[button link=”http://community.mega.com/t5/Blog/Mature-Governance-Risk-Management-amp-Compliance-needs-an/ba-p/9315″ color=”default”]READ MORE[/button]
The 2014 GRC Value awards are to recognize GRC solutions that have returned significant and measurable value to an organization.
Whether technology, content, or professional service providers – all can submit an award about a solution or service. However, the nomination must be on a specific implementation/project in a verifiable client. No generalizations or consolidations of multiple clients. The GRC Value awards are to acknowledge specific QUANTIFIABLE value in a specific instance. Every nominee if selected for final recognition (both solution provider and client) must be willing to spend up to an hour on the phone (separately and not together) to discuss the submission and validate accuracy of submission. Only the top nominations in each category will go through the validation process.
All award submissions are based on a single real-world implementation. Factual accuracy and integrity is necessary. GRC 20/20 will take all the nominations and select in each category the submissions that articulate the greatest quantifiable value in objective, measurable terms. We are looking for hard facts not just soft bullet points. Time saved, dollars saved, FTEs reduced. Numbers win, generalizations lose. Every submission must have contact information of the organization that claims to have received this value. These organizations will be contacted and interviewed to determine if they have actually received the stated value as portrayed. Any misrepresentation of issues found will disqualify the nomination from receiving the award and the next set of nominations in each category will be evaluated.
Each recipient of an award will be written up and acknowledged. Details of the nomination will be referred to but can be handled anonymously (if formally requested) in award announcements/communications from GRC 20/20.
Nominations must be received by June 30, 2014. Recipients will be notified in August 2014 at least two weeks before formal announcements/publications are made in early September 2014.
Download the nomination form:
{rsfiles path=”2014 GRC Value Nomination Form.docx”}
Business is complex. Gone are the years of simplicity in business operations. Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management and compliance (GRC) professionals throughout the business.
The modern organization is:
Many organizations are hindered when aspects of GRC are managed in disconnected silos that do not share information and collaborate. Mature GRC programs are those that have an information architecture that can show the relationship between objectives, risks, obligations, policies, controls and events. The problem is that organizations lack a solid information architecture to map information and therefore struggle to build knowledge out of remote data points.
A backbone of GRC is risk management. Organization objectives, performance and strategy are the primary alignment of GRC, but in the bowels of GRC processes it is risk management that provides the critical linchpin that connects GRC processes and activities together. To effectively manage risk requires that the organization have a thorough context of risk relationships to other aspects of GRC such as policies, controls and events. However, the dynamic and global nature of business is challenging for risk management. As organizations expand operations and business relationships their risk profile grows exponentially. Organizations need systems and information to monitor risk to business internally (e.g., strategy, processes and internal controls) and externally (e.g., legal, regulatory, competitive, economic, political and geographic environments) to stay competitive. What may seem an insignificant risk in one area can have profound impact on others. This requires that the organization be thoroughly risk intelligent — the ability to think holistically about risk and uncertainty, speak a common risk language and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities and creating lasting value.
Managing risk in today’s dynamic and distributed business environment is not an easy task. Risk management does not happen in a vacuum — it requires context and follow through. The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined and communicated.
The official definition of GRC is:
The reliable achievement of objectives is governance, understanding and addressing uncertainty is risk management, and acting with integrity is compliance. All three of these provide a natural flow. Governance provides strategy and objectives that deliver the context for risk management. Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries (policies & controls) and expectations so the organization can reliably achieve those objectives. Compliance then ensures that the organization stays within the boundaries (policies & controls) set by risk management as it aims to reliably achieve objectives.
The Bottom Line: Risk management activities managed separately from corporate policies leads to inevitable failure. Without an integrated approach to risk management and policy management the organization has no follow-through. Risk management is useless if it cannot be tied to boundaries for acceptable and unacceptable risk that are defined and communicated in policies throughout the organization.
A nonintegrated approach to risk and policy management impacts business by not being efficient, effective or agile, resulting in:
What may seem like an insignificant risk from one perspective may very well have a different appearance when other perspectives are factored in. Organizations with siloed risk management and policy processes face inefficiency, out-of-sync controls and out of date or insufficient policies that are inadequate to manage risk. Organizations fail and are encumbered by complexity because they manage policy within specific issues, without regard for a common integrated risk and policy framework.
More on this topic can be found in the following items from GRC 20/20 . . .
All organizations do GRC (governance, risk management, and compliance). It does not matter if the organization uses the acronym or not, every organization has some approach to the elements of governance, risk management and compliance whether it is non-integrated and siloed across scattered areas of the organization or a federated GRC strategy that links GRC activities into a strategy, process, information, or technology architecture. GRC by definition (OCEG) is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”
GRC maturity is highly dependent on technology. To be clear, you cannot buy GRC — GRC is something you do, not purchase. You can buy GRC technology that assist in managing GRC related processes, analytics, reporting, and more. Every organization uses technology for GRC; pens and paper are a form of technology, so is email, spreadsheets, and documents. The correct selection and use of GRC technology is one aspect in maturing the organization’s approach to GRC. In fact, GRC maturity cannot be achieved without improving your information and technology architecture for GRC. However, I cringe when organizations tell me they just bought GRC and now need to figure out what to do. Strategy and process comes before technology.
The coverage of GRC technology by other analysts is frustrating. For full disclosure, I am a research analyst. I research and monitor GRC best practices, benchmark organizations, and define/model the market for GRC solutions, content, and services. I review solution provider offerings, assist organizations in selection and write/manage RFPs. While an independent research analyst for the past seven years, I previously spent seven years at Forrester Research where I was the first analyst to define and model the market for GRC solutions and services and label it GRC (February 2002). I wrote the first two Forrester GRC Waves comparing solutions. Since leaving Forrester I have spent the last seven years bewildered by the way my analyst competitors cover the market for GRC technology. I respect that in some cases they are handicapped by internal research boundaries of other analysts. However, the coverage of the GRC market by other analysts firms is confusing and damaging.
Before I critique my competitors, let me state my position. GRC, approached correctly, involves a strategy, process, information, and technology architecture. The GRC market is comprised of a wide range of solution categories. Some of these are represented in a GRC platform that tries to accomplish several areas of GRC in one neat little package. Caution though, the idea of a single ‘GRC Platform’ to meet all your needs has challenges. There is no one-stop show for GRC. There can be a core backbone for GRC, but GRC often requires integration of a range information and technology. Some of today’s complex governance, risk, and regulatory reporting requirements are only done through significant integration and analytics of data across the business. Organizations are best served to approach GRC as an architecture and throw away this idea of a single platform that promises to do everything. I still reference GRC platforms as there can be a backbone that brings things together. Organizations are best served through a federated architecture that allows for best of breed GRC solutions where they make sense and does not force the organization into the lowest common denominator through one platform that tries to be all things to all needs. I will be discussing my representation of the GRC market in next week’s 2014-Q2 State of the GRC Market Research Briefing.
Now that you understand my position, let’s review how GRC 20/20’s competitors approach the GRC market from the perspectives of Gartner, Forrester, Chartis, and Market to Markets:
Gartner is the largest market research firm covering a wide range of technology and services. Their GRC research I have ranted on in the past:
In these posts I have critiqued Gartner’s GRC Magic Quadrant stating it is not transparent and does not represent the real world of GRC buying as 80% is focused on specific areas of GRC and less than 20% on enterprise GRC platforms. Gartner has responded to my critiques and changed course (though they would never confess). In a blog entry, French Caldwell announced their new approach: A Revolution in GRC Affairs at Gartner (or burning the EGRC mq). To me it reads that French is saying ‘GRC is dead, long live GRC.’ In this post Gartner recognizes what I have been preaching form may analyst pulpit for seven years that the GRC market is a broad market with solutions that do different things.
Gartner has responded by breaking up the Magic Quadrant and analyzing solutions on use cases. This analysis is just starting and covers the aspects of:
Further Gartner has scoped a wide range of other GRC market research:
Gartner is to be commended for this shift in research and is my most formidable competitor. I do appreciate the interactions I have with French despite our online debates. We make a great nemesis team — protagonist and antagonist — Batman and The Joker, Superman and Lex Luthor (I will let you decide who is who).
Despite this tremendous change in strategy I am here to say it has some issues in the definition of the use cases. Basically, some of the use cases do not accurately represent the breadth of market requirements. I have looked them over carefully. As an independent analyst I get engaged to assist solution providers in how to approach and manage their relationships with the major analyst firms. I am asked to play the role of French Caldwell and review their responses and watch their demos to improve how they present their solutiosn to analysts. It is quite fun. The past few weeks, several solution providers have reached out to seek my assistance in strategizing responses to Gartner’s new GRC use cases. My concerns are as follows:
These are the use cases GRC solution providers have to prepare for, Gartner is just beginning their process. They could explore much of what I discuss throughout the process, but it would be best if it was apparent up front in the use cases themselves. There also is still time to revise these use cases as analysis is just starting. This matters as organizations invest a lot of money in solutions and need the deepest insight into the solutions they are purchasing. When requirements are not met it hurts the market as a whole. Gartner has a log of influence and is the biggest brand in the business. While we compete in market research, their approach can cast a shadow that hurts the rest of us. I dive deep into the functionality of these solutions and care that organizations select the right solution for their needs.
One more thing – Paul Proctor’s blog I referenced above. He critiques the acronym of GRC as being the most overused term confusing things. For clarity, the individual parts of GRC – governance, risk management, and compliance are all very overused terms across the business with many different interpretations. This is the area of research each of our firms cover and the one our clients engage us to make sense of.
Compared to the long Gartner post, the brevity of this discussion may come across as letting Forrester off lightly. There is some serious misalignment between Forrester on one-side and myself and Gartner on the other. I cannot even go into the detail that I did with Gartner as Forrester just lacks the same point of view of the GRC market. I cut my GRC teeth at Forrester, defined the GRC market before anyone else, wrote the first two Forrester GRC Waves (as well as the first two ERM Consulting Waves). I recognized in 2007 with the 2nd GRC Wave that this market was too complex to represent in one two-dimensional graphic. As a result, my Wave had four graphics representing the aspects of: 1, overall GRC; 2, governance (audit); 3, risk management; and 4, compliance management. I reference Forrester in some of the blog entries I link to above discussing Gartner, but also have discussed Forrester in the following:
Previously I have given praise to Forrester for transparency. The Wave process gives clarity into scoring and criteria that Gartner’s Magic Quadrant does not (but these use cases are getting there). In the past seven years Forrester has collapsed the GRC Wave and failed to expand it. The four GRC Wave graphics went to one graphic. To make matters worse, Forrester combined a separate Wave on IT-GRC into the Enterprise GRC Wave (I discuss my views on the differences of IT-GRC and Enterprise GRC above in the Gartner analysis). Further consolidating research analysis of solutions where I have been expanding it and now Gartner is as well. Forrester – what GRC market are you covering? Certainly not the one I am covering, and not the one Gartner is covering.
Chartis is not as well known as Gartner or Forrester. They provide market research with a predominant focus on financial services. They cover a range of GRC topics that I would all put under the umbrella of GRC, but their approach is to split GRC into its own category of multi-functional platforms distinct from other areas of their risk and compliance coverage.
My approach is that the entire market is called GRC and there are a lot of segments in this market of different types of solutions. Like IT security which has segments for firewalls, intrusion detection, anti-virus, and more . . . GRC has segments for risk, audit, compliance, policy, health & safety, quality management and many more areas. To me, GRC is the macro-market, an umbrella that covers a range of solutions. Chartis and I talk “apples and oranges” as we are representing GRC as different things. Their approach fails as it aligns more with Forrester than myself. Though if you take the scope of what they cover as ‘risk technology’ we become more “apples to apples.” It is how we name the high-level market category that everything cascades from that differentiates us. They call it risk technology, I call it GRC.
What really sets me off about Chartis is their recent statement in Enterprise GRC – Time for GFRC? Chartis states, “To drive a behavior-driven approach to GRC, firms need to incorporate performance and remuneration measurements into GRC. Chartis believes that firms should replace ‘GRC’ as a concept with ‘GFRC’ – Governance, Finance, Risk, and Compliance . . . Traditional GRC is outdated and fails to manage risk and prevent serious compliance breaches . . . Firms need to move beyond traditional GRC and take a more dynamic approach to governance, risk, and compliance.”
We are actually aiming for the same trajectory that there is more than a GRC platform and GRC platforms by themselves are not enough and can force an organization to the lowest common denominator in managing risk. Later in the article they state, “Chartis also believes that firms should do more to incorporate areas currently overlooked by GRC, including model risk, conduct risk, reputational risk, and stress testing.” These areas of risk are covered in the GRC 20/20 market model for GRC. I am writing a paper right now on model risk management, GRC 20/20 has a segment of the GRC market that catalogs solutions for reputation/brand risk, conduct risk falls into our coverage of compliance management solutions (e.g., market conduct exams for insurance), and stress testing is in the coverage of risk management technologies. Where GRC 20/02 defines a range of solutions in the market GRC and Chartis calls the same over
all market ‘risk technology,’ Chartis is using the GRC label similar to Forrester by collapsing a platform down to the lowest common denominator and then taking the perspective Gartner and I have stating it is missing something. Technically, Chartis and GRC 20/20 is aligned as we see a range of technologies that define a category. I call it GRC. Chartis calls it risk technology. We are pointing at the same thing in this sense.
I take issue with Chartis trying to create GFRC – that just confuses things. The GRC market started growth in financial controls as a fallout of SOX and some back in 2003 and 2004 tried to add Finance then. I don’t understand what Chartis is trying to communicate. Adding finance into the mix is a step back and not a step forward. One of the problems with traditional strategic planning is that it is really about financial planning and budgeting. In the UK there’s an entire movement around something called “beyond budgeting.” Finance, as well as operations, falls under the pervasive umbrellas of governance, risk management, and compliance. If not, do we start adding HR for human resources for the human element of GRC, IA for internal audit, H&S for health & safety. The nice thing about the GRC acronym is that these words are adaptable across the organization and provides a good umbrella. GRC defines the flow and context for the solutions in the market. GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity. Risk needs governance to set the objectives and strategy to give risk management context. We measure and monitor risk as it relates to performance, objectives, strategy with a focus on uncertainty. Part of risk management is setting boundaries that get established in policies, procedures, and controls that compliance ensures we adhere too – acting with integrity.
This company should not even be referenced in this post, but I do as they have been brought to my attention by solution providers a few times in concern. You can request their sample GRC report for free, but they charge thousands for the full report – the sample has anything of value redacted. Why I bring them up is their flagrant disregard for intellectual property and copyright. Their GRC market report takes some of my GRC content, particularly on GRC 3.0, the market timeline for GRC 3.0 in an exact representation of my work, and other GRC points and they source it back to themselves and not to GRC 20/20. Be wary of the analyst firm that fails to have an original thought of their own and takes the intellectual property of others. It came to my attention after solution providers in the GRC space (more than one) pointed out my IP being referenced as theirs. Still waiting for a confession and apology . . .
Organizations face increased pressure to ensure business applications such as Enterprise Resource Planning (ERP) systems are secure and access control risks are managed in the context of a dynamic business environment. Segregation of Duties (SoD), inherited rights, critical and super user access, and changes to roles are too much for today’s organization to manage adequately in manual processes involving spreadsheets, documents, and email as they are time-consuming, prone to mistakes and errors, and can leave the business exposed. By automating access controls, organizations take a proactive approach to avoiding risk while cutting down the cost and time required maintaining controls, being compliant, and mitigating risk. However, automated access control/SoD solutions are known to be exorbitantly expensive and take a considerable amount of consulting resources and time to implement. ERP Maestro is an innovative access control/SoD solution that GRC 20/20 has researched that takes a cost effective approach by using the cloud to make automated access control/SoD efficient and agile as well as effective. ERP Maestro has proven that it is as or more effective in access control and SoD as its competitors but it does this at a fraction of the cost to implement and maintain.
You may access this research below . . .
{rsfiles path=”2014-02_Solution-Viewpoint_ERPMaestro_Web-Version.pdf”}{else}
Access to GRC 20/20 published research requires a subscription. There are two primary tiers of research subscription:
To access this document please REGISTER or LOGIN using the buttons in the upper right corner of the page.{/rsmembership}
The 2014 GRC Technology Innovation Awards was filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.
ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires
In November 2013, ACL delivered an innovation that combines the concepts of management assurance and audit assurance to structurally shift what is considered “data” in the context of measuring risk and control activities in assurance activities. They have created an intuitive and elegant approach to combine data analytics with surveys and questionnaires to provide stronger assurance and automation.
At a tactical level, this innovation revolutionizes the way a GRC professional is able to address problems around control monitoring, compliance violations, and policy violation. It meaningfully blends the capabilities of data analytics with surveying to provide the analyst with a simple, integrated toolkit for monitoring and remediation.
At a strategic level, this innovation structurally shifts and aligns “human data” with “systems data”, effectively allowing the GRC analyst to treat populations of people as a data source. With the ability to seamlessly blend “human data” with “systems data”, a new world of analysis is possible to identify red flags, as well as serve as the basis for rich visualization of blended data.
Prior to this innovation, control monitoring and other data analytics were loosely integrated into broader GRC risk & control platforms and GRC architecture. Results of analytics were often simply attached as files to serves as control evidence. This new approach fully integrates into a unified GRC architecture with analytics so GRC evaluations, assessments, and decisions can be made seamlessly in real-time using the most up-to-date information available in the organization. Introducing the surveying/questionnaire piece allows ACL users to feed the same control monitoring engine with survey data (“human data”) and drive the same remediation actions as could be done from transactional data.
The core functionality of the technology is to take the results of control monitoring analytics and bring those into a centralized, easy-to-use web environment where it is integrated into the overall GRC information and process architecture. It provides an intuitive questionnaire builder to develop questionnaires when a “trigger” condition happens that allows for automatic triggering of questionnaires based on data analysis criteria. It blends data analysis records with the questionnaire results to provide a consolidated dataset that the organization may use to drive remediation, act as control evidence, or provide executive reporting.
The key technical functionality is the “Big Data” engine that lies at the heart of the ACL GRC Results Manager module. This data engine uses an innovative data store that is capable of storing unstructured and arbitrary data. This is critical for several reasons but primarily because 1) organization need to analyze different types of data that a traditional database system cannot effectively ingest the “arbitrary” data needed for analysis, 2) these organizations need to be able to “blend” a transaction record with a survey response on the fly without doing traditional database table joins, and 3) the ability operate at cloud scale to drive the fastest performance and response times. Layered on top of the big data engine is ACL GRC’s development stack and intuitive user interface built in HTML5, CSS3, and high performance JavaScript. The overall solution is not just functional on a new level but brilliant in its intuitiveness and ease of use.
To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients
The 2014 GRC Technology Innovation Awards was filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.
ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC
ACL has brought end-to-end audit management functionality to Apple mobile devices in the form of a native mobile app, used in conjunction with their cloud-based GRC and audit management platform. The ability to leverage a native app (not mobile web or low-fidelity “hybrid” type applications) enables ACL to make full use of the hardware capabilities of Apple mobile devices including:
This is the first GRC mobile app to bring the full power of design delivered through powerful and capable devices, to the problem of audit management. GRC 20/20 sees a major shift beginning occurring where document, spreadsheets, and paper binders are being replaced by multimedia including audio, video, photo, data visualization, geo-location, etc.
There are many GRC mobile solutions on the market – but they offer limited functionality and do not always take full advantage of the native mobile environment. ACL has now fully engaged the capability of the device to leverage multimedia capabilities of the devices as well as redesigned the application from the ground-up to take advantage of the incredible power available in the iOS SDK. The platform was expanded to enable complete enterprise risk assessment and reporting in a fully touch interactive environment.
The historic reality after fieldwork finished there would be an additional two weeks of work to be completed compiling notes, transcribing, documenting, etc. after leaving the field, then another two weeks of report writing and revisions. Progressively leveraging ACL GRC for iOS and its multimedia capability, the auditors can potentially walk out of the field completely done and documented with multimedia backing up a clean, engaging audit report. This enables users to work in an environment where they are able to create and capture both interactive media and structured data to accomplish existing audit goals while not relegating themselves to countless hours of tedious document preparation only to end up with all of their data forever “trapped” by documents.
The key innovation is that the app leverages the native iOS SDK to provide the most superior mobile GRC user experience that GRC 20/20 has encountered with deep integration with the device’s hardware capabilities including camera, microphone, GPS, touch gestures, hardware rotation, etc. This provides a faster, better, more beautiful, and more tightly integrated experience for the user than a mobile web app or a wrapper for the web that pretends to be an app.
To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients
