Category: Blogs

Policy engagement: There is a lot to be said for how technology can make policies easier to find, social, and interactive. In fact, I have been on my soapbox proclaiming next-generation policy and training management for the past decade in which organizations deploy a portal that brings together policies, training, and related resources in one integrated interface that is intuitive and engaging for employees to use. 

Policies define boundaries for the behavior of individuals, business processes, relationships, and systems. At the highest level, policy starts with a code of conduct, establishes ethics and values to extend across the enterprise, and authorizes other policies to govern the entire organization. These filter down into specific policies for business units, departments, and individual business processes. 

To deliver engaging policy requires a firm foundation. We might be quick to think this foundation is technology itself. No. Technology is important, but the foundation for good policy is a well-written policy. A policy that is clear, void of cluttered language, written in the active voice, and delivers the message. 

The typical organization is a mess when it comes to policies. Policies are scattered across the organization, reside in a variety of formats ranging from printed documents to internal portals and fileshares, are out of date and poorly written. Policy writing that is wordy and confusing is damaging to the corporate image and leads to confusion and misunderstanding, which then costs time and money. Organizations are not positioned to drive desired behaviors or enforce accountability if policies are not clearly written and consistent. 

Well-written and presented policies aid in improving performance, producing predicable outcomes, mitigating compliance risk, and avoiding incidents and loss. Good policy writing and layout: 

• Articulates corporate culture 
• Shows that the organization cares about policy 
• Demonstrates professionalism 
• Avoids expensive misunderstandings 
• Aids those that struggle with reading or do not speak the language natively 
• Provides consistency across policies 

Consider a supply chain code of conduct I was asked to review for a global brand with thousands of suppliers. This code of conduct had long paragraphs that were written in the passive voice and not active voice. It was cluttered with unnecessary and complex language. The audience for this code of conduct is an international audience of whom many did not speak the language of the code of conduct as their native tongue. Further, the first sentence of the first paragraph stated “Company believes …” and the next paragraph began, “Company strongly believes …” Do we have different levels of belief in the code of conduct? 

We are working against ourselves when we deliver such rubbish. As a native English speaker this might be quick to glance over, but for someone that has English as a second language, they will analyze every word and come to the erroneous conclusion that the second paragraph is more important than the first. Organizations are full of individuals who are not native speakers (or in this case readers) of the language policies are written in. We do them a disservice when we write policy that is not clear and to the point. 

Good policy writing is not just about clear and concise language but also about layout and design. How we structure paragraphs and present them in print or digital form matters. 

I have three sons; two are now adults and the third is in his last year of high school. The oldest and youngest do well academically. My middle son is very reliable and can be counted on to get things done but has struggled academically. He is brilliant but has been plagued with a learning disability—dyslexia—his whole life. In educating him, my wife and I tried a variety of options. I remember giving him something to read that was a page of nearly solid text in just a few paragraphs. He struggled to get through it. I then gave him the same text broken out into many paragraphs with plenty of white space between them. His comprehension of the text skyrocketed with the revised version. The text itself did not change, simply the presentation of it. 

When we break policies out into shorter paragraphs and utilize white space it aids in the comprehension of the policy. White space, and in that context design and layout of the policy, is just as important as the actual written words of the policy. 

Critical to the success of policy engagement is a policy style guide. Every organization should have a policy style guide in place to provide clear and consistent policy. This establishes the language, grammar, and format guidance to writing policies. It expresses how to use active over passive voice, avoid complicated language and “legalese,” how to write for impact and clarity, use of common terms, how to approach gender in writing, and even internationalization considerations. 

Corporate policies define boundaries for the behavior of individuals, business processes, relationships, and systems. At the highest level, policy starts with a code of conduct, establishes ethics and values to extend across the enterprise, and authorize other policies to govern the entire organization. Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended. Policy attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must closely manage and monitor policy in place. Policy is a necessary means to clearly define, articulate, and communicate boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy.

Organizations often lack an auditable means of policy maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved supporting the business, including internal employees and third parties.

If policy documentation doesn’t conform to an orderly style and structure, uses more than one set of vocabulary, is located in different places, and don’t offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

GRC 20/20’s Effective Policy Management Benchmark provides a framework for an organization’s approach to policy management to be measured against its peers within industry as well as organizations of similar size and structure across industries. The purpose is to identify whether an organization is Below Parity, at Parity, or Above Parity relative to its peers in the context of policy management.  Where an organization is significantly lacking ability it is ranked Inferior, while an organization that demonstrates outstanding ability is referenced as Best in Class.

The Effective Policy Management Benchmark can be used at a department or enterprise level. The Benchmark comparison is based on GRC 20/20 research and interactions. These interactions include projects, surveys, inquiries, and advisory engagements. The rankings are a guideline and represent GRC 20/20’s opinion and professional experience working with a variety of organizations across industries.

There is not a one-size fits all approach to policy management.  One organization’s approach to policy management will vary from another depending on size, nature of the business, scope of policies, resources, and executive sponsorship of a policy management program.  Care must be given when measuring an organization as many facets need to be taken into consideration.

GRC 20/20’s Effective Policy Management Benchmark synthesizes GRC 20/20 research and analysis of the following six key Policy Management Program components:

1. Governance of Policy Management Program. Policy management program governance comprises the program management architecture, policy review cycles, executive “tone from the top” on policy governance, extending policy governance to mergers and acquisitions, compliance monitoring and assurance activities, and management reporting and dashboards.
2. MetaPolicy.  The MetaPolicy, often referred to as the “policy on policies,” is the foundation on which to build an effective policy management program. It defines the critical elements of the organization’s policy management program. 
3. Supporting Policy Management Resources.  Supporting the MetaPolicy, is an array of other resources to build out the policy governance process within an organization.  
4. Policy Management Lifecycle.  The policy management lifecycle is the actual operation and process of the MetaPolicy in action to develop, manage, and maintain policies throughout their effective use. Failure to manage policy lifecycles results in policies that are out-of-date, ineffective, and not aligned to business needs. It also opens the door to liability when an organization is held accountable for a policy that is not appropriate or properly enforced. 
5. Operational Effectiveness of Policy Management Program.  The Operational Effectiveness component of the Effective Policy Management Benchmark addresses how effectively the GPM and policy management lifecycle are implemented and managed across the organization. 
6. Technology Enablement of Policy Management Program. A well-conceived technology strategy for policy management can enable a common policy framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a governance, risk management, and compliance (GRC) technology approach to policy management enables better performance, less expense and more flexibility. 

GRC 20/20 does a number of benchmark projects for organizations.  The Effective Policy Management Benchmark is one among several, others include Effective GRC Management, Effective Risk Management, and Effective Compliance Management Benchmarks.

The latest GRC 20/20 research paper that provides more detail on the Effective Policy Management Benchmark has recently been published and can be accessed at the link below. It is free to access but requires registration on the GRC 20/20 Research website.

ACCESS BENCHMARK RESEARCH

There are also a variety of upcoming webinars GRC 20/20 is presenting on on the topic of Policy Management in August. These include:

• Policy Management, Part 1: When and How to Write a Policy; August 07, 2014 3:00 pm to August 07, 2014 4:00 pm
• Enabling GRC at All Levels of the Organization; August 13, 2014 1:00 pm to August 13, 2014 2:00 pm
• Policy Management, Part 2: Employee Engagement; August 14, 2014 3:00 pm to August 14, 2014 4:00 pm 
• The Next Generation Approach to Policy Management – Enhancing Employee Engagement; August 21, 2014 10:00 am to August 21, 2014 11:00 am
•  Policy Management, Part 3: Stewardship and Maintenance; August 21, 2014 3:00 pm to August 21, 2014 4:00 pm

Risk management is a huge topic these days with organizations looking for solutions to help them manage enterprise and operational risk across the departments and functions. However, there are many risk management technology projects that have failed to meet expectations, have gone over budget, and well past project deadlines.

Why? . . . there are many reasons. 

One is simply that the organization is trying to do too much too fast. They are overly ambitious on what can be achieved in a given time frame. This is particularly true when risk management has been an ad hoc “fly by the seat of our pants” operation (Urban Dictionary: to pilot a plane by feel and instinct rather than by instruments, to proceed or work by feel or instinct without formal guidelines or experience). Many areas of the organization have not thought through risk management and then it is pushed upon them.

Another reason is a failure to align risk with business strategy, objectives, and performance. The ISO 31000:2009 definition of risk is “risk is the effect of uncertainty on objectives.” This might be done well at a project or operational process, but as you rollout enterprise and operational risk technology the organization fails to provide the alignment of risk to business strategy and objectives.

The primary and disastrous failure of risk technology implementations I want to focus on in this post is risk normalization and aggregation. This is something that the major analyst firms leave out of their reviews and ranking of GRC solutions (note: GRC is a broad market and includes the range of risk management technology solutions available).

Risk normalization is simply the ability to compare apples to apples. If one department’s high risk is another department’s low risk this should be evident in risk reporting. Risk aggregation is the ability to take risks from different areas of the business and roll them up into an enterprise view of risk that makes sense. Risk normalization and risk aggregation work hand and hand. To aggregate risks properly requires that the technology have the logic to do risk normalization.

CASE IN POINT: I will never forget a panel I hosted at a GRC conference. On this panel was the Corporate Secretary/Assistant General Counsel for a major financial services brand. This role was responsible for the overall risk and GRC reporting that went to the Board of Directors. He stated to all in attendance that his Board never wants to see a risk report from their __________ GRC platform again (consistently a leader in major analyst reports).  Explaining this further he stated the risk reports were broken and meaningless as one departments high risk was discovered to be another departments low risk and everything globulated to the center on heat maps and made no sense (my view of risk heat maps is that they are often very broken and misused).

If Department A’s risk exposure is $10 million and ranked a high risk and Department B’s risk exposure is $100 million and ranked a medium risk, the overall risk report needs to reflect this accurately.  Organizations run the ‘risk’ that Department A’s risk will be focused on while Department B’s may be overlooked. This is oversimplification, there are many other variables such as frequency, probability/likelihood, velocity, and more to consider as well.

The challenge is that many risk management solutions (including some leading GRC platforms) were developed as a department level solution for risk.  They have a fairly flat view of the world. This leads to two points of risk technology failure in solutions that do not have native approaches for dealing with risk normalization and aggregation:

1. Force everyone into one flat view of risk. This essentially pushes every department and function into the lowest common denominator. All have to manage risk to a common set of criteria and scoring and individual departments lose out in depth and detail they need within their specific context. It limits the ability to get a true department perspective of risk for the sake of enterprise risk reporting that is in turn degraded and can no longer be trusted as departments lose their granularity needed to accurately measure and manage risk to their specific needs. There is a need to measure, model, and analyze risk in different ways in different departments/functions of the organization. The way an organization measures models market risk will be different than how it models health & safety risk.
2. Expensive services engagement to built out. Solutions that do not have risk normalization and aggregation as native features inherent in their technology will address this issue through implementation projects that are expensive and take a lot of time. GRC 20/20 has seen risk/GRC implementation projects that typically span from six months to over two years to rollout. The most common reason is customizing the platform to do risk normalization and aggregation. Then the platform breaks during the next upgrade process because of the behind the scenes customization of logic and rules done to support risk normalization and aggregation. 

BOTTOM LINE: when buying risk/GRC technology solutions that are to do risk reporting across risk areas, make sure that the solution has been designed from the ground up to measure and model risk in the variety of ways different areas need and that the solution supports risk normalization and aggregation without the need for expensive customization and implementation projects. Further, do not assume that a ‘Leader’ in analyst reports actually has addressed risk normalization and aggregation because many of them have not. Failure to consider this may mean expensive implementation projects that take more time than expected, result in broken upgrades, and outright scrapping the platform to move to a different solution. GRC 20/20 has seen it all happen.

I encourage you to share your experience and insight into this issue below.  It is one that GRC 20/20 has encountered several times in the market. Be bold; help other organizations understand this issue and its impact if not considered up front.

If you are considering risk technology to use within your environment, click on the Ask Inquiry button to the right.  GRC 20/20 offers complimentary inquiries to organizations evaluating GRC technology, solutions, and services. We are here to provide you insight into the market to make intelligent choices. GRC 20/20 can give you specific insight into what solutions do what aspects of risk management and GRC well and which do not.

The 2014 GRC Value awards are to recognize GRC solutions that have returned significant and measurable value to an organization.

Whether technology, content, or professional service providers – all can submit an award about a solution or service.  However, the nomination must be on a specific implementation/project in a verifiable client.  No generalizations or consolidations of multiple clients.  The GRC Value awards are to acknowledge specific QUANTIFIABLE value in a specific instance.  Every nominee if selected for final recognition (both solution provider and client) must be willing to spend up to an hour on the phone (separately and not together) to discuss the submission and validate accuracy of submission.  Only the top nominations in each category will go through the validation process. 

All award submissions are based on a single real-world implementation.   Factual accuracy and integrity is necessary.  GRC 20/20 will take all the nominations and select in each category the submissions that articulate the greatest quantifiable value in objective, measurable terms.  We are looking for hard facts not just soft bullet points.  Time saved, dollars saved, FTEs reduced.  Numbers win, generalizations lose.  Every submission must have contact information of the organization that claims to have received this value.  These organizations will be contacted and interviewed to determine if they have actually received the stated value as portrayed.  Any misrepresentation of issues found will disqualify the nomination from receiving the award and the next set of nominations in each category will be evaluated.   

Each recipient of an award will be written up and acknowledged.  Details of the nomination will be referred to but can be handled anonymously (if formally requested) in award announcements/communications from GRC 20/20.

Nominations must be received by June 30, 2014.  Recipients will be notified in August 2014 at least two weeks before formal announcements/publications are made in early September 2014.

Download the nomination form:

{rsfiles path=”2014 GRC Value Nomination Form.docx”}

 

Business is complex.  Gone are the years of simplicity in business operations.  Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management and compliance (GRC) professionals throughout the business.

The modern organization is:

• Distributed.  The smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner and client relationships. Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations.  An interconnected mesh of relationships and interactions that span traditional business boundaries now defines the organization.  Complexity grows as these interconnected relationships, processes and systems nest themselves in intricacy, such as deep supply chains.
• Dynamic.  Organizations are in a constant state of flux.  Distributed business operations and relationships are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology and processes while keeping current with changes to risk and regulatory environments around the world. Multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit and operational risks across the globe.  Regulatory change has more than doubled in some industries in the past five years and has grown for all industries.  Managing risk, regulatory and business change on numerous fronts has buried many organizations.
• Disrupted.  The explosion of data in organizations has brought on the era of “Big Data” and with that we now have “Big GRC Data.”  Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes and relationships to see the big picture of performance, risk and compliance. The velocity, variety, and volume of data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Many organizations are hindered when aspects of GRC are managed in disconnected silos that do not share information and collaborate.  Mature GRC programs are those that have an information architecture that can show the relationship between objectives, risks, obligations, policies, controls and events.  The problem is that organizations lack a solid information architecture to map information and therefore struggle to build knowledge out of remote data points. 

A backbone of GRC is risk management.  Organization objectives, performance and strategy are the primary alignment of GRC, but in the bowels of GRC processes it is risk management that provides the critical linchpin that connects GRC processes and activities together.  To effectively manage risk requires that the organization have a thorough context of risk relationships to other aspects of GRC such as policies, controls and events. However, the dynamic and global nature of business is challenging for risk management. As organizations expand operations and business relationships their risk profile grows exponentially. Organizations need systems and information to monitor risk to business internally (e.g., strategy, processes and internal controls) and externally (e.g., legal, regulatory, competitive, economic, political and geographic environments) to stay competitive. What may seem an insignificant risk in one area can have profound impact on others. This requires that the organization be thoroughly risk intelligent — the ability to think holistically about risk and uncertainty, speak a common risk language and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities and creating lasting value. 

Isolated Risk and Policy Initiatives Introduce Greater Risk

Managing risk in today’s dynamic and distributed business environment is not an easy task. Risk management does not happen in a vacuum — it requires context and follow through. The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined and communicated.  

The official definition of GRC is:

• A capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].  

The reliable achievement of objectives is governance, understanding and addressing uncertainty is risk management, and acting with integrity is compliance.  All three of these provide a natural flow.  Governance provides strategy and objectives that deliver the context for risk management.  Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries (policies & controls) and expectations so the organization can reliably achieve those objectives.  Compliance then ensures that the organization stays within the boundaries (policies & controls) set by risk management as it aims to reliably achieve objectives. 

The Bottom Line: Risk management activities managed separately from corporate policies leads to inevitable failure. Without an integrated approach to risk management and policy management the organization has no follow-through. Risk management is useless if it cannot be tied to boundaries for acceptable and unacceptable risk that are defined and communicated in policies throughout the organization. 

A nonintegrated approach to risk and policy management impacts business by not being efficient, effective or agile, resulting in:

• Inefficient alignment. Organizations take a Band-Aid approach and manage risk disconnected from policies instead of thinking of their relationship and dependence upon each other.  Every policy in the environment is a risk document — there would not be a policy if there was not a risk. When policy management is disconnected from risk management the organization ends up with policies that are not clearly aligned and are managed out of context of the risk they address. 
• Poor visibility across the enterprise. Separate risk management and policy initiatives result in an organization that does not see the big picture – it fails to measure policy in the course of business conduct and how it impacts risk exposure and management. The organization ends up with islands of policies that are not understood in the framework of risk.
• Overwhelming complexity. Non-integrated risk management and policy management processes increases complexity. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently by introducing more points of failure, gaps and unacceptable risk. Inconsistent risk management and policy processes not only confuse the organization but also regulators, stakeholders and business partners. 
• Lack of business agility. The organization is constantly changing and  therefore its risk profile is changing.  The inability to have a view into the relationship of risk to current policy handicaps the business. The organization is incapable of agility in a demanding, dynamic and distributed business environment. People are bewildered by a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic. 
• Greater exposure to non-compliance and vulnerability. When policy is not written and enforced in the context of risk management, the focus is on what is immediately needed to get the
  job done.  This leads to processes and individuals, who step out of line, take more risk than the organization wants, or violates policy. Most often organization’s policies are out of date to the current risk profile, non-existent or unenforced in accordance to risk.

What may seem like an insignificant risk from one perspective may very well have a different appearance when other perspectives are factored in. Organizations with siloed risk management and policy processes face inefficiency, out-of-sync controls and out of date or insufficient policies that are inadequate to manage risk. Organizations fail and are encumbered by complexity because they manage policy within specific issues, without regard for a common integrated risk and policy framework. 

More on this topic can be found in the following items from GRC 20/20 . . .

• Polices: The Last Mile of Risk Management – A GRC 20/20 Strategy Perspective
• There is no Security Patch for Human Error – Webinar
• Benchmarking Your Policy Management Program: Deficient, Common & Best Practices – Webinar
• Market Landscape: Policy & Training Management Solutions – a GRC 20/20 Online Research Briefing

 

All organizations do GRC (governance, risk management, and compliance).  It does not matter if the organization uses the acronym or not, every organization has some approach to the elements of governance, risk management and compliance whether it is non-integrated and siloed across scattered areas of the organization or a federated GRC strategy that links GRC activities into a strategy, process, information, or technology architecture.  GRC by definition (OCEG) is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

GRC maturity is highly dependent on technology.  To be clear, you cannot buy GRC — GRC is something you do, not purchase.  You can buy GRC technology that assist in managing GRC related processes, analytics, reporting, and more.  Every organization uses technology for GRC; pens and paper are a form of technology, so is email, spreadsheets, and documents.  The correct selection and use of GRC technology is one aspect in maturing the organization’s approach to GRC.  In fact, GRC maturity cannot be achieved without improving your information and technology architecture for GRC.  However, I cringe when organizations tell me they just bought GRC and now need to figure out what to do.  Strategy and process comes before technology.

The coverage of GRC technology by other analysts is frustrating.  For full disclosure, I am a research analyst.  I research and monitor GRC best practices, benchmark organizations, and define/model the market for GRC solutions, content, and services.  I review solution provider offerings, assist organizations in selection and write/manage RFPs.  While an independent research analyst for the past seven years, I previously spent seven years at Forrester Research where I was the first analyst to define and model the market for GRC solutions and services and label it GRC (February 2002).  I wrote the first two Forrester GRC Waves comparing solutions. Since leaving Forrester I have spent the last seven years bewildered by the way my analyst competitors cover the market for GRC technology.  I respect that in some cases they are handicapped by internal research boundaries of other analysts.  However, the coverage of the GRC market by other analysts firms is confusing and damaging.  

Before I critique my competitors, let me state my position. GRC, approached correctly, involves a strategy, process, information, and technology architecture.  The GRC market is comprised of a wide range of solution categories.  Some of these are represented in a GRC platform that tries to accomplish several areas of GRC in one neat little package.  Caution though, the idea of a single ‘GRC Platform’ to meet all your needs has challenges. There is no one-stop show for GRC. There can be a core backbone for GRC, but GRC often requires integration of a range information and technology.  Some of today’s complex governance, risk, and regulatory reporting requirements are only done through significant integration and analytics of data across the business. Organizations are best served to approach GRC as an architecture and throw away this idea of a single platform that promises to do everything.  I still reference GRC platforms as there can be a backbone that brings things together. Organizations are best served through a federated architecture that allows for best of breed GRC solutions where they make sense and does not force the organization into the lowest common denominator through one platform that tries to be all things to all needs.  I will be discussing my representation of the GRC market in next week’s 2014-Q2 State of the GRC Market Research Briefing.

Now that you understand my position, let’s review how GRC 20/20’s competitors approach the GRC market from the perspectives of Gartner, Forrester, Chartis, and Market to Markets:

Gartner

Gartner is the largest market research firm covering a wide range of technology and services.  Their GRC research I have ranted on in the past:

• Gartner’s EGRC “Arcane” Magic Quadrant
• Rethinking GRC: Analyst Rant, Gartner’s 2012 EGRC Magic Quadrant
• Gartner GRC Magic Quadrant Rant, Part 3
• Concluding the GRC Analyst Rant

In these posts I have critiqued Gartner’s GRC Magic Quadrant stating it is not transparent and does not represent the real world of GRC buying as 80% is focused on specific areas of GRC and less than 20% on enterprise GRC platforms. Gartner has responded to my critiques and changed course (though they would never confess).  In a blog entry, French Caldwell announced their new approach: A Revolution in GRC Affairs at Gartner (or burning the EGRC mq).  To me it reads that French is saying ‘GRC is dead, long live GRC.’  In this post Gartner recognizes what I have been preaching form may analyst pulpit for seven years that the GRC market is a broad market with solutions that do different things. 

Gartner has responded by breaking up the Magic Quadrant and analyzing solutions on use cases.  This analysis is just starting and covers the aspects of: 

• Use case 1: IT Risk Management (ITRM). 
• Use case 2: Operational risk management (ORM). 
• Use case 3: Audit management. 
• Use case 4: Vendor risk management (VRM). 
• Use case 5: Business continuity management (BCM). 
• Use case 6: Corporate Compliance and Oversight. 

Further Gartner has scoped a wide range of other GRC market research:

• Market Guide for Audit Management 
• Magic Quadrant for Operational Risk Management 
• Magic Quadrant for Security & IT Risk 
• Magic Quadrant for Business Continuity Planning 
• Magic Quadrant for Vendor Risk Management 
• Market Guide for Corporate Compliance and Oversight 
• Critical Capabilities of GRC Vendors 

Gartner is to be commended for this shift in research and is my most formidable competitor. I do appreciate the interactions I have with French despite our online debates.  We make a great nemesis team — protagonist and antagonist — Batman and The Joker, Superman and Lex Luthor (I will let you decide who is who).

Despite this tremendous change in strategy I am here to say it has some issues in the definition of the use cases.  Basically, some of the use cases do not accurately represent the breadth of market requirements.  I have looked them over carefully.  As an independent analyst I get engaged to assist solution providers in how to approach and manage their relationships with the major analyst firms.  I am asked to play the role of French Caldwell and review their responses and watch their demos to improve how they present their solutiosn to analysts.  It is quite fun.  The past few weeks, several solution providers have reached out to seek my assistance in strategizing responses to Gartner’s new GRC use cases.  My concerns are as follows:

• Use case 1: IT Risk Management (ITRM). This use case I find interesting: its criteria covers the basics, but I am surprised on the limitation of the compliance mapping.  It makes no reference to ISO 27000, NIST, or other popular standards and only references US-based regulations (note: PCI is not a regulation, but a contractual requirement).  I take particular issue in Gartner Analys
  t Paul Proctor’s blog Gartner Resets Approach to GRC. What Paul states is counter to Gartner having a use case in this area, he says, “The delineation of IT-GRC vs EGRC is almost meaningless because all of the IT-GRC vendors claim to do everything the EGRC vendors do and vice versa.” My point of view: IT-GRC solutions have an expanded data architecture to cover information and IT assets (e.g., logical, physical, relational, process), vulnerability and threat information, and hooks into the security architecture (e.g., vulnerability scanners, configuration management, security event/information management).  There is a difference between IT-GRC and EGRC.  Yes, some EGRC solution providers make a lot of claims and can tell Gartner all day long they do IT-GRC, it is Gartner’s job (and mine) to hold them to account on this and not just cave in.  Some vendors state they can do anything, and with a significant amount of money and services they can do some interesting things, it will just cost you money and time.  It is the job of analysts to analyze solutions and tell the world who actually has the features, who has the track record of success, who simply has capabilities that can be built out at a cost, and who lacks it all together. In my view it is easier for an IT-GRC solution to be an EGRC solution than an EGRC solution to become an IT-GRC solution.  Gartner – you appear to be speaking out both sides of your mouth stating that delineation is almost meaningless and putting the time and effort into a use case in this area. 
• Use case 2: Operational risk management (ORM). This use case has many of the high-level core criteria I would expect.  I would like to see more on risk identification and collaboration. It could be more thorough in the variety of risk models solutions can do.  There are over a dozen different risk analysis/assessment techniques that I review in my Risk Management Workshop. The international standard ISO 31010 (which provides supporting guidance to ISO 31000) has thirty different approaches.  I often get asked which solutions support which of these risk assessment and analysis techniques when other analyst firms cannot answer this question.  Another area for improvement in this use case is the ability to map/relate risks to show how risk interrelates with other risk not just vertically in hierarchies but horizontally across hierarchies. A particularly big issue in this area, and lacking in the use case, is the ability to aggregate and normalize risk.  Some in the Magic Quadrant are quite flawed.  They break down when different departments have different risk models and scoring.  To overcome this, vendors have significant implementation time lines (at great financial cost) to build out rulesets and logic for risk normalization and aggregation because it is not a native feature to the solution. Risk normalization and aggregation is critical and necessary so risk reporting across department/operational areas to enterprise risk reporting makes sense.
• Use case 3: Audit management. Someone has done their homework.  Compared to the other use cases, the audit management use case is far more detailed.  Makes one wonder why Gartner goes deep in a few use cases while the rest are very light.  My minor issues with this is an ability to build dynamic audit plans based on changes to business/regulatory/risk environments and the ability to build the more traditional three or five year audit plans.  It could be stronger by listing the ability for external auditors to use the platform, and flexibility of the solution to perform a range of operational audits including those across vendor and supply-chains (where external auditors are often used).
• Use case 4: Vendor risk management (VRM). This one is a big disappointment.  They scope the use case to be vendor risk management, and strongly lean it toward security.  It should be 3rd party management (though in the commentary it does discuss applicability to supply chain, I suspect the narrow scope of this is due to internal politics and research boundaries with other Gartner analysts covering supply chain, if so it is a disservice to clients that are thinking more holistically).  I do not see anything in the use case that identifies: a portal for 3rd parties, self-registration, communication of code of conduct and other policies, delivery of training, and ability for internal or external auditors to use the solution and record findings when exercising right to audit clauses.  It is weak on detail about integration with 3rd party content for due diligence and monitoring activities — organizations are looking for solutions with a lot of depth in this area and the brief criteria statement is rather . . . light.  In summary, from one industry perspective, this use case would end up with analysis of solutions that does not meet the needs of financial services institutions responding to the latest OCC requirements for more holistic vendor governance.  The use case only partially fits the criteria needed by banks in this area.
• Use case 5: Business continuity management (BCM). Similar to audit management, Gartner has a lot more detail on the BCM use case and makes you wonder why the other four use cases are so light in comparison.  A pretty thorough job in BCM.
• Use case 6: Corporate Compliance and Oversight. My greatest disappointment. This one is long and needs to be broken into subbullets:  
  • Compliance risk. Compliance risk assessments go beyond prioritization and planning. It is an integral part of the elements of a compliance program defined by the United States Sentencing Commission and is referenced by regulators as well as mentioned in some consent decrees, corporate integrity agreements, non-prosecution agreements, and more.  It is part of board’s fiduciary obligations of compliance oversight. Compliance assessments are more than control assessments.  Control is a term used by auditors, financial compliance, and IT.  Compliance assessments, which can include control, also cover the state of policy development, maintenance, and communication.  Compliance assessments review hotline reports and cases.  Compliance assessments look at training programs.  To do a proper compliance assessment looks at compliance process as well as controls.  
  • Exception management. Gartner’s coverage of exception management does not reference policy exceptions.  
  • Regulatory intelligence. I would expect to see deeper criteria on regulatory intelligence and the ability to not only integrate but provide content and in what areas content is provided (list the areas Gartner, break it out and measure solution providers on depth and breadth of regulatory content).  Some solutions are deep in industry verticals like insurance, banking, health and safety – let your readers know which areas of content depth solutions deliver through relationships or directly themselves.  Have a taxonomy in the criteria so solutions have to show the range of regulatory intelligence coverage – and I pray Gartner understands that this is more than the Unified Compliance Framework (I am not critiquing UCF, just recognizing that they only have a small slice of the regulatory world).  
  • Policy management. For policy management, Gartner should break this out in its own use case.  There are a lot of enterprise and department policy management RFPs and projects that are not part of a broader compliance platform selection process. Gartner could spell out detail in policy lifecycle management capabilities, and it is missing exception management for policies as previously noted.  There also is nothing in the criteria that covers the communication plan and campaigns for policies and training.  
  • Issue reporting and ca
    se management. Under the incident criteria there should be an item that reviews the ability of the solution to stand up in court with proper evidence tagging and non-repudiation.  
  • Compliance forms & disclosure management. The use case criteria is missing forms management such as disclosures for conflict of interest; gifts; entertainment; hospitality – this is critical functionality for a solution for corporate compliance and ethics, particularly if you want to help your clients with FCPA and other regs. 
  • Due diligence. The criteria is void on integration with due diligence and other content databases (beyond regulatory intelligence) to fulfill due diligence requirements on internal personnel as well as 3rd parties.  
  • More compliance content. Some of the strongest compliance solution providers in the space provide content themselves and there is no coverage or the range of content – regulatory analysis, policies, controls, training/elearning courses, standardized assessments, 3rd party due diligence.
  • Defensibility. Most significantly, there is nothing on a defensible audit trail.  There is a reference to history in the use case – but organizations need more than that and solutions need to prove it to you Gartner.  Look at the DoJ memo on Morgan Stanley and how they were praised for the ability to demonstrate policy maintenance, communication and training activities, assessments, monitoring, due diligence. Organizations need defensible compliance with clear audit trails of who did what, how, when, and why.  Regulators are starting to tell banks that spreadsheets/documents do not have the right integrity in audit trail to use for assessments (something I have been stating for a decade).  The November 2012 FCPA guidance by the DoJ and SEC states that they often encounter compliance programs that look good on paper but fail operationally and they are sick and tired of it.  We need defensible compliance.

These are the use cases GRC solution providers have to prepare for, Gartner is just beginning their process.  They could explore much of what I discuss throughout the process, but it would be best if it was apparent up front in the use cases themselves.  There also is still time to revise these use cases as analysis is just starting. This matters as organizations invest a lot of money in solutions and need the deepest insight into the solutions they are purchasing.  When requirements are not met it hurts the market as a whole.  Gartner has a log of influence and is the biggest brand in the business.  While we compete in market research, their approach can cast a shadow that hurts the rest of us. I dive deep into the functionality of these solutions and care that organizations select the right solution for their needs. 

One more thing – Paul Proctor’s blog I referenced above.  He critiques the acronym of GRC as being the most overused term confusing things.  For clarity, the individual parts of GRC – governance, risk management, and compliance are all very overused terms across the business with many different interpretations.  This is the area of  research each of our firms cover and the one our clients engage us to make sense of.

Forrester

Compared to the long Gartner post, the brevity of this discussion may come across as letting Forrester off lightly.  There is some serious misalignment between Forrester on one-side and myself and Gartner on the other.  I cannot even go into the detail that I did with Gartner as Forrester just lacks the same point of view of the GRC market. I cut my GRC teeth at Forrester, defined the GRC market before anyone else, wrote the first two Forrester GRC Waves (as well as the first two ERM Consulting Waves).  I recognized in 2007 with the 2nd GRC Wave that this market was too complex to represent in one two-dimensional graphic.  As a result, my Wave had four graphics representing the aspects of: 1, overall GRC; 2, governance (audit); 3, risk management; and 4, compliance management. I reference Forrester in some of the blog entries I link to above discussing Gartner, but also have discussed Forrester in the following:

• The Forrester GRC ‘Ripple’ (OOOPS . . . I Mean, ‘Wave’)

Previously I have given praise to Forrester for transparency. The Wave process gives clarity into scoring and criteria that Gartner’s Magic Quadrant does not (but these use cases are getting there). In the past seven years Forrester has collapsed the GRC Wave and failed to expand it.  The four GRC Wave graphics went to one graphic. To make matters worse, Forrester combined a separate Wave on IT-GRC into the Enterprise GRC Wave (I discuss my views on the differences of IT-GRC and Enterprise GRC above in the Gartner analysis).  Further consolidating research analysis of solutions where I have been expanding it and now Gartner is as well. Forrester – what GRC market are you covering?  Certainly not the one I am covering, and not the one Gartner is covering. 

Chartis

Chartis is not as well known as Gartner or Forrester. They provide market research with a predominant focus on financial services.  They cover a range of GRC topics that I would all put under the umbrella of GRC, but their approach is to split GRC into its own category of multi-functional platforms distinct from other areas of their risk and compliance coverage.  

My approach is that the entire market is called GRC and there are a lot of segments in this market of different types of solutions.  Like IT security which has segments for firewalls, intrusion detection, anti-virus, and more . . . GRC has segments for risk, audit, compliance, policy, health & safety, quality management and many more areas.  To me, GRC is the macro-market, an umbrella that covers a range of solutions. Chartis and I talk “apples and oranges” as we are representing GRC as different things. Their approach fails as it aligns more with Forrester than myself.  Though if you take the scope of what they cover as ‘risk technology’ we become more “apples to apples.” It is how we name the high-level market category that everything cascades from that differentiates us.  They call it risk technology, I call it GRC.

What really sets me off about Chartis is their recent statement in Enterprise GRC – Time for GFRC?  Chartis states, “To drive a behavior-driven approach to GRC, firms need to incorporate performance and remuneration measurements into GRC. Chartis believes that firms should replace ‘GRC’ as a concept with ‘GFRC’ – Governance, Finance, Risk, and Compliance . . . Traditional GRC is outdated and fails to manage risk and prevent serious compliance breaches . . . Firms need to move beyond traditional GRC and take a more dynamic approach to governance, risk, and compliance.”

We are actually aiming for the same trajectory that there is more than a GRC platform and GRC platforms by themselves are not enough and can force an organization to the lowest common denominator in managing risk. Later in the article they state, “Chartis also believes that firms should do more to incorporate areas currently overlooked by GRC, including model risk, conduct risk, reputational risk, and stress testing.”  These areas of risk are covered in the GRC 20/20 market model for GRC.  I am writing a paper right now on model risk management, GRC 20/20 has a segment of the GRC market that catalogs solutions for reputation/brand risk, conduct risk falls into our coverage of compliance management solutions (e.g., market conduct exams for insurance), and stress testing is in the coverage of risk management technologies.  Where GRC 20/02 defines a range of solutions in the market GRC and Chartis calls the same over
all market ‘risk technology,’ Chartis is using the GRC label similar to Forrester by collapsing a platform down to the lowest common denominator and then taking the perspective Gartner and I have stating it is missing something.  Technically, Chartis and GRC 20/20 is aligned as we see a range of technologies that define a category.  I call it GRC.  Chartis calls it risk technology.  We are pointing at the same thing in this sense.  

I take issue with Chartis trying to create GFRC – that just confuses things.  The GRC market started growth in financial controls as a fallout of SOX and some back in 2003 and 2004 tried to add Finance then.  I don’t understand what Chartis is trying to communicate. Adding finance into the mix is a step back and not a step forward. One of the problems with traditional strategic planning is that it is really about financial planning and budgeting. In the UK there’s an entire movement around something called “beyond budgeting.”  Finance, as well as operations, falls under the pervasive umbrellas of governance, risk management, and compliance.  If not, do we start adding HR for human resources for the human element of GRC, IA for internal audit, H&S for health & safety.  The nice thing about the GRC acronym is that these words are adaptable across the organization and provides a good umbrella. GRC defines the flow and context for the solutions in the market.  GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.  Risk needs governance to set the objectives and strategy to give risk management context. We measure and monitor risk as it relates to performance, objectives, strategy with a focus on uncertainty.  Part of risk management is setting boundaries that get established in policies, procedures, and controls that compliance ensures we adhere too – acting with integrity.

Markets to Markets

This company should not even be referenced in this post, but I do as they have been brought to my attention by solution providers a few times in concern. You can request their sample GRC report for free, but they charge thousands for the full report – the sample has anything of value redacted.  Why I bring them up is their flagrant disregard for intellectual property and copyright. Their GRC market report takes some of my GRC content, particularly on GRC 3.0, the market timeline for GRC 3.0 in an exact representation of my work, and other GRC points and they source it back to themselves and not to GRC 20/20.  Be wary of the analyst firm that fails to have an original thought of their own and takes the intellectual property of others.  It came to my attention after solution providers in the GRC space (more than one) pointed out my IP being referenced as theirs. Still waiting for a confession and apology . . .