2012 GRC Technology Innovation Awards

GRC technology innovation is alive and well!

As I mentioned in last week’s posting, the GRC market is now 10 years old. It was in February 2002 that I first modeled a market for technology and professional services and labeled it GRC while I was at Forrester Research (at the time GiGa Information Group). It is exciting to see GRC technology continue to evolve to make GRC processes agile, efficient, and effective!

GRC technology has continued to expand and grow. Corporate Integrity’s inaugural GRC Technology Innovation awards illustrate the diversity of technologies that are expanding GRC into new areas where no technology has gone before.

Over the past few months, Corporate Integrity has received dozens of nominations for the awards. Most nominations are worthy of mention — they illustrate how technology is being used and advanced. However, most of the submissions were focused on why a vendor has a stronger feature set and not necessarily on how it is paving new ground for GRC technology.

After combing through dozens of nominations, Corporate Integrity is pleased to announce the following 10 GRC Technology Award recipients. Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and unique solutions delivering innovative technology to organizations.

The 2012 GRC Technology Award recipients are:

  • AlertEnterprise: Enterprise Identity and Access Management Security Convergence Solution. The AlertEnterprise Enterprise Identity and Access Management Security Convergence Solution (EIAM Solution) delivers a next-generation identity and access management (IAM) solution. The solution enhances traditional IAM fulfillment capabilities with built-in identity and access governance. It enables self-service capabilities to automate access requests, enforce policies, ensure compliance, enable delegated administration, and generate roles-based dashboards and reports. AlertEnterprise combines the best of IAM with compliance automation to reduce security risks and eliminate costly violations in both physical and logical access environments.
  • Catelas: People Governance Solution. Catelas is the world’s first solution that focuses exclusively on GRC challenges with a company’s employees and partners, and their collective communications (email, voice, IM, etc.), a.k.a., people governance. The volume of communications has made it challenging for compliance officers to holistically audit or monitor for potential infractions (e.g., insider trading, fraud, corruption, IP theft). Catelas has introduced an innovative approach that enables companies to review, audit and monitor corporate communications. This allows compliance officers to effectively review or monitor the company’s communications network and identify potential irregularities, based on relationships.
  • CMO Compliance: Mobile Audit, Risk and Compliance Software. CMO Compliance provides a suite of offline mobile solutions, including iPad/iPhone/iPod Touch apps, to support audit and compliance processes. The mobility compliance and audit software allows corporations to improve operational efficiencies for GRC. The iPad/iPhone apps allow field data collection, with intuitive interfaces that simplify and streamline compliance management, audits, inspections, assessments and reviews for field personnel, providing the ability to view and submit documents offline, manage actions, and capture and annotate photos for evidence and findings.
  • HiSoftware: Security Sheriff™ SP. HiSoftware Security Sheriff SP makes SharePoint safe for even the most sensitive enterprise data: from personally identifiable information (PII) to protected health information (PHI) to prerelease financials, strategic product information, HR data and more. Security Sheriff SP focuses on content awareness and content governance, so it determines access not by location but by what information it contains. It then applies governance rules to that information depending on who accesses it when and from where. Security Sheriff SP scans information, reports its status to management, classifies the information and then acts upon it, taking the actions necessary to keep it safe.
  • LockPath: Keylight GRC platform. LockPath has implemented the next-generation GRC content architecture that provides a less cumbersome way to achieve the true promise of enterprisewide GRC. The Keylight platform provides real-time, regulatory and risk intelligence with actionable context-aware integration of content. Based on a flexible architecture, Keylight is highly scalable, and provides unprecedented correlation capabilities, delivering integrated risk and regulatory intelligence through a streamlined user experience. LockPath has the broadest content integration capabilities and provides the first complete end-to-end integration and harmonization of the unified compliance framework and shared assessments content libraries with customer-created content.
  • Pneuron: Real-time distributed GRC analytics. Pneuron provides the unique ability to configure and deploy in real time, for any GRC function, component, product, rule, model or analytics from any source (third-party, proprietary or developed) to any system or set of systems without the need for an intermediary database, data mart or common data model. Pneuron enables the creation of new GRC capabilities and direct interaction with existing systems with minimal adjustments. The result — real-time globally deployed analysis, interdiction, workflow integration and enterprise intelligence.
  • QCC Information Security: Blackthorn GRC. Blackthorn GRC enables risk to be presented in a clearer, repeatable and graphical way. Risk is understood and analyzed within Blackthorn through the use of “trees.” In Blackthorn, the approach is to use drag-drop functionality to build risk models using objects (threats, threat agents, exploits and vulnerabilities, impacts, controls, etc.). The models are built underneath each critical business asset. Because risk models are built around assets and represented in trees, Blackthorn can aggregate risk totals up the tree, with total risk for the organization viewable from any level. Blackthorn represents risk models so they are fed with data from a range of activities, both proactive (assessments, audits, reviews, etc.) and reactive (incidents, cases, breaches, etc.). This makes the risk results both real-time and more reliable.
  • QUMAS: ComplianceSP. QUMAS ComplianceSP on SharePoint 2010 is an innovative compliance management solution, combining the power of SharePoint 2010 with the proven regulatory domain expertise of QUMAS. Combined with preconfigured solutions for managing documents, processes, people and tasks, ComplianceSP on SharePoint 2010 delivers an innovative solution that can manage a wide range of compliance activities on the latest technologies. QUMAS ComplianceSP is fully Web-based, ensuring anytime/anywhere access to critical compliance activities, all secured by role and permission-based access. It integrates seamlessly and leverages the wider Microsoft environment, including Office, Outlook and Silverlight and other elements of the Microsoft technology stack.
  • SAP: Mobile GRC solutions. SAP is empowering the mobile GRC workforce by delivering more consumable GRC information and processes. This enables users to manage risk and compliance via mobile devices. The SAP GRC Access Approver mobile application facilitates review, time-sensitive approvals and operation-critical access requests for managers, allowing authorized employees to gain access to systems and continue their work in a timely manner. With the SAP GRC Policy Survey mobile application, employees can keep track of the latest policy changes that impact their areas of the organization and complete policy-related surveys and attestations.
  • SAP: Risk Bow-Tie Builder. The SAP risk bow-tie builder allows users to visualize and maintain risks in the recognized “bow-tie” format using simple drag-and-drop capabilities. The scope of each risk as well as the causes and effects can be created, maintained and visualized. The visual representation of risk allows managers and executives throughout the typical enterprise to easily understand risk concepts. It is an effective tool to convey the importance of risk management across the organization to those that lack risk management expertise. It delivers the ability for risk managers to engage and have valuable conversations with managers and executives regarding risk. The risk bow-tie builder is revolutionary as it provides an easy-to-understand summary risk visualization with all the supporting details that management can understand and take action on.

Please share your comments, thoughts, experiences, and reflections on GRC technology innovation.  Go ahead – comment below on others that are doing great things (just avoid the better mousetrap argument – post what is truly innovative and breaking new ground).  Let the recognition of those above be the start of a great thread of conversation on other GRC technology innovations.  I am eager to hear . . .

State of the GRC Market, Q1-2012

2012: The Chinese Year of the Dragon to Mayan Doomsday prophecies – this year certainly proves to be interesting (note: I myself do not hold to these views; feel free if it interests you to ask me my view on providence and the end of the world).

One thing is for sure: it is the year of GRC.  I have never personally been involved in so many GRC strategic plans, training, and RFPs.  There certainly is more activity in the GRC market right now than at any other point in its ten-year history.

Which brings us to an important point – HAPPY 10TH BIRTHDAY GRC!

Yes, the GRC market is now ten years old.  It was back in 2002 as an analyst at GiGa Information Group (soon to be acquired at the time by Forrester Research, Inc.) that I was the first to model a market for professional services, software, and content and label it GRC (Governance, Risk Management, and Compliance).  This was right before Sarbanes-Oxley (SOX) became law.  That was providence:  all that hard work in defining and scoping a market which may have fizzled and dwindled if it were not for a major law from the U.S. Congress.  While my original vision of the GRC market was well beyond what was defined with SOX, it is fair to say that SOX established and advanced the GRC market for several years, and continues to do so today.  Today GRC strategies and spending encompass the breadth of enterprise and operational risk management, corporate compliance, audit, IT security, financial controls, corporate social responsibility, legal and other areas across the business.

There are over 400 vendors that I categorize into the GRC market.  The market has evolved to embrace many niches.  The analyst firms today do a disservice to the GRC market with a report that plots a handful of vendors against each other.  The GRC market today is more akin to the breadth of the IT security market.  Within the IT security market you have sub-markets for anti-virus, perimeter security, vulnerability scanners, intrusion detection/prevention systems . . . and more.  The GRC market is at the point it cannot fit into one graphic to plot vendors against each other.  It is a whole market with several sub-markets – while some vendors offer solutions that embrace many components of it, there is no vendor that covers all of the GRC market.

The needs of the GRC market are varied by industry, role, as well as size of the organization.  Some are looking for solutions strong in elements of compliance while others in risk or audit.  Many GRC strategies start in what is referred to as IT GRC (I prefer IT Risk and Compliance) and expand to other areas. There are many perspectives and starting points.

The market has matured to the point that industry heavyweights such as IBM, Oracle, SAP, and SAS are providing stability, solutions, and thought leadership. This is supported by a legion of small to mid-sized vendors solving GRC problems from the narrow and focused to the enterprise GRC strategy.  In the first month of 2012 we have already seen the beginning of what will be several mergers & acquisitions in the GRC market – the acquisition of Compliance 360 by SAI Global.  This acquisition provides one of the most complete GRC offerings targeted at corporate compliance and ethics professionals.

GRC technology itself is evolving and changing.  After going through dozens of nominations I have now selected 10 vendors to receive Corporate Integrity’s 2012 GRC Technology Innovation Awards.  These will be announced next week.

A particularly important GRC development is the release of the OCEG GRC Capability Model version 2.1.  This is a significant achievement as it evolves the GRC Capability Model to take a broader understanding of risk and performance with several other enhancements.  For those that are looking for an integrated capability and process framework for GRC the OCEG model is the ONLY publicly vetted and open standard for GRC.  There are many excellent standards focused on niches of risk, compliance, and audit – but the OCEG GRC Capability Model is the only one that provides the integration and harmonization of these other frameworks and standards.  The OCEG GRC Capability Model is the GRC Rosetta Stone for organizations.

Tied to the GRC Capability Model is the release of the OCEG GRC Technology Solutions Guide 2.1.  As the chair of the OCEG Technology Council it is rewarding to see this work move forward as a framework to define and model GRC technology areas. It incorporates my thoughts with those of several other GRC pundits and thought leaders on the Technology Council.  The OCEG GRC Technology Solution categories, listed below, are how I define, frame, model, and size the market (note: the only change I would make is the addition of a 29th category for identity and access management).  The categories of the OCEG Guide and the framework are:

  • Audit and Assurance Management
  • Board and Entity Management
  • Brand and Reputation Management
  • Business Continuity Management
  • Compliance Management
  • Contract Management
  • Control Activity, Monitoring, and Assurance
  • Corporate Social Responsibility
  • Discovery/eDiscovery Management
  • Environmental Monitoring and Reporting
  • Environmental, Health, and Safety
  • Finance/Treasury Risk Management
  • Fraud & Corruption Detection, Prevention & Management
  • Global Trade Compliance/International Dealings
  • Hotline/Helpline
  • Information/IT Risk & Security
  • Insurance and Claims Management
  • Intellectual Property Management
  • Issue and Investigations Management
  • Matter Management
  • Physical Security & Loss Management
  • Policy Management, Communication, & Training
  • Privacy Management
  • Quality Management and Monitoring
  • Reporting and Disclosure
  • Risk Management (Enterprise & Operational)
  • Strategy, Performance, and Business Intelligence
  • Third Party/Vendor Risk & Compliance

OCEG will be rolling out the GRC Directory in a few months to index GRC solutions around this model for those looking for solutions.

A few further items of note:

  • For more detail on the State of the GRC Market, Q1-2012 I will be hosting my quarterly online market training seminar on February 15, 2012.
  • The first OCEG Technology Council call will be on February 16, 2012 for those that are members of the OCEG Technology Council.
  • Within OCEG I will also be chairing a new Council – the OCEG Policy Management Council, aimed to develop a defined policy lifecycle management process with supporting sample templates, policies, and style guide.  This also is for OCEG Enterprise, Technology Council, and Leadership members.

I would love to hear your thoughts, interpretations, and experiences with the GRC software market.  Please comment below!

Process Framework for Managing Compliance Risk

Organizations' exposure to compliance risk is rising at the same time the cost of compliance soars. An ad hoc or reactive approach to compliance brings complexity, forcing the business to be less agile. Organizations in the past have addressed compliance as singular issues or obligations, which often resulted in multiple initiatives working in isolation. Isolated compliance initiatives tend to rely on manual processes burdened with costly assessments managed through spreadsheets, documents, and email, an approach that is both expensive and unreliable. This makes it difficult to adapt to new regulatory requirements while increasing pressure and anxiety for management, employees and business relationships.

Without a business process view to manage compliance risk, organizations will continue to be burdened with the data overload and complexity of compliance data. Organizations need complete visibility into a portfolio of compliance processes spread across a distributed and complex business.  Organizations need information and not just data.

Success in compliance risk management begins with a strategy — how to effectively manage compliance across the organization. Ultimately, the organization needs to identify and prioritize major risks resulting from regulatory mandates, and maintain oversight and control over business processes to mitigate these risks. In a compliance business process architecture, accountability and compliance are effectively managed and the business has a system of record to understand and manage the diverse complexity of compliance issues. Compliance needs to be an active and living part of the organization and culture to prevent and detect issues across the business. It is a continuous and ongoing process to be monitored, maintained and nurtured. This challenge is taking on a new paradigm that focuses on establishing compliance processes that move from a reactive fire-fighting mode to one that actively manages, monitors, mitigates, prevents, and detects compliance-related risks.

Using the OCEG GRC Capability Model as a basis and integrating compliance risk management requirements from experience as well as guidance from USSC Organizational Sentencing Guidelines, U.K. Bribery Act, and Australia’s 3806:2006, there are common core processes that compliance can establish to manage compliance risk. A business process framework to manage compliance risk in the 21st century enables an organization to manage and monitor compliance risk through:

  • Compliance program management: This is the core process that everything else revolves around. It integrates all the other functions to provide a single cohesive program for managing and scheduling compliance reporting, assessments, controls, investigations, policies, regulatory change, and specific projects and tasks. An effective program delivers a 360-degree view of compliance risk management activities.
  • Compliance risk identification and assessment: Risk assessments are foundational to compliance initiatives. In addition to a periodic risk assessment, the organization must have regular compliance risk assessment and monitoring activities to ensure policies and controls that maintain integrity are in place and working. The compliance risk identification and assessment process drives every aspect of a successful program as it identifies and models compliance risk that all the other processes build upon.
  • Regulatory and risk intelligence: To keep current on compliance risk requires that the organization have a process to continuously monitor changes to the regulatory and risk environments impacting the business, and to monitor the business for change. This involves identifying subject matter experts for each compliance risk area that are accountable for monitoring internal changes and external change from regulators, courts, legislatures, and other sources to identify new and developing compliance risks that will impact the business.
  • Policy definition, communication, and maintenance: Organizations must have documented and up-to-date policies and procedures that both address the compliance and ethical risks and are in accordance with the culture, values, and obligations of the organization. Compliance requirements and processes must be clearly documented within policies and procedures. The policy definition, communication, and maintenance process provides proof that the program is sound and controls are adequate.
  • Compliance risk reporting and accountability: Compliance is a distributed and federated function in most enterprises. While the board has ultimate accountability, responsibility for compliance risk management falls to the CECO, and is delegated across a variety of business processes and functions. To effectively provide assurance to the board and executives, an effective GRC approach requires that a process of compliance risk governance, accountability, and reporting be in place. This requires collaboration with other roles such as internal audit, and establishes lines of communication throughout the business.
  • Due diligence efforts: An established process to document due diligence efforts shows that employees and business partners are properly screened, and assures the business that it is not engaging with individuals or organizations that have a bent toward unethical behavior. It also assures the organization that individuals have the right background, resources, and experience to do the job they are engaged for.
  • Training and communication: Written policies are not enough — individuals need to know what is expected of them day-to-day and their business operations. Organizations are increasingly using online training in addition to discussion-led training to raise compliance and ethics awareness. There is also a trend toward using interactive technologies and learning simulations. The training and communication process is key to communicating the corporate culture, obligations, and expectations across the organization and to business partners.
  • Ongoing compliance assessment: The organization needs ongoing assessment of compliance policies and controls. This involves surveys, self-assessments, and automated assessments for regular compliance risk and control monitoring. Successful organizations conduct assessments not just on a periodic basis but whenever significant business change might impact compliance.
  • Enforcement of the control environment: While policies and procedures may define how the organization behaves, enforcement ultimately depends on controls. The organization should implement preventive and detective controls that support compliance obligations and policies. The organization needs to ensure these controls are in place and operating as designed. When there are issues, the organization must address these with corrective controls.
  • Record and report issues: Clearly defined processes must be in place for individuals to report concerns, weaknesses and wrongdoing. Reporting is often done anonymously via call centers or Weblines. Clearly defined processes must be communicated and maintained for management to document reports made directly to them as well so that one database can be maintained and audited.
  • Conduct investigations: Even in the best organization things go wrong. Investigative processes (e.g., hotline analysis, surveys, management reports, exit interviews) must be in place to quickly identify potential incidents of wrongdoing and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.
  • Implement communication and reporting processes: The organization must have channels of communication where employees can ask questions on policies and procedures to avoid misunderstanding as well as issues of noncompliance. Possible systems include help lines, interactive intranets with FAQs and ‘ask a question’, and forms processing where approvals are requested.
  • Third-party relationships: Central to an integrity and compliance program is the ability to identify and manage the risk of third parties. Technology enables the ongoing due diligence effort to monitor and score vendor and third-party risk, communicate a supplier code of conduct and other policies to vendors and track attestations, and deliver surveys and assessments.

Throughout all of these processes, compliance risk management needs to have a clearly defined lessons-learned process to make sure the organization is not a repeat offender. Organizations with a history of noncompliant conduct will find that they are not treated favorably by courts and regulators.

What are your experiences and thoughts on the breadth of processes needed to build a strong compliance risk management program?

How to Buy GRC (Risk & Compliance) Software

The GRC software space is vast with numerous vendors.  In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC-related software.  Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components); 19 of the categories are focused on specific business functions/processes of GRC.  Of the 400 vendors, it is under 50 that market and present themselves in the enterprise GRC domain.

How does an organization make sense of all of this? How do you know what you are buying is the right platform and right vendor for your organization?

Before I give some guidance on this – let me first state that GRC software is needed in organizations.  Using a document-centric approach done in spreadsheets and word processing documents is prone to issues.  Issues in consolidation and reporting – both errors and the time it takes.  Issues in accountability and audit trails – to validate that things were not changed to get someone or the organization out of trouble, or to paint a rosier picture of the organization.  Issues in efficiency, as document-centric approaches take more resources to manage.

The issue is sifting through all the vendors with their offerings to find the one that best fits your organization.

My advice on buying GRC (and related risk and compliance software):

  • Get to know the vendor.  I have spent nearly twenty years in this space.  There are good vendors and bad vendors.  There are good sales people and bad sales people.  A successful software implementation is going to require a relationship.  Make sure that the vendor and sales person you are considering doing business with is someone you want to work with.  Someone that is arrogant or pushy is going to give you headaches and make your life miserable – they will always be pushing for the next deal and expanding the platform.  Pick the vendor that appears to have your best interest in mind and not theirs.
  • Understand who the vendor typically sells to – industry and role.  Every vendor in this space has a history and track record.  Some have strengths in audit or risk or compliance or information security or some other role.  Some have a history in financial services while another is healthcare.  While many vendors can serve across several roles, where they have historically sold their platform will tell you where their dominant strengths lie.
  • Use caution with Forrester Waves and Gartner Magic Quadrants.  Too many organizations see whoever is in the upper right quadrant and pick them for their short list.  THIS IS A MISTAKE.  These documents have their value, but just because someone appears to be the leader does not mean they are the best fit for your organization.  That ‘winner’ may serve primarily Fortune 1000 banks, while you are a mid-size hospital.  They may be strong in risk while you are looking for a strong compliance solution. Do not assume that the leaders in these research pieces are what will be best for your organization.  There may be a vendor not even in the research that is the ideal fit for you.
  • Check references.   Require that the vendor give you references – and check them.  Grill the references.  Ask questions on what they like least about the vendor and the solution. Ask them what they would change.  Many of these references have sweet deals from the vendors and are spokespeople for them – you need to grill them and look for the chinks in the armor.  I would also use social networking (e.g., LinkedIn, Twitter) to ask for experiences of others.  Talk to analysts and insist on knowing the good, the bad, and the ugly.  If the analyst does not have much to offer – go to one that has experience.
  • Control the vendor.  A huge issue with GRC software projects is when the vendor sees $$$.  I have seen situations in which the sales person is striving for a much bigger sale than what the organization is ready for.  In these cases the sales person has taken it upon themselves to knock on other doors across the organization in an attempt to get buy-in to a GRC vision and fix corporate political issues.  This kills GRC projects.  Go back to the first bullet above – know your vendor and make sure it is who you want to do business with.
  • Get in the driver's seat.  A HUGE ISSUE is that some vendors are great at demos.  They can find out what you need and go back and build some mock-ups that look great. When the deal closes they have not told you that they have to build out much of the functionality they demonstrated and do so on your dime.  It is important that you demo the solution and get behind it yourself.  Build scenarios of what you want to accomplish, do not give all the details to the vendor (just the general goals) and sit behind it and walk through it.  This will make your decision much clearer as the system that is easiest to use will quickly become apparent.
  • Test your enterprise needs.  Some vendors work great when operating in a specific business department, but their risk analysis and reporting falls apart as you try to aggregate, normalize, and report on information on an enterprise level – as with ERM (Enterprise Risk Management).  I have had one senior executive tell me that they never want to see a heat map again as their GRC/risk vendor’s reporting was a mess and what appeared on the heat map was comparing apples and oranges.
If you have questions or need help on understanding the GRC software space – I am happy to help.
If you are a vendor, a few things you may be interested in are:
  1. GRC Technology Innovation Awards.  I am seeking nominations for Corporate Integrity’s GRC Technology Innovation Awards to be announced in February.  If you have something revolutionary that changes the landscape of GRC for the future – contact me for a nomination form.  This is not for ‘me too’ functionality but is something that is really unique and game changing.
  2. Ultimate [GRC] Platform Designation.  If you feel your software is among the best in its domain, Corporate Integrity can be engaged to put it through its paces.  Vendors that make it through get a write up by Corporate Integrity on the solution and the ability to use the Ultimate Platform label.  Please contact me for more information. The ultimate platform designation can be pursued in the following categories:
  • The Ultimate Enterprise GRC Platform
  • The Ultimate Risk Management Platform
  • The Ultimate Compliance Management Platform
  • The Ultimate Audit Management Platform
  • The Ultimate Policy Management Platform
  • The Ultimate Legal Management Platform
  • The Ultimate IT Risk & Compliance Platform
  • The Ultimate 3rd Party/Vendor/Supplier Platform

Principles of Compliance Risk Management

Understanding and Approaching Compliance and Ethics Risk

Historically the compliance function did not understand and model processes for risk management. Compliance documented and met requirements, and found and resolved issues. There was limited modeling of compliance issues and risk to determine business impact and prioritization of resources. Most often compliance was reactive, putting out fires instead of actively interpreting and predicting compliance and ethics risk issues, and developing treatment plans to mitigate or avoid damage to the organization.

The CECO in the 21st century must take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the current and future context of a dynamic and distributed business, and model risk and business impact today and into the future. In some industries CECOs are best served to use risk models that support decision tree and scenario analysis to model risk in their environments, but can also benefit from heat maps, MARCI charts (mitigate, assure, redeploy, and cumulative impact), and even quantitative approaches such as loss distributions in Monte Carlo simulations to portray loss and impact (if there is enough data to make these meaningful).
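The last of the approaches above, a loss distribution produced by Monte Carlo simulation, is the one most often left as a buzzword. The block below is an added example, not code from the original post, of the simplest form of it: incident frequency drawn from a Poisson distribution and severity per incident from a lognormal distribution, summed per simulated year, then read off as a loss-exceedance curve (what annual loss is exceeded in only 10% or 1% of years). The parameters (0.5 expected incidents a year, a median loss of $1,000,000, a lognormal sigma of 1.0) are constructed for illustration and are not from any real program; the model choice itself is an assumption, as the post does not specify one.

```python
"""Monte Carlo loss distribution for a compliance risk scenario.

Added example (not from the original post). Frequency is modelled as
Poisson (expected incidents per year) and severity per incident as
lognormal. All numeric parameters here are constructed for illustration.
"""
import math
import random
from typing import Dict, Iterable, List


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) sample with Knuth's method (adequate for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq_per_year: float, sev_median: float,
                           sev_sigma: float, years: int = 20000,
                           seed: int = 7) -> List[float]:
    """Simulate the total loss in each of `years` independent years."""
    rng = random.Random(seed)       # seeded so the run is reproducible
    sev_mu = math.log(sev_median)   # lognormal median is exp(mu)
    annual = []
    for _ in range(years):
        incidents = _poisson(rng, freq_per_year)
        annual.append(sum(rng.lognormvariate(sev_mu, sev_sigma)
                          for _ in range(incidents)))
    return annual


def expected_annual_loss(freq_per_year: float, sev_median: float,
                         sev_sigma: float) -> float:
    """Closed-form mean of the compound Poisson-lognormal model: lambda * E[severity]."""
    return freq_per_year * sev_median * math.exp(sev_sigma ** 2 / 2)


def loss_exceedance(annual_losses: Iterable[float],
                    probabilities: Iterable[float] = (0.5, 0.9, 0.99)) -> Dict[float, float]:
    """Map each probability p to the annual loss that is exceeded in only (1-p) of simulated years."""
    ordered = sorted(annual_losses)
    n = len(ordered)
    out = {}
    for p in probabilities:
        idx = min(n - 1, int(math.ceil(p * n)) - 1)
        out[p] = ordered[max(idx, 0)]
    return out


if __name__ == "__main__":
    # Constructed scenario: half an incident a year, $1M median severity.
    losses = simulate_annual_losses(0.5, 1_000_000, 1.0)
    print("analytic mean annual loss:", round(expected_annual_loss(0.5, 1_000_000, 1.0)))
    print("simulated mean annual loss:", round(sum(losses) / len(losses)))
    for p, loss in loss_exceedance(losses).items():
        print(f"loss exceeded in {100 * (1 - p):.0f}% of years: {loss:,.0f}")
```

The simulated mean should land close to the closed-form mean; if it does not, the frequency or severity sampling is wrong, which is the first check to run before anyone presents the tail figures to a board. Note the median year is a zero-loss year in this scenario, which is exactly why a heat map built from a single "likelihood x impact" score misrepresents a low-frequency, high-severity risk.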

Regardless of the complexity of the analysis, the principles of compliance risk management are the same:

  • Understand your risk: An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic, done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and entry into new markets).
  • Approach compliance based on proportionality of risk: How an organization implements compliance procedures and controls must be based on the proportionality of the risk it faces. If a certain area of the world or a business partner receives a high risk score for ethics or corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
  • Monitor the risk and regulatory environment: Content and information on changes to risk and regulatory environments is critical. New laws, changed regulations, court rulings, and standards of practice all change what is required of the organization. The compliance function needs to have a defined process and be accountable to monitor risk of changes in the regulatory environment.
  • Tone at the top: The compliance risk management program needs to be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Leadership must communicate what is both acceptable and unacceptable risk, and support the compliance and ethics program. Executives and the board must be informed about the effectiveness and operations of the compliance and risk management strategy to fulfill their fiduciary obligations.
  • Know who you do business with: Organizations need to know their business relationships. This requires that an established risk-monitoring framework is in place that catalogs the organization’s third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of risk of corruption, compliance, or ethical issues in a relationship, additional preventive and detective controls must be put in place. This goes beyond business partners: this means knowing employees, and conducting background checks where needed in order to understand if they are susceptible to corruption and unethical conduct.
  • Keep information current: Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts, but must be done on a regular basis or when the business becomes aware of conditions that point to increased risk to ethics and compliance issues.
  • Compliance oversight: The organization must have someone responsible for oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to independent monitoring bodies such as the audit committees of the board.
  • Manage change in the business: The organization must monitor the business for changes that can impact its compliance and ethics program or introduce greater risk to corporate integrity. The organization needs to document changes required for business practices as a result of observations and investigations, and must implement changes through a deliberate program of change management. These changes must be monitored by compliance to actively prevent corruption.
What are your thoughts on the core principles of compliance risk management?

Regulations and a Demand for Integrity Bear Down on the Organization

Managing an organization’s ethics and values is challenging enough. A legion of laws, regulations, contractual obligations, judgments, and fines bear down on the organization and the CECO in the 21st century. There is a difficult path ahead for ethics and compliance management. Compliance is particularly difficult, as business is bombarded with thousands of new regulations each year.

U.S. Perspective
At the U.S. federal level (not including U.S. state or local jurisdictions) there were more than 3,500 new regulations issued last year. This brings the total number of regulations issued since 1995 to nearly 60,000. Another 4,000 new laws and regulations are pending, waiting for approval. The sheer volume is staggering. FCPA is a particular hotbed of compliance in the U.S.:
  • The court found Frederic Bourke, Jr. was willfully blind and as an investor he should have done more due diligence and should have known that the energy company he invested in bribed foreign officials.
  • The government told Nature’s Sunshine’s CFO and COO they should have had better controls over financial reporting, even though the SEC never stated they specifically knew of the bribery happening within the corporation.
  • The average cost of an FCPA settlement is $50 million plus the expense for an external monitor to validate a compliance program is in place for the next 10 to 20 years. This does not include investigation expenses.
  • The U.S. Department of Justice assessed nearly $2 billion in fines in 2010. Eight of the top 10 FCPA settlements occurred in 2010. BAE Systems paid the third-largest fine at $400 million. Daimler AG had $185 million in fines and disgorgements. Snamprogetti had $365 million in fines (the fourth-largest).
  • Charles Jumet, former VP of Ports Engineering Consulting Corporation, was sentenced to 87 months in prison.
  • Siemens spent $850 million in fees and expenses to investigate anticorruption. Daimler had a five-year investigation that cost over $500 million.
European Perspective 
Europe has been known for a principles-based (or outcomes-based) approach to compliance, which originates from the United Kingdom’s Financial Services Authority. It has turned its focus away from specific requirements toward understanding and interpreting compliance in light of the risk the organization faces, requiring a risk-based approach to compliance. Adding to compliance mandates, the U.K. approved the U.K. Bribery Act (UKBA) in 2010, and it came into force in July 2011. This brings broader scope and implications to anticorruption compliance. Both the FCPA and the UKBA are country-specific initiatives in support of the Organization for Economic Cooperation and Development’s (OECD) anticorruption initiatives in 34 countries. The OECD has released Good Practice Guidance for internal controls, ethics, and compliance to combat corruption around the world.
Australian Perspective
Australia, through the ASNZ 3806 standard, takes a principles-based approach to compliance. The 12 principles provide guidance to organizations designing, developing, implementing and maintaining an effective compliance program, grouped under:
  • Commitment
  • Implementation
  • Monitoring and measuring
  • Continual improvement
In addition, mandates such as those provided by the Australian Securities and Investments Commission (ASIC) and Australian Prudential Regulation Authority (APRA) broaden the scope and compliance requirements for listed organizations or those within the financial services industry.
The Era of the Corporate Bounty Hunter
Government is cracking down on organizations that lack integrity in their ethics and compliance practices. The current environment is seeing increased actions and judgments for noncompliant behavior such as corruption, insider trading, antitrust abuse, harassment, discrimination, fraud, and privacy violations. Fraud and unethical behavior is not tolerated — government and society have had enough. One aspect of this change is the government focus on initiatives that establish rewards for corporate whistleblowers. This heralds the era of the corporate bounty hunter.
The U.S. government recently introduced its most extensive regulation to uncover corporate wrongdoing in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub.L. 111-203, H.R. 4173).  Title IX Subtitle B gives the SEC powers to enforce a “whistleblower bounty program.”  This program allocates a 10 percent to 30 percent reward to corporate whistleblowers who provide information leading to a successful government enforcement action with monetary sanctions of more than $1 million. In an era of increased scrutiny and judgments for anticorruption, insider trading, and other areas, this significant concern keeps executives, the board, legal, and compliance professionals up at night.
This just scratches the surface of the regulatory burden on organizations, amidst thousands of mandates that span employment, quality, health and safety, environmental, business transactions, privacy, security, and many other areas. Distributed businesses that cross jurisdictions in transactions and relationships have a great deal to answer for when it comes to regulatory oversight. The burden is so great that it demands companies use their limited resources and a risk-based approach to understand where their greatest ethics and compliance risks are. A risk-based approach complements a values-based approach and enhances corporate culture. While culture and values ultimately drive compliance, an organization must understand where its greatest compliance exposure is and allocate resources accordingly.

This is the second in my series on Compliance Management in the 21st Century. The previous ones have been:

I would love to hear your thoughts as well – please share them.

For those that cannot wait for all of my upcoming posts – you can read my thoughts and perspectives in my most recent written report:  Compliance Risk Management in the 21st Century.


The Leading GRC Technology Vendor Is . . .

Before even getting into technology and vendors it is necessary to understand what GRC is about.  I argue that GRC is nothing new – we have been doing GRC long before we had an acronym that I first started using back in 2002. The truth is organizations have governance, risk management, and compliance (GRC) practices and processes in place.  Your organization is doing GRC whether you call it GRC or not.  These processes are most likely siloed and scattered across the organization.  They may be formal processes or informal, they may be defined and written down or ad hoc.  You will not find an executive who states that the company lacks governance, does not manage risk, and could not care less about compliance.  Whatever you may call it – the truth is that GRC exists in your organization.

So why all this fuss over GRC?  There are better ways of doing things.  The goal is to make GRC processes that already exist in the environment more effective at meeting obligations and managing risk, more efficient in use of financial and human resources, and more agile to the needs of a dynamic and distributed business environment.

Thus enters technology – GRC technology is used to bring greater effectiveness, efficiency, and agility to GRC processes across the organization.  One goal is to move beyond documents and spreadsheets, which have their own issues (such as no audit trail and difficulty reporting). Another goal is to share information and provide a framework for collaboration across risk and compliance roles.  Finally, a goal is to provide shared processes and technology.

I often hear the line of business screaming “ENOUGH.”  This week it is a SOX assessment, next week an oprisk assessment, the week after that a business continuity assessment, and then five others.  Several come in spreadsheets formatted differently, others in web survey tools, others in software applications.  There are a dozen or more file shares or intranet sites claiming to have corporate policies – where is the correct one? How come they are in different formats?  Who is controlling this?  Investigations, incident, and issue systems are scattered across several areas as well.

Organizations are waking up to the fact that GRC can be more effective, efficient, and agile.  Thus enters technology to enable it.  GRC technology is very much like CRM (customer relationship management) technology back in the 1980s, which is now a core part of business.  Before we had CRM we still managed client relationships.  The issue is that we had out-of-sync data and no one had the complete picture of the client.  Sales had their view, marketing theirs, and then service theirs.  CRM systems came in to provide a holistic view of the client – one complete and accurate picture that all these roles in their respective capacities can access.  The same holds for GRC technology – there are a variety of roles across the business doing aspects of risk and compliance that have very similar information and process needs, though they maintain their individual subject expertise.

I will state that there is no single vendor that does all of GRC from a technology perspective.  There are over 400 vendors that do aspects of GRC.  I model the market around 28 categories of GRC software (this will be released in a few weeks in the updated OCEG Solutions Guide for GRC).  Several of these technology categories span needs across the enterprise others address needs within specific functions.

In my work in GRC market research, education/training, and advisory I get involved in over 200 interactions each year with organizations looking for GRC technology.  Most, as much as 90%, are focused on specific issues while about 10% are truly focused on enterprise GRC initiatives.  However, even those focused on specific issues want to invest in technology that can address other issues and grow and expand into enterprise GRC over time.

Looking over the past two years of interactions with buyers of GRC software, the top five GRC vendors that I see most often in RFPs/RFIs are (in alphabetical order):  BWise, MetricStream, OpenPages, RSA Archer, and Thomson Reuters Accelus.  Of these it is BWise and RSA Archer that most often come up in interactions.

This does not necessarily mean that these vendors are the best for you.  There are aspects of the 28 categories of GRC that they do not do.  Every vendor has their strengths and weaknesses.  Depending on organization size, industry, complexity, and needs the vendor you want to engage will vary.  In fact, several organizations I have interacted with have four or more GRC vendors in place doing different parts of GRC.

Other vendors that I frequently encounter include (in alphabetical order): ActiveRisk, Compliance 360, CMO Compliance, CURA, Easy2Comply, EthicsPoint, Lockpath, Mitratech, Oracle, QUMAS, SAI Global, SAP, SAS, and Wolters Kluwer.

Beyond this group are vendors such as Agiliance, AlineAlytics, AssurX, BPS Resolver, Chase Cooper, Continuity Logic, Global Compliance, MEGA, Methodware, Modulo, Policy Technologies, The Network, Pilgrim Software, Process Unity, and RSAM.

Here I have only touched on a few dozen of the 400 vendors in this space.

If this topic interests you, I would encourage you to consider my upcoming online training on the GRC technology market.

State of the GRC Market Q4-2011 FRIDAY, OCTOBER 14, 2011 EASTERN TIME 12:00 PM – 2:00 PM / PACIFIC TIME 9:00 AM – 11:00 AM / GMT 4:00 PM – 6:00 PM

Today’s complex and competitive GRC market demands that you be at the top of your game.  Corporate Integrity is the leading GRC market research and education firm.

This webinar is Corporate Integrity’s quarterly update on the State of the GRC Market.  It is the summary of Corporate Integrity’s market intelligence, which spans several hundred interactions/conversations with GRC technology buyers each year.  It is an excellent opportunity for organizations looking to buy technology to learn what is going on in the market.  It is a necessary educational opportunity for technology providers to understand the GRC market and refine their strategies.

Attendees will be able to answer the following questions:

  • Who are the leading (most active) GRC technology providers?
  • Why are organizations buying GRC technology?
  • What differentiates the GRC technology providers?
  • How do you categorize and define the GRC technology market?
  • What is the market size of the GRC technology market?  Where will it grow?
  • What are the leading risk and compliance drivers for buying GRC technology?
  • What is the value that organizations have achieved by implementing GRC technology?
  • Where is GRC technology headed?
  • What are the different needs of GRC roles (e.g., audit, risk, compliance, IT, finance, legal)?
  • Who are some of the up and comers in GRC technology that I should be watching and why?

Role of Technology in Anti-corruption Compliance

With increased exposure to anti-corruption laws and investigations, and defined anti-corruption practices, how does an organization go about using technology to manage anti-corruption compliance?

Compliance needs to be an active part of the organization and culture to prevent and detect corruption, bribery, and fraud. This continuous and ongoing process must be monitored, maintained, and nurtured. The challenge is establishing corruption prevention and detection activities that move the organization from a reactive fire-fighting mode to one that actively manages, monitors, prevents, and detects risk. This requires the organization to implement technology to manage anti-corruption compliance.

Technology can help organizations manage and monitor anti-corruption compliance by enabling and automating:
  • Compliance program management: The organization needs a 360-degree view of compliance activities and reporting. This requires an end-to-end system for managing compliance activities, metrics, and reports. From this system the organization should be able to produce reports and metrics relevant to the board of directors and executives, to assure them they are meeting their fiduciary obligation to have an anti-corruption compliance program in place. All compliance management personnel and employees should be able to access the system and see contextually relevant tasks and items.
  • Regulatory intelligence and change management: The integration of regulatory content feeds and technology enables the compliance program to monitor changes in anti-corruption laws, requirements, and cases to determine how new developments impact the business. The organizations must use technology to take in legal and regulatory feeds and route them to the correct subject matter expert for review and business impact analysis.
  • Compliance risk assessment: Risk assessments are mandatory for compliance initiatives. The organization needs a technology platform to manage risk surveys, assessments, and related risk information and report, analyze and model risk.
  • Policy and procedure management: A core process of a compliance program is the ability to document policies and procedures to maintain a state of compliance. All relevant policies related to anti-corruption should be documented, maintained, communicated, and attested to within a technology platform with a robust audit trail and content management capability. This includes code of conduct, anti-corruption, and other related policies.
  • Training and communication: It is not enough to make written policies available — the organization also needs to train individuals on policies. Organizations are increasingly using the economies of online training to deliver courses on anti-corruption, and to test employee understanding of policies and requirements.
  • Third-party management: Central to an anti-corruption compliance program is the ability to manage the risk of third-party entities you interact and do business with. Technology, and the integration of content feeds, enables the ongoing due diligence effort to monitor and score vendor/third-party risk, communicate policies to vendors, track attestations, and deliver surveys and assessments.
  • Forms processing and automation: A critical component of an anti-corruption program is the ability to process and automate forms related to compliance policies and procedures. Requests involving contributions, gifts, entertainment, and facilitation payments should be managed through online forms and workflow for approval or disapproval, so that every decision leaves an auditable record.
  • Investigations management: Technology enables the organization to manage and monitor issues and incidents, and collaborate and document investigations. This includes the ability to record the range of issues reported from hotlines and other mechanisms, what actions were taken, and the results of the investigation.
This is the second installment in a three-part series on Anti-Corruption.  The first article can be found at:

I would love to hear your thoughts on the role of technology in anti-corruption compliance. This series is a collection of pieces from a published paper – the rest of the paper can be found at:

Meeting Anti-Corruption Obligations

With increased exposure to anti-corruption laws and investigations, how does an organization respond to anti-corruption compliance obligations?

The best offense in anti-corruption is a good defense. Organizations must be prepared to show that they have a strong compliance program in place to mitigate or avoid exposure to penalties. In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures to prevent and detect issues of corruption and noncompliance. The goal is to have preventive measures in place to avoid corruption issues, while at the same time having detective measures to monitor for instances of corruption and respond quickly and efficiently. This includes reporting and cooperating with authorities in investigations.

While there are different laws around the world aimed at anti-corruption, the compliance aspects of these laws are based on common requirements that are the backbone of any good compliance program. From a U.S. perspective, the best defense is to show that the organization has met the elements of an effective compliance program as established by the United States Sentencing Commission Organizational Guidelines.[2] The U.S. guidelines complement and coordinate well with the U.K.’s guidance requiring a company to demonstrate adequate procedures to prevent bribery. It is a full defense under the U.K. Bribery Act when an organization proves that, despite a particular incident of bribery, it nevertheless had adequate procedures in place to prevent corruption and bribery. Both the U.S. and U.K. guidance align with and support the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance.

An integrated view of the U.S., U.K., and OECD guidance requires that an organization have the following compliance elements in place:

  • Understand your risk: An organization must have a risk-based approach to managing anti-corruption. This includes periodic assessment (e.g., annual) of the exposure to the organization for corruption and unethical conduct. However, the risk-assessment process should also be dynamic — completed each time there is a significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies, and new markets). Risk assessments should cover exposure to corruption in specific markets, business partners, and geographies.
  • Approach compliance in proportion to risk: How an organization implements compliance procedures and controls is based on the proportion of risk it faces. If a certain area of the world or business partner carries a higher risk for corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
  • Tone at the top: The compliance program must be fully supported by the board of directors and executives. Communication to and from top-level management must be bidirectional. Management must communicate that they support the anti-corruption compliance program and will not tolerate corruption in any form. At the same time, they must be well-informed about the effectiveness and strategies for compliance and anti-corruption initiatives.
  • Know who you do business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of corruption risk in a relationship, additional preventive and detective controls must be established in response. This includes knowing your own employees and conducting background checks to understand if they are susceptible to corruption and unethical conduct.
  • Keep information current: Due diligence and risk assessment efforts need to be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of corruption.
  • Compliance oversight: The organization needs someone who is responsible for the oversight of anti-corruption compliance processes and activities. This person should have the authority to report to independent monitoring bodies, such as the audit committees of the board, to report issues of corruption.
  • Established policies and procedures: Organizations must have documented and up-to-date policies and procedures that address corruption. The code of conduct is the governing policy that filters down to other policies that address anti-corruption, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, facilitation payments, and solicitation and extortion. Compliance requirements and processes must be clearly documented and adhered to.
  • Effective training and communication: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement anti-corruption training programs to educate employees and business partners at risk of exposure to bribery, corruption, and fraud. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
  • Implement communication and reporting processes: The organization must have channels of communication where employees can get answers on policies and procedures. This could take the form of a help line that allows an individual to ask questions, or a FAQ database, or form processing for approval on activities and requests. The organization must also have a hotline reporting system for individuals to report misconduct — in the U.S. this is called a whistleblower system, and in the U.K. it is referred to as a speak-up line.
  • Assessment and monitoring: In addition to periodic risk assessment, the organization must also have regular compliance assessment and monitoring activities to ensure that policies, procedures and controls to prevent corruption and bribery are in place and working.
  • Investigations: Even in the best organization, things go wrong. Investigation processes (hotlines, surveys, management reports, and exit interviews) must be in place to quickly identify potential incidents of corruption, and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.
  • Internal accounting controls: Organizations must keep detailed books, records and accounts that fairly and accurately reflect transactions and disposition of assets that could be implicated in corruption issues. This includes contract-pricing review, due diligence and verification of foreign business representatives, accounts payable payments, financial account reconciliation, and commission payments.
  • Manage business change: The organization must monitor the business environment for changes that introduce greater risk of corruption. The organization must document changes required to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that business change be monitored by compliance personnel to proactively prevent corruption.
This is the second installment in a three-part series on Anti-Corruption.  The first article can be found at:

I would love to hear your thoughts on meeting anti-corruption obligations. This series is a collection of pieces from a published paper – the rest of the paper can be found at:

Accountability in Policy Management


Organizations often lack an auditable means of policy communication, attestation and training. There are various processes and approaches to tracking policy attestation and certification (making sure policy documents are read and understood), and corresponding quizzing and training. The organization must provide full visibility into who accessed a policy, accepted it, was trained on it, and passed or failed quizzes to gauge understanding — all things that provide the organization with a stronger defensible situation with regulators and in legal actions.

Organizations that approach policy without clear accountability face significant risk to their business. This accountability applies to policy owners for their ongoing review and maintenance of policy, the process of granting exceptions, monitoring incidents and violations of policies and extends to policy governance to track reading, acceptance, and training on an individual basis.

When the organization is under a microscope, having a detailed trail of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and what incidents violated the policies all provides grounds for defending the organization. An ad hoc “dust in the wind” approach to policy management may expose the organization to significant liability. This liability is further exacerbated by the fact that today’s compliance programs affect every person involved in supporting the business, both internally and at third parties. If policies look different, use words with different meanings, are located in different places and don’t offer a mechanism to gain clarity (e.g., a policy helpline), organizations are not positioned to drive desired behaviors or enforce accountability, which aid in improving performance, producing predictable outcomes, mitigating compliance risk, and avoiding incidents and loss.

Most organizations fail to manage the lifecycle of policy, resulting in policies that are out-of-date, ineffective, and not aligned to business needs. It opens the doors of liability, as an organization may be held accountable for policy in place that is not appropriate or properly enforced. Organizations require a consistent process to develop, communicate, monitor, and maintain corporate policy and procedures. This requires collaboration across business roles with clear accountability throughout the process.

Accountability in policy compliance and enforcement is made possible by three key functional capabilities:
  1. A well-designed Policy Lifecycle Management process.
  2. An organized Policy Management Committee to govern the oversight and guidance of policies and ensure policy collaboration across the enterprise.
  3. An individual assigned to the role of Policy Manager to assure accountability across the policy lifecycle to the standards, style, and process defined by the Policy Management Committee.

Policy Lifecycle Management is the process of managing and maintaining policies throughout their effective use within the organization. It involves defined stages of monitoring business change for policy development, communication, and maintenance. Implementing Policy Lifecycle Management requires a technology architecture that is rich in content management, workflow management, process management, task management, and notifications, and that keeps a robust accountability audit trail. The lifecycle is defined in five primary stages: Environment Change, Policy Development, Policy Communication, Policy Management, and Policy Maintenance.
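As an added example (not code from this post or from any vendor named in the awards), the following Python models the five lifecycle stages above as a state machine and keeps the per-person audit trail that the earlier paragraphs call for: who accessed a policy, who attested to it, who was trained, who passed or failed the quiz, and who holds an exception. The five stage names are the post's; the allowed transitions between them, the event names, the policy identifier, the sample people, and the dates are assumptions made here.

```python
# Policy lifecycle state machine with a per-person attestation audit trail.
# Added illustration: stage names come from the post; everything else is assumed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Stage(Enum):
    ENVIRONMENT_CHANGE = "environment_change"
    POLICY_DEVELOPMENT = "policy_development"
    POLICY_COMMUNICATION = "policy_communication"
    POLICY_MANAGEMENT = "policy_management"
    POLICY_MAINTENANCE = "policy_maintenance"


# Assumed transitions: the stages form a cycle; maintenance may return to development.
TRANSITIONS = {
    Stage.ENVIRONMENT_CHANGE: {Stage.POLICY_DEVELOPMENT},
    Stage.POLICY_DEVELOPMENT: {Stage.POLICY_COMMUNICATION},
    Stage.POLICY_COMMUNICATION: {Stage.POLICY_MANAGEMENT},
    Stage.POLICY_MANAGEMENT: {Stage.POLICY_MAINTENANCE},
    Stage.POLICY_MAINTENANCE: {Stage.ENVIRONMENT_CHANGE, Stage.POLICY_DEVELOPMENT},
}
IN_EFFECT = {Stage.POLICY_COMMUNICATION, Stage.POLICY_MANAGEMENT, Stage.POLICY_MAINTENANCE}
USER_EVENTS = {"accessed", "attested", "trained", "quiz_passed", "quiz_failed", "exception_granted"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    policy_id: str
    version: int
    actor: str
    action: str  # a Stage value (lifecycle move) or a USER_EVENTS member


def ts(day, hour=9):
    """Constructed sample timestamps in March 2012 (UTC)."""
    return datetime(2012, 3, day, hour, tzinfo=timezone.utc)


class PolicyRegistry:
    """Current stage and version per policy, plus an append-only audit log."""

    def __init__(self):
        self.stage, self.version, self.audit = {}, {}, []

    def _log(self, policy_id, actor, action, when):
        self.audit.append(AuditEvent(when, policy_id, self.version[policy_id], actor, action))

    def create(self, policy_id, owner, when):
        self.stage[policy_id], self.version[policy_id] = Stage.POLICY_DEVELOPMENT, 1
        self._log(policy_id, owner, Stage.POLICY_DEVELOPMENT.value, when)

    def advance(self, policy_id, actor, new_stage, when):
        current = self.stage[policy_id]
        if new_stage not in TRANSITIONS[current]:
            raise ValueError(f"{policy_id}: {current.value} -> {new_stage.value} is not allowed")
        if new_stage is Stage.POLICY_DEVELOPMENT:  # re-entering development starts a revision
            self.version[policy_id] += 1
        self.stage[policy_id] = new_stage
        self._log(policy_id, actor, new_stage.value, when)

    def record(self, policy_id, user, action, when):
        if action not in USER_EVENTS:
            raise ValueError(f"unknown event {action!r}")
        if self.stage[policy_id] not in IN_EFFECT:  # nothing to attest to before communication
            raise ValueError(f"{policy_id} has not been communicated yet")
        self._log(policy_id, user, action, when)

    def attestation_status(self, policy_id, version=None):
        """Per person: accessed, attested, trained, latest quiz result, exception held."""
        version = version or self.version[policy_id]
        status = defaultdict(lambda: {"accessed": False, "attested": False, "trained": False,
                                      "exception_granted": False, "quiz": None})
        for ev in sorted(self.audit, key=lambda e: e.ts):
            if (ev.policy_id, ev.version) != (policy_id, version) or ev.action not in USER_EVENTS:
                continue
            if ev.action.startswith("quiz_"):
                status[ev.actor]["quiz"] = ev.action[len("quiz_"):]  # latest attempt wins
            else:
                status[ev.actor][ev.action] = True
        return dict(status)

    def outstanding(self, policy_id, population):
        status = self.attestation_status(policy_id)  # people who still owe an attestation
        return {u for u in population
                if not (status.get(u, {}).get("attested") or status.get(u, {}).get("exception_granted"))}


def demo():
    reg = PolicyRegistry()  # constructed sample history for one policy
    reg.create("ACCEPTABLE-USE", "policy.manager", ts(1))
    reg.advance("ACCEPTABLE-USE", "policy.manager", Stage.POLICY_COMMUNICATION, ts(2))
    reg.record("ACCEPTABLE-USE", "alice", "accessed", ts(3))
    reg.record("ACCEPTABLE-USE", "alice", "attested", ts(3, 10))
    reg.record("ACCEPTABLE-USE", "alice", "quiz_failed", ts(3, 11))
    reg.record("ACCEPTABLE-USE", "alice", "quiz_passed", ts(4))
    reg.record("ACCEPTABLE-USE", "bob", "accessed", ts(3))
    return reg
```

The audit list is only ever appended to, and every event carries the policy version it belongs to, so a revision (re-entering Policy Development bumps the version) does not erase who attested to the earlier text; `attestation_status(policy_id, version=1)` still answers "who had read and accepted the policy that was in effect at the time", which is the question a regulator or litigator asks.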

The Policy Management Committee provides the structure and connective tissue to coordinate and drive consistency across the organization, and is composed of team members who represent the best interests and expertise of the different parts of the organization. They leverage the knowledge, charter, and authority of the committee to benefit their own business areas and, at the same time, other business areas and the organization as a whole.

The system that holds the policies and procedures documents accountabilities, provides audit trails, links to internal and external mandates, manages training and attestations, and specifies monitoring activities, review cycles, enforcement policies, and responsibilities over time.

Policy lifecycle management that addresses accountability brings integrity and value to policy management. It provides accountability to policy management processes that are often scattered across the organization. It enables policy management to work in harmony across organizational functions, delivering efficiency, effectiveness, and agility. In today’s environment, ignoring accountability in policy management means processes, partners, employees, and systems that behave like leaves blowing in the wind. Policy management processes that operate autonomously are constantly in disarray, introducing risk in today’s complex, dynamic, and distributed business environment. Organizations require an enterprise view of policy accountability and collaboration that not only brings together silos, but integrates them into a common policy-management process.
