2014 GRC Drivers, Trends & Directions

I trust the New Year is off to a great start and your governance, risk management, and compliance (GRC) initiatives are fruitful.  Myself, I have been quiet in communications this last month wrapping up 2013 projects, redoing much of the www.GRC2020.com website, and planning for 2014.

It is important to note that every organization does GRC.  Every organization has some approach to governance, risk management, and compliance processes.  These may be siloed or integrated, centralized or federated.  They may be fly by the seat of your pants or defined and disciplined.  GRC is not just technology; it is about people, strategy, process, information and technology.  GRC maturity is measured by how this is integrated, aligned with the business, and provides business value.  GRC is not only about a strategy that spans the enterprise – GRC happens in different departments and functions throughout the business.  There are top down enterprise-wide GRC initiatives, but a lot of GRC happens in the trenches throughout the organization in disconnected departments.

As with any New Year initiative – it is good to be forward looking to see what the future beholds us in GRC.  As a market research analyst I dust off my palantir (that is a crystal ball for the non-Tolkien enthusiasts) and tell you what is important for 2014 as we look ahead.

The future depends on the past and the events that drive us toward the trends that lay before us. The drivers impacting organizations to improve their GRC related processes are:

  • Rapid pace of change. Business itself is changing rapidly (e.g., employees, partners, technology, processes, strategy).  Risk environments are changing (e.g., geo-political, financial, environmental, competitive). Regulatory and legal requirements are changing.  Trying to keep business, risk, and regulatory change in sync is not easy.  The greatest challenge for GRC is to coordinate all of this change and ensure that the organization achieves its objectives while addressing uncertainty and acting with integrity (see blog:  Tracking Change that Impacts Policy).
  • Increased risk, regulation, and scrutiny.  Not only is risk and regulatory change happening faster than organizations can keep, risk, regulations, and scrutiny of business governance and operations are also increasing.  This results in an exponential GRC impact on organizations as we manage increasing new risk and new regulation in an environment where existing risk and existing regulation is also rapidly changing.
  • Extended enterprise adds layers of complexity.  It is one thing to manage all of the change bearing down on business in a contained environment.  When you begin to think of the hundreds to thousands to tens-of-thousands of business relationships impacting the organization you face GRC terror.  Suppliers, vendors, outsourcers, service providers, contractors, agents, temporary workers, partners . . . they all impact your business (see blog:  Growing Risk Exposure in Business Relationships).  Your risk and regulatory issues are their risk and regulatory issues, however you are the one left in the spotlight when things go wrong and fines are imposed and your organization is on the front page of news in a negative way.
  • GRC addressed in silos.  We talk a lot about Enterprise GRC.  It is a great idea – how perfect the world would be if we had one single integrated view of GRC information and processes.  Reality is different.  Organizations have GRC processes and data scattered across the organization with several “GRC platforms” installed.  Sort of makes you think of the ERP world.  We talk about how wonderful business will be with one instance of ERP when in reality the organization has several.  Right now 80% of the spending on GRC solutions happens at the department or issue level and less than 20% on top-down enterprise GRC strategies. Some of the 80% is moving toward the enterprise view but are still on the journey.
  • Herding cats.  There are those that have vision for an enterprise approach to GRC and bringing everything together.  Many times these roles are a voice crying in the wilderness.  Worse, there are several with a vision but internal political strife rises within the business over who controls enterprise GRC strategy.  Needless to say, getting people on board and cooperating is a lot like herding cats (see my favorite cat herding video).
  • Multiple GRC solutions in house.  As stated, most organizations have many GRC solutions in house.  Some are home grown, others are commercial software.  Every week I am told how such and such a vendor is the GRC platform for some organization and I reflect back to last week when someone else told me they were for the same organization and the week before that . . .
  • Documents, Emails & Spreadsheets. Oh My!  Despite multiple solutions in house, much of the business is still struggling with manual and document centric approaches to aspects of GRC.  Yes, some solutions have been purchased – but many areas of GRC are still encumbered by the inefficiency and ineffective use of documents, spreadsheets, and emails (see blog:  GRC Spreadsheets, Documents & Email, OH MY!).  Not to mention that this approach is often not defensible in a growing legal landscape that requires auditable and defensible GRC.
  • Policies are a cornerstone to successful GRC.  There is growing awareness that policies are the cornerstone of a successful GRC initiative whether focused on a specific issue, department, or enterprise.  Policies need to be properly written, communicated, and maintained.  They address risk, define how to comply with obligations, and establish culture (at least properly written, managed, and enforced policies).  Policies are essential to successful GRC.
  • GRC to the scale of ERP cost and complexity. Every week I am hearing the weeping from organizations as they tell me tales of GRC initiatives that are burying them. Monstrous and costly initiatives that are over budget and past deadlines.  I taught a workshop in 2013 in which I had to rein attendees in three times throughout the day as they wanted a GRC psychiatrist to listen to their PTSD stories of GRC implementation. Ironically, the GRC solution providers are not the only culprits for selling complex and cumbersome GRC initiatives; large consulting firms that love the services revenue from these projects also drive it. I had one client I helped with an RFP (who chose a solution against my recommendation) tell me it took them two years to roll out and was significantly over budget . . . they now wished they had listened to me.
  • Unintuitive and difficult to use GRC solutions. I am regularly told about the frustrations on easy of use of GRC solutions.  Many of the leading GRC solutions are very complex, lack intuitiveness and ease of use, and have dated interfaces. Interesting, you talk to some vendor references and you hear glowing reports.  However, these references tend to be the decision maker who is thrilled to be paraded at conferences, given press, and like to bask in the light of their ever so wise decision of a GRC solution.  Instead, if you talk to the users of the platform in the same organization you often get a completely different point of view.
  • Major analyst firms offer poor GRC advice.  The GRC market is a macro-market with a lot of segments.  It includes categories like risk management, audit management, compliance management, policy management, security, health
    and safety, and more.  You cannot collapse this market into a two-dimensional graphic that gives a perception of leaders and losers.  There are 500+ solution providers GRC 20/20 tracks in the market and the major analyst reports only cover 10 to 20.  The last Forrester GRC Wave I wrote in 2007 before going independent had four different Wave graphics, as the market was complex then. Forrester is in retreat.  Subsequent Waves went to one graphic.  Now they are collapsing two separate Waves (IT GRC and Enterprise GRC) into a single Wave graphic.  This does not make sense and organizations are frustrated.  I had one large organization tell me that they do not think Gartner could spell FCPA as they had no clue and kept throwing broad GRC platforms at them with no context of how it addressed anti-bribery and corruption (see blog: Gartner GRC Magic Quadrant Rant, Part 3).

Before I get to the GRC trends that spring from these GRC drivers, I want to address the GRC naysayers.  I use the term GRC broadly to bucket a range of terms and approaches to risks and regulations.  GRC includes ERM, and some would define ERM the way I would define GRC.  So the issues listed above are not the result or because of GRC.  I can do a find and replace of GRC with ERM and we have the same truth.  These are acronyms that cover a wide range of processes, information, and approaches.  The pain expressed above is the growing pains of maturity in GRC, ERM, and many other acronyms and terms we use.  It is the result of misguidance from major analyst firms and organizations taking on more than they can accomplish.

The answer to the pain that is burdening organizations in the GRC drivers above are the trends that are happening in the GRC market and will be reflected in GRC 20/20’s research throughout 2014.  These trends are:

  • GRC by Design.  Organizations are realizing they cannot buy GRC.  You cannot go to a vendor and buy a platform and get GRC and bring it home to the office.  Successful GRC is an architecture (see blog: The Rise of GRC Architecture in GRC 3.0).  It requires design and planning.  It requires structure.  There will not be one GRC platform that solves all your problems. There can, and often should, be a core GRC platform that is the backbone of GRC integration, processes, and reporting.  However, there are solutions that are built for very specific purposes of IT security/GRC, health & safety, quality, matter management, and more.  All these are in the GRC space – but one platform does not do all these categories well. Mature GRC requires a strategy that applies architecture design to GRC processes (aligned and integrated with business processes), information, and technology.  This is GRC by Design.
    • Over the course of 2014, GRC 20/20 will be working on a series of research on GRC by Design supported by research on Audit by Design, Compliance by Design, Risk by Design, and more.
    • The GRC 3.0 Marketecture is a representation of the GRC market across a range of categories. There are over 500 solutions in the GRC market that GRC 20/20 maps into the GRC 3.0 Marketecture (e.g., there are 81 policy & training management solutions, 75 3rd party management solutions).  This is coming together in the GRC Directory being launched in February on the www.GRC2020.com website.
  • Measuring GRC Maturity & Building a Business Case. The first decade of GRC solutions and strategy is past and we are in the maturing phase.  Organizations are looking to compare themselves and demonstrate maturity against peers.  They are looking at how do we articulate the value of GRC and build a business case for improvement.
    • GRC 20/20 is supporting this trend through our GRC Benchmark projects that includes a GRC Benchmark for enterprise GRC as well as focused benchmarks on policy, risk, audit, and compliance.
    • Further, our 2014 research will have a series of pieces on GRC Archetypes that define the different approaches organizations can take, how maturity is measured and value articulated, and building a business case for improvement.
  • GRC Intelligence & Analytics. To manage the amount of change impacting organizations requires intelligence. This is more than raw data, but the integration (and not necessarily consolidation) of information to bring knowledge and insight.  Much of this intelligence is in information sources feeding information on regulatory change, geo-political risk, environmental factors, financial risks, world developments, 3rd party screening and due diligence.  The organization needs to integrate a changing business with changing risk and regulatory environments.  This requires that organizations rethink GRC data and have the ability to integrate multiple sources of data for analysis and reporting.  It also requires us to rethink how we address Big GRC Data.  Monolithic and expensive GRC data warehouses are not necessarily the answer, nor are they needed.  It is a matter of connecting the right information sources where they are at – harvesting what is needed – and bringing together this information into actionable GRC intelligence.
    • GRC 20/20 is supporting this trend with a variety of research and projects focused on GRC information and data architecture and reporting.
  • Getting a Handle on the Extended Enterprise.  This is the fastest growing segment of the GRC market (currently has 76 solutions in it that GRC 20/20 tracks to size, segment, and forecast this market).  Organizations are struggling with issues like conflict mineral compliance (see blog:  Where does conflict minerals fit into your broader 3rd party GRC strategy?), social accountability, privacy, security, code of conduct, ethics, environmental responsibility, health and safety, quality, and more.  They are looking for integrated solutions that help them manage risk and compliance across their 3rd party relationships (see blog:  3rd Party GRC: Business Agility in a Dynamic and Distributed Environment).
    • GRC 20/20 will be releasing our Market Landscape and Buyers Guide for 3rd Party Management solutions shortly as soon as infrastructure work on the www.GRC2020.com website is complete.
    • GRC 20/20 is also managing the design and layout of the OCEG GRC Illustrated series on 3rd Party Management.  The first illustration is complete and published and work has begun on the 2nd.  This will come together in an eBook later this year.
  • Getting Your Policy House in Order.  The busiest segment of the GRC space for GRC 20/20 has been policy management.  Throughout 2013 GRC 20/20 has been actively involved in many RFPs and GRC buyer inquiries looking for policy management solutions.  The trend is toward enterprise policy management. There is growing demand for platforms to manage policies across the enterprise.  2014 is showing a whole new range of RFPs just starting to open up in enterprise policy management (as noted above, there are 81 solutions in this space).  Organizations are being held under greater regulatory scrutiny for how they manage and communicate policies and find that their current approaches do not provide a defensible position when under legal and regulatory scrutiny. Organizations are also looking for guidance on how to build a business case and articulate value of policy management.
    • GRC 20/20 has a lot of published research in this space and will be updating
      much of it in 2014.  We have a policy management business justification and value tool we use with organizations to articulate the value of an enterprise policy management strategy and a policy management benchmark as to tell them how they compare to their peers in maturity.
  • The Year of the GRC David/Underdog.  There are lots of solutions in the GRC market.  Some focused on very specific issues (e.g., FCPA, conflict minerals, PCI), others on departments/roles (e.g., IT, audit, compliance, risk), and some are solutions that transcend across a range of departments and address a variety of issues.  Many, in fact the majority, cannot be found in major analyst reports.  With growing frustration with large complex GRC projects that under deliver, are over budget, and have missed deadlines, organizations are becoming more interested in the new breed of GRC solutions.  There are some great solutions that offer very elegant and intuitive user interfaces that are easy to deploy and use (see blog: Employee Engagement in the Context of GRC: Bringing GRC to the Coal-Face).
    • GRC 20/20 is covering the range of solutions in the GRC market from the established major players that have been racking up market share and brand recognition for years to the nimble start-ups that offer a fresh perspective on GRC technology and ease of use.
  • Growth in GRC Software as a Service.  Related to the previous point, GRC 20/20 is seeing a massive and growing interest in Software as a Service (SaaS or cloud) for GRC.  Yes, we still have security naysayers that seem to want to shut down the cloud.  The reality is that some of the most sensitive business information is in the SaaS cloud.  Most board portal solutions managing board papers, calendars, and board voting is cloud-based.  GRC 20/20 is seeing significant growth in cloud-based solutions for legal matter management and many other sensitive areas of GRC.
    • GRC 20/20 is committed to publishing research in 2014 focusing on cloud adoption for GRC solutions.

There you have it – a synopsis (though a lengthy one) of the drivers and trends impacting GRC in 2014.  More detail will be given in next week’s Q1 State of the GRC Market Research Briefing.  GRC 20/20 is also working on publishing a range of Buyers Guides for categories of GRC solutions as well as Market Landscapes of GRC solutions.  These will cover GRC solution categories of policy, 3rd party, compliance, audit, and risk management to begin with and expand into other categories of GRC solutions over time.  These will be supported by research on value and business case justification and a variety of case studies.

Bottom Line:  GRC 20/20 is focused on providing you the deepest and broadest insight into the GRC solution market covering a range of solutions, buying criteria, market growth dynamics, projections, and business/value justification throughout 2014.

 

GRC Spreadsheets, Documents & Email, OH MY!

Why Spreadsheets, Documents & Emails Fail for GRC

At times I can sound like a broken record – repeating myself over, and over, and over, and over again, and again, and again.  One of my prominent soapboxes over the past decade has been the failure of spreadsheets, documents, and emails to assess, audit, manage, and monitor governance, risk management, and compliance (GRC) processes.

Yes, I acknowledge that Microsoft is the largest GRC software vendor on the planet with Word, Excel, Outlook/Exchange, and Sharepoint.  However, these tools, and their counterparts from Google and others, make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate principles of GRC.  They are very useful tools.  I use them everyday in my business, but for managing GRC information they – by themselves – do not meet par.

In fact, after a decade of screaming and preaching from my GRC soapbox, I hear that the regulators are cracking down.  I am in the process of substantiating this, but I have heard from a few sources that the U.S. financial services regulators are now stating that using documents and spreadsheets for audits and risk/compliance assessments (by themselves without additional tools to enhance them) are not acceptable.

The reasons documents, spreadsheets, and emails fail for GRC are as follows:

  • No audit trail.  By themselves, without some additional tools/solutions and significant configuration, these solutions do not have inherent audit trails.  You cannot go back and state that you know with a specific level of certainty that those answers were gathered from that specific individual on this date and time and represent their actual, unaltered, authenticated answer to that survey, assessment, analysis, policy attestation or audit.
  • Easy to manipulate.  Building on the first point, there is no audit trail or history of changes made.  It is a simple task for anybody to go back and manipulate responses to paint a rosier picture to get himself or herself, someone else, or the organization out of hot water.  Someone can easily go back and cover their trail when there is no audit trail and authentication happening that tracks changes, what those changes were, who made them, and keeps a record of all changes.
  • Slipping through the cracks.  There is no structure of required workflow and task management.  Things can be configured in email systems, but most often people fire off emails asking for assessments to be done, audit findings to be responded to, policy attestations to be made . . . and no one gets it done.  It ends up in the trash, junk folder, filed away, and never responded to until someone is screaming.
  • No consistency.  It is hard to make assessments, surveys, attestations, policies and other GRC related information consistent.  If a new assessment is needed – we just open up Excel and create a new assessment from scratch and fail to realize that there is another assessment asking the same people half of the same questions as our new assessment.  Further, different documents and spreadsheets are formatted in different ways and each requires its own learning curve.
  • Compilation nightmares.  Have you ever been asked to compile reports involving hundreds or even thousands of documents, spreadsheets, and emails?  If you are a GRC professional the odds are you have.  I have had one financial services organization tell me in an RFP project (I was writing the RFP for them) that 80% of their GRC resources (FTEs) were nothing more than document reconcilers.  In surveys and webinar pulls you find that it often takes 80+ man-hours to compile GRC (risk/compliance/audit) reports.  There is a significant amount of time needed to integrate and compile information from a mountain of documents, spreadsheets, and emails.  Myself, I would not be interested in a job very long where 80% of my time is cut, paste, manipulate data for reports.  My interest is in analysis and managing risk and compliance not in cut and paste – that is what I did in kindergarten.  
  • Compilation errors.  At the end of the day, all this work compiling and integrating hundreds to thousands of documents, spreadsheets and emails is inevitable failure.  Odds are there is something wrong.  That much manual reporting is bound to have serious errors.  Not malicious, but inadvertent.  It happens all the time.  In fact, one of the primary contributing factors to the multi-billion dollar JP Morgan Whale loss was an error in a spreadsheet.  

Those are my primary reasons why documents, spreadsheets and emails by themselves fail in GRC.  There are ways to fix this. Solutions that provide and enforce consistency and audit trails within spreadsheets, but these do not account for workflow and task management needs.  The best approach to address these limitations is to implement GRC management solutions that provide for audit trails, consistency, and integrated reporting. Solutions that bring efficiency (both human and financial capital efficiency), effectiveness (accurate and auditable reporting), and agility (timely and relevant information when it is needed).

What are your thoughts and experiences with spreadsheets, documents and emails in GRC processes and reporting?

 

3rd Party GRC: Business Agility in a Dynamic and Distributed Environment

GRC 20/20 is providing a specific focus on 3rd Party Governance, Risk Management & Compliance (GRC) in the month of December.  This is the fastest growing part of the GRC market as organizations struggle with issues of conflict minerals, anti-bribery & corruption, social accountability, privacy, security, and more . . . 

No company is an island unto itself: Organizations are a complex and diverse system of processes and business relationships. Risk and compliance challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern extended business relationships as they stand in the shoes of their agents, vendors, partners, suppliers, and relationships. Business partner problems and issues are the organizations problems that directly impact the organization’s brand and reputation. When questions of business practices, compliance, and controls arise, the organization is held accountable, and it must ensure that business partners behave appropriately.

Businesses must understand business relationships in the context of the governance, risk and compliance (GRC) issues that impact business operations and brand. The challenge before organizations is: “Can you attest that risk and compliance is managed across extended business relationships?”  The head of procurement, for example, is often left with managing supplier risk across these business relationships but has inadequate processes and information to effectively monitor them.

This is challenging enough with the distributed and extended nature of business, but it becomes particularly challenging in the current dynamic ever-changing business environment.  Risk, regulatory, and business environments are in a constant state of change. The business needs to be current in its governance, risk management, and compliance processes across business relationships. Manual email, spreadsheet, and document centric processes are prone to failure, as they bury procurement and other areas of 3rd party risk/compliance resulting in mountains of documents that are difficult to maintain, aggregate, and report on: consuming valuable resources in data management instead of managing 3rd party risk and compliance.  Organizations need an integrated solution to manage 3rd party risk and compliance that brings together frameworks, content, and technology to deliver not only efficiency and effectiveness but also agility.  

Extended business relationships — supply chain, value chain, vendors, service providers, outsourcers, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits and controls, and other business practices. Organizations need to actively demonstrate an in-compliance and in-control status throughout the extended business environment. Anything that impacts business relationships can taint the organization’s brand — such as child labor, quality issues, fraud, privacy violations, or other misconduct.

Procurement, and other parts of the business, tend to look at the formation of a business relationship and fail to foresee issues that can cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship itself.

The list of exposure areas impacting business relationships can be categorized as . . . 

  1. Operational risk.  The organization needs to ensure that business processes and information are managed to limit risk exposure to the business.  This can cover areas such as health and safety, continuity of operations, redundancy in supply chain, quality issues, and security.
  2. Financial risk & performance.  The organization needs to make sure it is doing business with stable organizations that can be relied upon.
  3. Reputation.  The organization’s brand is on the line. To make sure that the corporate brand is not tarnished the organization needs to ensure that its vendors and business relationships hold to appropriate commitments to labor standards, environmental protection, fiscal responsibility, and social responsibility.
  4. Compliance.  The organization needs assurance that its vendor and business relationships are complying with local laws and regulations as well as the laws and regulations that bear down upon the business around the world.  This covers a wide spectrum of compliance to labor, anti-bribery and corruption, quality, import/export, security, privacy, and health and safety regulations and laws.

Organizations tend to look at the formation of a business relationship and fail to foresee these issues cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship. There is a common failure to manage risk across the lifecycle of business relationships for the following reasons:

  1. Risk is only considered during the on-boarding process: Risks in extended business relationships are usually only analyzed during the on-boarding process to validate the organization is doing business with the right companies. This approach fails to recognize that additional risk is incurred over the life of the business relationship.
  2. Relationship performance evaluations neglect an integrated view of GRC: Metrics and measurements for ongoing business relationships often fail to fully analyze and monitor risk. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.

Organizations are complex entities that extend to hundreds or thousands of business relationships around the world. Organizations must actively manage and monitor risk and compliance across the lifecycle of a business relationship. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak and unmonitored oversight.

In the past, risk in extended business relationships was predominantly focused on the on-boarding process. After that point, individual business areas may conduct routine audits and assessments or require attestation to a code of conduct, but it is not a coordinated or collaborative function and often lacks accountability.

Document centric processes bury the organization with mountains of out of sync data that takes time to reconcile and report.  The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships. Business needs defined processes, information, frameworks, and solutions to effectively and efficiently manage 3rd party extended business relationships. The goal is to enable business agility by providing defined and integrated accountability processes that can manage risk and compliance in the context of performance and change across  business relationships. A clearly defined approach to managing GRC across extended business relationships requires a consistent lifecycle and program supported by a common information and technology architecture. 

Upcoming Research Briefings on this topic are . . . 

 

Examples of GRC Engagement

In my previous article I made the argument that GRC (Governance, Risk Management & Compliance) is as relevant to the front office as it is to the back office.  That the front lines of the business use GRC systems and need engaging user experiences. 

It is not just the front lines though.  All levels of the organization interact and use GRC technologies from taking assessments, reading policies, going through training, reporting incidents, evaluation reports, diving through dashboards, and more.

Employee engagement in GRC 3.0 requires GRC technologies to extend across the organization: Even to extended third party relationships such as vendor, suppliers, agents, contractors, outsourcers, services providers, consultants and temporary workers. To engage stakeholders at all levels of the organization requires GRC technologies are relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a social-technology permeated world. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.

A primary directive of GRC 3.0 is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The GRC 3.0 goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

I have been evaluating GRC technologies for twelve years now and find that many have average to poor user experiences.  Even some of those who are recognized as GRC leaders who would have you believe that their platform could solve the worlds problems have interfaces that are overly complex, non-intuitive, confusing, and at times downright confounding.  

What I am doing today is drawing attention to some examples of Engaging GRC – solutions that I think are delivering cutting edge interface design focused on intuitiveness, aesthetics, and engaging employees at all levels.  However, this is not a blanket endorsement of these products.  Some are very strong in what they do others are early on the journey of building out breadth and depth.  Please do not see this as a blanket endorsement – it is not.  I am happy to answer questions on any of these vendors listed and anyone else being considered by buyers in the GRC ecosystem of technologies.

Examples of the latest in GRC Engagement delivering intuitive and easy to use interfaces are as follows (in alphabetical order, there are other vendors that I think excel in GRC Engagement – these were selected as they had publicly accessible video that at some point in the video in these links has a view into their product I could comment on):

    • ACL.  This is one of my favorites – you have to click on the video icon to get the video that demos the product.  Great use of white space, sidebars, clean interface, fonts, and graphics for navigation and context.  Very clean interface.  I particularly like the drag and drop risk tagging and moving things to different buckets/stages.  Great reporting and dashboards with intuitive drill down capability for GRC intelligence.
    • BitSight.  The first minute and a half is one of the most brilliant marketing videos I have come across, once you get through this you get to the interface.  I love the crispness of the reports, the different ways of representing data, the clean interface, and use of graphics in navigation and context.
    • Compli.  I wish this video showed more of the product other than a few quick glimpses. There is so much more to it.  Clean interface.  Great use of fonts and numbers.  They have a video animation showing the drag and drop workflow but does not show the product itself and elegance of their implementation of this feature.
    • Convercent.  Beautiful interface with intuitive navigation and drill-down.  Good use of white space, clean fonts, attractive colors, and clean graphics and reporting.
    • CoreStream.  Notice the clean use of fonts, not an overly busy interface, and the use of graphics icons for navigation and context.
    • LockPath.  This solution is delivering some very innovative and graphical concepts of interactive data visualization and relationship.  The top panel has a play button where you can see innovation in the relationship and management of GRC data..
    • StratexSystems.  You have to scroll down to the bottom of the screen to get to the videos of the product itself.  There is a lot in this product that makes it average from GRC Engagement, but it stands out in some of its navigation, use of fonts, graphics, and I particularly like the business organization layout and use of colors and shapes.
    • The Network. Delivers a clean, elegant, and intuitive interface that minimizes the complexity of policy management.  Great use of graphics, easy tagging, integration of video, interactive content with the written policy itself in the same interface.
    • TrueOffice.  This solution stands out as a prime example of GRC Gamification and connecting to employees through interactive content.  I love what this company is doing in the niche of GRC that it delivers.
    • TRUSTe.  Great interface design, intuitive navigation, good use of fonts and white space as well as graphics.
    • 360factors.com.  This one unfortunately does not have a video and I about did not include it. It does have some screenshots that show the interface, good use of graphics for navigation and context, clean use of fonts and balance.

A Stakeholder's Expectation from the Audit, Risk and Compliance Programs

Employee Engagement in the Context of GRC: Bringing GRC to the Coal-Face

Governance, risk management and compliance (GRC) are a part of everyone’s job. Too often we shovel GRC into the bowels of the organization thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back office of the organization. This misperception is a critical issue organizations must address. The most significant exposures to risk and compliance issues are not in the bowels of the organization, they are at the front lines. They are at all levels of management and business operations. They cross partner, vendor and supplier relationships throughout the extended enterprise.

The user experience for GRC has been typically poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality and lack of central coordinated efforts for GRC communications. Organizations have ended up with multiple sources of policy, training, surveys, assessments and issue reporting hotlines. Interaction with these systems has consumed human and financial capital. Interaction is often inconsistently logged in documents and spreadsheets, if they are logged at all. There is no coordination of GRC communication and no way to prioritize messages and employee tasks. The result is emails and documents that fly about, slip through cracks, are never responded to, or are simply forgotten.

GRC is not just for back-office risk experts. For GRC to be successful, organizations must engage employees. It is no longer good enough to just have well documented policies and controls. Organizations must demonstrate GRC is active and operational across the organization.

GRC processes and technology can be contrasted with the past experience of employees to the present needs that build the future of GRC:

  • Past GRC approaches offered disconnected systems where an employee gets an email about a new policy, clicks on a link to go to the policy and read it in a text-heavy interface, then has to click on a link to take training on another system, and then has to link to a survey to test their understanding, and in all of this there are no places provided to ask questions or find other relevant resources. GRC for the average employee of the organization has been confusing and disconnected from what they do.
  • Present into the future of GRC is about integrating technologies and content to deliver an engaging experience that is interactive and connected. Where an employee clicks on the new policy and the training is delivered right in the same interface with the policy actually embedded into the same page as the policy flows around it. Other interactive content is delivered such as games that illustrate the policy.

The bottom line: GRC is only as good as your front-line understanding, participation and alignment with GRC. It is no longer enough to have the right GRC documentation; you have to show it is operationally effective. This requires employee engagement in GRC. This involves bringing GRC to the coal-face. The term coal-face is a term the British use to define frontline operations of the organization. It comes from miners deep in mineshafts at the coal-face harvesting coal. Every organization has a coal-face — the front line employees engaged in business operations. To maintain integrity and execute on strategy, the organization must be able to engage GRC in the context of its coal-face.

GRC solutions in the enterprise should deliver an exceptional end-user experience: getting employees involved by providing intuitive interfaces into GRC that are interactive, engaging and social. GRC solutions need to instruct, inform and be easy to use at all levels. It engages employees in GRC without leaving them overwhelmed and confused. Employee engagement happens through:

  • GRC intuitive interface design: GRC is using leading concepts in interface design to make user experience of GRC applications simpler, easy to navigate, aesthetically appealing and minimizing complexity.
  • GRC socialization and collaboration: GRC collaboration and socialization is used to conduct risk workshops, understand compliance in the context of business and get individuals involved in GRC at all levels of the organization.
  • GRC gamification: GRC gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making.
  • GRC mobility: GRC is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring GRC to all levels of business operations.

The result: Backend management and oversight of risk and compliance is still needed, however the frontend user experience is dramatically improved to engage employees and stakeholders to ensure they are connected to GRC in the context of their role and responsibilities. For GRC to provide value, employee engagement is critical, not optional.

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.[1]

A primary directive of GRC is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive. 

 


[1] This quote has been attributed both to Einstein and E.F. Schumacher.

 

Gartner GRC Magic Quadrant Rant, Part 3

Uh Oh, It’s Magic, Gartner’s Got a Hold On You . . .

Tossing and turning, anxiety is stirring me.  I am trapped in a labyrinth of quadrants with flying dots that do not make any sense coming at me from all directions.  One appears in front of me, I am startled.  I remark, “you do not belong here, that does not make any sense, you should really be over in that quadrant.”  All around me I eerily here the 80’s group The Cars singing “Uh Oh, It’s Magic, Gartner’s Got a Hold On You . . . “.  I tremble.  I am overwhelmed . . . I wake up screaming, covered in sweat.  My wife once again, as she has done so many times this past month, looks over at me and offers me a Xanax, yet again.

OK, it is not quite that extreme – but it is bad.  I have lay awake in bed until two in the morning many nights over the past four weeks pondering the black magical depth of the Gartner GRC Magic Quadrant.  Perhaps depth is not the right word – more like the mysterious shallows.  Actually, I cannot tell you how deep or shallow it is as Gartner gives me no indication of the depth of their analysis.  We are left to assume Gartner has depth and objective criteria and detail to their analysis.  Where is it? I am unable to reconcile how Gartner came to this place yet again.   It is like Gartner is playing mind games with me – intentional infliction of emotional distress.

GRC.  I take it seriously.  The GRC market is something I have been tending and caring for since February of 2002 in my early days at Forrester.  I have watched the market for GRC solutions, services, and content grow and mature.  I watched it grow in GRC 1.0 (2002-2006) as it grappled with SOX and internal controls but yet I knew it was going to do much more than that.  The breadth was apparent in the Forrester GRC Wave that I wrote and and it grew rapidly into GRC 2.0 (2007-2012).  In the second Forrester Wave it had advanced so much there were four separate Wave graphics as it could not be contained and represented in just one two-dimensional graphic any longer.

Then it happened – the separation.  Forrester and I parted ways six years back.  The GRC market (which is technology, services, and content that supports GRC strategy and processes) became a joint custody arrangement between Forrester, Gartner, and myself.  I continued to see that GRC is a broad market with a lot of segments and sectors within those segments.  The proper way to understand the GRC market is as an ecosystem of offerings and as a GRC architecture within a specific organization and not as a single platform. However, the other custodians – they kept GRC back into one two-dimensional graphic.  Where I used four graphics before leaving Forrester, Forrester went back to a single graphic.  Gartner did the same, but worse.  While Forrester objectively tries to model GRC in a way that is transparent and publishes the criteria and scores used, Gartner simply states here is the grade I think you should have and gives us no transparency into how GRC solutions are objectively measured.  There is a lot of truth to the Magic Quadrant being Magic – it is beyond our comprehension.

This is my third rant against Gartner on GRC Magic Quadrant.  For the past four weeks I have been pursued by many to respond to the new version released in September 2013.  I guess I have a loyal following of GRC groupies that are crying foul, down with injustice to GRC!  I struggled with responding yet again. I do not want a reputation as an aggressor – it does not interest me.  However, I am an idealist to the core and have a soft heart for the mistreated and maligned . . . so I lay awake late into the night fretting over Gartner and their 2013 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms.

For those interested in the historical back and forth, my previous rants are:

In all fairness, I do really like French Caldwell.  He is a very gracious nemesis and we have some great discussions.  While we debate, and at times collaborate, he is always very engaging and polite.  I tell myself it is not French it is Gartner and their confounded approach and process to the Magic Quadrant.  That allows me to continue to be cordial and attempt to be half as gracious as French is toward me when my hackles are raised and I am screaming at the injustice done to the GRC market.

There is a lot I would like to say about vendor positioning in the Magic Quadrant, but most of it I will not.  Perhaps if you take me out for pint in a nice British Pub (going to London next week) you will get the depth of my thoughts with the dirt and praise on specific vendors.  I hold back particularly because I accuse Gartner of not showing objective criteria and scores that map vendors on their graphic and would be doing the same if I tell you where vendors should be positioned and do not give you specific criteria and scores.  While I provide my commentary below, I will be agnostic when it comes to specific vendor names.

My grievances with the 2013 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms are:

  • Consistency.  When you read the strengths and cautions on the vendors in the MQ and know these products personally as an analyst you see issues.  For example, when one (actually a few) is beaten up because a few clients have referenced implementations greater than six months yet several in the Leaders quadrant have implementations on a regular basis greater than a year and some for over two years – we are not comparing apples to apples.  One RFP I assisted with selected a prominent Leader against my recommendation.  I specifically told them the Leader does some good things but they will come in well over budget and well beyond their six month implementation plan.  Two years later . . . guess what, still rolling out and way over budget.  Or consider when I have to tell attendees (from three different organizations) at my GRC workshops (recent) to stop complaining about their GRC solution (again in the Leaders) because they keep turning the workshop into a gripe session about the vendor’s missed expectations, length of implementations, being over budget, and the amount of staff and services needed to maintain what they were told was so simple and easy to configure.  It irritates me as this gets referenced as a caution for some, with an implication that it lowered their score, but for the greatest offenders it does not appear to be an issue.  And some get dinged for just over a six month implementation as opposed to years for others. I do not get it.  I want transparency in the MQ.  
  • Where’s the Beef?  One would assume that Gartner assesses solutions against a defined set of required functionality (that is the assumption and very words of my friend Norman Marks in his rant with Gartner).  It would be nice to believe – but I am not sure it is true. Honestly Gartner, give us details.  Yes, this goes back to the transparency point.  This is a huge market with billions being spent.  Organizations are making huge financial commitments to solutions based on this two-dimen
    sional diagram.  How do they stack up? The MQ states solutions were evaluated around risk management, audit management, compliance and policy management, regulatory change management, and incident or case management.  That isa great; they are in my taxonomy of the GRC market along with more.  Gartner, tell us who is better at each of these and why?  I cannot find any detail on how one vendor is better at risk against another.  I cannot find any real detail on how one vendor is better at a range of GRC areas against another.  So what does your MQ really prove?  This is wrong.  I can tell you who is better in risk management, audit, or any of these areas whether you were looking for just that solution area or or a GRC implementation that combines these areas.  Gartner it is your bloody report; you give us a misleading graphic and no details to back it up.  Forrester gives you a spreadsheet with all of the criteria and scores so you can see how vendors score in different areas.  This alone makes the MQ not only useless but also absolutely dangerous. Gartner, show us the criteria you measured, the grading scale used , and the scores for each criteria given to each vendor!  Forrester does it.  The MQ is rubbish without this.  I challenge you to be transparent.  Good grief, the price organizations pay for your research you would think the depth of criteria and scoring would be made available.
  • Depth.  I challenge you, my reader, look at the breadth of areas that Gartner states it covers in the MQ:  risk management, audit management, compliance and policy management, regulatory change management, and incident or case management.  The Gartner MQ for GRC gives vendors a few hours to demo their solution to cover all these use case areas.  Gartner, you cannot be serious?  I myself could not do justice to the market presenting a comparative ranking of vendors with just a few hours to demo all these areas together.  Two hours in just one of these areas would not be acceptable – particularly when it impacts a market that is over a billion dollars and this is the go to report for decisions on who to engage.  How does Gartner do it?  It must be all the time Gartner analysts spend up on those ivory towers where they are endowed with unnatural wisdom from on high and gives them amazing ninja like perception abilities to distinguish solutions in a short demo covering the range of use cases.  That must be why they call it Magic as Gartner analysts are really omniscient beings from another dimension. 
  • Fairness.  In fact, I challenged French in person at a vendor conference in Las Vegas last spring on the issue of expecting vendors to cover all of these areas in a short demo and basing a MQ that is the key report by which organizations make significant spending decisions.  He said that is the way it works and that GRC vendors have all year to engage him through strategy days to show the depth of their offerings in these areas.  That is a serious issue of fairness.  There is an unfair advantage toward those willing to fork out the $10,000 to $15,000 a day to educate Gartner on their offerings that others in the Magic Quadrant do not do and some do not have the means to do.  Some of this cannot be prevented as vendors seek to gain Gartner’s insight.  However, the playing field can become much more fair by allowing vendors a half-day to a full-day to go through their GRC solution.  For what Gartner makes from reprints vendors pay to distribute the MQ you think they would invest more time with each solution to go deep into it.  Perhaps Gartner would uncover that some in the Leaders quadrant have issues with normalization and aggregation of risk in an enterprise perspective.  That some may have issues with the complexity of their platform and how much time it takes to configure.  Or how weak one of the existing Leaders is in risk analytics and modeling.  Perhaps they may even discovered what they were told was functionality in the system and the demo they saw was smoke and mirrors and not reality in functionality.  
  • Breadth.  Vendors with the broadest use cases covering things like product quality, environmental monitoring, health and safety, legal matter management, 3rd party GRC (vendor/supplier), global trade compliance, automated controls, corporate social responsibility did not seem to have the breadth of these GRC offerings considered.  Some of the Leaders do not have as much breadth of GRC coverage as solutions in other quadrants.  Even in the Leaders quadrant solutions with broader use cases and functionality seem to have not faired as well.  There appears to be a biased toward a field of dreams approach in which solutions that promise to be all things to all organizations and anything can be built and configured on the platform get rated higher than vendors that have working real-world solutions with domain expertise and industry depth for addressing a variety of challenges that do not have to be built or configured (but are still highly adaptable).  How is Gartner handling diverse GRC scenarios? Success in a few functional areas is great, but there any consideration for breadth of use across a range of functional areas? And depth of use getting into content and industry specific needs?  This is critically important as organizations are headed towards an integrated GRC architecture.  Some Leaders seem to have a narrow focus in specific solution areas, yet they appear to be the strongest “broad” GRC platform in the MQ, which they are not. I also do not see proper evaluation of content integration as a factor of consideration in GRC offerings, particularly depth of content across compliance and risk areas.
  • Requirements to play.  Another sore point I have is Gartner’s requirements to be in the MQ.  There are a lot of very capable GRC solutions that would love to be in the Magic Quadrant but will never get in because they do not fit Gartner’s specific mold of GRC or they do not meet the every increasing ceiling of requirements.  To get in you a vendor has to have a solution that delivers across compliance, risk, and regulatory change management as a minimum (interesting, I see regulatory change management as part of compliance).  They need to have at least $12 million in revenue, one-hundred or more customers with live implementations, reference customers for corporate governance activities (seriously, I would like to know how many board members or corporate secretaries Gartner actually talked to though Gartner in the MQ relates ERM and financial reporting compliance as governance), be in multiple industries with a worldwide presence.  That simply means only large GRC players will be represented in the MQ.  And very capable GRC solutions that are new and innovative, operate in just one geography or industry, and have good traction and are growing but have not hit the right level of customers or revenue will not be considered.  This cuts out some really great solutions that end up not getting to the decision table because Gartner did not include them.  This ends up with very frustrated organizations that come to me and ask about solutions to meet their specific industry challenges.  I had a tier 1 bank tell me that they did not think Gartner could spell FCPA because every time they asked about it they were sent the Gartner GRC MQ and Gartner could not interact with them on solutions to address FCPA specifically (which every solution in the MQ would tell you they do).

Honestly, the Gartner GRC Magic Quadrant really does not provide what is needed to make business decisions on GRC solutions.  It is not complete, is not consistent, and has issues.  The best use for it I have found is to start a fire in my fireplace on this cool autumn day.  Sorry French, I know it is a lot of work.  The whole process seems like a reality show for GRC . . The Gartner Bachelor with a bunch of GRC solution providers in a beauty contest trying to pull off t
he slickest short demo (remember just a few hours) to woo the Gartner Bachelor.  I say roll up the sleeves and get involved in the solutions, build relationships, be easy to approach and engage, interact on a detailed basis.  Go deep.  

Let’s now see if I can get some sleep tonight . . .

 

Measuring the Integrity of the Organization

Compliance and ethics is not the same today as it was a few years ago. The forces shaping compli­ance are likely to continue to influence the trajectory of compliance and ethics for years to come. In the past, compli­ance was distributed and disconnected. The relationship of ethics to compliance was inconsistent. Organizations may have had a centralized compliance function to manage critical compliance issues bearing down on the business, but compliance in reality was fragmented and distributed with highly redundant approaches tax­ing the business. This resulted in a maze of processes, reporting, and information. Each department relied on doc­ument-centric and manual ap­proaches that did not integrate, and compliance professionals spent more time managing the volume of documents than it did actually managing compliance. There were inconsistent formats for policies and procedures, is­sue/incident reporting, and as­sessments.

Like battling the multi-headed hydra in mythology, these redundant, manual, and document-centric approaches were ineffective. As the hydra grew more heads of regulation, ethical challenges, and obligations, the scattered compli­ance approaches became overwhelmed and exhausted and were losing the battle. These problems led to a reactive approach to compliance, with silos of compliance failing to coordinate and work together. This increased inefficiencies and the risk that serious matters could fall through the cracks. Redundant and inefficient pro­cesses led to overwhelming complexity that slowed the business, even as the busi­ness environment required more agility.

Compliance and ethics today is in the midst of transformation. The pressure on organizations is requiring us to rethink our approach to compliance. This new approach is focused on what OCEG calls Principled Performance: “The reliable achievement of objectives, while address­ing uncertainty and acting with integrity.”

Compliance is evolving to focus on the integrity of the organization. Compliance and integrity is becoming how we do busi­ness as opposed to being an obstacle to business. Compliance operations become federated to overcome inefficiencies of the decentralized approaches of the past. This requires a centralized coordinating role for compliance while working with federated compliance functions throughout the business. Orga­nizations are looking to monitor and measure integrity of the organization through information, activities and processes coordi­nated across the organization.

These trends point in one clear direction: a compliance architec­ture that is dynamic, proactive, and information-based. That is, a new model for ethics and compliance that:

  • Is aligned with stakeholder demands for transparency and accountability;
  • Functions as a strategic partner with executives and aligns with organiza­tion strategy and values;
  • Takes full advantage of emerging technologies to improve efficiencies;
  • Provides an easy-to-use and engag­ing interface to get information and participate in compliance process; and,
  • Measures integrity through an inte­grated framework of metrics.

The result is an approach to ethics and compliance that not only delivers demonstrable proof of compliance effectiveness, but at the same time shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-look­ing. This shift enables compliance to mon­itor integrity by processing and managing metrics across the organization in the con­text of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.

Through an integrated compliance architecture the organization will have an optimized infrastructure to report on metrics, benchmark integrity, and under­stand compliance in the context of busi­ness strategy and execution. Measuring integrity requires that the organization have clear insight into metrics support­ing the development and communica­tion of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these sys­tems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.