From Backcountry Ranger to GRC Pundit

It is the Thanksgiving holiday here in the United States, so I thought I would make this post a little more personal. I am grateful for all of my clients, followers/subscribers, and the many I get to interact with in the range of my travels at conferences, workshops, and other events. Each and every one of you makes GRC worthwhile.

As I have often stated, GRC is something organizations do; it is not something organizations buy. There is a range of technology solutions that help improve GRC processes and can make GRC more effective, efficient, and agile. But purchasing a GRC solution does not get you GRC. GRC is something every organization does. Some well, others not so well. You will not find an organization that states it lacks governance, does not manage risk, and could not care less about compliance. Whether the organization uses the GRC acronym, something else, or no label at all . . . all do GRC in some form or fashion. At the end of the day it is actually individuals that do GRC. We all play our part and participate in the machine of strategy and operations of the organization(s) we serve. Each of you plays a part in GRC in one or many organizations.

Oddly enough, becoming a GRC professional is not something I ever strategically planned to pursue. We often talk about organizations being on a GRC journey rather than at a particular destination. As a professional it has been a journey, one that I have enjoyed but not one that was intended.

I grew up in the Northwest corner of Montana near Glacier National Park. Montana is in my blood. I echo the words of John Steinbeck, in Travels with Charley: In Search of America, “I’m in love with Montana. For other states I have admiration, respect, recognition, even some affection. But with Montana it is love. And it’s difficult to analyze love when you’re in it.” From the age of four until I was seventeen my desire was to be a backcountry ranger. I loved, and still love, the outdoors. I spent my teenage years backpacking, rock-climbing, skiing, and doing anything outdoors. I was fascinated with all aspects of nature, ecology, botany, and the variety of animals that surrounded me. The mountains themselves beckoned to me, and my heart leaps when I get to see mountains, particularly those in Northwest Montana. My middle son, one of three, who is twenty-one years old, lives where I grew up. His friends often chide him as he will wake up and look at the mountains and be amazed. They will remind him he has been living there for over two years; it does not matter to him, as every day mountain vistas strike his heart with a fresh flood of admiration and amazement. I understand my son.

The only thing that could move me from my pursuit of the outdoors and becoming a backcountry ranger was my greater love for the Creator of all that I loved so dearly. At age seventeen I decided to pursue theology in college to become a pastor/minister. It was in my first year of college that I met a wonderful young lady and fell in love. We got married two years later while still in college, and a year later got pregnant with our first child. I was serving in ministry while still trying to finish my degree; it was not enough to support a young family. We moved to Milwaukee, Wisconsin (where my darling wife is from) and I pursued work in technology, with a focus in information risk and compliance. I worked in a manufacturing organization, then in a healthcare and life science research organization, and then led a risk and compliance consulting practice in the Chicago and Milwaukee area for several years throughout the 1990s.

During this time, I finished my undergrad degree in business, not theology, and went on to complete a Juris Doctorate. My passion for theology has not changed, though: I have finished my coursework and am writing my thesis for a Masters in Church History. My thesis is on the influence of medieval theology on J.R.R. Tolkien (another passion of mine). My favorite theologian and philosopher from church history is Anselm (11th/12th century Archbishop of Canterbury), who stated my life’s purpose so well in his Proslogium, “One who strives to lift his mind to the contemplation of God, and seeks to understand what he believes.”

As for my professional life, I started the Milwaukee chapter of the ISSA and was appointed to serve on the International Board of Directors for the ISSA serving in several capacities, first the VP of Chapter Relations, then VP of Marketing, and finally the VP of Standards & Public Policy representing the many ISSA members on public policy matters and standards impacting information security, risk, and compliance. I was able to have some of my works published in Congressional reports as well as serve on special Congressional committees.

It just so happened that the Chicago chapter president of the ISSA, and friend, was Steve Hunt, an analyst at GiGa Information Group (note the two capital G’s in GiGa; it actually stands for Gideon Gartner and not Gigabyte, as Gideon left Gartner, which he established, to form a new breed of analyst firm in GiGa). Steve kept throwing his client inquiries/questions on compliance and policy over the fence to me for my insight and answers. One day he said, “Why don’t you just come work here?” So the next part of my journey started – I became an industry/market research analyst at GiGa, which shortly thereafter got acquired by Forrester Research.

I guess my claim to fame, should Wikipedia or something else remember me for a few months after I am gone, is from a snowy day in February 2002 at the GiGa offices in Chicago. During my consulting years in the late 1990s I had pondered that there had to be a better way to manage risks, policies, controls, and compliance requirements, and to do this in the context of each other. A solution provider named Telos (with their solution Xacta), focused on government, demoed a solution to me that did just that on that snowy day in Chicago. It struck me that this was exactly what I had envisioned and was looking for in the 1990s. I saw a great demand for this type of solution and decided that it needed its own market segment and name (little did I know that the events unfolding with Enron at that time would lead to SOX, which would see this market take off very rapidly).

The question before me: what do I call this market? My next briefing after Telos was with PwC. They were reviewing the range of their services with me. They had lots of slides in their presentation categorizing their services from broad to industry specific. But three separate slides stood out to me: their Governance services, their Risk Management services, and their Compliance services. GRC. That was it. So on a snowy day in Chicago in February 2002 I first defined and labeled a market GRC. I went on to further define and model this market, but have also worked closely with OCEG over the years in contributing to and collaborating on the GRC Capability Model, as at the end of the day GRC is something organizations do, not something they buy.

Thus the GRC market was born. During my tenure at Forrester I was a VP and led their GRC research, often getting their Top Analyst award. I wrote the first two Forrester GRC Waves comparing solutions in the market, as well as the two ERM Consulting Waves comparing risk management consultants. I spent seven years at Forrester and then went on my own as an independent market research analyst under my company name, GRC 20/20 Research, LLC.

The GRC market has grown over the years and I love researching and following it. I have mapped over 700 technology solution providers into different segments of the GRC market, and have now mapped over 115 providers of GRC intelligence and content solutions with over 500 content offerings into the market as well. It is a passion of mine to understand the different solutions, what differentiates each, and to model and forecast the market.

I trust this Thanksgiving holiday is a good one for each and every one of you. I am thankful for all of you, as you make my research meaningful, and I love interacting with all of you! I would love to hear about your GRC professional journey; feel free to comment on the road you took to where you are now . . .


The Agile Organization: GRC in Context of Regulatory Change

Managing this dynamic and intricate nature of change is driving organizations toward improving their approach to regulatory change management as a defined process and integrated part of a GRC strategy within the organization. Organizations are past the point of treading water as they actively drown in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year.

GRC Regulatory activity

What further complicates this is the exponential effect of regulatory change on the business. Business operates in a world of chaos and, in that context, regulatory chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which a small event develops into and influences what ends up being a significant event. The concept uses the analogy that the simple flutters of a butterfly’s wings create tiny changes in the atmosphere that ultimately impact the development and path of a hurricane.

The typical organization does not have adequate processes or resources in place to monitor regulatory change. Instead . . .

The rest of this post can be found in a guest blog on MEGA’s Corporate Governance Blog . . .

READ MORE: http://community.mega.com/t5/Blog/The-Agile-Organization-GRC-in-Context-of-Regulatory-Change/ba-p/11248

IT GRC > IT Security

If you have been following my research over the course of the past 15 years you will know that I have often been frustrated when IT GRC has been understood to be confined to IT security management. In fact, you can find some of my Forrester reports (2001 to 2007) that often challenge the captivity of IT GRC by security.

IT Governance, IT Risk Management, and IT Compliance are broader than security. Yes, security is one of the most critical risks in IT departments and to the business. I am not minimizing IT security; it needs to be addressed. However, this gives no right for IT security management solutions that do IT security governance, IT security risk management, and IT security compliance to hold IT GRC hostage.

Consider . . .

  • IT Governance. IT governance is the reliable achievement of the objectives of IT, which should be aligned with the business. IT has many objectives that go well beyond the security of IT systems and information. If IT governance is only about security, then we might as well give the CIO and CTO jobs to the CISO. Governance of security is important, but IT meeting business needs and objectives today and into the future is even more critical. IT governance is centered on the performance of IT and the alignment of IT to meet business needs. Security comes within and after this context.
  • IT Risk Management. Some of the greatest risks in IT are security risks. But there is a range of other risks that are critical as well: IT service delivery risk, risk in IT operations, IT project risk, IT planning and staffing risks, disaster recovery and business continuity, and more.
  • IT Compliance. I will not argue; some of the greatest IT compliance challenges are about security (anyone dealing with PCI DSS and other compliance obligations knows this). The point still is that IT compliance goes beyond IT security. Consider web accessibility requirements in ADA compliance (Americans With Disabilities Act).

What is frustrating to me is that 95% of the RFPs I assist with, or inquiries from organizations looking for solutions (between 5 and 10 a week) that I answer, believe that IT GRC is synonymous with IT security management.

To put it in a formula:

IT GRC ≠ Security Management

IT GRC > Security Management

What is encouraging in the past 12 months is that I have seen several RFPs I have assisted in writing that are taking a broader understanding of IT GRC, and this is supported by growing inquiries from organizations asking me questions about solutions with broader IT GRC capabilities.

IT departments need a 360° contextual awareness of security in IT, but they also need a 360° contextual awareness of a broader understanding of IT governance, IT risk management, and IT compliance management.

As for the market, my definition of IT GRC remains broader than IT security management. There are solutions that deliver on a broader vision of IT GRC, some more than others. A sub-segment of IT GRC is the set of solutions with capabilities that focus primarily on vulnerability discovery and remediation for IT assets and on measuring risk and compliance in a security context.

On October 19th, I will be presenting the next GRC 20/20 Research Briefing, 2015: How to Purchase IT GRC Platforms. This Research Briefing is aimed at defining a framework for purchasing IT GRC solutions, whether focused on IT security management or more broadly on IT GRC management.

The goal is to provide buyers of IT GRC solutions an understanding of different types of IT GRC solutions that have a broad or narrow focus, give them a decision tree to help them define what they need, present critical capabilities needed in an IT GRC platform, and offer advice related to IT GRC and security management RFPs and evaluations.

If you are frustrated with your current IT GRC implementation or looking to purchase an IT GRC solution, then I encourage you to register and attend this Research Briefing (or watch the recording).

REGISTER: How to Purchase IT GRC Platforms: http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-it-grc-platforms/

NOTE: for clarity, I am an advocate of IT security, and if your focus is on IT security management in the context of IT GRC there are many great solutions that deliver this; I am just stating that this is a sub-segment of IT GRC.

Now Accepting 2015 GRC Value Award Nominations

GRC 20/20 is accepting nominations for the 2015 GRC Value Awards!

Successful governance, risk management, and compliance (GRC) delivers the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment with agility. GRC solutions should achieve better performing processes that utilize more reliable information. This enables a better performing, and a less costly, more flexible business environment. Clients engage GRC solutions with the goals of understanding and managing risk, ensuring compliance with obligations, improving human and financial efficiencies, enhancing transparency, and managing GRC in the context of business change.

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

  • Effective: At the end of the day it is about effectiveness. How does the organization ensure risk and compliance is effectively understood, monitored, and managed at all levels of the organization?
  • Efficient: GRC engagement provides efficiency and savings in both human and financial capital. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • Agile: GRC engagement delivers business agility where organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate to employees GRC context to these changes.

The 2015 GRC Value Award nominations will be accepted through October 5th (no exceptions, nomination form closes down at midnight CDT on October 5th). Recipients will be determined by mid-October with announcements in November.

The 2014 GRC Value awards are to recognize GRC solutions that have returned significant and measurable value to an organization. The nomination must be on a specific implementation/project in a verifiable client. No generalizations or consolidations of multiple clients. The GRC Value awards are to acknowledge specific QUANTIFIABLE value in a specific instance. These are cold hard facts that are empirical, measurable, and objective. Every nominee selected for final recognition (both solution provider and client) must be willing to spend up to an hour on the phone (separately and not together) to discuss the submission and validate the accuracy of the submission. Only the top nominations in each category will go through the validation process.

All award submissions are based on a single real-world implementation. Factual accuracy and integrity are necessary. GRC 20/20 will take all the nominations and select in each category the submissions that articulate the greatest quantifiable value in objective, measurable terms. We are looking for hard facts, not just soft bullet points. Time saved, dollars saved, FTEs reduced. Numbers win, generalizations lose. Every submission must have contact information for the organization that claims to have received this value. These organizations will be contacted and interviewed to determine if they have actually received the stated value as portrayed. Any misrepresentation found will disqualify the nomination from receiving the award, and the next set of nominations in each category will be evaluated.

Each recipient of an award will be written up and acknowledged. Details of the nomination will be referred to but can be handled anonymously (if formally requested) in award announcements/communications from GRC 20/20. So the client reference case study does not have to be named and can be anonymous, but GRC 20/20 must be able to know who the client case study is and validate the facts.

The seventeen categories for submission are:

  • Audit Value Case Study
  • Automated / Continuous Control Value Case Study
  • Business Continuity Value Case Study
  • Compliance Management Value Case Study
  • Enterprise GRC Value Case Study
  • Environmental, Health & Safety Value Case Study
  • IT GRC Value Case Study
  • Internal Control Value Case Study
  • Issue Reporting & Management Value Case Study
  • Legal Management Value Case Study
  • Physical Security Value Case Study
  • Policy & Training Value Case Study
  • Quality Management Value Case Study
  • Reputation & Responsibility Value Case Study
  • Risk Management Value Case Study
  • Strategy & Performance Value Case Study
  • Third Party Management Value Case Study

Please submit nominations before midnight on October 5, 2015. Nomination forms will be accepted until this date, with finalists selected and deeper dives conducted in mid-October, recipients selected by the end of October, and announcements at the beginning of December. Award recipients will be announced to vendors at the end of October so that coordinated announcements/press releases can go out at the beginning of December.


Quick Start to a GRC RFP

So far 2015 has been the busiest year I have seen in the GRC market. There is increased demand for GRC solutions in all varieties, across industries and geographies.

The GRC market is a broad market with a variety of segments. It is not all about Enterprise GRC Platforms. In fact, only about 25% of the inquiries GRC 20/20 gets from organizations are for Enterprise GRC strategies and platforms. A good 75% of the market is aimed at solving department and specific regulatory or risk area needs. There are over 700 technology solution providers in the GRC market across 16 primary market segments. In addition to this there are over 90 GRC intelligence (content) providers offering over 350 GRC intelligence solutions of various capabilities.

The challenge is: how do you find the right GRC solution for your organization?

This is where GRC 20/20 comes in. If you are looking for GRC solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website. I will do my best to see that you are responded to quickly and efficiently. GRC 20/20 is currently answering between 5 and 10 inquiries each week from organizations looking for GRC related solutions.

The next step is building out the requirements for a GRC RFP. Whether this is for an enterprise GRC platform or a very specific segment of GRC, GRC 20/20 has detailed RFP criteria for many domains of GRC. These involve over 200 requirements (sometimes many more) in a given segment of GRC that are broken into basic, common, and advanced functionality. This allows organizations to select the criteria that best fit their needs, as some require only simple functionality while others require advanced functionality.

GRC RFP Criteria is available, in an engagement, in the following areas:

  • Enterprise GRC Solutions
  • Audit Management Solutions
  • Policy & Training Management Solutions
  • Risk Management Solutions
  • Third Party Management Solutions (e.g., vendor, supplier)
  • Compliance Management Solutions
  • IT GRC Management Solutions
  • Internal Control Management Solutions
  • Automated/Continuous Control Management Solutions
  • Business Continuity Management Solutions
  • Environmental, Health & Safety Management Solutions
  • Issue Reporting & Management Solutions
  • Quality Management Solutions

GRC 20/20 can be engaged on RFP projects to rapidly enable organizations to develop RFPs based on our RFP criteria library. Simply email me at [email protected] and we can scope your needs for an RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest, based on our broad experience in the market.

How to Purchase Policy Management Solutions

Policy and training management technology enables and operationalizes effective, efficient, and agile policy management and awareness. The goal of this technology is to operationalize the policy management processes and communication. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitates the ability to document, communicate, report on, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There should be an enterprise platform for policy and training management that connects the fabric of the policy management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements.

Organizations have the following policy management choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure, as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time on data management and reconciling as opposed to active policy communication and training.
  • Department specific point solutions. Implementation of a number of point solutions that are deployed and purpose built for department or specific risk and regulatory policy needs. The challenge here is that organizations end up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. However, these solutions often have a predominant focus on policy and do not always have complete capabilities in training.
  • Enterprise policy and training management platform. This can be an enterprise implementation of a point solution dedicated to policy and training management or an enterprise GRC platform that has the breadth of capabilities needed for policy and training management. This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes.

The right policy and training solution choice for an organization often involves integration into ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which business operates.

A well-conceived technology architecture for policy and training management can enable a common policy and training framework across multiple departments, or just one department as appropriate. Organizations need a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a policy management platform approach enables better performance, less expense, and more flexibility. Some of the core capabilities organizations should consider in a policy and training management platform are:

  • Integration. Policy and training management is not a single isolated competency or technology within a company. Policy and training management often requires information from human resources, vendor management systems, and other sources to automatically maintain a single record. These applications must integrate with other systems. The platform needs to integrate well with other technologies and competencies that already exist in the organization – ERP and GRC. So the ability to pull and push data through integration is critical.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. The platform should also provide standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with policy and training metrics and processes. Contextual awareness requires that policy and training management have a central nervous system to capture signals such as changing risks and regulations, analysis, and holistic awareness in the context of a changing and evolving business environment.
  • Organization management. Policies and training apply to something within the organization, whether it is a business process, a physical asset, an information asset, a business relationship, or the entire organization. The system must model the organization and map policies to where they apply.
  • Accessibility. Policies and related training are only of value if they are accessible. A policy management system must provide a complete system of record any individual can log into and find policies that apply to their role, along with required tasks, attestations, and training they must complete. The system should be available in the official languages recognized by the organization. It should also support the communication needs of the differently abled (e.g., vision impaired, etc.).
  • Training management. Training management includes support for classroom, offsite or vendor training, e-learning programs, recorded presentations, simple document delivery and attestation, registration, and attendance completions. The challenge for companies is integrating learning management systems with policy management systems. This can be done by adopting a policy management solution that provides training management. In this model, the courses, scheduling, attestations, and automatic assignment of policies and training based upon the organization matrix are integrated with workflow, task management, and monitoring. Mature policy management systems automatically reschedule training if a policy is updated and assign additional training if a person is promoted or changes roles. This greatly simplifies administration and maximizes accountability and measurability.
  • Notifications. The most effective means of providing accountability in policy management is through notifications. Notifications are delivered when policy authors receive a new work assignment, when a due date draws near, or when a task is overdue and an escalation notice must be sent to management. If a person, or perhaps a whole business unit, needs to read and attest to a revised policy, reminders and escalation are required. Policy management systems provide configuration capabilities to customize messages, provide links to tasks, consolidate notifications, and help enforce goals, plans, and accountability. Notifications must be able to integrate with the organization’s e-mail system to deliver messages and drive accountability.
  • Audit trail. If it’s not documented, it’s not done. An audit trail should record each who, what, where, and when for every document, assignment, person, and piece of content collected, developed, changed, distributed, archived, surveyed, trained, notified, and read. This ensures that when an incident occurs, an audit takes place, or a regulatory exam or investigation happens, you are prepared with accurate and timely evidence. The level of audit trail required for policy management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Intuitive interface design. Policy and training management platforms are using leading concepts in interface design to make the user experience of applications simpler, easy to navigate, and aesthetically appealing, while minimizing complexity.
  • Socialization and collaboration. Collaboration and socialization are used to conduct risk workshops, understand compliance in the context of business, and get individuals involved in policy and training at all levels of the organization.
  • Gamification. Gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making. Getting employees involved through video, comedy, and games to educate on risk, policy, and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles, and illustrations help answer questions, develop skills, and communicate a point. Employees can engage policies and training to gain points, accomplish levels, earn badges, and recognition of skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies and has taken a quiz to validate understanding. As a result they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others and champion policies in different ways. This is all linked back to GRC technology to track and promote this activity as well as broader corporate HR and collaboration technologies.
  • Mobility. A lot of employees do not have computers, and some that did are now being issued tablets. Policy and training engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments, where a tablet could be deployed as the policy and training kiosk for employees. Effective policy and training is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring policies to all levels of business operations.

More on this topic will be presented in next week’s Research Briefing: How to Purchase Policy Management Solutions.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop, maintain, communicate, and train on policies. This is why organizations are aggressively looking at policy management platforms to address this challenge, as is apparent in the number of RFPs and inquiries GRC 20/20 is involved in with organizations looking for policy management platforms.

In this Research Briefing, 2015 How to Purchase Policy Management Solutions, GRC 20/20 will provide a synthesis of what organizations should consider when purchasing policy management solutions. Attendees will learn what a policy management system does and what the basic, common, and advanced features of a policy management platform are. This will be supported by a framework (decision tree) of considerations to guide an organization when purchasing policy management solutions.

Register: http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-policy-management-solutions/

Demand & Market for GRC Content & Intelligence Offerings

Governance, Risk Management & Compliance (GRC) is something every organization does, but not necessarily does well. All have some approach to GRC, whether it is ad hoc and broken or mature and integrated. Every organization on the planet does GRC in some form or fashion. The official definition of GRC, as defined by OCEG in the GRC Capability Model, is that GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

Organizations do not buy GRC; they do GRC. However, there is a market for GRC-related solutions, services, and content/intelligence. These help organizations do GRC and bring efficiency, effectiveness, and agility to GRC strategy, processes, and architecture.

A lot of attention has been given to the GRC technology solution market. I was the first to define and model this market back in February 2002 while at Forrester and have continued to nurture and monitor it since. There are over 1,000 providers in the broad GRC market, which is currently an $11.89 Billion market, but this does not count the professional services market, which is significantly bigger. The Enterprise GRC market is about 10% of this figure.

To date, not a lot of attention has been given to modeling and sizing the GRC content and intelligence market. This market is substantially, but not completely, represented in the market size figure above, because many GRC content and intelligence offerings are tied to and integrated into technology solutions. At the same time, many of these same offerings can also be integrated with other GRC technologies, and many are agnostic to GRC technology.

The role of content in GRC strategies, solutions, and architecture is becoming significant. Organizations find that they need access to risk and compliance intelligence updates, regulatory changes, risk libraries, audit templates, sanction and watch lists, sample policies, and more. GRC solutions are often differentiating themselves by their ability to provide and integrate a range of content offerings into their solution to provide complete situational awareness in a dynamic business environment.

On Monday, July 13th, GRC 20/20 will be presenting our latest Research Briefing on 2015 Market Analysis: GRC Content & Intelligence Providers. In this research briefing we will discuss the latest drivers and trends for GRC content and intelligence as well as segmentation, size, and forecasting of the GRC content and intelligence market.

GRC 20/20 has mapped 91 GRC Content & Intelligence providers with more than 350 content & intelligence offerings across the following categories (there is some overlap between these categories):

  • Audit Template & Workpaper Libraries
  • Benchmarking Solutions
  • Control Libraries
  • Compliance Forms & Templates
  • Due Diligence & Financial Monitoring
  • EH&S Libraries
  • Geo-Political Risk Monitoring
  • Industry Risk & Regulatory Reporting
  • Legal Cases & Analysis
  • Loss & Incident Databases
  • Negative News Monitoring
  • Policy Libraries
  • Regulatory Intelligence (actionable insight on reg change, not just a library)
  • Regulatory Libraries
  • Reputation & Brand Monitoring
  • Risk Libraries (including KRI, risk registers)
  • Risk Forms & Templates
  • Sanction / Watch Lists (including PEP lists)
  • Third Party Forms & Templates
  • Third Party Monitoring
  • Third Party Shared Assessments
  • Threat & Vulnerability Monitoring
  • Training Libraries

The demand and need for GRC content and intelligence integrated with technology is growing in the GRC market. Organizations increasingly think in terms of a GRC architecture that supports the range of their technology and content integration needs, rather than in siloed concepts of a single enterprise GRC technology platform.

A Strategic Approach to Third Party Management, Part 2: Designing an Integrated Architecture to Support Your Strategy

This is the second in a two-part series by Michael Rasmussen on how to take a strategic approach to effectively manage and mitigate third-party risk.

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see its individual third party relationships (the trees) as well as the interconnectedness of those relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationships and impacts in which 1 + 1 = 3, or 30, or 300. What seems like a small disruption or exposure may have a massive and cascading impact. In a linear system, effect is proportional to cause. In the non-linear world of business, third party risk is exponential. If we fail to see the interconnections of third party risk across the organization, the result is often massive and unpredictable.

The challenge is that different organizational areas are doing similar things in different ways in context of their third parties. Various departments with different responsibilities for pieces of third party oversight will communicate and interact with third parties in different ways. The chaos of these many-to-many communications is slowing down relationships in a time where they need to be more nimble and agile.

The organization needs a common process, information, and technology architecture to support third party management across the organizational departments that have a vested interest in third party relationships. Third party management is enabled at an enterprise level through implementation of an integrated third party management architecture. This offers the adaptability needed given the dynamic nature and geographic dispersion of the modern enterprise. The right third party management platform enables the organization to effectively manage risk across extended business relationships and facilitates the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.

Third Party Management Process Architecture

Third party management processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships. While third party processes can vary by organization and industry, the common components are . . .

Continued on the ELM Solutions Blog (The GRC Pundit is a guest blogger) . . .

Read more: http://www.wkelmsolutions.com/blog/michael-rasmussen/strategic-approach-third-party-management-part-2-designing-integrated

Now Accepting 2015 GRC Innovation Award Nominations


GRC 20/20 is accepting nominations for the 2015 GRC Innovation Awards!

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction. 

A primary directive of innovation is to provide an experience that is simple yet complete. Like Apple with its innovative technologies, GRC solution providers must approach solutions in a way that re-architects the way the solution works as well as the way it interacts. The goal is simple: simplicity itself. Simplicity is often equated with minimalism. Yet true simplicity is more than just the absence of clutter or the removal of embellishment. It’s about offering up the right context, in the right place, when needed. It’s about bringing interaction and engagement to GRC process and information. GRC solutions should be intuitive.

2015 GRC Innovation Award nominations will be accepted through July 12th (no exceptions, nomination form closes down at midnight CDT on July 12th).

NOTE: the 2015 GRC Value Award process (our other award process) will begin on August 1st. Nominations have to be in before the end of August. Recipients will be determined by end of October with announcements in November.

To establish a proper perspective, please understand what the GRC Innovations Awards are NOT:

  • It is NOT to recognize how one product has a better feature or feature set than a competitor
  • It is NOT to recognize competitive differentiators
  • It is NOT a comparison or endorsement of solutions overall (like a Forrester Wave or Gartner Magic Quadrant)

The GRC Innovation Awards recognize innovations in GRC-related solutions that are revolutionizing Governance, Risk Management, and Compliance (GRC). They recognize solutions that show something truly unique, game changing, revolutionary, and new. If what you are proposing has been in your feature set for more than 12 months, it is not new and fresh.

The 2015 GRC Innovation Awards are considered across 17 categories of GRC functional areas and from two perspectives in each. The two perspectives from which awards can be submitted are:

  • User Interface & Experience. GRC 20/20 is putting specific focus on the fact that GRC solutions do not have to be ugly and cumbersome.
  • Other Innovation. Any innovation that is not tied to user interface & experience.

The seventeen categories for submission are:

  • Audit Solutions
  • Automated / Continuous Control Management
  • Business Continuity Solutions
  • Compliance Management Solutions
  • Enterprise GRC Architecture & Platforms
  • Environmental, Health & Safety Solutions
  • Information & Technology GRC Solutions
  • Internal Control Management Solutions
  • Issue Reporting & Case Management Solutions
  • Legal Management Solutions
  • Physical Security Solutions
  • Policy & Training Solutions
  • Quality Management Solutions
  • Reputation & Responsibility Management Solutions
  • Risk Management Solutions
  • Strategy & Performance Management Solutions
  • Third Party Management Solutions

To be innovative requires that the submission be game changing and completely unique from what the competition is doing. Any submission that is just another “me too,” or “we are better than the rest” type of submission will not cut it and will quickly go to the digital trash bin. We want to recognize vendors that are thinking outside of the box to boldly take GRC where no solution provider has gone before.

Please submit nominations before midnight on July 12, 2015. Nomination forms will be reviewed in July, finalists selected and deeper dives in August, with recipients selected by end of August and announced in early September. Award recipients will be announced to vendors at the end of August so that coordinated announcements/press releases can go out in the beginning of September.

Nomination form: http://grc2020test.cloudaccess.host/2015-grc-innovation-award-nomination-form/

Considerations When Purchasing Policy Management Solutions

This is the second in a series of posts on buying considerations when purchasing GRC solutions. The GRC Pundit first looked at overall considerations when purchasing GRC solutions, and in this post he turns his focus to Policy Management Solutions.

Policy management is one of the hottest segments in the GRC market. This is apparent in the number of RFPs and inquiries GRC 20/20 is involved in from organizations looking for policy management platforms.

Consider that policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:

  • Provide a framework of governance. Policy paints a picture of the behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details the controls to manage that risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Policies attach a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policies can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal and regulatory proceedings to place culpability. In this context, organizations are struggling with the following issues:

  • Policies haphazardly managed in documents, fileshares, and poorly implemented portals
  • Different departments going in different policy directions
  • Lack of centralized inventory of all organization policies
  • Need to have a defensible audit trail of all interactions with a policy and training
  • Reactive and inefficient training programs
  • Policies that do not adhere to a consistent style, template, format
  • Rogue policies that put liability and exposure on the organization
  • Out of date and inconsistent policies
  • No tracking of policy exceptions

Many organizations lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An organization must establish policy it is willing to enforce — but also must clearly train and communicate policy to make sure that individuals understand what is expected of them.
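The paragraph above describes the record a defensible organization must be able to produce: which policy version was in effect on a given date, who was told about it, who attested to it, who was trained, and what exceptions were granted. The following added example (not from this post or any vendor's product) models that record as a hash-chained audit trail and answers those questions for one employee on one date; the policy name, employee ids, dates and status labels are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first audit entry

@dataclass
class PolicyVersion:
    policy_id: str
    version: int
    effective: str   # ISO date (YYYY-MM-DD) this version came into force; sorts chronologically
    text_hash: str   # SHA-256 of the text actually published to employees

@dataclass
class Event:
    kind: str        # published | communicated | attested | trained | exception
    policy_id: str
    version: int
    subject: str     # employee id, or "*" for an all-hands communication
    on: str          # ISO date of the event
    prev_hash: str   # hash of the preceding entry; this chaining makes the trail tamper-evident
    hash: str = ""

class PolicyAuditTrail:
    def __init__(self):
        self.versions, self.events = [], []

    @staticmethod
    def _digest(ev):
        body = {k: v for k, v in vars(ev).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, kind, policy_id, version, subject, on):
        prev = self.events[-1].hash if self.events else GENESIS
        ev = Event(kind, policy_id, version, subject, on, prev)
        ev.hash = self._digest(ev)
        self.events.append(ev)

    def publish(self, policy_id, version, effective, text):
        digest = hashlib.sha256(text.encode()).hexdigest()
        self.versions.append(PolicyVersion(policy_id, version, effective, digest))
        self.record("published", policy_id, version, "*", effective)

    def version_in_effect(self, policy_id, as_of):
        live = [v for v in self.versions if v.policy_id == policy_id and v.effective <= as_of]
        return max(live, key=lambda v: v.effective) if live else None

    def defensibility(self, policy_id, employee, as_of):
        """Which version bound this employee on as_of, and what evidence do we hold for it?"""
        pv = self.version_in_effect(policy_id, as_of)
        if pv is None:
            return {"version": None, "status": "no-policy-in-effect"}
        def held(kind, *subjects):  # evidence of `kind` for this version, dated on or before as_of
            return any(e.kind == kind and e.policy_id == policy_id and e.version == pv.version
                       and e.subject in subjects and e.on <= as_of for e in self.events)
        if held("exception", employee):
            status = "exception-granted"
        elif held("attested", employee):
            status = "attested-and-trained" if held("trained", employee) else "attested-no-training"
        elif held("communicated", employee, "*"):
            status = "communicated-not-attested"  # told, but no proof of acknowledgement
        else:
            status = "not-communicated"
        return {"version": pv.version, "text_hash": pv.text_hash, "status": status}

    def verify_chain(self):  # recompute every hash; an edited, dropped or reordered entry breaks it
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or ev.hash != self._digest(ev):
                return False
            prev = ev.hash
        return True

def build_sample_trail():
    """Constructed sample data: one policy, two versions, three employees."""
    t = PolicyAuditTrail()
    t.publish("ACCEPTABLE-USE", 1, "2014-01-15", "v1 text (constructed)")
    t.record("attested", "ACCEPTABLE-USE", 1, "e100", "2014-02-01")
    t.publish("ACCEPTABLE-USE", 2, "2015-03-01", "v2 text (constructed)")
    t.record("communicated", "ACCEPTABLE-USE", 2, "*", "2015-03-01")
    t.record("exception", "ACCEPTABLE-USE", 2, "e300", "2015-03-02")
    t.record("trained", "ACCEPTABLE-USE", 2, "e200", "2015-03-04")
    t.record("attested", "ACCEPTABLE-USE", 2, "e200", "2015-03-05")
    return t  # e100 never attested to v2: the v1 attestation does not carry forward
```

The point the query makes is that an attestation is evidence only for the version it names, so a re-published policy reopens the gap until employees attest again; the hash chain is what lets the organization show in a proceeding that the record was not edited after the fact.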

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the policies needed to reliably achieve objectives while addressing uncertainty and acting with integrity. This is why organizations are aggressively looking at policy management platforms to address this challenge.

Basic, Common & Advanced Policy Management Solutions

GRC 20/20 has developed an extensive framework of RFP requirements for policy management platforms and advises organizations on RFP development and on the solutions the organization should be considering. GRC 20/20 covers 144 solutions in the Policy & Training Management Segment of the GRC market. Eighty-eight of these solutions do policy management, and forty-four do training management (the overlap, if you add these together, consists of solutions that do both). Every organization has unique requirements and expectations for policy management. GRC 20/20 has detailed over 200 requirements specific to policy and training management solutions in the GRC market. Overall, policy management solutions can be mapped into the following areas:

  • Basic Policy Management Capabilities. These solutions tend to focus on the back-end of policy management: the development, approval, and maintenance of policies. Policies are typically managed as documents and imported into the system as documents or PDFs. Solutions in this area are focused on managing workflow and tasks for managing and maintaining policies. They often have some basic employee portal capabilities aimed at completing tasks such as reading policies and attestation (e.g., certification, read and understood).
  • Common Policy Management Capabilities. These solutions are more built out in feature sets that offer a broader range of capabilities. This includes a stronger user portal and experience to navigate policies, the ability to build forms related to policies and manage workflow and tasks around forms, map policies to regulations and other obligations, and move beyond treating policies as documents to import into the system and have integrated word processing capabilities. These solutions also have capabilities to manage policy exemptions/exceptions, and measure policy compliance. While the employee experience is stronger than those offering basic capabilities, it is still the back-end management of policies that is central to these solutions.
  • Advanced Policy Management Capabilities. Advanced policy management solutions have all the common attributes, but take on more advanced capabilities (note, advanced capabilities extend common capabilities and not all policy management solutions support the range of advanced capabilities). Advanced capabilities tend to put a stronger focus on the employee experience – the front-end of policy management – and not just the back-end experience. Advanced capabilities include:
    • Employee portal experience is clearly stronger, offering an intuitive, interactive, personal, and social policy experience for employees. Policies are most often treated as HTML rather than PDFs or word processing documents, and the display of policies allows for hyperlink pop-ups for clarification and resources as well as embedded training and other policy tools.
    • Embedded training in which the solution has a full LMS capability to deliver training within the policy portal for employees and they do not have to bounce around through hyperlinks.
    • Social and gamification: as part of the employee portal, the solution picks up on social aspects, with employees able to share policies with other employees, provide feedback and interaction on policies, and have employee avatars with badges for policy and training tasks.
    • Mobility: there are dedicated tablet and phone apps offering policies to employees. In fact, GRC 20/20 has been involved in several interactions with organizations looking to use tablets as policy and training kiosks for employees in retail, food and beverage, manufacturing, and logistics/transportation.
    • Integration with HR management systems to push policy to new employees or those that have changed roles in the organization.
    • Integration with other GRC modules and solutions, such as incident management to map incidents to violations of policy, or risk management to map risks to policies.
    • Advanced policy authoring and editing capabilities in which policy authoring is done in a browser interface with full redlining, commenting, and editing capabilities.
    • Regulatory change management in which not just documents but chapter and verse of policies is mapped to chapter and verse of regulations and there are clearly defined processes to manage policies in the context of regulatory change.
    • Federated policy management that allows large distributed and diversified organizations to have layers of policy management committees and groups to govern complex policy lifecycles.

These summaries of basic, common, and advanced capabilities are some of the attributes of these areas drawn from GRC 20/20’s broader RFP requirements and analysis of policy management solutions. Organizations need to select what best fits their needs. More advanced capabilities often come at a more significant cost for the policy management solution.

The most significant trend GRC 20/20 has seen in policy management RFPs and organizational needs is the shift of focus to the front-end of policy management. Historically, the requirements for policy management have been largely on the back-end management and maintenance of policies with only very basic requirements in the front-end communication and attestation of policies.

Over the past three years there has been a growing trend to put equal or more importance on the front-end communication and access of policies. This is in response to organizations desiring to create a single portal for all organization policies, engage employees, and provide defensible audit trails and compliance records. One organization even requested that the policy portal have a green light in a corner if the policy subject matter expert is at their desk and pop up a box to ask them a question (they used a direct analogy to online shopping with a ‘can we help you’). The overall trend is that organizations desire an engaging policy portal for employees as much as they do the back-end development of policies.

CASE IN POINT: I did the design and layout of the OCEG GRC Illustration: Engaging Employees With Interactive Policies. I have had several organizations specifically reference this illustration and state “this is what we want, who does this.”


Questions & Considerations to Ponder on Policy Management Solutions

Organizations considering policy management solutions should ask themselves the following questions to help guide them in developing requirements and engaging solution providers:

  • What are my back-end policy lifecycle management requirements?
  • What are my front-end policy portal and employee experience requirements?
  • Is the front-end portal as important as the back-end?
  • Do we want to develop policies in standard word processors and import them as documents/PDFs into the solution to manage?
  • Do we want to develop policies within the solution/browser interface?
  • Do we need to map policies to hotline reports, issues/incidents, controls, or risks?
  • What are our requirements for regulatory change management in context of keeping policies current?
  • What are our requirements for having a full audit and compliance trail of all interactions between policies and employees?
  • Do we desire an integrated LMS capability to manage policies and training as a collective whole in an integrated portal?
  • Do we need the capability to manage policy related forms and manage those forms through workflow and tasks for review and approval/disapproval (e.g., gifts and entertainment, conflict of interest, medical leave, political contributions)?
  • What are our mobility requirements for policy and training on tablets and smartphones?
  • Do we need to integrate with HR management systems to automate the communication of policies to new employees and those that have changed roles?
  • Do we need features of socialization and gamification on the policy portal?
  • What are our internationalization and language requirements for both the back-end management of policies and the front-end policy portal?
  • What are our requirements to track and manage policy exceptions and exemptions?
  • Do we need a solution that can support federated policy management to address the need for multiple layers of policy committees and a complex policy lifecycle?

These are a subset of a broader set of questions that will be categorized and mapped in the forthcoming Buyers Guide: Policy Management Solutions, and are further detailed in GRC 20/20’s RFP requirements for policy management solutions. GRC 20/20 will be releasing the following research in the next several weeks:

  • Buyer’s Guide: Policy Management Solutions. The Buyer’s Guide goes into a detailed framework in how to approach purchasing policy management platforms.
  • Strategy Perspective: Policy Management by Design. The Strategy Perspective focuses on best practices in defining a policy governance committee, framework, lifecycle, and architecture (written from context of GRC 20/20’s Policy Management by Design Workshops).
  • Online directory of Policy & Training Management Solutions. The directory lists policy and training management solutions that GRC 20/20 covers in the market and is the first part of the broader GRC Directory being rolled out in stages.
  • Market Perspective: Policy & Training Management Solutions. This details the overall drivers, trends, market size, growth, and forecasting of the Policy & Training Management Market.

I have shared my thoughts on some buying considerations of policy management solutions. I would love to hear your thoughts and reaction to this as I work on publishing this series of GRC 20/20 research.