Category: Blogs

GRC 20/20 Research awarded MetricStream and Sterling Bank its 2013 GRC Value award in the Enterprise GRC category. MetricStream Enterprise GRC Solution Suite allowed Sterling Bank to transition from using hundreds of spreadsheets created every year to complete audits, credit reviews and risk assessments in addition to hundreds of other documents compiled to report on findings and risk summaries. Today’s system is a single-source GRC solution that integrates governance, risk and compliance functions and brings strong scores from regulators.

Sterling successfully used MetricStream’s single-source GRC solution suite, which consolidates various GRC functions, including enterprise risk management, internal audit, issue management, policy management, business-line risk assessment, regulatory compliance self-assessments and internal asset review, into one enterprisewide view. Benefits received in the short term (within one year) of implementation included:

• Automated end-to-end GRC workflow, eliminating the need for cumbersome spreadsheets, saving time and costs and minimizing error
• Ability to perform detailed risk self-assessments, define and assess controls, track loss incidents along with root causes and ownership, and quickly resolve any issues that arise
• Established a single risk framework and nomenclature within the GRC system, and a single source of truth
• Strong risk management grade from regulators
• Better board reporting and focus on the risks that matter
• Risk management is now 1 of the top-line corporate goals, raising awareness about its value

A long-term GRC vision

Among Sterling Bank’s long-term goals for the product is to push risk management down to the first line of defense, to ensure issues are identified as early as possible. This top-to-bottom approach should also involve the board of directors and actively engage them in GRC issues.

The MetricStream solution will be used for active monitoring of audit processes, risks and incidents, and ensure compliance with regulations such as SOX, GLBA, FDIC and FFIEC by all business units — and not just by the efforts of the risk and compliance staff. The solution provides a single and unified view into actionable business intelligence, active responses to risk and facilitates corresponding changes to strategy, all of which provides the bank with a competitive edge.

Risk, compliance, audit and policy in one enterprisewide view

Before MetricStream Enterprise GRC solutions was implemented, the various GRC initiatives at Sterling Bank — risk, compliance, audit, policy, etc. — were managed as separate programs, and as a result, due dates for issues could be missed and when reorganizations occurred, issues could fall between the cracks. A number of standalone software applications and point solutions catered to these individual programs and functions. There were serious challenges in ownership and transparency, which resulted from a prior inability to aggregate GRC data from across the enterprise in real time, and leverage this information to drive risk-based decisions and business strategy.

Sterling Bank used several data sources and manual processes that were labor intensive. GRC functions were spread across multiple unrelated departments. Consolidating all GRC programs and processes into a single platform enables the organization and every employee to work more collaboratively and more efficiently, while reducing costs and eliminating redundant activities.

MetricStream GRC solutions foster communication, collaboration and information sharing between business units and corporate functions. The bank can ensure ownership and transparency while aggregating GRC data from across the enterprise in real time, and leverage this information to drive risk-based decisions and business strategy.

A change in GRC culture

Sterling’s fraud risk assessment process previously contained over 300 different risks, many of them applicable to only one department. By rationalizing these risks for population into the MetricStream GRC solution, Sterling was able to eliminate and consolidate fraud risks into 70 risk categories companywide. This library of risks, controls, processes, assets, issues, regulations, products, policies and objectives enhances Sterling Bank’s risk management capabilities. Business managers have real-time access to the status of audit and exam issues rather than waiting to receive a periodic spreadsheet.

The GRC program facilitates a reduced-touch approach to GRC; business units no longer have to generate as many as eight risk assessments a year, since the GRC program provides multiple automated risk assessments in a single session. The following efficiency improvements have also been realized by the new approach, supported by MetricStream GRC solutions:

• Automated end-to-end GRC workflows eliminate the need for hundreds of documents and spreadsheets, saving time and costs and minimizing errors.
• Provides a single-source-of-truth for risk information with a universal risk taxonomy and nomenclature.
• Has served as a catalyst for establishing a sustainable risk culture across the enterprise.
• Promotes tracking and trending data for management committee and board reporting.
• Ability to isolate changes in self-assessment testing for immediate action.
• Risk is now embedded within decision making processes, and coordinated across business units.
• Empowering individuals and committees to be accountable in owning and/or escalating existing and emerging risks to management.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded Modulo Risk Manager its 2013 GRC Value award in the Enterprise Risk Management category. The financial services company used Modulo Risk Manager to help it comply with HIPAA, PCI and SOX, and its consolidation of its 350 independently chartered bank branches, with 6,700 employees and a heterogeneous environment spanning a variety of operating systems, servers and application platforms as well as legacy systems for each of the back-end core banking platforms. Benefits from the first phase of its Modulo Risk Manager implementation included:

• Creating efficiencies and consistency by unifying silos of data into one automated governance, risk and compliance program
• Completed 40 percent more risk assessments without adding any additional resources
• Finished risk assessments two months ahead of schedule
• Accomplished twice as much work with the same resources
• Attained a complete picture of the company-wide risk posture for improved business decision making

The second phase of the implementation, now in progress, is developing and integrating processes for GLBA compliance assessments, business continuity management and vendor risk management.

A new system that brings together scattered ERM

The financial services company was challenged with finding an automated GRC process to eliminate manual costs associated with risk assessments, consolidate GRC data into a common format and automate workflow. It wanted a system that could communicate risk in a timely and consistent fashion with different information for different stake holders, as appropriate. The solution needed to rationalize IT controls and create efficiencies around design, testing and reporting to meet increased regulatory scrutiny across all disciplines including HIPAA, PCI and SOX.

Modulo Risk Manager enabled the company to achieve its GRC audit goals on time, on budget and do twice as much with the same resources. It is also leveraging Modulo to mature its information risk process into an operational discipline, providing a more complete picture of the companyʼs risk posture.

Modulo’s Risk Manager™ software solution helped streamline the company’s risk assessments, reduced its control testing and expenses, and improved its communication of risk to various lines. The solution helps manage complex and dynamic dependencies of IT resources to supports critical system availability and confidentiality. The company’s feedback is that they regard Modulo as a strategic partner with extremely well trained and responsive staff.

Looking forward with a clearer view

With close to $30 billion in assets, this regional financial services company’s banking divisions provide commercial and retail banking, investment and mortgage services. It recently consolidated its 350 independently chartered bank branches. With 6,700 employees at the time and a heterogeneous environment spanning a variety of operating systems, servers and application platforms as well as legacy systems for each of the back end core banking platforms, the infrastructure of the multi-bank model was complex. As a result of this consolidation as well as an increasing number of regulations to comply with — from PCI, HIPPA, FFIAC, OCC, SOX, GLBA, FFIEC and SECISO to FDIC as well as other federal and state government requirements — the company was responsible for completing twice the number of audits with the same resources, and streamlining its overall GRC program.

Faced with increased regulatory scrutiny and an exponentially more complex environment, the company was under pressure to complete more risk assessments. Additionally, it was in the process of evolving its information risk practice into a broader, more mature operational risk discipline in order to get a complete picture of the organizationʼs risk posture.

The company’s team expects to continually find new uses for the flexible Modulo Risk Manager platform that streamlines and improves security, risk and compliance management initiatives. It will extend the program to tie company policies and industry controls (such as those for COBIT and SOX) to the Modulo framework for more efficient rationalization. It also plans to integrate data from third-party vulnerability scanning systems into the model for a more complete picture of gaps and risks. They also plan to record and report data losses due to process and technology failures or fraud to identify exposures before they impact the business. With the Modulo Risk Manager Web-based platform, the financial services company can easily customize and scale to meet the growing needs of the organization and integrate it with existing processes and technologies.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded Riskonnect RMIS and the State of Utah its 2013 GRC Value award in the Insurance & Claims Management category. Riskonnect RMIS’s fully automated insurance risk management software platform addresses insurance claims, litigation, exposure, and policy management.

The Utah Division of Risk Management (DRM) chose Riskonnect RMIS (risk management information system) to replace its legacy vendor's basic claim system. Within one year of implementation of Riskonnect RMIS the Utah DRM estimates it saved $1 million on reconciliation of insurance premium billing, and saw an 82 percent increase in efficiency in processing high dollar payments. Other short-term gains included:

• High-dollar payment process reduced from 17.1 days to one day
• Bill processing (acceptance/authorization/payment) reduced form 29.3 days to two days
• Complete integration of relevant risk data removed need for five hours per week of reconciliation between source systems
• Consolidation of the contact database produced significant reduction in resources because if its consistent, accurate linking to appropriate contacts for all risk-related activities
• Reduced time to generate current risk status reports and reduced travel time to home office, with remote Web access to risk system
• Reduction in fees for redundant systems of over $30,000

During the next five years, because of its Riskonnect RMIS implementation, the Utah DRM expects:

• More effective management and response to risk-related issues
• Improved ability to make decisions about risk, based on real data, not estimates
• Continued cost savings and efficiencies due to ongoing and expanded use of the Riskonnect RMIS system

The previous solution

The State of Utah Risk Fund managed by the State of Utah DRM insures State government agencies, school districts, institutions of higher education and charter schools. The fund insures more than $28 billion worth of property, 7,000 buildings, 13,000 vehicles and liability coverage for over 120,000 employees. The division also offers claims adjusting, loss control services, insurance procurement and policy management.

Before the Riskonnect implementation, Utah’s Risk Management division managed the process via a legacy system with limited functionality with multiple sets of disparate data. The system was incomplete and expensive.

Riskonnect RMIS, a comprehensive risk management work platform, includes a central repository to house previously separate databases and to easily incorporate workflow and automate business processes into the system. Qualitatively, the Riskonnect system provides substantially greater levels of confidence in the data and related processes. In addition, the reputation of the user group with its stakeholders is enhanced substantially because of the huge reduction in processing times. Additional savings continue to accrue.

New speed and agility and best of all, better data

The speed of responding appropriately to a wide range of risk related activities has greatly enhanced the reputation and support for the Utah DRM. In addition, the substantial increase in the quality of the related risk data has meant the negotiations with mitigation providers has been far better with significant savings in effort and price.

Being able to provide quality data for decision-making has been a huge benefit.  Utah DRM has been able to provide its insured entities and other interested stakeholders in real-time loss data that has been critical in management policies and priorities. Loss control activities can be targeted towards specific and current trends and audit queries are processed seamlessly.

The new system has given rise to new levels of agility. For instance, today changes in configuration can occur during a conference call — particularly changes in system reports. This means the Utah DRM can respond much more quickly and accurately than previously. Flexibility and ease of most system changes has been a significant benefit.

To the Utah DRM, the greatest strengths of the current approach is the new accuracy and consistency produced by integrated workflow, its built-in validation rules and the approval processes. Going forward, it expects resources can be freed up to focus more on risk decisions and less on day-to-day reconciliations.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded RSA® and Equifax its 2013 GRC Value award in the Business Continuity Management category. After implementing RSA Archer’s Business Continuity Management solution, U.S. consumer credit reporting agency Equifax experienced an immediate 60 percent reduction in time to create business continuity and disaster recovery plans, and a 20 percent OPEX savings for 2013.

Equifax expanded its use of the RSA® Archer solution in 2012 to include the Business Continuity Management (BCM) functionality, and it now also manages business impact analysis, business continuity planning and IT disaster recovery planning on a global scale. RSA Archer helps Equifax drive new initiatives on revenue and risk analysis; cross-reference business process related risk with the associated IT applications and service delivery to customers; and understand how each customer is potentially affected by long-term Equifax operations and systems outages.

Immediate and continued benefits of the RSA Archer solution include a standardized business process terminology that follows the ITIL model and allows Equifax to tie each process to an associated IT managed application; clean executive-level dashboards that show risk exposure and opportunities for investment; comprehensive impact analyses and plans; and risk data reports that the CFO can use to make informed decisions on risk management and risk investment.

During the next five years, Equifax projects additional benefits from the RSA Archer solution, including 20 percent OPEX depreciation and amortization savings from 2013 to 2016, 30 percent reduction in time to create business impact analysis reports (BIAs), business continuity planning reports (BCPs) and DR plans through ease of use of RSA Archer Business Continuity Management, and a substantial increase in overall maturity level of both BC and DR programs as measured by COBIT model against DRII 10 Professional Practices.

A mix of industry tools and spreadsheets

Before the RSA Archer solution was implemented in 2012, BCPs and BIAs were done with another industry tool. DR planning was performed in spreadsheets and word documents. In-depth analysis on the BCM program maturity was performed by an independent auditor in Q4 2010, and was followed up internally in 2011. The following challenges with the former BCM tool were documented in the findings:

• BC/DR tool could not scale to meet Enterprise Risk Management objectives
• No cross departmental standardization of BC/DR program or documentation existed
• No alignment of business process risk with IT application risk existed
• Overall BC/DR program maturity was not visible or measurable within the existing functionality

The RSA Archer Business Continuity solution has helped Equifax to reduce projected annual operational costs by $400,000.

New BCM efficiencies radiate through other processes

The RSA Archer Business Continuity Management process at Equifax is now sharing information from its BIA Risk assessments back to other GRC processes, which has had a positive impact on other organizational risk aversion efforts. Equifax is able to make risk decisions based on real risk assessment and BIA data rather than subjective input from business units, and business leaders can refer to dashboards in RSA Archer to get real-time status on the maturity of their respective BC and DR responsibilities within the enterprise BC framework, making processes simpler and less time-consuming. Consistent, intuitive layouts and workflows also minimize training efforts year-over-year, which have resulted in broader engagement and buy-in from business users.

Risk decisions are based on objective data that connect with BC and DR investments in the U.S., Argentina, Chile, and Canada with pending decisions in Russia and India. Users of the RSA Archer Business Continuity Management solution are complimentary of the process because it is far less time consuming for them to create plans and BIAs than in previous years. BC and DR teams are working more efficiently and now feel that they have more control over their own destiny due to a marked reduction in operational overhead. 

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded SAI Global and HealthPlus its 2013 GRC Value award in the Investigations Management category. With the help of the SAI Global solution called Compliance 360®, HealthPlus, a Michigan health and wellness organization, reduced its average days to complete investigations cases by 56 percent. Average days to complete cases has been reduced from nine days to four days. In spite of ever-rising caseload numbers, the SAI Global team was able to complete the implementation two months ahead of schedule.

Compliance 360 is a comprehensive software solution that streamlines the GRC process for organizations of all sizes and geographic diversity.  SAI Global’s Compliance 360 solution is designed to make compliance, risk and audit management easier, less costly, and much more manageable – even for organizations in highly regulated industries.  Compliance 360 is a highly configurable set of modules that help identify gaps and risks, eliminate duplicate efforts and easily maintain the records needed to demonstrate full control of compliance, risk and audit programs.

HealthPlus of Michigan (HealthPlus) provides customized, nationally recognized health plans that meet the needs of large and small employers, and families and individuals, through a variety of programs including Medicare Advantage and Medicaid. Organizations including HealthPlus that participate in Medicare and Medicaid programs face significant and unique compliance challenges. In this environment, the regulating entity is also the payer, providing funding for the services provided to health plan members. Because of this unique situation compared to other regulated industries, compliance gaps and breaches can not only result in fines and sanctions, but also in withholding of payments and termination of participation in the program.

A manual, inefficient system stymies a growing organization

Prior to 2011, HealthPlus was managing their cases using manual tools including an MS Access database and e-mail. With over 4,000 cases in the system, they were challenged with difficulty in managing and tracking case status and visibility when needed for escalation. They also needed to improve efficiency.

These objectives were very important in order to ensure rapid response and resolution of cases including allegations of fraud, waste, abuse, privacy, security and other compliance requirements. Failure to do so can result in increased scrutiny and potential fines for health plan organizations.

The Compliance 360 GRC System

The Compliance 360 GRC system from SAI Global was chosen to facilitate regulatory change management and incident management. In spite of an 8 percent increase in case volume in 2011, the implementation of Compliance 360, including the conversion of all cases and all user training, was completed two months ahead of schedule. The implementation at HealthPlus reduced the average days to complete cases by 56 percent. Average days to complete cases has been reduced from, from nine days to four days.

Overall, the system provides improved visibility and flexibility in the form of:

• Support for establishing standard and consistent processes through workflow automation
• Ability to ensure security of access to potentially sensitive information — very important in healthcare
• Monitor and report on trends based on incident types and utilize information to proactively initiate corrective actions for recurring issues
• Ensure a continual audit-ready state with all incidents, investigations and outcomes in a central system of record

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded SAP its 2013 GRC Value award in the Control Monitoring & Assurance category. When SAP was implemented at a large multinational beverage corporation, during the first year, the company was able to remove more than 4,000 invalid system IDs, implement a process to remove roles from users if the role is not used within 120 days, and decrease license maintenance costs by identifying and removing unused access assignments for users and roles.

SAP Access Control automates the process of detecting, remediating and ultimately preventing access risk violations. Automation with SAP Access Control extends beyond risk analysis to automation of user and role assignments with these features:

• Automatic detection and remediation of access risk violations across SAP and non-SAP systems
• Automated review of user access, role authorization, risk violation and control assignment
• Periodic access reviews and centralized closed-loop super-user management
• Process-embedded compliance checks and mandatory risk mitigation
• Self-service workflow-driven access requests and approvals
• Comprehensive audit trails of user and role management activities

The SAP Access Control solution is suitable for any business of any size that requires real-time visibility into their current risk position. Users can accurately manage reduce unauthorized access, fraud and the cost of compliance.

Moving from a scattered system to a precision tool

SAP Access Control's success with the leading multinational beverage corporation meant the company could move away from its legacy disparate provisioning processes spread over multiple systems. The old system had a lack of visibility, so the company could not get a handle on how roles were used or who held which roles – in fact, they had found that there were a high number of roles being maintained in the system that were no actually used by any users — thousands of inactive roles were removed from users, and about 4,000 unused system IDs were removed as well.

In the old system, it took two to four weeks to provision user access to perform their primary work tasks. The provisioning system was scattered across the enterprise in disparate systems, with little real visibility. This lack of visibility also meant the different parts of the business had poor awareness of the importance of identity and access management, and didn't have much involvement in the process.

A new solution that works, and drives down risk

This leading multinational beverage corporation has standardized their user provisioning and user access review processes, resulting in decreased time to provision access, decreased risk exposure, and decreased software licensing maintenance costs. The new system provides a sustainable process for measuring accurate access assignments, automation and consolidation of of processes, increased analytics for maintaining efficient user and role assignments and continued and increased insight and visibility to risk.

The new system decreases time to provision a new user from two to four weeks to about three days. This change in process also resulted in a decrease in the number of roles and users maintained by the system.

To prevent the buildup of unused roles and save on license maintenance costs, the system implemented a process to remove roles from users if the role is not used within 120 days. The beverage giant was also able to sunset a number of tools be moving to one standardized provisioning process.
Standardization of processes areas made possible by the SAP Access Control solution brought efficiencies and effectiveness. Risks are addressed in a more controlled manner, and provides increased visibility and insight into risk across multiple systems. Standardized processes also improved decision-making abilities and increases users' ability to do their job in a timely manner due to decreased provisioning time.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Research awarded The Hartford its 2013 GRC Value award in the Compliance Management category. The Hartford, a leader in property and casualty insurance, group benefits and mutual funds, uses the RSA Archer GRC Platform to support over 80 GRC processes including a New York State Labor regulation instituted in 2012.  By building a solution on the RSA Archer eGRC platform the company avoided tens of thousands of dollars in expenses, and brought The Company into compliance one month ahead of schedule. 

The Hartford, a leader in property and casualty insurance, group benefits and mutual funds, was given a short period of time to comply with the State of New York Wage Theft Prevention Act, which required employers to give an annual written notice of wages to all new hires and other employees. The employees are required to return a form acknowledging receipt of that notice, and records of the notice and the responses must be tracked to evidence compliance.

This new regulation required a new HR process, which represented a challenge for the Hartford because:

• The short turn-around time required to develop a new process and design a new solution to address that process
• The compliance date differed from The Hartford’s annual merit cycle but needed to use annual wage information
• The solution had to be user friendly to address The Hartford’s diverse employee base of 20,000+
• Other states were expected to adopt similar — but possibly not identical — regulations, so the solution had to be flexible and repeatable
• Forms had to be available in multiple languages
• The Hartford had limited budget and resources to build the solution

The Hartford evaluated several options including its existing payroll systems, manual mailings, or using its operation risk management (ORM) system  (RSA Archer)..  Building a custom solution on the RSA Archer Platformoffered an affordable end-to-end solution. Other optionswere estimated to cost in excess of $70,000, and still involved manual processes.

The Hartford’s HR compliance and payroll departments partnered with the ORM team and developed a solution to automate state-specific annual employee notices, monitor employee responses, automate any follow up notices to employees and management, maintain historical evidence, provide the appropriate oversight to ensure the company complied with the law, was intuitive and end-user friendly and it was completed in three months — one month ahead of schedule.

Easy migration to a new, effective solution

Using a data import feature within the RSA Archer GRC Platform, the HR data is loaded from the external data file and populated into an employee information application. Importing data through this feature saves a great deal of time and is completed quickly and easily.

The RSA Archer Platform uses a campaign feature to set a date on which acknowledgement forms are automatically created. The form contains employee geographical and wage information along with instructions to complete the form, explanation of the requirements, due date and a selection for the employee to respond. An email notification is automatically generated once the acknowledgement form is created, which contains a brief description of the process, instructions, obligations and a link to the acknowledgement form. The employee clicks on the link to access their record, review wage information and select the appropriate radio button (to acknowledge or request a notice in a language other than English, which is a NY state requirement). As soon as the employee saves the record, their response is electronically recorded, the acknowledgement stored and the process is completed for the year.

The Hartford’s first campaign touched 1,461 employees. It took just 37 minutes to create the acknowledgement forms and emails. Within the first six minutes of the launch, they had received a 32 percent response rate. If employees do not respond within given deadlines, the system automatically escalates and notifies HR employees who can help. In the two years since the process was implemented, HR received fewer than 10 questions from users about completing the process.

The Hartford estimates that with the old processes, completing the requirement would draw resources from multiple organizations and could take more than 100 hours. With the automated process, it takes about six to 10 hours over six to eight weeks.

THE NEW SOLUTION

Companies must be diligent with the ever changing regulatory environment. While a poster in the break room used to be the norm, the explosion of remote work has legislatures looking for additional ways to ensure that employees receive notice. States are more frequently requiring that records be kept to make sure employees receive and understand legal notices. The RSA Archer solution puts The Hartford in a position to easily address any new state labor requirements with little to no cost and with minimal effort, and to address regulatory inquiries through existing automated reporting.

Since the passage of the New York state regulation, the state of California now requires commissioned employees to receive an annual notice, and the state of New Jersey will soon also require employees to sign an acknowledgement form that they have read a gender-equality notice. The Hartford’s RSA Archer solution will help the company quickly come up to speed with new requirements for employees in those states. Leveraging the existing workflow and structure for new states does not require a new license and only requires approximately 10 to 15 resource hours to add the new requirements to the solution.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 today announced the launch of its inaugural GRC Value Awards program. Fifteen leaders in GRC were honored for real-world implementations of Governance, Risk Management and Compliance programs and processes that have returned significant and measurable value to an organization. 

Nominations from GRC solution providers as well as internal GRC programs within organizations were evaluated and vetted from a pool of 87 total nominations. Nominations were evaluated for depth of quantitative facts and each final selection was validated by GRC 20/20 and the specific implementation to attest to accuracy (even the anonymous entries below were vetted with direct contact with the specific implementation). Fifteen are recognized across the following categories (in alphabetical order):

• 3rd Party GRC: GRC 20/20 Research awarded Hiperos 3PM its 2013 GRC Value award in the Third-Party GRC category for their implementation at a regional bank holding company.  The client specifics are anonymous in this publication, but GRC 20/20 has verified the factual accuracy with the bank.  After the implementation of Hiperos 3PM solution at the bank, it was able to triple the number of its third-party investigations without any increase in headcount. The number of days needed to assess the inherent risk of a third party also dropped dramatically — from 7.55 in 2011 to 5.22 in 2012 to 3.95 in 2013. Hiperos continues to deliver efficiencies. 
• Audit Management: GRC 20/20 Research awarded ACL GRC and their client Traina & Associates its 2013 GRC Value award in the Audit Management category. ACL is an all-in-one cloud-based GRC process management solution. Since ACL GRC’s implementation at the Traina & Associates CPA firm two years ago, the average audit time went from 60 days to 30 days; audit management efficiency increased by 25 percent; and audit revenues increased by 10 percent without increasing staffing.
• Business Continuity Management: GRC 20/20 Research awarded RSA® and Equifax its 2013 GRC Value award in the Business Continuity Management category. After implementing RSA Archer’s Business Continuity Management solution, U.S. consumer credit reporting agency Equifax experienced an immediate 60 percent reduction in time to create business continuity and disaster recovery plans, and a 20 percent OPEX savings for 2013.
• Compliance Management: GRC 20/20 Research awarded The Hartford its 2013 GRC Value award in the Compliance Management category. The Hartford, a leader in property and casualty insurance, group benefits and mutual funds, uses the RSA Archer GRC Platform to support over 80 GRC processes including a New York State Labor  regulation instituted in 2012.  By building a solution on the RSA Archer eGRC platform the company avoided tens of thousands of dollars in expenses, and brought The Company into compliance one month ahead of schedule. 
• Control Monitoring & Assurance: GRC 20/20 Research awarded SAP its 2013 GRC Value award in the Control Monitoring/Assurance category. When SAP Access Control was implemented at a large multinational beverage corporation, during the first year, the company was able to remove more than 4,000 invalid system IDs, implement a process to automatically remove roles from individual profiles if the role is not used within 120 days, and decrease license overall maintenance costs.
• Enterprise GRC: GRC 20/20 Research awarded MetricStream and Sterling Bank its 2013 GRC Value award in the Enterprise GRC category. MetricStream Enterprise GRC Solution Suite allowed Sterling Bank to transition to an automated and integrated GRC program — from hundreds of spreadsheets to track audits, credit reviews and risk assessments, as well as hundreds of documents used to report findings and risk summaries. Today’s single-source GRC solution integrates functions and brings Sterling Bank strong scores from regulators. 
• Environmental, Health & Safety: GRC 20/20 Research awarded CMO COMPLIANCE its 2013 GRC Value award in the Environmental Health and Safety category. The CMO COMPLIANCE HSEQ solution was implemented for a contractor, which reports an ROI of $2 million and growing. The solution replaced 20-internal solutions, streamlining ISO certification, and saving them at least one month additional FTE dedicated to ISO management and they continue to find new ways to streamline and save with the solution.
• Identity & Access GRC: GRC 20/20 Research awarded AlertEnterprise, Inc. its 2013 GRC Value award in the Identity and Access category. Enterprise Guardian™ from AlertEnterprise was deployed at a large utility corporation. The implementation provided the utility insight into its identity repository and multiple IT systems to identify risks and eliminate threats, while meeting NERC and NERC CIP compliance. AlertEnterprise estimates the utility sees annual benefits of $1 million perhaps greater as a direct result of the implementation.
• Information & Data Governance: GRC 20/20 Research awarded ClusterSeven ESM its 2013 GRC Value award in Information and Data Governance. With the help of the ClusterSeven Enterprise Spreadsheet Manager (ESM) solution, a global European banking and financial services company was able to meet regulatory demands to demonstrate control over its core financial operations. In the process, the bank projects a 3.5x ROI on ClusterSeven ESM based on risk avoidance.
• Insurance & Claims Management: GRC 20/20 Research awarded Riskonnect RMIS and the State of Utah its 2013 GRC Value award in the Insurance & Claims Management category. Riskonnect RMIS’s fully automated insurance risk management software platform addresses insurance claims, litigation, exposure, and policy management. Within one year of implementation the Utah Division of Risk Management estimates it saved $1 million on reconciliation of insurance premium billing, and saw an 82 percent increase in efficiency in processing high dollar payments.
• Investigations Management: GRC 20/20 Research awarded SAI Global and HealthPlus its 2013 GRC Value award in the Investigations Management category. With the help of the SAI Global solution called Compliance 360®, HealthPlus, a Michigan health and wellness organization, reduced its average days to complete investigations cases by 56 percent. Average days to complete cases has been reduced from nine days to four days. In spite of ever-rising caseload numbers, the SAI Global
  team was able to complete the implementation two months ahead of schedule. 
• IT & Information Risk, Security & Compliance: GRC 20/20 Research awarded LockPath its 2013 GRC Value award in the IT & Information Risk, Security, and Compliance category. A leading manufacturer of medical devices recently extended its use of LockPath’s Keylight platform, including several modules. During the first year, the implementation has meant an 80 percent reduction in IT audit preparation time with five weeks of work reduced to one week, improved clarity and efficiency related to security functions, and improved insight companywide through dashboards and reports. 
• Legal GRC: GRC 20/20 Research awarded Datacert Passport® and Marsh & McLennan Companies its 2013 GRC Value award in the Legal GRC category. Datacert’s Passport technology platform provides an integrated legal and GRC ecosystem that allows organizations to respond to the cost of compliance and non-compliance. The Passport implementation at financial leader Marsh & McLennan Companies helped reduced its outside counsel fees by 56 percent, its lowest spend since 2007, among other savings.
• Policy Management: GRC 20/20 Research awarded Hitec Laboratories Ltd and Markel International its 2013 GRC Value award in the Policy Management category for its PolicyHub® solution. Markel International’s implementation of PolicyHub impressed them with its enhanced ability to demonstrate compliance to regulators. Markel International can demonstrate a 100 percent compliance rate for relevant staff, and can take action on noncompliant areas of the organization, which was previously not possible.
• Risk Management: GRC 20/20 Research awarded Modulo Risk Manager its 2013 GRC Value award in the Enterprise Risk Management (ERM) category. A large regional financial services company used Modulo Risk Manager to help it comply with HIPAA, PCI and SOX; as well as its consolidation of 350 independently chartered bank branches, with 6,700 employees and a heterogeneous environment spanning a variety of operating systems, servers, application platforms and legacy systems for each back-end core banking platform.

"We are extremely pleased with the response and the quality of submissions for the first year of the GRC Value Awards, which reflects strong market demand and growth across all GRC segments," said Michael Rasmussen, Chief GRC Pundit for GRC 20/20 and internationally recognized expert. "These are awards play an important role in recognizing today's successes as a milestone toward advancing GRC maturity. In achieving maturity, GRC is part of the organization's strategy and operations and supported by a range of technology, knowledge and services – enabling the organization to achieve greater efficiency, effectiveness, and agility in GRC processes and broader business operations."

About GRC 20/20

GRC 20/20 is the authority in understanding how organizations implement GRC practices that are effective, efficient and agile. Through independent research and industry interaction, GRC 20/20 advises the entire ecosystem of GRC roles within organizations, technology and knowledge solution providers, and professional service firms. Organizations engage GRC 20/20 when they need insight, guidance and advice in dealing with a dizzying array of disruptive issues, challenges, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment. Visit GRC 20/20 at http://www.grc2020.com/ and follow on Twitter at @GRCPundit.

Moving Beyond the GRC Platform to GRC Architecture

Business is complex.  Gone are the years of simplicity in business operations.  Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance professionals (GRC) throughout the business.

GRC cannot be managed in isolation.  That is what fails.  The decentralized and disconnected distributed systems of the past catch the organization off guard to risk and expose the organization.  Complexity of business and intricacy and interconnectedness of GRC data requires that we have an integrated approach to business systems, data, and GRC. 

The Bottom Line: The organization requires complete situational and holistic awareness of GRC across operations, processes, relationships, systems, and data to see the big picture or risk and its impact on organization performance and strategy.   Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to GRC architecture.  GRC fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole.  GRC also fails when it is thought of as a single platform to manage workflow and tasks.  GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach.

Why not see BOTH the forest and the trees?

The individual components of GRC — governance, risk management, and compliance — are a necessary and intricate challenge to business.  GRC is not optional: every organization has some approach to GRC from the ad hoc to the agile.   The primary directive of a mature GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the interrelationship of performance, risk, and compliance.  This requires a strategic approach that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of business and operational activities. Doing this is not easy as all of these elements are in a constant state of change.

GRC maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business grows.  Various systems and processes interrelate in apparent and not so apparent interactions that can surprise the organization and catch it off guard.  When risk is understood and compartmented in silos the organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any individual silo understood. 

To maintain integrity, and execute on strategy, the organization has to be able to see the individual area of risk (the tree) as well as the interconnectedness of risks (the forest). 

GRC relationships are non-linear.  They are not a simple equation of 1 + 1 = 2.  They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300.  What seems like a small disruption or risk exposure may have a massive effect or no effect at all.  In a linear system effect is proportional with cause, in the non-linear world of business and GRC it is exponential. Business is chaos theory realized.  The small flutter of risk can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business the result is often exponential to unpredictable.

GRC 3.0 – Moving Beyond the GRC Platform to GRC Architecture

The core of GRC 3.0 is operationalizing GRC across the fabric of business strategy and operations – seamlessly, agilely and non-invasively.  This involves bringing GRC to the ‘coal-face’[1] of the organization through employee engagement in GRC with systems that are simple, mobile, and easy to use at the frontline of the business. It is about leveraging and harmonizing existing data and systems that deliver results in focused areas but now need to feed into the bigger picture of enterprise transparency in the context of distributed and dynamic business.

The challenge is how to reconcile business agility with GRC strategy and architecture?  Most GRC decisions were considered as a base reaction to the newest regulatory demand. This resulted in billions of dollars spent in GRC with a limited understanding alignment to the business. GRC was approached tactically and not strategically. Organizations have ended up with topography of GRC projects individually focused on risk at department or regulatory/risk issues that have often failed to deliver cross-enterprise insight needed. To use an analogy from anatomy, the enterprise GRC body has functioning heart, kidney’s, limbs, lungs, and other organs that operate as separate entities and not as part of a unified body. What is often missing is a level of integration that provides a central nervous system that connects everything and makes it operate as a body.  This is more than a GRC platform as it has been understood for the past decade.

GRC Platforms: Problem or Cure?

In GRC 2.0 organizations approached GRC as a platform to document and manage content related to risks, policies, and controls, enhanced with workflow to manage assessments, issues, and reporting.  There was limited integration and correlation of GRC information and analytics and reporting was on fairly static information collected over time. Organizations suffered when GRC did not connect all the dots and provide context to business analytics, performance, objectives and strategy in the real-time business operates in.  GRC delivers limited value to the organization when it simplifies risk management to being just surveys and forms that lead to subjective analysis.  GRC has been tactical and focused on putting out fires, particularly compliance fires.   GRC platforms have been primarily workflow, task management, and content systems to document controls and compliance and provide some subjective reporting on risk.  GRC in 1.0 and 2.0 has not delivered on a true integrated understanding of risk and performance. Organizations often have a diverse set of independent and disconnected systems to address a range of credit, market, interest, operational, strategic, reputation, capital, and regulatory risks with no integrated view across these systems.  It is not uncommon for an organization to have six different GRC platforms from different solution providers and a dozen or more other risk and compliance solutions scattered across the organization.

Organizations need to move beyond the concept of a GRC platform as it only addresses part of the challenge and focus on an integrated view of GRC data and systems through a GRC architecture that is a cohesive part of the broader business fabric of the organization. GRC technology is not about a single GRC platform that promises to be all things and fails to deliver them.

The goal of GRC 3.0 is to enable a GRC architecture that effectively reconciles organization strategy, process, information, and technology into a federated architecture model.  There still can be a central core system for GRC, but GRC is not defined as this one central system (or platform) but the integrated whole.  

GRC 3.0 is: an architecture that is enterprise wide; delivers consistent and uniform value from the boardroom to the ‘coal-face’ of the front office
; focused at value protection and creation; and is proactive in measurement, management and interdiction.  GRC 3.0 provides an integrated GRC architecture that connects the fabric of the business together across the organization and its disparate systems, processes, and information.