Michael Rasmussen

• Does the business have the information to make risk-based decisions about the future of the company, when they don’t have a clear view of the risk landscape?
• Does the business know its risk exposure at the enterprise, business process and control levels, and how they interrelate?
• How does the business know it is taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
• Can the business accurately gauge the impact of risk-taking on business strategy?
• Does the business get the information it needs so it can take timely action on risk exposure to avoid or mitigate negative events?
• Does the business monitor key risk indicators across systems, relationships and processes?
• Is the business optimally measuring and modeling risk?
• Is the business meeting its regulatory and other obligations?

• Lower costs, reduce redundancy and improve efficiencies by rationalizing the information architecture.
• Deliver consistent and accurate information about the state of risk and compliance initiatives, to assess exposure.
• Improve decision-making and business performance through increased insight and business intelligence.

• Holistic awareness of risk: There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise GRC framework.
• Establishment of culture and policy: Policy must be communicated across the business to establish a risk and compliance culture. Policies are kept current, and reviewed and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives.
• Risk-intelligent decision-making: This means the business has what it needs to make risk-intelligent business decisions. GRC strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
• Accountability of GRC: Accountability and risk ownership are established features of GRC. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
• Multidimensional GRC analysis and planning: The organization needs a range of GRC analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — must be working and monitored for progress.
• Visibility of risk as it relates to performance and strategy: The enterprise views and categorizes risk in the context of corporate objectives, performance and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance and timeliness.

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

To understand what GRC is all about, please see these OCEG videos:

• http://www.nextslide.com/oceg/principled-performance-and-grc

This posting is from my most recent paper – GRC Maturity: From Disorganized to Integrated Risk and Performance.

• Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility.  The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements.  This results in multiple initiatives to build independent GRC systems – projects that take time and resources and result in inefficiencies.
• Poor visibility across the enterprise. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture of risk.  The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats.  The result is poor visibility across the organization and its GRC environment.
• Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over reliance on spreadsheets, point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business.  Complexity increases inherent risk and results in processes that are not streamlined and managed consistently – introducing more points of failure, gaps, and unacceptable risk. Inconsistency in GRC means inconsistency that not only confuses the organization but also regulators, stakeholders, and business partners.
• Lack of business agility. A GRC strategy that is reactive and managed in siloed and manual processes with hundreds to thousands of disconnected documents and spreadsheets handicap the business.  The organization cannot be agile in a demanding, dynamic, and distributed business environment. This exacerbated by documents, point technologies, and siloed processes that are not at the “enterprise” level and lack analytical capabilities. Business becomes bewildered in a maze of varying approaches, processes, and disconnected data that fail to be addressed with any sense of consistency or logic.
• Greater exposure and vulnerability. No one sees the big picture.  No one is looking at GRC holistically across the enterprise.  The focus is on what is immediately before each department and not seeing the complex relationship and dependencies of risk across the organization. This is exacerbated by many so called GRC solutions that focus on assessment and replacing spreadsheets, but do not deliver on analytics nor align with business applications. All of this ends up in gaps that cripple GRC and a business that is ill equipped for aligning GRC to the business.

• Inability to gain a clear view of risks and their dependencies
• High cost of consolidating disparate data silos and documents
• Difficulty maintaining accurate data
• Failure to report and trend GRC across assessment/reporting periods
• Unreliable or irreconcilable risk assessment results because of different formats and approaches
• Redundancy of risk management and compliance efforts
• Failure to provide intelligence to support decision-making that crosses risk and compliance areas
• Inconsistency in approaches to risk/compliance activities
• Different vocabulary and processes that limit correlation, comparison and integration of information
• Lack of agility to respond timely to changing environments and situations

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

GRC technology innovation is alive and well!

As I mentioned in last week’s posting, the GRC market is now 10 years old. It was in February 2002 that I first modeled a market for technology and professional services and labeled it GRC while I was at Forrester Research (at the time GiGa Information Group). It is exciting to see GRC technology continue to evolve to make GRC processes agile, efficient, and effective!

GRC technology has continued to expand and grow. Corporate Integrity’s inaugural GRC Technology Innovation awards illustrate the diversity of technologies that are expanding GRC into new areas where no technology has gone before.

Over the past few months, Corporate Integrity has received dozens of nominations for the awards. Most nominations are worthy of mention — they illustrate how technology is being used and advanced. However, most of the submissions were focused on why a vendor has a stronger feature set and not necessarily on how it is paving new ground for GRC technology.

After combing through dozens of nominations, Corporate Integrity is pleased to announce the following 10 GRC Technology Award recipients. Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and unique solutions delivering innovative technology to organizations.

The 2012 GRC Technology Award recipients are:

• AlertEnterprise: Enterprise Identity and Access Management Security Convergence Solution. The AlertEnterprise Enterprise Identity and Access Management Security Convergence Solution (EIAM Solution) delivers a next-generation identity and access management (IAM) solution. The solution enhances traditional IAM fulfillment capabilities with built-in identity and access governance. It enables self-service capabilities to automate access requests, enforce policies, ensure compliance, enable delegated administration, and generate roles-based dashboards and reports. AlertEnterprise combines the best of IAM with compliance automation to reduce security risks and eliminate costly violations in both physical and logical access environments.

• Catelas: People Governance Solution. Catelas is the world’s first solution that focuses exclusively on GRC challenges with a company’s employees and partners, and their collective communications (email, voice, IM, etc.), a.k.a., people governance. The volume of communications has made it challenging for compliance officers to holistically audit or monitor for potential infractions (e.g., insider trading, fraud, corruption, IP theft). Catelas has introduced an innovative approach that enables companies to review, audit and monitor corporate communications. This allows compliance officers to effectively review or monitor the company’s communications network and identify potential irregularities, based on relationships.

• CMO Compliance: Mobile Audit, Risk and Compliance Software. CMO Compliance provides a suite of offline mobile solutions, including iPad/iPhone/iPod Touch apps, to support audit and compliance processes. The mobility compliance and audit software allows corporations to improve operational efficiencies for GRC. The iPad/iPhone apps allows field data collection, with intuitive interfaces that simplify and streamline compliance management, audits, inspections, assessments and reviews for field personnel, providing the ability to view and submit documents offline, manage actions, and capture and annotate photos for evidence and findings.

• HiSoftware: Security Sheriff™ SP. HiSoftware Security Sheriff SP makes SharePoint safe for even the most sensitive enterprise data: from personally identifiable information (PII) to protected health information (PHI) to prerelease financials, strategic product information, HR data and more. Security Sheriff SP focuses on content awareness and content governance, so it determines access not by location but by what information it contains. It then applies governance rules to that information depending on who accesses it when and from where. Security Sheriff SP scans information, reports its status to management, classifies the information and then acts upon it, taking the actions necessary to keep it safe.

• LockPath: Keylight GRC platform. LockPath has implemented the next-generation GRC content architecture that provides a less cumbersome way to achieve the true promise of enterprisewide GRC. The Keylight platform provides real-time, regulatory and risk intelligence with actionable context-aware integration of content. Based on a flexible architecture, Keylight is highly scalable, and provides unprecedented correlation capabilities, delivering integrated risk and regulatory intelligence through a streamlined user experience. LockPath has the broadest content integration capabilities and provides the first complete end-to-end integration and harmonization of the unified compliance framework and shared assessments content libraries with customer-created content.

• Pneuron: Real-time distributed GRC analytics. Pneuron provides the unique ability to configure and deploy in real time, for any GRC function, component, product, rule, model or analytics from any source (third-party, proprietary or developed) to any system or set of systems without the need for an intermediary database, data mart or common data model. Pneuron enables the creation of new GRC capabilities and direct interaction with existing systems with minimal adjustments. The result — real-time globally deployed analysis, interdiction, workflow integration and enterprise intelligence.

• QCC Information Security: Blackthorn GRC. Blackthorn GRC enables risk to be presented in a clearer, repeatable and graphical way. Risk is understood and analyzed within Blackthorn through the use of “trees.” In Blackthorn, the approach is to use drag-drop functionality to build risk models using objects (threats, threat agents, exploits and vulnerabilities, impacts, controls, etc.). The models are built underneath each critical business asset. Because risk models are built around assets and represented in trees, it has the ability to aggregate risk totals up the tree, with total risk for the organization viewable from any level. Blackthorn represents risk models so they are fed with data from a range of activities, both proactive (assessments, audits, reviews, etc.) and reactive (incidents, cases, breaches, etc.). This makes the risk results both real-time and more reliable.

• QUMAS: ComplianceSP. QUMAS ComplianceSP on SharePoint 2010 is an innovative compliance management solution, combining the power of SharePoint 2010 with the proven regulatory domain expertise of QUMAS. Combined with preconfigured solutions for managing documents, processes, people and tasks, ComplianceSP on SharePoint 2010 delivers an innovative solution that can manage a wide range of compliance activities on the latest technologies. QUMAS ComplianceSP is fully Web-based, ensuring anytime/anywhere access to critical compliance activities, all secured by role and permission-based access. It integrates seamlessly and leverages the wider Microsoft environment, including Office, Outlook and Silverlight and other elements of the Microsoft technology stack.

• SAP: Mobile GRC solutions. SAP is empowering the mobile GRC workforce by delivering more consumable GRC information and processes. This enables users to manage risk and compliance via mobile devices. The SAP GRC Access Approver mobil
  e application facilitates review, time-sensitive approvals and operation-critical access requests for managers, allowing authorized employees to gain access to systems and continue their work in a timely manner. With the SAP GRC Policy Survey mobile application, employees can keep track of the latest policy changes that impact their areas of the organization and complete policy-related surveys and attestations.

• SAP: Risk Bow-Tie Builder. The SAP risk bow-tie builder allows users to visualize and maintain risks in the recognized “bow-tie” format using simple drag-and-drop capabilities. The scope of each risk as well as the causes and effects can be created, maintained and visualized. The visual representation of risk allows managers and executives throughout the typical enterprise to easily understand risk concepts. It is an effective tool to convey the importance of risk management across the organization to those that lack risk management expertise. It delivers the ability for risk managers to engage and have valuable conversations with managers and executives regarding risk. The risk bow-tie builder is revolutionary as it provides an easy-to-understand summary risk visualization with all the supporting details that management can understand and take action on.

Please share your comments, thoughts, experiences, and reflections on GRC technology innovation.  Go ahead – comment below on others that are doing great things (just avoid the better mouse trap argument – post what is truly innovative and breaking new ground).  Let the recognition of those above be the start of a great thread of conversation on other GRC technology innovations.  I am eager to hear . . .

2012: The Chinese Year of the Dragon to Mayan Doomsday prophesies – this year certainly proves to be interesting (note: I myself do not hold to these views; feel free if it interests you to ask me my view on providence and the end of the world).

One thing is for sure: it is the year of GRC.  I have never personally been involved in so many GRC strategic plans, training, and RFPs.  There certainly is more activity in the GRC market right now than at any other point in its ten year history.

Which brings us to an important point – HAPPY 10TH BIRTHDAY GRC!

Yes, the GRC market is now ten years old.  It was back in 2002 as an analyst at GiGa Information Group (soon to be acquired at the time by Forrester Research, Inc.) that I was the first to model a market for professional services, software, and content and label it GRC (Governance, Risk Management, and Compliance).  This was right before Sarbanes Oxley (SOX) became law.  That was providence:  all that hard work in defining and scoping a market which may have fizzled and dwindled if it was not for a major law from the U.S. Congress.  While my original vision of the GRC market was well beyond what was defined with SOX it is fair to say that SOX established and advanced the GRC market for several years, and continues to do so today.  Today GRC strategies and spending encompasses the breadth of enterprise and operational risk management, corporate compliance, audit, IT security, financial controls, corporate social responsibility, legal and other areas across the business.

There are over 400 vendors that I categorize into the GRC market.  The market has evolved to embrace many niches.  The analyst firms today do a disservice to the GRC market with a report that plots a handful of vendors against each other.  The GRC market today is more akin to the breadth of the IT security market.  Within the IT security market you have sub-markets for anti-virus, perimeter security, vulnerability scanners, intrusion detection/preventions systems . . . and more.  The GRC market is at the point it cannot fit into one graphic to plot vendors against each other.  It is a whole market with several sub-markets – while some vendors offer solutions that embrace many components of it there is no vendor that covers all of the GRC market.

The needs of the GRC market are varied by industry, role, as well as size of the organization.  Some are looking for solutions strong in elements of compliance while others in risk or audit.  Many GRC strategies start in what is referred to as IT GRC (I prefer IT Risk and Compliance) and expand to other areas. There are many perspectives and starting points.

The market has matured to the point that industry heavyweights such as IBM, Oracle, SAP, and SAS providing stability, solutions, and thought leadership. This is supported by a legion of small to mid-sized vendors solving GRC problems from the narrow and focused to the enterprise GRC strategy.  In the first month of 2012 we have already seen the beginning of what will be several merger & acquisitions in the GRC market – the acquisition of Compliance 360 by SAI Global.  This acquisition provides one of the most complete GRC offerings targeted at corporate compliance and ethics professionals.

GRC technology itself is evolving and changing.  After going through dozens of nominations I have now selected 10 vendors to receive Corporate Integrity’s 2012 GRC Technology Innovation Awards.  These will be announced next week.

A particularly important GRC development is the release of the OCEG GRC Capability Model version 2.1.  This is a significant achievement as it evolves the GRC Capability Model to take a broader understanding of risk and performance with several other enhancements.  For those that are looking for an integrated capability and process framework for GRC the OCEG model is the ONLY publicly vetted and open standard for GRC.  There are many excellent standards focused on niches of risk, compliance, and audit – but the OCEG GRC Capability Model is the only one that provides the integration and harmonization of these other frameworks and standards.  The OCEG GRC Capability Model is the GRC Rosetta Stone for organizations.

Tied to the GRC Capability Model is the release of the OCEG GRC Technology Solutions Guide 2.1.  As the chair of the OCEG Technology Council it is rewarding to see this work moved forward as a framework to define and model GRC technology areas. It incorporates my thoughts with those of several other GRC pundits and thought leaders on the Technology Council.  The OCEG GRC Technology Solution categories, listed below, are how I define, frame, model, and size the market (note: the only change I would make is the addition of a 29th category for identity and access management).  The categories of the OCEG Guide and the framework are:

• Audit and Assurance Management
• Board and Entity Management
• Brand and Reputation Management
• Business Continuity Management
• Compliance Management
• Contract Management
• Control Activity, Monitoring, and Assurance
• Corporate Social Responsibility
• Discovery/eDiscovery Management
• Environmental Monitoring and Reporting
• Environmental, Health, and Safety
• Finance/Treasury Risk Management –
• Fraud & Corruption Detection, Prevention & Management
• Global Trade Compliance/International Dealings
• Hotline/Helpline
• Information/IT Risk & Security
• Insurance and Claims Management
• Intellectual Property Management
• Issue and Investigations Management
• Matter Management
• Physical Security & Loss Management
• Policy Management, Communication, & Training
• Privacy Management
• Quality Management and Monitoring
• Reporting and Disclosure
• Risk Management (Enterprise & Operational)
• Strategy, Performance, and Business Intelligence
• Third Party/Vendor Risk & Compliance

OCEG will be rolling out the GRC Directory in a few months to index GRC solutions around this model for those looking for solutions.

A few further items of note:

• For more detail on the State of the GRC Market, Q1-2012 I will be hosting my quarterly online market training seminar on February 15, 2012.
• The first OCEG Technology Council call will be on February 16, 2012 for those that are members of the OCEG Technology Council.
• Within OCEG I will also be chairing a new Council – the OCEG Policy Management Council aimed to develop a defined policy lifecycle management process with su
  pporting sample templates, policies, and style guide.   This also is for OCEG Enterprise, Technology Council, and Leadership members.

I would love to hear your thoughts, interpretations, and experiences with the GRC software market.  Please comment below!

Organization exposure to compliance risk is rising at the same time the cost of compliance soars. An ad hoc or reactive approach to compliance brings complexity, forcing business to be less agile. Organizations in the past have addressed compliance as singular issues or obligations, which often resulted in multiple initiatives working in isolation. Isolated compliance initiatives tend to rely on manual processes burdened with costly assessments managed through spreadsheets, documents, and email, which is costly and unreliable. This makes it difficult to adapt to new regulatory requirements while increasing pressure and anxiety for management, employees and business relationships.

Without a business process view to manage compliance risk, organizations will continue to be burdened with the data overload and complexity of compliance data. Organizations need complete visibility into a portfolio of compliance processes spread across a distributed and complex business.  Organizations need information and not just data.

Success in compliance risk management begins with a strategy — how to effectively manage compliance across the organization. Ultimately, the organization needs to identify and prioritize major risks resulting from regulatory mandates, and maintain oversight and control over business processes to mitigate these risks. In compliance business process architecture, accountability and compliance is effectively managed and the business has a system of record to understand and manage the diverse complexity of compliance issues. Compliance needs to be an active and living part of the organization and culture to prevent and detect issues across the business. It is a continuous and ongoing process to be monitored, maintained and nurtured. This challenge is taking on a new paradigm that focuses on establishing compliance processes that move from a reactive fire-fighting mode to one that actively manages, monitors, mitigates, prevents, and detects compliance-related risks.

Using the OCEG GRC Capability Model as a basis and integrating compliance risk management requirements from experience as well as guidance from USSC Organizational Sentencing Guidelines, U.K. Bribery Act, and Australia’s 3806:2006, there are common core processes that compliance can establish to manage compliance risk. A business process framework to manage compliance risk in the 21st century enables an organization to manage and monitor compliance risk through:

• Compliance program management: This is the core process that everything else revolves around. It integrates all the other functions to provide a single cohesive program for managing and scheduling compliance reporting, assessments, controls, investigations, policies, regulatory change, and specific projects and tasks. An effective program delivers a 360-degree view of compliance risk management activities.

• Compliance risk identification and assessment: Risk assessments are foundational to compliance initiatives. In addition to a periodic risk assessment, the organization must have regular compliance risk assessment and monitoring activities to ensure policies and controls that maintain integrity are in place and working. The compliance risk identification and assessment process drives every aspect of a successful program as it identifies and models compliance risk that all the other processes build upon.

• Regulatory and risk intelligence: To keep current on compliance risk requires that the organization have a process to continuously monitor changes to the regulatory and risk environments impacting the business, and to monitor the business for change. This involves identifying subject matter experts for each compliance risk area that are accountable for monitoring internal changes and external change from regulators, courts, legislatures, and other sources to identify new and developing compliance risks that will impact the business.

• Policy definition, communication, and maintenance: Organizations must have documented and up-to-date policies and procedures that both address the compliance and ethical risks and are in accordance with the culture, values, and obligations of the organization. Compliance requirements and processes must be clearly documented within policies and procedures. The policy definition, communication, and maintenance process provides proof that the program is sound and controls are adequate.

• Compliance risk reporting and accountability: Compliance is a distributed and federated function in most enterprises. While the board has ultimate accountability, responsibility for compliance risk management falls to the CECO, and is delegated across a variety of business processes and functions. To effectively provide assurance to the board and executives, an effective GRC approach requires that a process of compliance risk governance, accountability, and reporting be in place. This requires collaboration with other roles such as internal audit, and establishes lines of communication throughout the business.

• Due diligence efforts: An established process to document due diligence efforts shows that employees and business partners are properly screened, and assures the business that it is not engaging with individuals or organizations that have a bent toward unethical behavior. It also assures the organization that individuals have the right background, resources, and experience to do the job they are engaged for.

• Training and communication: Written policies are not enough — individuals need to know what is expected of them day-to-day and their business operations. Organizations are increasingly using online training in addition to discussion-led training to raise compliance and ethics awareness. There is also a trend toward using interactive technologies and learning simulations. The training and communication process is key to communicating the corporate culture, obligations, and expectations across the organization and to business partners.

• Ongoing compliance assessment: The organization needs ongoing assessment of compliance policies and controls. This involves surveys, self-assessments, and automated assessments for regular compliance risk and control monitoring. Successful organizations conduct assessments not just on a periodic basis but whenever significant business change might impact compliance.

• Enforcement of the control environment: While policies and procedures may define how the organization behaves, enforcement ultimately depends on controls. The organization should implement preventive and detective controls that support compliance obligations and policies. The organization needs to ensure these controls are in place and operating as designed. When there are issues, the organization must address these with corrective controls.

• Record and report issues: Clearly defined processes must be in place for individuals to report concerns, weaknesses and wrongdoing. Reporting is often done anonymously via call centers or Weblines. Clearly defined processes must be communicated and maintained for management to document reports made directly to them as well so that one database can be maintained and audited.

• Conduct investigations: Even in the best organization things go wrong. Investigative processes (e.g., hotline analysis, surveys, management reports, exit interviews) must be in place to quickly identify potential incidents of wrongdoing and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.

• Implement communication and reporting processes: The organization must have channels of communication where employees can ask questions
  on policies and procedures to avoid misunderstanding as well as issues of noncompliance. Possible systems include help lines, interactive intranets with FAQs and ‘ask a question’, and forms processing where approvals are requested.

• Third-party relationships: Central to an integrity and compliance program is the ability to identify and manage the risk of third-parties. Technology enables the ongoing due diligence effort to monitor and score vendor and third-party risk, communicate a supplier code of conduct and other policies to vendors and track attestations, and deliver surveys and assessments.

Throughout all of these processes, compliance risk management needs to have a clearly defined lessons-learned process to make sure the organization is not a repeat offender. Organizations with a history of noncompliant conduct will find that they are not treated favorably by courts and regulators.

The GRC software space is vast with numerous vendors.  In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC related software.  Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), 19 of the categories are focused in specific business functions/processes of GRC.  Of the 400 vendors, it is under 50 that market and present themselves in the enterprise GRC domain.

How does an organization make sense of all of this? How do you know what you are buying is the right platform and right vendor for your organization?

Before I give some guidance on this – let me first state that GRC software is needed in organizations.  Using a document centric approach done in spreadsheets and word processing documents is prone to issues.  Issues in consolidation and reporting – both errors and time it takes.  Issues in accountability in audit trails – to validate that things were not changed to get someone or the organization out of trouble, or paint a rosier picture of the organization.  Issues in efficiency as document centric approaches take more resources to manage.

The issue is sifting through all the vendors with their offerings to find the one that best fits your organization.

My advice on buying GRC (and related risk and compliance software):

• Get to know the vendor.  I have spent nearly twenty years in this space.  There are good vendors and bad vendors.  There are good sales people and bad sales people.  A successful software implementation is going to require a relationship.  Make sure that the vendor and sales person you are considering doing business with is someone you want to work with.  Someone that is arrogant or pushy is going to give you headaches and make your life miserable – they will always be pushing for the next deal and expanding the platform.  Pick the vendor that appears to have your best interest in mind and not theirs.
• Understand who the vendor typically sells to – industry and role.  Every vendor in this space has a history and track record.  Some have strengths in audit or risk or compliance or information security or some other role.  Some have a history in financial services while another is healthcare.  While many vendors can serve across several roles where they have historically sold their platform into will tell you where their dominate strengths lie.
• Use caution with Forrester Waves and Gartner Magic Quadrants.  Too many organizations see whoever is in the upper right quadrant and pick them for their short list.  THIS IS A MISTAKE.  These documents have their value, but just because someone appears to be the leader does not mean they are the best fit for your organization.  That ‘winner’ may serve primarily Fortune 1000 banks, while you are a mid-size hospital.  They may be strong in risk while you are looking for a strong compliance solution. Do not assume that the leaders in these research pieces are what will be best for your organization.  There may be a vendor not even in the research that is the ideal fit for you.
• Check references.   Require that the vendor give you references – and check them.  Grill the references.  Ask questions on what they like least about the vendor and the solution. Ask them what they would change.  Many of these references have sweet deals from the vendors and are spokespeople for them – you need to grill them and look for the chinks in the armor.  I would also use social networking (e.g., LinkedIn, Twitter) to ask for experiences of others.  Talk to analysts and insist on knowing the good, the bad, and the ugly.  If the analyst does not have much to offer – go to one that has experience.
• Control the vendor.  A huge issue with GRC software projects is when the vendor sees $$$.  I have seen situations in which the sales person is striving for a much bigger sale than what the organization is ready for.  In these cases the sales person has taken it upon themselves to knock on other doors across the organization in an attempt to get buy-in to a GRC vision and fix corporate political issues.  This kills GRC projects.  Go back to the first bullet above – know your vendor and make sure it is who you want to do business with.
• Get in the drivers seat.  A HUGE ISSUE is that some vendors are great at demos.  They can find out what you need and go back and build some mock-ups that look great. When the deal closes they have not told you that they have to build out much of the functionality they demonstrated and do so on your dime.  It is important that you demo the solution and get behind it yourself.  Build scenarios of what you want to accomplish, do not give all the details to the vendor (just the general goals) and sit behind it and walk through it.  This will make your decision much clearer as the system that is easiest to use will quickly become apparent.
• Test your enterprise needs.  Some vendors work great when operating in a specific business department, but their risk analysis and reporting falls apart as you try to aggregate, normalize, and report on information on an enterprise level – as with ERM (Enterprise Risk Management).  I have had one senior executive tell me that they never want to see a heat map again as their GRC/risk vendor’s reporting was a mess and what appeared on the heat map was comparing apples and oranges.

Understanding and Approaching Compliance and Ethics Risk

Historically the compliance function did not understand and model processes for risk management. Compliance documented and met requirements, and found and resolved issues. There was limited modeling of compliance issues and risk to determine business impact and prioritization of resources. Most often compliance was reactive, putting out fires instead of actively interpreting and predicting compliance and ethics risk issues, and developing treatment plans to mitigate or avoid damage to the organization.

The CECO in the 21st century must take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the current and future context of a dynamic and distributed business, and model risk and business impact today and into the future. In some industries CECOs are best served to use risk models that support decision tree and scenario analysis to model risk in their environments, but can also benefit from heat maps, MARCI charts (mitigate, assure, redeploy, and cumulative impact), and even quantitative approaches such as loss distributions in Monte Carlo simulations to portray loss and impact (if there is enough data to make these meaningful).

Regardless of the complexity of the analysis, the principles of compliance risk management are the same:

• Understand your risk: An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic, done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and entry into new markets).
• Approach compliance based on proportionality of risk: How an organization implements compliance procedures and controls must be based on the proportionality of the risk it faces. If a certain area of the world or a business partner receives a high risk score for ethics or corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
• Monitor the risk and regulatory environment: Content and information on changes to risk and regulatory environments is critical. New laws, changed regulations, court rulings, and standards of practice all change what is required of the organization. The compliance function needs to have a defined process and be accountable to monitor risk of changes in the regulatory environment.
• Tone at the top: The compliance risk management program needs to be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Leadership must communicate what is both acceptable and unacceptable risk, and support the compliance and ethics program. Executives and the board must be informed about the effectiveness and operations of the compliance and risk management strategy to fulfill their fiduciary obligations.
• Know who you do business with: Organizations need to know their business relationships. This requires that an established risk-monitoring framework is in place that catalogs the organization’s third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of risk of corruption, compliance, or ethical issues in a relationship, additional preventive and detective controls must be put in place. This goes beyond business partners: this means knowing employees, and conducting background checks where needed in order to understand if they are susceptible to corruption and unethical conduct.
• Keep information current: Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts, but must be done on a regular basis or when the business becomes aware of conditions that point to increased risk to ethics and compliance issues.
• Compliance oversight: The organization must have someone responsible for oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to independent monitoring bodies such as the audit committees of the board.
• Manage change in the business: The organization must monitor the business for changes that can impact its compliance and ethics program or introduce greater risk to corporate integrity. The organization needs to document changes required for business practices as a result of observations and investigations, and must implement changes through a deliberate program of change management. These changes must be monitored by compliance to actively prevent corruption.

• The court found Frederic Bourke, Jr. was willfully blind and as an investor he should have done more due diligence and should have known that the energy company he invested in bribed foreign officials.
• The government told Nature’s Sunshine’s CFO and COO they should have had better controls over financial reporting, even though the SEC never stated they specifically knew of the bribery happening within the corporation.
• The average cost of an FCPA settlement is $50 million plus the expense for an external monitor to validate a compliance program is in place for the next 10 to 20 years. This does not include investigation expenses.
• The U.S. Department of Justice assessed nearly $2 billion in fines in 2010. Eight of the top 10 FCPA settlements occurred in 2010. BAE Systems was the third largest fine at $500 million. Daimler AG had $185 million in fines and disgorgements. Snamprogetti had $365 million in fines (the fourth-largest).
• Charles Jumet, former VP of Ports Engineering Consulting Corporation, was sentenced to 87 months in prison.
• Siemens spent $850 million in fees and expenses to investigate anticorruption. Daimler had a five-year investigation that cost over $500 million.

• Commitment
• Implementation
• Monitoring and measuring
• Continual improvement
• In addition, mandates such as those provided by the Australian Securities and Investments Commission (ASIC) and Australian Prudential Regulation Authority (APRA) broaden the scope and compliance requirements for listed organizations or those within the financial services industry.

This is the second in my series on Compliance Management in the 21st Century. The previous ones have been:

• From Finding and Fixing Problems to Compliance Risk Management 

I would love to hear your thoughts as well – please share them.

For those that cannot wait for all of my upcoming posts – you can read my thoughts and perspectives in my most recent written report:  Compliance Risk Management in the 21st Century.

Before even getting into technology and vendors it is necessary to understand what GRC is about.  I argue that GRC is nothing new – we have been doing GRC long before we had an acronym that I first started using back in 2002. The truth is organizations have governance, risk management, and compliance (GRC) practices and processes in place.  Your organization is doing GRC whether you call it GRC or not.  These processes are most likely siloed and scattered across the organization.  They may be formal processes or informal, they may be defined and written down or ad hoc.  You will not find an executive that states we lack governance, do not manage risk, and can care less about compliance.  Whatever you may call it – the truth is that GRC exists in your organization.

So why all this fuss over GRC?  There are better ways of doing things.  The goal is to make GRC processes that already exist in the environment more effective at meeting obligations and managing risk, more efficient in use of financial and human resources, and more agile to the needs of a dynamic and distributed business environment.

Thus enters technology – GRC technology is used to go bring greater effectiveness, efficiency, and agility to GRC processes across the organization.  One goal is to move beyond documents and spreadsheets that have there issues (such as no audit trail, difficulty reporting). Another goal is to share information and provide a framework for collaboration across risk and compliance roles.  Finally, a goal is to provide shared processes and technology.

I often hear the line of business screaming “ENOUGH.”  This week it is a SOX assessment, next week an oprisk assessment, the week after that a business continuity assessment, and then five others.  Several come in spreadsheets formatted differently, others in web survey tools, others in software applications.  There are a dozen of more file shares or intranet sites claiming to have corporate policies – where is the correct one? How come they are in different formats?  Who is controlling this?  Investigations, incident, and issue systems are scattered across several areas as well.

Organizations are waking up to the fact that GRC can be more effective, efficient, and agile.  Thus enters technology to enable it.  GRC technology is very much like CRM (client relationship management) technology back in the 1980’s which are a core part of business today.  Before we had CRM we still managed client relationships.  The issue is that we had out of sync data and no one had the complete picture of the client.  Sales had their view, marketing theirs, and then service theirs.  CRM systems came in to provide a holistic view of the client – one complete and accurate picture that all these roles in their respective capacities can access.  The same for GRC technology – there are a variety of roles across the business doing aspects of risk and compliance that have very similar information and process needs though they maintain their individual subject expertise.

I will state that there is no single vendor that does all of GRC from a technology perspective.  There are over 400 vendors that do aspects of GRC.  I model the market around 28 categories of GRC software (this will be released in a few weeks in the updated OCEG Solutions Guide for GRC).  Several of these technology categories span needs across the enterprise others address needs within specific functions.

In my work in GRC market research, education/training, and advisory I get involved in over 200 interactions each year with organizations looking for GRC technology.  Most, as much as 90%, are focused on specific issues while about 10% are truly focused on enterprise GRC initiatives.  However, even those focused on specific issues want to invest in technology that can address other issues and grow and expand into enterprise GRC over time.

Looking over the past two years of interactions with buyers of GRC software, the top five GRC vendors that I see most often in RFPs/RFIs are (in alphabetical order):  BWise, MetricStream, OpenPages, RSA Archer, and Thompson Reuters Accelus.  Of these it is BWise and RSA Archer that most often come up in interactions.

This does not necessarily mean that these vendors are the best for you.  There are aspects of the 28 categories of GRC that they do not do.  Every vendor has their strengths and weaknesses.  Depending on organization size, industry, complexity, and needs the vendor you want to engage will vary.  In fact, several organizations I have interacted with have four or more GRC vendors in place doing different parts of GRC.

Other vendors that I frequently encounter include (in alphabetical order): ActiveRisk, Compliance 360, CMO Compliance, CURA, Easy2Comply, EthicsPoint, Lockpath, Mitratech, Oracle, QUMAS, SAI Global, SAP,  SAS, and Wolters Kluwer.

Beyond this group are vendors such as Agiliance, AlineAlytics, AssurX, BPS Resolver, Chase Cooper, Continuity Logic, Global Compliance, MEGA, Methodware, Modulo, Policy Technologies, The Network, Pilgrim Software, Process Unity, and RSAM.

Here I have only touched on a few dozen of the 400 vendors in this space.

If this topic interests you, I would encourage you to consider my upcoming online training on the GRC technology market.

State of the GRC Market Q4-2011 FRIDAY, OCTOBER 14, 2011 EASTERN TIME 12:00 PM – 2:00 PM / PACIFIC TIME 9:00 AM – 11:00 AM / GMT 4:00 PM – 6:00 PM

Today’s complex and competitive GRC market demands that you be at the top of your game.  Corporate Integrity is the leading GRC market research and education firm.

This webinar is Corporate Integrity’s quarterly uddate on the State of the GRC Market.  This is the summary of Corporate Integrity’s market intelligence that spans several hundred interactions/conversations with GRC technology buyers each year.  It is an excellent opportunity for organizations looking to buy technology to learn what is going on in the market.  It is a necessary educational opportunity for technology providers to understand the GRC market and refine their strategies.

Attendees will be able to answer the following questions:

• Who are the leading (most active) GRC technology providers?
• Why are organizations buying GRC technology?
• What differentiates the GRC technology providers?
• How do you categorize and define the GRC technology market?
• What is the market size of the GRC technology market?  Where will it grow?
• What are the leading risk and compliance drivers for buying GRC technology?
• What is the value that organizations have achieved by implementing GRC technology?
• Where is GRC technology headed?
• What are the different needs of GRC roles (e.g., audit, risk, compliance, IT, finance, legal)?
• Who are some of the up and comers in GRC technology that I should be watching and why?