The GRC Pundit

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 5 is C2CSmartCompliance’s Compliance Mapper which showed technology innovation for mind-mapping GRC.  

C2CSmartCompliance’s Compliance Mapper has a powerful GRC content mapping engine that allows an organization to graphically map regulatory and customer-generated content and click to establish bi-directional links.  The organization can graphically map policies and procedures to regulations and standards. Compliance Mapper eliminates the need for generically mapped, document-based approaches and reduces the number of controls needed to validate GRC.  The mapping engine enables ‘anything’ across the GRC spectrum to be linked together such that the relationship(s) many levels deep can be seen. For example, an incident could be mapped to an asset that is linked to a procedure that addresses a policy that meets a requirement (standard or regulatory requirement). Change a policy, regulation, standard or best practice in the GRC framework and see what is affected before making the change. C2C mapping technology highlights both direct mapping and indirect mappings ensuring all affected parties can be notified of possible changes, before a process or supporting document is ‘knocked out’ of compliance. 

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 6 is The Network’s Integrated GRC Suite which showed technology innovation for the user experience: the Apple of GRC.  

The Network’s Integrated GRC Suite is innovative for its design and end user experience. While most GRC applications focus on the back-end complexity of GRC, The Network has delivered a platform that is fresh, beautiful, and simply elegant for the user. It features an intuitive, employee-engaging, social media-style interface for ease of use, collaboration and configurability to an organization’s specific needs to match brand and culture, and is scalable to address global needs. The GRC Suite is positioned to help organizations transform the compliance function from a chore into a valued and valuable business asset. The GRC Suite blends GRC technology with awareness and communications expertise to help drive ethical culture. Where other GRC technology providers focus on the professional side of the equation, The Network’s solution adds interface assets that work to engage employees, while providing administrators and executives with the tools needed to manage compliance. Recognizing that employees are both the greatest asset and the biggest risk toward an ethical culture, the GRC Suite has been developed to enhance how employees consume, retain and apply information, to engrain them in the compliance process.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 7 is Compli Portfolio™ which showed technology innovation for integrating content, experience, and process. 

Think of Compli Portfolio™ as the “electronic binder” that integrates the work of internal and external experts in an elegant user experience to illustrate and manage an organization’s compliance and risk profile. Portfolio allows organizations to take their important disparate systems (which normally generate waste and functional overlap, limiting an organization’s ability to quickly demonstrate a program’s efficacy) and integrate them into a single outlet with a powerful reporting engine thereby “connecting the dots” when it comes to meeting compliance requirements.  Portfolio is an innovative approach to providing the integration of technology, process, and to automate the awareness, training and risk mitigation process. No matter the origin of an organization’s content, Portfolio provides a graceful interface that becomes a GRC binder for policies, procedures, trainings and certifications required of internal and external stakeholders. Portfolio utilizes workflow and content tools that deliver an intuitive, drag and drop interface to quickly create effective awareness, training and reporting campaigns. GRC professionals and subject matter experts can instantly devise complex cross-functional initiatives without requiring additional programming or being technology experts.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 8 is OpenQ’s SafeGuard™ which showed technology innovation for managing risk in social networks. 

OpenQ’s SafeGuard™ is addressing the risk of social technologies in regulated industries that have held back from using social technology because of GRC concerns. SafeGuard can be used with any social platform and is currently integrated into more than a dozen platforms.  It monitors risk from interactions over social networking platforms for regulated-industries to enforce corporate policy and regulatory compliance. SafeGuard collects and analyzes data, identifying levels of risk and enabling personnel to address any issues with its workflow-driven remediation capabilities. The product analyzes the internal social data streams and external social media to identify, quarantine and enable management of risk. There are similar products on the market that use keyword searches, however, SafeGuard’s social compliance technology uses a policy/signature driven approach, similar to that of antivirus software, which can adapt to industry and company needs.  It is the first and only product for policy-driven social compliance in the health, life science, and financial services ecosystems.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 9 is Blackthorn CaseNotes which showed technology innovation for advancing GRC mobility.

Supporting GRC activities on the move, Blackthorn CaseNotes represents one of the most feature rich GRC mobile apps available. It enables specialists in a range of GRC fields to collect and manage information. Forms are created and published via a web portal to CaseNotes, which are completed by the mobile user on or offline and then sent back to the server for recording and analysis. CaseNotes enables GRC mobile specialists to take contemporaneous notes, complete forms and associate photos, videos, audio recordings and scanned barcodes with each GRC activity they are managing (e.g. cases, incidents, assessments, audits, reviews) What makes it different from other notes apps is that it uses encryption and hashing to give evidential integrity to the notes, making it ideal for uses where accountability, positive assurance and legal admissibility matter while fully supporting a mobile workforce that is both offline and online.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 10 is Compliance Assurance Corporation’s Compliance Idea eXchange (CIE) which showed technology innovation for their ability to move from GRC idea to “there's an app for that. 

Compliance Assurance Corporation’s Compliance Idea eXchange (CIE) enables their clients to drive innovation, with a particular focus in GRC in the insurance vertical.  Clients define and model new applications that are made available as applications to other clients.  Client innovations are referred to as ideas that are turned into Apps. The Apps are embeeded into the Idea eXchange interface; allowing other CODE users to find, share, and execute value-added Apps.  The Idea eXchange functions for GRC similar to Apple’s App Store.  CIE provides GRC professionals with the ability to “mold” the platform to solve challenges in a variety of relevant domains. The eXchange provides a platform where these new, innovative ideas can be shared and reused by other companies. It empowers clients to harness their own innovative ideas and concepts, and transform them into real-world business and compliance process improvements.  What is different about this approach compared to similar efforts in the past is the depth of focus for apps and content on the insurance vertical specifically.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 11 is SAP's HANA Analytics Foundation for SAP GRC Solutions which showed technology innovation for advancing GRC analytics. 

In the era of ‘Big Data,’ SAP HANA Analytics Foundation for SAP Solutions for GRC shows innovation in addressing the burgeoning velocity, volume, and variety of GRC governance, risk and compliance data in the enterprise. This The SAP HANA® platform leverages in-memory data to speed analysis of large volumes of data to provide insight. SAP HANA speeds the process of gathering, analyzing, and reporting and creates new opportunities for cross-system GRC and business analytics.  It allows for complex analysis by aggregating thousands or even millions of pieces of data across systems that used to be a task that must be run overnight or during off-hours. One example of the value of SAP HANA is in the area of fraud analytics with the ability to take an entirely new approach to fraud detection, prevention and management leveraging in-memory technology to provide insights into fraud, waste, and misuse allowing companies to take action before damage occurs. SAP HANA enables fraud detection in quasi-real-time and prevents transactions from proceeding to avoid loss. It significantly improves the accuracy of fraud identification by reducing the number of false positives and investigation team workload, and leverages predictive analytics to analyze potential fraud scenarios and adapt to changing fraud patterns.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 12 is ControlPanelGRC's AutoAuditor which showed technology innovation for efficiencies in reporting. 

ControlPanelGRC’s AutoAuditor enables companies to be in a state of continuous audit readiness by automating manual reporting processes, and through its intuitive design AutoAuditor adapts to each company’s specific reporting demands. This turnkey solution automates repetitive report generation processes to push the report output to appropriate business or risk owners for review; by eliminating any additional training or tedious setup, once installed AutoAuditor pushes reports directly to those necessary resources rather than needing to be pulled. With AutoAuditor preparing for an audit no longer has to be major cause of stress that requires internal teams to spend weeks researching reports, collating spreadsheets and manually tracking down paper reports buried in filing cabinets. Business or risk owners perform the value add steps of reviewing the output and the workflow engine captures the signoff and exception documentation. The automatic check and balance system not only pushes the necessary report on cue, but also records the mandatory review, which is then automatically saved as future audit evidence. Value is achieved in eliminating human error, missed analysis opportunities, and subsequently, possible penalties if the processes are not executed on a timely basis.

Governance, Risk Management, and Compliance – every organization does it.  There are variations in the opinion of what we call GRC.  Some like it and some do not.  Some use the term ERM in much the same way I use the term GRC, others may call it something else or not even have a name for it.

My position is that every organization does GRC.  You will not find an executive in anorganization that will tell you they do not govern the organization, they do not manage risk, and they do not comply with obligations and policies.  The components of GRC are in every organization.  They may be ad hoc, fly by the seat of our pants approaches.  They may be very mature and integrated.  The question is not if you do GRC but how mature your GRC practices are whether you call it GRC or something else.  GRC, using the only definition in a publicly vetted standard –OCEG’s GRC Capability Model, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

Mature GRC practices involve architecture.  Design to integrate and leverage risk and disparate processes, information, and technology.  It is not about a software vendor who provides Enterprise GRC – that may be a component and part but that alone does not mature GRC.  Most organizations have multiple GRC technologies, information, documents, and processes.  Sometimes these work together in harmony producing mature GRC other times it is broken and fragmented leading to redundancy, inefficiency, and failures.

Most organizations suffer with immature GRC architecture.  They remind me of the Winchester Mystery House in San Jose, California.  This house was built in the 1800’s at excessive costs with no overall design or architect.  In fact it had 38 builders and no blueprint.  In the end it has 160 rooms, 47 fireplaces, 6 kitchens, 10,000 windows, 65 doors that open to a blank wall, 25 skylights in floors not ceilings, and 13 abandoned staircases that go up to nothing – or perhaps down to nothing.

This is the reality of immature GRC in many organizations.  The confusion of the Winchester Mystery House are there: 160 different assessment formats; 47 different policy formats; 6 different risk frameworks/taxonomies; 10,000 documents and spreadsheets; 65 risk and compliance management report formats; and 25 different technologies ranging from spreadsheets, custom built risk software, to commercial solutions.  This is a reality for large organizations – one financial services firm I worked with last year on the GRC technology strategy mentioned they had thousands of documents and spreadsheets for risk and compliance assessments and various technologies in place.  A hospital chain told me they had over 18,000 policies that were highly redundant nearly 30 hospitals each with their own risk and compliance programs.  An international financial services and insurance firm told me the line of business was screaming at them because of the number and different formats for risk and compliance assessments.

To solve this, organizations need to understand the maze of GRC processes, information, and technologies in place and architect approach that brings greater levels of effectiveness, efficiency, and agility to the business.  Your GRC architecture should align with your enterprise architecture and fit the way the organization operates.

As we look ahead at 2013 – how are you going to make GRC processes more effective, efficient, and agile?

As we close out 2012 let us roll the years back from 2012 to 1912.  One hundred years a go was the disaster of the Titanic.  What can we learn from it today?

I have been told that Captain E.J. Smith stated before the Titanic set sail, “Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”  In fact, the newspapers ran with headlines that stated UNSINKABLE.

What went wrong with the Titanic?  Yes, it hit an iceberg.  What truly went wrong?  The lessons we learn from the Titanic can help us understand and make a case for enterprise risk management today.  I do not claim to be a Titanic historian or expert, but in my limited understanding I have identified the following things that went wrong:

• Overconfidence.  The strategy and design of the ship led to over confidence – the first too big to fail.  Not only with the Captain, but with the media/press and everyone else involved.
• Health and safety.  To my knowledge the Titanic was fully compliant with health and safety requirements of the day – the fact still remains that there were not enough life preservers and life boats for the number of passengers on board.  There was time to get off the boat – but there was no place to go.
• Design.  I understand that the size of the propeller and rudder were to small for the massive size of the ship which limited its maneuverability around objects.
• Quality.  There is speculation that the iron ore in the rivets was of an inferior quality.  The rivets were weak that held the seams of the ship together, when it struck the iceberg the gash opened and the ocean waters flooded in.
• Ignorance.  There were warnings of icebergs in the area that were communicated to the Titanic.  The response from the Titanic was SHUT UP we are tired of hearing about it.
• Inattention.  It is understood that someone was not paying close attention on watch which caused them to confront disaster.
• Strategy.  I have read that the Titanic was designed to stay afloat with four compartments flooded.  They were headed to the iceberg dead on and decided to turn and hit it on the side.  If they would have hit it head on only two compartments would have flooded.  When they hit it on the side six compartments flooded.

The Titanic was a complex operation.  Business today is complex but also distributed and requires a strong enterprise risk management strategy.  One that sees the big picture but can also get down into the “coal face” of the business.  One that can show the relationship of risk and provide analysis at a strategy view as well as specific process or departmental view.  We need to understand the breadth and depth of risk in the context of strategy and operations of the business.

As you enter 2013 and are finalizing your strategic plans have you thought about the range of risks to those plans?  How integrated is risk management with strategic planning?  How integrated is risk management with business operations? Will you be caught by surprise because you failed to see how risk in different parts of the organization can work in concert to bring disaster or failure to meet objectives? I am anxious to hear your thoughts on risk management .