Category: Blogs

Establishing an Enterprise View of Risk & Compliance

The GRC Pundit BlogPublished onLeave a Comment on Establishing an Enterprise View of Risk & Compliance

 

Success in today’s dynamic business environment requires the organization to integrate, build, and support business process with an enterprise view of risk and compliance.Without a new approach to risk and compliance, the scattered and non-integrated risk and compliance approaches of the past fail and introduce greater risk and regulatory threats to the business.A sustainable enterprise view of risk and compliance is one in which accountability is effectively managed and the business has a complete system of record – providing visibility to assess across a multiplicity of risk and compliance issues. This is supported today by technology that allows for the direct integration of controls within business systems to prevent and/or detect unwanted behavior. Business now requires that governance, risk, and compliance (GRC) controls be integrated into business processes, systems, and applications.

With new risk and compliance issues constantly coming to bear, organizations need to tackle the problem at its roots.Instead of treating each risk and compliance issue as an individual problem (as they have in the past), organizations need to define a common process and technology architecture to manage risk and compliance across the range of issues faced.

The old paradigm of managing risk and compliance is a recipe for disaster. Organizations have been reactive as they used manual or point solutions for risk and compliance while being extremely fragmented in managing risk and compliance as individual efforts that do not relate to a broader risk and compliance. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.The result is complexity, redundancy, and failure.The organization is not thinking how controls and processes can be architected to meet a range of risk and compliance needs – NOR do they gain an understanding on how risk management and compliance control impact corporate performance.An ad hoc approach to GRC results in poor visibility across the organization and its control environment, as there is no framework or architecture for managing risk and compliance as an integrated part of business.

What may seem like an insignificant risk in one part of the organization may very well have a different appearance when other risks are factored into its relationship and impact.Organizations face out-of-sync controls and corporate policies that are inadequate to manage risk and compliance. Organizations fail and are encumbered by unnecessary complexity because they manage requirements, risks, and controls within specific issues and do not look to see how a common integrated framework and architecture can bring efficiency to GRC processes. Further, executives are becoming aware of these redundant risk and compliance projects from different parts of the organizations wasting company time and resources with manual and laborious assessments that fail to leverage technology and information.

Modern business requires a new paradigm in tackling risk and compliance issues across the enterprise.No longer can organizations afford to focus on single risk and compliance issues as unrelated projects and assessment, nor can they allow software band-aids to masquerade as GRC that is not integrated into business systems.A targeted strategy addressing GRC requirements through common processes and integration into enterprise applications gets to the root of the problem. The risk and compliance complexity in today’s business requires a common strategy and architecture to effectively manage GRC. GRC is a three-legged stool:governance, risk, and compliance oversight are each individual but interrelated necessary components for effectively managing and directing an organization. In summary – good governance is built upon diligent risk and compliance management processes.

GRC solutions that operate autonomously from business processes introduce further risk in today’s complex and distributed business environment.Organizations require an enterprise view of GRC that not only brings together silos of risk and compliance, but integrates them into the enterprise process and application fabric of the business.

In today’s business environment, ignoring an integrated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind. Organizations face a complex array of risk and compliance demands impacting business. The more extended and distributed the business – the more challenging risk and compliance is to manage. An integrated GRC architecture aligns them to be efficient and manageable. Inefficiencies, redundancy, errors, and potential risks can be identified, averted, or contained.This reduces risk exposure of the organization and enhances business agility and performance.

Organizations are embracing technology to get away from document centric approaches to GRC that are based on paper, electronic documents, and spreadsheets.Organizations require a GRC architecture that can expand and contract to ever changing business initiatives over time.However, the first generation of GRC solutions have often been limited as they end up being a band-aid to replace spreadsheets and lack true integration into the enterprise application fabric and business processes. A primary consideration is the flexibility of the GRC architecture to enable the identification and resolution of business problems.

Continuously monitoring risk and compliance has become imperative but it’s only cost effective if the organization has a strategic approach to managing controls across risk and compliance initiatives. The business is in an awkward position of reacting to mandates where it should be proactively managing controls and risk.The web of stakeholders with varying risk and compliance requirements appears to introduce a complex tug-of-war with opposing priorities.GRC requirements, risks, and controls have an impact on corporate strategy and performance and need to be monitored as part of an overall corporate performance strategy.

There is significant redundancy in requirements, technologies, and processes across risk and compliance issues impacting the business that can be addressed by a common architecture and process approach to GRC.

Efficiency in risk and compliance processes is achieved through the definition of common processes and integration into the enterprise application environment that different stakeholders can utilize for their individual requirements as well as collaborate and share.A successful GRC strategy is one that has a symbiotic influence on the variety of business stakeholder roles and their common requirements.

Sustainable risk and compliance programs are built upon a common process and technology architecture designed to meet a range of requirements impacting the business.Organizations need to be intelligent about what processes and technologies they deploy – the goal is to define once and comply with many regulations, manage a range of risks, and maximize value from the convergence of technology, people and process.A sustainable approach to GRC results in an organization that is looking to the future and mitigating risk in the course of business as opposed to putting out fires by reacting to risk and control issues as they arise.

Risk and compliance management is complex with numerous individual intricacies and issues ready to frustrate the organization.Organizations that attempt to build a GRC strategy with home-grown solutions, spreadsheets — or islands of technology that do not integrate into the enterprise and processes — are left in the dark and boxed into a view of the world that they will find limiting down the road.

The
case has been laid that the current business environment requires a new paradigm of GRC technology – a platform that spans across the organization and its individual risk and compliance issues, integrates into enterprise applications, becomes an integral part of business processes, brings together a GRC strategy ready to tackle risk and compliance issues at their roots, and is critically linked to corporate performance and strategy.

While comprehensive GRC is much broader than technology – GRC cannot be accomplished without technology.Technology is the foundation of GRC processes and provides the backbone of GRC communication and collaboration.

Getting started on a sustainable GRC strategy requires that the organization get a current assessment of where they are today, what is in place and already deployed, identify redundancies in technology, and find areas that might have been addressed but where the solutions are not scalable or manageable at an enterprise level.The gap analysis is aimed to not only identity the current state but to also help the organization prioritize their roadmap going forward.

One thing is a certain – risk and compliance burdens are not going away.Government regulators continue to influence control upon organization practices through tighter regulation.Business partners are requiring stronger controls within their relationships.The globalization of business introduces significant risk with more points of vulnerability and exposure to the organization.The time is now for organizations to define and implement a sustainable GRC strategy that drives accountability, security, sustainability, consistency, efficiency, and transparency of GRC across the organization.Selecting the right technology vendor that provides the integration and enterprise control of risk and compliance is a critical step that organizations should not take lightly.

This article is an excerpt from my latest written research piece on the topic. Additionally, a corresponding webinar has been posted at OCEG. For those that want the best training on the subject of GRC Strategy and Technology Enablement – see my workshops below. Please comment on this article on the GRC Pundit Blog.

Where is performance & strategy in GRC?

The GRC Pundit BlogPublished onLeave a Comment on Where is performance & strategy in GRC?

Most GRC software as well as GRC implementations are more like RC (without the G). Or just R or just C. Or perhaps Rc or rC. . .

My position for this discussion – we cannot adequately state we are doing the G in GRC unless we are also taking into account business objectives, strategy, and performance. That is what corporate governance is about. Staying within boundaries for compliance, and managing risk plays into this. But the GRC solutions and initiatives do not really do the G.

Thoughts?

We do not need a Chief GRC Officer!

The GRC Pundit BlogPublished onLeave a Comment on We do not need a Chief GRC Officer!

For one thing – that would be too much of an acronym CGRCO. The subject actually came up in a corporate governance discussion group I belong to. Michael Corcoran posted the question “Anybody know of a Chief Governance, Risk And Compliance (GRC) Officer?” and provided a short article in which he was advocating this role.

 
My response . . . I have seen a few individuals with GRC in their title. Though I do not advocate a Chief GRC Officer. The concept of GRC, and what I have been promoting since forming the GRC solution space seven years back, is that GRC is about collaboration and federation. That it does not all roll up into a single reporting structure. The idea is not to replace specific officers/executives with a new role that encompasses them all. The talents of a risk officer, compliance officer, legal/general counsel, audit, finance, IT are all needed to make GRC successful – and their individual roles are not to be diminished. The collaboration is what is important to bring sustainability, consistency, efficiency, transparency, and accountability to GRC related processes.
 
That being stated, and I do not want to appear to speak out of both sides of my mouth, someone does need to lead the GRC strategy that brings the collaboration & communication across these roles together. Otherwise GRC becomes a nice idea that does not move forward. But I do not see this leadership role as an executive that has the other chiefs (CCO, CRO, GC, CIO, CFO) reporting to it – that would diminish their responsibilities/role and would actually hinder GRC as it would remove proper balance and cross-accountability.
 
My two cents – no, we do not want a Chief GRC Officer.

The GRC Technology EcoSystem – Revised

The GRC Pundit BlogPublished onLeave a Comment on The GRC Technology EcoSystem – Revised

 

While GRC is ultimately about collaboration and communication between the business roles and processes responsible for varying risk and compliance functions, there is no doubt that technology has an important role in facilitating this enterprise cooperation.

As a result . . . I am combing my work on the GRC EcoSystem with the second version of OCEG’s GRC Technology Blueprint. Both are going through a revision process to provide a valuable framework to understand the scope and application of technology to meet GRC purposes. OCEG decided to move IT Blueprint into a version 2 to make it more practical and applicable to organizations trying to implement technology to provide an architecture for GRC.

 

NOTE: Your Feedback is Requested!

 

Based on my experience as an industry analyst, I have put together a new high-level framework addressing GRC and its components. Attached to this newsletter you will find a PDF labeled theGRC Technology EcoSystem which is the backbone for the restructuring of the IT Blueprint at this point. Looking at the file you will find at a high level the blueprint is broken into the following areas:

  • Enterprise GRC Architecture/Applications. Represent the solution areas that span risk and compliance roles and processes that organizations can leverage and use as the backbone for a GRC strategy. The technology categories in this area are listed below in brief definition. These solutions are not locked to a single role but something multiple roles/business functions/processes can leverage. I feel this area is fairly solid, but appreciate your feedback.
  • Role specific Applications. This provides a list of GRC related roles within the organization and specific application categories that serve these specific roles. There is still much to be built out in this area and would appreciate your feedback on these specific roles and the application categories that serve them. There are some technologies, such as audit management, that are essential for a strong GRC strategy – but they serve primarily a single role, audit.
  • Industry Specific Applications. It is in this category that applications/technologies aimed at a specific industry vertical are mapped. An example is the several technology providers aimed specifically at helping life sciences companies comply with GxP. Or there are other solutions aimed at Medicare/Medicaid RAC audits. Or NERC in the utility space. This area has a lot that can be built out. I would love your feedback on getting to a standard for representing industries that is not too narrow nor broad. I would also appreciate your feedback and experience on applications focusing on specific industry issues.
  • Geography/Legal Jurisdiction Applications. This is the most rough, and I am not sure how it will be built out. This is the thought that there are specific legal jurisdictions that might require a specific solution for GRC purposes. Thoughts?
  • Technology Architecture Components. This is a listing of feature/functionality that any given product in any of these areas might bring together to deliver a solution. It also may represent the IT platform/architecture tools that organizations can build their own GRC platforms out of if they were not going to invest in a commercial product. As for commercial products, a buyer should be able to evaluate them and identify if such technology components as content management, workflow, and other components are part of the platform being implemented/considered. Of course, varying GRC related solutions (and there are over 500 vendors and 1000+ products in this space) can be utlizied in a variety of technology delivery capabilities such as software as a service, hosted application, or traditional software model.

Now to give you some brief definition to the Enterprise GRC Architecture/Applications, and again I request your feedback and input, they are as follows:

  • Accountability Management. This provides an enterprise platform to manage the accountability/ownership of risks, controls, policies, incidents/loss, and GRC related processes. Every silo of risk and/or compliance should have someone accountable as well as specific policies, investigations, loss, risks, assessments, etc.
  • Assessment & Survey Management. This is the enterprise platform for delivering a common assessment and survey tool/process. Of course, at a basic level this could be spreadsheets – and often are. At the right implementation level it is a consistent tool to deliver, track, and record survey/assessments for risk, control, and compliance purposes.
  • Asset/Process/Entity Register/Taxonomy. If you think about it – every risk, control, policy, loss, requirement applies to something in the organization. It is important that organizations have an ability to model their organization structure, roles/employees, business relationships, processes, physical environment, logical environment, and information. From there – risks, controls, policies, and so forth can be applied to the assets/processes they apply/belong to.
  • Continuous Control Monitoring/Automation/Enforcement. This is the category to provide an enterprise platform for the continuous monitoring and automation of controls – both preventive and detective. This includes continous/automated monitoring of (1) IT infrastructure, (2) application permissions, (3) records/data, and (4) business transactions.
  • Control Registry/Taxonomy. It is here that the organization provides a catalog of its controls, as well as versioning of controls to provide a history/audit trail. It is in this category that the broad spectrum of controls is defined and managed.
  • GRC Dashboard & Reporting. This is the core capability necessary to analyze and report on the breadth of GRC related data across the enterprise.
  • Hotline/Helpline. It is here the organization deploys a centralized web-reporting and/or call center where employees, clients, partners, stakeholders can report wrong doing and/or suspicious activity as well as seek help on certain compliance, risk, ethics, and code of conduct topics.
  • Identity & Access Management. My research this past year has caused me to elevate this to an enterprise issue, and not just an IT risk and compliance category. Organizations need an enterprise approach to cataloging identities, access, entitlements to both the physical and logical business environments. If you think about it, a lot of risk and compliance issues comes down to who has access to what, what can they do with it, etc.
  • Investigations/Incident/Loss Management. This represents an enterprise platform/ability to consistently document and manage the process/workflow of investigations. It also provides a common platform for tracking and monitoring losses the organizations has experienced.
  • Policy & Procedure Management. It is here an organization builds/delivers a solution to provide a consistent interface and user experience to manage the development, approval, communication, maintenance, and archiving of corporate policies and procedure documents. This also includes training management related to those policies and proc
    edures.
  • Requirements Register/Taxonomy. It is in this category that organizations document and breakout the specific chapter and verse of regulatory, legal, and standard guidance. This is the registry that defines the mandatory and voluntary boundaries by which the company is governed – it defines the lines that should not be crossed and what is required of individuals, processes, business relationships, etc.
  • Risk & Regulatory Intelligence. Organizations need the ability to monitor the internal context of risk and compliance as well as the external context that business operates within. This represents the category of technologies that can take information from data feeds and turn them into tasks/workflows routed to the right individual to make a decision on a changing business, risk, and/or regulatory environment and how it impacts the organization.
  • Risk Analytics & Modeling. Some might see this as part of GRC dashboards and reporting, but the area is complex and can stand on its own. This represents the organizations ability to display and model risk. At a simple level it is heatmaps, at a complex level it may involve monte carlo simulations, bayesian modeling, or value at risk.
  • Risk Register/Taxonomy. This represents the enterprise catalog of risks. Like the other register/taxonomy items above the purpose is to not only define, but also to cross-reference risks to loss, policies, controls, assessments, etc.

Thank you for your attention to this. Within the next week (end of day on Sept 25th) I need your reaction/thoughts on this.

Chief Punishment Officer

The GRC Pundit BlogPublished onLeave a Comment on Chief Punishment Officer

During my latest OCEG GRC Strategy & Red Book 2 Bootcamp, one attendee stated they had seen the job title of Chief Punishment Officer in China. Any takers?

On a related note – one attendee had asked if anyone had a disciplinary matrix – wrongs with associated punishments – for their organization.

 
My upcoming bootcamps can be found at:
 
GRC STRATEGY & RED BOOK 2.0 BOOTCAMP
Boston, Massachusetts
Date: October 28-29, 2009

The objective of this Bootcamp is to provide attendees with the knowledge and hands-on practice necessary to efficiently design a GRC program based on Red Book 2.0. Attendees will learn about defining a GRC Strategy aligned with Red Book 2.0 through lectures and practical group exercises. For more detail and registration information, contact us at [email protected] or log into the new OCEG website (beta) and download the brochure. Register early to secure your space in this limited attendance event.

DEVELOPING YOUR GRC IT IMPROVEMENT PLAN BOOTCAMP
Boston, Massachusetts
Date: October 30, 2009

Held immediately following the GRC STRATEGY & RED BOOK 2.0 BOOTCAMP, at the same location, this is a one-day basic training exercise in developing GRC IT technology architecture and strategy. Attendees will receive value in understanding technology enablement of GRC and developing a GRC technology strategy that delivers sustainability, consistency, accountability, efficiency (cost-savings), and transparency across the organization’s risk and compliance initiatives. For more detail and registration information, contact us at [email protected] or log into the new OCEG website (beta) and download the brochure. Register early to secure your space in this limited attendance event.

Defining & Communicating a Culture of Risk

The GRC Pundit BlogPublished onLeave a Comment on Defining & Communicating a Culture of Risk
I am baffled by the ignorant that are happy with their blinders and do not see how governance, risk, and compliance interrelate and support each other to form GRC. Today we will look at how the R (risk) in GRC needs governance and compliance.
 
Risk professionals can suffer with a myopic view of their work – a lack of imagination, foresight, or intellectual insight. They are comfortable with their quantification work and love Monte Carlo simulations, Bayesian modeling, and Value at Risk algorithms. They do not always understand how risk interacts with governance and compliance to properly steer and direct the organization to stay within mandatory boundaries of laws and regulations as well as the voluntary boundaries of risk culture, tolerance, appetite, and values.
 
Risk by the OCEG definition in Red Book 2 is defined as . . .
 
“. . .the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.”

Risk management does not happen in a vacuum – it needs Culture & Context (the first elements of the GRC Capability Model). The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined. That is where risk needs governance. The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. If the governance function does not do this – risk taking is up to individuals and the integrity of the organization is in jeopardy.
 
Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures. This is where risk needs compliance. Compliance is more than adhering to laws and regulations – it is making sure that risk culture, policies, procedures, and controls are being adhered to. In the case of risk management, compliance plays a critical role in communicating policies and validating that the organization is staying within proper boundaries of risk taking established by the governance roles in the organization.
 
The elements of governance, risk, and compliance are three legs of the GRC stool. You take any one away and the stool becomes unstable. They need and depend on each other.
 
My advice . . . organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite. The complex interrelationship of risks requires that an organization gain an enterprise view of risk by overcoming the silos of risk management. Risk management should develop relationships with corporate compliance to help communicate policies and monitor adherence and enforcement of them.
 
A well defined GRC system and process will not only do risk assessment and modeling, but also will deliver the definition, communication, and training on policies and procedures. The system will map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets, and logical assets), as well as incidents & loss.

Gartner's EGRC "Arcane" Magic Quadrant

The GRC Pundit BlogPublished onLeave a Comment on Gartner's EGRC "Arcane" Magic Quadrant

My apologies. Along with my commentary on Forrester’s GRC Ripple (OOOPS . .. I Mean Wave) I had promised to provide my thoughts on Gartner’s EGRC Magic Quadrant once it was publicly available. Needless to say – August was a busy month, between end of summer trips, preparing for the fall, and kicking off the highly successful OCEG Red Book, GRC Strategy, & IT Bootcamps nearly a month has gone by without my comment. Better late than never . . .

 
As for process – the best definition of Gartner’s Magic Quadrant in my mind is either ‘black magic’ or more preferably ‘arcane.’ According to my Macintosh dictionary, arcane is defined as:
  • arcane |ärˈkān|(adjective) -understood by few; mysterious or secret
Unfortunately that is where I end up understanding the Gartner process. Unlike Forrester who publishes score, scales, weightings, and explanations thoroughly in a comprehensive spreadsheet – Gartner does not reveal in detail what happens behind the curtain. One is left hoping that the analysts approached it objectively and understand the space. That gives me a lot less to critique because Gartner does not expose as much.
 
Gartner’s ‘arcane’ magic must be working though. Overall, with some minor tweaks, I feel the current Gartner Magic Quadrant was a fairly well representation of the players, the market, and where they compete. I do get concerned in some of their ‘strengths’ and ‘cautions’ for each vendor as it is not consistently applied. It makes you feel they are digging to put something in the spots. For example, OpenPages is given a caution because they do not provide content. This does not appear on any of the other caution lists – but I know for a fact that several of the vendors represented do not provide content. They did not get the same warning. That is where a model like Forrester’s is more fair (but time consuming often leading to out of date content by the time the process is done). With Forrester you can see each criteria, such as content, get an explanation and a score comparing the vendors.
 
Gartner has earned more respect from me as their Magic Quadrant is a good representation of the players. This is a change. I remember previous Magic Quadrants where the players came from different parts and niches of the GRC space and often did not compete with each other. It was like comparing apples and oranges. This is sad when so many use these research reports to pick short lists of vendors for RFPs/RFIs. They need to be competitive with each other.
 
SAP is not in the report – which it was in Forrester’s. This is good and bad for SAP. They had a poor representation in the Forrester report, had they been represented in Gartner’s they may have had the same. Though this is largely do to the fact that SAP is focusing and doing very innovative things in the GRC space that pushes the envelope significantly and challenges the vendors represented in these analyst reports. SAP is focused on making GRC a part of business.
 
To borrow a Forrester term . . . now for the WIM (What It Means). Whether it is a Forrester Wave or a Magic Quadrant understand that it is one organization’s perspective and may not represent the players for your specific needs and requirements (though the Forrester Wave model allows you to change the weightings for your own needs). It also may not represent all the players you may want to engage for your specific requirements. Use the documents for what they are – a research perspective from one point of view. Do not treat them as authoritative.
 
My advice to Gartner: while you have a good representation in this Wave, your process and applicability to buyers is far behind Forrester’s. Reveal your criteria and scoring and deliver a tool to help organizations make buying decisions.

Who Defines Your Corporation's Values?

The GRC Pundit BlogPublished onLeave a Comment on Who Defines Your Corporation's Values?
Values and ethics define an individual – as well as families, societies, and culture in general. Everyone puts a stake in the ground as to what is important to him or her and what is not. We interact with others based on our values: which acts much like two magnets. If the right polarity exists the magnets attract each other, if the wrong polarity exists then the magnets repel each other.
 
Corporations have values and ethics as well – which are either formally defined and managed or are left to be defined by a variety of pressures and influences. From a legal perspective a corporation is an entity – it can be interacted with, sued in court, and even taxed (depending on the type of corporation) just as an individual can.
 
Who defines the corporation’s values and ethics? The answer really stems from the corporation’s overall culture – but that too has to be modeled and defined somewhere.
 
There are several places that a corporation can have its values and ethics molded for it, these are:
 
  • Directors and executive management. Ultimately the board and management have a key stake in establishing the culture, ethics, and values of the organization. It is at this level that code of conduct should be defined and enforced from the top down. The board also plays a key role in establishing risk appetite and tolerance levels that impact how an organizations takes and manages risk. This is what is meant by tone at the top.
  • Employees. If executives fail to define and communicate an organization’s culture, ethics, and values employees are left to define it. Even when executives have defined and communicated values it is employees that mold, shape, and make it reality or fiction. People tend to hire and relate well to those that have similar interests – political, religious, social, etc. The discussion in break rooms, meetings, and even interviews often acts like a magnet to attract similar systems of belief and value.
  • Business partners. An organization is no longer an entity unto itself – it is impossible to define where the culture and boundaries of an organization start and stop. The extended enterprise of business partners, supply chain, outsourcers, service providers, contractors, consultants, temporary staffing, and customers all influence and mold the values of an organization. Organizations, particularly in this era of corporate social responsibility, want to make sure they are doing business with other businesses that share the same values. No organization wants to be in the spotlight of media for partnering with unethical business – those that engage in such things as child labor or corrupt practices.
  • Customers. Ultimately an organization exists to provide value. For commercial organizations this is financial value and not just ethical value. In order to achieve financial value it is necessary to attract customers. Customers obviously want to achieve value in quality and service from the organization – though they are also becoming more selective in doing business with organizations that share the same ethical and social values.
  • Governments. Through regulation, legal liability, and plain old pressure, governments are able to extend great influence on the culture and values of the organization. This current economic crisis has given us many examples of government’s influence and control over entire industries as well as practices within those industries (e.g., salary & bonuses).
  • Non-government organizations. Non-profits, lobbyists, and associations all influence power over an organization and how it defines its culture, value, and ethics. NGO’s are quick to wield great political, social, and media pressure upon organizations to manipulate them to the purposes they value.
The net result of all of this – an organization is going to have its values defined somewhere. Either management is going to lead this charge or other pressures will influence it. Where values and ethics are not centrally defined and communicated as a part of corporate culture – the organization risks going in a direction it never intended. Additionally, an ad hoc approach to defining corporate values leaves the door wide-open for corruption.
 
Values and culture also influence risk management through how the organization and its employees take risk and stay within boundaries of risk tolerance and appetite. Without sound values defined the organization can and most often will enter reckless risk taking and poorly defined boundaries of acceptable and unacceptable risks (the financial crisis of the past few years are a great example of reckless risk taking and willingness to put aside defined boundaries of risk tolerance and appetite).
 
The area of corporate values and ethics is very real to me. I left a former employer because of a significant difference in values. Management allowed one group in the organization to move forward with a conference that included a keynote speaker from an organization branded for adult entertainment (I do not want to use specific words that I feel better describe this so this post is not blocked by filters). I spoke up stating this was a slap in the face to the women of the organization. I also expressed that there are many people within the organization that have had families devastated by this industry – something I can speak personally to in my extended family. My voice to management fell on deaf ears and I was brushed aside. They ignored the issue and allowed this group in the organization to further define the culture and direction of what was acceptable. Though a top performer (and I had recently received an award for this) I resigned.
 
Organizations need to define their values from the top down. In this day and age you are not going to appease everyone. The pressures of conservative, liberal, environmental, social, and other factors are real and significant upon the organization – and can even be in conflict with stakeholders.
 
If this topic interests you – and you want to know how to make culture, values, and ethics defined, managed, and monitored in your organization – I would point you to the Open Compliance & Ethics Group (OCEG) Red Book 2 and the GRC Capability Model™. This delivers the only full framework that I am aware of that drives an organization toward Principled Performance™. Later in August I am delivering a multi-day bootcamp specific to this topic – GRC Strategy & Red Book 2 Bootcamp. This is directly followed by another bootcamp aimed at using technology to enable a culture of ethics, compliance, and risk management – Developing Your GRC Technology Improvement Bootcamp.
 
Please reply back with your feedback and thoughts. How do you see/recommend that an organization define and communicate its values, culture, and ethics? In today’s complex business environment a failure to get an enterprise perspective on this is a recipe for disaster.
 
“To understand the religion of a people is to understand the people. For their religion expresses what they take to be the ultimate values of human life, underlying their whole attitude to everything else.”
J. Geddes MacGregor (1909 – 1998)

Framework Approach to Governance, Risk Management, & Compliance

The GRC Pundit BlogPublished onLeave a Comment on Framework Approach to Governance, Risk Management, & Compliance
The landscape of governance, risk management, and compliance initiatives is broad and littered with a variety of specific standards and frameworks. Each of these specific frameworks may be good at what they focus on – but they fail to link GRC together and put everything in context with each other. Risk management, security, corporate governance, control, security, compliance, audit, quality, EH&S, sustainability – all have their respective islands of standards. This makes putting a GRC strategy in place that bridges these silos difficult as the language, implementations, and approaches are quite different. In fact – organizations trying to get an enterprise view of risk and compliance desperately search for a GRC “Rosetta Stone.”
 
There is only one framework that I see that brings this universe of GRC into a common language, process, and architecture – that is the OCEG Red Book (v2) and its GRC Capability Model™. Although various standards and guidance frameworks exist to address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed practices for an integrated and collaborative approach to GRC. These practices address the many elements that make up a complete GRC business architecture. Applying the elements of the GRC Capability Model™ and the practices within them enable an organization to:
  • Achieve business objectives
  • Enhance organizational culture
  • Increase stakeholder confidence
  • Prepare and protect the organization
  • Prevent, detect and reduce adversity
  • Motivate and inspire desired conduct
  • Improve responsiveness and efficiency
  • Optimize economic and social value
The GRC Capability Model™ describes key elements of an effective GRC architecture that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control. It provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system. The OCEG GRC Capability Model™ is broken into eight components:
  1. CULTURE & CONTEXT. Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes.
  2. ORGANIZE & OVERSEE. Organize and oversee the GRC system so that it is integrated with and when appropriate modifies, the existing operating model of the business and assign to management specific responsibility, decision-making authority, and accountability to achieve system goals.
  3. ASSESS & ALIGN. Asses risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.
  4. PREVENT & PROMOTE. Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
  5. DETECT & DISCERN. Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.
  6. RESPOND & RESOLVE. Respond to and recover from noncompliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevent or resolve similar issues more effectively and efficiently in the future.
  7. MONITOR & MEASURE. Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
  8. INFORM & INTEGRATE. Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.
OCEG’s GRC Capability Model™ is, in my opinion, the best umbrella framework to bring a holistic enterprise view of GRC together that works from the board of directors down into the management and process of an organization. Its goal is not to replace other frameworks and standards but to give them a common language and context to operate within and thus provide enterprise collaboration and communication across governance, risk, and compliance.
 
I sat on the OCEG Steering Committee to define this valuable work and am encouraged by several Fortune 1000 companies that are now seeing it used and benefits achieved. There is nothing else available in scope and practicality to implement a GRC program around. For those interested in rolling up your sleeves further – whether an organization implementer, technology provider, or professional services provider – I encourage you to take a close look at the upcoming Bootcamp training (OCEG members get a significant discount). There is also a consecutive Bootcamp on defining a GRC technology architecture.
 
Please reply back with your feedback and thoughts. How do you see organizations bringing together an enterprise view of governance, risk, and compliance? In today’s complex business environment a failure to get an enterprise perspective on this is a recipe for disaster.

Wolters Kluwer Aquires the Gem in Policy Management – Axentis

The GRC Pundit BlogPublished onLeave a Comment on Wolters Kluwer Aquires the Gem in Policy Management – Axentis

Wolters Kluwer Tax & Accounting announced today that it acquired Axentis. This acquisition further extends Wolters Kluwer role in the GRC (Governance, Risk, & Compliance) technology and content/information market.

 
Axentis, according to Corporate Integrity research, has a leading policy and procedure management platform. The company has done an excellent job at addressing investigations management and has specific addressed a broad array of GRC issues aimed to address corporate integrity agreements, risk management, ethics, code of conduct, corporate compliance, financial controls management, IT risk and compliance, regulatory intelligence/management, privacy, and vendor/supplier/3rd party compliance. Axentis has also been a pioneer of addressing GRC through a Software as a Service (SaaS) model.
 
Wolters Kluwer has been on track in acquiring a portfolio of GRC related products. Axentis adds to their line of acquisitions which include TeamMate, Sword, and MediRegs (ComplyTrack). Wolters Kluwer also has a range of other GRC related products that tackle issue of matter management as well as board & entity management. However, the most significant differentiator for Wolters Kluwer is the integration of content/information related to regulations and risks into these suite of products as they provide a competitive information and knowledge offering that competes against the like of Thomson, Lexis, and SAI Global. Some of these knowledge providers also see the value of GRC technology solutions integrating with content – Thomson Reuters acquired Paisley last November, and SAI Global acquired 80/20 Software among a few others.
 
The challenge now for Wolters Kluwer is to bring things together. To date they have focused on different solutions across their technology line and does not promote a single all-encompassing GRC application. This can work for as well as against them. If they can bring together a common back-end data architecture and deliver a consistent interface across individual products – I believe that organizations will buy this. If they fail to do this, other vendors will when the GRC game. Organizations do not necessarily need a single application interface for GRC – but they do need a common data architecture. I also see that many GRC vendors lose out because they try to oversell instead of addressing the specific needs set before them. Wolters Kluwer can sell to the specific need with the specific product and expand. This also helps penetrate deals as GRC involves multiple roles. Without confusing the buyer, Wolters Kluwer can sell the products to the meet the needs of the specific business buyer before them (e.g., legal, compliance, enterprise risk, operational risk, finance, audit).
 
As Thomson, SAI Global, and Wolters Kluwer have all demonstrated significant commitment to the GRC space, I am particularly curious about Lexis Nexis‘ reaction as to how they will approach this space.
 
The end game of the GRC market breaks down as follows:
  • Enterprise technology providers. CA, Oracle, and SAP are all committed to the GRC space. These providers, as well as some to change focus to GRC again, will continue to expand and grow in the market. Their value proposition will be the integration of technology into a broader technology architecture.
  • Information/knowledge providers. The likes of Wolters Kluwer and Thomson will focus on using technology to integrate with content – delivering on what I call risk and regulatory intelligence.
  • Boutique providers. There will remain a number of GRC providers that utilize their smaller size to be nimble and react first to changing m
    arket demands and grow to be a solid GRC player, several of these players will differentiate themselves by delivering solutions aimed at specific GRC issues (e.g., environmental, health & safety, matter management) as well as roles (e.g., audit, legal, compliance, risk, IT).