Compliance & Ethics in the Year 2020

Compliance and ethics is not the same today as it was a few years ago, and it’s safe to say that it will continue to evolve in 2020.

In the past, compliance and ethics was distributed and disconnected. The result was a maze of processes, reporting, and information. Compliance functions spent more time managing the volume of documents than they did actually managing and improving compliance.

Compliance and ethics today is in the midst of transformation. The pressure on organizations is forcing them to rethink the approach and role of compliance across the business. Organizations are looking for greater compliance effectiveness while being more efficient with human and financial resources.

What do these many factors, trends and forces suggest for the future of ethics and compliance?

In 2020, compliance will no longer be the ‘corporate cop’; it shifts to focus on the integrity of the organization. Compliance and ethics are becoming how we do business rather than obstacles to business. The business, risk and regulatory environment is constantly changing, and ethics and compliance will have to evolve with it.

Compliance operations will become federated to overcome the inefficiencies of the decentralized approaches of the past. Oversight of compliance and ethics is being centralized under a Chief Ethics and Compliance Officer (CECO) with stronger executive and board relationships, while the islands of compliance scattered throughout the business begin to coordinate and work together under the CECO’s leadership. It will not be a completely centralized organization, since many domains of compliance work best alongside business operations, close to the “coal face” of the organization, but compliance information, activities and processes will be coordinated across these departments.

The Shift to a New Ethics and Compliance Information-Based Architecture

All of the above trends point in one clear direction, toward a new ethics and compliance architecture that is dynamic, proactive and information-based. That is, a new model for ethics and compliance that:

  • Is aligned with stakeholder demands for transparency and accountability;
  • Functions as a strategic partner with leadership;
  • Takes full advantage of emerging technologies to improve efficiencies; and
  • Will allow ethics and compliance practitioners to better target their resources.

This shift enables the ethics and compliance organization of tomorrow to have greater efficiency in processing and managing information, effectiveness in ensuring corporate integrity, and agility in addressing rapidly changing business, regulatory, legal and reputational risks. In particular, this new architecture will transform every one of the current elements constituting an ethics and compliance program. Codes, policies and training will all be changed. For example:

  • Risk management. Ethics and compliance will have an active seat at the table of risk management.
  • Code(s) of conduct. A standalone code will be a thing of the past; employees will have an interactive code environment.
  • Policy and procedure management. Similar to the code, policies will be accessed in a user-friendly environment through a portal aligned with the organization brand.
  • Training. As a result of the interactive policy management portal, learning management and delivery of training will be an integrated part of the portal itself and not require disconnected platforms to be integrated.
  • Monitoring & assessment. The ethics and compliance department will have access to data-mining and benchmarking resources that will allow for predictive modeling and serve as a tool for targeting training, security and mitigation efforts.
  • Investigations. The organization will have a single system to record and capture issues, incidents, and events that integrates with helplines.
  • Change management. Ethics and compliance will be able to integrate processes and technology with information from content providers to rapidly assess changing laws, regulations, and developments around the world and understand how they impact policy and the integrity of the organization.
  • Mobility. There’s an app for ethics & compliance! Ethics and compliance will embrace mobile technology on tablets and other devices to report issues; deliver policies, training, and other interactive content; and conduct investigations, audits and assessments.
  • 3rd-party management. Across the range of the items above, ethics and compliance will more effectively manage and communicate integrity across its business relationships with vendors, suppliers, distributors, outsourcers, contractors, consultants, service providers and temporary workers.
  • Metrics and benchmarking.  With a strong information architecture integrated with external content, the ethics and compliance organization will have an optimized infrastructure to report on metrics, trends and benchmarking to track performance and how it is aligned with business strategy and execution.

As with any transformation, the road of change will have speed bumps. Some individuals are naturally resistant to change.  They like the consistency of knowing they have mastered their field and find comfort in performing the job the same way they have in decades past. But change is inevitable. The business environment—along with the risk and regulatory environment—is constantly changing.  This will force ethics and compliance to evolve to meet organizational requirements for corporate integrity throughout the business and its relationships.

I would love to hear your thoughts on compliance management yesterday, today, and tomorrow . . . please comment below.

Michael Rasmussen, The GRC Pundit

Michael Rasmussen is an internationally recognized thought leader and pioneer in governance, risk management, and compliance (GRC). With over 30 years of experience, he has extensive expertise in enterprise GRC strategy and processes supported by robust information and technology architectures. Known as the “Father of GRC,” Michael was the first to define and model the GRC market in February 2002 while at Forrester, setting the foundation for the modern understanding of GRC.

Michael helps organizations build and refine their GRC strategies, ensuring alignment with business objectives to deliver effective, efficient, resilient, and agile operations. He is a highly sought-after keynote speaker, author, and advisor. His influential work has contributed to U.S. Congressional reports and committees. Michael is an OCEG GRC Fellow, serves on the Leadership Council of OCEG, and chairs the OCEG Technology Council.

Michael is frequently quoted in the press and respected for his expert commentary on broadcast news channels. He is an Honorary Life Member and Global Ambassador of Risk Management with The Institute of Risk Management for his contributions to risk management and GRC. Treasury & Risk recognized him as one of the 100 most influential people in finance, highlighting his work in “Governance and Compliance: Saving the Planet and the Corporation” and naming him a “Rising Star in Rocky Times: Corporate America’s Outstanding Executives.”

Before founding GRC 20/20 Research, Michael was a vice president and ‘Top Analyst’ at Forrester Research, Inc. He also led the risk and compliance consulting practice at a professional services firm and gained experience managing compliance and risk within commercial organizations before that.

Michael’s educational background includes a Juris Doctorate in law and a Bachelor of Science in Business. He holds a Master’s in Church History with a focus on Medieval Church History from Trinity Evangelical Divinity School and a Master’s in Pastoral Ministry from Nashotah House. He is certified as a GRCP (GRC Professional), iPMP (Integrated Policy Management Professional), CCEP (Certified Compliance and Ethics Professional), and CISSP (Certified Information Systems Security Professional). OCEG has recognized him as an OCEG Fellow for his global contributions and advancement of GRC practices.

Certifications & Designations

  • OCEG Fellow
  • Honorary Life Member & Global Ambassador of Risk Management, Institute of Risk Management (IRM)
  • GRC Professional (GRCP)
  • Certified Compliance & Ethics Professional (CCEP)
  • Certified Information Systems Security Professional (CISSP)

Degrees

  • Master of Pastoral Ministries, Nashotah House
  • Master of Arts, Church History – focus medieval church history
  • Juris Doctorate, Oakbrook College of Law & Government Policy
  • Bachelor of Science, Business, University of Phoenix

Association Involvement

  • Open Compliance and Ethics Group (OCEG)
  • Chicago Regional Business & Ethics Network (CRBEN)
  • Institute of Risk Management (IRM)
  • Society of Corporate Compliance & Ethics (SCCE)
  • Professional Risk Manager’s International Association (PRMIA)
  • Information Systems Security Association (ISSA)
  • Institute of Internal Auditors (IIA)
  • Information Systems Audit & Control Association (ISACA)


2013 GRC Drivers & Trends

With March upon us, 2013 is well underway. GRC-related activity, in both process and technology, is increasing as organizations look for better ways to do things while they face distributed and dynamic risk and regulation. Fresh budgets, new resolutions, growing risk and regulatory burdens, the need to understand risk in the context of strategy, and dynamic, distributed business all lead to process reengineering for governance, risk management, compliance, legal, security and audit functions across the business.

GRC Process & Strategy Drivers

The bulk of GRC spending is happening at the department level to address specific issues or department level GRC process and technology improvement.  GRC 20/20 Research is following several enterprise GRC strategies and implementations, but this represents less than twenty percent of the overall GRC market.

The number-one driver for improving GRC is dealing with the explosive growth of GRC “Big Data” in documents, spreadsheets, paper trails, and emails with no audit trails to validate who did what, when, how, where, and why.  One RFP that GRC 20/20 worked on for a financial services firm revealed that the risk, compliance and audit staff were spending 80% of their time managing documents and reconciling information and only 20% of their time in actually managing risk and compliance.

Organizations are swamped by the volume of regulatory change: new laws, changing regulations, administrative decisions and court cases. Keeping current on regulations, documenting impact assessments, and maintaining compliance has been a critical driver in several industries for adopting stronger GRC approaches to regulatory change management. A specific focus is anti-bribery and corruption (e.g., the US FCPA, the UK Bribery Act and the OECD Anti-Bribery Convention).

GRC 20/20 is seeing significant activity in managing vendor/supplier risk, compliance, and performance across extended business relationships. Organizations are seeking improved third-party governance because of anti-bribery and corruption, conflict minerals, vendor assessments and attestations, security, and privacy. This requires due diligence as well as assessments, audits, policy communication, training, forms, and attestations across third-party relationships. In particular, there is a growing need to manage risk and compliance around international labor standards across third-party relationships; GRC 20/20 has seen increased activity from organizations developing strategies and RFPs to address social accountability across the extended business.

Critical 2013 GRC Process and Technology Trends

GRC, properly defined, is “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance).” To deliver on this understanding of GRC, what OCEG calls Principled Performance, GRC approaches are evolving to mature the matrix of enterprise strategy, process, information, and technology. This is what GRC 20/20 defines as GRC 3.0: GRC becomes pervasive across the business and its operations, extending from the risk and compliance departments to the executives as well as the “coal face” of the organization.

The major trends GRC 20/20 is researching and monitoring in 2013 are listed below. These are the game-changing trends that mark significant shifts in GRC strategy and technology.

  • GRC Architecture. The core of GRC 3.0 is to approach GRC as architecture involving strategy, process, information, and technology working together across the business and its operations.  Organizations are leveraging enterprise architecture concepts and applying them to GRC.  GRC requires the integration of different types of applications and content across the business to achieve efficiency, effectiveness, and agility in a dynamic and distributed business environment.  This requires that we understand the business and how it operates – leading to an enterprise architecture approach to GRC.
  • Risk Socialization & Collaboration. Organizations are recognizing that effective risk management includes those on the front lines of the business, the “coal face.” To execute on this, GRC leaders are exploring ways to make risk management social and collaborative, easy to understand and engage with across all levels of the organization. One emerging method is to use social technology to facilitate risk collaboration and gamification across the risk management process.
  • Engaged Employee.  On the topic of socialization, GRC is part of everyone’s job description.  Forward-thinking companies are looking for the user experience: getting employees involved and providing elegant interfaces that employees enjoy working with. A lot of work has been done on GRC technology and process to manage the back-end of GRC—the processes and operations of audit, compliance, and risk management.  However, little has been done to improve the front-end of GRC: engaging employees and providing them with interface, content and collaboration technologies to participate in GRC without feeling intimidated and lost.
  • Operationalizing GRC. Operationalizing GRC is taking GRC to the business. This ties into the trends above (GRC Architecture, Risk Socialization/Collaboration, and the Engaged Employee) but is more than that. It is about enabling GRC across business systems and processes: bringing GRC into the process and ERP fabric of the business to improve real-time insight into business decisions, operational intelligence, and monitoring of the business environment.
  • Mobility. There’s an app for GRC! GRC is embracing mobile technology on tablets and other devices. Issue reporting will readily be done through mobile devices. Tablets will be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access. Mobile devices will be used in conducting investigations, audits and compliance assessments. The ability to record pictures and video directly into compliance applications will make these processes more efficient and effective.
  • Business, Risk, & Regulatory Change Management.  GRC strategies are looking to integrate GRC process and technology with content from content providers to rapidly assess changing regulations, risks, industry and geopolitical events, and how they impact strategy, performance, controls, policy and the integrity of the organization.  When the business changes, such as through mergers and acquisitions, GRC is getting involved to assess and harmonize policies, controls, and processes impacted by business change.

Other significant trends in 2013, but not categorized as major trends, that GRC 20/20 continues to research and monitor closely are:

  • 3rd Party Management.  Do you really know who you are doing business with? GRC is being used to more effectively manage and communicate integrity across its business relationships with vendors, suppliers, outsourcers, contractors, consultants, service providers, third party intermediaries, and other non-employee roles.  The goal is holistic management of third-party relationship performance, integrity, risk and compliance throughout the business ecosystem.
  • Business Process Modeling. Leading GRC solutions are adopting more business process modeling capabilities. This allows the organization to see how business processes function and information flows, combined with control and risk areas. Organizations want to see a visual representation of a business process and where it is having issues and incidents—in other words, to see a graphical dashboard of the process in a GRC context.
  • Policy & Procedure Management.  Organizations are driven to replace ad hoc approaches to policy management.  The goal is a user-friendly environment policy portal.  Employees will easily be able to find the current policy with interactive tools to explain the policy. Policy resources and related forms will be part of the portal. Learning management and delivery of training will be an integrated part of the portal itself and not require disconnected platforms to be integrated. There are over a dozen policy management deals that GRC 20/20 is monitoring at the moment in Fortune 500 companies—and more beyond that.
  • Corporate Compliance Management.  In the past GRC focused on financial controls/compliance and IT risk and control.  Then it moved to enterprise/operational risk and audit management.  Now GRC 20/20 is seeing growing demand for compliance management platforms that bring together regulatory change management, policy management, compliance assessments, reporting/hotlines, training and investigations.
  • Anti-bribery and corruption. Growing anti-bribery and corruption laws, requirements and enforcement actions challenges organizations.  Organizations are looking for a mixture of process, technology and content to effectively address anti-bribery and corruption compliance requirements on a global basis. Organizations are looking for a mixture of solutions to address process, policies, training, screening, due diligence, and transaction monitoring.
  • Identity & access governance.  Who forgot identity?  Identity and access governance is a critical enterprise GRC technology.  Many risk and compliance issues boil down to who has access to what in both the physical and logical environments and whether that access is rational and justified.  This includes making sure individuals are trained and aware of policies for the access they are given. 2013 will show greater awareness and integration of identity and access governance and technologies as part of a GRC strategy. Significant focus will be on compliance reporting and risk exposure.

Defining a GRC Strategy and Blueprint that Bridges GRC Silos

Governance, risk, and compliance (GRC) is not a single role in the organization. Effective GRC requires collaboration across business areas that have historically operated as introverted silos. This comprehensive three-hour workshop walks you through the process of defining a central GRC strategy that encompasses all areas of your business. By attending, you learn how to:

  • Bring together disparate views of risk and compliance along with the roles and stakeholders involved in GRC
  • Formulate strategies to begin and maintain collaboration on GRC across the organization
  • Incorporate IT to drive sustainability, consistency, efficiency, and transparency into enterprise risk and compliance initiatives
  • Assess the complex landscape of applications and technologies that need to start working together to provide a coherent picture into enterprise GRC
  • Incorporate the taxonomy of applications and technologies used for GRC into blueprint architecture
  • Build a roadmap for a successful GRC strategy with a firm technology foundation
  • Stay abreast of dynamic environments, risks, regulations, and case law across multiple jurisdictions

Wrapping Up Effective Policy Management Loose Ends

Many of you have closely followed my commentary over the past few years on Effective Policy Management and its role in a broader GRC architecture. It is apparent that I am an advocate for technology to manage policies.  Document centric approaches fail.  When we manage policies in word processors and distribute them in email or intranet sites we quickly lose control.

The fact is – organizations struggle with out of date policies.  As soon as I make a policy revision and distribute it, there are still perhaps hundreds (depending on organization size) of versions of the old policy scattered in file shares, email inboxes, local hard-drives, mobile/tablet devices, SharePoint sites, etc.

What is worse is that any employee (or worse yet, a business partner such as a contractor) can create a document and call it a policy.  This puts the organization at risk.  Policies can establish a duty of care to the organization.  Rogue policies that are not officially approved/authorized may throw the doors of liability and legal exposure wide open to the organization.

Organizations need better technology to effectively manage the development, distribution, communication, and maintenance of policies throughout the enterprise.  Technology is enhanced when the organization has standard templates and development/lifecycle process for policy management.  Any employee should be able to open a policy and be able to validate that it is an official policy by comparing it to the current official version on the centralized policy management portal.  They should be able to know if it is an official policy by the template it is in and the fact that it is properly catalogued.

Further, to defend the organization we need audit trails of who interacted with any specific policy: who read or accessed it, when they accessed it, from where, and how often. Organizations need this evidence to defend themselves in the current legal and regulatory climate. Want proof? Consider the Morgan Stanley FCPA case in 2012, when Morgan Stanley became the first company in the 35-year history of the FCPA to receive a public declination of prosecution. If you read the DOJ/SEC press release you will find that Morgan Stanley maintained its policies (kept them current) and could defend its compliance program by showing how many times Mr. Peterson in its Asian real-estate business was sent a policy, reminded of one, trained on it, and so on.
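The two controls in the paragraphs above (an employee being able to check that the document in front of them is the current official version on the central portal, and an audit trail of who accessed which policy, when and from where) are small enough to sketch in code. What follows is an added example written for this page, not code from the original post or from any of the solution providers it names. It assumes a catalogue keyed by a hypothetical policy identifier that stores the SHA-256 of every approved version, and an append-only log in which each record commits to the hash of the previous one, so that an edited or deleted access record is detectable. The policy text, user identifier and timestamps are constructed for illustration.

```python
"""Policy integrity check and tamper-evident access audit trail.

Added example for this page, not code from the original post or from any
GRC vendor it names. Assumes: a central catalogue keyed by policy id that
stores the SHA-256 of every approved version, and an append-only,
hash-chained log of who interacted with which version, when and where.
Policy text, user ids and timestamps are constructed for illustration.
"""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample policy: two approved versions, 2.0 is current.
POLICY_V1 = b"ANTI-BRIBERY POLICY v1.0\nGifts over USD 50 require approval.\n"
POLICY_V2 = b"ANTI-BRIBERY POLICY v2.0\nGifts over USD 25 require approval.\n"

# The portal's catalogue: hypothetical policy id -> approved versions by hash.
CATALOGUE = {
    "POL-ABC-001": {
        "current": "2.0",
        "versions": {"1.0": digest(POLICY_V1), "2.0": digest(POLICY_V2)},
    }
}


def verify_policy_copy(policy_id: str, data: bytes, catalogue=CATALOGUE) -> str:
    """Classify a document found in a file share, inbox or laptop.

    'current'    byte-identical to the approved version on the portal
    'superseded' an approved version that has since been replaced
    'unofficial' matches no approved version: edited, forged, or a
                 'rogue policy' that was never approved at all
    """
    entry = catalogue.get(policy_id)
    if entry is None:
        return "unofficial"
    d = digest(data)
    for version, official in entry["versions"].items():
        if d == official:
            return "current" if version == entry["current"] else "superseded"
    return "unofficial"


@dataclass
class AuditLog:
    """Append-only record of policy interactions. Each entry commits to the
    hash of the previous one, so editing or deleting a record breaks the chain."""
    entries: list = field(default_factory=list)

    def record(self, user: str, policy_id: str, version: str,
               action: str, when: str, where: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"user": user, "policy_id": policy_id, "version": version,
                "action": action, "when": when, "where": where, "prev": prev}
        body["hash"] = digest(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body

    def verify_chain(self) -> bool:
        """True only if every entry's hash and back-link still check out."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev") != prev:
                return False
            if digest(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def interactions(self, user: str, policy_id: str) -> Counter:
        """How often a person read, attested to or was trained on a policy."""
        return Counter(e["action"] for e in self.entries
                       if e["user"] == user and e["policy_id"] == policy_id)


def build_demo_log() -> AuditLog:
    """Constructed interactions of one hypothetical employee with the policy."""
    log = AuditLog()
    log.record("employee-42", "POL-ABC-001", "1.0", "read", "2012-03-01T09:00Z", "HQ intranet")
    log.record("employee-42", "POL-ABC-001", "2.0", "read", "2013-01-15T10:30Z", "mobile app")
    log.record("employee-42", "POL-ABC-001", "2.0", "attested", "2013-01-15T10:35Z", "mobile app")
    log.record("employee-42", "POL-ABC-001", "2.0", "trained", "2013-02-02T14:00Z", "LMS")
    return log


if __name__ == "__main__":
    doctored = POLICY_V2.replace(b"25", b"250")  # someone edited the threshold
    for label, doc in [("portal", POLICY_V2), ("inbox", POLICY_V1), ("doctored", doctored)]:
        print(f"{label:9s} -> {verify_policy_copy('POL-ABC-001', doc)}")
    log = build_demo_log()
    print("chain intact:", log.verify_chain())
    print("employee-42:", dict(log.interactions("employee-42", "POL-ABC-001")))
    log.entries[1]["where"] = "elsewhere"  # tamper with one record
    print("chain intact after tampering:", log.verify_chain())
```

Calling verify_policy_copy on a copy pulled out of an inbox answers the “is this the real policy?” question raised above; interactions answers the Morgan Stanley style question of how many times a given person was shown, attested to or trained on a policy; and verify_chain fails if any record is later edited or removed. In a real portal the catalogue and log would live in a database behind access controls, and the current chain head would be anchored somewhere the policy team itself cannot rewrite.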

How does an organization go about selecting a policy management solution?  Should they build one in house on tools such as SharePoint? Should they purchase a policy management solution built on SharePoint? What about stand-alone policy management software? What value do these offerings bring that a SharePoint implementation cannot achieve?  When does an enterprise GRC platform make sense that can cross-reference policies to issues, investigations, risks, controls, and even regulatory change management to manage policies when regulations change?

GRC 20/20 Research tracks approximately sixty different solution providers in the policy management space, among the more than 500 solution providers in the broad GRC market and its various segments. Some of these solutions are enterprise GRC platforms where policy management is one module/app integrated with a series of others to provide insight and intelligence across policies and broader GRC. Other solutions are policy management pure-plays that focus exclusively (or nearly so) on policy management. Still others are built upon content management systems such as SharePoint.

How does an organization make sense of all this?  It can be challenging.

GRC 20/20 Research is happy to interact with any organization looking for solutions in the GRC space, and in this context, policy management solutions. This ranges from half-hour email or phone inquiries to discuss the market, the players in it, and what differentiates them, for organizations evaluating or implementing solutions. GRC 20/20 provides open access to its research analysts to any organization looking to purchase GRC technologies. If deeper help is needed, GRC 20/20 can be engaged on projects to develop or customize your organization’s RFP and select the right vendors to evaluate based on your organization’s size, locations, industry, and other demographics. Every solution provider has its strengths and weaknesses; you need to end up with the one that best fits your business.

Some additional things to consider:

  • Later in February, GRC 20/20 Research will be releasing two market research reports.  One will be a GRC 20/20 Market Landscape: Policy Management Solutions that defines the market, size, growth/direction, drivers, trends, and key players.  The other will be a GRC 20/20 Buyer Perspective: Selection Criteria for Policy Management Solutions focused to help organizations in developing RFPs for policy management solutions.
  • My Effective Policy Management Lifecycle and the workshops built around it have been very popular, and I continue to deliver them in public and private formats. The eBook combining my commentary and work with OCEG, Compliance Week, and several solution providers is also available for download. The OCEG GRC Policy Management Illustrated series is contained in the eBook.
  • GRC 20/20 is proud to announce that Lisa Hill is now a contributing analyst of GRC 20/20 Research.  Lisa is the former policy manager at VISA – and has built one of the most mature approaches to policy management process and lifecycle that I have encountered.  She has her own consulting business, PolicyScape, that works directly with organizations to help them define and build their policy management process.  As a contributing analyst, she works through GRC 20/20 Research as an analyst in the GRC technology market to assist with GRC/policy technology RFPs, deliver GRC 20/20 policy training, and assist solution providers in their strategies.
  • I chair the OCEG Policy Management Group.  While some collaboration started in 2012, the group (comprised of policy managers and others interested in policy management) is ready to fully launch with activities later in February.  OCEG has established a collaboration management platform that we will be utilizing to develop the OCEG policy management guide; provide templates for a style guide, policy on writing policies, and a library of policies themselves that is contributed to by members.  Further, we will be working on a Policy Manager certification to help establish this critical role in organizations.  If interested in this group, please contact me.

GRC 20/20 is providing the following (paid) research webinar on this topic: Policy Management Market Landscape & Selection Criteria. This one-hour webinar lays out the policy management market size, players, differentiators, and direction. We will also explore the core selection criteria organizations should consider when purchasing a policy management solution. While the webinar does not go into specific comparisons of individual vendors, we will present a model that characterizes the market into basic, mature, and advanced offerings.

2013 GRC Technology Innovation Awards

GRC and technology. Every organization does GRC, not every organization does GRC well.  You will not find an organization that states it lacks governance, does not care about risk, and forgets about compliance.  Organizations may not call it GRC – but they have GRC processes from the ad hoc to the mature.  What makes a mature GRC approach – either at the departmental or enterprise level – different from an immature approach is how the organization utilizes process, technology, and information.  Technology makes GRC and its individual components of governance, risk management, and compliance more effective, efficient, and agile.

Over the years GRC technology has evolved and changed. There is not one vendor that delivers all of GRC; there are many market segments and niches. In 2012, GRC 20/20 recognized ten vendors from a few dozen submissions in the 2012 GRC Technology Innovation Awards. To recognize how technology is evolving, GRC 20/20 Research is proud to announce the 2nd annual GRC Technology Innovation Awards.

The 2013 GRC Technology Innovation Award process was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.  Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and innovative solutions.

Particular trends to note in the 2013 selections are:

  • Delivering a GRC marketplace for the exchange of ideas, content, and apps (RSA Archer started this trend a few years back, but other vendors have picked up on it and advanced it to new levels);
  • Socializing GRC and risk management by using social technologies to facilitate risk collaboration and gamification across the business and engage everyone in GRC and risk management (BPS Resolver started this trend several years back, but it is just now gaining momentum and a few of the companies selected are really advancing this concept);
  • GRC architecture and integration: it is not about one GRC vendor that can do everything. GRC requires the integration of different types of applications and content to make it work, which in turn requires that we understand the business, how it operates, and take an enterprise architecture approach to GRC; and
  • Engaging the employee: at the end of the day, GRC is part of everyone’s job description. Forward-thinking companies are looking at the user experience, how to get employees more involved, and how to provide elegant interfaces that employees enjoy working with.

Not every vendor selected for the 2013 award fits completely into one of these buckets, but all of this year’s award recipients touch one or more of them with where they are taking GRC technology.

The 2013 GRC Technology Innovation Award recipients are (please follow hyperlinks to see more detail on each recipient):

  1. The GRC Marketplace: the Force.com of GRC. MetricStream’s Zaplet brings the benefits of Platform-as-a-Service (PaaS) technology to the GRC space, providing a platform to build, market, and sell specialized GRC applications using the power of cloud technology and community.
  2. Risk collaboration: socializing risk in the enterprise. Riskflo’s Discovery™ platform addresses the fundamental challenge of capturing, integrating and sharing the knowledge of how a risk behaves. 
  3. Engaging Risk: providing a social GRC architecture. Integrc’s "Engaging Risk” is a combination of integrated GRC knowledge solutions that helps organizations achieve greater understanding and interaction.
  4. Delivering GRC Architecture. MEGA’s Holistic Operational Excellence platform (HOPEX) integrates enterprise architecture (EA) capabilities with GRC capabilities into one platform.
  5. Mind-mapping GRC. C2CSmartCompliance’s Compliance Mapper has a powerful GRC content mapping engine that allows an organization to graphically map regulatory and customer-generated content and click to establish bi-directional links.
  6. The user experience: the Apple of GRC.  The Network’s Integrated GRC Suite is innovative for its design and end user experience.
  7. Integrating content, experience, and process. Think of Compli Portfolio™ as the “electronic binder” that integrates the work of internal and external experts in an elegant user experience to illustrate and manage an organization’s compliance and risk profile.
  8. Managing risk in social networks. OpenQ’s SafeGuard™ is addressing the risk of social technologies in regulated industries that have held back from using social technology because of GRC concerns.
  9. Advancing GRC mobility. Supporting GRC activities on the move, Blackthorn CaseNotes represents one of the most feature rich GRC mobile apps available.
  10. From GRC idea to “there’s an app for that.”  Compliance Assurance Corporation’s Compliance Idea eXchange (CIE) enables their clients to drive innovation, with a particular focus on GRC in the insurance vertical.
  11. Advancing GRC analytics. In the era of ‘Big Data,’ SAP HANA Analytics Foundation for SAP Solutions for GRC shows innovation in addressing the burgeoning velocity, volume, and variety of governance, risk and compliance (GRC) data in the enterprise.
  12. Efficiencies in reporting. ControlPanelGRC’s AutoAuditor enables companies to be in a state of continuous audit readiness by automating manual reporting processes, and through its intuitive design AutoAuditor adapts to each company’s specific reporting demands.

GRC 20/20 wishes we could recognize more – but we had to put a cap somewhere.  Twelve seemed like the appropriate number.  There were many great submissions – some more innovative than others.  The 2014 award nomination process will begin in October of 2013.  Further, GRC 20/20 will be doing another award process called the GRC Value Awards.  Nominations will be accepted starting in April 2013 and award recipients will be selected and announced in July 2013.  That process will look to find who has the best-substantiated value proposition in various categories of GRC software.  Stay tuned.

1 – The GRC Marketplace: the Force.com of GRC, MetricStream’s Zaplet

The 2013 GRC Technology Innovator awards were filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions, there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 1 is MetricStream’s Zaplet, which showed technology innovation for the GRC Marketplace: the Force.com of GRC.

MetricStream’s Zaplet brings the benefits of Platform-as-a-Service (PaaS) technology to the GRC space, providing a platform to build, market, and sell specialized GRC applications using the power of cloud technology and community. This enables the broadest GRC ecosystem of partners and content providers to deploy GRC applications and content. At its core is the GRC App Store, a web-based marketplace, where customers can browse, learn about, license, and run GRC apps and integrated content. Each app has its own data models, workflows, information flows, content, reports, dashboards, and templates that are fully tailored to specific requirements around a business process, industry mandate, or regulatory requirement. These apps are rich in content and functionality as they are designed and developed by GRC subject matter experts. Developers build applications using the AppStudio suite of development tools, which provides a visual environment with web-based drag-and-drop tools for defining workflows and information routing rules, forms, business reporting processes, and the underlying business logic that controls the interactions between various elements. Developers and partners can provide customer demos, free trials, and upgrades, while accessing critical customer feedback and any new requirements via the GRC App Store. 

2 – Risk collaboration: socializing risk in the enterprise, Riskflo’s Discovery™

Number 2 is Riskflo’s Discovery™, which showed technology innovation for risk collaboration: socializing risk in the enterprise.

Riskflo’s Discovery™ platform addresses the fundamental challenge of capturing, integrating and sharing the knowledge of how a risk behaves.  This knowledge is fragmented across the organization, across business processes, and from management to the ‘coal face.’  Riskflo’s suite of applications provides a new approach to risk workshops and facilitation so that the knowledge locked away inside the heads of those closest to the business process and its risks is captured.  Riskflo has moved beyond risk voting tools to support a rich interactive discussion between facilitator and participants in an environment where participant identity can be firewalled. Riskflo addresses the core problem of eliciting and aggregating expert opinion from multiple participants – navigating cognitive and behavioral bias through technology that delivers risk facilitation, group learning, knowledge elicitation and group estimate aggregation methodologies.  This approach transforms the quality of the risk assessment information while providing a rich and engaging experience for facilitator and participants alike.  Riskflo has developed a new paradigm for engaging all levels of the organization in risk management activities in a deep and lasting way, and in the process provides a means to transform the risk management culture.

3 – Engaging Risk: providing a social GRC architecture, Integrc’s "Engaging Risk”

Number 3 is Integrc’s "Engaging Risk”, which showed technology innovation for Engaging Risk: providing a social GRC architecture.

Integrc’s "Engaging Risk” is a combination of integrated GRC knowledge solutions that helps organizations achieve greater understanding and interaction. The common aspiration for organizations is to change how they interact, adopt, perceive and embed GRC technologies and initiatives and Engaging Risk achieves this through a portfolio of user facing technologies that include dashboards, apps, adobe forms, and internal tools for GRC. Engaging Risk promotes "social GRC” (gamification) and helps organizations improve participation in risk management. Historical GRC solutions are designed primarily with the risk community in mind; Engaging Risk takes a broader approach by recognizing that successful GRC initiatives engage the users and other stakeholders, encouraging participation, explaining benefits and embedding  into standard processes. Engaging Risk does not replace the core GRC engine but focuses on delivery of the GRC benefits through the wider user community. Engaging Risk increases the participation in the processes and the perception of GRC processes by breaking down the silos and making GRC relevant to the wider community. The core goals are applied; to hunt down the pain for GRC users, to encourage adoption by lowering the participation barriers and embed GRC in the DNA of the business.

4 – Delivering GRC Architecture, MEGA’s Holistic Operational Excellence platform (HOPEX)

Number 4 is MEGA’s Holistic Operational Excellence platform (HOPEX), which showed technology innovation for delivering GRC Architecture.

MEGA’s Holistic Operational Excellence platform (HOPEX) integrates enterprise architecture (EA) capabilities with GRC capabilities into one platform. This enables an organization to manage a GRC program that delivers value, aligns with core business strategy and objectives, and drives operational performance and process execution. The HOPEX platform empowers organizations to gather and understand enterprise strategy, capabilities, business processes, organizational structure and assets, including IT assets, risks, and controls. GRC programs and initiatives can now include modeling capabilities, on top of which assessment and governance capabilities can be used by a large number of employees in the organization to assess and monitor business performance.  By leveraging EA and GRC capabilities on the same platform, GRC Architects can utilize architecture capabilities to understand how their organization works and plan transformations, with execution capabilities to get the transformation implemented and assessed, in a continuous improvement approach. This fosters the alignment with strategies, business processes, information systems and corporate objectives. GRC professionals will then have a clear, detailed vision into the business and the direct results of managing, testing, and monitoring can be shared to improve the organization.