Compliance in Dynamic and Distributed Business

The hot topic for 2018 is certainly compliance. Compliance is more than adherence to laws and regulations; it is about the integrity of the organization to its ethics, values, social responsibility, policies, commitments, contracts, and controls. I have been stating for over a decade that the best executive title for a compliance executive is a Chief Integrity Officer, but we already have a CIO in the executive suite. A particular focus right now is on sexual harassment. I am having a lot of conversations on this front with organizations looking to communicate policies and deliver training. While this is critical to compliance, it needs to be lived and breathed by all levels of management as well.

Individual ethics and values also have to align with corporate ethics and values. It was just over a decade ago that I left a former employer. Why? A difference in values on a topic that is so critical today. The organization paraded at a company meeting how they were having a senior executive of an ‘adult entertainment’ company keynote at one of our conferences. Though I am a man, I thought this was a slap in the face to the women that worked in the company and were our clients. I protested and it was the foundational reason I left. Things need to change, and compliance is critical in changing it.

Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with regulatory obligations. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance management boils down to defining – and maintaining – corporate integrity.

Compliance is not easy. The larger the organization the more complex its operations and corresponding compliance obligations are. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees start, others change roles, some leave the organization. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to a corporate compliance and ethics program. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants, and staffing) their compliance risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal compliance risk and external compliance risk. What may seem insignificant in one area can have profound impact on others.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and ethical obligations?

Compliance obligations and ethical risk are like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of compliance data. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing requirements as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

The Inevitable Failure of Compliance Silos

Compliance activities managed in silos of technology often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, and siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance processes can provide greater insight into the state of the integrity of the organization. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance information results in these phenomena, each one feeding off the last:

  • Redundant and inefficient processes. Managing compliance in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency, and agility. The organization ends up with a variety of processes, applications, and documents to meet individual compliance mandates. The result: a major drain of time and resources.
  • Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple compliance assessments asking the same questions in different formats. Limited visibility across the compliance risk exposure ensues.
  • Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, more points of failure, and more compliance gaps leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
  • Lack of agility. Reactive compliance strategies managed in information silos handicap the business. Bewildered by a maze of approaches, processes, and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
  • Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide inter-dependencies. This fragmented view creates gaps that cripple compliance management and leaves the business ill-equipped to align compliance initiatives with business objectives.

Compliance Management: Does Your Organization Walk its Talk?

Increased regulatory and ethical pressures are transforming the traditional role of compliance. Compliance departments are taking on broader responsibility for ethics, compliance, corporate culture, and social responsibility. With greater frequency, they are moving out from under the legal department into a direct reporting relationship to the CEO and/or Board, particularly in highly regulated industries.

Some organizations are differentiating between operational compliance and legal compliance by leaving a function within legal for monitoring and interpreting relevant laws. In some cases, regulators are requiring, or at least encouraging, compliance to report outside of legal so it has greater autonomy to raise and resolve issues. The critical point: enabling compliance to report directly to the Board of Directors. Since 1996 in the US, oversight responsibility to ensure compliance and ethics programs are in place falls squarely on the Board. This was made clear in the United States Sentencing Commission Organizational Guidelines, which require that Boards be knowledgeable about compliance risk and about the content and operation of the compliance and ethics program, and that they exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program – with specific ability for the compliance function to have direct access to the Board or an appropriate subgroup of the Board.[1]

Most companies today at least try to address the legal requirements and compliance obligations bearing down on them. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance are evolving from scattered silos to a strategic enterprise pillar: the bastion and champion of corporate integrity.

Therefore, we see that compliance is mandated to take on greater relevance as it guides the enterprise beyond traditional concepts of being the compliance “cop.” This requires an integrated role in the organization’s proactive GRC management programs. Ideally, today’s compliance function will possess a solid understanding of the company’s ethical, regulatory, and cultural risks, how they relate to each other, and how they fit into broader enterprise risk strategies. Reliance on well-established processes will provide assurance that ethics and compliance efforts are sufficient and operate as designed.

Today’s business entity must ensure compliance is understood and managed company-wide; that its obligations are more than written policies, but part of the fabric of operations; and that a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure to the organization’s integrity.

Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance, whether its activities are effective, and how they are enhancing shareholder value and providing assurance on the integrity of the organization. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance from the top down. The breadth and depth of compliance bearing down on companies today requires a robust compliance program operating in the context of integrated processes and information.

[1] USSC – http://www.ussc.gov/Guidelines/Organizational_Guidelines/guidelines_chapter_8.htm


Addressing the Challenges of Third Party Management/GRC

The governance, risk management, and compliance (GRC) across third party relationships (e.g., vendors, suppliers, contractors, agents) is a significant challenge for organizations. Organizations today are not defined by brick and mortar walls or traditional employees. The modern organization is a complex web of nested business relationships and transactions. GRC 20/20, in our research, is interacting with organizations around the world that are developing strategies, processes, and implementing information and technology to address GRC of third party relationships. The challenges are many faceted and organizations are finding that they need a federated and consistent approach to third party management that addresses the needs of a range of departments and issues. These span:

  • Anti-bribery and corruption (e.g., US FCPA, UKBA, France’s Sapin II)
  • Human rights and slavery (e.g., UK Modern Slavery Act, Conflict Minerals, California Transparency in Supply Chains Act)
  • Information security and privacy (e.g., GDPR, OCC Vendor Risk Management, PCI DSS)
  • Labor standards (e.g., child labor, forced labor, working hours, wages)
  • Environmental (e.g., traceability, sustainability, CSR)
  • Health and Safety (e.g., disasters, injuries, loss of life)
  • Financial stability
  • Business continuity
  • Operational risk
  • Ethics and Code of Conduct
  • And the list goes on . . .

I am in the United Kingdom this week and have interacted with organizations over here on many of these topics. Big issues impacting third party management include Brexit, GDPR, the UK Modern Slavery Act, and the UK Bribery Act; France’s Sapin II has come up a few times.

GRC 20/20 defines Third Party Management as:

Third party management is the capability to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across the organization’s third party relationships/extended enterprise (adapted from the OCEG GRC definition).

Needless to say, the breadth and scope of third party risk and compliance concerns are legion. Last week I taught my Third Party Management by Design workshop in Philadelphia (this workshop is being done next week in New York City as well). There were about 20 companies registered and they identified the following challenges at the beginning of the workshop:

  • Understanding who are our 3rd Parties? Status? Rank? Active contracts?
  • Managing third parties across distributed departments and business units
  • Across Which Business Units
  • Validating that third parties have controls in place
  • Managing compliance across a range of regulatory requirements
  • Developing a culture of third party trust but verify
  • How to manage data breach and incident notification? How do we know when a third party has an issue?
  • Measuring financial impact and potential damage/exposure of third parties
  • Remediation verification of control gaps and inspection issues of third parties
  • How to manage changes in scope of the 3rd party services
  • Managing third parties across mergers and acquisitions
  • Building a business case for time and resources to manage third parties
  • Managing right to audits and inspections effectively and efficiently.
  • How do we provide validation and risk rating
  • Defining who are critical third parties are that can cause us the most exposure
  • Managing 4th parties down through nested supply chain and subcontracting relationships
  • Identifying and fully mapping all 3rd party relationships

These topics and more were discussed and collaborated on by participants in last week’s workshop, and the discussion will begin anew with next week’s workshop in New York City.

Too often departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy for third-party management across the enterprise. Organizations manage third-parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third-party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third-party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

When the organization approaches third-party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third-party management results in poor visibility across the organization, because there is no framework or architecture for managing third-party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third-party relationships that is supported and automated with information and technology.

Third Party Management Workshop

GRC 20/20 will be leading an interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Case Management: Benefits of Case Management Software

Over the past several weeks, I have been exploring the challenges and strategic approaches and processes for issue reporting and case management. Previous posts include:

With processes defined and structured the organization can now define the information architecture needed to support issue reporting and case management processes. Issue reporting and case management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a structured and coordinated whole. The issue reporting and case management information architecture involves the structural design, labeling, use, flow, processing, and reporting of information to support issue reporting and case management processes. This architecture supports and enables the process structure and overall issue reporting and case management strategy.

A successful issue reporting and case management information architecture will be able to integrate, manage, and report on issues and cases across the organization. This requires a robust and adaptable information architecture that can model the complexity of information, transactions, interactions, relationships, cause and effect, and analysis of information, and that integrates with and manages a range of business systems and data.

The issue reporting and case management technology architecture operationalizes information and processes to support the overall strategy. The right technology architecture enables the organization to effectively manage issues and facilitate the ability to document, communicate, report, and monitor the range of investigations, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for issue reporting and case management that connects the fabric of the processes and information together across the organization. Many organizations see issue reporting and case management initiatives fail when they purchase technology before understanding their process and information requirements. The “best” systems are the ones that are highly configurable to a client’s situation and can be adapted to the company’s forms, processes, and technical architecture. The system should not run the business; the business should run the system. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring. This is where most organizations have focused in managing issues and cases. There is increased inefficiency and ineffectiveness as this document centric and manual approach grows too large and limits the amount of information that can be managed.
  • Custom built databases. Organizations also have built custom internal databases to manage issues and cases. The challenge here is that the organization ends up maintaining a solution that is limited in function and costly to keep current. Many companies go from the document and spreadsheet approach to building a custom database that is limited in features, reporting, and scalability at a cost of internal IT resources and maintenance.
  • Issue reporting and case management platforms. These are solutions deployed for issue reporting and case management and have the broadest array of built-in (versus built-out) features to support the breadth of case management processes. In this context, they take a full-lifecycle view of managing the entire process of issue reporting and case management. These solutions allow an organization to govern incidents and issues throughout the lifecycle and enable enterprise reporting.

Most homegrown systems are the result of starting with tools that are readily available and easy: documents, spreadsheets, emails, and desktop databases. Too many organizations take an ad hoc approach to issue reporting and case management by haphazardly using documents, spreadsheets, desktop databases, and emails, which then dictates and limits what their issue reporting and case management process can be. This approach then grows and expands, quickly outgrowing these desktop tools to the point where it becomes cumbersome. Organizations suffer when they take a myopic view of issue reporting and case management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which the business operates. The right issue reporting and case management technology architecture choice for an organization involves an integrated platform to facilitate the correlation of issue and case information, analytics, and reporting.

Governance, Risk Management and Compliance of Third Party Relationships

One of the greatest challenges facing organizations today is governing third party relationships, particularly the risk and compliance aspects of these relationships. Organizations today are dynamic, distributed, and face constant disruption, and this is exponentially impacted by the number and variety of third party relationships in an organization.

Consider that over half of many organizations’ ‘insiders’ are no longer traditional employees. Brick and mortar walls no longer define the organization. An employee no longer defines the organization. The organization itself is a mesh of nested business relationships, transactions, connections, and interactions. Organizations consist of vendors, suppliers, outsourcers, service providers, consultants, contractors, temporary workers, brokers, dealers, intermediaries, agents, and more. These often nest themselves in layers of relationships that impact the organization. The issues down the supply chain are the organization’s issues and risks.

This is compounded by the ongoing change organizations are facing: changing business, changing regulations, and changing risks. As much as the core organization is changing, all of these relationships are constantly changing as well. A third party might have been the right organization to contract with three years ago, but it has changed and may not be today.

There are a growing array of regulations and legal liabilities impacting organizations in context of third parties. Consider . . .

  • Anti-bribery and corruption (e.g., US FCPA, UK Bribery Act, Sapin 2)
  • Human rights/slavery (e.g., US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act)
  • Privacy and information security (e.g., GDPR, PCI DSS, HIPAA, GLBA, PIPEDA)
  • International labor standards (e.g., child labor, forced labor, working hours)
  • Quality
  • Environmental
  • Health & safety
  • Geo-political risk
  • Business continuity
  • And more . . .

Organizations cannot haphazardly manage third parties; they need a structured and governed process to see that risk and compliance are addressed in these relationships. GRC 20/20 is interacting in our research with organizations around the world that are developing third party risk management strategies and looking to define processes and solutions to address the growing challenge of third party governance, risk management, and compliance (GRC). This ranges from working with large global organizations on their social accountability and third party advisory boards, to helping companies develop strategies and select the right technology to manage third party risk, to identifying business value for an integrated and cross functional team on third party risk GRC.

GRC 20/20’s definition of Third Party Management/GRC is adapted from the OCEG GRC definition. It is . . .

Third party management is a capability that enables an organization to: reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in and across its third party relationships.

GRC 20/20 offers a variety of resources to organizations looking at developing their Third Party Management/GRC strategy. This includes our foundational written piece of research, Third Party Management by Design.

GRC 20/20 will be facilitating two upcoming (and complimentary) workshops on Third Party Management by Design in the next month. Complimentary registration is open to individuals responsible for, or part of, a strategy for managing their organization’s array of third party relationships. The format is a workshop and collaboration. While there are lecture portions to the day, the goal is to learn through collaboration with peers and interaction on workshop activities. The upcoming workshops are:

  • Third Party Management by Design Workshop, Philadelphia, November 2. Blueprint for an Effective, Efficient & Agile Third Party Management Program. Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organization is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Organizations are a mixture of contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more. The extended enterprise of third party relationships brings on a…
  • Third Party Management by Design Workshop, New York, November 14. Blueprint for an Effective, Efficient & Agile Third Party Management Program. Organizations are no longer a self-contained entity defined by brick and mortar walls and traditional employees. The modern organization is comprised of a mixture of third party relationships that often nest themselves in complexity such as with deep supply chains. Organizations are a mixture of contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more. The extended enterprise of third party relationships brings on a range of…

GRC 20/20 also offers a recorded Research Briefing to guide organizations on how to purchase Third Party Management/GRC solutions:

As part of GRC 20/20’s research, we offer complimentary inquiry to organizations working on strategies and exploring technology solutions. Simply ask GRC 20/20 your questions on third party management strategy, process, as well as information and technology solutions that we monitor in the market as part of our research.

Other GRC 20/20 Third Party Management resources can be found at: http://grc2020.com/product-category/grc-functional-area/third-party-management/

GRC Innovation, Simplicity & Directions

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.[1]

A primary directive of GRC 4.0 is to provide GRC processes and information that are innovative, contextually intelligent, accessible, and engaging. GRC done right minimizes its impact on the business while still maintaining insight into and control of risk across the business. GRC should be intuitive to the business, and GRC technology should provide the right information in a way that works for the business.

GRC architecture, and particularly technology, should never get in the way of business. Why do some enterprise GRC projects take two years for just the initial implementation to be built out? The primary issue is overhead in extensive services and technology customization to integrate and develop massive GRC implementations that end up slowing the business down and delaying value (if value is ever achieved). There is a huge gap between being functional and being agile in some legacy GRC technology solutions on the market. GRC architecture is to be beyond functional: agile and valuable to the business. GRC architecture is to deliver a harmonious relationship of GRC information that supports the business. GRC is to enable enterprise agility by creating dynamic interactions of GRC information, analytics, reporting, and monitoring in the context of business.

Like Apple with its innovative technologies, organizations must approach GRC in a way that re-architects the way it works as well as the way it interacts. The GRC 4.0 goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right contextually relevant GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

GRC 4.0 is about delivering innovative, intuitive, and agile GRC to the business in context of business. It delivers 360° contextual GRC intelligence through the use of artificial intelligence, cognitive computing, machine learning, and natural language processing. It provides engaging and user friendly experiences that minimize process overhead while enabling the organization to reliably achieve objectives, while addressing uncertainty, and act with integrity.

GRC 20/20 will be defining GRC 4.0 and listing the latest in GRC technology innovations, user experiences, inquiry and RFP analysis from organizations looking at solutions, and overall market drivers and trends. GRC 20/20 will be specifically recognizing the solutions in the space that have delivered on GRC innovation and user experiences through the 2017 GRC Innovation and User Experience Awards.

  • 2017 GRC Market 4.0: The Good, The Bad & The Ugly in GRC Drivers & Trends
    October 23 @ 10:00 am – 12:00 pm CDT
    Analysis & Details on GRC Buying Trends & Needs. GRC 20/20’s latest market drivers, trends, inquiries, and RFP analysis for GRC 4.0. The most current look at the next generation of the GRC market for the next five years. 2017 has been the busiest year to date in the GRC market. GRC 20/20 has seen a record number of inquiries and RFPs across GRC domains in 2017 and forecasts increased activity into 2018. This research briefing provides a breakdown of…
  • 2017 GRC 4.0 Market Sizing, Forecasting, Analysis & Segmentation
    October 30 @ 10:00 am – 12:00 pm CDT
    GRC 20/20’s latest market sizing and segmentation for GRC 4.0. The most current look at the next generation of the GRC market with new segmentation, sizing, and forecasting for the next five years. This Market Research Briefing is a two-hour briefing that delivers an analysis of the GRC market segmentation, drivers, trends, sizing, growth, forecasting, and market intelligence. GRC 20/20 has spent the last several months doing a complete overhaul of our market data, models, segmentation and mapping of solutions, sizing, and forecasting.…

[1] This quote has been attributed both to Einstein and E.F. Schumacher.

GRC 4.0 – the Next Generation of Cognitive GRC Technology

For those that follow my research, governance, risk management, and compliance (GRC) is something every organization does, though not every organization does it well. Every organization has some approach to GRC, whether they call it GRC or something else. Many do not have a name for it. It can range from an unstructured, reactive, non-integrated, fire-fighting approach to a structured, integrated, collaborative approach. From my perspective, every organization does GRC in some form or fashion. The question is how it can be more efficient, effective, and agile in the organization.

The official definition for GRC, as found in the OCEG GRC Capability Model, is that GRC is a capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].

GRC is about people and process, and not primarily about technology. I have been referred to as the Father of GRC, being the first to use the acronym back in February 2002 while at Forrester. Yes, I talk about GRC technology, but technology is used to enable GRC and make it more efficient, effective, and agile. It really bothers me when organizations tell me they just bought GRC. You do not buy GRC, you do GRC. Technology just enables it. Still, technology is used in every aspect of GRC, from manual processes burdened with documents, spreadsheets, and emails to structured enterprise GRC programs.

That being said, there is a wide range of technologies to enable GRC and make it more efficient, effective, and agile. GRC 20/20 has mapped over 800 technology solutions into various aspects of the GRC market. No one does everything. There are enterprise GRC platforms, audit management platforms, IT GRC, EH&S solutions, policy management, compliance management, case management, third party management, and many more. GRC 20/20, in our research and interactions, helps organizations identify their requirements and select the right technologies to meet those requirements. We answer between 5 and 15 inquiries every week from organizations looking for technologies to enable aspects of GRC.

GRC 20/20 is announcing the advent of GRC 4.0. This is the 4th generation of GRC-related technologies in the market. The key aspect of GRC 4.0 is the enablement of GRC across the organization and its relationships to provide 360° contextual awareness of GRC activities, processes, and alignment with business strategy and objectives. Another key aspect of GRC 4.0 is the use of artificial intelligence, cognitive computing, machine learning, and natural language processing to further automate and enable GRC in organizations.

GRC 20/20 will be presenting on the latest GRC 4.0 definition, market drivers, trends, segmentation, sizing, and forecasting in the following upcoming Research Briefings . . .

  • 2017 GRC Market 4.0: The Good, The Bad & The Ugly in GRC Drivers & Trends
    October 23 @ 10:00 am – 12:00 pm CDT
    Analysis & Details on GRC Buying Trends & Needs. GRC 20/20’s latest market drivers, trends, inquiries, and RFP analysis for GRC 4.0. The most current look at the next generation of the GRC market for the next five years. 2017 has been the busiest year to date in the GRC market. GRC 20/20 has seen a record number of inquiries and RFPs across GRC domains in 2017 and forecasts increased activity into 2018. This research briefing provides a breakdown of…
  • 2017 GRC 4.0 Market Sizing, Forecasting, Analysis & Segmentation
    October 30 @ 10:00 am – 12:00 pm CDT
    GRC 20/20’s latest market sizing and segmentation for GRC 4.0. The most current look at the next generation of the GRC market with new segmentation, sizing, and forecasting for the next five years. This Market Research Briefing is a two-hour briefing that delivers an analysis of the GRC market segmentation, drivers, trends, sizing, growth, forecasting, and market intelligence. GRC 20/20 has spent the last several months doing a complete overhaul of our market data, models, segmentation and mapping of solutions, sizing, and forecasting.…

Components of an Effective Incident/Case Management Process

Distributed and dynamic business requires the organization to take a strategic approach to issue reporting and case management. Organizations require complete situational and holistic awareness of issues, incidents, investigations, and cases across business operations and processes. This is best approached through structured and accountable processes enabled through an integrated information and technology architecture for issue reporting and case management. The goal is to manage individual issues at the detail level while being able to see the big picture and trends of issues and their impact on overall risk and compliance exposure.

Two essential components for a mature and robust issue reporting and case management program are:

  1. Structured processes for issue reporting and case management.
  2. Integrated information and technology architecture for issue reporting and case management.

Issue reporting and case management processes determine the types of information needed, gathered, used, and reported. It is through the integrated information and technology architecture that processes can be properly managed. The architecture defines how organizational processes, information, and technology are structured to make issue reporting and case management effective, efficient, and agile across the organization.

Issue Reporting & Case Management Process Structure

Issue reporting and case management processes are a subset of overall business and GRC processes. Issue reporting and case management identifies where things are going wrong with a goal of containing, addressing, and correcting exposure, loss, and incidents. The issue reporting and case management process is the structural design of tasks and management of how issues are reported, investigated, and resolved.

Structured processes for issue reporting and case management define responsibilities, workflow, tasks, how issues are reported, how cases are managed, and how the processes work together as an integrated whole with other GRC and organizational processes. Issues and cases provide objective information that should in turn feed into risk management models as well as compliance reporting. For a mature GRC program, the organization requires the ability to track all issues across the enterprise (e.g., employee issues, customer issues, poor product quality, and supply chain).

There are five foundational process components that organizations should have in place for issue reporting and case management:

  1. Strategic/operational case planning and administration. This involves the ongoing planning and administration of issues, cases, investigators, workload, and tasks. Core to this is resource and case planning and administration, the ability to measure cycles/seasonality of cases, backlog, resource planning, and costs.
  2. Issue intake & triage. This is the foundational component where issues are reported. It involves being able to report and process issues coming from hotlines, web forms, management reports, and other inputs. The goal is to eliminate noise, consolidate duplicated issue reports, filter out non-cases, and focus on what is critical and exposes the organization to the greatest risk. It is critical that the organization has the ability to automatically link issues being reported to cases, parties, processes, places, and other relationships. From here, initial planning and assignment of cases is done.
  3. Investigation. This is the heart of the process that takes reported issue(s) and manages the process of investigation through to closure. Investigators need structured templates and processes to keep everything organized, document the investigation, manage tasks, provide notifications and escalation, and keep all information in one place for ease of reporting. The more the organization can automatically define the process to investigate an issue/case, the better. Accountability, centralization of information, keeping everything current and up to date, and having a defensible system of record that can stand up in court is critical to this stage of the process.
  4. Remediation & resolution. History repeats itself because no one was listening the first time. This stage of the issue reporting and case management process ensures that remediation steps are followed to mitigate or eliminate the risk of further issues and incidents. The organization needs to be able to track action items and ensure that things do not slip through the cracks, in order to obtain a reduction in repeated and future cases. The organization requires the ability to link issues to policies and procedures to ensure they are updated as resolutions dictate.
  5. Reporting, analytics & metrics. This is the stage of the process that provides detailed reports on both individual and aggregate cases. The organization should be able to track past due tasks, benchmark timelines of cases, identify where loss can be mitigated, and reduce gaps.

WEBINAR: Case Management

Building a Business Case & Articulating Value to the Organization

Organizations often approach issue reporting and case management in manual processes encumbered by documents, spreadsheets, and emails. This taxes and slows down investigation processes, and makes reporting very time consuming and often inaccurate because of scattered information. GRC 20/20 Research has conducted a detailed study of organizations that moved from manual, document-centric approaches to i-Sight case management. GRC 20/20 found that organizations that utilize purpose-built software for case management make their issue reporting and case management processes more efficient, effective, and agile. This results in a quantifiable return on investment.

On October 5th, 2-3pm, join presenter Michael Rasmussen as he outlines how case management software can make issue reporting and case management more efficient and agile.
In this webinar, organizations will learn how to:

  • Avoid the costs of manual document-centric processes in wasted time and resources
  • Identify specifics on how software makes issue reporting and case management more efficient, effective, and agile
  • Measure and quantify the value in time and dollars saved with case management software
  • Build a business case to justify case management software in your organization

Register: https://i-sight.com/resources/case-management-software-building-a-business-case-articulating-value-to-the-organization/?leadsource=GRC2020

Challenges in Issue Reporting & Case Management

The Best Laid Plans of Mice and Men . . .

Organizations today are distributed and dynamic. With the globalization of business, organizations find that governance, risk management, and compliance (GRC) has become complex, crossing departments, jurisdictions, geographies, and cultures. The modern organization is a complex web of employees, suppliers, vendors, contractors, consultants, agents, and third parties. At the same time, organizations are constantly changing: business is dynamic. Employees, relationships, regulations, risks, economies, litigation, and legislation are constantly changing. GRC professionals are challenged to get a big-picture point of view of the range of issues being reported across the organization and the management of cases that impact the organization’s “ability to reliably achieve objectives while addressing uncertainty and acting with integrity.”[1]

Issue reporting and case management has become a moving target which needs a structured approach supported by a strong process, information, and technology architecture. Well run organizations, with GRC processes, still have issues, incidents, cases, and investigations. As the poet Robert Burns states, “The best laid plans of mice and men often go awry.” Whether unintentional issues or acts of the malicious miscreant, organizations need to be prepared and have established processes in place to manage issues as they arise in the organization.

The typical organization has a variety of departments managing a diverse range of issues, cases, incidents, and investigations.[2] These issues and cases are often managed in silos of documents, spreadsheets, and emails or in home-grown databases and applications. Different departments often have diverse approaches, and the organization does not have insight into the range of issues that are happening across operations. Organizations often lack a central repository for case management, and the use of home-grown solutions has limitations that make the issue management processes inefficient, ineffective, and burdensome to the organization. Issue reporting and case management is often a tactical and fragmented effort, with highly diverse approaches taxing the business.

Issue management across the organization is often scattered across departments, such as:

  • Corporate security
  • Customer complaints
  • Environmental
  • Ethics and compliance
  • Fraud and corruption
  • Health and safety
  • Human resources
  • Insurance claims
  • IT security
  • Legal
  • Physical security
  • Privacy
  • Quality
  • Third party suppliers and vendors

The breadth of silos to issue reporting and case management results in a maze of disconnected processes, reporting, and information. These are redundant, document-centric, and manual approaches that do not integrate and are highly inefficient. Different functions spend more time managing the volume of emails, documents, and spreadsheets than they actually do managing the issues themselves. The line of business is overwhelmed with inconsistent approaches to issue reporting and case management.

This fragmented approach to issue reporting and case management resembles battling the multi-headed Hydra in mythology. As the Hydra grows more heads of risk, regulation, and ethical challenges, issue reporting and case management professionals find that scattered approaches leave them exhausted and overwhelmed as they lose the battle. This results in a reactive fire-fighting approach to issue reporting and case management, with silos of data that professionals struggle to find the time to coordinate and link together manually. This piecemeal approach is inefficient, increases risk exposure, and leads to serious matters that fall through the cracks. Redundant and inefficient processes lead to overwhelming complexity that slows down the business in an environment that actually requires agility.

The document-centric, scattered, and manual processes of the past have impaled case management functions with inefficiency. Process management and reporting is primarily comprised of emails, documents, shared files, homegrown databases, spreadsheets, and manual processes. Case management professionals are spending a disproportionate amount of time collecting data and reporting on data instead of time spent adding strategic value to the business through analyzing and trending the data collected. This antiquated approach leaves teams with flat metrics that lack context and don’t help professionals identify or address problematic processes, culture, or behavioral issues. GRC professionals often express to GRC 20/20 Research their frustration with the:

  • Inability to gain a clear view of issue reporting and case management interdependencies
  • High cost of consolidating silos of GRC and issue management information
  • Difficulty maintaining accurate GRC and issue management information
  • Failure to trend across issues, departments, and reporting periods
  • Incapability of providing GRC and issue intelligence to support business decisions and strategic planning
  • Redundant approaches that limit correlation, comparison, and integration of information
  • Lack of agility to respond promptly to changing regulations, laws, and business environment

Dynamic & Distributed Business Compounds the Problem

Organizations are seeing increased scrutiny and focus on compliance activities from several directions:

  • Governments worldwide are increasing their scrutiny of organizations and have become more prescriptive in their regulations and standards.
  • Enforcement agencies have grown more sophisticated in assessing “real” versus “paper” ethics and compliance efforts.
  • Stakeholders, including investors, activist groups, consumers, business partners, and employees are demanding transparency and accountability.

These challenges are making organizations rethink their approach to issue reporting and case management. Organizations are looking for greater agility and effectiveness, while achieving greater efficiency with human and financial resources in identifying and resolving issues. The goal is to:

  • Align with stakeholder demands for transparency and accountability.
  • Leverage emerging technologies to improve efficiency, effectiveness, and agility.
  • Enable GRC professionals to better target resources where issues identify the greatest exposure.

This trend points in one clear direction: a new issue management architecture that is dynamic, predictive, and information-based, through the deployment of an integrated information, intelligence, and analytics architecture that overcomes the inefficiencies of the manual and document-centric approaches of the past. This approach to issue reporting and case management delivers demonstrable proof of risk and compliance management, enables discovery and containment of issues, and shifts the focus of efforts from being reactive and “checking the box” to being proactive and forward-looking. Organizations need greater efficiency in processing and managing issues with structured information and process, greater effectiveness in ensuring corporate integrity, and increased agility in addressing rapidly changing business, regulatory, legal, and reputational risks.

The bottom line: Issue reporting and case management programs have been very tactical and inefficient in the past in collecting issue reports and managing cases. GRC functions across the organization have lacked an overall approach to manage issues, provide reporting and analytics, and the ability to move issue reporting and case management from the tactical approach to an integrated strategic approach that aligns with governance, risk management, and compliance strategy and processes. A centralized issue reporting and case management system saves time and money and creates an environment where the organization can measure the effectiveness and efficiencies of GRC resources.


[1] This is the official definition of GRC as found in the OCEG GRC Capability Model.
[2] For the purpose of this report, the term issues and cases will be used but should be understood to include incidents and investigations.

GRC in Crisis

The world around us is in a state of alarm. Hurricane after hurricane hits the Gulf of Mexico and Caribbean. Devastating earthquakes have hit Mexico. Geo-political tensions are playing themselves out in the United Nations and the news. There has been a massive data security and privacy breach at Equifax. My home state of Montana (yes, I live in Wisconsin but was raised in Montana) has had one of its worst years of forest fires, with nearly one million acres burned.

All of this has led organizations to rethink their approach to GRC, in particular the components of business continuity, environmental, health and safety, operational risk management, and even third party management as organizations look at continuity and security of supply chains and vendors. What is disappointing to me is how many organizations fail to take an integrated approach to these areas. It boggles my mind the number of business continuity programs that operate completely separate from an operational risk management program. Logic dictates that business continuity should be a critical part of an operational risk management strategy . . . yet organizations approach these as disconnected functions.

The greatest insight into, and rewards from, risk and control come from an integrated information architecture that provides 360° contextual intelligence. That is the only way to connect the dots and see the big picture of the interconnectedness and relationships of risk, control, and continuity.

GRC is an integrated capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and act with integrity [compliance] (definition from the OCEG GRC Capability Model). Organizations should carefully think through their overall strategy to Governance, Risk Management, and Compliance across the organization and look for ways to make it more efficient, effective, and agile in a dynamic, distributed, and disrupted environment.

As part of GRC 20/20’s research, we offer organizations looking for GRC solutions complimentary inquiry (email or phone) to navigate the hundreds of solutions in the market that GRC 20/20 has mapped and differentiated by capability. This is part of our research, as we interact with organizations to learn how GRC and its components can be efficient, effective, and agile.

GRC areas for inquiries include:

  • Enterprise GRC
  • Audit Management & Analytics
  • Automated & Continuous Control
  • Business Continuity Management
  • Compliance & Ethics Management
  • Environmental Management
  • Health & Safety Management
  • Internal Control Management
  • IT GRC Management
  • Issue Reporting & Management
  • Legal Management
  • Physical Security Management
  • Policy & Training Management
  • Quality Management
  • Risk Management & Analytics
  • Strategy & Performance Management
  • Third Party Management

GRC 20/20 Events Next Week

IT GRC Management by Design Workshop, San Francisco September 25

  • Blueprint for an Effective, Efficient & Agile IT GRC Management Program
    Workshop Abstract: Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the…

2017 GRC Market: The Good, The Bad & The Ugly in GRC Drivers & Trends September 28 @ 10:00 am – 12:00 pm CDT

  • Analysis & Details on GRC Buying Trends & Needs 2017 has been the busiest year to date in the GRC market. GRC 20/20 has seen a record number of inquiries and RFPs across GRC domains in 2017 and forecasts increased activity into 2018. This research briefing provides a breakdown of GRC solution drivers, trends, and forecasting by geography, industry, type of GRC technology, and buyer persona. A detailed analysis of RFP trends and inquiries that GRC 20/20 has worked on…

GRC Archetypes: Compliance & Ethics Management

Compliance and ethics has become a significant challenge for organizations across industries, geographies, and business boundaries. It is inundated with challenges such as anti-bribery and corruption, market conduct, conflicts of interest, third party (e.g., vendor/supplier) compliance, code of conduct, and more. Organizations are struggling to deal with the pace of regulatory change, not only from new regulations but from changing/evolving regulations, enforcement actions, and administrative decisions. Global financial services firms are dealing with approximately 201 regulatory change events every business day (source: Thomson Reuters).

Compliance becomes further complicated by different geographies that have different approaches to compliance. In the USA it is very much a check-box/prescriptive approach. Organizations want a specified list of what they have to do and then want a “get out of jail free” card if they do those things. In Europe the approach is focused on principle- or outcome-based compliance. It is not prescriptive. Regulators tell you what you have to achieve as an outcome but do not tell you how you have to achieve it. This requires a much stronger risk management approach to compliance to determine how best to comply.

The challenge for compliance and ethics grows exponentially as organizations face greater obligations to manage compliance across their third party relationships of vendors, suppliers, outsourcers, service providers, contractors, consultants, intermediaries, brokers, agents, dealers, and other partners. Their compliance and ethics issues are the organization’s compliance and ethics issues. The legal and regulatory environment of today is making that clearer than ever.

Compliance and ethics, however, is much more than regulatory compliance. Compliance and ethics is about the very integrity of the organization: not just meeting regulatory requirements, but ensuring the organization is aligned with and adhering to the values, ethics, policies, corporate social responsibility commitments, contracts, and other obligations of the organization. I have been stating for the past decade that the true Chief Compliance and Ethics Officer is really the Chief Integrity Officer of the organization.

The truth of compliance is that it is very fragmented. In all of my research, spanning interactions with thousands of organizations, I have not encountered one Chief Ethics & Compliance Officer that is truly responsible for oversight of all of compliance. There are many disconnected factions of compliance in organizations: corporate compliance and ethics, human resources compliance, IT compliance, privacy compliance, quality compliance, third party compliance, environmental compliance, health and safety compliance, . . . .

The problem is that this leads to a lot of redundancy. Organizations are finding that they lack agility, as there are uncoordinated approaches to compliance and the business is struggling with multiple systems and processes that are very repetitive and confusing. Organizations often have dozens of policy portals, different approaches for compliance assessments and surveys, a mixture of processes for reporting and managing incidents and cases . . . this hinders the organization, things get missed, and the organization ends up in hot water.

An ad hoc approach to compliance management exposes the organization to significant liability. This liability is intensified by the fact that today’s GRC programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of compliance: how it was managed, who was responsible, what was done, who attested to it, what exceptions were granted, and how violations and their resolution were monitored and managed. With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined compliance and ethics management program is vital to enable an organization to effectively develop and maintain the wide gamut of compliance tasks it needs to govern with integrity.

THE QUESTION: How is your organization approaching compliance and ethics management? Can you map yourself to one of the following GRC archetypes of compliance and ethics management?

  • Fire Fighter. Your organization approaches compliance and ethics management in an ad hoc, fly-by-the-seat-of-your-pants manner. Compliance management is not structured and is addressed only when there is a burning issue, incident, compliance requirement, or other pressure. Even then, it is about addressing the narrowest understanding of the requirement before you and not thinking strategically about compliance and ethics management. Compliance management is addressed in manual processes with file shares, documents, spreadsheets, and emails. The organization does not have an integrated solution to manage compliance and ethics planning, regulatory change, assessments, policies, issue reporting, third party management, and case management.
  • Department Islander. In this archetype, your organization has a more structured approach to compliance management within specific departments. There is little to no collaboration between departments and you often have different departments with a vested interest in compliance management going in different directions with a significant amount of redundancy and inefficiency. Departments may have specific technology deployed for compliance management, or may still be relying on manual processes with documents, spreadsheets, and emails. The result is a variety of compliance processes in different portals and file shares with inconsistent formats and templates.
  • GRC Collaborator. This is the archetype in which your organization has cross-department collaboration for compliance management to provide consistent processes and structure for compliance management. However, the focus is purely on addressing significant compliance concerns and risks. It is more of a checkbox mentality in collaborating on what needs to be done to manage compliance to meet requirements. Most often there is a broader compliance management platform deployed to manage compliance processes and tasks, but some still rely on manual processes supported by documents, spreadsheets, and emails.
  • Principled Performer. This is the model in which the organization is focused on managing the integrity of the organization across its business and its relationships. Compliance and ethics management is more than meeting requirements but is about encoding, communicating, and monitoring boundaries of expected conduct to develop a strong and consistent corporate culture aligned with the ethics, values, and obligations of the organization. Compliance obligations are mapped to risks and objectives and actively understood and managed as critical governance processes of the organization. Compliance and ethics management is about the integrity of the organization and embraces corporate social responsibility, ethics, and the values of the organization and not just regulatory requirements.

The haphazard department- and document-centric approaches for compliance and ethics management of the past compound the problem and do not solve it. It is time for organizations to step back and define a cross-functional and coordinated team to define and govern compliance and ethics management. Organizations need to wipe the slate clean and approach compliance and ethics management by design with a strategy and architecture to manage the ecosystem of compliance and ethics processes throughout the organization with real-time information about conformance and how it impacts the organization.

GRC 20/20’s Compliance Management Workshop

GRC 20/20 will be leading a free interactive workshop to facilitate discussion and learning between organizations on Policy Management on the following dates and locations:

Strategy Perspective on Compliance Management

Research Briefings on Compliance Management

Solution Perspectives on Policy Management

Case Studies on Policy Management