organization and every employee to work more collaboratively and more efficiently, while reducing costs and eliminating redundant activities.

MetricStream GRC solutions foster communication, collaboration and information sharing between business units and corporate functions. The bank can ensure ownership and transparency while aggregating GRC data from across the enterprise in real time, and leverage this information to drive risk-based decisions and business strategy.

A change in GRC culture

Sterling’s fraud risk assessment process previously contained over 300 different risks, many of them applicable to only one department. By rationalizing these risks for population into the MetricStream GRC solution, Sterling was able to eliminate and consolidate fraud risks into 70 risk categories companywide. This library of risks, controls, processes, assets, issues, regulations, products, policies and objectives enhances Sterling Bank’s risk management capabilities. Business managers have real-time access to the status of audit and exam issues rather than waiting to receive a periodic spreadsheet.

The GRC program facilitates a reduced-touch approach to GRC; business units no longer have to generate as many as eight risk assessments a year, since the GRC program provides multiple automated risk assessments in a single session. The following efficiency improvements have also been realized by the new approach, supported by MetricStream GRC solutions:

• Automated end-to-end GRC workflows eliminate the need for hundreds of documents and spreadsheets, saving time and costs and minimizing errors.
• Provides a single-source-of-truth for risk information with a universal risk taxonomy and nomenclature.
• Has served as a catalyst for establishing a sustainable risk culture across the enterprise.
• Promotes tracking and trending data for management committee and board reporting.
• Ability to isolate changes in self-assessment testing for immediate action.
• Risk is now embedded within decision making processes, and coordinated across business units.
• Empowering individuals and committees to be accountable in owning and/or escalating existing and emerging risks to management.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded Modulo Risk Manager its 2013 GRC Value award in the Enterprise Risk Management category. The financial services company used Modulo Risk Manager to help it comply with HIPAA, PCI and SOX, and its consolidation of its 350 independently chartered bank branches, with 6,700 employees and a heterogeneous environment spanning a variety of operating systems, servers and application platforms as well as legacy systems for each of the back-end core banking platforms. Benefits from the first phase of its Modulo Risk Manager implementation included:

• Creating efficiencies and consistency by unifying silos of data into one automated governance, risk and compliance program
• Completed 40 percent more risk assessments without adding any additional resources
• Finished risk assessments two months ahead of schedule
• Accomplished twice as much work with the same resources
• Attained a complete picture of the company-wide risk posture for improved business decision making

The second phase of the implementation, now in progress, is developing and integrating processes for GLBA compliance assessments, business continuity management and vendor risk management.

A new system that brings together scattered ERM

The financial services company was challenged with finding an automated GRC process to eliminate manual costs associated with risk assessments, consolidate GRC data into a common format and automate workflow. It wanted a system that could communicate risk in a timely and consistent fashion with different information for different stake holders, as appropriate. The solution needed to rationalize IT controls and create efficiencies around design, testing and reporting to meet increased regulatory scrutiny across all disciplines including HIPAA, PCI and SOX.

Modulo Risk Manager enabled the company to achieve its GRC audit goals on time, on budget and do twice as much with the same resources. It is also leveraging Modulo to mature its information risk process into an operational discipline, providing a more complete picture of the companyʼs risk posture.

Modulo’s Risk Manager™ software solution helped streamline the company’s risk assessments, reduced its control testing and expenses, and improved its communication of risk to various lines. The solution helps manage complex and dynamic dependencies of IT resources to supports critical system availability and confidentiality. The company’s feedback is that they regard Modulo as a strategic partner with extremely well trained and responsive staff.

Looking forward with a clearer view

With close to $30 billion in assets, this regional financial services company’s banking divisions provide commercial and retail banking, investment and mortgage services. It recently consolidated its 350 independently chartered bank branches. With 6,700 employees at the time and a heterogeneous environment spanning a variety of operating systems, servers and application platforms as well as legacy systems for each of the back end core banking platforms, the infrastructure of the multi-bank model was complex. As a result of this consolidation as well as an increasing number of regulations to comply with — from PCI, HIPPA, FFIAC, OCC, SOX, GLBA, FFIEC and SECISO to FDIC as well as other federal and state government requirements — the company was responsible for completing twice the number of audits with the same resources, and streamlining its overall GRC program.

Faced with increased regulatory scrutiny and an exponentially more complex environment, the company was under pressure to complete more risk assessments. Additionally, it was in the process of evolving its information risk practice into a broader, more mature operational risk discipline in order to get a complete picture of the organizationʼs risk posture.

The company’s team expects to continually find new uses for the flexible Modulo Risk Manager platform that streamlines and improves security, risk and compliance management initiatives. It will extend the program to tie company policies and industry controls (such as those for COBIT and SOX) to the Modulo framework for more efficient rationalization. It also plans to integrate data from third-party vulnerability scanning systems into the model for a more complete picture of gaps and risks. They also plan to record and report data losses due to process and technology failures or fraud to identify exposures before they impact the business. With the Modulo Risk Manager Web-based platform, the financial services company can easily customize and scale to meet the growing needs of the organization and integrate it with existing processes and technologies.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded Riskonnect RMIS and the State of Utah its 2013 GRC Value award in the Insurance & Claims Management category. Riskonnect RMIS’s fully automated insurance risk management software platform addresses insurance claims, litigation, exposure, and policy management.

The Utah Division of Risk Management (DRM) chose Riskonnect RMIS (risk management information system) to replace its legacy vendor's basic claim system. Within one year of implementation of Riskonnect RMIS the Utah DRM estimates it saved $1 million on reconciliation of insurance premium billing, and saw an 82 percent increase in efficiency in processing high dollar payments. Other short-term gains included:

• High-dollar payment process reduced from 17.1 days to one day
• Bill processing (acceptance/authorization/payment) reduced form 29.3 days to two days
• Complete integration of relevant risk data removed need for five hours per week of reconciliation between source systems
• Consolidation of the contact database produced significant reduction in resources because if its consistent, accurate linking to appropriate contacts for all risk-related activities
• Reduced time to generate current risk status reports and reduced travel time to home office, with remote Web access to risk system
• Reduction in fees for redundant systems of over $30,000

During the next five years, because of its Riskonnect RMIS implementation, the Utah DRM expects:

• More effective management and response to risk-related issues
• Improved ability to make decisions about risk, based on real data, not estimates
• Continued cost savings and efficiencies due to ongoing and expanded use of the Riskonnect RMIS system

The previous solution

The State of Utah Risk Fund managed by the State of Utah DRM insures State government agencies, school districts, institutions of higher education and charter schools. The fund insures more than $28 billion worth of property, 7,000 buildings, 13,000 vehicles and liability coverage for over 120,000 employees. The division also offers claims adjusting, loss control services, insurance procurement and policy management.

Before the Riskonnect implementation, Utah’s Risk Management division managed the process via a legacy system with limited functionality with multiple sets of disparate data. The system was incomplete and expensive.

Riskonnect RMIS, a comprehensive risk management work platform, includes a central repository to house previously separate databases and to easily incorporate workflow and automate business processes into the system. Qualitatively, the Riskonnect system provides substantially greater levels of confidence in the data and related processes. In addition, the reputation of the user group with its stakeholders is enhanced substantially because of the huge reduction in processing times. Additional savings continue to accrue.

New speed and agility and best of all, better data

The speed of responding appropriately to a wide range of risk related activities has greatly enhanced the reputation and support for the Utah DRM. In addition, the substantial increase in the quality of the related risk data has meant the negotiations with mitigation providers has been far better with significant savings in effort and price.

Being able to provide quality data for decision-making has been a huge benefit.  Utah DRM has been able to provide its insured entities and other interested stakeholders in real-time loss data that has been critical in management policies and priorities. Loss control activities can be targeted towards specific and current trends and audit queries are processed seamlessly.

The new system has given rise to new levels of agility. For instance, today changes in configuration can occur during a conference call — particularly changes in system reports. This means the Utah DRM can respond much more quickly and accurately than previously. Flexibility and ease of most system changes has been a significant benefit.

To the Utah DRM, the greatest strengths of the current approach is the new accuracy and consistency produced by integrated workflow, its built-in validation rules and the approval processes. Going forward, it expects resources can be freed up to focus more on risk decisions and less on day-to-day reconciliations.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded RSA® and Equifax its 2013 GRC Value award in the Business Continuity Management category. After implementing RSA Archer’s Business Continuity Management solution, U.S. consumer credit reporting agency Equifax experienced an immediate 60 percent reduction in time to create business continuity and disaster recovery plans, and a 20 percent OPEX savings for 2013.

Equifax expanded its use of the RSA® Archer solution in 2012 to include the Business Continuity Management (BCM) functionality, and it now also manages business impact analysis, business continuity planning and IT disaster recovery planning on a global scale. RSA Archer helps Equifax drive new initiatives on revenue and risk analysis; cross-reference business process related risk with the associated IT applications and service delivery to customers; and understand how each customer is potentially affected by long-term Equifax operations and systems outages.

Immediate and continued benefits of the RSA Archer solution include a standardized business process terminology that follows the ITIL model and allows Equifax to tie each process to an associated IT managed application; clean executive-level dashboards that show risk exposure and opportunities for investment; comprehensive impact analyses and plans; and risk data reports that the CFO can use to make informed decisions on risk management and risk investment.

During the next five years, Equifax projects additional benefits from the RSA Archer solution, including 20 percent OPEX depreciation and amortization savings from 2013 to 2016, 30 percent reduction in time to create business impact analysis reports (BIAs), business continuity planning reports (BCPs) and DR plans through ease of use of RSA Archer Business Continuity Management, and a substantial increase in overall maturity level of both BC and DR programs as measured by COBIT model against DRII 10 Professional Practices.

A mix of industry tools and spreadsheets

Before the RSA Archer solution was implemented in 2012, BCPs and BIAs were done with another industry tool. DR planning was performed in spreadsheets and word documents. In-depth analysis on the BCM program maturity was performed by an independent auditor in Q4 2010, and was followed up internally in 2011. The following challenges with the former BCM tool were documented in the findings:

• BC/DR tool could not scale to meet Enterprise Risk Management objectives
• No cross departmental standardization of BC/DR program or documentation existed
• No alignment of business process risk with IT application risk existed
• Overall BC/DR program maturity was not visible or measurable within the existing functionality

The RSA Archer Business Continuity solution has helped Equifax to reduce projected annual operational costs by $400,000.

New BCM efficiencies radiate through other processes

The RSA Archer Business Continuity Management process at Equifax is now sharing information from its BIA Risk assessments back to other GRC processes, which has had a positive impact on other organizational risk aversion efforts. Equifax is able to make risk decisions based on real risk assessment and BIA data rather than subjective input from business units, and business leaders can refer to dashboards in RSA Archer to get real-time status on the maturity of their respective BC and DR responsibilities within the enterprise BC framework, making processes simpler and less time-consuming. Consistent, intuitive layouts and workflows also minimize training efforts year-over-year, which have resulted in broader engagement and buy-in from business users.

Risk decisions are based on objective data that connect with BC and DR investments in the U.S., Argentina, Chile, and Canada with pending decisions in Russia and India. Users of the RSA Archer Business Continuity Management solution are complimentary of the process because it is far less time consuming for them to create plans and BIAs than in previous years. BC and DR teams are working more efficiently and now feel that they have more control over their own destiny due to a marked reduction in operational overhead. 

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded SAI Global and HealthPlus its 2013 GRC Value award in the Investigations Management category. With the help of the SAI Global solution called Compliance 360®, HealthPlus, a Michigan health and wellness organization, reduced its average days to complete investigations cases by 56 percent. Average days to complete cases has been reduced from nine days to four days. In spite of ever-rising caseload numbers, the SAI Global team was able to complete the implementation two months ahead of schedule.

Compliance 360 is a comprehensive software solution that streamlines the GRC process for organizations of all sizes and geographic diversity.  SAI Global’s Compliance 360 solution is designed to make compliance, risk and audit management easier, less costly, and much more manageable – even for organizations in highly regulated industries.  Compliance 360 is a highly configurable set of modules that help identify gaps and risks, eliminate duplicate efforts and easily maintain the records needed to demonstrate full control of compliance, risk and audit programs.

HealthPlus of Michigan (HealthPlus) provides customized, nationally recognized health plans that meet the needs of large and small employers, and families and individuals, through a variety of programs including Medicare Advantage and Medicaid. Organizations including HealthPlus that participate in Medicare and Medicaid programs face significant and unique compliance challenges. In this environment, the regulating entity is also the payer, providing funding for the services provided to health plan members. Because of this unique situation compared to other regulated industries, compliance gaps and breaches can not only result in fines and sanctions, but also in withholding of payments and termination of participation in the program.

A manual, inefficient system stymies a growing organization

Prior to 2011, HealthPlus was managing their cases using manual tools including an MS Access database and e-mail. With over 4,000 cases in the system, they were challenged with difficulty in managing and tracking case status and visibility when needed for escalation. They also needed to improve efficiency.

These objectives were very important in order to ensure rapid response and resolution of cases including allegations of fraud, waste, abuse, privacy, security and other compliance requirements. Failure to do so can result in increased scrutiny and potential fines for health plan organizations.

The Compliance 360 GRC System

The Compliance 360 GRC system from SAI Global was chosen to facilitate regulatory change management and incident management. In spite of an 8 percent increase in case volume in 2011, the implementation of Compliance 360, including the conversion of all cases and all user training, was completed two months ahead of schedule. The implementation at HealthPlus reduced the average days to complete cases by 56 percent. Average days to complete cases has been reduced from, from nine days to four days.

Overall, the system provides improved visibility and flexibility in the form of:

• Support for establishing standard and consistent processes through workflow automation
• Ability to ensure security of access to potentially sensitive information — very important in healthcare
• Monitor and report on trends based on incident types and utilize information to proactively initiate corrective actions for recurring issues
• Ensure a continual audit-ready state with all incidents, investigations and outcomes in a central system of record

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded SAP its 2013 GRC Value award in the Control Monitoring & Assurance category. When SAP was implemented at a large multinational beverage corporation, during the first year, the company was able to remove more than 4,000 invalid system IDs, implement a process to remove roles from users if the role is not used within 120 days, and decrease license maintenance costs by identifying and removing unused access assignments for users and roles.

SAP Access Control automates the process of detecting, remediating and ultimately preventing access risk violations. Automation with SAP Access Control extends beyond risk analysis to automation of user and role assignments with these features:

• Automatic detection and remediation of access risk violations across SAP and non-SAP systems
• Automated review of user access, role authorization, risk violation and control assignment
• Periodic access reviews and centralized closed-loop super-user management
• Process-embedded compliance checks and mandatory risk mitigation
• Self-service workflow-driven access requests and approvals
• Comprehensive audit trails of user and role management activities

The SAP Access Control solution is suitable for any business of any size that requires real-time visibility into their current risk position. Users can accurately manage reduce unauthorized access, fraud and the cost of compliance.

Moving from a scattered system to a precision tool

SAP Access Control's success with the leading multinational beverage corporation meant the company could move away from its legacy disparate provisioning processes spread over multiple systems. The old system had a lack of visibility, so the company could not get a handle on how roles were used or who held which roles – in fact, they had found that there were a high number of roles being maintained in the system that were no actually used by any users — thousands of inactive roles were removed from users, and about 4,000 unused system IDs were removed as well.

In the old system, it took two to four weeks to provision user access to perform their primary work tasks. The provisioning system was scattered across the enterprise in disparate systems, with little real visibility. This lack of visibility also meant the different parts of the business had poor awareness of the importance of identity and access management, and didn't have much involvement in the process.

A new solution that works, and drives down risk

This leading multinational beverage corporation has standardized their user provisioning and user access review processes, resulting in decreased time to provision access, decreased risk exposure, and decreased software licensing maintenance costs. The new system provides a sustainable process for measuring accurate access assignments, automation and consolidation of of processes, increased analytics for maintaining efficient user and role assignments and continued and increased insight and visibility to risk.

The new system decreases time to provision a new user from two to four weeks to about three days. This change in process also resulted in a decrease in the number of roles and users maintained by the system.

To prevent the buildup of unused roles and save on license maintenance costs, the system implemented a process to remove roles from users if the role is not used within 120 days. The beverage giant was also able to sunset a number of tools be moving to one standardized provisioning process.
Standardization of processes areas made possible by the SAP Access Control solution brought efficiencies and effectiveness. Risks are addressed in a more controlled manner, and provides increased visibility and insight into risk across multiple systems. Standardized processes also improved decision-making abilities and increases users' ability to do their job in a timely manner due to decreased provisioning time.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients