2014 GRC Technology Innovation Award: Lexer Enables Organizations to Monitor and Manage Brand & Reputation in Moments of Crisis

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year’s award.

Lexer Enables Organizations to Monitor and Manage Brand & Reputation in Moments of Crisis

Lexer’s innovation is a solution that integrates and visualizes streams of data to manage reputation risk across social media content. Lexer does this by producing highly accurate geographic insights that serve as the conduit between the various data sources, such as census, socio-economic, transactional, CRM, and customer support data. This unified data set offers businesses a new perspective on reputation and brand risk because it provides a wealth of detail from data that was previously inaccessible.

In 2013, Lexer invested heavily in the enrichment process for the data it collects and, as outlined above, in the introduction of geographical enrichment as a highly accurate and reliable conduit between many external data sources. Using these new data sets, Lexer can now create complex personas based on behavioral, social and economic profiles, ensuring its data sets align with brand segments, key audiences and, most importantly, stakeholders. Whether in prediction, reaction or reflection, Lexer’s enriched data sources give businesses a new perspective on the way consumers react, engage and change during brand incidents. Moments of crisis regularly affect organizations; digital media has accelerated the speed at which information about a crisis spreads; and during a crisis, poor decisions are made because of inexperience, pressure and a lack of hard data. These poor decisions increase financial, reputational, health, safety and environmental risks.

Lexer uses integrated datasets to deliver routine reports on the details of incidents and their aftermath, including influencer analysis, trend data and trajectories, and topic and sentiment analysis – but most intriguingly, Lexer is able to trace an incident back to its root.

Lexer’s prime technical innovation is the ability to collect, process and unify unstructured data sources in real time. The technical focus for 2013 was to identify and build into the core of the Lexer platform a common point of reference into which other data sources, such as CRM, transactional and socio-economic data, could be integrated.

After extensive research and prototyping it was clear that geospatial detail was required to create a clear conduit between sources. As such, Lexer invested its efforts in being able to determine the location of social media users even when they didn’t share details such as longitude and latitude. Its enrichment process uses machine learning and real-time data processing infrastructure to analyze language, physical reference points and trends for each piece of data consumed by the Lexer platform. Lexer is now able to obtain third-party data and integrate that geospatial data to map once-abstract sources together, allowing more specific querying of data, clearer segmentation relative to the organization’s segments, and insights that take in the whole picture. Lexer’s core ability is to help organizations understand the cost of making a wrong decision.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: MetricStream Offers Capability to Actively Deliver GRC Content from Multiple Sources


MetricStream Offers Capability to Actively Deliver GRC Content from Multiple Sources

MetricStream’s GRCIntelligence.com is an innovative cloud-based content portal that enables GRC professionals to access and integrate the latest GRC content from a variety of knowledge providers and information sources through a single online content store. GRCIntelligence.com makes curated intelligence available to all users within the enterprise, adding significant value and increasing the effectiveness of the organization’s GRC program. The portal is integrated with the MetricStream GRC Platform, so subscribers receive content updates and notifications directly within the MetricStream GRC application.

GRCIntelligence includes:

  • Curated content store. The GRCIntelligence.com portal serves as a one-stop shop for curated intelligence sources from partners and domain experts across industries for all GRC needs.
  • Direct delivery model. Automatically delivers subscribed content from the GRCIntelligence.com content store into the subscriber’s MetricStream GRC application through the GRCIntelligence application.
  • Content recommendations engine. A recommendations engine within the MetricStream application suggests content based on user activity and social profiles.

GRCIntelligence.com enables GRC practitioners across the enterprise to purchase contextually relevant GRC content via credit card or purchase order and have the content delivered automatically into their MetricStream GRC application for immediate use. This paradigm shift enables organizations to source and integrate GRC content from multiple sources across risk, compliance and audit into their MetricStream GRC applications in real time. It also notifies end users of content updates via RSS feeds, system alerts or email.

The GRCIntelligence.com portal currently offers content from more than 50 content partners and sources, including Unified Compliance Framework (UCF), Risk Spotlight, Shared Assessments, Code of Federal Regulations (CFR), and Clear Market Practices, and is adding new content partners and sources to its portfolio. A subscriber can choose from a range of content sources, including regulatory updates, risk and control libraries, policy updates, market intelligence, and news feeds, to receive periodic updates. The portal allows users to identify relevant content through features such as filtering results by content type, industry, role, and function, with an intuitive and user-friendly interface.

The content is delivered into the subscriber’s MetricStream GRC application through channels that are set up in the GRCIntelligence application layer within the client installation of MetricStream. Once the content has arrived, MetricStream users can review it, identify internal action items, log issues, trigger workflows, and notify users. The incoming content is stored in the Big Data store within the MetricStream client application and can be selectively pushed into the operational data store of MetricStream applications.


2014 GRC Technology Innovation Award: ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’


ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive’

ngCompliance’s innovation is the ability to automate the analysis of regulatory changes against the organization’s policies and procedures. The solution is called Sherlock, and it makes regulatory change management and mapping elementary and deductive. Sherlock has a rule-mapping module that allows the organization to create a mapping between applicable laws and regulations on one hand and the organization’s policies, processes and procedures on the other. This mapping can be used to demonstrate whether the organization operates in line with regulatory requirements and to disclose gaps. Whenever there is a regulatory change, the mapping can be used to quickly identify the impact on business areas, policies and procedures and to initiate a change management process to realign in a timely manner. Remarkably, the system does this cross-lingually, allowing organizations to map and analyze policies written in other languages, for example Chinese, against regulations written in English.

This automates what has historically been a manual process of cross-referencing policies to regulations within GRC solutions or within documents and spreadsheets to prove to regulators that all policies and procedures are in line with rules and regulations. ngCompliance’s innovation significantly reduces the manual work as initial mapping is generated by their Sherlock system. The mapping should be reviewed by subject matter experts, but it significantly reduces the work of building mappings manually.

Organizations that adopt this innovation no longer need to allocate this task to a large workforce. This reduces the cost and time spent on the administrative activities of compliance, regulatory change, and policy maintenance. Once Sherlock creates a mapping, the user can evaluate it and confirm its correctness or make adjustments. Any time there is a regulatory change, the system presents the user with an impact analysis showing which policies or procedure steps are affected. Because the user sees both the policy text and the related change in legislation or regulation, the user can immediately give appropriate advice on the required changes and start the necessary change management workflows.

Because the regulatory mapping functionality can also be used to verify norms against contracts, the system can also identify the highest-risk contracts and surface them. In combination with analytics on the risk in third-party relationships, it alerts on high-risk third parties that need review and facilitates mitigating controls on the relationship (e.g. change management on the contract).

The system reads the regulation and analyzes the text. Using text analytics, definitions based on financial and legal terms are extracted from each article and converted into a tree representation. The same is done for paragraphs of policies and steps of procedures. Because both sides are reduced to a structure of definitions, the comparison takes synonyms and differences between languages into account. A mapping engine compares the definition trees and builds the appropriate connections between legislation/regulation text and policy/procedure text. When employees look at policies, they can also see the related regulations. The context built during text analysis is used to make sure connections match their contexts; e.g. articles applicable to organizations with a banking license are only shown when the process belongs to a bank.

Sherlock keeps a complete history that can be used to look back in time and verify the alignment of organizational procedures with applicable legislation and regulation, so it is easy to demonstrate the organization’s level of compliance at any given moment in the past. Sherlock also has a unique feature that creates the initial mapping from rules to internal policies and procedures, regardless of the number of jurisdictions or languages it has to take into account. In this way Sherlock contributes to a significant decrease in the organization’s administrative burden.

The Sherlock solution allows for adding web locations used by regulators or other organizations that publish regulatory information, in addition to your normal regulatory feeds. The synchronization functionality ensures that the regulatory information stored in the database is always accurate without the need to maintain it manually. In addition, a historical trail of regulatory developments is maintained. Any information found on the web that seems relevant for compliance can be included in the legal framework, either by means of the synchronization functionality or the quick-browse-and-add feature of Sherlock. When any regulatory change enters the legal framework in Sherlock, or when the legal framework detects a change on a regulator’s site it is monitoring, the solution notifies the user according to specified needs on the dashboard, in the task inbox, by email or via the compliance wiki. The solution can filter and sort on relevance, and can even distribute to different users based on jurisdiction, language, topic or expertise.


2014 GRC Technology Innovation Award: True Office Engages Employees Through Interactive GRC Learning Experience


True Office Engages Employees Through Interactive GRC Learning Experiences

Driving true learning about compliance and risk management to the employees, consultants and partners of major firms is the “last mile” of GRC. The missing link in organizational training is two-fold: (1) are people truly learning, and (2) how do you measure not only the learning but also the potential risk to the organization if complex policies are not understood? After considerable investment is made in managing risks and controls, it is important that an organization’s workforce (the front line of the business) is able to learn the policy and its effect on the company’s business outcomes in order to ‘walk the walk’ on a daily basis.

True Office is demonstrating innovation in impactful, gamified training solutions applied to compliance and risk management, professional development and customer proficiency. Because of its ability to bring dry policy to life, engage learners and measure their efficacy through rich, comprehensive analytics, True Office is paving the way for a new era of policy and training management.

True Office’s current focus enlarges their overall scope to bring greater satisfaction through “content transformation” of existing client content based on four interactive learning frameworks. A customer engagement may consist of training on topics such as Anti-corruption, Workplace Harassment and Data Privacy. However, clients also possess their own unique policies and processes which True Office is able to bring to life, through an impactful experience, in which employees that must execute these policies can truly learn.

The solution offers proof that improved efficacy is actually happening and highlights the “hot spots” that require additional learning and development.

The True Office solution has already seen “real-world” application with over 90,000 users, 12 languages, and multiple industries. Modules are designed to take 10-20 minutes across True Office’s four Interactive Learning Frameworks. Based on the learning framework and the corresponding business outcome, the learner is placed in different situations where “they” take an active role in the learning, through dialogue, trend analysis, making decisions, or answering questions. As the learner interacts with the module, the underlying analytics indicate their level of understanding of the policy.

True Office is a cloud-based software solution, compatible with a client’s own Learning Management System (LMS) and interfacing with the True Office Analytics server. Individual users are presented a web-based login either on their desktop/laptop computer or through HTML5 on an iOS device (e.g., mobile or tablet).


2014 GRC Technology Innovation Award: UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent


UCF Demonstrates it is the Science of Compliance Through its Most Recent Patent

The Unified Compliance Framework has recently received a patent for its applied technology for the structure, process for interpretation, quality assurance, and most particularly the segmentation and mapping of regulations. The UCF has been around for several years; the innovation recognized here is its recent patent, process, and schema for segmenting and mapping regulations, which will take the UCF well beyond the IT compliance focus it has been successful with in the past. The solution will be delivered to vendors and corporate customers in the form of a RESTful API, XML tables, and interactive applications.

The Unified Compliance Framework has received the first ever patent for a compliance requirement segmentation and mapping framework. The patent was granted rapidly, as the US Patent and Trademark Office stated that nothing like it had been filed before. This means that the UCF is the only GRC framework with patented SNED values, which instruct GRC solutions as to which records are the Same, New, Edited, or Deprecated by using a single character to manage regulatory and requirement change. This is supported by an end-to-end process that reaches from the Authority Document (AD) on one end, through the Authority Document’s Citations, to harmonized Common Controls, and out to audit/assessment questions with supporting evidence. The UCF has a hierarchical structure in which a parent and sort value can be assigned to any hierarchical record. This allows GRC solutions to plug into the UCF and automatically display a list in its original form, replicating the legal or even “book” structure of the original regulatory/requirement documents. GRC solutions utilizing the UCF will be able to automatically discern how to handle audit questions and the necessary “skip logic” used when presenting hierarchical audits. Further, the schema allows Citations and Common Controls to be broken down into primary verb-noun pairs to “prove” the mapping of the Citation to the Common Control.
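How a consuming GRC tool might use single-character change flags and parent/sort values of the kind described above, as an added example that is not the UCF’s own code or schema: the record shape, the flag letters as used here, and the two releases of a fictional authority document are all constructed assumptions.

```python
"""Hypothetical illustration of a change-flagged, hierarchical requirement
feed. Added example code; the record fields, flag letters and sample
citations are assumptions, not the UCF's published schema or API."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# One-letter change indicators: Same, New, Edited, Deprecated.
SAME, NEW, EDITED, DEPRECATED = "S", "N", "E", "D"


@dataclass(frozen=True)
class Citation:
    """A hierarchical requirement record (assumed shape, not the UCF's)."""
    cid: str               # stable record id across releases
    parent: Optional[str]  # parent record id, None for a top-level record
    sort: int              # order among siblings, to replicate document order
    text: str


def sned_flags(previous: Dict[str, Citation],
               current: Dict[str, Citation]) -> Dict[str, str]:
    """Compare two releases by record id and assign each id one flag.
    Deprecated records exist only in the previous release, so the result
    covers ids from both releases."""
    flags: Dict[str, str] = {}
    for cid, rec in current.items():
        old = previous.get(cid)
        if old is None:
            flags[cid] = NEW
        elif (old.text, old.parent, old.sort) == (rec.text, rec.parent, rec.sort):
            flags[cid] = SAME
        else:
            flags[cid] = EDITED
    for cid in previous:
        if cid not in current:
            flags[cid] = DEPRECATED
    return flags


def render_outline(records: Dict[str, Citation],
                   flags: Dict[str, str]) -> List[str]:
    """Walk parent/sort values to emit records in original document order,
    one line per record, indented by depth and prefixed with its flag."""
    children: Dict[Optional[str], List[Citation]] = {}
    for rec in records.values():
        children.setdefault(rec.parent, []).append(rec)
    for sibs in children.values():
        sibs.sort(key=lambda r: r.sort)
    lines: List[str] = []

    def walk(parent: Optional[str], depth: int) -> None:
        for rec in children.get(parent, []):
            lines.append(f"{flags.get(rec.cid, SAME)} {'  ' * depth}{rec.cid} {rec.text}")
            walk(rec.cid, depth + 1)

    walk(None, 0)
    return lines


def requires_review(flags: Dict[str, str]) -> List[str]:
    """Ids whose mapped controls or audit questions need a second look:
    anything not flagged Same. A consuming tool can leave the rest alone."""
    return sorted(cid for cid, f in flags.items() if f != SAME)


# Constructed sample: two releases of a small, fictional authority document.
PREVIOUS = {c.cid: c for c in [
    Citation("1", None, 1, "Access control"),
    Citation("1.1", "1", 1, "Review user accounts quarterly."),
    Citation("1.2", "1", 2, "Remove access on termination."),
    Citation("2", None, 2, "Logging"),
    Citation("2.1", "2", 1, "Retain logs for 90 days."),
]}
CURRENT = {c.cid: c for c in [
    Citation("1", None, 1, "Access control"),
    Citation("1.1", "1", 1, "Review user accounts monthly."),       # text edited
    Citation("1.2", "1", 2, "Remove access on termination."),
    Citation("1.3", "1", 3, "Enforce multi-factor authentication."),  # new record
    Citation("2", None, 2, "Logging"),
    # "2.1" is absent from the new release, so it becomes Deprecated
]}

if __name__ == "__main__":
    flags = sned_flags(PREVIOUS, CURRENT)
    # Merge so deprecated records still appear in the outline with their flag.
    for line in render_outline({**PREVIOUS, **CURRENT}, flags):
        print(line)
    print("review:", requires_review(flags))
```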

The business functionality is simple: any organization building out a GRC database or GRC solution can leverage the UCF’s patented structure to jump start their GRC strategy. There are already other firms such as Accenture that are now filing derivative work patents on top of the UCF’s patent.


How are you addressing access control risks?

The fact is: business is dynamic, distributed, and complex.  The pace of change to risk, regulations, employees, partners, and technology requires organizations to approach governance, risk management, and compliance in a way that is efficient, effective, and agile to the needs of today’s dynamic business environment.  

Organizations do not operate in a static environment that slowly evolves. Today’s organization is in a continuous state of change, starting with its employees: new ones are hired, others change roles, still others leave or are terminated. Business partner relationships change too, including those with suppliers, vendors, contractors, outsourcers, service providers, and temporary workers – all of whom may have access to internal systems. These business partners also have constantly changing employees who affect the organization. On top of this, business processes and technology change at a rapid pace.

This means that organizations cannot rely on manual, ad hoc, and document-centric approaches to manage access to critical business systems. The issues of segregation of duties, inherited rights, critical and super user access, compliance, risk management, and general changes to roles are too much for today’s organization to manage adequately in spreadsheets and e-mail. Growing exposure to risk and increasing regulation compound this, as they require greater oversight of access to critical systems with audit validation of access control.

However, access control is not just about regulatory compliance; it is also about consistent operations.  The organization needs distributed responsibilities and processes that are reliable and behave consistently.  Strong access control delivers a structured system of access governance that enables processes to work as intended without anyone maliciously or inadvertently causing an issue.

Surprisingly, many organizations still use manual processes and documents to manage access and the associated risk to the organization. This is primarily done with spreadsheets, word processing documents, and email. Not only are these approaches inefficient and ineffective, slowing the business down, but they introduce greater exposure to risk and non-compliance, as it is nearly impossible to keep up with risk this way. By automating the access management process and embedding risk analysis and mitigation into user and role maintenance, organizations take a proactive approach to avoiding risk while cutting down the cost and time required to maintain compliance.

Organizations need to establish a strategy and processes supported by technology to build and maintain an access control program that balances business agility with control and security in order to mitigate risk, reduce loss/exposure, and satisfy both auditors and regulators while enabling users to perform their jobs. 

In an ERP environment, the business challenge of managing access control is burdensome when done with manual and document centric approaches.  The inefficient, ineffective, and non-agile organization runs a combination of ERP security and access reports, and then compiles access information into documents and spreadsheets that are sent out via e-mail as an improvised workflow tool for review and analysis.  At the end of the day, significant time is spent running reports, compiling information, and integrating that information into documents and spreadsheets to send out via e-mail for review.  This manual and document-centric process ends up costing organizations significantly more in wasted resources, errors in manual reporting, and audit time drilling into the process than an automated solution costs. Worse, organizations often miss things as there is no structure of accountability and workflow and audit trails do not exist. This approach is not scalable and becomes unmanageable over time.  It leads to a false sense of security due to reliance on inaccurate and misleading results from errors produced by manual processes.

The situation:  manual approaches to managing access in the ERP environment are time-consuming, prone to mistakes and errors, and leave the business exposed.  

This challenge grows when you consider the complex interrelationship of different ERP instances and access to those across the business environment.   To reconcile access across different systems and see the big picture of access risk becomes complicated as the ERP environment grows.  Organizations struggle to manage access risk within one instance of ERP; managing access across multiple ERP systems causes an exponential growth in time and resources when done by a manual and document-centric approach.  In a heterogeneous environment, these challenges only become more complicated.

There are a variety of solutions on the market to manage access control in ERP environments. GRC 20/20 is focused on researching, evaluating, and differentiating the solutions in this segment of the GRC market to assist organizations with their decisions to acquire the right solution to deliver value across efficiency, effectiveness, and agility.

Organizations looking for automated control, segregation of duty, user access, and broader GRC solutions can engage GRC 20/20 through our complimentary inquiry process to get their questions answered on the solutions in this space. Send an email to [email protected] with a focused question about what you are looking at and we will respond with our view of solutions that address your need.


Considerations When Purchasing GRC Solutions

As a market research analyst, I get involved in a lot of inquiries and interactions with organizations looking to purchase GRC solutions.  On average, GRC 20/20 handles about five interactions a week – some weeks more and some weeks less.  These can range from simple questions via email or phone to detailed help in writing and managing RFPs.

Please note: I define GRC (governance, risk management, and compliance) as a broad market with a lot of different types of solutions in it. While there is a concept of a GRC platform, most of the vendors in the space are very focused. The GRC solution market has over 500 providers, and some are very specific to areas of quality, environmental, health & safety, security, legal management, and more. However, several solutions market themselves as platforms that tie a view of compliance, risk, audit, policy, and incident management into a cohesive information and technology architecture (whether this is reality or fiction is the focus of my points below). Some use the term GRC, some do not – the discussion I give below is valid across the range, from focused solutions to enterprise GRC platforms.

Over the past twenty years I have seen a number of mistakes and issues organizations have made in purchasing GRC solutions, and have noted many considerations for when organizations evaluate and select solutions. Organizations are best served to keep the following points in mind when looking to purchase a GRC solution (these points are items to keep in mind and not meant to scare you away from solutions; there are great solutions out there, but the point is that not all are equal) . . .

  • Is that really a feature?  Some solution providers will promise you the world and then after they close the deal inform you they have to build it.  I have seen some amazing shenanigans in this market – which should alarm you, as an aspect of GRC is ethics.  I have encountered situations in which solution providers tell you they do something when they do not and inform you they have to build it after you have signed a contract. In fact, there are times I have found solution providers doing demos when the demo they are showing is not their solution.
  • Field of dreams.  Many solution providers will woo you with how flexible and configurable their platforms are.  They will captivate you with possibilities of customization and configurability.  After all they have the most magical solution that you can do anything with – buy it and the rest of the organization will align.  The truth is that some of these solutions lack specific depth in given GRC areas and love to take on long services engagements to build out and deliver.  One organization that I provided RFP support for chose a leading GRC solution against my recommendation.  I told them it would be over budget and well out of bounds of project timelines.  They told me two years later when they were just starting to roll it out (seriously two years of building the GRC field of dreams) that they wished they had listened to my advice.
  • Feature or customization?  Related to these first two points is the common promise of a solution provider to say they do anything – after all, they have a platform that you can build anything upon.  A recent interaction illustrates this.  A financial services organization had two different solutions doing an aspect of GRC (3rd party management).  There was a push to standardize on one solution provider.  One had a specific feature to do vendor self-registration; the other stated they could do that too.  When you pushed the other solution provider, you found out it was not a feature and would require services to build out, and the last organization they built something similar for took six months to build.
  • Customization breaks things.  I have seen many organizations struggle because they bought into the GRC field of dreams that they can build and customize the solution.  The field of dreams became a trap – a sticky pit of tar that is impossible to get out of. After significant investment in customization many have discovered that upgrades break things.  At a GRC workshop I taught this past year, several attendees wanted to pour forth with their rants about how their GRC solution had not served them, cost them more in services than could be imagined, took so many FTEs to manage, and how customizations hindered upgrades. Others in the room had wonderful experiences with other solutions.
  • Be careful with references.  Solution providers always have a great set of references (OK, nearly always – I have been on a few calls where the references did not have anything good to say about the solution provider . . . those are always very interesting).  When a solution provider gives you a reference, understand that they are most likely giving you the decision maker – the person that made the purchasing decision.  This person is paraded at the solution provider’s events and in materials.  The decision maker stands behind their decision and loves the limelight of publicity, basking in the praise of how wise they were to choose this solution.  Talk to these references but ask them the hard questions – insist they answer; there is no perfect bed of roses.  More importantly, be polite but ask to talk to someone on his or her team that uses the solution.  You will often find that the people in the trenches using the solution every day have a completely different story to tell. And NEVER talk to the reference with the solution provider present and on the phone.
  • Do not solely rely on major analyst reports. For full disclosure I spent seven years at Forrester and wrote the first two Forrester GRC Waves and ERM Consulting Waves.  Gartner and Forrester tend to have an IT bent that fails to connect with those looking for solutions for problems outside of IT.  The biggest issue is the Wave and Magic Quadrant itself (note, Gartner has stated they are going more broad with use cases to address this in the future).  You cannot represent the market in a single two-dimensional comparison of solutions.  The solution provider in the upper right may be a worse fit for you than the provider in the lower left.  In fact, the provider that is not even in the report may be the best fit for you.  These reports cover up to 20 solution providers in a market that has hundreds. The threshold to get in these reports means only a very few get covered.  
  • GRC platforms and the lowest common denominator.  There are many solutions that tell you they can do everything including solving world hunger.  Be careful in where you put your faith in a GRC platform.  I do believe there can be a core platform that provides the backbone of GRC management and integration – but that is not the end all of GRC.  I have not found one GRC solution provider that excels or even delivers on all aspects of GRC.  You run the risk of forcing the organization to one view of GRC and requiring everyone to use the same approach.  There are great and flexible solutions in the market, but there are also handicaps in any solution.  Think of GRC architecture instead of platform.  There can be a core backbone but you may need to integrate different technologies to achieve the GRC strategy, process, and information architecture needed to optimize value to the business.
  • Be careful of departmental solutions masquerading as enterprise.  There are dozens of GRC solution providers telling you they are an enterprise GRC platform – not all are the same.  Some are departmental solutions that were never designed with the enterprise in mind. I had one financial services executive on a panel at a conference that stated the board never wants to see a risk report again from their ‘leading’ GRC solution.  The solution was designed for a department and then moved to market as an enterprise platform.  The issue is that it lacked any idea of risk normalization and aggregation.  What was one department’s high risk was another department’s low risk.  The result was a mess.  Different departments need their own risk scoring scales, with rules for risk normalization and aggregation for enterprise reporting – many solutions do not do this well.  Some ‘leading’ GRC solutions address this directly, others tell you they do but it is not designed into their product and takes a year of services to configure, and others do nothing about it.
  • Consider intuitiveness.  I know many organizations right now struggling through the pains of the complexity of their GRC solutions.  Some of the leading providers in this space have a lot of features but using the system takes a PhD in chaos to begin to make sense of.  When approaching GRC solutions make sure that you really do your evaluation of the intuitiveness and ease of use of solutions.
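The risk normalization problem described above (one department’s “5” is not another department’s “5”) is easier to see in code. The following is an added illustration, not code from any GRC product or from GRC 20/20; the departments, their scoring scales, the enterprise bands and the risk entries are all constructed for the example.

```python
"""Normalize departmental risk scores onto one enterprise scale, then aggregate.

Constructed example: three departments each score risk on their own scale.
Without explicit normalization rules, an enterprise roll-up that compares the
raw numbers (or raw labels) side by side is meaningless.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


def linear(lo: float, hi: float) -> Callable[[object], float]:
    """Rule for a numeric scale: map a score in [lo, hi] onto 0-100."""
    def rule(score: object) -> float:
        s = float(score)
        if not lo <= s <= hi:
            raise ValueError(f"score {s} outside scale [{lo}, {hi}]")
        return 100.0 * (s - lo) / (hi - lo)
    return rule


def ordinal(labels: List[str]) -> Callable[[object], float]:
    """Rule for a qualitative scale: evenly space labels (lowest first) on 0-100."""
    step = 100.0 / (len(labels) - 1)
    def rule(score: object) -> float:
        if score not in labels:
            raise ValueError(f"unknown label {score!r}")
        return labels.index(score) * step
    return rule


# Constructed departmental scales, each with its own normalization rule.
SCALES: Dict[str, Callable[[object], float]] = {
    "finance": linear(1, 5),    # single 1-5 overall rating
    "it": linear(1, 25),        # likelihood (1-5) x impact (1-5), so 1-25
    "ops": ordinal(["low", "medium", "high", "critical"]),
}


@dataclass(frozen=True)
class RiskEntry:
    department: str
    risk: str
    native_score: object   # int for numeric scales, str for qualitative ones


def normalize(entry: RiskEntry) -> float:
    """Apply the owning department's rule to get the 0-100 enterprise score."""
    return SCALES[entry.department](entry.native_score)


def band(score: float) -> str:
    """Enterprise reporting bands on the common 0-100 scale (constructed cut-offs)."""
    if score >= 75:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def aggregate(entries: List[RiskEntry]) -> Dict[str, object]:
    """Roll departmental risks up into one enterprise view after normalization."""
    scored = [(e, normalize(e)) for e in entries]
    by_band = {"high": 0, "medium": 0, "low": 0}
    for _, s in scored:
        by_band[band(s)] += 1
    worst_entry, worst_score = max(scored, key=lambda es: es[1])
    mean = sum(s for _, s in scored) / len(scored)
    return {
        "count_by_band": by_band,
        "worst": (worst_entry.department, worst_entry.risk, round(worst_score, 1)),
        "mean": mean,
    }


# Constructed risk register entries. Note the two raw "5" scores: finance's 5 is
# its maximum, IT's 5 is near its minimum; only normalization makes them comparable.
ENTERPRISE_RISKS = [
    RiskEntry("finance", "vendor concentration", 5),
    RiskEntry("it", "unpatched servers", 5),
    RiskEntry("it", "ransomware", 20),
    RiskEntry("ops", "supplier outage", "high"),
]

if __name__ == "__main__":
    for e in ENTERPRISE_RISKS:
        print(f"{e.department:8} {e.risk:22} raw={e.native_score!s:8} "
              f"enterprise={normalize(e):6.1f} band={band(normalize(e))}")
    print(aggregate(ENTERPRISE_RISKS))
```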

I could go on with more – but that is probably enough to digest for now.  Please share your comments and experiences below for the benefit of all (solution providers: readers do not want product pitches, so please avoid those in comments).  My thoughts are notes of caution in evaluating solutions.  There are great GRC solutions in the market – and the right solution for one organization is not the right solution for another.  GRC 20/20 is here to help sort this all out – that is what we do, market research.  We are not a consulting firm but a market research/analyst firm.

Expanding Role of Audit Stretches Resources and Capabilities

The role of audit is taking on greater significance, guiding the enterprise beyond traditional attitudes about financial controls toward assuring that the organization is managing risk appropriately and meeting obligations across a range of high-risk business processes, operations, and regulatory requirements.  Today’s audit department must have a full understanding of the risks the organization faces and how they relate to each other across processes and activities.  The auditor must be able to rely on well-constructed and well-performed evaluations of risk management, control, and governance processes to provide assurance that controls are designed appropriately and operating as designed.  The Chief Audit Executive is challenged to help lead the organization to higher levels of performance while assuring the Board and stakeholders that the organization can both anticipate adverse events and take full advantage of opportunities that will help it meet its objectives.

Over the past two decades audit has changed.  Audit still has a strong focus on financial risks and controls over financial reporting.  However, the role of information technology audits has seen steady growth for the past fifteen years.  Today, audit is being challenged to cover enterprise risk management, a broad array of operational audits, increasing regulatory compliance audits, and expanding demand for third-party (e.g., vendor, supplier, agent) audits across a dynamic and distributed business. Therefore, audit itself needs a strategy that encompasses both the dynamic need for audits and the planned and cyclical. There is growing interest in dynamic audits – but the best approach is a hybrid in which there are regularly scheduled and planned audits, yet resources remain available for the dynamic audit needs of the business when risk and situations require them. This grows particularly challenging as business is constantly changing and distributed across a mesh of business relationships.  Providing assurance to stakeholders in the modern organization has become a real challenge for audit and has increased audit’s role and visibility while stretching its resources.  Managing audit effectively requires new paradigms in audit management, audit processes, analytics, and the role of technology in making audit successful.

The issues facing audit are more challenging than ever before.  The audit department is being asked to do more audits across more areas of business operations with limited resources.  It has become an ongoing challenge to document and maintain auditor skill sets, develop and deliver audit work papers, and provide assurance across business operations and relationships.  The business has grown in diversity, complexity, and processes that challenge audit to build an audit program that is sustainable, efficient, effective, and agile to the needs of a distributed and complex business environment.  The need for resources and tools to drive efficient and effective audits through audit analytics of vast sets of data further adds to the challenges facing audit.

Audit needs to lead the organization in aligning on the governance, risk management, and compliance (GRC) strategy and provide assurance on it, by understanding, communicating, and providing assurance on the risks the organization faces, and by ensuring audit interacts with GRC related activities across the organization. Audit needs to be prepared to:

  • Articulate to the Audit Committee and the full Board why having a clear and conformed view of risk across the enterprise is critical to providing assurance
  • Demonstrate how strong objective, independent assessments and audits can be used to evaluate all aspects of performance from strategic to financial and operational 
  • Communicate the need for dynamic audits alongside cyclical audits in coordination of a complex web of related risks impacting an expanding array of dynamic business operations and relationships 
  • Influence other key functional executives to align with audit’s risk and audit strategy and the organization’s achievement of business objectives 
  • Collaborate with other GRC executives as well as business operations in developing auditable processes that allow for measurable evaluation of effectiveness and efficiency
  • Assure the executives, the board, and other stakeholders that controls are in place and operational to prevent adverse effects from identified risks
  • Help the stakeholders appreciate how audit aligned risk management can protect and grow value to the organization
  • Deliver to the executives and the board clear and reliable information about risks that will drive strategic decisions and future outcomes 
  • Allocate limited resources to audits and controls evaluations to provide assurance 
  • Utilize technology to maximize these limited resources, which face ever increasing demands for more audits in an expanding and constantly changing risk, regulatory, and business environment
  • Address the need for audits and audit analytics that do not disrupt operations and have coordinated schedules and content
  • Provide for improved efficiencies and reduced risks throughout the extended enterprise

Equipping Audit to be Ready for the Challenge Before It

The demand upon audit to do more with limited resources is a daunting challenge.  Internal auditors have the skill set, interest, and focus to be able to look at things in a measurable way across the business and its operations.  Audit has a broad understanding of many facets of the organization. However, audit has limited budgets and resources available to assess controls across business processes and relationships, and therefore needs to be able to efficiently manage assignments and resources to provide the greatest value to the organization. This is particularly challenging in a dynamic business environment. If the audit function is not consistent and measurable, audit will have trouble assessing processes and providing assurance to the Board.

To address this complex web of challenges, audit needs an approach that drives an integrated and coordinated effort of audit management and analytics across the organization and its audit plan: an audit plan that has the flexibility to meet the needs of dynamic audits when needed, but allows for the cyclical and routine as well. This includes the ability to:

  • Define and manage the “audit aligned risk universe” – consisting of an alignment of audit with enterprise risk in which audit plans are prioritized by risk allowing for dynamic audits as the organization encounters greater risk exposure in areas or reacts to events.  
  • Plan and manage a flexible five-year audit plan from which annual audit schedules are prepared, including the ability to plan and schedule routine/cyclical audits. Yes, the business needs audit resources for the dynamic audits more than ever – but the need for the cyclical will remain as well, as there are some audits that are routine and just have to be done.  The audit plan is critical to ensure that cyclical audits get done, but it is more important to ensure that audit also has resources available for the dynamic audits that come up.
  • Prioritize the audit by risk and support a risk-based approach to auditing that is driven by the enterprise risk register with the ability to auto-populate the audit plan with data from corporate and divisional risk registers.
  • Estimate total resources (e.g., labor hours, cost and manpower) required to complete an audit based on estimated time required for each audit engagement in the audit plan.  
  • Define and manage detailed checklists and tasks for each section and sub-section that need to be performed for executing the audit, along with evaluation and pass/fail criteria.
  • Schedule audits with the ability to monitor audit tasks, send appointments, define and track requirement dates. 
  • Break audits into parts and assign to different groups/individual auditors with the ability to distribute audit tasks to internal and/or external auditors
  • Create, store, and share standard audit workpapers, checklists, and questionnaires with ability to assign a weight factor to the items or sections on the audit checklist.
  • Send audit questionnaires and monitor their completion and record information received.
  • Provide mobile capabilities to allow auditors to enter findings at remote sites and deliver the agility to conduct audits when and where needed.
  • Maintain a library of workpaper templates, customize workpapers, and manage changes to the structure of audit workpapers against their respective templates.
  • Track the status of the audit and measure progress against milestones including the capability to assign staff to audit projects and specific tasks and manage/monitor them through completion.
  • Monitor and measure audit metrics: who worked on an audit, progress of audits, time spent on an audit, and remaining time needed to complete an audit.
  • Map risks, obligations, and audits to policies, internal controls, operational processes/maps, system assessments, system scans, system screen shots, vendor documents or other supporting documents to audit workpapers and questionnaires.
  • Provide integrated audit analytics across a wide spectrum of information to provide assurance and insight on processes, operations, and transactions across the business and the state of control of the same.

The bottom line: This is not your father’s audit program.  Audit today is different from what it was twenty to thirty years ago.  Today’s audit department has growing demands to do more audits across operations and relationships while still being constrained by limited resources to fulfill these demands.  To effectively conduct audits, efficiently manage limited audit resources, and meet the agility required of a dynamic business environment requires a top-down approach to audit that is driven by risk-based priorities and in which technology is utilized to manage resources, analyze data, and streamline audit operations.

GRC Federalist Papers: A Call to Action

Business is complex. Gone are the years of simplicity in business operations. Exponential growth and change in risk, regulations, globalization, distributed operations, processes, competitive velocity, business relationships, disruptive technology, and business data encumber organizations of all sizes. Keeping complexity and change in sync is a significant challenge for boards and executives, as well as for governance, risk management, and compliance (GRC) professionals throughout the business.

GRC cannot be managed in isolated silos that lead to the inevitability of failure. This is what I call ‘anarchy’ architecture, where decentralized, disconnected, and distributed GRC processes catch the organization off guard to risk and exposure. The complexity of business and the intricacy and interconnectedness of GRC require an integrated approach to business systems, data, and GRC processes. However, the opposite is also a challenge: ‘monarchy’ GRC architecture. In this approach the organization takes a one-size-fits-all approach to GRC and tries to implement GRC processes through a single GRC platform that all are required to use. This forces the organization to adapt and manage GRC to the lowest common denominator.

The challenge for organizations is how to reconcile homogeneous GRC reporting, risk transparency, performance analysis, and compliance with an operating model that is increasingly heterogeneous as transactions, data, processes, relationships, mobility, and assets expand and multiply. GRC fails when risk is addressed as a system of parts that do not integrate and work as a collective whole. GRC fails when it is thought of as a single platform to manage workflow and tasks. GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach. 

In the end, GRC architecture, and particularly technology, should not get in the way of business. The primary issue is the overhead of extensive services and technology implementation to integrate and develop massive GRC implementations that end up slowing the business down and delaying value (if value is ever achieved). The problem is that what GRC vendors call integration really means consolidation, replication, and redundancy. There is a huge gap between being functional and being agile.

Organizations should aim to define a GRC architecture that effectively reconciles organization strategy, process, information, and technology into what I call a ‘federated’ GRC architecture that enables oversight, reporting, accountability, and analytics through integration with business processes, data repositories, and enterprise systems. Let GRC work with and throughout the business, and do not force parts of the business into a mold that does not fit. Allow for diversity while providing integration, discipline, and consistency. Note that the word “centralization” is being avoided. To “centralize” immediately imposes alien constructs that undermine agility. Federated GRC goes beyond functional to be agile and valuable to the business by delivering a harmonious relationship between GRC and the business. GRC should enable enterprise agility by creating dynamic interactions of GRC information, analytics, reporting, and monitoring in the context of business. Federated GRC enables agility, stimulates operational dynamics, and, most importantly, effectively leverages rather than vainly tries to control the distributed nature of the modern enterprise.

This blog article is part of the OCEG GRC Illustrated Series, in which GRC 20/20 is engaged as a thought leader and designer: The Federated GRC Approach

Business Agility Across the Extended Enterprise

No company is an island. Organizations are a complex and diverse system of processes and business relationships. Risk and compliance challenges do not stop at traditional organizational boundaries. Organizations struggle to identify, manage, and govern extended business relationships. The challenge is: “Can you attest that risk and compliance are managed across extended business relationships?” An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak oversight. 

Organizations tend to look at the formation of a business relationship and fail to foresee that issues cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship. They make two common mistakes: 

  • Risk is only considered during the on-boarding process: Risks in extended business relationships are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies. This approach fails to recognize that additional risk is incurred over the life of the business relationship. 
  • Partner performance evaluations neglect risk: Metrics and measurements often fail to fully analyze and monitor risk. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations. 

Organizations need an integrated approach to third-party management that brings together people, process, and technology to deliver not only efficiency and effectiveness but also agility. The building blocks of an effective, efficient, and agile third-party management program are: 

  1. Define Your Program. The first step is to define the third-party management program. While an individual needs to lead the program, it also requires that different parts of the organization work with this role. Defining your program includes understanding board oversight and reporting for third-party risk and compliance, and establishing a cross-functional team to ensure that the operational, reputational, and compliance risks in business relationships are appropriately addressed. This team needs to work with the relationship owners to ensure a collaborative and efficient oversight process is in place.
  2. Establish Framework. The third-party management framework is used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships. The framework starts with developing a list of third-party relationships cross-referenced to risks and regulations affecting those relationships. A framework is an organized set of controls used to measure compliance against multiple risks, regulations, standards, and best practices. 
  3. Onboarding. Evaluation of risk and compliance needs to be integrated with the process of procurement and vendor/supplier/partner relations. A business relationship is to be evaluated against defined criteria to determine if the relationship should be established or avoided. When there is a high degree of inherent risk, but the relationship still is necessary, manage the risk within tolerance level by establishing compensating controls and monitoring requirements. 
  4. Ongoing Monitoring. A variety of environmental and geo-political factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. The potential risks relevant to each business partner should be taken into consideration to monitor the health and success of business relationships on an individual and aggregate level. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships. 
  5. Resolve Issues. Even the most successful business relationships encounter issues. These may arise from quality, health and safety, regulatory, environmental, business continuity, economic, fraud, or legal and regulatory mishaps. The fallout from incidents is exacerbated when everyone scrambles because nobody developed defined action and resolution plans ahead of time. Management of risk across extended business relationships should account for issues and plan for containment, mitigation, and resolution. 

Manual spreadsheet- and document-centric processes are prone to failure, as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time on data management and reconciliation than on active risk monitoring of extended business relationships.

Third-party management is enabled at an enterprise level through implementation of an integrated third-party management platform. This offers the adaptability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third-party management platform enables the organization to effectively manage risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans. 

This blog article is part of the latest GRC Illustrated Series: Integrated Third-Party Management