Blog

Defining & Communicating a Culture of Risk

The GRC Pundit BlogPublished onLeave a Comment on Defining & Communicating a Culture of Risk
I am baffled by the ignorant that are happy with their blinders and do not see how governance, risk, and compliance interrelate and support each other to form GRC. Today we will look at how the R (risk) in GRC needs governance and compliance.
 
Risk professionals can suffer with a myopic view of their work – a lack of imagination, foresight, or intellectual insight. They are comfortable with their quantification work and love Monte Carlo simulations, Bayesian modeling, and Value at Risk algorithms. They do not always understand how risk interacts with governance and compliance to properly steer and direct the organization to stay within mandatory boundaries of laws and regulations as well as the voluntary boundaries of risk culture, tolerance, appetite, and values.
 
Risk by the OCEG definition in Red Book 2 is defined as . . .
 
“. . .the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.”

Risk management does not happen in a vacuum – it needs Culture & Context (the first elements of the GRC Capability Model). The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined. That is where risk needs governance. The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. If the governance function does not do this – risk taking is up to individuals and the integrity of the organization is in jeopardy.
 
Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures. This is where risk needs compliance. Compliance is more than adhering to laws and regulations – it is making sure that risk culture, policies, procedures, and controls are being adhered to. In the case of risk management, compliance plays a critical role in communicating policies and validating that the organization is staying within proper boundaries of risk taking established by the governance roles in the organization.
 
The elements of governance, risk, and compliance are three legs of the GRC stool. You take any one away and the stool becomes unstable. They need and depend on each other.
 
My advice . . . organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite. The complex interrelationship of risks requires that an organization gain an enterprise view of risk by overcoming the silos of risk management. Risk management should develop relationships with corporate compliance to help communicate policies and monitor adherence and enforcement of them.
 
A well defined GRC system and process will not only do risk assessment and modeling, but also will deliver the definition, communication, and training on policies and procedures. The system will map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets, and logical assets), as well as incidents & loss.

Gartner's EGRC "Arcane" Magic Quadrant

The GRC Pundit BlogPublished onLeave a Comment on Gartner's EGRC "Arcane" Magic Quadrant

My apologies. Along with my commentary on Forrester’s GRC Ripple (OOOPS . .. I Mean Wave) I had promised to provide my thoughts on Gartner’s EGRC Magic Quadrant once it was publicly available. Needless to say – August was a busy month, between end of summer trips, preparing for the fall, and kicking off the highly successful OCEG Red Book, GRC Strategy, & IT Bootcamps nearly a month has gone by without my comment. Better late than never . . .

 
As for process – the best definition of Gartner’s Magic Quadrant in my mind is either ‘black magic’ or more preferably ‘arcane.’ According to my Macintosh dictionary, arcane is defined as:
  • arcane |ärˈkān|(adjective) -understood by few; mysterious or secret
Unfortunately that is where I end up understanding the Gartner process. Unlike Forrester who publishes score, scales, weightings, and explanations thoroughly in a comprehensive spreadsheet – Gartner does not reveal in detail what happens behind the curtain. One is left hoping that the analysts approached it objectively and understand the space. That gives me a lot less to critique because Gartner does not expose as much.
 
Gartner’s ‘arcane’ magic must be working though. Overall, with some minor tweaks, I feel the current Gartner Magic Quadrant was a fairly well representation of the players, the market, and where they compete. I do get concerned in some of their ‘strengths’ and ‘cautions’ for each vendor as it is not consistently applied. It makes you feel they are digging to put something in the spots. For example, OpenPages is given a caution because they do not provide content. This does not appear on any of the other caution lists – but I know for a fact that several of the vendors represented do not provide content. They did not get the same warning. That is where a model like Forrester’s is more fair (but time consuming often leading to out of date content by the time the process is done). With Forrester you can see each criteria, such as content, get an explanation and a score comparing the vendors.
 
Gartner has earned more respect from me as their Magic Quadrant is a good representation of the players. This is a change. I remember previous Magic Quadrants where the players came from different parts and niches of the GRC space and often did not compete with each other. It was like comparing apples and oranges. This is sad when so many use these research reports to pick short lists of vendors for RFPs/RFIs. They need to be competitive with each other.
 
SAP is not in the report – which it was in Forrester’s. This is good and bad for SAP. They had a poor representation in the Forrester report, had they been represented in Gartner’s they may have had the same. Though this is largely do to the fact that SAP is focusing and doing very innovative things in the GRC space that pushes the envelope significantly and challenges the vendors represented in these analyst reports. SAP is focused on making GRC a part of business.
 
To borrow a Forrester term . . . now for the WIM (What It Means). Whether it is a Forrester Wave or a Magic Quadrant understand that it is one organization’s perspective and may not represent the players for your specific needs and requirements (though the Forrester Wave model allows you to change the weightings for your own needs). It also may not represent all the players you may want to engage for your specific requirements. Use the documents for what they are – a research perspective from one point of view. Do not treat them as authoritative.
 
My advice to Gartner: while you have a good representation in this Wave, your process and applicability to buyers is far behind Forrester’s. Reveal your criteria and scoring and deliver a tool to help organizations make buying decisions.

Who Defines Your Corporation's Values?

The GRC Pundit BlogPublished onLeave a Comment on Who Defines Your Corporation's Values?
Values and ethics define an individual – as well as families, societies, and culture in general. Everyone puts a stake in the ground as to what is important to him or her and what is not. We interact with others based on our values: which acts much like two magnets. If the right polarity exists the magnets attract each other, if the wrong polarity exists then the magnets repel each other.
 
Corporations have values and ethics as well – which are either formally defined and managed or are left to be defined by a variety of pressures and influences. From a legal perspective a corporation is an entity – it can be interacted with, sued in court, and even taxed (depending on the type of corporation) just as an individual can.
 
Who defines the corporation’s values and ethics? The answer really stems from the corporation’s overall culture – but that too has to be modeled and defined somewhere.
 
There are several places that a corporation can have its values and ethics molded for it, these are:
 
  • Directors and executive management. Ultimately the board and management have a key stake in establishing the culture, ethics, and values of the organization. It is at this level that code of conduct should be defined and enforced from the top down. The board also plays a key role in establishing risk appetite and tolerance levels that impact how an organizations takes and manages risk. This is what is meant by tone at the top.
  • Employees. If executives fail to define and communicate an organization’s culture, ethics, and values employees are left to define it. Even when executives have defined and communicated values it is employees that mold, shape, and make it reality or fiction. People tend to hire and relate well to those that have similar interests – political, religious, social, etc. The discussion in break rooms, meetings, and even interviews often acts like a magnet to attract similar systems of belief and value.
  • Business partners. An organization is no longer an entity unto itself – it is impossible to define where the culture and boundaries of an organization start and stop. The extended enterprise of business partners, supply chain, outsourcers, service providers, contractors, consultants, temporary staffing, and customers all influence and mold the values of an organization. Organizations, particularly in this era of corporate social responsibility, want to make sure they are doing business with other businesses that share the same values. No organization wants to be in the spotlight of media for partnering with unethical business – those that engage in such things as child labor or corrupt practices.
  • Customers. Ultimately an organization exists to provide value. For commercial organizations this is financial value and not just ethical value. In order to achieve financial value it is necessary to attract customers. Customers obviously want to achieve value in quality and service from the organization – though they are also becoming more selective in doing business with organizations that share the same ethical and social values.
  • Governments. Through regulation, legal liability, and plain old pressure, governments are able to extend great influence on the culture and values of the organization. This current economic crisis has given us many examples of government’s influence and control over entire industries as well as practices within those industries (e.g., salary & bonuses).
  • Non-government organizations. Non-profits, lobbyists, and associations all influence power over an organization and how it defines its culture, value, and ethics. NGO’s are quick to wield great political, social, and media pressure upon organizations to manipulate them to the purposes they value.
The net result of all of this – an organization is going to have its values defined somewhere. Either management is going to lead this charge or other pressures will influence it. Where values and ethics are not centrally defined and communicated as a part of corporate culture – the organization risks going in a direction it never intended. Additionally, an ad hoc approach to defining corporate values leaves the door wide-open for corruption.
 
Values and culture also influence risk management through how the organization and its employees take risk and stay within boundaries of risk tolerance and appetite. Without sound values defined the organization can and most often will enter reckless risk taking and poorly defined boundaries of acceptable and unacceptable risks (the financial crisis of the past few years are a great example of reckless risk taking and willingness to put aside defined boundaries of risk tolerance and appetite).
 
The area of corporate values and ethics is very real to me. I left a former employer because of a significant difference in values. Management allowed one group in the organization to move forward with a conference that included a keynote speaker from an organization branded for adult entertainment (I do not want to use specific words that I feel better describe this so this post is not blocked by filters). I spoke up stating this was a slap in the face to the women of the organization. I also expressed that there are many people within the organization that have had families devastated by this industry – something I can speak personally to in my extended family. My voice to management fell on deaf ears and I was brushed aside. They ignored the issue and allowed this group in the organization to further define the culture and direction of what was acceptable. Though a top performer (and I had recently received an award for this) I resigned.
 
Organizations need to define their values from the top down. In this day and age you are not going to appease everyone. The pressures of conservative, liberal, environmental, social, and other factors are real and significant upon the organization – and can even be in conflict with stakeholders.
 
If this topic interests you – and you want to know how to make culture, values, and ethics defined, managed, and monitored in your organization – I would point you to the Open Compliance & Ethics Group (OCEG) Red Book 2 and the GRC Capability Model™. This delivers the only full framework that I am aware of that drives an organization toward Principled Performance™. Later in August I am delivering a multi-day bootcamp specific to this topic – GRC Strategy & Red Book 2 Bootcamp. This is directly followed by another bootcamp aimed at using technology to enable a culture of ethics, compliance, and risk management – Developing Your GRC Technology Improvement Bootcamp.
 
Please reply back with your feedback and thoughts. How do you see/recommend that an organization define and communicate its values, culture, and ethics? In today’s complex business environment a failure to get an enterprise perspective on this is a recipe for disaster.
 
“To understand the religion of a people is to understand the people. For their religion expresses what they take to be the ultimate values of human life, underlying their whole attitude to everything else.”
J. Geddes MacGregor (1909 – 1998)

Framework Approach to Governance, Risk Management, & Compliance

The GRC Pundit BlogPublished onLeave a Comment on Framework Approach to Governance, Risk Management, & Compliance
The landscape of governance, risk management, and compliance initiatives is broad and littered with a variety of specific standards and frameworks. Each of these specific frameworks may be good at what they focus on – but they fail to link GRC together and put everything in context with each other. Risk management, security, corporate governance, control, security, compliance, audit, quality, EH&S, sustainability – all have their respective islands of standards. This makes putting a GRC strategy in place that bridges these silos difficult as the language, implementations, and approaches are quite different. In fact – organizations trying to get an enterprise view of risk and compliance desperately search for a GRC “Rosetta Stone.”
 
There is only one framework that I see that brings this universe of GRC into a common language, process, and architecture – that is the OCEG Red Book (v2) and its GRC Capability Model™. Although various standards and guidance frameworks exist to address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed practices for an integrated and collaborative approach to GRC. These practices address the many elements that make up a complete GRC business architecture. Applying the elements of the GRC Capability Model™ and the practices within them enable an organization to:
  • Achieve business objectives
  • Enhance organizational culture
  • Increase stakeholder confidence
  • Prepare and protect the organization
  • Prevent, detect and reduce adversity
  • Motivate and inspire desired conduct
  • Improve responsiveness and efficiency
  • Optimize economic and social value
The GRC Capability Model™ describes key elements of an effective GRC architecture that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control. It provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system. The OCEG GRC Capability Model™ is broken into eight components:
  1. CULTURE & CONTEXT. Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes.
  2. ORGANIZE & OVERSEE. Organize and oversee the GRC system so that it is integrated with and when appropriate modifies, the existing operating model of the business and assign to management specific responsibility, decision-making authority, and accountability to achieve system goals.
  3. ASSESS & ALIGN. Asses risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.
  4. PREVENT & PROMOTE. Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
  5. DETECT & DISCERN. Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.
  6. RESPOND & RESOLVE. Respond to and recover from noncompliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevent or resolve similar issues more effectively and efficiently in the future.
  7. MONITOR & MEASURE. Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
  8. INFORM & INTEGRATE. Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.
OCEG’s GRC Capability Model™ is, in my opinion, the best umbrella framework to bring a holistic enterprise view of GRC together that works from the board of directors down into the management and process of an organization. Its goal is not to replace other frameworks and standards but to give them a common language and context to operate within and thus provide enterprise collaboration and communication across governance, risk, and compliance.
 
I sat on the OCEG Steering Committee to define this valuable work and am encouraged by several Fortune 1000 companies that are now seeing it used and benefits achieved. There is nothing else available in scope and practicality to implement a GRC program around. For those interested in rolling up your sleeves further – whether an organization implementer, technology provider, or professional services provider – I encourage you to take a close look at the upcoming Bootcamp training (OCEG members get a significant discount). There is also a consecutive Bootcamp on defining a GRC technology architecture.
 
Please reply back with your feedback and thoughts. How do you see organizations bringing together an enterprise view of governance, risk, and compliance? In today’s complex business environment a failure to get an enterprise perspective on this is a recipe for disaster.

Wolters Kluwer Aquires the Gem in Policy Management – Axentis

The GRC Pundit BlogPublished onLeave a Comment on Wolters Kluwer Aquires the Gem in Policy Management – Axentis

Wolters Kluwer Tax & Accounting announced today that it acquired Axentis. This acquisition further extends Wolters Kluwer role in the GRC (Governance, Risk, & Compliance) technology and content/information market.

 
Axentis, according to Corporate Integrity research, has a leading policy and procedure management platform. The company has done an excellent job at addressing investigations management and has specific addressed a broad array of GRC issues aimed to address corporate integrity agreements, risk management, ethics, code of conduct, corporate compliance, financial controls management, IT risk and compliance, regulatory intelligence/management, privacy, and vendor/supplier/3rd party compliance. Axentis has also been a pioneer of addressing GRC through a Software as a Service (SaaS) model.
 
Wolters Kluwer has been on track in acquiring a portfolio of GRC related products. Axentis adds to their line of acquisitions which include TeamMate, Sword, and MediRegs (ComplyTrack). Wolters Kluwer also has a range of other GRC related products that tackle issue of matter management as well as board & entity management. However, the most significant differentiator for Wolters Kluwer is the integration of content/information related to regulations and risks into these suite of products as they provide a competitive information and knowledge offering that competes against the like of Thomson, Lexis, and SAI Global. Some of these knowledge providers also see the value of GRC technology solutions integrating with content – Thomson Reuters acquired Paisley last November, and SAI Global acquired 80/20 Software among a few others.
 
The challenge now for Wolters Kluwer is to bring things together. To date they have focused on different solutions across their technology line and does not promote a single all-encompassing GRC application. This can work for as well as against them. If they can bring together a common back-end data architecture and deliver a consistent interface across individual products – I believe that organizations will buy this. If they fail to do this, other vendors will when the GRC game. Organizations do not necessarily need a single application interface for GRC – but they do need a common data architecture. I also see that many GRC vendors lose out because they try to oversell instead of addressing the specific needs set before them. Wolters Kluwer can sell to the specific need with the specific product and expand. This also helps penetrate deals as GRC involves multiple roles. Without confusing the buyer, Wolters Kluwer can sell the products to the meet the needs of the specific business buyer before them (e.g., legal, compliance, enterprise risk, operational risk, finance, audit).
 
As Thomson, SAI Global, and Wolters Kluwer have all demonstrated significant commitment to the GRC space, I am particularly curious about Lexis Nexis‘ reaction as to how they will approach this space.
 
The end game of the GRC market breaks down as follows:
  • Enterprise technology providers. CA, Oracle, and SAP are all committed to the GRC space. These providers, as well as some to change focus to GRC again, will continue to expand and grow in the market. Their value proposition will be the integration of technology into a broader technology architecture.
  • Information/knowledge providers. The likes of Wolters Kluwer and Thomson will focus on using technology to integrate with content – delivering on what I call risk and regulatory intelligence.
  • Boutique providers. There will remain a number of GRC providers that utilize their smaller size to be nimble and react first to changing m
    arket demands and grow to be a solid GRC player, several of these players will differentiate themselves by delivering solutions aimed at specific GRC issues (e.g., environmental, health & safety, matter management) as well as roles (e.g., audit, legal, compliance, risk, IT).

The Forrester GRC ‘Ripple’ (OOOPS . . . I Mean, ‘Wave’)

The GRC Pundit BlogPublished onLeave a Comment on The Forrester GRC ‘Ripple’ (OOOPS . . . I Mean, ‘Wave’)
Analyst firms provide value as well as harm to markets. What they define, model, and predict affects billions of dollars and influences the course of organizations of all sizes and industries. I’ve had a unique perspective on this during my nine years in the market research and analyst world and for seventeen years of professional life.
 
I have particular frustration with the major analyst firms (such as Gartner and Forrester) when it comes to governance, risk, and compliance (GRC) issues. This is particularly meaningful viewed through the lens of my seven years at Forrester Research, Inc. where I was a vice president, and was recognized as a ”Top Analyst” the day before I resigned. I was the original analyst to define and model a market for GRC technology and consulting services.
 
Today’s release of The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009 made me throw my hands up in despair. I can see one organization after another making bad technology choices, based on where a vendor’s icon falls on an analyst’s graphic. My experience with this speaks for itself – I authored four Waves in my tenure at Forrester, two of them being the predecessor to this third-generation GRC Wave.
 
Before I get too critical, some positive thoughts: The Forrester Wave process is stronger than Gartner’s Magic Quadrant. The criteria for evaluation and measurement are much more transparent. I never had a vendor tell me they prefer Gartner’s process. I also have deep respect for Chris McClean, the author of the current GRC Wave. Chris and I have known each other for years. I trained Chris on GRC on his entry into Forrester, and my transition from Forrester went smoothly because we are like-minded. Chris is a respected thought leader on business GRC issues and solutions, particularly when it relates to Corporate Social Responsibility. However, Chris’ handicap, like mine was, is Forrester itself.
 
Further, several of the vendors in the Wave deserve their placement. I have respect and agreement for the leadership position of BWise, OpenPages, and Thomson Reuters. Axentis has the best policy management solution on the market, and a competitive investigations platform – though their high placement baffles me, as they do not come close to the others on deeper risk and audit management capabilities. However, MetricStream does surprise me in their leader position.
 
The current version of the GRC Wave concerns me because:
  • It is out-of-date the day it is published. This particular Wave process took six months. Several of the platforms evaluated have new and improved versions on the market, some of which have been available for several months. The Wave process takes much too long to be relevant to buyers.
  • The Wave criteria have not evolved. The GRC market and technology changes rapidly. There was a significant difference in criteria between the first GRC Wave and the second, which I authored while at Forrester. This time, however, the criteria remain nearly identical to what I authored on the last Wave, despite how dynamic the market and technology have been during the last 18 months. In this new Wave, several vendors were hurt on their positions because they are moving beyond the box assigned to them by the Wave criteria. In the second Wave, I broke the Wave into four graphics to represent different areas of GRC – with vendors plotting differently, based on buyer needs. This latest GRC Wave should have expanded, not eliminated that feature. The Wave should have broken into several independent Waves to measure specific buyer roles of GRC solutions such as risk, audit, IT, finance, corporate compliance, and legal.
  • It reaches the wrong audience. It is interesting to note that some vendors in previous GRC Waves are not in the current one – even when they scored high in the previous Wave. Why did they not participate? For a few it was because the Wave takes a tremendous amount of time and resources and reaches the wrong buyer. Companies like Compliance 360 and Mitratech are doing well reaching buyers who are not in IT, where Forrester is focused. In fact, some vendors report that reference to the previous Wave(s) did not come up with prospects and clients. This is one of two reasons why I left Forrester: They fail to reach the business buyer of GRC. Forrester is successful at reaching the IT-GRC buyer focused on IT risk and compliance issues, and to some degree the finance buyer. However, Forrester fails to get its research in front of enterprise buyers focused on risk, corporate compliance, legal, audit, quality, environmental, health and safety, and corporate social responsibility (which is Chris’ sweet spot).
  • It misses major GRC vendors. It is alarming that the current Wave misses significant GRC vendors such as Oracle and CA, as well as smaller players such as Neohapsis (formerly Certus). Some declined because of bad timing; others, if I understand it correctly, were simply not invited. Oracle and CA are coming up regularly in competitive GRC deals – more so than several of the small and poorly performing players in the Contender and Strong Performer categories. Even if a vendor refuses to participate, Forrester still has a process to plot a vendor and note that they did not willingly participate in the Wave.
This is bad news for a GRC buyer. While it gives them some perspective of players in the GRC market, the perspective is out-of-date and incomplete. Specifically, beside the vendors that do not appear in the Wave, I feel the following are poorly represented:
  • Archer Technologies: Archer is the most disruptive force in the GRC market today. They are entering and consistently winning deals against many of the leaders in the GRC Wave. They offer, in my opinion, the most versatile and easily customizable platform on the market that can be swiftly tailored to meet any GRC process and content issue. During the past 18 months I have seen them come up consistently in GRC RFP/RFIs and win, and their clients have moved them into a position where they have one of the broadest arrays of unique GRC uses. Forrester overlooked Archer’s unique approach to integrating content (Archer Exchange), users (Archer Community), wide array of GRC solutions modules (Archer Solutions), all on a flexible platform (Archer SmartSuite Framework). Archer’s clients speak for themselves, having received top honors in the Wave for client references (which I noted a few months back on my blog). I expected Archer to appear in the Leader category.
  • MEGA: MEGA has an excellent platform for risk, control, and audit management – one, in my opinion, that has become very competitive in its feature functionality. They are wanting on the content management side, which impacts their ability to meet the needs of corporate compliance around policy management and communication, but they have deep risk, audit, and control functionality. Their greatest weakness is slow momentum in North America, though they are making significant market progress in Europe. I would have expected MEGA to have a higher position in the
    Strong Performer category.
  • SAP: SAP is the innovation thought-leader for GRC. Their position as a Contender is a slap in the face and illustrates just how the GRC Wave in its current version misses the target. On one side, SAP could have declined to be involved, as the dated criteria did not fare well for them – but they have built a leading GRC brand in this space and are committed to seeing it move forward — which requires their participation in the WAVE. SAP should have been a Leader (if the criteria had evolved to where it should be) because they are focused on the integration of GRC into business processes and transactions. No other vendor in the Wave is as deeply focused on business issues of GRC and delivering integration and control complex business areas such as global trade compliance, supply-chain risk, environmental GRC, and segregation of duties within business applications. SAP has the best story out there on the integration of GRC, particularly risk management, into corporate performance and strategy. When GRC means business is where SAP excels. The Wave did not address this, which is unfortunate for SAP. Where the other Wave vendors provide an oversight band-aid and audit layer to GRC, SAP delivers value to the core of business through its GRC solutions.
My greatest concern about technology market-analyst firms is that there is too much focus on the IT department and technology. Don’t get me wrong; technology is the backbone that enables GRC. However, the analyst firms have it wrong because they focus on IT and the technology instead of business processes, and the business buyer and user of technology.
 
My recommendations to Forrester:
  • Streamline the Wave process to make it more relevant to the product versions on the market.
  • Split the Wave into several smaller Waves that target unique business-buyer roles of GRC.
  • Focus on the business: IT is already in the bag. Stretch your GRC thought leadership into business roles. Chris McClean has what it takes to shine in this area.
If you have specific questions on GRC vendor solutions or professional service firm offerings in this space please submit an inquiry@Corp-Integrity.com. You may also be interested in the following discussion on the Corporate Integrity LinkedIN Group: Do industry analysts have too much influence on software vendors, who call their products GRC or CCM/T – terms used by analysts.

Thoughts from Compliance Week '09 Day 1

The GRC Pundit BlogPublished onLeave a Comment on Thoughts from Compliance Week '09 Day 1

Compliance Week remains the highlight of GRC events throughout the year. As one Tweet states at the beginning of the conference: “dougcorneliusStarting the “Davos” of compliance.”

Sure there are many events I enjoy for networking and catching up with others. However, Compliance Week is one of the few events I attend that actually stretches me intellectually. This has a lot to do with the format. I have low expectations for most conferences as vendors have invaded and product pitches remain the same. Compliance Week remains one of those conferences that holds vendors at bay and requires practitioners to present (though vendors may present alongside practitioners). Granted, there is an occasional presentation that is a poorly disguised product pitch – according to the Twitter traffic (#CW2009) this is the case with Oracle co-presented session Proactive Risk and Compliance Strategies for Uncertain Times (NOTE: I did not attend this session).
Much of the general conference discussion focused on the value of risk management and control in difficult economic times. There was also a lot of discussion taking place on Senator Schumer’s (D-NY) Bill S.1074 which would require new corporate governance standards involving a board risk committee to oversee the establishment and evaluation of risk management in the organization.
Other thoughts and perspectives I noted throughout the day . . .
  • SEC Commissioner Louis Aguilar’s opening keynote was thought provoking on The Regulatory Agenda was thought provoking. While supporting regulatory reform and a new financial regulation I also saw caution in too quickly consolidating the 5 U.S. financial regulators that are specialized and focus. Rolling things up without proper forethought may cause regulatory oversight to become too generic. How do we strike the right balance of regulatory oversight remains a common thought with me as I pondered the presentation. Consider Commissioner Aguilar’s statement “Government currently helps keep us safe from things like exploding toasters but not from disastrous mortgages.”
  • The Paisley and Computershare session Implementation Case Study—Embracing a Common, Integrated Approach to Audit, Risk and Compliance was a good overview of the value in times of economic turmoil that integrated GRC processes deliver efficiency and support collaboration. In fact, much of the conference chatter was focused on value and return from solid risk and compli
    ance processes.
  • PricewaterhouseCoopers and Schering Plough did an excellent session on privacy – Integrated Compliance Frameworks for Privacy, Security and Identity Theft Prevention. However, from my experience most corporate compliance departments do not pay enough attention to privacy. Privacy has grown in stature within many organizations, but it still plays second fiddle to other compliance and risk issues in most firms I come across. My prediction is that we will continue to see privacy compliance concerns grow over the next few years as well, as risk from litigation and brand damage, that will bring privacy to a more prominent role in corporate compliance programs. The presenters advocated a build a program to the highest common denominator – which is much like the 80/20 perspective that I have recommended in building a baseline that gets you most of the way their across jurisdictions and realize there will be some areas of the world where exceptions abound and privacy is managed differently in some aspects. PwC also promoted an integrated framework for privacy – however still more discussion needs to be had on integrating the integrated frameworks with a common backbone (or Rosetta Stone) such as OCEG’s Red Book 2.0.
  • The Starting an ERM Program from Square One session presented by Eastman Kodak was a good risk management starter kit. I would state, from the presentation, that Eastman Kodak has implemented a slightly above average ERM program. Say a 3.25 on a maturity scale of 1 to 5. The missing element is a focus on value of ERM and alignment of risk management to corporate performance management. Too many ERM programs miss the mark as they are focused on avoiding the nasty and fail to realize that organizations take risk all the time to make money. Maximizing return and optimizing corporate value is what the most mature ERM programs are about. The presentation did a good job at pointing out the drivers for ERM including: NYSE listing requirements, SEC disclosures, Standard & PoorsERM evaluations, USSC requirement for risk assessment for potential wrong doing, insurance impact, as well as fiduciary obligations.
  • The final session I attended of Day 1 was the KPMG and Office Depot session on Tone at the Top and In the Middle—Enhancing Regulatory Compliance through Your ERM Program. This was the best non-keynote session of the day. It provided the most mature view of ERM with a focus on value and impact on corporate objectives and performance. It was then brought to a practical compliance point by showing FCPA compliance through an ERM perspective.
 

Thoughts from the OCEG Leadership Council

The GRC Pundit BlogPublished onLeave a Comment on Thoughts from the OCEG Leadership Council

A Proverb states: “Where there is no guidance, a people falls, but in an abundance of counselors there is safety.”  Much of the GRC world – with its various professional stovepipes – has struggled for guidance and direction on how to effectively integrate and define common processes for Governance, Risk, & Compliance.  Sure, we have a variety of GRC related professions (e.g., legal, risk, compliance, finance, IT, audit, investigations, ethics, etc.) with their corresponding associations (many of which are superb).  The issue has been integration, communication, and collaboration between these processes to bring a sustainable, consistent, efficient, accountable, and transparent view across GRC roles and processes.

 
I am happy to communicate – we are passing the dawn of GRC inspiration into the world of GRC practicality.  The last several years we have seen the philosophy and content of GRC being defined with little practical guidance on how to implement GRC and make it efficient and effective within the organization.  Yesterday’s meeting of the Open Compliance and Ethics Group Leadership Council demonstrated significant maturity in thought leadership and practice to bring GRC to a reality in organizations.
 
Some specific highlights brought forth today in the meeting were:
  • The GRC Rosetta Stone in the OCEG Red Book 2.0.  OCEG has delivered the most comprehensive and practical process model for managing GRC and its interrelationships within business processes.  Varying roles across the organization can leverage and integrate their specific frameworks and standards into a common GRC methodology.  This provides a common framework to support collaboration, accountability, and transparency across the organization.
  • User experience and validation.  Not only has Red Book 2.0 been released, but OCEG has been hard at work building the validation framework for GRC in the Burgundy Book.  Specifically, organizations such as AON, Archer Daniels Midland, Dell, Staples, Ventura Foods, and WalMart demonstrated their measurement and use of Red Book for GRC through validation of the Burgundy Book model.
  • Upcoming release of the online GRC Directory.  OCEG announced its partnership with yours truly (Corporate Integrity, LLC) on the July release of an online directory to catalog GRC technology and service/consulting providers.  The taxonomy for the technology providers will be based around the OCEG IT Blueprint ‘Technology Arenas.’  Currently, Corporate Integrity has cataloged over 1100+ technology and service provider firms in the GRC EcoSystem that will be part of this online directory.
  • Product validation of technology vendor GRC claims.  With the OCEG GRC IT Blueprint providing practical guidance to the relevance and taxonomy of IT to support GRC business processes, OCEG also brought forth plans to have independent validation of products mapped to the GRC IT Blueprint.  This provides value to organizations looking for technology to vet vendor claims to deliver specific functionality.
  • Providing workshops and bootcamps to educate the GRC community.  To help kickstart GRC programs and initiatives – and provide common education and guidance on OCEG Red Book and other materials – OCEG announced its plans to roll out online GRC Fundamentals training as well as in person GRC Fundamental & Red Book 2.0 BootCamps.  In conjunction with OCEG, Corporate Integrity will be delivering one of the first GRC Fundamentals & Red Book 2.0 BootCamp in August.
  • Expansion of the GRC community.  With the release of the new OCEG website scheduled for late June/early July, OCEG will also be delivering online GRC communities where individuals and organizations can interact in online (as well as physical) forums around specific risk/interest, role, geography, and industry areas.
  • Globalization of OCEG.  Since its inception, OCEG has met the needs of U.S companies including large multi-national organizations operating globally.  Over the past few years OCEG has seen growing interest from around the world as it now has members in over 68 countries.  OCEG has revealed the next steps to provide for online communities that support geographies and international issues and guidance development, and is also partnering with other associations around the world to bring together a community of associations to work to bring GRC guidance to the diverse GRC roles within business. The goal is to provide an international hub of information as well as interaction with other GRC related associations and professionals.
OCEG has demonstrated strong growth over the years and continues to articulate a solid vision for GRC.  Further, it does not see itself as a one stop shop or replacing other function/role specific associations.  Instead, OCEG sees its role as a hub – a Rosetta Stone – enabling communication and collaboration across business GRC functions.  I strongly encourage organizations to look at OCEG’s thought leadership and framework, implement it in their organization, and participate in OCEG on an ongoing basis.

'Lean' GRC – Good Concept, Poor Choice of Word

The GRC Pundit BlogPublished onLeave a Comment on 'Lean' GRC – Good Concept, Poor Choice of Word

 

A recent discussion on the Corporate Integrity LinkedIN Group was started by Norman Marks when he stated: How would you go about applying Lean principles to making sure your GRC processes, organization, and systems are not only effective but efficient? 

Personally, I do not like the word ‘lean’ as an adjective for GRC. Yes, I understand lean principles for business (particularly manufacturing). From a language perspective though it leaves a negative perception of GRC – look lean up in thesaurus. Such as (references taken from Apple Mac OS X dictionary/thesaurus). . .

lean (adjective)

  • 1 a tall, lean man slim, thin, slender, spare, wiry, lanky, skinny. See note at thin . antonym fat.
  • 2 a lean harvest meager, sparse, poor, mean, inadequate, insufficient, paltry, scanty, deficient, insubstantial. antonym plentiful, abundant.
  • 3 lean times hard, bad, difficult, tough, impoverished, poverty-stricken. antonym prosperous.

or a dictionary

lean |lēn| |lin| |liːn| (adjective)

 

  • 2 (of an activity [GRC is a set of business activities] or a period of time) offering little reward, substance, or nourishment; meager : the lean winter months | keep a small reserve to tide you over the lean years.

 

Anyways, I understand the principle and what it is getting at. From that perspective, Lean GRC needs to start with an understanding of where ‘fat’ can be trimmed. This is started by conducting an assessment to determine:

 

  • # of GRC processes
  • # of GRC process owners/roles
  • # of assessments
  • # of frameworks
  • # of policies
  • # of incident/loss systems
  • # of GRC related technology
  • # of GRC related spreadsheets & documents  

 

 

Angus Passmore also had some great insight to the ‘lean’ concept’:

If the “product” as defined by the Lean Principles is considered to be the delivery of correct and validated Governance and Compliance reporting/BI, the foundation of these should be a fully structured and correctly inter-related data environment that has all the required data elements and relationships clearly defined for the total organisation that will be subject to the GRC process (The Enterprise). Having this founding structure allows an accurate tactical delivery based on a pre-defined Enterprise GRC strategy which should encompass Lean principles.

What are your thoughts?

Developing a GRC Strategic Plan

The GRC Pundit BlogPublished on1 Comment on Developing a GRC Strategic Plan
Governance, Risk, and Compliance can be confusing to understand in their individual capacities – bring them together as GRC and it can be even more confounding. GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, its culture. Ultimately, GRC is about the integrity of an organization:
  • Does the organization properly managed and have sound governance? 
  • Does the organization take risk within risk appetite and tolerance thresholds?
  • Does the organization meet its legal/regulatory compliance obligations?
  • Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?
The challenge of GRC is that each individual term – governance, risk, compliance – has varied meanings across the organization. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . the list of mandates and initiatives goes on and on.
 
It is easier to define what GRC is NOT. 
  • GRC is NOT about silos of risk and compliance operating independently of each other. 
  • GRC is NOT solely about technology – though technology plays a critical role. 
  • GRC is NOT just a label of services that consultants provide. 
  • GRC is NOT just about Sarbanes-Oxley compliance. 
  • GRC is NOT another label for enterprise risk management (ERM), although GRC encompasses ERM.
  • GRC is NOT about a single individual owning all aspects of governance, risk, and compliance. 
GRC IS a philosophy of business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It IS about collaboration and sharing of information, assessments, metrics, risks, investigations, and losses across these professional roles. GRC’s purpose IS to show the full view of risk and compliance and identify interrelationships in today’s complex and distributed business environment. GRC IS a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve sustainability, consistency, efficiency, accountability, and transparency across the organization.
 
GRC is a three-legged stool: governance, risk, and compliance are all necessary to effectively manage and steer the organization. In summary – good governance can only be achieved through diligent risk and compliance management. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind — GRC aligns them to be more efficient and manageable. Inefficiencies, errors, and potential risks can be identified, averted, or contained, reducing exposure of the organization and ultimately creating better business performance.
 
Governance, risk, and compliance are diverse and complex with their individual intricacies and issues ready to frustrate the organization. Organizations that attempt to build a GRC strategy with home-grown solutions, spreadsheets, or islands of technology not built to meet a range of needs are left in the dark and boxed into a view of the world that they will find limiting down the road. 
 
The current business environment requires a new paradigm and approach to GRC – requiring a common framework, integrated processes, and platform that span across the organization and its individual risk and compliance issues.  This is brought together in a GRC strategy ready to take the tackle issues at their roots through core GRC processes that are leveraged across the organization.
 
A company’s strategy for GRC success starts with a simple five-step plan. This plan draws on the lessons learned from Corporate Integrity working with a numerous large corganizations around the world with complex business operations and relationships. Here are the steps that prepare you to deliver a sustainable GRC program:
  1. Identify the interrelated processes, problems, & issues. An understanding of the scope of GRC issues, processes, technology, and requirements is the beginning. Organizations should start with a survey assessment aimed at identifying and cataloging the number of processes, technologies, methodologies, and frameworks used for risk and compliance across all business operations. This assessment is best aligned with the OCEG Red Book 2.0 Capability Model.
  2. Establish GRC program goals and objectives. Once the organization has identified the scope of GRC across the organization it can establish the goals needed to achieve GRC. This starts with establishing a vision and mission statement for GRC that the goals stem from. Central to these goals will be a determination on GRC program structure – centralized, federated, or some form of deliberate but ad hoc collaboration. This structure will determine many other goals – particularly the consistent and relevant use of technology.
  3. Develop your short term strategy for fulfilling GRC requirements. With your goals in mind, identify the “quick wins” that will demonstrate GRC success and improvement. Aim for tackling the items that immediately show a return to the organization and build greater buy-in to the GRC strategy across business operations. This short-term plan should not be longer than 12 months.
  4. Conduct a comprehensive organizational risk assessment. Part of the short-term plan should be a detailed risk assessment that provides a common framework and catalog of corporate risks across GRC management silos. This risk assessment is used to further identify and feed into the long-term comprehensive GRC strategy to help the organization better understand, manage, and monitor risk exposure. 
  5. Provide a comprehensive action plan. With the short-term plan in place – focused on the easy wins and pr
    ocess improvement – the organization can begin working on the long-term strategic plan that develops a comprehensive GRC strategy focused on process improvement. The harder and more challenging components of GRC should be brought into this plan. This plan is optimal when it covers a three-to-five year period.
Further advice . . . prioritization of risk and compliance activities needs to be decided at an enterprise level. This can be difficult as silos of risk and compliance can function buried within different functions of the business. To overcome this and facilitate a top-down approach, a sustainable GRC strategy requires that the organization get executive buy-in and support. This provides endorsement of the effort and overcomes obstacles of silos wanting to work independently and do things their own way.
 
One thing is a certain – risk and compliance burdens are not going away. Government regulators continue to influence control upon organization practices through tighter regulation. Business partners are requiring stronger controls within their relationships. The globalization of business introduces significant risk with more points of vulnerability and exposure to the organization. The time is now for organizations to define and implement a sustainable GRC strategy that drives sustainability, consistency, efficiency, accountability, security, and transparency of GRC across the organization.