Employee Engagement in the Context of GRC: Bringing GRC to the Coal-Face
Governance, risk management and compliance (GRC) are a part of everyone’s job. Too often we shovel GRC into the bowels of the organization thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back office of the organization. This misperception is a critical issue organizations must address. The most significant exposures to risk and compliance issues are not in the bowels of the organization, they are at the front lines. They are at all levels of management and business operations. They cross partner, vendor and supplier relationships throughout the extended enterprise.
The user experience for GRC has been typically poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality and lack of central coordinated efforts for GRC communications. Organizations have ended up with multiple sources of policy, training, surveys, assessments and issue reporting hotlines. Interaction with these systems has consumed human and financial capital. Interaction is often inconsistently logged in documents and spreadsheets, if they are logged at all. There is no coordination of GRC communication and no way to prioritize messages and employee tasks. The result is emails and documents that fly about, slip through cracks, are never responded to, or are simply forgotten.
GRC is not just for back-office risk experts. For GRC to be successful, organizations must engage employees. It is no longer good enough to just have well documented policies and controls. Organizations must demonstrate GRC is active and operational across the organization.
The past experience employees have had with GRC processes and technology can be contrasted with the present needs that are shaping the future of GRC:
- Past GRC approaches offered disconnected systems: an employee gets an email about a new policy, clicks a link to read the policy in a text-heavy interface, clicks another link to take training on a separate system, then follows yet another link to a survey that tests their understanding, and at no point is there a place to ask questions or find related resources. For the average employee, GRC has been confusing and disconnected from what they do.
- The present and future of GRC is about integrating technologies and content to deliver an engaging experience that is interactive and connected: an employee clicks on the new policy and the training is delivered in the same interface, embedded in the same page, with the policy text flowing around it. Other interactive content, such as games that illustrate the policy, is delivered alongside it.
The bottom line: GRC is only as good as your front-line understanding, participation and alignment with GRC. It is no longer enough to have the right GRC documentation; you have to show it is operationally effective. This requires employee engagement in GRC. This involves bringing GRC to the coal-face. The term coal-face is a term the British use to describe the frontline operations of an organization. It comes from miners deep in mineshafts cutting coal at the coal-face. Every organization has a coal-face: the front-line employees engaged in business operations. To maintain integrity and execute on strategy, the organization must be able to engage GRC in the context of its coal-face.
GRC solutions in the enterprise should deliver an exceptional end-user experience: getting employees involved by providing intuitive interfaces into GRC that are interactive, engaging and social. GRC solutions need to instruct, inform and be easy to use at all levels. They should engage employees in GRC without leaving them overwhelmed and confused. Employee engagement happens through:
- GRC intuitive interface design: GRC is adopting leading concepts in interface design to make the user experience of GRC applications simpler, easier to navigate and aesthetically appealing while minimizing complexity.
- GRC socialization and collaboration: GRC collaboration and socialization is used to conduct risk workshops, understand compliance in the context of business and get individuals involved in GRC at all levels of the organization.
- GRC gamification: GRC gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making.
- GRC mobility: GRC is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring GRC to all levels of business operations.
The result: Backend management and oversight of risk and compliance is still needed, however the frontend user experience is dramatically improved to engage employees and stakeholders to ensure they are connected to GRC in the context of their role and responsibilities. For GRC to provide value, employee engagement is critical, not optional.
It has been stated that:
Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.[1]
A primary directive of GRC is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.
[1] This quote has been attributed both to Einstein and E.F. Schumacher.
Gartner GRC Magic Quadrant Rant, Part 3
Uh Oh, It’s Magic, Gartner’s Got a Hold On You . . .
Tossing and turning, anxiety is stirring me. I am trapped in a labyrinth of quadrants with flying dots that do not make any sense coming at me from all directions. One appears in front of me, I am startled. I remark, “you do not belong here, that does not make any sense, you should really be over in that quadrant.” All around me I eerily hear the 80’s group The Cars singing “Uh Oh, It’s Magic, Gartner’s Got a Hold On You . . . “. I tremble. I am overwhelmed . . . I wake up screaming, covered in sweat. My wife once again, as she has done so many times this past month, looks over at me and offers me a Xanax, yet again.
OK, it is not quite that extreme – but it is bad. I have lain awake in bed until two in the morning many nights over the past four weeks pondering the black magical depth of the Gartner GRC Magic Quadrant. Perhaps depth is not the right word – more like the mysterious shallows. Actually, I cannot tell you how deep or shallow it is as Gartner gives me no indication of the depth of their analysis. We are left to assume Gartner has depth and objective criteria and detail to their analysis. Where is it? I am unable to reconcile how Gartner came to this place yet again. It is like Gartner is playing mind games with me – intentional infliction of emotional distress.
GRC. I take it seriously. The GRC market is something I have been tending and caring for since February of 2002 in my early days at Forrester. I have watched the market for GRC solutions, services, and content grow and mature. I watched it grow in GRC 1.0 (2002-2006) as it grappled with SOX and internal controls, yet I knew it was going to do much more than that. The breadth was apparent in the Forrester GRC Wave that I wrote, and it grew rapidly into GRC 2.0 (2007-2012). In the second Forrester Wave it had advanced so much there were four separate Wave graphics, as it could not be contained and represented in just one two-dimensional graphic any longer.
Then it happened – the separation. Forrester and I parted ways six years back. The GRC market (which is technology, services, and content that supports GRC strategy and processes) became a joint custody arrangement between Forrester, Gartner, and myself. I continued to see that GRC is a broad market with a lot of segments and sectors within those segments. The proper way to understand the GRC market is as an ecosystem of offerings and as a GRC architecture within a specific organization, not as a single platform. However, the other custodians forced GRC back into one two-dimensional graphic. Where I used four graphics before leaving Forrester, Forrester went back to a single graphic. Gartner did the same, but worse. While Forrester objectively tries to model GRC in a way that is transparent and publishes the criteria and scores used, Gartner simply states here is the grade I think you should have and gives us no transparency into how GRC solutions are objectively measured. There is a lot of truth to the Magic Quadrant being Magic – it is beyond our comprehension.
This is my third rant against Gartner on GRC Magic Quadrant. For the past four weeks I have been pursued by many to respond to the new version released in September 2013. I guess I have a loyal following of GRC groupies that are crying foul, down with injustice to GRC! I struggled with responding yet again. I do not want a reputation as an aggressor – it does not interest me. However, I am an idealist to the core and have a soft heart for the mistreated and maligned . . . so I lay awake late into the night fretting over Gartner and their 2013 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms.
For those interested in the historical back and forth, my previous rants are:
- Round 1 (2009): Gartner’s EGRC “Arcane” Magic Quadrant
- Round 2 (2012): Rethinking GRC: Analyst Rant, Gartner’s 2012 EGRC Magic Quadrant and a recap of the back and forth between French Caldwell and myself Concluding the GRC Analyst Rant
In all fairness, I do really like French Caldwell. He is a very gracious nemesis and we have some great discussions. While we debate, and at times collaborate, he is always very engaging and polite. I tell myself it is not French it is Gartner and their confounded approach and process to the Magic Quadrant. That allows me to continue to be cordial and attempt to be half as gracious as French is toward me when my hackles are raised and I am screaming at the injustice done to the GRC market.
There is a lot I would like to say about vendor positioning in the Magic Quadrant, but most of it I will not. Perhaps if you take me out for a pint in a nice British pub (going to London next week) you will get the depth of my thoughts with the dirt and praise on specific vendors. I hold back particularly because I accuse Gartner of not showing objective criteria and scores that map vendors on their graphic, and I would be doing the same if I told you where vendors should be positioned without giving you specific criteria and scores. While I provide my commentary below, I will be agnostic when it comes to specific vendor names.
My grievances with the 2013 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms are:
- Consistency. When you read the strengths and cautions on the vendors in the MQ and know these products personally as an analyst you see issues. For example, when one (actually a few) is beaten up because a few clients have referenced implementations greater than six months yet several in the Leaders quadrant have implementations on a regular basis greater than a year and some for over two years – we are not comparing apples to apples. One RFP I assisted with selected a prominent Leader against my recommendation. I specifically told them the Leader does some good things but they will come in well over budget and well beyond their six month implementation plan. Two years later . . . guess what, still rolling out and way over budget. Or consider when I have to tell attendees (from three different organizations) at my recent GRC workshops to stop complaining about their GRC solution (again in the Leaders) because they keep turning the workshop into a gripe session about the vendor’s missed expectations, length of implementations, being over budget, and the amount of staff and services needed to maintain what they were told was so simple and easy to configure. It irritates me as this gets referenced as a caution for some, with an implication that it lowered their score, but for the greatest offenders it does not appear to be an issue. And some get dinged for just over a six month implementation as opposed to years for others. I do not get it. I want transparency in the MQ.
- Where’s the Beef? One would assume that Gartner assesses solutions against a defined set of required functionality (that is the assumption and very words of my friend Norman Marks in his rant with Gartner). It would be nice to believe – but I am not sure it is true. Honestly Gartner, give us details. Yes, this goes back to the transparency point. This is a huge market with billions being spent. Organizations are making huge financial commitments to solutions based on this two-dimensional diagram. How do they stack up? The MQ states solutions were evaluated around risk management, audit management, compliance and policy management, regulatory change management, and incident or case management. That is great; they are in my taxonomy of the GRC market along with more. Gartner, tell us who is better at each of these and why. I cannot find any detail on how one vendor is better at risk against another. I cannot find any real detail on how one vendor is better at a range of GRC areas against another. So what does your MQ really prove? This is wrong. I can tell you who is better in risk management, audit, or any of these areas whether you are looking for just that solution area or a GRC implementation that combines these areas. Gartner, it is your bloody report; you give us a misleading graphic and no details to back it up. Forrester gives you a spreadsheet with all of the criteria and scores so you can see how vendors score in different areas. This alone makes the MQ not only useless but also absolutely dangerous. Gartner, show us the criteria you measured, the grading scale used, and the scores for each criterion given to each vendor! Forrester does it. The MQ is rubbish without this. I challenge you to be transparent. Good grief, for the price organizations pay for your research you would think the depth of criteria and scoring would be made available.
- Depth. I challenge you, my reader, look at the breadth of areas that Gartner states it covers in the MQ: risk management, audit management, compliance and policy management, regulatory change management, and incident or case management. The Gartner MQ for GRC gives vendors a few hours to demo their solution to cover all these use case areas. Gartner, you cannot be serious? I myself could not do justice to the market presenting a comparative ranking of vendors with just a few hours to demo all these areas together. Two hours in just one of these areas would not be acceptable – particularly when it impacts a market that is over a billion dollars and this is the go-to report for decisions on who to engage. How does Gartner do it? It must be all the time Gartner analysts spend up in those ivory towers where they are endowed with unnatural wisdom from on high that gives them amazing ninja-like perception abilities to distinguish solutions in a short demo covering the range of use cases. That must be why they call it Magic, as Gartner analysts are really omniscient beings from another dimension.
- Fairness. In fact, I challenged French in person at a vendor conference in Las Vegas last spring on the issue of expecting vendors to cover all of these areas in a short demo and basing on it a MQ that is the key report by which organizations make significant spending decisions. He said that is the way it works and that GRC vendors have all year to engage him through strategy days to show the depth of their offerings in these areas. That is a serious issue of fairness. There is an unfair advantage toward those willing to fork out the $10,000 to $15,000 a day to educate Gartner on their offerings that others in the Magic Quadrant do not do and some do not have the means to do. Some of this cannot be prevented as vendors seek to gain Gartner’s insight. However, the playing field can become much more fair by allowing vendors a half-day to a full-day to go through their GRC solution. For what Gartner makes from the reprints vendors pay for to distribute the MQ, you would think they would invest more time with each solution to go deep into it. Perhaps Gartner would uncover that some in the Leaders quadrant have issues with normalization and aggregation of risk in an enterprise perspective. That some may have issues with the complexity of their platform and how much time it takes to configure. Or how weak one of the existing Leaders is in risk analytics and modeling. Perhaps they might even have discovered that what they were told was functionality in the system and the demo they saw was smoke and mirrors and not real functionality.
- Breadth. Vendors with the broadest use cases covering things like product quality, environmental monitoring, health and safety, legal matter management, 3rd party GRC (vendor/supplier), global trade compliance, automated controls, corporate social responsibility did not seem to have the breadth of these GRC offerings considered. Some of the Leaders do not have as much breadth of GRC coverage as solutions in other quadrants. Even in the Leaders quadrant, solutions with broader use cases and functionality seem to have not fared as well. There appears to be a bias toward a field-of-dreams approach in which solutions that promise to be all things to all organizations and on which anything can be built and configured get rated higher than vendors that have working real-world solutions with domain expertise and industry depth for addressing a variety of challenges that do not have to be built or configured (but are still highly adaptable). How is Gartner handling diverse GRC scenarios? Success in a few functional areas is great, but is there any consideration for breadth of use across a range of functional areas? And depth of use getting into content and industry-specific needs? This is critically important as organizations are headed towards an integrated GRC architecture. Some Leaders seem to have a narrow focus in specific solution areas, yet they appear to be the strongest “broad” GRC platform in the MQ, which they are not. I also do not see proper evaluation of content integration as a factor of consideration in GRC offerings, particularly depth of content across compliance and risk areas.
- Requirements to play. Another sore point I have is Gartner’s requirements to be in the MQ. There are a lot of very capable GRC solutions that would love to be in the Magic Quadrant but will never get in because they do not fit Gartner’s specific mold of GRC or they do not meet the ever increasing ceiling of requirements. To get in, a vendor has to have a solution that delivers across compliance, risk, and regulatory change management as a minimum (interesting, I see regulatory change management as part of compliance). They need to have at least $12 million in revenue, one hundred or more customers with live implementations, reference customers for corporate governance activities (seriously, I would like to know how many board members or corporate secretaries Gartner actually talked to, although Gartner in the MQ treats ERM and financial reporting compliance as governance), and be in multiple industries with a worldwide presence. That simply means only large GRC players will be represented in the MQ. Very capable GRC solutions that are new and innovative, operate in just one geography or industry, and have good traction and are growing but have not hit the right level of customers or revenue will not be considered. This cuts out some really great solutions that end up not getting to the decision table because Gartner did not include them. This ends up with very frustrated organizations that come to me and ask about solutions to meet their specific industry challenges. I had a tier 1 bank tell me that they did not think Gartner could spell FCPA because every time they asked about it they were sent the Gartner GRC MQ and Gartner could not interact with them on solutions to address FCPA specifically (which every solution in the MQ would tell you they do).
Honestly, the Gartner GRC Magic Quadrant really does not provide what is needed to make business decisions on GRC solutions. It is not complete, is not consistent, and has issues. The best use for it I have found is to start a fire in my fireplace on this cool autumn day. Sorry French, I know it is a lot of work. The whole process seems like a reality show for GRC . . . The Gartner Bachelor with a bunch of GRC solution providers in a beauty contest trying to pull off the slickest short demo (remember, just a few hours) to woo the Gartner Bachelor. I say roll up the sleeves and get involved in the solutions, build relationships, be easy to approach and engage, interact on a detailed basis. Go deep.
Let’s now see if I can get some sleep tonight . . .
Measuring the Integrity of the Organization
Compliance and ethics is not the same today as it was a few years ago. The forces shaping compliance are likely to continue to influence the trajectory of compliance and ethics for years to come. In the past, compliance was distributed and disconnected. The relationship of ethics to compliance was inconsistent. Organizations may have had a centralized compliance function to manage critical compliance issues bearing down on the business, but compliance in reality was fragmented and distributed, with highly redundant approaches taxing the business. This resulted in a maze of processes, reporting, and information. Each department relied on document-centric and manual approaches that did not integrate, and compliance professionals spent more time managing the volume of documents than they did actually managing compliance. There were inconsistent formats for policies and procedures, issue/incident reporting, and assessments.
Like battling the multi-headed hydra in mythology, these redundant, manual, and document-centric approaches were ineffective. As the hydra grew more heads of regulation, ethical challenges, and obligations, the scattered compliance approaches became overwhelmed and exhausted and were losing the battle. These problems led to a reactive approach to compliance, with silos of compliance failing to coordinate and work together. This increased inefficiencies and the risk that serious matters could fall through the cracks. Redundant and inefficient processes led to overwhelming complexity that slowed the business, even as the business environment required more agility.
Compliance and ethics today is in the midst of transformation. The pressure on organizations is requiring us to rethink our approach to compliance. This new approach is focused on what OCEG calls Principled Performance: “The reliable achievement of objectives, while addressing uncertainty and acting with integrity.”
Compliance is evolving to focus on the integrity of the organization. Compliance and integrity are becoming how we do business as opposed to being an obstacle to business. Compliance operations become federated to overcome the inefficiencies of the decentralized approaches of the past. This requires a centralized coordinating role for compliance working with federated compliance functions throughout the business. Organizations are looking to monitor and measure the integrity of the organization through information, activities and processes coordinated across the organization.
These trends point in one clear direction: a compliance architecture that is dynamic, proactive, and information-based. That is, a new model for ethics and compliance that:
- Is aligned with stakeholder demands for transparency and accountability;
- Functions as a strategic partner with executives and aligns with organization strategy and values;
- Takes full advantage of emerging technologies to improve efficiencies;
- Provides an easy-to-use and engaging interface to get information and participate in compliance process; and,
- Measures integrity through an integrated framework of metrics.
The result is an approach to ethics and compliance that not only delivers demonstrable proof of compliance effectiveness, but at the same time shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.
Through an integrated compliance architecture the organization will have an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.
2013 GRC Value Award: Audit Management
GRC 20/20 Research awarded ACL GRC and their client Traina & Associates its 2013 GRC Value Award in the Audit Management category. ACL GRC is an all-in-one cloud-based GRC process management solution. Since ACL GRC’s implementation at the Traina & Associates CPA firm two years ago, their average audit elapsed time went from about 60 days to 30 days; audit management efficiency increased by 25 percent; and audit revenues increased by 10 percent without increasing staffing.
Traina & Associates is a CPA firm providing IT audit services. For two years Traina & Associates has performed 100 percent of their audit work using ACL GRC and has achieved:
- Increased productivity, and removal of the backlog of work they had experienced for over seven years thanks to the ability to divide the audit work into sections that can be signed off by the auditor, making work immediately available for review.
- Increased audit revenues by 10 percent without increasing staffing — auditors work less and produce more work.
- Improved information security by eliminating the risk of lost or stolen laptops containing confidential client information and discontinuing the sharing of confidential information through internal email.
- Ability to work anytime from anywhere with cloud-based access and mobile apps — and soon may be ready to close the physical office completely, resulting in additional savings.
- Ability to immediately update audit procedures to keep up with fast-moving technology within client businesses.
- Retained a highly valuable employee across the country thanks to cloud-based collaboration.
The ACL GRC solution
ACL™ GRC eliminates the headaches and fragmentation associated with traditional on-premises audit, risk and compliance management systems. There is no software to install, no servers to buy and no resource-intensive implementation project. With ACL GRC, everything is integrated and managed in one place, and a comprehensive set of controls protects the data.
Within one year of implementation, Traina & Associates experienced increased productivity and efficiency, including lower staffing costs, lower information security risk, increased telecommuting and reliability. For example, in addition to field work and documentation, it took about 1.5 hours to complete a final report. Using the new system, the same report can be generated in 30 minutes.
Implementation effort was minimal, and was completed in less than one month. During the next five years, the firm expects to continue to experience increased employee retention and satisfaction.
The security and agility features of the ACL GRC solution are important to a firm like Traina & Associates: because the data is securely accessible via the cloud, client data is no longer stored on auditor laptops. This eliminates the major risk of exposure due to a lost or stolen laptop with confidential client information. Client audit data is also no longer shared between team members through internal email, since it is available to everyone 24×7 in ACL GRC; a lost or stolen phone containing email has much less of an impact if there is no client data involved. Moving the data off endpoints shifts rather than removes the exposure: the auditors’ credentials, browser sessions and the provider’s own controls now stand between an attacker and every client’s data, so strong authentication and session management on the cloud accounts matter correspondingly more.
SaaS delivery also means ACL GRC clients no longer have to worry about an internal system going down or needing to be updated, patched or backed up. All auditors need is a device with a browser and Internet access. This delivery model also means the majority of employees can work virtually; in the future, the firm expects additional savings because the office space may not be needed. Change is a constant in Traina & Associates’ database of IT audit procedures, and ACL GRC’s management and delivery approach makes this easy, since policy and procedure changes can be made globally and simply via the cloud.
A homegrown system with a backlog of work
Traina & Associates previously used custom-developed software combined with a separate system of email and a number of spreadsheets to track and manage work. Traina was growing at a fairly rapid pace and auditors often faced very long work hours. In addition to doing audit work, all members of the team helped with development of new programs to keep up with new client technology. Efficiency is paramount for this small company.
Traina & Associates badly needed a cost-effective solution to improve workflow, automate the audit process and help the team stay ahead of industry advancements. The firm previously relied on its own proprietary audit management software, but questioned the wisdom of committing additional resources to develop an upgrade. Migrating from a proprietary system required identifying an alternative tool that was affordable, flexible, easy-to-use, encouraged collaboration and increased audit efficiencies. Traina & Associates did not expect that just one solution could meet all of their criteria.
To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients
2013 GRC Value Award: Identity & Access GRC
GRC 20/20 Research awarded AlertEnterprise, Inc. its 2013 GRC Value Award in the Identity & Access GRC category. Enterprise Guardian™ from AlertEnterprise was deployed at a large utility corporation. The implementation gave the utility insight into its identity repository and multiple IT systems to identify risks and eliminate threats, while meeting NERC and NERC CIP compliance. AlertEnterprise estimates the utility sees annual benefits of $1 million or more as a direct result of the implementation (see exhibit, below).
| Value Drivers | Technical Baseline / Benchmarks | Estimated Improvements (%) | Estimated Benefit ($) |
|---|---|---|---|
| Improve compliance and audit FTE efficiency | 10 FTEs allocated for 6 months | 12% | $150,000 |
| Improve IT FTE efficiencies for enterprise security | (IT + physical + SCADA) = 10 FTE | 15% | $200,000 |
| Reduce noncompliance penalties (NERC/CIP) | Avoid reg. fines ($1M max/violation) | 10% | $100,000 |
| Reduce O&M costs (truck rolls, etc.) | $2,000 per incident | 10% | $300,000 |
| Reduce incident response costs | 10 FTEs allocated | 15% | $150,000 |
| Reduced costs due to an integrated platform | Converged security and compliance | 15% | $200,000 |
| Total Annual Benefits (Recurring/One-Time) | | | $1,000,000 |

Source: AlertEnterprise, Inc. and GRC 20/20, 2013. (The six row values as published sum to $1,100,000; the total is reproduced as stated in the source exhibit.)
The main short-term benefits include immediate identification of risk and conformity with regulatory standards. AlertEnterprise helped the utility remain compliant with NERC CIP regulations by automating various business processes and procedures.
Enterprise Guardian leverages IT-OT convergence capabilities by linking SAP and other IT applications with physical access control systems and SCADA/operational systems, delivering critical infrastructure protection by eliminating organizational silos. Industry-specific content packs provide a fast and effective means to meet regulations; automate contractor and employee onboarding/offboarding; manage the identity, access and role lifecycle; simplify the badging process; and apply identity analytics, while reducing the complexity of provisioning across all of these systems.
Customer challenges
As one of the largest electric utilities in the United States, the company required an all-encompassing enterprise access management system and solution. Primary challenges included:
- Multiple legacy applications lacking common centralized processes to assign and monitor access
- Large identity and access management application deployment from a major vendor that did not link to internal applications
- Contractor access to applications tracked manually, lacking documentation and evidence
- Decentralized process for NERC CIP 004 access management
- Manual and time-consuming tracking of the certification required for CIP access across systems, including physical access control systems (PACS)
AlertEnterprise’s solution delivers these capabilities to address these challenges:
- More efficient access management of individuals within the company
- Establishment of one integrated system with oversight over multiple departments and systems
- Establishment of a central repository of contractors (contract management system)
- Complete integration of onboarding and offboarding across SAP, the IAM application from a major vendor, and multiple legacy applications
- Overall, centralizing processes, automating manual tasks and providing efficiencies around compliance activities for NERC CIP 004 R1, R2, R3 and R4
A legacy system that became ungovernable
For more than a decade, the utility built a variety of tools and applications to manage identity and access within its organization. The utility also incorporated an identity and access management (IAM) system from a major vendor. The utility soon faced challenges bridging its home-grown tools with the vendor system, which created conflicts when it tried to manage access across logical systems, customize workflow or enforce policies. Adding to the challenge, none of the utility's home-grown systems could be retired as planned.
Before the implementation of the AlertEnterprise solution, the process was managed manually by various teams, most of them technical in nature, because the multiple systems operated in silos with no interconnectivity or shared insight. These processes were expensive and time-consuming, and the result was unsatisfactory.
Instead of spending days asking various departments to reconcile user access via spreadsheets, the utility's users can now pull a report of user access from AlertEnterprise at any time. AlertEnterprise also automates manual tasks and drives these processes through a quality-driven application, helping the utility cut the cost and human capital needed to operate its complex IT solutions. The unified solution allows business users, as well as technical users, to perform IT-related tasks. Fewer resources are needed to ensure compliance requirements are met and duties are completed across systems.
A bright future outlook
AlertEnterprise will allow the utility to continue its day-to-day processes while automatically enforcing the policies in place to meet NERC CIP compliance and other regulatory requirements. In the long term, the utility can also expect these features across IT, physical and OT (industrial control/SCADA) systems:
- Automated user and access lifecycle management
- Automated user and role certifications
- Unified identity warehouse
- Comprehensive audit and reporting
- Automation of processes for security, compliance, internal audit and business enablement
2013 GRC Value Award: Information & Data Governance
GRC 20/20 Research awarded ClusterSeven ESM its 2013 GRC Value award in the Information and Data Governance category. With the help of the ClusterSeven Enterprise Spreadsheet Manager (ESM) solution, a global European banking and financial services company was able to meet regulatory demands to demonstrate control over its core financial operations. In the process, the bank projects a 3.5x ROI on ClusterSeven ESM based on risk avoidance.
As part of improving controls over its core financial processes, the bank was required to demonstrate control over business-critical spreadsheets in trading, risk management, product control and finance. ClusterSeven ESM was implemented to provide the required control and transparency. Short-term benefits of the implementation were a 1.5x ROI on ClusterSeven within one year and a projected 3.5x return based on risk avoidance figures. Other benefits included:
- Implementation of a tool that could facilitate spreadsheet best practices — primarily spreadsheet consolidation
- A more organized and streamlined process
- An improved, more rigorous change control over VBA Macro codes within spreadsheets
- Addition of electronic sign-off provides improved workflow and enhanced visibility
Before the ClusterSeven ESM solution, the bank relied on manual controls alone for this process.
Real data on ClusterSeven’s value
The bank’s backup team calculates that it receives about 12 requests per day for retrieval of historical spreadsheet versions. Snapshots of file servers are taken every three hours during the day, so on average about 1.5 hours of work done between backups is lost. Adding the wait for restoration of the spreadsheet and the support time needed to retrieve the old version, about 21 hours of employee time per day was lost to retrieval of historical spreadsheet versions. With ClusterSeven, no support time is required, the time needed to process the retrieval is negligible, and the average gap between snapshots is about 30 minutes, adding up to 1.5 hours lost per day. That is a saving of 19.5 hours of company time per day because of the ClusterSeven ESM solution.
In a similar scenario, the bank calculates that its SOX compliance process with ClusterSeven ESM uses 750 hours of company time per year, compared to 3,125 hours per year with the old process, a difference equivalent to four FTE positions.
The bank also calculates many softer benefits of the ClusterSeven ESM solution, detailed in the table below.
2013 GRC Value Award: Environmental, Health & Safety
GRC 20/20 Research awarded CMO COMPLIANCE its 2013 GRC Value award in the Environmental, Health and Safety category. The CMO COMPLIANCE HSEQ solution was implemented for a contractor and replaced numerous department and division solutions with a central solution, streamlining ISO certification and saving the contractor at least one month's worth of additional FTE time that would otherwise have been dedicated to ISO certification management.
CMO COMPLIANCE is a Web-based and mobile enterprise GRC and health, safety, environment and quality (HSEQ) management system, offering a variety of modules and solutions to clients across multiple verticals (mining, oil and gas, energy, healthcare, infrastructure, transportation, government, manufacturing, construction, food and retail and more).
The contractor continues to discover new ways to streamline and save with the solution. Efforts to measure the different ways CMO COMPLIANCE is saving money, including the reduction in the number of incidents, are still developing and will continue.
Measurable change
As a result of the CMO COMPLIANCE solution and the deployment of its mobile component, the time from the contractor's audits and inspections to reporting has been reduced by 80 percent. Field employees can now perform their audits and inspections offline and sync the information back to CMO COMPLIANCE; reports are then generated automatically and sent to the appropriate personnel. Previously, audits were recorded in the field and then re-entered into a system back in the office.
Audit performance time has been decreased by 25 percent with the creation of automated workflows and default responses to pick from drop-downs, reducing data entry time.
The incident reporting, investigation and closure process has been shortened by 15 percent. This has been aided mostly by the workflow and notification process provided by CMO COMPLIANCE, which routes information to the appropriate parties and escalates overdue items, thus increasing accountability.
The contractor estimates that automatic report generation has cut 51 FTE hours per month. CMO COMPLIANCE also lets the contractor design its own forms and workflows: a process that takes an MS developer an average of 200 hours in SharePoint can now be completed in 30 minutes to one day, depending on complexity and user knowledge.
A fast, efficient management solution
When the contractor's ISO certification body was brought in to do an initial assessment of its management systems, the auditors were shown CMO COMPLIANCE. Because the auditors also use the solution, it made the process particularly easy. CMO COMPLIANCE streamlined ISO certification for the contractor's ongoing ISO management and renewal effort. The initial estimated saving from this process was one month's worth of additional FTE time that would otherwise have been dedicated to ISO certification management.
The contractor also uses the solution to centralize and standardize incident and investigation management, audit and inspection management, permit management, compliance management, environmental monitoring and reporting, and contract change management.
CMO COMPLIANCE is allowing the contractor to achieve its initiative of consolidating multiple systems into a single system, covering not only EHS but also quality and compliance. Future phases include integration with SharePoint and SAP.
More than 20 solutions, down to one
CMO COMPLIANCE replaced more than 20 solutions across multiple departments and divisions. The replacement has meant an ROI saving of $2 million per year, and because the ROI calculation is not yet complete, this number will likely grow. It includes not only the reduction in annual support and maintenance fees for the replaced solutions but also a reduction in IT infrastructure and resourcing costs.
Having everyone use the same system means that all employees, contractors and clients speak the same language when it comes to EHS, quality and compliance management. This allows the contractor to run companywide user groups and to drive process improvement and information sharing that continually enhance the way it operates.