8 – Managing risk in social networks, OpenQ’s SafeGuard™

The 2013 GRC Technology Innovator awards were filled with competition. The number of submissions more than doubled over 2012: with 57 submissions, there were only twelve slots for winners. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 8 is OpenQ’s SafeGuard™ which showed technology innovation for managing risk in social networks. 

OpenQ’s SafeGuard™ addresses the risk of social technologies in regulated industries that have held back from using social technology because of GRC concerns. SafeGuard can be used with any social platform and is currently integrated into more than a dozen platforms. It monitors risk from interactions over social networking platforms in regulated industries to enforce corporate policy and regulatory compliance. SafeGuard collects and analyzes data, identifying levels of risk and enabling personnel to address any issues with its workflow-driven remediation capabilities. The product analyzes internal social data streams and external social media to identify, quarantine and enable management of risk. There are similar products on the market that rely on keyword searches; SafeGuard’s social compliance technology, by contrast, uses a policy/signature-driven approach, similar to that of antivirus software, which can adapt to industry and company needs. It is the first and only product for policy-driven social compliance in the health, life science, and financial services ecosystems.


9 – Advancing GRC mobility, Blackthorn's CaseNotes

Number 9 is Blackthorn CaseNotes which showed technology innovation for advancing GRC mobility.

Supporting GRC activities on the move, Blackthorn CaseNotes is one of the most feature-rich GRC mobile apps available. It enables specialists in a range of GRC fields to collect and manage information. Forms are created and published via a web portal to CaseNotes, completed by the mobile user online or offline, and then sent back to the server for recording and analysis. CaseNotes enables mobile GRC specialists to take contemporaneous notes, complete forms, and associate photos, videos, audio recordings and scanned barcodes with each GRC activity they are managing (e.g. cases, incidents, assessments, audits, reviews). What makes it different from other note-taking apps is that it uses encryption and hashing to give evidential integrity to the notes, making it suited to uses where accountability, positive assurance and legal admissibility matter, while fully supporting a mobile workforce that works both offline and online.


10 – From GRC idea to “there's an app for that,” Compliance Assurance Corporation’s Compliance Idea eXchange

Number 10 is Compliance Assurance Corporation’s Compliance Idea eXchange (CIE), which showed technology innovation for its ability to move from GRC idea to “there's an app for that.”

Compliance Assurance Corporation’s Compliance Idea eXchange (CIE) enables its clients to drive innovation, with a particular focus on GRC in the insurance vertical. Clients define and model new applications that are then made available as applications to other clients. Client innovations are referred to as ideas that are turned into Apps. The Apps are embedded into the Idea eXchange interface, allowing other CODE users to find, share, and execute value-added Apps. The Idea eXchange functions for GRC much as Apple’s App Store does for consumer software. CIE gives GRC professionals the ability to “mold” the platform to solve challenges in a variety of relevant domains. The eXchange provides a platform where these new, innovative ideas can be shared and reused by other companies. It empowers clients to harness their own innovative ideas and concepts and transform them into real-world business and compliance process improvements. What sets this approach apart from similar efforts in the past is the depth of focus of its apps and content on the insurance vertical specifically.


11 – Advancing GRC analytics, SAP's HANA Analytics Foundation for SAP GRC Solutions

Number 11 is SAP's HANA Analytics Foundation for SAP GRC Solutions which showed technology innovation for advancing GRC analytics. 

In the era of ‘Big Data,’ SAP HANA Analytics Foundation for SAP Solutions for GRC shows innovation in addressing the burgeoning velocity, volume, and variety of governance, risk and compliance (GRC) data in the enterprise. The SAP HANA® platform leverages in-memory data to speed analysis of large volumes of data and provide insight. SAP HANA speeds the process of gathering, analyzing, and reporting, and creates new opportunities for cross-system GRC and business analytics. It allows for complex analysis by aggregating thousands or even millions of pieces of data across systems, a task that used to have to run overnight or during off-hours. One example of the value of SAP HANA is in fraud analytics: in-memory technology allows an entirely new approach to fraud detection, prevention and management, providing insight into fraud, waste, and misuse so that companies can take action before damage occurs. SAP HANA enables fraud detection in quasi-real-time and can stop transactions from proceeding to avoid loss. It significantly improves the accuracy of fraud identification by reducing the number of false positives and the investigation team’s workload, and it leverages predictive analytics to analyze potential fraud scenarios and adapt to changing fraud patterns.


12 – Efficiencies in reporting, ControlPanelGRC’s AutoAuditor

Number 12 is ControlPanelGRC's AutoAuditor which showed technology innovation for efficiencies in reporting. 

ControlPanelGRC’s AutoAuditor enables companies to be in a state of continuous audit readiness by automating manual reporting processes, and through its intuitive design AutoAuditor adapts to each company’s specific reporting demands. This turnkey solution automates repetitive report generation and pushes the report output to the appropriate business or risk owners for review. Because it requires no additional training or tedious setup, once installed AutoAuditor pushes reports directly to the people who need them rather than waiting for reports to be pulled. With AutoAuditor, preparing for an audit no longer has to be a major cause of stress that requires internal teams to spend weeks researching reports, collating spreadsheets and manually tracking down paper reports buried in filing cabinets. Business or risk owners perform the value-add step of reviewing the output, and the workflow engine captures the sign-off and exception documentation. This automatic check-and-balance system not only pushes the necessary report on cue but also records the mandatory review, which is then automatically saved as future audit evidence. Value is achieved in eliminating human error, missed analysis opportunities, and, consequently, the possible penalties that follow when processes are not executed on a timely basis.


The GRC Mystery House

Governance, Risk Management, and Compliance – every organization does it.  There are variations in the opinion of what we call GRC.  Some like it and some do not.  Some use the term ERM in much the same way I use the term GRC, others may call it something else or not even have a name for it.

My position is that every organization does GRC. You will not find an executive in an organization who will tell you they do not govern the organization, do not manage risk, and do not comply with obligations and policies. The components of GRC are in every organization. They may be ad hoc, fly-by-the-seat-of-your-pants approaches, or they may be very mature and integrated. The question is not whether you do GRC but how mature your GRC practices are, whether you call it GRC or something else. GRC, using the only definition in a publicly vetted standard (OCEG’s GRC Capability Model), is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

Mature GRC practices involve architecture: a design that integrates and leverages risk and the disparate processes, information, and technology involved. It is not about a software vendor who provides Enterprise GRC; that may be a component and part of it, but on its own it does not mature GRC. Most organizations have multiple GRC technologies, information sources, documents, and processes. Sometimes these work together in harmony, producing mature GRC; at other times the picture is broken and fragmented, leading to redundancy, inefficiency, and failures.

Most organizations suffer from immature GRC architecture. They remind me of the Winchester Mystery House in San Jose, California. This house was built in the 1800s at excessive cost with no overall design or architect. In fact it had 38 builders and no blueprint. In the end it has 160 rooms, 47 fireplaces, 6 kitchens, 10,000 windows, 65 doors that open onto a blank wall, 25 skylights in floors rather than ceilings, and 13 abandoned staircases that go up to nothing (or perhaps down to nothing).

This is the reality of immature GRC in many organizations. The confusions of the Winchester Mystery House are all there: 160 different assessment formats; 47 different policy formats; 6 different risk frameworks/taxonomies; 10,000 documents and spreadsheets; 65 risk and compliance management report formats; and 25 different technologies ranging from spreadsheets and custom-built risk software to commercial solutions. This is a reality for large organizations. One financial services firm I worked with last year on GRC technology strategy mentioned that they had thousands of documents and spreadsheets for risk and compliance assessments, along with a variety of technologies in place. A hospital chain told me they had over 18,000 policies that were highly redundant across nearly 30 hospitals, each with its own risk and compliance programs. An international financial services and insurance firm told me the lines of business were screaming at them because of the number of risk and compliance assessments and their differing formats.

To solve this, organizations need to understand the maze of GRC processes, information, and technologies in place and architect an approach that brings greater effectiveness, efficiency, and agility to the business. Your GRC architecture should align with your enterprise architecture and fit the way the organization operates.

As we look ahead at 2013 – how are you going to make GRC processes more effective, efficient, and agile?

The Titanic: An Analogy of Enterprise Risk

As we close out 2012, let us roll the years back from 2012 to 1912. One hundred years ago came the disaster of the Titanic. What can we learn from it today?

I have been told that Captain E.J. Smith stated before the Titanic set sail, “Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”  In fact, the newspapers ran with headlines that stated UNSINKABLE.

What went wrong with the Titanic?  Yes, it hit an iceberg.  What truly went wrong?  The lessons we learn from the Titanic can help us understand and make a case for enterprise risk management today.  I do not claim to be a Titanic historian or expert, but in my limited understanding I have identified the following things that went wrong:

  • Overconfidence.  The strategy and design of the ship led to overconfidence – the first “too big to fail.”  Not only with the Captain, but with the media/press and everyone else involved.
  • Health and safety.  To my knowledge the Titanic was fully compliant with the health and safety requirements of the day – yet the fact remains that there were not enough life preservers and lifeboats for the number of passengers on board.  There was time to get off the boat – but there was no place to go.
  • Design.  I understand that the propeller and rudder were too small for the massive size of the ship, which limited its maneuverability around objects.
  • Quality.  There is speculation that the iron ore in the rivets was of inferior quality.  The rivets that held the seams of the ship together were weak; when it struck the iceberg the gash opened and the ocean waters flooded in.
  • Ignorance.  There were warnings of icebergs in the area that were communicated to the Titanic.  The response from the Titanic was, in effect, SHUT UP, we are tired of hearing about it.
  • Inattention.  It is understood that someone on watch was not paying close attention, which brought them face to face with disaster.
  • Strategy.  I have read that the Titanic was designed to stay afloat with four compartments flooded.  They were headed toward the iceberg dead on and decided to turn and hit it on the side.  Had they hit it head on, only two compartments would have flooded.  When they hit it on the side, six compartments flooded.

Address any one or two of these bullets and we may never have had the disaster of the Titanic.  Each contributed to the loss and tragedy that history brings us.  Business today is very much like the Titanic.  We manage risks within processes and silos.  In the end we fail to see the interconnectedness of risks across the organization that can lead the organization to disaster.

The Titanic was a complex operation.  Business today is complex but also distributed and requires a strong enterprise risk management strategy.  One that sees the big picture but can also get down into the “coal face” of the business.  One that can show the relationship of risk and provide analysis at a strategy view as well as specific process or departmental view.  We need to understand the breadth and depth of risk in the context of strategy and operations of the business.

As you enter 2013 and are finalizing your strategic plans, have you thought about the range of risks to those plans?  How integrated is risk management with strategic planning?  How integrated is risk management with business operations?  Will you be caught by surprise because you failed to see how risks in different parts of the organization can work in concert to bring disaster or failure to meet objectives?  I am anxious to hear your thoughts on risk management.

Improving Policies Through Metrics

Thank you for joining me on this journey through Effective Policy Management. Today we come full circle and bring the effective policy management process to closure.

Let’s review where we have been. The first illustration and roundtable introduced the topic of why policies matter and my Effective Policy Management Lifecycle. Each illustration after that took us through the stages of the lifecycle:

  1. Tracking Change That Impacts Policy
  2. Policy Development and Approval
  3. Policy Communication and Training
  4. Policy Implementation and Enforcement

And now we turn our focus on to the final stage: 5—Policy Measurement and Evaluation.

It is unfortunate that many policies are written and then left to slowly rot over time. What was a good policy five years ago may not be the right policy today. Those out-of-date but still existent policies can expose the organization to risk if they are not enforced and complied with in the organization.

Effective policy management requires that the policy lifecycle have a regular maintenance schedule. My recommendation is that every policy goes through an annual review process to determine if the policy is still an appropriate policy for the organization. Some organizations rank their policies on different risk levels that tie into periodic review cycles—some annually, others every other year, and others every three years. In my opinion, best practice is for every policy to undergo an annual review.

A system of accountability and workflow facilitates the periodic review process. The policy to be reviewed gets assigned to the policy owner(s) and has a set due date for completion. The decision from this review process will be to retire the policy, keep the policy as it is, or revise the policy to meet the current needs and obligations of the organization.

Policy owners need a thorough understanding of the effectiveness of the policy. This requires the policy owner have access to metrics on the effectiveness of the policy in the environment. Some of the things that the policy owner will want to look at are:

  • Violations. Information from the hotline as well as investigation systems to determine how often the policy was violated. The data from these systems indicate why it was violated—lack of awareness, no training, unauthorized exceptions, outright violations.
  • Understanding. Completion of training and awareness programs, policy attestations, and related metrics show policy comprehension. Questions to a helpdesk or compliance department uncover ambiguities in the policy that need to be corrected.
  • Exceptions. Metrics on the number of exceptions that have been granted and the reasons they were granted. Too many exceptions indicate that the policy is inappropriate and unenforceable and needs to be revised.
  • Compliance. At the end of the day the policy needs to be complied with. Any controls that the policy governs and authorizes and the state of those controls is to be reviewed by the policy owner to determine policy effectiveness.
  • Environment. The risk, regulatory, and business environment is in constant change. The policy may have been written to address a state that no longer exists. Changes to the business (e.g., mergers/acquisitions, relationships, strategy), changes to the legal environment (e.g., laws, regulations, enforcement actions), and changes to the external risk environment (e.g., economic, competitive, industry, society, technology) are to be reviewed to determine if the policy needs to change.

When a policy does change it is critical that the organization be able to keep a history of the versions of the policy, when each was effective, and the audit trail of interactions around the policy. The audit trail is used to present evidence of effective policy management and communication, and includes a defensible history of policy interactions on communications, training, acknowledgments, assessments, and the related details needed to show the policy was enforced and operational.
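The review cycle and version history described in this post can be modelled directly. The following is an added example, not code from the original post or from any product it mentions: a small policy register in which each policy has an owner and a risk-level review cycle, a review ends in one of the three decisions above (retire, keep, revise), and every interaction is appended to a hash-chained audit trail so that the version history is tamper-evident. The policy ids, owners, dates and texts are constructed sample data, and the three-tier cycle (annual, every other year, every three years) follows the post's own description.

```python
"""Added example (not from the original post): a policy register with a
risk-level review cycle, three review decisions, version history and a
hash-chained audit trail. All ids, owners, dates and texts are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cycle per risk level: annual, every other year, every three years.
REVIEW_CYCLE_DAYS = {"high": 365, "medium": 730, "low": 1095}
DECISIONS = ("retire", "keep", "revise")


@dataclass
class PolicyVersion:
    number: int
    text: str
    effective_from: date
    effective_to: date | None = None  # None while this version is current


@dataclass
class Policy:
    policy_id: str
    owner: str
    risk_level: str
    last_reviewed: date
    versions: list[PolicyVersion] = field(default_factory=list)
    retired: bool = False

    def current(self) -> PolicyVersion:
        return self.versions[-1]

    def review_due(self) -> date:
        return self.last_reviewed + timedelta(days=REVIEW_CYCLE_DAYS[self.risk_level])


class AuditTrail:
    """Append-only log; each entry commits to the SHA-256 of the previous one."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when: date, actor: str, policy_id: str, action: str, details: str = "") -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"when": when.isoformat(), "actor": actor, "policy_id": policy_id,
                "action": action, "details": details, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; an edited or dropped entry breaks the chain."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PolicyRegister:
    def __init__(self) -> None:
        self.policies: dict[str, Policy] = {}
        self.trail = AuditTrail()

    def publish(self, policy_id: str, owner: str, risk_level: str, text: str, effective_from: date) -> Policy:
        p = Policy(policy_id, owner, risk_level, last_reviewed=effective_from,
                   versions=[PolicyVersion(1, text, effective_from)])
        self.policies[policy_id] = p
        self.trail.record(effective_from, owner, policy_id, "published", "v1")
        return p

    def policies_due(self, today: date) -> list[str]:
        """Ids of live policies whose review cycle has elapsed, earliest due first."""
        due = [p for p in self.policies.values() if not p.retired and p.review_due() <= today]
        return [p.policy_id for p in sorted(due, key=Policy.review_due)]

    def review(self, policy_id: str, reviewer: str, decision: str, today: date,
               new_text: str | None = None) -> Policy:
        if decision not in DECISIONS:
            raise ValueError(f"decision must be one of {DECISIONS}")
        p = self.policies[policy_id]
        if p.retired:
            raise ValueError(f"{policy_id} is already retired")
        p.last_reviewed = today  # every decision restarts the review clock
        if decision == "retire":
            p.retired = True
            p.current().effective_to = today
        elif decision == "revise":
            if not new_text:
                raise ValueError("revise requires the new policy text")
            p.current().effective_to = today  # close the old version's effective window
            p.versions.append(PolicyVersion(len(p.versions) + 1, new_text, today))
        self.trail.record(today, reviewer, policy_id, f"review:{decision}", f"v{p.current().number}")
        return p
```

`policies_due` is the worklist that drives the assignment and due-date workflow the post describes; `AuditTrail.verify` is what an auditor would run over the exported trail to confirm no entry was altered or removed after the fact.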

What is risk management?

Risk management is maturing, but as a result needs to be understood correctly and reminded that it does not rule the roost.

I have three teenage boys (19, 18, and 16).  At times my boys get too big for their britches and need to be reminded what the pecking order is.  It does not mean they are less loved or less valued – they just need to understand context and where they fit.  As with any child becoming an adult, they like to challenge authority: to think that they are in control and operate as the center of the universe.  After all, they know more than Mom and Dad.

My concern with risk management is that many (not all) risk professionals are trying to redefine risk management to make it something broader than it actually is.

There was a great article on risk management published by Harvard Business Review in June 2012, “Managing Risk: A New Framework” written by strategy guru and balanced scorecard co-creator Richard Kaplan and his colleague Anette Mikes.  The argument is that there are fundamental differences between traditional risk management focused on preventable risks and risk management for strategy and external risks.  What caught my attention was the concluding paragraphs, which stated:

  • “Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the “can do” culture most leadership teams try to foster when implementing strategy. . . . Moreover, mitigating risk typically involves dispersing resources and diversifying investments, just the opposite of the intense focus of a successful strategy. . . . For those reasons, most companies need a separate function to handle strategy- and external-risk management. The risk function’s size will vary from company to company, but the group must report directly to the top team. Indeed, nurturing a close relationship with senior leadership will arguably be its most critical task; a company’s ability to weather storms depends very much on how seriously executives take their risk-management function when the sun is shining and no clouds are on the horizon. Risk management is nonintuitive; it runs counter to many individual and organizational biases. . . . Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.”

For the record, I completely agree with these statements from Kaplan and Mikes. Risk management is maturing and the organization needs to make a proper place for it.  Just as my sons are looking to the future and going to college – I fully support them and want to see them fulfill what they have been called to do and contribute to society.

There are three lessons that I think risk management needs to learn:

  1. Risk management does not equal strategy management.  I posted an excerpt of the HBR article to several LinkedIn groups to seek perceptions.  The response from some was that “strategic management = risk management.”  This is a mistake.  Strategy management is broader than risk management.  Yes, risk management is part of strategy management, but it does not equal strategy management.  My fear is that we are putting the cart before the horse.  To keep it to an equation, “strategy management > risk management”: strategy management is greater than risk management.  The two are not synonyms, though good strategy management will contain risk management.
  2. Risk means there is a downside.  In order to have a risk there has to be potential for a less optimal outcome.  That is where I think ISO 31000 confuses many on the subject of risk and strategy management.  ISO 73 and 31000 define risk as the “effect of uncertainty on objectives.”  A more accurate understanding is that risk is an event or condition that creates a state where undesirable effects may be possible.  Risk management is the act of managing processes and resources to address risk while pursuing reward.  I am all for simple and straightforward definitions, but in this case I think ISO simplifies the definition too far.
  3. Strategic risk management requires different paradigms.  Much of the confusion on risk management is that risk in many organizations was buried in the bowels of the organization.  It was not an executive function.  It has been focused on insurable risks, threats, and hazards.  It was focused on preventable risks.  With growing awareness that we need formalized strategic risk management many have leapt to think that how risk is managed in the depths of the organization is how strategic risk is managed.  They are different – and require different mindsets.

At the end of the day, we need to understand that risk management is maturing.  But risk management from the top-down is not the same as how we have historically understood risk management. How we manage threat and hazard risks is different than how we manage strategic risk.  We have always managed risk as part of strategy – but it is becoming more formalized and needs a real seat at the strategy table.  However, this does not mean that risk rules those gathered at the table.  It is simply part of it.

I am anxious to hear your thoughts on the subject, though before you grill me – I would encourage you to read the HBR article.

Concluding the GRC Analyst Rant

If you have been following my posts, you will know that I created a firestorm of discussion on: Rethinking GRC, Analyst Rant, Gartner’s 2012 EGRC Magic Quadrant.  If you go to that link you will see the range of comments – many anonymous – on the topic.

French Caldwell, who continues to be a gracious and friendly nemesis (it is interesting to be able to call someone a nemesis and friend), posted a response on his blog Oh Michael — Your Rant . . . 

October and November got me caught up in a whirlwind of activity and thus I am a month late in responding.  But I owe my followers a response.  Here it is . . .

My point of view is that Gartner and Forrester have the incorrect view of the GRC market.  More effort needs to be put into modeling the variety of niches of the GRC market and focus on GRC as an architecture that brings different pieces together.  My findings are that 86% of the market spending is on organizations looking for GRC software to solve specific issues or enhance department level processes.  Only 14% of the spending is on what we call Enterprise GRC.  Organizations looking for GRC software often turn to the Gartner and Forrester reports to build their shortlists and find to their discouragement that they do not provide the detail to make decisions on GRC software specific to their challenges.  Basically, the depth of research provided by Gartner and Forrester in GRC is lacking.  The industry needs GRC technology research that is broader and deeper. In fairness, French points out that EGRC is just one aspect of his view of the market.  Unfortunately, it is the EGRC MQ that many turn to because they have nothing else that goes into depth in these various niches.

When it comes to a comparison of the Gartner Magic Quadrant and the Forrester Wave – the Wave beats the Magic Quadrant hands down.  The Wave process is a more thorough process and the criteria are deeper and published.  Organizations can download a spreadsheet of all of the criteria, the weighting of each criterion, and how the vendors were scored based on the weighting.  Full transparency. But the Forrester GRC Wave does not go into sufficient detail in domains of GRC technology and it is not kept current.

French, in his response, told me I was inflating the point on transparency of criteria.  Sorry French – I do not see it.  Yes, you give some high-level criteria and weightings – but this is not at the depth Forrester provides in the Wave.  It is so rolled-up and surface-level that it is really useless.  It does not go into specific features to look for and how vendors are scored on those features for the areas you bring forth, such as risk management, compliance management, audit management, policy management, and regulatory change management.  Despite some high-level and inconsistent comments in the MQ, the reader gets no idea how vendors rate in each of these GRC technology functional areas.  The reader is clueless as to which vendors are better in policy management than in risk management – or which vendors have more advanced capabilities in these areas.

In fact, the layout of the EGRC MQ completely boggles my mind.  There are nine leaders, and many of those leaders are not leaders across the areas of risk, audit, compliance, regulatory change, and policy management.  It boggles my mind as you look at the leaders, and it is apparent that Gartner is comparing apples and oranges in capabilities – they are not comparing them by the same criteria to get into the Leaders Quadrant.  Only a handful of the nine have robust capabilities across all of these areas – yet they are tagged as leaders.  My only explanation for this is that a Leader in the Gartner MQ is a large, stable technology player in the GRC market with a major brand or market momentum behind them – and not a leader based on the functionality of their product.  There are some in the Leaders Quadrant that definitely do stand out as Leaders.  However, most would lead only in particular categories of GRC and not across the range of risk, audit, compliance, policy, and regulatory change that French states he is evaluating them by.

French argues that following the two-hour script is justified; vendors have access the other 365 days of the year to argue their points in briefings.  I am sorry, but analysts decide when to accept or decline a vendor briefing – and those are often short and to the point.  The truth is that some vendors get greater access to Gartner and Forrester because they spend a lot on advisory services.  They can show French how great their solutions are and define the agenda by paying $8,000 to $15,000 a day for analyst time (depending on contract).  The Leaders in the MQ are those that spend a lot of money with Gartner to bring analysts onsite, where they are a captive audience for the breadth and depth of their features.  Many in the Leaders Quadrant do this on a quarterly basis.  Meanwhile, smaller vendors get a half-hour or one-hour vendor briefing call once or twice a year, as they do not have the budget to engage Gartner or Forrester.  The result is analysts who know the larger vendors’ products more intimately.  The playing field is not even.  I am not accusing French or any analyst of stacking the deck against vendors that do not spend money with them.  I am simply stating that your script process is broken.  The players that spend a lot on advisory time with you have an unfair advantage because they have perhaps a few dozen hours or more of time worked with you over the past year to go off script.  To level the playing field, each vendor should have at least four hours of demo time, with some of it able to go off script.  That is what I did at Forrester when I wrote the first two GRC Waves.  I wanted to know the products intimately and give everyone an equal chance.

Gartner states that they warn companies not to use the MQ alone to build a shortlist of vendors to invite to their RFP party.  They can say this all they want – this is how organizations use the MQ.  As a result, the Gartner MQ is broken.  It does not provide the depth and breadth for organizations to make valid decisions on which vendors best meet their needs.  In fact, I feel it misrepresents the vendors – the advantage is given to the larger established vendors that are marked as leaders, many of which do not have the breadth of functionality covering the areas of risk, audit, compliance, policy, and regulatory change that Gartner states it is comparing vendors against.  How are they leaders, then?  At least Forrester gives you a lengthy spreadsheet that breaks out capabilities in each of these areas and shows how vendors scored at the criterion level itself.  Forrester has a more objective and transparent process.  The issue with Forrester is that it is not current – they do not publish the GRC Wave frequently enough.  The issue with both Gartner and Forrester is that there is not enough detail in specific areas of GRC, such as risk, audit, and policy, to really compare vendors within a GRC technology area, though Forrester provides more detail than Gartner.

The analyst world needs to be re-engineered.  Client relationships should be noted so that the reader can understand conflicts of interest (something that Constellation Research Group is doing).  When a vendor is a client spending money with Gartner, it should be easy to determine this.  Analyst fees need to come down.  Really, $10,000+ a day for analyst time – that is robbery.  The research process needs to be more transparent to the reader – particularly in vendor comparisons: what detailed criteria were used, what the documented analyst findings were for each criterion, and how each criterion was weighted and scored for each participating vendor.

The technology world needs to be unshackled from the approach and cost of the major analyst firms.

Thank you, French, for continuing to be an admirable foe and friend.  I wish Gartner provided you a better framework to operate in so you could excel further in GRC research.  I am sorry that you have to defend broken, non-transparent, and ineffective approaches such as the Gartner MQ.