Considerations When Purchasing GRC Solutions

As a market research analyst, I get involved in a lot of inquiries and interactions with organizations looking to purchase GRC solutions.  On average, GRC 20/20 handles about five interactions a week – some weeks more and some weeks less.  These can range from simple questions via email or phone to detailed help in writing and managing RFPs.

Please note: I define GRC (governance, risk management, and compliance) as a broad market with a lot of different types of solutions in this market.  While there is a concept of a GRC platform, most the vendors in the space are very focused.  The GRC solution market has over 500 providers in it and some are very specific to areas of quality, environmental, health & safety, security, legal management, and more.  However several solutions market themselves as platforms that tie a view of compliance, risk, audit, policy, and incident management into a cohesive information and technology architecture (whether this is reality or fiction is the focus of my points below).  Some use the term GRC some do not – the discussion I give below is valid across the range of focused solutions to enterprise GRC platforms.

Over the past twenty years I have seen a number of mistakes and issues organizations have made in purchasing GRC solutions, and have noted many considerations when organizations evaluate and select solutions.  Organizations are best served to keep the following points in mind when looking to purchase a GRC solution (these points are items to keep in mind and not meant to scare you away from solutions, there are great solutions out there – but all are not equal is the point) . . . 

  • Is that really a feature?  Some solution providers will promise you the world and then after they close the deal inform you they have to build it.  I have seen some amazing shenanigans in this market – which should alarm you, as an aspect of GRC is ethics.  I have encountered situations in which solution providers tell you they do something when they do not and inform you they have to build it after you have signed a contract. In fact, there are times I have found solution providers doing demos when the demo they are showing is not their solution.
  • Field of dreams.  Many solution providers will woo you with how flexible and configurable their platforms are.  They will captivate you with possibilities of customization and configurability.  After all they have the most magical solution that you can do anything with – buy it and the rest of the organization will align.  The truth is that some of these solutions lack specific depth in given GRC areas and love to take on long services engagements to build out and deliver.  One organization that I provided RFP support for chose a leading GRC solution against my recommendation.  I told them it would be over budget and well out of bounds of project timelines.  They told me two years later when they were just starting to roll it out (seriously two years of building the GRC field of dreams) that they wished they had listened to my advice.
  • Feature or customization?  Related to these first two points is the common promise of a solution provider to say they do anything – after all they have a platform that you can build anything upon.  A recent interaction illustrates this.  A financial services organization had two different solutions doing an aspect of GRC (3rd party management).  There was a push to standardize on one solution provider.  One had a specific feature to do vendor self-registration; the other stated they could do that too.  When you pushed the other solution you found out it was not a feature and would require services to build out and the last organization they built something similar for took six months to build.  
  • Customization breaks things.  I have seen many organizations struggle because they bought into the GRC field of dreams that they can build and customize the solution.  The field of dreams became a trap – a sticky pit of tar that is impossible to get out of. After significant investment in customization many have discovered that upgrades break things.  At a GRC workshop I taught this past year I had several attendees present wanted to pour forth with their rants in how their GRC solution has not served them, cost them more in services than could be imagined, takes so many FTEs to manage, and customizations hindered upgrades. Others in the room had wonderful experiences with other solutions.
  • Be careful with references.  Solution providers always have a great set of references (OK, nearly always – I have been on a few calls where the references did not have anything good to say about the solution provider . . . those are always very interesting).  When a solution provider gives you a reference understand that they are most likely giving you the decision maker – the person that made the purchasing decision.  This person is paraded at the solution provider’s events and in materials.  The decision maker stands behind their decision and loves the lime light of publicity¬ — basking in the praise of how wise they were to choose this solution.  Talk to these references but ask them the hard questions – insist they answer; there is not perfect bed of roses.  More importantly, be polite but ask to talk to someone on his or her team that uses the solution.  You will often find that the people in the trenches using the solution every day have a completely different story to tell. And NEVER talk to the reference with the solution provider present and on the phone.
  • Do not solely rely on major analyst reports. For full disclosure I spent seven years at Forrester and wrote the first two Forrester GRC Waves and ERM Consulting Waves.  Gartner and Forrester tend to have an IT bent that fails to connect with those looking for solutions for problems outside of IT.  The biggest issue is the Wave and Magic Quadrant itself (note, Gartner has stated they are going more broad with use cases to address this in the future).  You cannot represent the market in a single two-dimensional comparison of solutions.  The solution provider in the upper right may be a worse fit for you than the provider in the lower left.  In fact, the provider that is not even in the report may be the best fit for you.  These reports cover up to 20 solution providers in a market that has hundreds. The threshold to get in these reports means only a very few get covered.  
  • GRC platforms and the lowest common denominator.  There are many solutions that tell you they can do everything including solving world hunger.  Be careful in where you put your faith in a GRC platform.  I do believe there can be a core platform that provides the backbone of GRC management and integration – but that is not the end all of GRC.  I have not found one GRC solution provider that excels or even delivers on all aspects of GRC.  You run the risk of forcing the organization to one view of GRC and requiring everyone to use the same approach.  There are great and flexible solutions in the market, but there are also handicaps in any solution.  Think of GRC architecture instead of platform.  There can be a core backbone but you may need to integrate different technologies to achieve the GRC strategy, process, and information architecture needed to optimize value to the business.
  • Be careful of department solutions masquerading as enterprise.  There are dozens of GRC solution providers telling you they are an enterprise GRC platform – not all are the same.  Some are departmental solutions that were never designed with the enterprise in mind. I had one financial services executive on a panel at a conference that stated the board never wants to see a risk report again from their ‘leading’ GRC solution.  The solution was designed for a department and then moved to market an enterprise platf
    orm.  The issue is that it lacked any idea of risk normalization and aggregation.  What was one department’s high risk was another department’s low risk.  The result was a mess.  Different departments need their risk scoring scales with rules for risk normalization and aggregation for enterprise reporting – many do not do this well.  Some ‘leading’ GRC solutions address this directly, others tell you they do but it is not designed into their product and takes a year of services to configure, and others do nothing about it.
  • Consider intuitiveness.  I know many organizations right now struggling through the pains of the complexity of their GRC solutions.  Some of the leading providers in this space have a lot of features but using the system takes a PhD in chaos to begin to make sense of.  When approaching GRC solutions make sure that you really do your evaluation of the intuitiveness and ease of use of solutions.

I could go on with more – but that is probably enough to digest for now.  Please share your comments and experiences below for the benefit of all (solution providers, readers do not want product pitches so please avoid those in comments).  My thoughts are notes of caution in evaluating solutions.  There are great GRC solutions in the market – and the right solution for one organization is not the right solution for another.  GRC 20/20 is here to help sort this all out – that is what we do, market research.  We are not a consulting firm but an market research/analyst firm.

Expanding Role of Audit Stretches Resources and Capabilities

The role of the audit is taking on greater significance to guide the enterprise beyond traditional attitudes about financial controls; toward assuring that the organization is managing risk appropriately and meeting obligations across a range of high-risk business processes, operations, and regulatory requirements.  Today’s audit department must have a full understanding of the risks the organization faces and how they relate to each other across processes and activities.  The auditor must be able to rely on well constructed and performed evaluations of risk management, control, and governance processes to provide assurance that controls are designed appropriately and operating as designed.  The Chief Audit Executive is challenged to provide help to lead the organization to higher levels of performance while assuring the Board and stakeholders that the organization can both anticipate adverse events and take full advantage of opportunities that will help it meet its objectives.

Over the past two decades audit has changed.  Audit still has a strong focus over financial risks and controls over financial reporting.  However, the role of information technology audits has seen steady growth for the past fifteen years.  Today, audit is being challenged to cover enterprise risk management, a broad array of operational audits, increasing regulatory compliance audits, and expanding demand for 3rd party (e.g., vendor, supplier, agent) audits across a dynamic and distributed business. Therefore audit itself needs to have a strategy that encompasses both the dynamic need for audits as well as the planned and cyclical. There is growing interest in dynamic audits – but the best approach is a hybrid in which there are regularly scheduled and planned audits yet there are resources available for the dynamic needs of business for audits when risk and situations require them. This grows particularly challenging as business is constantly changing and distributed across a mesh of business relationships.  Providing assurance to stakeholders in the modern organizations has become a real challenge to audit and has increased audits role and visibility while stretching its resources.  To effectively manage audit requires new paradigms in managing audit, audit processes, analytics, and the role of technology to make audit successful.  

The issues facing audit are more challenging than ever before.  The audit department is being asked to do more audits across more areas of business operations with limited resources.  It has become an ongoing challenge to document and maintain auditor skill sets, develop and deliver audit work papers, and provide assurance across business operations and relationships.  The business has grown in diversity, complexity, and processes that challenge audit to build an audit program that is sustainable, efficient, effective, and agile to the needs of a distributed and complex business environment.  The need for resources and tools to drive efficient and effective audits through audit analytics of vast sets of data further adds to the challenges facing audit.

Audit needs to provide assurance and lead the organization to align and provide assurance on the governance, risk management, and compliance (GRC) strategy by understanding, communicating, and providing assurance on the risks the organization faces as well as the importance of including the audit interaction across GRC related activities. Audit needs to be prepared to: 

  • Articulate to the Audit Committee and the full Board why having a clear and conformed view of risk across the enterprise is critical to providing assurance
  • Demonstrate how strong objective, independent assessments and audits can be used to evaluate all aspects of performance from strategic to financial and operational 
  • Communicate the need for dynamic audits alongside cyclical audits in coordination of a complex web of related risks impacting an expanding array of dynamic business operations and relationships 
  • Influence other key functional executives to align with audit’s risk and audit strategy and the organization’s achievement of business objectives 
  • Collaborate with other GRC executives as well as business operations in developing auditable processes that allow for measurable evaluation of effectiveness and efficiency
  • Assure the executives, the board, and other stakeholders that controls are in place and operational to prevent adverse effects from identified risks
  • Help the stakeholders appreciate how audit aligned risk management can protect and grow value to the organization
  • Deliver to the executives and the board clear and reliable information about risks that will drive strategic decisions and future outcomes 
  • Allocate limited resources to audits and controls evaluations to provide assurance 
  • Utilize technology to maximize these limited resources that have ever increasing demands for more audits in expanding risk, regulatory, and business environment that is constantly changing.
  • Address need for audits and audit analytics that do not disrupt operations, and have coordinated schedules and content 
  • Provide for improved efficiencies and reduced risks throughout the extended enterprise

Equipping Audit to be Ready for the Challenge Before It

The demand upon audit to do more with limited resources is a daunting challenge.  Internal auditors have the skill set, interest and focus to be able to look at things in a measurable way across the business and its operations.  Audit has a broad understanding of many facets of the organization. However, audit has limited budgets and resources available to assess controls across business processes and relationships and therefore needs to be able to efficiently manage assignments and resources to provide the greatest value to the organization. This is particularly challenging in a dynamic business environment. If the audit function is not consistent and measurable, audit will have trouble assessing processes and provide assurance to the Board. 

To address this complex web of challenges, audit needs an  approach that drives an integrated and coordinated effort of audit management and analytics across the organization and its audit plan. An audit plan that has the flexibility to met the needs of dynamic audits when needed, but allows for the cyclical and routine as well. This includes the ability to:

  • Define and manage the “audit aligned risk universe” – consisting of an alignment of audit with enterprise risk in which audit plans are prioritized by risk allowing for dynamic audits as the organization encounters greater risk exposure in areas or reacts to events.  
  • Plan and manage a flexible five-year audit plan from which annual audit schedules are prepared. Including ability to plan and schedule routine/cyclical audits. Yes, the business needs audit resources for the dynamic audits more than ever – but the need for the cyclical will remain as well as there are some audits that are routine and just have to be done.  The audit plan is critical to ensure that cyclical audits get done but is more important to ensure that audit also has resources available for the dynamic audits that come up. 
  • Prioritize the audit by risk and support a risk-based approach to auditing that is driven by the enterprise risk register with the ability to auto-populate the audit plan with data from corporate and divisional risk registers.
  • Estimate total resources (e.g., labor hours, cost and manpower) required to complete an audit based on estimated time required for each audit engagement in the audit plan.  
  • Define and manage detailed checklists and tasks
     for each section and sub-section that need to be performed for executing the audit along with evaluation and pass/fail criteria.
  • Schedule audits with the ability to monitor audit tasks, send appointments, define and track requirement dates. 
  • Break audits into parts and assign to different groups/individual auditors with the ability to distribute audit tasks to internal and/or external auditors
  • Create, store, and share standard audit workpapers, checklists, and questionnaires with ability to assign a weight factor to the items or sections on the audit checklist.
  • Send audit questionnaires and monitor their completion and record information received.
  • Provide mobile capabilities to allow auditors to enter findings in remote sites and deliver agility to conduct audits when and where needed..
  • Maintain a library of workpaper templates, customize workpapers, and manage changes to the structure of audit workpapers managed to respective templates.
  • Track the status of the audit and measure progress against milestones including the capability to assign staff to audit projects and specific tasks and manage/monitor them through completion.
  • Monitor and measure audit metrics: who worked on an audit, progress of audits, time spent on an audit, and remaining time needed to complete an audit.
  • Map risks, obligations, and audits to policies, internal controls, operational processes/maps, system assessments, system scans, system screen shots, vendor documents or other supporting documents to audit workpapers and questionnaires.
  • Provide integrated audit analytics across a wide spectrum of information to provide assurance and insight on processes, operations, and transactions across the business and the state of control of the same.

The bottom line: This is not your father’s audit program.  Audit today is different than it was twenty to thirty years a go.  Today’s audit department has growing demands to do more audits across operations and relationships while still being constrained by limited resources to fulfill these demands.  To effectively conduct audits, efficiently manage limited audit resources, and meet the agility required of a dynamic business environment requires a top-down approach to audit that is driven by risk-based priorities and technology is utilized to manage resources, analyze data, and streamline audit operations.

GRC Federalist Papers: A Call to Action

Business is complex. Gone are the years of simplicity in business operations. Exponential growth and change in risk, regulations, globalization, distributed operations, processes, competitive velocity, business relationships, disruptive technology, technology, and business data encumbers organizations of all sizes. Keeping complexity and change in sync is a significant challenge for boards and executives, as well as governance, risk-management, and compliance professionals (GRC) throughout the business. 

GRC cannot be managed in isolated silos that lead to the inevitability of failure. This is what I call ‘anarchy’ architecture where decentralized, disconnected, and distributed GRC processes catch the organization off guard to risk and exposure. Complexity of business and intricacy and interconnectedness of GRC requires that we have an integrated approach to business systems, data, and GRC processes. However, the opposite is also a challenge: ‘monarchy’ GRC architecture. In this approach the organization takes a one-size-fits-all approach to GRC and tries to implement GRC processes through a single GRC platform all are required to use. This forces the organization to adapt and manage GRC to the lowest common denominator. 

The challenge for organizations is how to reconcile homogeneous GRC reporting, risk transparency, performance analysis, and compliance with an operating model that is increasingly heterogeneous as transactions, data, processes, relationships, mobility, and assets expand and multiply. GRC fails when risk is addressed as a system of parts that do not integrate and work as a collective whole. GRC fails when it is thought of as a single platform to manage workflow and tasks. GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach. 

In the end, GRC architecture, and particularly technology, should not get in the way of business. The primary issue is overhead in extensive services and technology implementation to integrate and develop massive GRC implementations that end up slowing the business down and delaying value (if value is ever achieved). The problem is that by what GRC vendors call integration they really mean consolidation, replication, and redundancy. There is a huge gap between being functional and agile. 

Organizations should aim to define a GRC architecture that effectively reconciles organization strategy, process, information, and technology into what I call a ‘federated’ GRC architecture that enables oversight, reporting, accountability, and analytics through integration with business processes, data repositories, and enterprise systems. Let GRC work with and throughout the business and not force parts of the business into a mold that does not fit. Allow for diversity while providing integration, discipline, and consistency. Note the word “centralization” is being avoided. To “centralize” immediately imposes alien constructs that undermine agility. Federated GRC goes beyond functional to be agile and valuable to the business by delivering a harmonious relationship of GRC and the business. GRC is to enable enterprise agility by creating dynamic interactions of GRC information, analytics, reporting, and monitoring in the context of business. Federated GRC enables agility, stimulates operational dynamics, and, most importantly, effectively leverages rather than vainly tries to control the distributed nature of the modern enterprise.

This blog article is part of the OCEG GRC Illustrated Series that GRC 20/20 is engaged as a thought leaders and designer: The Federated GRC Approach

Our Perspective

Our Perspective on the GRC Market and GRC Solutions

The GRC market is a macro-market that encompasses several smaller market segments.  Major analyst firms treat the GRC market as a micro-market they think can be rolled-up and covered in a two-dimensional plot comparing less than 20 solutions.  Their market model and sizing is nothing more than adding up projected revenues for a small group of select vendors and perhaps making some adjustments.  This is absurd. GRC solutions and services are varied and have a variety of functions. The major analyst firms have it wrong. The GRC market cannot be defined in a single comparative report with a two-dimensional graphic. GRC 20/20 understands this and helps organizations perceive the panorama of issues and challenges organizations face and identify the right solutions to meet their specific requirements.

GRC 20/20 has mapped over 500 solution providers into our GRC market model that is broken into segments and sectors.  We are the ONLY market research and analyst firm monitoring market size, demand, growth, and trends at both the sector and segment level, in addition to the high-level roll-up of the GRC market.  We specialize in differentiating solutions on their value and capabilities within segments of the GRC market and not just paying attention to a few. 

GRC 20/20 specializes in the details of the GRC market. We help buyers of GRC solutions to identify the solutions they should consider given their specific requirements. Whether it is criteria for RFPs in specific areas of GRC to broad solutions that provide the backbone of an enterprise GRC architecture – we deliver depth. On the other side, our insight enables solution providers to hone their product, service, marketing, sales, content, partner, and growth strategies to move from being good to being great.  We help solution providers to understand their competitive differentiators and how to win deals and articulate value in how they make clients more efficient, effective and agile.

GRC 20/20 is focused on delivering high-value relationships with GRC solution provider clients. Services are typically ¼ of what major analyst firms charge and value is achieved through personal accessibility to get you answers when you need them. GRC 20/20 wants to be part of your team and not some cloistered ivory tower that is hard to contact and even harder to connect to.  Working with GRC 20/20 is about engagement – to be an objective and independent advisor while still a part of your team. 

Our Differentiators

Our Differentiators

GRC 20/20 is collaborative.  We like to roll-up our sleeves and get involved in details.  We thrive on interaction and engagement.  To be successful in understanding and predicting the GRC market requires that we listen and learn and not merely pontificate and make ourselves untouchable.  Unlike major market research and analyst firms, we recognize the need to involved.  

GRC 20/20 is:

  • Affordable.  Our rates are comparable to an experienced consultant rather than of major analyst firms who charge more than high-end Wall Street attorneys.  Organizations do not need to pay $1,000+ an hour for analyst time; that is robbery, and in some cases extortion.  GRC 20/20 is often ¼ the cost of major analyst firms.
  • Deep. The GRC market cannot be represented in a single two-dimensional comparison of a handful of select GRC solutions. We are the only market research firm to provide detailed buying criteria, comparisons, market sizing, and growth for the entire GRC market as well as specific segments of the GRC market covering more than 500+ solutions.
  • Pragmatic. We understand that organizations have a range of GRC roles and processes focused on aspects of governance, risk management and compliance.  While an enterprise GRC strategy and architecture is ideal, most organizations are addressing department needs as well as specific risk and compliance issues and must learn to crawl before they can run. 
  • Grounded. GRC 20/20 prides itself on analysts with real-world experience from the trenches of organizations.  We know what works and does not work as well as how to get the job done. Our analysts do not sit back in cloistered offices and avoid getting involved in the real world.
  • Collaborative.  Collaboration requires engagement in discussion, debate, and thought leadership in GRC professional communities and associations.  GRC 20/20 actively engages organizations, non-profit associations, solution providers, professional service firms, and others in research collaboration to gain perspective and clarity into aspects of the GRC market.  This breadth of interaction feeds into our market models, advice, and forecasts. 
  • Reachable.  We are easy to access.  Clients of GRC 20/20 can call, email, text / message, tweet, Skype, or use a palantir (should you have one) to get answers when they are needed.  We offer complimentary inquiries/answers to GRC purchaser questions on strategy and solutions to provide the clarity they need to take the next step.  GRC 20/20 fields hundreds of buyer inquiries each year looking for GRC solutions and services to address a range of GRC challenges from broad to specific.
  • Transparent.  GRC 20/20 represents and works with the ecosystem of buyers as well as GRC solution and service providers.  Our revenue comes from a mixture of these elements and we are fully committed to objectivity in research and not afraid to disclose our relationships or criteria on how we recommend and evaluate solutions. We evaluate GRC solutions using transparent, consistent, and objective criteria. 

Business Agility Across the Extended Enterprise

No company is an island. Organizations are a complex and diverse system of processes and business relationships. Risk and compliance challenges do not stop at traditional organizational boundaries. Organizations struggle to identify, manage, and govern extended business relationships. The challenge is: “Can you attest that risk and compliance are managed across extended business relationships?” An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak oversight. 

Organizations tend to look at the formation of a business relationship and fail to foresee that issues cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship. They make two common mistakes: 

  • Risk is only considered during the on-boarding process: Risks in extended business relationships are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies. This approach fails to recognize that additional risk is incurred over the life of the business relationship. 
  • Partner performance evaluations neglect risk: Metrics and measurements often fail to fully analyze and monitor risk. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations. 

Organizations need an integrated approach to third-party management that brings together people, process, and technology to deliver not only efficiency and effectiveness but also agility. The building blocks of an effective, efficient, and agile third-party management program are: 

  1. Define Your Program. The first step is to define the third-party management program. While an individual needs to lead the program it also necessitates that different parts of the organization work with this role. Defining your program includes understanding board oversight and reporting for third-party risk and compliance and a cross-functional team to ensure that the operational, reputational, and compliance risks in business relationships are appropriately addressed. This team needs to work with the relationship owners to ensure a collaborative and efficient oversight process is in place. 
  2. Establish Framework. The third-party management framework is used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships. The framework starts with developing a list of third-party relationships cross-referenced to risks and regulations affecting those relationships. A framework is an organized set of controls used to measure compliance against multiple risks, regulations, standards, and best practices. 
  3. Onboarding. Evaluation of risk and compliance needs to be integrated with the process of procurement and vendor/supplier/partner relations. A business relationship is to be evaluated against defined criteria to determine if the relationship should be established or avoided. When there is a high degree of inherent risk, but the relationship still is necessary, manage the risk within tolerance level by establishing compensating controls and monitoring requirements. 
  4. Ongoing Monitoring. A variety of environmental and geo-political factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. The potential risks relevant to each business partner should be taken into consideration to monitor the health and success of business relationships on an individual and aggregate level. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships. 
  5. Resolve Issues. Even the most successful business relationships encounter issues. These may arise from quality, health and safety, regulatory, environmental, business continuity, economic, fraud, or legal and regulatory mishaps. The fallout from incidents is exacerbated when everyone scrambles because nobody developed defined action and resolution plans ahead of time. Management of risk across extended business relationships should account for issues and plan for containment, mitigation, and resolution. 

Manual spreadsheet- and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships. 

Third-party management is enabled at an enterprise level through implementation of an integrated third-party management platform. This offers the adaptability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third-party management platform enables the organization to effectively manage risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. 

This blog article is part of the latest GRC Illustrated Series: Integrated Third-Party Management

2014 GRC Drivers, Trends & Directions

I trust the New Year is off to a great start and your governance, risk management, and compliance (GRC) initiatives are fruitful.  Myself, I have been quiet in communications this last month wrapping up 2013 projects, redoing much of the www.GRC2020.com website, and planning for 2014.

It is important to note that every organization does GRC.  Every organization has some approach to governance, risk management, and compliance processes.  These may be siloed or integrated, centralized or federated.  They may be fly by the seat of your pants or defined and disciplined.  GRC is not just technology; it is about people, strategy, process, information and technology.  GRC maturity is measured by how this is integrated, aligned with the business, and provides business value.  GRC is not only about a strategy that spans the enterprise – GRC happens in different departments and functions throughout the business.  There are top down enterprise-wide GRC initiatives, but a lot of GRC happens in the trenches throughout the organization in disconnected departments.

As with any New Year initiative – it is good to be forward looking to see what the future beholds us in GRC.  As a market research analyst I dust off my palantir (that is a crystal ball for the non-Tolkien enthusiasts) and tell you what is important for 2014 as we look ahead.

The future depends on the past and the events that drive us toward the trends that lay before us. The drivers impacting organizations to improve their GRC related processes are:

  • Rapid pace of change. Business itself is changing rapidly (e.g., employees, partners, technology, processes, strategy).  Risk environments are changing (e.g., geo-political, financial, environmental, competitive). Regulatory and legal requirements are changing.  Trying to keep business, risk, and regulatory change in sync is not easy.  The greatest challenge for GRC is to coordinate all of this change and ensure that the organization achieves its objectives while addressing uncertainty and acting with integrity (see blog:  Tracking Change that Impacts Policy).
  • Increased risk, regulation, and scrutiny.  Not only is risk and regulatory change happening faster than organizations can keep, risk, regulations, and scrutiny of business governance and operations are also increasing.  This results in an exponential GRC impact on organizations as we manage increasing new risk and new regulation in an environment where existing risk and existing regulation is also rapidly changing.
  • Extended enterprise adds layers of complexity.  It is one thing to manage all of the change bearing down on business in a contained environment.  When you begin to think of the hundreds to thousands to tens-of-thousands of business relationships impacting the organization you face GRC terror.  Suppliers, vendors, outsourcers, service providers, contractors, agents, temporary workers, partners . . . they all impact your business (see blog:  Growing Risk Exposure in Business Relationships).  Your risk and regulatory issues are their risk and regulatory issues, however you are the one left in the spotlight when things go wrong and fines are imposed and your organization is on the front page of news in a negative way.
  • GRC addressed in silos.  We talk a lot about Enterprise GRC.  It is a great idea – how perfect the world would be if we had one single integrated view of GRC information and processes.  Reality is different.  Organizations have GRC processes and data scattered across the organization with several “GRC platforms” installed.  Sort of makes you think of the ERP world.  We talk about how wonderful business will be with one instance of ERP when in reality the organization has several.  Right now 80% of the spending on GRC solutions happens at the department or issue level and less than 20% on top-down enterprise GRC strategies. Some of the 80% is moving toward the enterprise view but are still on the journey.
  • Herding cats.  There are those that have vision for an enterprise approach to GRC and bringing everything together.  Many times these roles are a voice crying in the wilderness.  Worse, there are several with a vision but internal political strife rises within the business over who controls enterprise GRC strategy.  Needless to say, getting people on board and cooperating is a lot like herding cats (see my favorite cat herding video).
  • Multiple GRC solutions in house.  As stated, most organizations have many GRC solutions in house.  Some are home grown, others are commercial software.  Every week I am told how such and such a vendor is the GRC platform for some organization and I reflect back to last week when someone else told me they were for the same organization and the week before that . . .
  • Documents, Emails & Spreadsheets. Oh My!  Despite multiple solutions in house, much of the business is still struggling with manual and document centric approaches to aspects of GRC.  Yes, some solutions have been purchased – but many areas of GRC are still encumbered by the inefficiency and ineffective use of documents, spreadsheets, and emails (see blog:  GRC Spreadsheets, Documents & Email, OH MY!).  Not to mention that this approach is often not defensible in a growing legal landscape that requires auditable and defensible GRC.
  • Policies are a cornerstone to successful GRC.  There is growing awareness that policies are the cornerstone of a successful GRC initiative whether focused on a specific issue, department, or enterprise.  Policies need to be properly written, communicated, and maintained.  They address risk, define how to comply with obligations, and establish culture (at least properly written, managed, and enforced policies).  Policies are essential to successful GRC.
  • GRC to the scale of ERP cost and complexity. Every week I am hearing the weeping from organizations as they tell me tales of GRC initiatives that are burying them. Monstrous and costly initiatives that are over budget and past deadlines.  I taught a workshop in 2013 in which I had to rein attendees in three times throughout the day as they wanted a GRC psychiatrist to listen to their PTSD stories of GRC implementation. Ironically, the GRC solution providers are not the only culprits for selling complex and cumbersome GRC initiatives; large consulting firms that love the services revenue from these projects also drive it. I had one client I helped with an RFP (who chose a solution against my recommendation) tell me it took them two years to roll out and was significantly over budget . . . they now wished they had listened to me.
  • Unintuitive and difficult to use GRC solutions. I am regularly told about the frustrations on easy of use of GRC solutions.  Many of the leading GRC solutions are very complex, lack intuitiveness and ease of use, and have dated interfaces. Interesting, you talk to some vendor references and you hear glowing reports.  However, these references tend to be the decision maker who is thrilled to be paraded at conferences, given press, and like to bask in the light of their ever so wise decision of a GRC solution.  Instead, if you talk to the users of the platform in the same organization you often get a completely different point of view.
  • Major analyst firms offer poor GRC advice.  The GRC market is a macro-market with a lot of segments.  It includes categories like risk management, audit management, compliance management, policy management, security, health
    and safety, and more.  You cannot collapse this market into a two-dimensional graphic that gives a perception of leaders and losers.  There are 500+ solution providers GRC 20/20 tracks in the market and the major analyst reports only cover 10 to 20.  The last Forrester GRC Wave I wrote in 2007 before going independent had four different Wave graphics, as the market was complex then. Forrester is in retreat.  Subsequent Waves went to one graphic.  Now they are collapsing two separate Waves (IT GRC and Enterprise GRC) into a single Wave graphic.  This does not make sense and organizations are frustrated.  I had one large organization tell me that they do not think Gartner could spell FCPA as they had no clue and kept throwing broad GRC platforms at them with no context of how it addressed anti-bribery and corruption (see blog: Gartner GRC Magic Quadrant Rant, Part 3).

Before I get to the GRC trends that spring from these GRC drivers, I want to address the GRC naysayers.  I use the term GRC broadly to bucket a range of terms and approaches to risks and regulations.  GRC includes ERM, and some would define ERM the way I would define GRC.  So the issues listed above are not the result or because of GRC.  I can do a find and replace of GRC with ERM and we have the same truth.  These are acronyms that cover a wide range of processes, information, and approaches.  The pain expressed above is the growing pains of maturity in GRC, ERM, and many other acronyms and terms we use.  It is the result of misguidance from major analyst firms and organizations taking on more than they can accomplish.

The answer to the pain that is burdening organizations in the GRC drivers above are the trends that are happening in the GRC market and will be reflected in GRC 20/20’s research throughout 2014.  These trends are:

  • GRC by Design.  Organizations are realizing they cannot buy GRC.  You cannot go to a vendor and buy a platform and get GRC and bring it home to the office.  Successful GRC is an architecture (see blog: The Rise of GRC Architecture in GRC 3.0).  It requires design and planning.  It requires structure.  There will not be one GRC platform that solves all your problems. There can, and often should, be a core GRC platform that is the backbone of GRC integration, processes, and reporting.  However, there are solutions that are built for very specific purposes of IT security/GRC, health & safety, quality, matter management, and more.  All these are in the GRC space – but one platform does not do all these categories well. Mature GRC requires a strategy that applies architecture design to GRC processes (aligned and integrated with business processes), information, and technology.  This is GRC by Design.
    • Over the course of 2014, GRC 20/20 will be working on a series of research on GRC by Design supported by research on Audit by Design, Compliance by Design, Risk by Design, and more.
    • The GRC 3.0 Marketecture is a representation of the GRC market across a range of categories. There are over 500 solutions in the GRC market that GRC 20/20 maps into the GRC 3.0 Marketecture (e.g., there are 81 policy & training management solutions, 75 3rd party management solutions).  This is coming together in the GRC Directory being launched in February on the www.GRC2020.com website.
  • Measuring GRC Maturity & Building a Business Case. The first decade of GRC solutions and strategy is past and we are in the maturing phase.  Organizations are looking to compare themselves and demonstrate maturity against peers.  They are looking at how do we articulate the value of GRC and build a business case for improvement.
    • GRC 20/20 is supporting this trend through our GRC Benchmark projects that includes a GRC Benchmark for enterprise GRC as well as focused benchmarks on policy, risk, audit, and compliance.
    • Further, our 2014 research will have a series of pieces on GRC Archetypes that define the different approaches organizations can take, how maturity is measured and value articulated, and building a business case for improvement.
  • GRC Intelligence & Analytics. To manage the amount of change impacting organizations requires intelligence. This is more than raw data, but the integration (and not necessarily consolidation) of information to bring knowledge and insight.  Much of this intelligence is in information sources feeding information on regulatory change, geo-political risk, environmental factors, financial risks, world developments, 3rd party screening and due diligence.  The organization needs to integrate a changing business with changing risk and regulatory environments.  This requires that organizations rethink GRC data and have the ability to integrate multiple sources of data for analysis and reporting.  It also requires us to rethink how we address Big GRC Data.  Monolithic and expensive GRC data warehouses are not necessarily the answer, nor are they needed.  It is a matter of connecting the right information sources where they are at – harvesting what is needed – and bringing together this information into actionable GRC intelligence.
    • GRC 20/20 is supporting this trend with a variety of research and projects focused on GRC information and data architecture and reporting.
  • Getting a Handle on the Extended Enterprise.  This is the fastest growing segment of the GRC market (currently has 76 solutions in it that GRC 20/20 tracks to size, segment, and forecast this market).  Organizations are struggling with issues like conflict mineral compliance (see blog:  Where does conflict minerals fit into your broader 3rd party GRC strategy?), social accountability, privacy, security, code of conduct, ethics, environmental responsibility, health and safety, quality, and more.  They are looking for integrated solutions that help them manage risk and compliance across their 3rd party relationships (see blog:  3rd Party GRC: Business Agility in a Dynamic and Distributed Environment).
    • GRC 20/20 will be releasing our Market Landscape and Buyers Guide for 3rd Party Management solutions shortly as soon as infrastructure work on the www.GRC2020.com website is complete.
    • GRC 20/20 is also managing the design and layout of the OCEG GRC Illustrated series on 3rd Party Management.  The first illustration is complete and published and work has begun on the 2nd.  This will come together in an eBook later this year.
  • Getting Your Policy House in Order.  The busiest segment of the GRC space for GRC 20/20 has been policy management.  Throughout 2013 GRC 20/20 has been actively involved in many RFPs and GRC buyer inquiries looking for policy management solutions.  The trend is toward enterprise policy management. There is growing demand for platforms to manage policies across the enterprise.  2014 is showing a whole new range of RFPs just starting to open up in enterprise policy management (as noted above, there are 81 solutions in this space).  Organizations are being held under greater regulatory scrutiny for how they manage and communicate policies and find that their current approaches do not provide a defensible position when under legal and regulatory scrutiny. Organizations are also looking for guidance on how to build a business case and articulate value of policy management.
    • GRC 20/20 has a lot of published research in this space and will be updating
      much of it in 2014.  We have a policy management business justification and value tool we use with organizations to articulate the value of an enterprise policy management strategy and a policy management benchmark as to tell them how they compare to their peers in maturity.
  • The Year of the GRC David/Underdog.  There are lots of solutions in the GRC market.  Some focused on very specific issues (e.g., FCPA, conflict minerals, PCI), others on departments/roles (e.g., IT, audit, compliance, risk), and some are solutions that transcend across a range of departments and address a variety of issues.  Many, in fact the majority, cannot be found in major analyst reports.  With growing frustration with large complex GRC projects that under deliver, are over budget, and have missed deadlines, organizations are becoming more interested in the new breed of GRC solutions.  There are some great solutions that offer very elegant and intuitive user interfaces that are easy to deploy and use (see blog: Employee Engagement in the Context of GRC: Bringing GRC to the Coal-Face).
    • GRC 20/20 is covering the range of solutions in the GRC market from the established major players that have been racking up market share and brand recognition for years to the nimble start-ups that offer a fresh perspective on GRC technology and ease of use.
  • Growth in GRC Software as a Service.  Related to the previous point, GRC 20/20 is seeing a massive and growing interest in Software as a Service (SaaS or cloud) for GRC.  Yes, we still have security naysayers that seem to want to shut down the cloud.  The reality is that some of the most sensitive business information is in the SaaS cloud.  Most board portal solutions managing board papers, calendars, and board voting is cloud-based.  GRC 20/20 is seeing significant growth in cloud-based solutions for legal matter management and many other sensitive areas of GRC.
    • GRC 20/20 is committed to publishing research in 2014 focusing on cloud adoption for GRC solutions.

There you have it – a synopsis (though a lengthy one) of the drivers and trends impacting GRC in 2014.  More detail will be given in next week’s Q1 State of the GRC Market Research Briefing.  GRC 20/20 is also working on publishing a range of Buyers Guides for categories of GRC solutions as well as Market Landscapes of GRC solutions.  These will cover GRC solution categories of policy, 3rd party, compliance, audit, and risk management to begin with and expand into other categories of GRC solutions over time.  These will be supported by research on value and business case justification and a variety of case studies.

Bottom Line:  GRC 20/20 is focused on providing you the deepest and broadest insight into the GRC solution market covering a range of solutions, buying criteria, market growth dynamics, projections, and business/value justification throughout 2014.

 

GRC Spreadsheets, Documents & Email, OH MY!

Why Spreadsheets, Documents & Emails Fail for GRC

At times I can sound like a broken record – repeating myself over, and over, and over, and over again, and again, and again.  One of my prominent soapboxes over the past decade has been the failure of spreadsheets, documents, and emails to assess, audit, manage, and monitor governance, risk management, and compliance (GRC) processes.

Yes, I acknowledge that Microsoft is the largest GRC software vendor on the planet with Word, Excel, Outlook/Exchange, and Sharepoint.  However, these tools, and their counterparts from Google and others, make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate principles of GRC.  They are very useful tools.  I use them everyday in my business, but for managing GRC information they – by themselves – do not meet par.

In fact, after a decade of screaming and preaching from my GRC soapbox, I hear that the regulators are cracking down.  I am in the process of substantiating this, but I have heard from a few sources that the U.S. financial services regulators are now stating that using documents and spreadsheets for audits and risk/compliance assessments (by themselves without additional tools to enhance them) are not acceptable.

The reasons documents, spreadsheets, and emails fail for GRC are as follows:

  • No audit trail.  By themselves, without some additional tools/solutions and significant configuration, these solutions do not have inherent audit trails.  You cannot go back and state that you know with a specific level of certainty that those answers were gathered from that specific individual on this date and time and represent their actual, unaltered, authenticated answer to that survey, assessment, analysis, policy attestation or audit.
  • Easy to manipulate.  Building on the first point, there is no audit trail or history of changes made.  It is a simple task for anybody to go back and manipulate responses to paint a rosier picture to get himself or herself, someone else, or the organization out of hot water.  Someone can easily go back and cover their trail when there is no audit trail and authentication happening that tracks changes, what those changes were, who made them, and keeps a record of all changes.
  • Slipping through the cracks.  There is no structure of required workflow and task management.  Things can be configured in email systems, but most often people fire off emails asking for assessments to be done, audit findings to be responded to, policy attestations to be made . . . and no one gets it done.  It ends up in the trash, junk folder, filed away, and never responded to until someone is screaming.
  • No consistency.  It is hard to make assessments, surveys, attestations, policies and other GRC related information consistent.  If a new assessment is needed – we just open up Excel and create a new assessment from scratch and fail to realize that there is another assessment asking the same people half of the same questions as our new assessment.  Further, different documents and spreadsheets are formatted in different ways and each requires its own learning curve.
  • Compilation nightmares.  Have you ever been asked to compile reports involving hundreds or even thousands of documents, spreadsheets, and emails?  If you are a GRC professional the odds are you have.  I have had one financial services organization tell me in an RFP project (I was writing the RFP for them) that 80% of their GRC resources (FTEs) were nothing more than document reconcilers.  In surveys and webinar pulls you find that it often takes 80+ man-hours to compile GRC (risk/compliance/audit) reports.  There is a significant amount of time needed to integrate and compile information from a mountain of documents, spreadsheets, and emails.  Myself, I would not be interested in a job very long where 80% of my time is cut, paste, manipulate data for reports.  My interest is in analysis and managing risk and compliance not in cut and paste – that is what I did in kindergarten.  
  • Compilation errors.  At the end of the day, all this work compiling and integrating hundreds to thousands of documents, spreadsheets and emails is inevitable failure.  Odds are there is something wrong.  That much manual reporting is bound to have serious errors.  Not malicious, but inadvertent.  It happens all the time.  In fact, one of the primary contributing factors to the multi-billion dollar JP Morgan Whale loss was an error in a spreadsheet.  

Those are my primary reasons why documents, spreadsheets and emails by themselves fail in GRC.  There are ways to fix this. Solutions that provide and enforce consistency and audit trails within spreadsheets, but these do not account for workflow and task management needs.  The best approach to address these limitations is to implement GRC management solutions that provide for audit trails, consistency, and integrated reporting. Solutions that bring efficiency (both human and financial capital efficiency), effectiveness (accurate and auditable reporting), and agility (timely and relevant information when it is needed).

What are your thoughts and experiences with spreadsheets, documents and emails in GRC processes and reporting?

 

3rd Party GRC: Business Agility in a Dynamic and Distributed Environment

GRC 20/20 is providing a specific focus on 3rd Party Governance, Risk Management & Compliance (GRC) in the month of December.  This is the fastest growing part of the GRC market as organizations struggle with issues of conflict minerals, anti-bribery & corruption, social accountability, privacy, security, and more . . . 

No company is an island unto itself: Organizations are a complex and diverse system of processes and business relationships. Risk and compliance challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern extended business relationships as they stand in the shoes of their agents, vendors, partners, suppliers, and relationships. Business partner problems and issues are the organizations problems that directly impact the organization’s brand and reputation. When questions of business practices, compliance, and controls arise, the organization is held accountable, and it must ensure that business partners behave appropriately.

Businesses must understand business relationships in the context of the governance, risk and compliance (GRC) issues that impact business operations and brand. The challenge before organizations is: “Can you attest that risk and compliance is managed across extended business relationships?”  The head of procurement, for example, is often left with managing supplier risk across these business relationships but has inadequate processes and information to effectively monitor them.

This is challenging enough with the distributed and extended nature of business, but it becomes particularly challenging in the current dynamic ever-changing business environment.  Risk, regulatory, and business environments are in a constant state of change. The business needs to be current in its governance, risk management, and compliance processes across business relationships. Manual email, spreadsheet, and document centric processes are prone to failure, as they bury procurement and other areas of 3rd party risk/compliance resulting in mountains of documents that are difficult to maintain, aggregate, and report on: consuming valuable resources in data management instead of managing 3rd party risk and compliance.  Organizations need an integrated solution to manage 3rd party risk and compliance that brings together frameworks, content, and technology to deliver not only efficiency and effectiveness but also agility.  

Extended business relationships — supply chain, value chain, vendors, service providers, outsourcers, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits and controls, and other business practices. Organizations need to actively demonstrate an in-compliance and in-control status throughout the extended business environment. Anything that impacts business relationships can taint the organization’s brand — such as child labor, quality issues, fraud, privacy violations, or other misconduct.

Procurement, and other parts of the business, tend to look at the formation of a business relationship and fail to foresee issues that can cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship itself.

The list of exposure areas impacting business relationships can be categorized as . . . 

  1. Operational risk.  The organization needs to ensure that business processes and information are managed to limit risk exposure to the business.  This can cover areas such as health and safety, continuity of operations, redundancy in supply chain, quality issues, and security.
  2. Financial risk & performance.  The organization needs to make sure it is doing business with stable organizations that can be relied upon.
  3. Reputation.  The organization’s brand is on the line. To make sure that the corporate brand is not tarnished the organization needs to ensure that its vendors and business relationships hold to appropriate commitments to labor standards, environmental protection, fiscal responsibility, and social responsibility.
  4. Compliance.  The organization needs assurance that its vendor and business relationships are complying with local laws and regulations as well as the laws and regulations that bear down upon the business around the world.  This covers a wide spectrum of compliance to labor, anti-bribery and corruption, quality, import/export, security, privacy, and health and safety regulations and laws.

Organizations tend to look at the formation of a business relationship and fail to foresee these issues cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship. There is a common failure to manage risk across the lifecycle of business relationships for the following reasons:

  1. Risk is only considered during the on-boarding process: Risks in extended business relationships are usually only analyzed during the on-boarding process to validate the organization is doing business with the right companies. This approach fails to recognize that additional risk is incurred over the life of the business relationship.
  2. Relationship performance evaluations neglect an integrated view of GRC: Metrics and measurements for ongoing business relationships often fail to fully analyze and monitor risk. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.

Organizations are complex entities that extend to hundreds or thousands of business relationships around the world. Organizations must actively manage and monitor risk and compliance across the lifecycle of a business relationship. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak and unmonitored oversight.

In the past, risk in extended business relationships was predominantly focused on the on-boarding process. After that point, individual business areas may conduct routine audits and assessments or require attestation to a code of conduct, but it is not a coordinated or collaborative function and often lacks accountability.

Document centric processes bury the organization with mountains of out of sync data that takes time to reconcile and report.  The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships. Business needs defined processes, information, frameworks, and solutions to effectively and efficiently manage 3rd party extended business relationships. The goal is to enable business agility by providing defined and integrated accountability processes that can manage risk and compliance in the context of performance and change across  business relationships. A clearly defined approach to managing GRC across extended business relationships requires a consistent lifecycle and program supported by a common information and technology architecture. 

Upcoming Research Briefings on this topic are . . . 

 

Examples of GRC Engagement

In my previous article I made the argument that GRC (Governance, Risk Management & Compliance) is as relevant to the front office as it is to the back office.  That the front lines of the business use GRC systems and need engaging user experiences. 

It is not just the front lines though.  All levels of the organization interact and use GRC technologies from taking assessments, reading policies, going through training, reporting incidents, evaluation reports, diving through dashboards, and more.

Employee engagement in GRC 3.0 requires GRC technologies to extend across the organization: Even to extended third party relationships such as vendor, suppliers, agents, contractors, outsourcers, services providers, consultants and temporary workers. To engage stakeholders at all levels of the organization requires GRC technologies are relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a social-technology permeated world. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.

A primary directive of GRC 3.0 is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The GRC 3.0 goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

I have been evaluating GRC technologies for twelve years now and find that many have average to poor user experiences.  Even some of those who are recognized as GRC leaders who would have you believe that their platform could solve the worlds problems have interfaces that are overly complex, non-intuitive, confusing, and at times downright confounding.  

What I am doing today is drawing attention to some examples of Engaging GRC – solutions that I think are delivering cutting edge interface design focused on intuitiveness, aesthetics, and engaging employees at all levels.  However, this is not a blanket endorsement of these products.  Some are very strong in what they do others are early on the journey of building out breadth and depth.  Please do not see this as a blanket endorsement – it is not.  I am happy to answer questions on any of these vendors listed and anyone else being considered by buyers in the GRC ecosystem of technologies.

Examples of the latest in GRC Engagement delivering intuitive and easy to use interfaces are as follows (in alphabetical order, there are other vendors that I think excel in GRC Engagement – these were selected as they had publicly accessible video that at some point in the video in these links has a view into their product I could comment on):

    • ACL.  This is one of my favorites – you have to click on the video icon to get the video that demos the product.  Great use of white space, sidebars, clean interface, fonts, and graphics for navigation and context.  Very clean interface.  I particularly like the drag and drop risk tagging and moving things to different buckets/stages.  Great reporting and dashboards with intuitive drill down capability for GRC intelligence.
    • BitSight.  The first minute and a half is one of the most brilliant marketing videos I have come across, once you get through this you get to the interface.  I love the crispness of the reports, the different ways of representing data, the clean interface, and use of graphics in navigation and context.
    • Compli.  I wish this video showed more of the product other than a few quick glimpses. There is so much more to it.  Clean interface.  Great use of fonts and numbers.  They have a video animation showing the drag and drop workflow but does not show the product itself and elegance of their implementation of this feature.
    • Convercent.  Beautiful interface with intuitive navigation and drill-down.  Good use of white space, clean fonts, attractive colors, and clean graphics and reporting.
    • CoreStream.  Notice the clean use of fonts, not an overly busy interface, and the use of graphics icons for navigation and context.
    • LockPath.  This solution is delivering some very innovative and graphical concepts of interactive data visualization and relationship.  The top panel has a play button where you can see innovation in the relationship and management of GRC data..
    • StratexSystems.  You have to scroll down to the bottom of the screen to get to the videos of the product itself.  There is a lot in this product that makes it average from GRC Engagement, but it stands out in some of its navigation, use of fonts, graphics, and I particularly like the business organization layout and use of colors and shapes.
    • The Network. Delivers a clean, elegant, and intuitive interface that minimizes the complexity of policy management.  Great use of graphics, easy tagging, integration of video, interactive content with the written policy itself in the same interface.
    • TrueOffice.  This solution stands out as a prime example of GRC Gamification and connecting to employees through interactive content.  I love what this company is doing in the niche of GRC that it delivers.
    • TRUSTe.  Great interface design, intuitive navigation, good use of fonts and white space as well as graphics.
    • 360factors.com.  This one unfortunately does not have a video and I about did not include it. It does have some screenshots that show the interface, good use of graphics for navigation and context, clean use of fonts and balance.