The GRC Pundit

Friend,

Frédéric Bastiat in the 19th century could have been talking (see quote above) about the complexity of managing risk and compliance across business in the 21st century.  So often organizations look at the surface of a relationship and fail to see the significance and exposure that can cascade across the organizations causing severe damage to reputation and exposure to legal and operational risks.

A chain is only as strong as its weakest link . . . in the case of business relationships this could be an organization’s supply-“chain” or other business relationship such as vendors, outsourcers, and service providers that bring increased risk and exposure to the organization.

Today’s organization is a complex diversity of processes and business relationships that span the globe. Organizations struggle to identify, manage, and control Governance, Risk Management, and Corporate Compliance (GRC) across extended business relationships. Whether it is called 3rd party, vendor, or supply-chain – risk and compliance challenges do not stop at the traditional boundaries of the organization. Adding to this is the growth and focus of Corporate Social Responsibility (CSR) initiatives that are forcing organizations to determine if their business partners hold the same values and ethics that the organization communicates to its stakeholders and customers. Further, there are specific pressures within vertical industries to formally manage 3rd party risk (i.e., the FDIC released guidance this past summer requiring banks to manage 3rd party risk).

The issues organizations face in managing risk and compliance across business relationships include:

• Code of conduct. Communicating and validating that the business partner and its employees share the same values and ethics as the organization.
• Labor standards. Managing adherence to a complex array of international laws while validating that the business partner has proper controls to ensure compliance to policies on working hours, forced labor, child labor, wage, discrimination/harassment, and benefits.
• Corporate social responsibility. Ensuring that the business partner is communicating and reporting similar corporate values on social, environmental, and financial practices (e.g., global reporting initiative).
• Anti-corruption. Conveying policies and training while validating compliance to anti-corruption and bribery statutes and standards (e.g., Foreign Corrupt Practices Act, OECD Anti-Bribery Convention).
• Operational risks. Identification, assessment, management, and monitoring of operational risks across business relationships and their impact on the organization.
• Supply-chain risks. The management and monitoring of specific risks within supply-chains and their impact on the organization and its products.
• Environmental. Ongoing monitoring of business partners commitment to environmental standards as well as compliance with laws and regulations that impact environmental responsibility.
• Health and safety. Ensuring that business partners are committed to safe working environments free from hazards.
• Security. Validating that business partners are meeting obligations to protect the physical and information technology environments.
• Privacy. Enforcing privacy requirements on personal information as well as sensitive corporate information across business partner relationships.
• Quality. Providing for ongoing monitoring to ensure that quality and/or service level agreements are met in adherence to contract and expectations of the business relationship.

The ultimate platform to manage risk and compliance across 3rd party relationships has the abilities of:

• Definition and modeling of relationship, risks, compliance issues, and controls across extended business relationships;
• Communication and attestation of policies, procedures, and code of conduct;
• Delivery of training on code of conduct, compliance, policies, and procedures;
• Integration of risk and compliance intelligence that alerts the organization to new developments and issues that could impact specific relationships and/or geographies;
• Self-assessment by each business partner of the risk and compliance requirements within that particular business relationships;
• Providing for independent audits to validate controls, risk, and compliance to laws and contractual requirements; and,
• Scoring of risk based on the business relationship and status of assessment and audit findings. 

Large organizations around the world struggle and are actively looking for solutions and service offerings to answer these 3rd party risk and compliance obligations. Just in the past few months Corporate Integrity has interacted with over two dozen of the Fortune 500 looking for solutions and professional services to assist them in their 3rd party risk and compliance strategies. Within one organization, I have sat on a social accountability advisory board aimed at managing international labor standards, workplace safety, and code of conduct across 5000+ vendors in a global supply chain. 

This is a particular golden opportunity for technology providers that provide a Software as a Service (SaaS) offering allowing organizations to have a software platform hosted on the Internet and not open up internal networks to hundreds or thousands of business relationships. 

Specific solutions in the 3rd party risk and compliance space include:

• Outsourced GRC process management. Organizations such as Intertek are providing a full-service offering to outsource management and monitoring of 3rd party/supply-chain risk and compliance. This includes a software platform hosted in a SaaS model to communicate policies, deliver training, and assess risk while also providing for independent validation through onsite audits.
• Code of conduct and policy communication. Communication, attestation, and training on code of conduct and specific policies is critical to managing compliance across business relationships. Axentis offers the strongest platform for
  the ongoing communication and training of policies and procedures. Integrity Interactive is another vendor offering a subscription platform
• Compliance & risk assessment. To manage risk, organizations need a platform that allows it to push self-assessments on risks, controls, and compliance to business partners. This is further enhanced by allowing independent auditors also use the platform to assess business relationships. Archer Technologies, Axentis, and Compliance 360 have focused solutions to manage a full risk and compliance process across 3rd party relationships.

Third party risk and compliance issues are significant, overwhelming, growing, getting more complex, and not going away. Corporate Integrity sees 3rd party risk and compliance management as one of the most challenging GRC issues facing organizations across industries over the next 18 months.

The Titanic is a study in operational risk management. Unfortunately, many organizations are in the same state – they do not see a complete picture of the risks they face and therefore are ignorant of the significance of the aggregate of a lot of islands of operational risk. And when things did go wrong there were not enough lifeboats . . .

There are a variety of risks the Titanic faced – overconfidence, poorly manufactured rivets, focus on speed while ignoring the external risk environment, inadequate design, and lack of someone diligently watching for icebergs. Organizations are in the same ‘boat’ today.

Deloitte illustrated this very well a few years back in their Value Killers research. In this research they studied the Global 1000 and found that nearly half of these companies had a drop in value of 20% or more in less than a month (this was before this last year). In 80% of these cases (that is 400 out of the Global 1000 for those not following along mathematically) it was because of multiple risk factors creating a greater risk environment but these risks were managed autonomously in different parts of the organization.

Organizations continue to manage operational risk in silos, where distributed business units and processes maintain their own data, spreadsheets, analytics. modeling, frameworks, and assumptions. Operational risk platforms (if deployed) are typically not equipped to capture the complex interrelationship among operational risks that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their own view of risk and not the aggregate picture of risk, failing to recognize substantial and preventable losses.

Increasing demands of Operational Risk Management (ORM) requires effective technology to support a comprehensive system of record to manage operational risk in a systematic way – across the entire business including its business relationship and external risk environment.

The “Ultimate ORM Platform” enables the enterprise to answer the following questions across business lines and aggregate risk to an enterprise perspective:

• Do you know you know your risk exposure at the business process as well as enterprise operations levels?
• How do you know you are taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
• Can you accurately gauge the impact of risk taking on business strategy as well as loss?
• Does the business get the information it needs to take timely action to risk exposure to seize opportunities while mitigate negative events?
• Do you have repetitive and inefficient controls, documentation, processes, testing, and risk measurement / management?
• Are you optimally measuring and modeling risk?

To answer these questions, the ultimate ORM platform will have to cover the following key areas:

• Risk and control assessment. This includes risk identification, assessment, surveying, and analysis. To mange operational risk, an organization will implement a taxonomy of risks and a framework designed to provide a sound and well-controlled operational environment. The ORM solution needs to be able to integrate with multiple-frameworks (e.g., ISO 31000, AS/NZS 4360:2004, COSO). In addition, organizations need to manage the balance between the cost of controls and the reduction in risk that the controls effect. The platform should support a range of assessment styles including qualitative and quantitative assessments, as well as top-down and bottom-up techniques. Risk measurement should cover both inherent and residual risk metrics.
• Internal loss events. Operational losses are increasing in frequency and impact because business has grown more complex, particularly as transaction volumes have increased, organizations have distributed operations, growth in business relationship, and businesses’ reliance on automated systems outpaces their ability to monitor risk. Critical requirements for an ORM process includes capturing loss information. This includes creating a consistent categorization scheme for loss events (e.g. Basel II causal categories for losses), and linking loss to the risk taxonomy. This last requirement is extremely important since it allows an organization to pinpoint the root cause of losses and determine if certain controls are failing. This process facilitates the continual optimization of risk management as well as the control environment. An ORM platform needs to combine assessment data with loss event data to support an ORM process.
• External loss data. External losses are also a key component of the Ultimate ORM Platform. The solution should support automatic up-load and down-load capability for interfacing with external loss consortiums (e.g., ORX) or commercial providers (e.g.,Algorithmics, AON, SAS). In addition, the system should facilitate the use of external loss for capital modelling, scenario analysis and benchmarking.
• Key risk indicators. Continual monitoring and management of key risk indicators – including trending and aggregation of KRIs – is a critical element of an ORM process. An ORM platform is to support automatic notification to risk owners when KRI values reach thresholds. Workflows should automate ORM process such as KRI review and analysis. KRIs must support thresholding and time-trending. The best systems will also allow you to align enterprise performance management with risk management and give you a view into risk optimization as opposed to simply risk mitigation. Organizations take risk – they need assurance they are taking the right risk to meet objectives and that risk is effectively monitored and managed.
• Reporting. An ORM platform needs to provide timely and accurate information to risk managers, risk owners in lines of business, senior and executive management, board, and external constituencies such as auditors and regulators. ORM reports enable management to maintain risk at appropriate levels within line of business, escalate issues and provide consistent data aggregation across business roles and functions. With improved visibility into its risk environment, an organization is in a position to make risk intelligent business decisions. The ORM platform needs to support a variety of ORM reports including high-level dashboards, risk models, and detailed reports. It has to be able to aggregate data across business entities, relationships, risk categories, event types, and time periods.
• Extensible & flexible platform. One size fits all does not apply for an ORM process. Organizations need an adaptable solution and process to meet specific needs, taking into account corporate governance including corporate policies and procedures. When choosing a technology platform organizations need to pick an application that can adjust to its process as opposed to adjusting processes to fit the application. Important areas for extensibility include

• Business hierarchy. Multiple hierarchies (legal, finance, organizational), multiple levels (with no limit), and asymmetrical hierarchies are all essential to conform ORM to the business.
• Localization. As most firms operate in a number of localities around the world, many of which have their own local reporting needs, it is essential that the technology solution you choose can be deployed enterprise-wide and can be effective across all geographies and business functions.
• Risk Framework. The ORM platform must be able to adapt to different risk categorization, taxonomies, measurement schemes, and evolve as risk processes mature over time.

Which vendors provide this breadth and depth of ORM functionality?

Only a handful – and many are still growing to achieve this vision. ORM vendors that I have deep respect for in the ORM area include BWise, CURA, MEGA, OpenPages, and Texert. Each of these vendors has proven capabilities to handle multiple frameworks and integrated processes for ORM.

OpenPages has given a lot of development and thought to the integration of loss information this past year that has recently impressed me. It is impossible to model risk without understanding where your most significant issues have been – historical trends do have an important place in risk modelling. BWise and MEGA have carried the torch in quantitative risk modelling – though not every organization needs this, while some will use an external application or spreadsheet for complex risk modelling.

There are indusry specific ORM solutions for financial services from vendors such as Algorithmics,Oracle Financial Services Suite, and SAS. However, these solutions tend to be more rigid and lack on the extensible/flexible platform requirement. I have had a deep respect for Ci-3 as well over the years but am waiting to see where this heads under the Wolters Kluwer acquisition.

A respected friend, Charles Le Grand, recently posted this on a mailing list we belong to . . . 

The global economy is driving many organizations to develop enterprise risk management strategies.  Unfortunately for many they often interpret this as SOX on steroids and fail to deliver a true enterprise view of risk.  ERM often is trapped in an internal control view of risk that fails to comprehend and interpret the complexities of global business.

For this reason I am introducing a critical area of risk management that should be part of enterprise risk strategies for organizations that are susceptible to risk in the availability and pricing of commodities. 

Organizations are in an ongoing effort to achieve sustainability, consistency, transparency, accountability, and efficiency across risk and compliance initiatives. The fact of the matter is: organizations need complete visibility into the portfolio of risks spread across distributed and complex business processes and relationships. A spectrum of organizations are susceptible to uncertainty and risk in relation to commodities. Rising demand for commodities, limited supplies, complex supply chains, international relations, hedging, and exchange rates – all have a large impact on the ability of organizations to produce and deliver goods to their clients profitably.

As organizations define their enterprise risk and GRC strategies it is essential that they gain an understanding of the central relevance that commodity risk management plays. 
Risk management is ultimately about managing uncertainty in business. While there are a number of risk management initiatives that are part of a GRC or ERM program (e.g., treasury, operational, strategic risk), commodity risk management is often overlooked and poorly managed across a number of siloed roles in the organization which are focused on specific commodities.

If an organization’s bottom line is subject to extensive variability because of fluctuating commodity prices, it becomes paramount that the organization develop and implement processes and systems to manage commodity risk centrally on a holistic basis.

To learn more about Commodity Risk Management I encourage you to download (no charge) my latest research on the topic from my website:  Foundations of GRC: Commodity Risk Management.

Chalres Dickens might as well have been speaking about the risk and compliance market (GRC market) when he stated “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness.” 

What was considered foolish a few years back – basically conservatively running a business – now is reaping rewards and once again shows the wisdom in living within ones means (in this case a business).  Vendors that took on too much debt and went to the well of venture funding time and time again now find themselves sinking slowly into the abyss with a millstone of expensive operations and stakeholder expectations sinking them to its depths.

However, those that ran a very conservative business are reaping rewards and seizing opportunity in the current economic environment.  Two such vendors that have publicly come forward with this are Archer Technologies andCompliance 360.  There are others succeeding as well, but there are far more that are treading water hoping some ship of acquisition passes by in the next few months.  Others are sinking with that millstone of debt and excessive expectations.

2009 will bring renewed focus on corporate governance, enterprise risk, and compliance management (GRC).  Organizations will continue to seek help from professional service firms to implement GRC and ERM strategies.  Further, in a tight economy, organizations will continue to implement processes and technology that assist in streamlining risk and compliance operations at lower costs.

Interestingly, while compliance will remain a priority I see enterprise risk management pulling ahead in 2009.  This is because of the economy and the fact that organizations need to have a transparent view of risk and performance across the organization.  It also is a result of the complexity and distributed nature of business as well as current challenges such as  Standard & Poor’s risk evaluations impacting enterprise risk strategy. This is driving the risk consulting market more than the technology market at this point.  I see a greater technology spend on enterprise risk management solutions/technology in the 2nd half of 2009.  Right now organizations are recovering from economy shock, a new administration (in the U.S.), and seeking advice on enterprise risk strategy.  My newsletters illustrate a broader trend in risk over compliance – I have a 10% higher read rate on my mailing list of 5500+ subscribers on the Ultimate ERM Platform than I did on the Ultimate Compliance Platform – despite the ERM newsletter went out between Christmas and New Years (bad-timing for a newsletter).

Compliance though remains a priority for organizations.  The SEC in particular has been very vocal that organizations should not cut corners on compliance.  Organizations are struggling to gain an understanding on how they can streamline processes for management of policies as well as communication of them.  There is increased interest in automating compliance and control monitoring within business systems and processes.  Further, organizations desire to get an enterprise view into loss, issues, and incidents – which is a necessity to truly manage and measure enterprise risk.

The single focus area of risk and compliance that will get the most attention in 2009 is managing risk and compliance across extended business relationships (e.g., 3rd parties, supply chain, vendors, outsourcers, service providers).  This focus area of risk and compliance has been my busiest over the last several months. I have had well over a dozen conversations with large international organizations trying to figure out how to manage employment/labor, code of conduct, anti-corruption, quality, safety, and security across extended business relationships.

This is just a quick summary of the complexity, challenges, and potential for the risk and compliance(GRC) market in 2009. For those interested, I will be doing an online 2-hour workshop on this topic February 2nd – 2009 Fundamentals, Trends, & Market Directions.

INQUIRY: Among the companies you speak with, which organizational departments (finance, operations, legal, HR, etc.) appear to have the most to gain from GRC automation?

RESPONSE: GRC is about collaboration across these roles – so all have a lot to gain from GRC technology enablement and automation.  However I would state that business operations has the most to gain.  The reason being is that it is the line of business that suffers most from a wide array of demands to assess, train, and respond to silos of GRC.  I have been in numerous organizations in which they are looking at GRC technology to bring together varied assessment processes for operational risk, business continuity, SOX, IT, compliance and others.  The reason being is that the business is fighting back – often stating that these silos of GRC are asking them similar questions every week. This week it is a Basel II operational risk assessment, next it is a business continuity assessment, then it is an IT risk assessment, after that is a SOX 404 assessment, and then compliance is sending something.  Business operations wants a single platform to harness information and stop them from responding to similar questions week after week.  Further, it is business operations that would desire a common portal into policies and procedures instead of a dozen different internal websites that store policies and procedures for varying functions.

 INQUIRY:  What are the 3 most critical areas for further GRC automation in 2009 – and why?

RESPONSE:

1. The top of my list is what I am calling “Next Generation Policy & Procedure Management.”  This may not be on everyone’s radar – but it is a significant area to drive efficiency, consistency, as well as consolidate spending across the business.  The typical organization – large and small – is in a mess as to how they define, manage, and train on corporate policies and procedures.  Add to this the fact that regulators, new laws, and the courts (USSC) are pushing that individuals not only be aware of policies but that they be trained on them.  The typical organization has policies and procedures scattered across internal websites and no consistent approach to managing their life-cycle not concerted effort to train employees.  Best practice organizations that I am monitoring are beginning to consolidate dozens of different policy and procedure systems (typically intranet sites) into a single policy and procedure management platform owned by legal or compliance.  The best of these systems is able to present and communicate policies and procedures with the training courses delivered in the same user interface.  One single platform for managing corporate policies and procedures.
2. Next on my list is the critical area of loss & investigations management.  Like policies and procedures, this is a mess of hodge podge systems – or even no systems at all.  To manage risk effectively, as well as manage sensitive investigations, it is time for organizations to consolidate on a single investigations, loss, event, complaint, issue management platform (you pick the term that best suits your organization).  A single platform for managing loss and investigations allows for greater transparency in where issues are across the organization and feeds the risk management process which needs to understand historical loss data to effectively build risk models.
3. The third area of criticality is managing business relationships.  Organizations are complex entities that extend to hundreds or thousands of business relationships around the world.  These business relationships need to comply with your respective regulatory requirements, corporate culture, statements of corporate social responsibility/sustainability, and business practices.  Thus organizations need to use GRC technology to extend policy & procedure communication and training, assessments, and even investigations to their extended enterprise/relationships.  As I have mentioned previously, this is a significant opportunity for the Software as a Service/on-demand GRC solutions.