GDPR in Third Party Relationships Stretches Resources

As the years go by, there is increasing focus on the protection of personal identity information around the world. Over time we have seen new regulations such as US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC, and others around the world. The latest, most comprehensive, and the one that is front and center of concern to organizations globally is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive. While this is an EU regulation, it has a global impact. All organizations – wherever they are in the world – that own or process the personally identifiable information (PII) of EU data subjects must comply with the Regulation. GDPR is not sector-specific, unlike privacy laws in other parts of the world (notably the US and Canada). It applies in all contexts and across all sectors. It is extra-territorial, which means it applies everywhere in the world (so long as an EU data subject’s PII is involved).

The GDPR strengthens and unifies data protection of individuals in the EU. Where the former directive required each country to pass national legislation that was not consistent, the GDPR is a regulation and does not require further national legislation.

Full compliance for organizations starts May 25, 2018, and applies to any organization that stores, processes, or transfers the personal data of EU data subjects. It does not matter if the organization resides in the EU. Fines can be stiff, going as high as €20 million or 4% of global revenues of an organization, whichever is greater.

The regulation defines personal data as: “Personal data is any information related to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

To be compliant and mitigate the risk of data protection incidents, organizations should:

  • Establish a Data Processing Officer. In fact, this is required in the regulation (Articles 37-39) for all public authorities and organizations that are processing more than 5,000 data subjects in a 12-month period. This role is also called a Chief Privacy Officer.
  • Define & Communicate Policies & Procedures with Training. The foundational component of any compliance program is outlining what is expected of individuals, business processes, and transactions. This is established in policies and procedures that need to be communicated to individuals and supported by proper training.
  • Document Data Flows & Processes. Organizations should clearly document how individual data is used and flows in the organization and maintain this documentation in context of organization and process changes. This is a key component of managing information assets of individuals.
  • Conduct Data Privacy Impact Assessments. The organization should do regular privacy impact assessments to determine the risk of exposure from non-compliant management of personal identity information. When events occur, the regulation specifically requires (Article 35) a data protection impact assessment. A new data privacy impact assessment is required if there is a change in the nature, scope, context or purposes of the organization’s processing of PII.
  • Implement, Monitor & Assess Controls. Define your controls to protect personal data and continuously monitor to ensure these controls are in place and operating effectively.
  • Prepare for Incident Response. The regulation requires data breach notification to supervisory authorities within 72 hours of detection. Organizations need to have defined processes in place and be prepared to respond to, contain, and disclose/notify of breaches that occur in the organization or that may have occurred at the data processor.
  • Data Privacy by Design. Each new service or business process that makes use of personal identity information within your organization must take the protection of such data into consideration when designing new or updating operational processes and technology builds.
  • Ensure Third Parties are Compliant. Many data protection breaches happen with third-party relationships (e.g., vendors, contractors, outsourcers, law firms, and service providers). Organizations need to make sure their third parties are compliant as well and follow strict policies and controls that are aligned with the organization’s policies and controls. These data processors now have legal liability under GDPR and have direct legal compliance obligations. One additional requirement is that the data processor cannot use a ‘fourth party’ to process any personal identity information without obtaining prior authorization from their client (i.e. the data controller).

It is this last bullet, the requirement to ensure third parties are compliant, that is becoming one of the most challenging elements for organizations in GDPR compliance. The dependence on third parties processing data for organizations is becoming critically important and common. Competitive markets are forcing companies to evaluate and potentially outsource more processing to specialist and cost-efficient providers to improve margins and/or become more agile in product and service delivery. These third parties, which process employee or customer data, need to safeguard this information, particularly in the scope of GDPR. Third party suppliers represent some of the weakest links to a company’s employee and customer data. More than 63% of data breaches can be attributed to third parties, but the organization is still accountable and liable for these breaches.

Organizations will need to take a much stricter approach when dealing with third parties in the context of GDPR, as they need to ensure that potential contractors handle data privacy and security in a way that is compliant with the regulation. Organizations need to complete due diligence and question their third parties’ data handling practices, how they store and delete data, who has access, their encryption policies, and essentially anything relevant to how applicable structured and unstructured digital data is handled and processed. This will also require more documentation and audit trail capabilities in order to be able to demonstrate compliance to the regulators and their EU data subjects.

This is a program that needs to be managed on a continuous basis to remain compliant and minimize the risk of GDPR exposure arising from third party relationships. Organizations that attempt to manage this in documents, spreadsheets, and emails will find that this approach leads to inevitable failure. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active data protection risk monitoring.

The Bottom Line: To address GDPR compliance in third party relationships, organizations should avoid manual processes encumbered by documents, spreadsheets, and emails. They should look to implement a solution that can manage the assessment, communication, and awareness of GDPR requirements and processes in and across third party relationships to manage compliance consistently and continuously in the context of distributed and dynamic business.


Internal Control Management by Design

Business is complex. Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, and business data impede organizations. Keeping complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance (GRC) functions throughout the business. Business is no longer defined by traditional brick-and-mortar walls. Physical buildings and conventional employees no longer define organizations. The organization is an interconnected mesh of relationships and interactions that span business boundaries. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. Distributed business operations complicate the organization as it attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes in risk and regulatory environments around the world.

Managing control activities in disconnected silos leads the organization to inevitable failure. What may seem like an insignificant risk in one part of the organization may very well have a different appearance when other risks are factored in. Organizations with siloed and manual processes for control management rely on a range of documents, spreadsheets, and emails that are inefficient, out-of-sync, ineffective, lack agility, and are inadequate to manage internal controls. Reactive, document-centric, and manual processes fail to actively manage controls in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Organizations fail and are encumbered by unnecessary complexity because they manage controls around specific issues, without regard for a common integrated strategy and architecture.

Organizations are tasked to provide an integrated view of internal controls across finance, IT, and business processes and operations: a scope that provides a single internal control management function that coordinates and manages controls across operations and finance. This is what is covered in my Internal Control Management by Design workshops.

At the recent workshops in Washington D.C. and Houston (which were fully booked), the attendees interacted in breakout sessions on the challenges they are facing in internal control management. Their specific issues and challenges are:

  • Providing an integrated strategy and view of financial and operational controls across the organization
  • Increasing confidence in risk coverage and the complexity of interconnectedness of risk and controls
  • Capturing business changes with updated and changing controls
  • Combining finance and operational control teams and revamping processes
  • Focusing on key controls that could cause the organization to overlook other controls
  • Managing the human element in controls management
  • Expanding regulatory requirements for internal control management such as GDPR, FCPA, PCAOB pressures
  • Addressing a lack of resources while being tasked with more internal control responsibilities across operational controls
  • Keeping controls aligned with business processes and a changing environment
  • Implementing a system/technology to manage ALL controls across the organization
  • Integrating controls into daily workflow, particularly when transitions occur with staff and turnover

Controls are critical throughout business strategies, operations, and processes. Internal control management has become a critical foundation for enterprise GRC. The correct controls that are operationally effective are the linchpin to assure that the organization can reliably achieve objectives while addressing uncertainty and acting with integrity (OCEG definition of GRC). As organizations mature their approach to internal control management they are seeing more intersections with risk, compliance, and audit processes which require a more thorough strategy for managing controls in the context of the organization.

Reactive and stovepiped approaches to internal controls management leave the organization not seeing the big picture of how controls interrelate with each other, risks, and compliance obligations. This means the organization wastes resources on managing controls as separate assessments and projects instead of as an integrated whole. Defining strategy, managing operations, and addressing organization change require agility in internal control management to provide assurance to boards, executives, GRC professionals, as well as the line of business. As business becomes increasingly complex in a changing business and risk environment – one that struggles with growing regulations, globalization, and distributed operations – organizations need a blueprint for effective, efficient and agile internal control management. This requires organizations to design internal control management into the organization as an integrated part of strategy and operations, supported by an integrated internal control information architecture that gives organizations 360° situational awareness of internal controls in the context of business strategy and operations.

GRC 20/20’s Internal Control Management by Design workshop provides a blueprint for attendees on effective internal control management strategies in a dynamic business and risk environment. Attendees learn and collaborate/interact on internal control management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Upcoming By Design Workshops include:

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

I get a lot of inquiries from organizations looking for policy management platforms. Some for a department focused need (e.g., IT security, health and safety, Human Resources), others for a regulatory need (e.g., GDPR, FCPA), but most for an enterprise policy management strategy spanning the organization as it attempts to gain control of a Wild West of policies in disarray and confusion.

Policy & Training Management platforms manage the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, guidelines and related training and communication awareness activities. This includes solutions used to train employees and extended business relationships on policy. Elements of gamification, eLearning, learning management, and document/content management are part of this segment. Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate to and support organization policies.

With over 100 solutions for policy and training management in the market, the segment can be difficult to navigate, which is why GRC 20/20 gets engaged for our policy management RFP question library. The most common requirement organizations are looking for is an engaging and intuitive user experience. The growing request, one that comes in every month, is for the integration of policy and training management into a single platform and user experience. Every month organizations are stating that their employees go out to Facebook and can watch a YouTube video in Facebook without needing to bounce out to YouTube. They want to know why their employees cannot watch the training in the policy portal.

This is part of what I call Next Generation Policy & Training Management; it is a growing need in the market and one of the most active inquiry areas in which I advise organizations looking for solutions. Other needs are mobility, such as tablet devices that can act as policy and training kiosks for employees who do not have computers. Employee engagement is critical. So is the ability to plan and calendar a range of policy communication tasks and activities to build campaigns.

These and more are covered in the newly published and reworked on-demand Research Briefing, How to Purchase Policy & Training Management Platforms. This is further supported in the GRC 20/20 written research paper, Policy Management by Design and corresponding workshop.

Critical Capabilities & Considerations for Evaluation of Policy & Training Management Platforms

One of the hottest segments of the GRC market is for solutions to manage, maintain, and communicate policies. Organizations are scrambling to get a grip on the identification, approval, management, and awareness of policies amidst a growing environment of legal and compliance exposures to policy mismanagement and growing regulations.

Whether for a department policy portal or to manage the range of policies across the enterprise, policy management solutions are in demand. Historically the demand has been more on the backend management and maintenance of policies. However, recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for the front-end employee portal and engagement on policies, often with integrated training and learning management.

Where there used to be just a few solutions to choose from, there are now over eighty with varying capabilities and approaches. They offer varying breadth and depth of capabilities, and certainly no one offers a one-size-fits-all solution. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that are the perfect fit for your organization.

In this Research Briefing GRC 20/20 provides a framework for organizations evaluating or considering policy management solutions.

Agenda

  1. Defining & Understanding Policy Management
    Definition, Drivers, Trends & Best Practices
  2. Critical Capabilities of a Policy Management Platform
    What Differentiates Basic, Common, & Advanced Solutions
  3. Considerations in Selection of a Policy Management Platform
    Decision Framework & Considerations to Keep in Mind
  4. Building a Business Case for Policy Management
    Trajectory of Value in Effectiveness, Efficiency & Agility

Learn more: http://grc2020.com/product/how-to-purchase-policy-training-management-platforms/

Objectives

The GRC Pundit helps organizations . . .

  • Define and scope the policy & training management market
  • Understand policy & training management drivers, trends, and best practices
  • Relate the components of what makes a policy management platform
  • Identify core features/functionality of basic, common, and advanced policy management platforms
  • Map critical capabilities needed in a policy management platform
  • Predict future directions and capabilities for policy & training management
  • Scope how to purchase policy management platforms in a decision-tree framework
  • Discern considerations to keep in mind as you evaluate policy management solutions

Who Should Attend

This Research Briefing is aimed to assist . . .

  • GRC professionals with the responsibilities to identify, author, review, evaluate, approve, communicate, and maintain policies and related documents and training
  • GRC solution providers offering policy & training management solutions
  • GRC professional service firms advising organizations on policy management
  • GRC content & intelligence providers that provide policy and training content and templates

Instructor

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” – being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.


How Technology Enables Enterprise Risk Management

Risk management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. The risk management information architecture supports the process architecture and overall risk management strategy. With processes defined and structured the organization can now define the information architecture needed to support risk management processes. The risk management information architecture involves the structural design, labeling, use, flow, processing, and reporting of risk management information to support risk management processes.

A successful risk management information architecture will be able to integrate information across risk management systems and business systems. This requires a robust and adaptable information architecture that can model the complexity of risk information, transactions, interactions, relationships, cause and effect, and analysis of information, and that integrates and manages with a range of business systems and external data.

The risk management technology architecture operationalizes the information and process architecture to support the overall risk management strategy. The right technology architecture enables the organization to effectively manage risk and facilitate the ability to document, communicate, report, and monitor the range of risk assessments, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for risk management that connects the fabric of the risk management processes, information, and other technologies together across the organization. Many organizations see risk management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them . . .

[GRC 20/20’s Michael Rasmussen is the author of this post as a guest blogger; the full post is available at the following link: https://goo.gl/eWTTtP]

How to Purchase Policy & Training Management Platforms

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

The haphazard department and document centric approaches for policy and training management of the past compound these issues. With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

Organizations need to wipe the slate clean and approach policy and training management by design, with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization, with real-time information about policy conformance and how it impacts the organization. The policy and training management strategy and policy is supported and made operational through the policy and training management technology. The organization requires complete situational and holistic awareness of policies and related training across operations, processes, employees, and third party relationships to see the big picture of policy and training performance and risk. The architecture defines how organizational processes, information, and technology are structured to make policy and training management effective, efficient, and agile across the organization.

Policy and training management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. Successful policy and training management requires a robust and adaptable information and technology architecture. Policies and training need to come together in a unified employee experience where policies are displayed along with training. Policy management technology enables and operationalizes the overall policy and training management strategy. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitates the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for policy and training management that connects the fabric of the policy and training management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions. Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Dedicated policy and training management platform. This is an implementation of a point solution dedicated to policy and training management. This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes. These systems often can integrate with other systems to provide broader context of GRC and business intelligence.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. These solutions enable the integration of policy information with other areas of GRC such as case/investigation management (showing violations of policies), issue reporting on potential policy violations, risks which policies govern, obligations such as regulations that mandate policies, and controls which policies authorize. However, these solutions can be more costly to purchase, implement, and manage than dedicated policy solutions.

The right policy and training technology choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which business operates.

A well-conceived technology platform for policy and training management can enable a common policy and training framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, an architecture approach to policy management enables better performance, less expense, and more flexibility.

Some of the core capabilities organizations should consider in a policy and training management platform will be considered in this week’s live Research Briefing (which will be recorded and available on-demand).

GRC 20/20 has a detailed research piece that goes through why policy management is critical to organizations and their GRC strategies.

This same topic will be explored deeply in an interactive workshop in Houston on May 30th.

GRC Critical Capabilities and Purchasing Considerations

There is a broad array of governance, risk management, and compliance (GRC) related solutions available in the market. In fact, GRC 20/20 has catalogued and mapped over 800 technology solutions and over 300 content/intelligence solutions that organizations use to improve GRC processes in an effort to make them more efficient, effective, and agile. Navigating this array of solutions is not easy and organizations need to understand their needs today as well as into the future to select the right solution(s) that best fit their needs.

Some organizations are looking to solve a specific problem, such as addressing a regulatory requirement like GDPR, US Foreign Corrupt Practices Act, UK Modern Slavery Act, UK Senior Manager’s Regime, SOX, or PCI DSS compliance (just a random sampling, as there are thousands of regulations). Others are looking to address a range of requirements and risks within a specific department or domain like environmental, health and safety, IT security, internal control over financial reporting, HR investigations, or business continuity. Then some organizations look to address a specific area consistently across the organization, such as enterprise policy management, third party management, or enterprise investigations management. Then there are organizations looking to address a range of domains and GRC requirements across departments in a single or core common technology backbone; this is what we refer to as Enterprise GRC platforms.

There are two things to consider when looking at GRC related technologies.

  1. GRC is something you do, not something you buy. Yes, there is a wide range of GRC related technologies in the market, but at the end of the day GRC is not about technology; it is about an organization’s actions, decisions, capabilities, and collaboration on GRC. The official definition of GRC as found in OCEG’s GRC Capability Model, which I helped contribute to, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and acting with integrity [COMPLIANCE]. Certainly technology can enable this and make it more efficient, effective, and agile – but it is not a silver bullet that accomplishes this magically for the organization. The organization needs a strong culture, established boundaries of controls and policies, and strong processes for GRC to make a technology investment in any GRC related area a success.
  2. There is no one-stop shop for all of GRC. Yes, there are GRC platforms that can accomplish a range of capabilities and needs across departments for an organization. However, there is no solution out of the 800+ solutions that does everything GRC. In fact, there are broad solutions that span many areas, but they often do not go deep in some areas. Too often I find organizations with failed GRC projects because they try to do everything in one platform and find that in some weak areas of the platform they water things down and lose capabilities they previously had with deeper focused solutions.

Organizations should really be thinking about GRC architecture. There still is a core GRC platform when the organization has the maturity and cross-department collaboration to be successful, but this platform will have constraints. Organizations are best served with understanding these constraints and integrating best of breed solutions when and where they make sense. There are many organizations I interact with and advise that have an Enterprise GRC strategy that have a strong core platform for GRC and operational risk but break off and integrate best of breed solutions that go deeper in areas such as IT GRC/security, third party management, policy management, quality management, or commodity/market risk management. In fact, this past year I interacted with several organizations that all used one GRC solution for enterprise GRC and operational risk management and all three had another solution in place for IT GRC and security that went deeper in that area.

The point is that organizations should define their strategy and understand their processes, then select the right GRC technologies that provide the information and technology architecture to enable the strategy and processes rather than handicap them.

Some other common pitfalls in GRC solution selection to be aware of are . . .

  • RFP beauty contests. I work on a lot of RFPs and get engaged for my RFP templates and support regularly. I have seen a lot of horrible things happen in RFPs. Good solutions get ignored because some salesperson made a half-hearted attempt at answering questions, while a problematic solution gets selected because it had great but not always honest answers to RFP questions. Also, some solution providers are brutally honest in their RFP responses to their own demise, while other solution providers will say anything to win the deal. My job is often to come in, keep these solution providers honest, and raise red flags when I see them.
  • Client references are tricky. Understand that the client references solution providers give are often the decision makers who stand behind their decision to invest thousands to hundreds of thousands of dollars in a GRC solution. They will have rosy and glowing things to say about the solution. You need to ask these references the hard questions and word them in a way they cannot wiggle out of. Ask them what they like least about the solution. I also thank them for their time and ask if I could talk to someone on their team who works with the solution every day – one of the GRC worker bees. I often get a completely different perspective on the solution. In one situation the Chief Audit Executive loved the product and only had great things to say about it, while the auditors I talked to who reported to the CAE hated the solution; it was the bane of their workday.
  • Understand what is actually a feature in the solution. There are solution providers that say yes to everything in RFPs. Some do so because they are shady and will do anything it takes to win the deal; others do it because they genuinely believe they have a flexible solution that can simply be tailored to meet any need or requirement. Either way, I have seen implementations drag out for over two years because of all the build-out and customization required to deliver what the purchasing organization thought already existed based on the RFP response. I assisted one company in their RFP, and against my advice they selected a solution I did not recommend. I told them there was a lot that had to be built out and it would take a lot longer than they planned. They came back two years later and told me they wished they had listened to me, as they were just rolling out the initial phase of the solution and were seriously behind timeline and over budget. They are now with a different solution in the market.
  • Ease of use is critical. A solution can have tremendous capabilities, but if it is complicated to use, lacks intuitiveness, and users simply ignore it . . . the implementation fails. Many solutions in the market are very dated and have interfaces that look like they are 10 to 15 years old. This makes it hard to engage all levels of the organization on GRC. The number one selection criterion I see in organizations moving from one solution that has failed them to another is ease of use and intuitiveness. I advised one enterprise policy management implementation after an abysmal failure in which what could be done in one screen took three or four screens and lacked any sense of user friendliness and intuitiveness.
  • Integration and openness are key to success. Siloed solutions that do not integrate with other solutions are a dead end. Organizations need solutions that have a strong API for integration. One global Fortune 100 company I am advising on third party management needs to integrate its third party management platform with its ERP environment to sync master data records. They tried one solution which failed them on this because of data integrity issues in the syncing (and user experience issues as well); they are now seeing success with a different solution that has strong integration capabilities. This is important across GRC areas. For example, policy management solutions should be able to integrate with HR systems to receive new and changed employee records so that communication of new policies can be automated when employees are on-boarded or change roles in the organization.
  • Mobility matters in GRC. In most situations, if a solution does not have a mobility strategy it is best ignored. I am seeing growing demand for using tablets and smart phones for audits, assessments, investigations & case management, policy management and communication, training and clearing, issue reporting, and more.
  • Cloud is everywhere, but be cautious. Everyone has a cloud solution – but this does not mean all cloud solutions are equal. Some use the term cloud and simply mean a hosted model, while others mean a multi-tenant architecture. The scalability and cost parameters can make a difference here. Security must be understood and evaluated critically as well. I do not like the cloud naysayers that avoid it because they are concerned about security. I have seen many cloud environments that are more secure than the organizations evaluating them. This does not mean they all are secure . . . do your homework and evaluation.
I would love to hear your comments and thoughts on GRC related software and strategy. Please post below . . .


  • Have a question about GRC related solutions and strategy? GRC 20/20 offers complimentary inquiry to organizations looking to improve their policy management strategy and identify the right solutions they should be evaluating. Ask us your question . . .
  • Looking for GRC related solutions? GRC 20/20 has mapped the players in the market and understands their differentiation, strengths, weaknesses, and which ones best fit specific needs. This is supported by GRC 20/20’s RFP support project, which includes access to an RFP template with hundreds of requirements for each GRC domain.

Components for Developing an ERM Strategy

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to risk management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy of their interrelationships as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts on the entire ecosystem. This is also true in risk management. What further complicates this is the exponential effect of risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs holistic visibility and situational awareness into risk relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of risk data require that the organization implement a risk management strategy.

Different Approaches Organizations Take in Managing Risk

The primary directive of a mature risk management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of risks in context of organizational performance, objectives, and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks across the extended enterprise.

GRC 20/20 has identified three approaches organizations take to manage risk . . .

[GRC 20/20’s Michael Rasmussen is the author of this blog as a guest blogger at the following link]

Read more: https://www.doublechecksoftware.com/key-components-of-an-erm-strategy/

Technology Priorities for Compliance & Ethics

Past compliance processes were bogged down in documents and technology silos, which led to laborious and costly processes to gather information and report on compliance risk. Compliance departments over-relied on spreadsheets, documents, and email that lacked an audit trail, creating a legal disaster: an organization lacks a defensible position when it cannot prove compliance with a proper system of record and audit trail. With no auditable system of record, compliance information can also be compromised or tampered with. What may seem like an insignificant risk in one source of information may have a different appearance when other relationships are factored in. Siloed documents and processes create inefficiency, out-of-sync controls, and corporate policies that are inadequate to manage compliance. Organizations are encumbered by unnecessary complexity because they manage compliance within specific issues, without regard for an integrated framework and architecture, wasting time and resources in the process.

Effective compliance requires technology that has a robust system of record that proves a state of compliance and documents any changes made, thus providing a complete audit trail. In order for compliance to be an active and living part of the organization and culture, intelligent organizations are implementing a comprehensive compliance technology architecture.

Value Organizations Needed from Compliance & Ethics Technology

In a recent survey GRC 20/20 did in conjunction with OCEG (Technology Priorities for Compliance & Ethics: Aligning Technology to Changing Requirements), we asked the question, “Which of the following options align MOST with the value you would derive from an integrated ethics and compliance software solution?” The respondents indicated that their five most critical values for a compliance software platform are as follows:

  1. Regulatory Compliance and Defensibility. Ensure your company satisfies regulatory requirements and demonstrates ethical behavior by clearly documenting policy attestations, training completions, and investigations.
  2. Align Corporate Goals with Ethics and Values. Update business processes such as policy attestation, training, procurement, and employee communication to operationalize ethics and values. Analyze helpline issues and campaigns to identify and close gaps.
  3. Manage Your Complete Program with One Platform. One user interface via single sign-on for hotline/case, disclosures, training, policy and third-party risk, and reduced reporting time with pre-built dashboards to visualize and analyze compliance data alongside HR, procurement and travel data.
  4. Protect Your Brand. Increase employee engagement through helpline responsiveness and surface risks through centrally managed disclosures. Gaining employee trust means issues are reported internally and not to external media.
  5. Frictionless Employee Engagement. Easy-to-use multi-channel intake methods via hotline (phone), web, text (SMS), proxy, and disclosures allow accessible ways for employees to report workplace issues, ensuring the employee voice is heard.

While all of these values were critical, it was having the robust system of record to defend compliance and the ability to align corporate goals with the ethics and values of the organization that was ranked the most critical.

Broad Capabilities Needed from Compliance & Ethics Technology

Next, we focused on the capabilities organizations desired from technology to automate compliance and ethics processes. The top five capabilities that organizations ranked were:

  1. Compliance Reporting. Standard reporting that shows the number of reported issues by type and region, tracks policy attestations and online training completions, and shows disclosures up for review. The capability to export data for analysis in spreadsheets or business intelligence (BI) software.
  2. Policy Management. Distribute policies and track attestations with the option of targeting specific employee groups based on HR attributes, archiving older policy versions automatically, and quick search and retrieval of attested policies by employee.
  3. Learning Management. Distribute online training courses and track course completions, allow use of any standard training content (in-house or externally sourced) without depending on any one vendor.
  4. Disclosure Management. Distribute conflict of interest and gifts, travel and entertainment disclosure questionnaires for review, approval or conditional approval. Allow employee self-service and disclosure updates, and track all Yes and No answers for proactive risk management.
  5. Helpline and Case Management. Multilingual, global, and 24/7 incident reporting via anonymous phone, text, web, or proxy that allows investigators to manage simple or complex cases with multiple allegations and parties within the same case.

What Effective Risk Management Looks Like

This is Part Two of a four-part blog series on ERM . . .

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see its individual risks (the trees) as well as the interconnectedness of risk (the forest). Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional to cause; in the non-linear world of business, risk is exponential. Business is chaos theory realized. The small flutter of a risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result is often exponential and unpredictable.

Risk management processes are used to manage and monitor the ever-changing risk environments as a part of overall business processes, transactions, and systems. This requires that organizations have a risk management function that brings together risk management and business processes with an integrated risk management information architecture with embedded business intelligence and analytics.

An enterprise risk management program needs a structural design of risk management processes, including their components of inputs, processing, and outputs. This inventories and describes risk management processes, each process’s components and interactions, and how risk management processes work together in context of other enterprise processes.

Effective risk management processes deliver . . .

[GRC 20/20’s Michael Rasmussen is the author of this blog as a guest blogger at the following link]

Read more: https://www.doublechecksoftware.com/what-effective-risk-management-looks-like/

Why Enterprise Risk Management (ERM) is Critical to Modern Business

Organizations take risks all the time but fail to monitor and manage risk effectively for the enterprise. A cavalier approach to risk-taking results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards and executives, as well as for risk management professionals throughout the business. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively. Enterprise Risk Management, in this context, is an integrated part of everyone’s job and not just a matter for the back office of risk management.

The modern organization is . . .

[GRC 20/20’s Michael Rasmussen is the author of this blog as a guest blogger at the following link]

Read more: https://www.doublechecksoftware.com/why-enterprise-risk-management-erm-is-critical-to-modern-business/