2019 GRC User Experience Award Nominations

GRC 20/20 is accepting nominations for the 2019 GRC User Experience Awards!

Governance, risk management and compliance (GRC) is a part of everyone’s job. Too often we shovel GRC into the bowels of the organization thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back office of GRC in the organization. The user experience for GRC related solutions has been typically poor in most organizations, resulting in time-consuming and redundant processes.

The core of GRC related technologies is operationalizing GRC across the fabric of business. This involves employee engagement in GRC related solutions with systems that are simple, mobile and easy to use from the frontline of the business to the back-office operations of GRC.

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

  • Efficient: GRC engagement provides efficiency and savings in both human and financial capital. GRC should reduce operational costs by providing access to the right information at the right time for employees, and reduce the time spent searching for answers (or just giving up). GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • Effective: At the end of the day it is about effectiveness. How does the organization ensure risk and compliance is effectively understood, monitored and managed at all levels of the organization? That policies are not only read but understood, that employees are trained properly, that they know how to ask questions when in doubt, to report issues and how to be intelligent about risk in their specific context.
  • Agile: GRC engagement delivers business agility when organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate to employees GRC context to these changes. GRC engagement is measured in responsiveness to events and issues so organizations can identify and react quickly to incidents because they are reported in a timely manner.

Employee engagement in GRC requires GRC technologies to extend across the organization, even to extended third party relationships such as vendors, suppliers, agents, contractors, outsourcers, service providers, consultants and temporary workers. Engaging stakeholders at all levels of the organization requires that GRC technologies be relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a social-technology permeated world. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.

It has been stated that:

"Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction." This quote has been attributed both to Einstein and E.F. Schumacher.

A primary directive of GRC related technologies is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The goal is simple: it is simplicity itself. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

The 2019 GRC User Experience Award nominations will be accepted through 31 January 2019 (no exceptions, nomination form closes down at midnight CDT on 31 January). Recipients will be determined by end of March, write-ups for each recipient (one per category) will be completed in April and May with announcements in June 2019. Each recipient of an award will be written up and acknowledged.

The seventeen categories for submission are:

  • Audit Management & Analytics User Experience
  • Automated / Continuous Control User Experience
  • Business Continuity Management User Experience
  • Compliance & Ethics Management User Experience
  • Enterprise GRC User Experience
  • Environmental, Health & Safety User Experience
  • IT GRC/Information Security User Experience
  • Internal Control Management User Experience
  • Issue Reporting & Case Management User Experience
  • Know Your Customer User Experience
  • Legal Management User Experience
  • Physical Security Management User Experience
  • Policy & Training Management User Experience
  • Quality Management User Experience
  • Reputation & Responsibility User Experience
  • Risk Management Value User Experience
  • Strategy & Performance User Experience
  • Third Party Management User Experience

Please submit nominations before midnight on 31 January 2019.

2019 GRC User Experience Nomination Form

Improving Policies Through Metrics

It is unfortunate that many policies are written and then left to slowly rot over time. What was a good policy five years ago may not be the right policy today. Those out-of-date but still existent policies can expose the organization to risk if they are not enforced and complied with in the organization.

Effective policy management requires that the policy lifecycle have a regular maintenance schedule. My recommendation is that every policy goes through an annual review process to determine if the policy is still an appropriate policy for the organization. Some organizations rank their policies on different risk levels that tie into periodic review cycles—some annually, others every other year, and others every three years. In my opinion, best practice is for every policy to undergo an annual review.

A system of accountability and workflow facilitates the periodic review process. The policy to be reviewed gets assigned to the policy owner(s) and has a set due date for completion. The decision from this review process will be to retire the policy, keep the policy as it is, or revise the policy to meet the current needs and obligations of the organization.

Policy owners need a thorough understanding of the effectiveness of the policy. This requires the policy owner have access to metrics on the effectiveness of the policy in the environment. Some of the things that the policy owner will want to look at are:

  • Violations. Information from hotline as well as investigation systems to determine how often the policy was violated. The data from these systems indicate why it was violated—lack of awareness, no training, unauthorized exceptions, outright violations.
  • Understanding. Completion of training and awareness programs, policy attestations, and related metrics show policy comprehension. Questions to a helpdesk or compliance department uncover ambiguities in the policy that need to be corrected.
  • Exceptions. Metrics on the number of exceptions that have been granted and the reasons they were granted. Too many exceptions indicate that the policy is inappropriate and unenforceable and needs to be revised.
  • Compliance. At the end of the day the policy needs to be complied with. Any controls that the policy governs and authorizes and the state of those controls is to be reviewed by the policy owner to determine policy effectiveness.
  • Environment. The risk, regulatory, and business environment is in constant change. The policy may have been written to address a state that no longer exists. Changes to the business (e.g., mergers/acquisitions, relationships, strategy), changes to the legal environment (e.g., laws, regulations, enforcement actions), and changes to the external risk environment (e.g., economic, competitive, industry, society, technology) are to be reviewed to determine if the policy needs to change.

When a policy does change it is critical that the organization be able to keep a history of the versions of the policy, when they were effective, and the audit trail of interactions around the policy. The audit trail is used to present evidence of effective policy management and communication and includes a defensible history of policy interactions on communications, training, acknowledgments, assessments, and related details needed to show the policy was enforced and operational.

I am presenting in detail on this specific topic in the following webinar . . .

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Policy Management Requires Attention

Policies: A Foundation in GRC Strategies

Policies are critical to organizations as they establish boundaries of behavior for individuals, processes, relationships, and transactions. An organization must establish policy it is willing to enforce – but it also must clearly train and communicate the policy to ensure that individuals understand what is expected of them.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” [note: this definition is from the GRC Capability Model at www.OCEG.org] Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies accomplish the following:

  • Provide a framework of governance. Policy defines the organization’s governance culture and structure. Without good policy as a guide, corporate culture and control morphs, changes, and takes unintended paths.
  • Identify and treat risk. Policy articulates a culture of risk. Policy addresses risk and establishes risk responsibility, communication, appetites, tolerance, and risk ownership. Without clearly written policy, risk governance is ineffective.
  • Define compliance. Policy establishes a culture of compliance. Policy details how an organization meets its obligations and commitments and how it will stay within legal, regulatory, and contractual boundaries to avoid exposure to liabilities.

Hordes of Policies Scattered Across the Organization

Policies matter. However, the way the typical organization manages policies would leave the impression they are irrelevant and considered a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files are dispersed on a number of fileshares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles – thus, limiting defense of legal liability.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.
  • Rogue policies. Anyone can create a document and call it a policy. As policies establish a legal duty of care, organizations face exposure and liability with any misaligned, mismanaged, and unauthorized rogue policies.
  • Out-of-date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies that do not adhere to a consistent style. The typical organization has policies that do not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g. active voice, concise language, and reading level).
  • Policies without lifecycle management. Many organizations maintain an ad-hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations. The organization has no information about where policy is breaking down or how it can be addressed.
  • Reactive and inefficient training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.

Inevitable Failure of Policy Management Exposes the Organization to Significant Liability

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved in supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital. It enables an organization to effectively develop and maintain the wide scope of policy it needs to govern with integrity and limit corporate liability.

The Bottom Line: The haphazard department and document-centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and implement a centralized strategy and approach to authoring, approving, maintaining, and communicating policies across the organization.


GRC 20/20 Policy Management Resources . . .

Upcoming Policy Management Workshop

Upcoming Policy Management Webinars

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Why it Makes Sense to Manage Retention with Privacy and GDPR

There is increasing focus on the protection of personal identity information around the world. Over the past two decades, we have seen increasing regulations such as US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC and others around the world. The latest, most comprehensive, and the one that is the front and center of concern to organizations globally is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive. While this is an EU regulation, it has a global impact. All organizations – wherever they are in the world – that own or process the personally identifiable information (PII) of EU data subjects must comply with the regulation. It is extra-territorial which means it applies everywhere in the world (so long as an EU data subject PII is involved).

Full compliance for organizations . . .

The rest of this article by GRC 20/20 can be found at the following link as a guest blog on the INFOGOTO blog . . .

READ MORE: https://infogoto.com/why-it-makes-sense-to-manage-retention-with-privacy-and-gdpr/

GDPR in Third Party Relationships Stretches Resources

As the years go by, there is increasing focus on the protection of personal identity information around the world. Over time we have seen new regulations such as US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC, and others around the world. The latest, most comprehensive, and the one that is the front and center of concern to organizations globally is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive. While this is an EU regulation, it has a global impact. All organizations – wherever they are in the world – that own or process the personally identifiable information (PII) of EU data subjects must comply with the Regulation. GDPR is not sector-specific, unlike privacy laws in other parts of the world (notably the US and Canada). It applies in all contexts and across all sectors. It is extra-territorial which means it applies everywhere in the world (so long as an EU data subject PII is involved).

The GDPR strengthens and unifies data protection of individuals in the EU. Where the former directive required each country to pass national legislation that was not consistent, the GDPR is a regulation and does not require further national legislation.

Full compliance for organizations starts May 25, 2018, and applies to any organization that stores, processes, or transfers the personal data of EU data subjects. It does not matter if the organization resides in the EU. Fines can be stiff, going as high as €20 million or 4% of global revenues of an organization, whichever is greater.

The regulation defines personal data as: “Personal data is any information related to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

To be compliant and mitigate the risk of data protection incidents, organizations should:

  • Establish a Data Processing Officer. In fact, this is required in the regulation (Articles 37-39) for all public authorities and organizations that are processing more than 5,000 data subjects in a 12-month period. This role is also called a Chief Privacy Officer.
  • Define & Communicate Policies & Procedures with Training. The foundational component of any compliance program is outlining what is expected of individuals, business processes, and transactions. This is established in policies and procedures that need to be communicated to individuals and proper training.
  • Document Data Flows & Processes. Organizations should clearly document how individual data is used and flows in the organization and maintain this documentation in context of organization and process changes. This is a key component of managing information assets of individuals.
  • Conduct Data Privacy Impact Assessments. The organization should do regular privacy impact assessments to determine risk of exposure to non-compliant management of personal identity information. When events occur, the regulation specifically requires (Article 35) a data protection impact assessment. A new data privacy impact assessment is required if there is a change in the nature, scope, context or purposes of the organization’s processing of PII.
  • Implement, Monitor & Assess Controls. Define your controls to protect personal data and continuously monitor to ensure these controls are in place and operating effectively.
  • Prepare for Incident Response. The regulation requires data breach notification to supervisory authorities within 72 hours of detection. Organizations need defined processes in place and be prepared to respond to, contain, and disclose/notify of breaches that occur in the organization or those that may have occurred by the data processor.
  • Data Privacy by Design. Each new service or business process that makes use of personal identity information within your organization must take the protection of such data into consideration when designing new or updating operational processes and technology builds.
  • Ensure Third Parties are Compliant. Many data protection breaches happen with third-party relationships (e.g., vendors, contractors, outsourcers, law firms, and service providers). Organizations need to make sure their third parties are compliant as well and follow strict policies and controls that are aligned with the organization’s policies and controls. These data processors now have legal liability under GDPR and have direct legal compliance obligations. One additional requirement is that the data processor cannot use a ‘fourth party’ to process any personal identity information without obtaining prior authorization from their client (i.e. the data controller).

It is this last bullet, the requirement to ensure third parties are compliant, that is becoming one of the most challenging elements for organizations in GDPR compliance. The dependence on third parties processing data for organizations is becoming critically important and common. Competitive markets are forcing companies to evaluate and potentially outsource more processing to specialist and cost efficient providers to improve margins and/or become more agile in product and service delivery. These third parties who either process employee or customer data need to safeguard this information, particularly in the scope of GDPR. Third party suppliers represent some of the weakest links to a company’s employee and customer data. More than 63% of data breaches can be attributed to third parties, but the organization is still accountable and liable for these breaches.

Organizations will need to take a much stricter approach when dealing with third parties in context of GDPR as they need to ensure that potential contractors handle data privacy and security in a way that is compliant to the regulation. Organizations need to complete due diligence and question their third parties’ data handling practices, how they store and delete data, who has access, their encryption policies, and essentially anything relevant to how applicable structured and unstructured digital data is handled and processed. This will also require more documentation and audit trail capabilities in order to be able to demonstrate compliance to the regulators and their EU data subjects.

This is a program that needs to be managed on a continuous basis to be compliant and minimize risk of exposure in the GDPR regulation in context of third party relationships. Organizations that attempt to manage this in documents, spreadsheets, and emails will find that this approach will lead to inevitable failure. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active data protection risk monitoring.

The Bottom Line: To address GDPR compliance in third party relationships, organizations should avoid manual processes encumbered by documents, spreadsheets, and emails. They should look to implement a solution that can manage the assessment, communication, and awareness of GDPR requirements and processes in and across third party relationships to manage compliance consistently and continuously in the context of distributed and dynamic business.


GRC 20/20 GDPR Resources

Upcoming Webinar

On-Demand/Recorded Webinar

Research Papers

Internal Control Management by Design

Business is complex. Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, and business data impede organizations. Keeping complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance (GRC) functions throughout the business. Business is no longer defined by traditional brick-and-mortar walls. Physical buildings and conventional employees no longer define organizations. The organization is an interconnected mesh of relationships and interactions that span business boundaries. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. Distributed business operations complicate the organization as it attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes in risk and regulatory environments around the world.

Managing control activities in disconnected silos leads the organization to inevitable failure. What may seem like an insignificant risk in one part of the organization may very well have a different appearance when other risks are factored. Organizations with siloed and manual processes for control management rely on a range of documents, spreadsheets, and emails that are inefficient, out-of-sync, ineffective, lack agility, and are inadequate to manage internal controls. Reactive, document-centric, and manual processes fail to actively manage controls in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Organizations fail and are encumbered by unnecessary complexity because they manage controls around specific issues, without regard for a common integrated strategy and architecture.

Organizations are tasked to provide an integrated view of internal controls across finance, IT, and business processes and operations: a scope that provides a single internal control management function that coordinates and manages controls across operations and finance. This is what is covered in my Internal Control Management by Design workshops.

At the recent workshops in Washington D.C. and Houston (which were fully booked), the attendees interacted in breakout sessions on the challenges they are facing in internal control management. Their specific issues and challenges are:

  • Providing an integrated strategy and view of financial and operational controls across the organization.
  • Increasing confidence in risk coverage and the complexity of interconnectedness of risk and controls
  • Capturing business changes with updated and changing controls
  • Combining finance and operational control teams and revamping processes
  • Focusing on key controls that could cause the organization to overlook other controls
  • Managing the human element in controls management
  • Expanding regulatory requirements for internal control management such as GDPR, FCPA, PCAOB pressures
  • Addressing a lack of resources while being tasked with more internal control responsibilities across operational controls
  • Keeping controls aligned with business processes and a changing environment
  • Implementing a system/technology to manage ALL controls across the organization
  • Integrating controls into daily workflow particularly when transitions occur with staff and turnover

Controls are critical throughout business strategies, operations, and processes. Internal control management has become a critical foundation for enterprise GRC. The correct controls that are operationally effective are the linchpin to assure that the organization can reliably achieve objectives while addressing uncertainty and acting with integrity (OCEG definition of GRC). As organizations mature their approach to internal control management they are seeing more intersections with risk, compliance, and audit processes which require a more thorough strategy for managing controls in the context of the organization.

Reactive and stovepiped approaches to internal controls management leave the organization not seeing the big picture of how controls interrelate with each other, risks, and compliance obligations. This means the organization wastes resources on managing controls as separate assessments and projects instead of as an integrated whole. Defining strategy, managing operations, and addressing organization change requires agility in internal control management to provide assurance to boards, executives, GRC professionals, as well as the line of business. As business becomes increasingly complex in a changing business and risk environment – that struggles with growing regulations, globalization, and distributed operations – organizations need a blueprint for effective, efficient and agile internal control management. This requires organizations to design internal control management into the organization as an integrated part of strategy and operations, supported by an integrated internal control information architecture that gives organizations 360° situational awareness of internal controls in the context of business strategy and operations.

GRC 20/20’s Internal Control Management by Design workshop provides a blueprint for attendees on effective internal control management strategies in a dynamic business and risk environment. Attendees learn and collaborate/interact on internal control management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Upcoming By Design Workshops include:

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

I get a lot of inquiries from organizations looking for policy management platforms. Some for a department focused need (e.g., IT security, health and safety, Human Resources), others for a regulatory need (e.g., GDPR, FCPA), but most for an enterprise policy management strategy spanning the organization as it attempts to gain control of a Wild West of policies in disarray and confusion.

Policy & Training Management platforms manage the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and communication awareness activities. This includes solutions used to train employees and extended business relationships on policy. Elements of gamification, eLearning, learning management, and document/content management are part of this segment. Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate to and support organization policies.

With over 100 solutions for policy and training management in the market, choosing one can be difficult, which is why GRC 20/20 gets engaged for our policy management RFP question library. The most common requirement organizations are looking for is an engaging and intuitive user experience. The growing request, one that comes in every month, is the integration of policy and training management into a single platform and user experience. Every month organizations are stating that their employees go out to Facebook and can watch a YouTube video in Facebook without needing to bounce out to YouTube; they want to know why their employees cannot watch the training in the policy portal.

This is part of what I call Next Generation Policy & Training Management. It is a growing need in the market and one of the most active inquiry areas on which I advise organizations looking for solutions. Other needs are mobility, such as tablet devices that can act as policy and training kiosks for employees who do not have computers, and the ability to plan and calendar a range of policy communication tasks and activities to build campaigns. Employee engagement is critical.

These and more are covered in the newly published and reworked on-demand Research Briefing, How to Purchase Policy & Training Management Platforms. This is further supported in the GRC 20/20 written research paper, Policy Management by Design and corresponding workshop.

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

One of the hottest segments of the GRC market is for solutions to manage, maintain, and communicate policies. Organizations are scrambling to get a grip on the identification, approval, management, and awareness of policies amidst a growing environment of legal and compliance exposures to policy mismanagement and growing regulations.

Whether for a department policy portal or to manage the range of policies across the enterprise, policy management solutions are in demand. Historically the demand has been more on the backend management and maintenance of policies. However, recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for the front-end employee portal and engagement on policies, often with integrated training and learning management.

Where there used to be just a few solutions to choose from, there are now over eighty with varying capabilities and approaches. They offer varying breadth and depth of capabilities, and certainly no one offers a one-size-fits-all solution. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that are the perfect fit for your organization.

In this Research Briefing GRC 20/20 provides a framework for organizations evaluating or considering policy management solutions.

Agenda

  1. Defining & Understanding Policy Management
    Definition, Drivers, Trends & Best Practices
  2. Critical Capabilities of a Policy Management Platform
    What Differentiates Basic, Common, & Advanced Solutions
  3. Considerations in Selection of a Policy Management Platform
    Decision Framework & Considerations to Keep in Mind
  4. Building a Business Case for Policy Management
    Trajectory of Value in Effectiveness, Efficiency & Agility

LEARN MORE: http://grc2020.com/product/how-to-purchase-policy-training-management-platforms/

Objectives

The GRC Pundit helps organizations . . .

  • Define and scope the policy & training management market
  • Understand policy & training management drivers, trends, and best practices
  • Relate the components of what makes a policy management platform
  • Identify core features/functionality of basic, common, and advanced policy management platforms
  • Map critical capabilities needed in a policy management platform
  • Predict future directions and capabilities for policy & training management
  • Scope how to purchase policy management platforms in a decision-tree framework
  • Discern considerations to keep in mind as you evaluate policy management solutions

Who Should Attend

This Research Briefing is aimed to assist . . .

  • GRC professionals with the responsibilities to identify, author, review, evaluate, approve, communicate, and maintain policies and related documents and training
  • GRC solution providers offering policy & training management solutions
  • GRC professional service firms advising organizations on policy management
  • GRC content & intelligence providers that provide policy and training content and templates

Instructor

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC), with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC”, being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.


How Technology Enables Enterprise Risk Management

Risk management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. The risk management information architecture supports the process architecture and overall risk management strategy. With processes defined and structured the organization can now define the information architecture needed to support risk management processes. The risk management information architecture involves the structural design, labeling, use, flow, processing, and reporting of risk management information to support risk management processes.

A successful risk management information architecture will be able to integrate information across risk management systems and business systems. This requires a robust and adaptable information architecture that can model the complexity of risk information, transactions, interactions, relationships, cause and effect, and analysis of information, and that integrates with and manages a range of business systems and external data.

The risk management technology architecture operationalizes the information and process architecture to support the overall risk management strategy. The right technology architecture enables the organization to effectively manage risk and facilitate the ability to document, communicate, report, and monitor the range of risk assessments, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for risk management that connects the fabric of the risk management processes, information, and other technologies together across the organization. Many organizations see risk management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them . . .

[GRC 20/20’s Michael Rasmussen is the author of this post as a guest blogger at the following link]

READ MORE: https://goo.gl/eWTTtP

How to Purchase Policy & Training Management Platforms

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violations and their resolution were monitored and managed.

The haphazard department and document centric approaches for policy and training management of the past compound these issues. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

Organizations need to wipe the slate clean and approach policy and training management by design, with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization. The policy and training management strategy and policy is supported and made operational through the policy and training management technology. The organization requires complete situational and holistic awareness of policies and related training across operations, processes, employees, and third party relationships to see the big picture of policy and training performance and risk. The architecture defines how organizational processes, information, and technology are structured to make policy and training management effective, efficient, and agile across the organization.

Policy and training management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. Successful policy and training management requires a robust and adaptable information and technology architecture. Policies and training need to come together in a unified employee experience where policies are displayed along with training. Policy management technology enables and operationalizes the overall policy and training management strategy. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitate the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions. This is the implementation of a number of point solutions that are deployed and purpose built for departmental or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Dedicated policy and training management platform. This is an implementation of a point solution dedicated to policy and training management. It is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes. These systems often can integrate with other systems to provide broader context of GRC and business intelligence.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. These solutions enable the integration of policy information with other areas of GRC such as case/investigation management (showing violations of policies), issue reporting on potential policy violations, risks which policies govern, obligations such as regulations that mandate policies, and controls which policies authorize. However, these solutions can be more costly to purchase, implement, and manage than dedicated policy solutions.

The right policy and training technology choice for an organization often involves integration with ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which the business operates.

A well-conceived technology platform for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility.

Some of the core capabilities organizations should consider in a policy and training management platform will be covered in this week’s live Research Briefing (which will be recorded and available on-demand):

GRC 20/20 has a detailed research piece that goes through why policy management is critical to organizations and their GRC strategies:

This same topic will be explored deeply in an interactive workshop in Houston on May 30th:

GRC Critical Capabilities and Purchasing Considerations

There is a broad array of governance, risk management, and compliance (GRC) related solutions available in the market. In fact, GRC 20/20 has catalogued and mapped over 800 technology solutions and over 300 content/intelligence solutions that organizations use to improve GRC processes in an effort to make them more efficient, effective, and agile. Navigating this array of solutions is not easy and organizations need to understand their needs today as well as into the future to select the right solution(s) that best fit their needs.

Some organizations are looking to solve a specific problem, such as addressing a regulatory requirement like GDPR, the US Foreign Corrupt Practices Act, the UK Modern Slavery Act, the UK Senior Managers Regime, SOX, or PCI DSS compliance (just a random sampling, as there are thousands of regulations). Others are looking to address a range of requirements and risks within a specific department or domain like environmental, health and safety, IT security, internal control over financial reporting, HR investigations, or business continuity. Then some organizations look to address a specific area consistently across the organization, such as enterprise policy management, third party management, or enterprise investigations management. Then there are organizations looking to address a range of domains and GRC requirements across departments in a single or core common technology backbone; this is what we refer to as Enterprise GRC platforms.

There are two things to consider when looking at GRC related technologies.

  1. GRC is something you do, not something you buy. Yes, there is a wide range of GRC related technologies in the market, but at the end of the day GRC is not about technology; it is about the organization’s actions, decisions, capabilities, and collaboration on GRC. The official definition of GRC as found in OCEG’s GRC Capability Model, which I helped contribute to, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and acting with integrity [COMPLIANCE]. Certainly technology can enable this and make it more efficient, effective, and agile, but it is not a silver bullet that accomplishes this magically for the organization. The organization needs a strong culture, established boundaries of controls and policies, and strong processes for GRC to make a technology investment in any GRC related area a success.
  2. There is no one stop shop for all of GRC. Yes, there are GRC platforms that can accomplish a range of capabilities and needs across departments for an organization. However, there is no solution out of the 800+ solutions that does everything GRC. In fact, there are broad solutions that span many areas but they often do not go deep in some areas. Too often I find organizations with failed GRC projects because they try to do everything in one platform and find that in some weak areas of the platform they water things down and lose capabilities they previously had with deeper focused solutions.

Organizations should really be thinking about GRC architecture. There still is a core GRC platform when the organization has the maturity and cross-department collaboration to be successful, but this platform will have constraints. Organizations are best served with understanding these constraints and integrating best of breed solutions when and where they make sense. There are many organizations I interact with and advise that have an Enterprise GRC strategy that have a strong core platform for GRC and operational risk but break off and integrate best of breed solutions that go deeper in areas such as IT GRC/security, third party management, policy management, quality management, or commodity/market risk management. In fact, this past year I interacted with several organizations that all used one GRC solution for enterprise GRC and operational risk management and all three had another solution in place for IT GRC and security that went deeper in that area.

The point is that organizations should define their strategy and understand their processes then select the right GRC technologies that provide the information and technology architecture to enable the strategy and process and not handicap it.

Some other common pitfalls in GRC solution selection to be aware of are . . .

  • RFP beauty contests. I work on a lot of RFPs, and get engaged for my RFP templates and support regularly. I have seen a lot of horrible things happen in RFPs. Good solutions get ignored because some sales person did a half-hearted attempt at answering questions while a problematic solution gets selected because they had great but not always honest answers to RFP questions. Also, some solution providers are brutally honest in their RFP responses to their own demise while other solution providers will say anything to win the deal. My job is often to come in and keep these solution providers honest and raise red flags when I see them.
  • Client references are tricky. Understand that the client references that solution providers give are often the decision makers who stand behind their decision to invest thousands to hundreds of thousands of dollars in a GRC solution. They will have rosy and glowing things to say about the solution. You need to ask these references the hard questions and word them in a way they cannot wiggle out of. Ask them what they like least about the solution. I also thank them for their time and ask if I could talk to someone on their team that works with the solution every day – one of the GRC worker bees. I often get a completely different perspective on the solution. In one situation the Chief Audit Executive loved the product and only had great things to say about it, while the auditors I talked to that reported to the CAE hated the solution and it was the bane of their workday.
  • Understand what is actually a feature in the solution. There are solution providers that say yes to everything in RFPs. Some do so because they are shady and will do anything it takes to win the deal; others do it because they genuinely believe they have a flexible solution that simply can be tailored to meet any need or requirement. Either way, I have seen implementations that have dragged out for over two years because of all the build out and customization required to meet what the organization purchasing the solution thought already existed in the RFP. I assisted one company in their RFP and against my advice they selected a solution I did not recommend. I told them there is a lot that has to be built out for this and it will take a lot longer than they planned. They came back two years later and told me they wished they had listened to me, as they were just rolling out the initial phase of the solution and were seriously behind timeline and over budget. They now are with a different solution in the market.
  • Ease of use is critical. A solution can have tremendous capabilities, but if it is complicated to use, lacks intuitiveness, and users simply ignore it . . . the implementation fails. Many solutions in the market are very dated and have interfaces that look like they are 10 to 15 years old. This makes it hard to engage all levels of the organization on GRC. The number one selection criterion I see in organizations moving from one solution that has failed them to another solution is ease of use and intuitiveness. I advised one enterprise policy management implementation after they had an abysmal failure in their implementation because what could be done in one screen took three or four screens and lacked any sense of user friendliness and intuitiveness.
  • Integration and openness is a key to success. Siloed solutions that do not integrate with other solutions are a dead-end. Organizations need solutions that have a strong API for integration. One global Fortune 100 company I am advising on third party management needs to be able to integrate their third party management platform with their ERP environment to sync master data records. They tried one solution which failed them on this because of data integrity issues in the syncing (and user experience issues as well); they are now seeing success with a different solution that has strong integration capabilities. This is important across GRC areas. For example, policy management solutions should be able to integrate with HR systems to get new and changed employee records, to be able to automate the communication of new policies when employees are on-boarded or change roles in the organization.
  • Mobility matters in GRC. In most situations, if a solution does not have a mobility strategy it is best ignored. I am seeing growing demand for using tablets and smart phones for audits, assessments, investigations & case management, policy management and communication, training and clearing, issue reporting, and more.
  • Cloud is everywhere, but be cautious. Everyone has a cloud solution – but this does not mean all cloud solutions are equal. Some use the term cloud and simply mean a hosted model, while others refer to it as a multi-tenant architecture. The scalability and cost parameters can make a difference here. Security must be critically understood and evaluated as well. I do not like the cloud naysayers that avoid it because they are concerned about security. I have seen many cloud environments that are more secure than the organizations evaluating them. This does not mean they all are secure . . . do your homework and evaluation.

Upcoming live GRC 20/20 Research Briefings to assist organizations with the critical capabilities and buying considerations of GRC related solutions are:

I would love to hear your comments and thoughts on GRC related software and strategy. Please post below . . .

  • Have a question about GRC related solutions and strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Looking for GRC related solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project that includes access to an RFP template with hundreds of requirements for each GRC domain.