GRC Reference Architecture: Making Sense of the GRC Technology Landscape

 

While GRC is ultimately about collaboration and communication between business roles and processes, technology provides the backbone that enables GRC. To describe this technology, Corproate Integrity has defined the GRC Reference Architecture (this is closely aligned to the second version of the Open Compliance & Ethics Group (OCEG) GRC Technology Blueprint).

This model is meant to be a practical and applicable tool for organizations trying to understand and implement technology for GRC.

GRC today is akin to customer/client relationship management (CRM) in the 1980s. Before CRM systems and processes entered the organization, client information and relationships were being managed. The challenge was that there were scattered silos that created inconsistent and redundant data, with no view into the entire profile of the client and its interaction with the business. CRM systems create a single view of customer information and interaction across business processes and roles. GRC systems and processes aim to achieve the same thing — to provide an integrated picture of governance, risk, and compliance information and processes across the business. This requires an integrated view of GRC business process and technology architecture.

A high-level view of the GRC Reference Architecture comprises the following areas:

  • Information architecture: Conceptualizes the interrelationship of GRC-related information that bring agility, efficiency, and effectiveness to the entire organization.
  • Enterprise GRC applications: Represents solution areas that span risk and compliance roles and processes. These solutions are not locked to a single business role, function, and process, but are leveraged among all of them.
  • GRC role and process-specific applications: Describes GRC-role specific applications. These are solutions designed for a specific business role or function to accomplish a specific set of tasks. These applications are typically used predominantly by one area of the organization.

 

 

A firm GRC foundation is built upon solid information architecture. The burden, inefficiency, and ineffectiveness — as opposed to agility, efficiency, and effectiveness — of risk and compliance processes results from a lack of integrated and interrelated information architecture.

An intricate relationship of information from across the organization is the heart of a successful GRC technology strategy. All policies, risks, controls, events, requirements, enterprise assets and processes, responsibilities, and objectives interrelate and support each other. When managed in information silos, each of these areas bring inefficiency to the risk and compliance processes.

For example, organizations must understand which policies set management thresholds for specific risks; which events violate specific policies, materialize risk, and cause infractions of regulatory requirements; which controls are established for specific policies and are defined to control certain risks; and which business objectives involve risk, and how their controls allow pursuit of the objective but stay within acceptable risk-tolerance levels.

Enterprise GRC applications interact, share, and leverage the information model to deliver sustainable, consistent, efficient, transparent, and accountable GRC processes. This requires the application to be used across the business as a platform that touches and interacts with a variety of business roles and information. These foundational applications must deliver on the GRC philosophy of a common architecture and collaboration across business roles and interests.

Dozens of application categories fall outside the enterprise GRC application core — these applications focus on specific business roles and functions, such as quality, environmental, health, and safety (EH&S ), and matter management. The enterprise GRC application core consists of the following applications:

  • Audit and assurance management: Audit and assurance management systems manage audit cycles and output — this includes audit resource scheduling and calendaring, audit work paper management, and audit process management.
  • Case and investigations management: Case and investigations management software is used to manage investigations, issues, incidents, events, or cases. It specifically provides consistent documentation and management of events — from reporting to managing and documenting the investigation, to recording the loss and business impact.
  • Compliance management: Corporate compliance systems support the overall coordination of legal, regulatory, contractual, and corporate policy requirements and responsibilities with associated tasks and records of adherence.
  • Control activity and monitoring: Control management and monitoring systems provide the ability to define, record, map, monitor, change, alert and report on information processing (financial and operational data). This includes the limitations or conditions applied to amounts and parties in a transaction; user access, rights, and responsibilities; and accounts, workflows, and process initiation.
  • Hotline/helpline: Employee hotline and helpline systems are confidential, independent information intake and response systems for reporting potential internal fraud, negligence or impropriety by co-workers, partners or contractors. Employees can also use them to seek clarification on policies, and procedures.
  • Policy and procedure management: Policy and procedure management systems help develop, record, organize, modify, maintain, communicate, and administer organizational policies and procedures in response to new or changing requirements or principles, and correlate them to one another.
  • Risk & Regulatory intelligence and monitoring: Regulatory intelligence and monitoring systems monitor external and internal changes, and alert the organization to regulatory and legal conditions that can impact their business. Risk intelligence and monitoring systems monitor external and internal changes, and alert the organization to risk conditions (e.g., geo-political, economic, natural disaster) that can impact their business.
  • Risk management: ERM systems mange implementation of frameworks and processes that apply parameters, indicators, measures, consequential outcomes and business scenarios related to financial and non-financial risks. Operational risk management systems and applications implement and monitor risk processes that define parameters, indicators, consequential analysis and “what-if?” scenarios that stem from performing tasks and from passive activities. Risk analytics and modeling systems help identify specific causes of risk, given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. These tools execute historical reviews, simulations, interpretations and project impacts to operations, assets, or individuals.
  • Strategy, performance, and business intelligence: BI, strategy, and performance systems examine the systems, processes and applications that manage collection, integration, analysis, and presentation of all layers of planning, strategy, performance, operational, procedural, and decision-making information.
  • Training a
    nd awareness:
    Training and awareness systems manage the learning and understanding of compliance, policy, and risk areas to employees and extended business relationships. They combine training content with learning management system capabilities.

The enterprise GRC application core provides the foundation of GRC across the business. All of these applications can be leveraged from one side of the business to the other, to provide a consistent approach to GRC across silos of risk and compliance. However, a variety of business functions and roles have specific needs that demand applications aimed at their business function. These applications plug into the broader GRC Reference Architecture.

GRC is a federated effort. There is no such thing as one group of the organization that “does” GRC. While there may be a role in leading the collaboration, GRC must extend throughout the business. Business role and function-specific applications predominantly focus on the needs of a specific business function, process, or role in the enterprise. Applications in this area may have significant risk and compliance relevance and impact on the enterprise — but 80% (or more) are used by a specific user or role subset. The enterprise application core represents applications that span GRC business users and roles across the business.

The business roles and functions with specific need for GRC technologies and applications are scattered across the enterprise. In one sense, every part of the business touches on GRC as it relates to different aspects of performance, risk, compliance, values, and control. Primary, not all-inclusive, business function/role application categories include:

  • 3rd/vendor/supply-chain risk and compliance
  • Board and entity management
  • Brand and reputation management
  • Business continuity management
  • Contract management
  • Corporate social responsibility
  • Discovery/e-discovery management
  • Environmental monitoring and reporting
  • Environmental, health, and safety
  • Fraud detection and prevention
  • Global trade compliance/international dealings
  • Information/IT risk and compliance
  • Insurance and claims management
  • Intellectual property management
  • Loss management
  • Matter management
  • Physical security management
  • Privacy
  • Quality management and monitoring
  • Risk management – finance and treasury

These roles represent a significant but not exhaustive look at the categories of risk and compliance software solutions targeted at specific areas of the business. The applications must be able to report and feed information into broader GRC reporting systems and dashboards to maintain a 360-degree view of GRC. All are very relevant, and part of a broad GRC strategy.

 

The GRC Reference Architecture is a model of the technology landscape of GRC solutions. Currently there are more than 400 different technology providers delivering solutions for narrow to broad aspects of governance, risk, and compliance. The GRC Reference Architecture is part of Corporate Integrity’s broader GRC EcoSystem, which catalogs more than 1,300 technologies, professional service firms, and information/content providers. This posting has been just an excerpt of Corporate Integrity’s published research, GRC Reference Architecture: Understanding the GRC Technology Landscape.

I would love to hear your thoughts on the topic of GRC Software. Please feel free to comment in this forum, or send me an email. Please comment on this blog or send me an e-mail.

ONLINE WORKSHOP: The GRC Reference Architecture

Understanding & Approaching GRC Technology for Your Business

GRC – Governance, Risk, & Compliance. Whether you use this specific acronym or not the fact is your organization does GRC. There is not a single executive that will tell you that they lack corporate governance, do not manage risk, and completely ignore compliance. The truth of the matter: GRC has been a part of business since the dawn of business. In this 2 hour online workshop, Corporate Integrity defines and communicates The GRC Reference Architecture. This GRC Reference Architecture is part of my broader GRC EcoSystem of technology, consultants, and information providers (over 1300 firms cataloged to date). And is synchronized to the OCEG GRC IT Blueprint

The GRC Reference Architecture is comprised of: information framework, enterprise core GRC application(s), role/business function specific applications, as well as industry and geographic/jurisdiction specific applications.

The goal is to assist organizations in understanding the breadth of the GRC technology landscape, how different GRC technologies can and should work together, and provide the foundation for developing a GRC technology plan to support your organization’s risk and compliance process requirements.

ONLINE WORKSHOPThe GRC Reference Architecture

Date: Thursday, July 01, 2010 from 11:00 AM – 1:00 PM (CT)

Enterprise Risk Management Policy Structure

 

I am amazed at the number of risk management programs I encounter that lack an organized structure and approach. So often what we know as ERM (enterprise risk management) is a hodge-podge of processes and assessments that somebody tagged the ERM label on without much thought for what they were doing. In fact, most of the ERM processes I encounter are nothing more than a slightly expanded view of SOX and financial controls: they are not truly an enterprise view of risk across the organization and its operations.

Most ERM programs lack the fundamental building blocks for a risk management program. This begins with a well written charter for ERM and a supporting ERM policy.

A recent client of mine, looking to engage me in the development of an ERM policy, asked what the main components of an ERM policy are.

MY ANSWER: ERM policies are organization specific; no two ERM policies are identical. However, there is a logical structure that works well as a starting block for most organizations. These include the following structural components for an ERM policy (note: these same components can be used for other risk management policies besides ERM such as IT/information risk management):

  • Objective/Purpose. As with any policy it is necessary that the policy begin with the organization and purpose of the policy. This is nothing more than writing out the charter for ERM and establishing the authority of this policy to establish and govern the ERM program.
  • Risk Governance Structure. It is critical that the organization establish the governance structure for risk management. This is a big area of failure for most ERM programs when it is often the case that risk management operates as an island with very little to know interaction with the board and executives. A solid ERM policy will identify how the board and its committees interact with ERM as well as senior executives.
  • Roles & Responsibilities. Once the governance structure is in place, the policy should get into specific roles and responsibilities for ERM. This includes a clear understanding of the roles of a Chief Risk Officer, executive management, business operations, risk management staff, and the role of audit in the assurance oversight of risk management.
  • Risk Culture. The single greatest hurdle to successful ERM is articulating and integrating risk management into the organization’s culture. In one sense risk management is part of the culture no matter what is articulated in policy – an organization can have a cavalier approach to risk taking, a structured approach to risk taking and oversight thereof, or anywhere in between. The organization needs to clearly spell out how the organization approaches risk taking, management, and ongoing monitoring of risk in the organization.
  • Risk Strategy. Following on the heels of risk culture, the ERM policy should next deal with how ERM aligns and integrates with corporate performance, objective, and strategy management. ERM often is disconnected from these areas which makes it of little practical use to the organization.
  • Risk Tolerance & Appetite. The next logical sequence in the ERM policy is to establish the boundaries of risk taking in articulating the organization’s approach and boundaries to risk tolerance and appetite. It is hear that the policy discusses what is acceptable and unacceptable risk. This provides the high-level boundaries and approach to risk taking, though most of the specifics on these boundaries will be found in supporting policies (e.g., credit risk policy).
  • Risk Taxonomy. The ERM policy needs to authorize and give authority to the development and ongoing maintenance of the organization’s risk taxonomy. The highest level structure for risk management should be included in the policy – such as the establishment of risk oversight for areas such as financial/treasury, operational, and legal/compliance risks. The policy should reference and give authority to the establishment of another document that defines the depth of the structure of risk categories that the organization recognizes and manages.
  • Risk Ownership. You cannot hold anyone accountable for risk unless clear ownership of risk id defined. While specific ownership of individual risks are found in supporting risk management policies (e.g., vendor risk policy, privacy policy, credit risk policy, information risk policy) – the ERM policy should state the ownership of risk at the high-level categories defined in the risk taxonomy. It should also be clear on the point that the risk management function does not own risk, the business and process owners are the ones that own risk. The ERM process is there to communicate and provide the infrastructure to manage and monitor risk to support the risk owners across the business.
  • Risk Assessment Process. The ERM policy is to authorize the formation of risk assessment processes in the organization. The policy itself should outline the expectations of required periodic assessments such as an annual ERM assessment process, and is to authorize the establishment of more specific risk assessments that are established in supporting risk management policies. This section of the policy should identify the approval needed to establish a risk assessment, what structure is provided, and how the assessment gets communicated and integrated into the ERM structure.
  • Risk Infrastructure, Documentation. & Communication. Documentation of risk, risk taking, as well as assessment, management, and monitoring activities for risk are critical to a successful ERM program. An organization cannot hold individuals accountable for risk taking if there is not clear documentation on the risk. This section should authorize the establishment of an enterprise platform to monitor ongoing risk management processes across the organization. It should also establish a warning against the use of technologies such as spreadsheets for risk assessments that lack proper audit trails.
  • Mitigation & Response. The ERM policy should articulate the proper response plans to risk such as risk transfer, risk acceptance, risk mitigation, and risk avoidance. While much of the details of this will be worked out in supporting risk policies, it is in the ERM policy that the are defined at a high level.
  • Key Risk Indicators. Ongoing monitoring for risk is critical to a successful ERM program. This involves the authorization and establishment of a process to gather metrics on Key Risk Indicators that are further defined in supporting policies. The ERM policy should provide guidance on how KRI information is collected, how often, and establish that KRI’s are to be relevant to the business and mapped to Key Performance Indicators of the business.
  • Risk Training. Everyone in the organization has some role in risk management – it is necessary that risk culture, risk taking, and risk responsibilities be clearly understood at all levels of the business for the various business roles and the risks they encounter and manage. The ERM policy establishes an ongoing risk training and awareness program to communicate and educate risk to employees, stakeholders, and business partners.
  • Risk Budgets/Funding. The ERM policy should establish and authorize the financing for risk management and oversight activities. This ties into other sections of the ERM policy as well as supporting policies to clearly define what budget areas various risk activities will be financed from.
  • Risk Activities (calendar). The
    ERM policy should establish what activities are required of ERM on an ongoing/calendar basis. This should include monthly/quarterly/annual reports and assessments, the individuals responsible for them, and who they get communicated to. One of the best examples I have seen of this is at Microsoft in what they have called ‘The Rhythm of Risk’ in which risk management is aligned to the needs of the board and executives based on their quarterly and monthly calendars.
  • Definitions. Finally, as with all policies, a section is needed that clearly defines definitions related to risk and risk management. I highly encourage the use of standard definitions such as those in ISO 31000:2009 and ISO:IEC 73.

As I stated before, no two risk management policies are alike. What I have provided here is some guidance on the sections I most often include in developing an ERM policy (as well as supporting risk policies). There are other standard sections to policies such as revision history I have not included for the sake of simplicity.

I would love to hear your thoughts on the topic of ERM policies. Please feel free to comment in this forum, or send me an e-mail. If anyone seeks further help in writing, reviewing, and/or revising their risk policies please do not hesitate to contact me.

ERM vs GRC? Response to Steven Minsky's Blog

My response to Steven Minsky’s blog on: ERM vs GRC? SEC Says No to Myopic Approach: Costly Example from Goldman Sachs

 
Steve,

You are struggling with understanding GRC. Everything you describe about ERM represents the R in GRC. ERM is the R in GRC if GRC processes (and supporting technologies) are done right. That is the simple truth of it. In fact, ERM that is disconnected from Governance is a failure. Boards and executives need to govern risk. ERM done separate from compliance fails. Risk appetite and tolerance, as well as the culture, of risk taking, is established in policies. I recently interacted with one large bank that had 200 credit risk policies that they are looking to consolidate and track compliance to.

Notice I have not brought up GRC technology. GRC is about collaboration and cooperation between grovernance, risk, and compliance activities. Technology can support and enable this. However, there are bad technologies out there. And some are stronger in one area than another.

Your post leads me to believe that goverance of risk and monitoring compliance to risk policies and culture are irrelevant. I am sorry to hear this from you.

GRC Professional Certification: Call to Action

 

Whether you use the term or not – the fact is organizations do GRC. You will not get one organization to stand up and state they lack governance, do not manage risk, and can care less about compliance to mandated (e.g., regulatory) and voluntary (e.g., social responsibility) boundaries.

The question is: are your organization’s GRC related processesresponsive (agile), efficient (lean), and effective (sound)?

One of the most common questions I get: is there a GRC professional certification? Unfortunately my answer to date has been: none that I endorse.

In fact, there has been only one GRC certification offered that I am aware of. This has been done by a training/education firm to promote their training. Unfortunately this is not the proper place for a certification to belong.

A good professional certification will be based on two requirements:

  1. It has to be established and maintained by a non-profit organization focused on advancing the area of expertise.
  2. It has to be based on a publicly vetted common body of knowledge.

To date there has not been a non-profit organization offering a professional GRC certification based on a comprehensive and vetted GRC common body of knowledge.

The good news: OCEG is in development of a GRC professional certification. This certification is based on the Red Book 2: GRC Capability Model: the only comprehensive GRC common body of knowledge available. It will compliment and not conflict with domain specific certifications offered by other associations that specialize in areas of GRC such as audit, compliance, risk, IT, and others.

OCEG will be launching the full certification this summer. In the meantime, those attending theOCEG/Corporate Integrity GRC Fundamentals, Strategy, & Technology Bootcamps (based on Red Book 2) will have the opportunity to help define the scope of this certification, contribute to design of its test, and be among the first to receive this important professional designation. OCEG will be engaging GRC Bootcamp attendees to propose test questions and format.

A firm foundation of knowledge is the critical element for a professional certification. The landscape of governance, risk management, and compliance initiatives is broad and littered with a variety of specific standards and frameworks. Each of these specific frameworks may be good at what they focus on – but they fail to link GRC together and put everything in context with each other. Risk management, security, corporate governance, control, security, compliance, audit, quality, EH&S, sustainability – all have their respective islands of standards. This makes putting a GRC strategy in place that bridges these silos difficult as language, implementations, and approaches are quite different. In fact – organizations trying to get an enterprise view of risk and compliance desperately search for a GRC “Rosetta Stone.”

There is only one framework that brings this universe of GRC into a common language, process, and architecture – that is the OCEG Red Book (v2) and its GRC Capability Model™. Although various standards and guidance frameworks exist to address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed practices for an integrated and collaborative approach to GRC. These practices address the many elements that make up a complete GRC business architecture. Applying the elements of the GRC Capability Model™ and the practices within them enable an organization to:

 

  • Achieve business objectives
  • Enhance organizational culture
  • Increase stakeholder confidence
  • Prepare and protect the organization
  • Prevent, detect and reduce adversity
  • Motivate and inspire desired conduct
  • Improve responsiveness and efficiency
  • Optimize economic and social value

The GRC Capability Model™ describes key elements of an effective GRC architecture that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control. It provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system. The OCEG GRC Capability Model™ is organized in eight components:

 

  1. CULTURE & CONTEXT. Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes.
  2. ORGANIZE & OVERSEE. Organize and oversee the GRC system so that it is integrated with and when appropriate modifies, the existing operating model of the business and assign to management specific responsibility, decision-making authority, and accountability to achieve system goals.
  3. ASSESS & ALIGN. Asses risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.
  4. PREVENT & PROMOTE. Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
  5. DETECT & DISCERN. Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.
  6. RESPOND & RESOLVE. Respond to and recover from noncompliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevent or resolve similar issues more effectively and efficiently in the future.
  7. MONITOR & MEASURE. Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
  8. INFORM & INTEGRATE. Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.

OCEG’s GRC Capability Model™ is the Rosetta Stone framework that brings a holistic enterprise view of GRC together. It works from the board of directors down into the management and process of an organization. It’s goal is not to replace other frameworks and standards but to give them a common language and context to operate within and thus provide enterprise collaboration and communication across governance, risk, and compliance.

I sat on the OCEG Steering Committee (with over 100 other contributors) to define this valuable work and am encouraged by a number of global organizations that are using it and and seeing benefits achieved. There is nothing else available in scope and practicality to implement a GRC program around. For those interested in rolling up your sleeves further – whether an organization implementer, technology provider, or professional services provider – I encourage
you to get involved with OCEG, Red Book: GRC Capability Model, and the GRC professional certification.

Please reply back with your feedback and thoughts. How do you see organizations bringing together an enterprise view of governance, risk, and compliance? In today’s complex business environment a failure to get an enterprise perspective on this is a recipe for disaster.

I would love to hear your thoughts, experiences, and approaches to effective policy management. Please comment on this blog or send me an e-mail.

BOOTCAMP: GRC Fundamentals, Strategy, & Technology

Join Corporate Integrity, LLC in a three-day basic training exercise in GRC Fundamentals, Strategy, and Technology. Attendees will receive value in understanding and defining a GRC strategy. This bootcamp is authorized and endorsed by OCEG. The objective of this bootcamp is to provide attendees with the knowledge and hands-on practice necessary to efficiently design a GRC program. Attendees will learn about defining a GRC Strategy aligned with Red Book 2 through lectures and practical group interaction, discussions, and exercises. Others, such as technology providers and professional service firms, also benefit from understanding the issues and approaches to GRC challenges that organizations across industries are grappling with.

Chicago, IL, USAGRC Fundamentals, Strategy, & Technology

Date: Wednesday, April 21, 2010 at 8:00 AM – Friday, April 23, 2010 at 5:00 PM (CT)

London, UKGRC Fundamentals, Strategy, & Technology

Date: Monday, June 7, 2010 at 8:00 AM – Wednesday, June 9, 2010 at 5:00 PM(GMT)

San Diego, CA, USAGRC Fundamentals, Strategy, & Technology

Date: Wednesday, June 23, 2010 at 8:00 AM – Friday, June 25, 2010 at 5:00 PM (PT)

New York, NY, USAGRC Fundamentals, Strategy, & Technology

Date: Monday, August 9, 2010 at 8:00 AM – Wednesday, August 11, 2010 at 5:00 PM (ET)

2010 Compliance Trends & Directions – A Corporate Integrity Research Survey

Good research and information is the core of a successful strategy. As organizations seek to understand how their corporate compliance program stacks up against others it is necessary to get good data. Good data allows you to compare the direction of your current corporate compliance initiatives to others.

To compliance officers/managers understand how their programs stack up, Corporate Integrity invites individuals who are responsible for managing a compliance program to participate in a survey being undertaken by OCEG Fellow & CCEP – Michael Rasmussen of Corporate Integrity, LLC.

If you are responsible for managing compliance within an organization Corporate Integrity invites you to do two things (preferably both):

1 – A personal phone interview. If Corporate Integrity could have a half-hour of your time to ask you some open-ended questions about the trends, directions, and technology needed to execute on your compliance strategy it would be appreciated. In fact, Corporate Integrity will return the favor by offering an additional 30 minutes for you to ask questions on best practices and approaches Corporate Integrity is seeing in its research of successful corporate compliance strategies.

2 – Online web survey. Please take the related online survey 2010 Compliance Trends & Directions.

All those who take the survey will get a summary report in the next few weeks so they can compare how their program, trends, direction, and approach stacks up against others. Any data you contribute to the online survey or phone interview is held as confidential and is used in aggregate – your company will not be identified in the report.

For more information contact:
Michael Rasmussen, J.D., CCEP & OCEG Fellow
Risk & Compliance Lecturer, Writer, & Advisor
Corporate Integrity, LLC
+1.888.365.4560
[email protected]

Providing Consistent Policies Through a Style and Language Guide

 

I have stated it before and I will state it again: the typical organization is a mess when it comes to managing policies and procedures. Organization size does not matter – I have seen small to large organizations that have horrible policy management practices. Policies are scattered across the business, reside in a variety of formats ranging from printed documents to Intranet sites, are out of date, not integrated into other GRC processes such as investigations or risk management, and are poorly written.

Policies articulate culture, they establish a duty of care, define expectations for behavior (for individuals, processes, and business relationships), and establish how the organization is going to comply with regulatory and contractual requirements. Policies are an integral part of corporate governance, enterprise risk, and compliance management. They support a range of other GRC processes: corporate social responsibility, legal, human resources, business operations, security, environmental, health & safety, quality . . . .

A significant short coming in policy management is the failure to define a style guide. A style guide for policies defines standardized:

 

  • Taxonomy. Policies are to have a logical relationship to each other following a hierarchical categorization taxonomy – this is usually done through a numbering system mapped to policy areas across the business.

 

  • Format. Policies are to have a consistent look and feel. Anyone should be able to see a policy and recognize that it is a corporate policy without reading the document.
  • Structure. Related to format, policies are to have a consistent structured arrangement of the headings/sections.
  • Language. Policies are to have consistent language. Good policies are easy to read and written in the active voice. This includes paragraph, sentence, punctuation, and word guidance for policies.
  • Definitions. Policies are consistent in how they use words. Terms used in policies are to be used consistently across the organization with a common understanding of what they mean.
  • Process. Policies are to be written and revised following a standardized process. The style guide should outline roles and responsibilities for writing, editing, and approving policies.

Leading organizations are establishing a policy manager responsible for the style guide and consistency of policies. One major brand, who attended my Effective Policy Management & Communication Workshop, has established the role of “Internal Policy Manager.” This person is responsible for managing the development and maintenance of all policies to assure their consistency and relevance to the organization. This role does not own or write policies. In fact, this role has only written one policy – the policy on how to write a policy (in other words a style guide).

BOTTOM LINE: Policy writing that is wordy and confusing is damaging to the corporate image and costs time and money. Every organization should have a policy style guide in place to provide for clear and consistent policies. Leveraging a style guide increases effectiveness.
Good policy writing:

  • Articulates corporate culture
  • Demonstrates professionalism in the organization
  • Shows the organizations cares
  • Avoids expensive misunderstandings
  • Provides consistency across the organization

This provides a quick summary view of the need and implementation of a style guide for policies. Over the next several weeks we will dive into specific portions of Effective Policy Management & Communication, including:

 

  • Policy writing best practices
  • What is the right number of policies?
  • Establishing policy ownership and accountability
  • Communicating policies across extended business relationships
  • Tracking policies attestation and delivering effective training
  • Managing policy incidents and exceptions
  • Monitoring metrics to establish effectiveness and/or issues with policies
  • Relating policy management to risk, issue/case, and other GRC areas
  • Using technology to manage and communicate policies

Previous blogs on this topic are:

 

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Effective Policy Management and Communication.

I would love to hear your thoughts, experiences, and approaches to effective policy management. Please comment on my blog or send me an e-mail

GRC Achievement Awards & Compliance Week 2010

 

There are good conferences and bad conferences. Having spent seventeen professional years attending various GRC, risk, compliance, and security conferences – most are categorized in my poor to bad category with only a handful making the good.

There are a few conferences that I deeply respect – some put on by vendors others by media or professional associations. However, there is one conference that is my must attend event every year – Compliance Week. In my opinion this is the leading GRC conference available. It attracts the best audience with the most interesting sessions derived from practical experience. While vendors attend there is no opportunity for free reign vendor fluff during the sessions. Every year I have attended I come back inspired and ready to march forward a fresh with new GRC thoughts, perspectives, and new relationships that impact my research.

I highly recommend that you attend Compliance Week’s 5th Annual Conference which will be held May 24-26, 2010 at the Mayflower in Washington D.C.

I also recommend Matt Kelly’s blog on the conference if you want to learn more what will be featured this year.

GRC Achievement Awards at Compliance Week:

This year brings something new to the Compliance Week conference – the 2010 OCEG GRC Achievement Awards. Nominations are due shortly, and I highly recommend that you consider submitting a nomination for a leading GRC program that you are aware of. If you need advice or help drafting a nomination – please let me know.

The Awards recognize the great strides that many companies, government agencies and other organizations have made in improving and integrating their approaches to governance, risk management and compliance (GRC) to achieve Principled Performance®.

Nominations are being accepted through March 21, 2010. The Awards will be presented at Compliance Week’s 5th Annual Conference, May 26, 2010, in Washington, D.C.

Awards will be presented to organizations that demonstrate achievements in any (or several) areas including:

  • Structure: Establishing a strong GRC organizational structure to ensure adequate oversight and coordination of efforts;
  • Information: Improving management, use and transparency of GRC relevant information;
  • Effectiveness: Gaining greater confidence in the effectiveness of compliance controls;
  • Processes: Coordinating risk assessment processes to develop a clearer enterprise view of risk;
  • Performance: Streamlining aspects of GRC capability to reduce cost and improve performance.

Here are some examples of achievements you may want to nominate:

  • Culture & Context: Achievement in better understanding or changing organizational culture, including ethical culture, risk culture, workforce culture and governance culture.
  • Organize & Oversee: Success in establishing a clear mission and vision for the organization’s GRC efforts, or in integrating GRC management and oversight across and throughout the enterprise.
  • Assess & Align: Successes in streamlining, coordinating, or strengthening risk assessments; or improvements in risk identification and monitoring
  • Prevent & Promote: Achievements might address improvements in effectiveness and performance in any of the core elements of an effective compliance program: Code of Conduct, Policies, Awareness & Education, Human Capital Incentives and more.
  • Detect & Discern: Successes in hotline/helpline design and operation, workforce survey or other information gathering techniques, or effective use of detective controls.
  • Respond & Resolve: Achievements might address how an organization manages investigations, implements corrective controls, or integrates GRC efforts with crisis management and business continuity efforts.
  • Monitor & Measure: Achievements in various aspects of monitoring, measuring and improving program performance, including providing assurance to the Board or oversight committees.
  • Inform & Integrate: Achievements might address any aspect of information management, technology improvement, or usage for GRC efforts, including systems for enhancing communication internally or to external stakeholders about GRC expectations and outcomes.

To apply simply send a Microsoft Word document entitled GRC Achievement Award Nomination to [email protected]. The nomination should include the following sections:

  1. Name of Project/Achievement
  2. Name of Organization
  3. Primary Contact Name/email/phone number
  4. Brief Description of Project (50-150 words per section below); should include:
    1. Challenge addressed
    2. Desired outcome(s)
    3. Process undertaken and roles involved
    4. Outcome(s) achieved, which may be operational, financial and/or other
    5. Optional – planned next steps

Nominations must be submitted by March 21, 2010, for consideration.

Award winners will be notified by April 10th and will be asked to submit a more detailed description (instructions to be provided), a number of which will be selected for review by participants at Compliance Week’s 5th Annual Conference at The Mayflower Hotel in Washington, D.C., May 24-26, 2010. Voting at the conference will determine the winners of thePeer Choice Prize for GRC Accomplishment, an additional award highlighting the “best of the best” as selected by the diverse group of GRC professionals who attend the Compliance Week conference.

The Achievement Awards will be announced at the conference and the Peer Choice Prize will be presented in a ceremony on the closing day of the conference, May 26th. OCEG and Compliance Week also will feature award recipients in future articles and webcasts.

Contact: For more information please contact OCEG at [email protected].

 

Upcoming Corporate Integrity Bootcamps & Workshops:

BOOTCAMP: GRC Fundamentals, Strategy, & Technology

Join Corporate Integrity, LLC in a three-day basic training exercise in GRC Fundamentals, Strategy, and Technology. Attendees will receive value in understanding and defining a GRC strategy. This bootcamp is authorized and endorsed by OCEG. The objective of this bootcamp is to provide attendees with the knowledge and hands-on practice necessary to efficiently design a GRC program. Attendees will learn about defining a GRC Strategy aligned with Red Book 2 through lectures and practical group interaction, discussions, and exercises. Others, such as technology providers and professional service firms, also benefit from understanding the issues and ap
proaches to GRC challenges that organizations across industries are grappling with.

Chicago, IL, USAGRC Fundamentals, Strategy, & Technology

Date: Wednesday, April 21, 2010 at 8:00 AM – Friday, April 23, 2010 at 5:00 AM (CT)

London, UKGRC Fundamentals, Strategy, & Technology

Date: Monday, June 7, 2010 at 8:00 AM – Wednesday, June 9, 2010 at 5:00 AM(GMT)

San Diego, CA, USAGRC Fundamentals, Strategy, & Technology

Date: Wednesday, June 23, 2010 at 8:00 AM – Friday, June 25, 2010 at 5:00 AM (PT)

New York, NY, USAGRC Fundamentals, Strategy, & Technology

Date: Monday, August 16, 2010 at 8:00 AM – Wednesday, August 18, 2010 at 5:00 AM (ET)

WORKSHOP: Effective Policy Management & Communication

Attendees of the Effective Policy Management & Communication workshop will specifically learn:

  • Defining a process lifecycle for managing policies
  • Establishing policy ownership and accountability
  • Providing consistency in policies through consistent style and language
  • Communicating policies across extended business relationships
  • Tracking policies attestation and delivering effective training
  • Monitoring metrics to establish effectiveness and/or issues with policies
  • Relating policy management to risk, issue/case, and other GRC areas

Seattle, WA, USA – Effective Policy Management & Communication

Date: May 6, 2010 – 8:00 AM to 5:00 PM (PT)

Boston, MA, USAEffective Policy Management & Communication

Date: July 13, 2010 – 8:00 AM to 5:00 PM (ET)

 

WORKSHOP: Developing a Risk Assessment & Management Process

Attendees of the Developing a Risk Assessment & Management workshop will specifically address answers to the following questions perplexing business:

  • Alignment of risk in the context of business.
  • Risk intelligent decision-making.
  • Establishment of risk culture and policy.
  • Risk monitoring and metrics.
  • Communication of business relevant risk information.
  • Defining ownership of risk within the business.
  • Multi-perspective risk analysis.
  • Effective risk treatment in context of business objectives.
  • Governance of risk within the business.
  • Consistent ranking and measurement of risk.

Milwaukee, WI, USADeveloping a Risk Assessment & Management Process

Date: February 31, 2010 – 8:00 AM to 5:00 PM (Central Time)

Seattle, WA, USADeveloping a Risk Assessment & Management Process

Date: May 7, 2010 – 8:00 AM to 5:00 PM (PT)

Boston, MA, USADeveloping a Risk Assessment & Management Process

Date: July 14, 2010 – 8:00 AM to 5:00 PM (ET)

 

Other Events Corporate Integrity is Engaged In:

Subscribe to receive notifications of future events by Corporate Integrity, LLC.

  • 3/1
    0: Research Board Conference, Atlanta, GA, USA
  • 3/23: Archer WEBINAR: GRC in Healthcare
  • 4/28: EMC/RSA/Archer WEBINAR: GRC Value Proposition
  • 5/11-13: OpenPages OPUS:
  • 5/20: Institute of Internal Auditors, Los Angeles Chapter, Risk Conference III, Los Angeles, CA, USA

 

GRC, Risk, & Compliance Strategy Planning

Corporate Integrity is actively engaged in helping organizations plan their risk and compliance strategies. If you need a few hours of advisory time on the phone or in person to help plan your strategic approach to risk and compliance and need to understand drivers, trends, best practices, benchmarks, assessments, and the landscape of professional services and technology providers – contact me.

Sincerely,


Michael Rasmussen, J.D., CCEP, OCEG Fellow
Risk & Compliance Lecturer, Writer, & Advisor
[email protected]
LinkedIn · Twitter

Corporate Integrity LinkedIN Group

Everything I Need to Know About Risk Management I Learned In . . .

 

Multiple interests require multiple threads to weave into the intricate pattern of GRC. I will keep the articles coming on Effective Policy Management & Communication but also have sufficient requests to write more on risk management. So here we begin another series (which runs parallel to policy management) on Developing a Risk Assessment & Management Process. It is in this series we will look at risk management basics, what it is, how it is done, and best practices to implement risk management within your organization.

Everything I need to know about risk management I learned in . . . drivers education. Yes – it is true. Do not leave me now, I am serious. Well sort of serious. There is a lot of depth to risk management and how to conduct it in business that drivers education did not educate me on. But the basics, the fundamentals, of risk management were there.

This past year I have had the opportunity (or should we say threat or vulnerability or exposure) of sending my first two teenage sons to drivers education. One now has his license the other is just getting his permit. The older one who got his license six months a go already has his first accident under his belt (first snow of the year led to increased risk exposure which ended up in loss).

Risk management lessons for me (and anyone else) began at a very young age. One quickly learns not to touch hot things. There is the balance of opportunity and loss. As a toddler we do not get wrapped in protective bubble away from risk. Mom and dad guide us in our achievements and growth while monitoring and managing risk around us. The goal is to be able to function and thrive in a very risky world. Just as in business, risk management is something everyone does it is part of life. It is also part of business. Judge Mervyn King of the Infamous King 2 report on Corporate Governance stated it very well “Enterprise is the undertaking of risk for reward.” Basically business is about taking an managing risk to make money.

Back to drivers education . . . while mom and dad integrated risk management training into my child rearing, drivers education class was my first introduction into a formal risk assessment/management methodology. I was quite happy when my oldest son came home from drivers education a year a go and told me about IPDE. It took me back nearly 25 years (I am 39 and in Montana where I grew up you could drive at 14 and a half). IPDE was same acronym I learned in drivers education many years a go. It got me thinking as to how this first lesson in risk management has stood the test of time. It also integrates and can be mapped into broader risk management frameworks such as the new ISO 31000 standard. It is the functional basis for risk assessment.

The IPDE process is as follows:

  • Interpret. Understand your surroundings. From a driving perspective it requires you understand your internal surroundings (the car), the external surroundings (what is happening in traffic and everything else around you), and your destination (where you are going and how that applies to the surroundings). In business it is about your internal business context, the external environment that business operates in, and your strategy as to where the business is heading.
  • Predict. Once you understand your surroundings – the 360-degree situational awareness of your internal and external environment – you then can identify what can happen to help or hinder your objectives. The ISO 31000 definition of risk is the effect of uncertainty on objectives. An organization wants to identify the possibilities of outcomes to what can impact it achieving objectives.
  • Decide. After the range of potential possibilities is understood, the organization (or the driver from the drivers education perspective) needs to decide what to do. What is going to be the best route for the organization to achieve objectives while minimizing loss/harm. This gets into risk measurement activities of understanding inherent and residual risk while looking at risk strategies of risk acceptance, risk transfer (insurance), risk avoidance, or risk mitigation (controls). The goal is to optimize value and return while keeping risk within acceptable levels of risk tolerance and appetite.
  • Execute. The final step is to take action. I have seen a lot of risk assessments done with no follow through – a waste of time and resources. The decide process means nothing if there is no execution on the decision. Implementing the risk treatment and monitoring plans.

There is a lot more depth to risk management in business than these basic steps – but they do provide the most basic framework to think of risk management within.

One more fun tidbit from my drivers education experience as a teenager. As stated earlier, in Montana you can drive at 14 and a half (at least back in the 1980’s). The risk environment in Montana was also interesting with its approach to speed limit laws/regulations. Until 1974 Montana did not have speed limits, it was at this time the Federal Government threatened to withhold highway funds so Montana created a special ticket. If you were going below 90 on a highway during the day it was a $5 ticket called ‘wasting of public resources’ and did not go on your record. A teenage boys driving paradise – but also a risky one. Oh to be young and adventurous.

In addition to this series on policy management, Corporate Integrity is also offering a full-day workshop on the topic of Developing a Risk Assessment & Management Process.

 

What is GRC?

The Atlanta GRC bootcamp is going well! One discussion/interaction point was to define GRC – the group came up with some excellent points. They include:

  • GRC is about how to better run a business and provides the foundation for growth based on principles.
  • GRC is ensuring you have a well run and sustainable business.
  • GRC is about fostering corporate integrity and trust.
  • GRC represents the risk bearing capacity and direction from the board on down into the organization.
  • GRC is about how to make money while staying out of trouble.
  • GRC is a de-siloized perspective of risk and compliance.
  • GRC involves an integrated platform to identify and respond to risks.
  • GRC is a proactive approach to managing risk and compliance that replaces the reactive approach of the past.
  • GRC involves a methodology to manage business objectives and stay out of trouble.
  • GRC requires a warehouse of risk and compliance information and relationships.
  • GRC is a cohesive, ethical, and centralized approach to minimize loss and adverse events.
  • GRC requires a common vocabulary and collaboration across business roles.
  • GRC is about the tone at the top of the organization
  • GRC represents a common framework, methodology, and tools that support it.
  • What is GRC, depends who you talk to?