INQUIRY: What are the 3 biggest misunderstandings about GRC-enabling technology?

 

INQUIRY: What are the 3 biggest misunderstandings about GRC-enabling technology? Why these particular areas are the most misunderstood outside of the IT organization and how can IT help clarify information?   

 

RESPONSE: There are several areas that are highly misunderstood in regards to GRC-enabling technology.  The following represent what I see as the most common misunderstandings:

 

1. First biggest misunderstanding – GRC is not just about technology.  That is the first issue: if you do not have the process and organization structure down, the impact of GRC-enabling technology is limited.  GRC is not just about technology – it is about building a collaborative approach and framework for GRC across business functions.  This is also something to understand before investing in technology.  It is important that the organization understands what it is trying to achieve before selecting a vendor, or else it may be locked into a specific vendor's concept and framework of GRC – and thus disappointed and limited.

2. Second biggest misunderstanding – we still have a lot to do in the world of automated controls.  We have seen a lot of control enforcement and monitoring be successfully deployed for SOX, AML, OFAC, and other areas of compliance, but there are many other areas of GRC that this has not extended to.  In 2009 we see the world of automated controls move full scale across other GRC processes and become a holistic solution.

3. Third biggest misunderstanding – dashboards.  I have seen very few good GRC dashboards.  Don't get me wrong, everyone has a dashboard in their product and that is great.  But very few are good business dashboards across GRC processes.  The issue is that many have not achieved or do not get the relationship between business performance and risk/control/compliance indicators.  An effective GRC or risk dashboard is a corporate performance dashboard that ties key risk indicators to key performance indicators of the business.

 

 

INQUIRY: In 2009, what will be the least obvious/highest impact business or market trend resulting from GRC automation?

 

RESPONSE: Tough question – but I am happy to play the prophet.  I would have to say it is the use of GRC technology to extend GRC processes to business partners.  There are also more areas of GRC technology, such as automated controls and business rules engines, that will see further growth in 2009.  The biggest value I am beginning to see is the extension of policies & procedures, training, and risk & control assessment to an organization's business partners.  Highly regulated organizations like life science companies already have to see that certain vendors have communicated and trained vendors/business partners and their respective employees on policies and procedures.  Liability and new regulatory requirements are seeing this grow.  Further, I am seeing many organizations begin to ask how they can leverage technology they have used for other areas to conduct self-assessments of controls with their business partners.  Typical contract language includes right-to-audit clauses which organizations with hundreds of relationships are not exercising.  This is an issue, and the way out is the use of technology to push the burden of conducting self-assessments out to business relationships.  I was at an organization yesterday that has a software platform hosted on the web to push assessments of risk and controls out to thousands of business partners for environmental, health and safety, quality, and corporate social responsibility audits.  By the way, this is a huge boon to the GRC vendors that are Software as a Service (SaaS)/on-demand platforms, as it is the easiest way to give access to policy & procedure communication and training as well as risk & control assessments to thousands of relationships without opening up your network to everyone.

INQUIRY: What are the roles/responsibilities of a compliance officer?

QUESTION: What are the top three roles and responsibilities of a compliance officer? We are trying to define this job role very clearly before we determine we need one.

RESPONSE:
The top three roles and responsibilities of a compliance officer vary — it depends on what you are defining as a compliance officer. If you mean a true Chief Compliance Officer (CCO) that sits outside of IT, then the top three roles and responsibilities tend to be:

  • Policy and Procedure Management — this is the definition, communication, training and attestation to corporate policies and procedures.
  • Compliance Monitoring — evaluating and measuring the state of compliance across the organization.
  • Investigations — managing investigations into wrongdoing and anything that violates regulatory/legal requirements.

These three functions are part of a broader set of seven elements that the United States Sentencing Commission (USSC) has established as what an effective compliance program looks like. Read these seven elements of effective compliance and ethics programs on the USSC website.

If you are referring to an IT compliance officer, the duties are similar but more focused on IT as opposed to broader compliance. An IT compliance officer also tends to focus more on automation of IT controls.

The Ultimate ERM Platform

The New Year of 2009 is at our doorstep, and with the global turmoil it is about time many organizations begin thinking of enterprise risk management.

Today we explore the Ultimate Enterprise Risk Management (ERM) Platform. Many of you expressed deep interest in my Ultimate Compliance Platform earlier in December. This week, I am delivering the second of my ultimate platform role-plays looking at what the Enterprise Risk Officer/Manager desires in an ideal Enterprise Risk Management (ERM) platform.

Defining an ERM platform is not easy – just as defining ERM is not easy. For some unfortunate organizations, ERM is Sarbanes-Oxley on steroids, as it is nothing more than a deeper look into internal controls with some heat maps built on top of it. In this case it truly is not an enterprise view of risk. In fact, many organizations have been deceived by the likes of the COSO ERM framework – which tends to take an auditor's view of risk and not a true risk officer/manager view of risk. Granted, the COSO ERM cube is an interesting model to get a conversation started. The document itself is hard to read, hard to apply, and takes an internal view of risk, largely neglecting the external elements of risk that a business faces in its operations outside of its organization. I myself find more promise in the adoption of ISO 31000 (currently in draft; it expands upon the AS/NZS 4360:2004 standard).

However, many organizations are keenly interested in ERM. Some of this comes from the emphasis that credit rating agencies such as Standard & Poor's are putting on it. Others are seeking solace in ERM to help them drive through turbulent economic times. Many more seek ERM to help manage uncertainty in a dynamic and distributed business environment that extends across complex global business relationships, where a small mishap may significantly impact business operations and performance.

The challenge organizations face in truly managing ERM is the number of silos of risk management scattered across the organization focused on specific issues of risk. The goal of ERM is to tie all of these independent risk management programs in the organizations together into a broader and transparent view of risk permeating throughout the enterprise.

The issue organizations face – there is no single vendor that ties all of the elements of risk together into a comprehensive ERM platform. The Ultimate ERM platform, like the Ultimate Compliance Platform, is one that needs further work and integration. The best solutions come from a range of providers and not a single vendor.

WARNING – most vendors marketing ERM platforms end up being a replacement for spreadsheets and do not bring a full picture of enterprise risk.  If all the platform is doing is surveying people, they are just about assessing operational risk and controls.  Challenge vendors – ask any vendor how they are managing ERM by providing integration into financial, treasury, and commodity risks alongside a breadth of operational and regulatory risks.  Most will be stumped on this question. 

If I were to build the Ultimate ERM Platform I would combine the following:

  • Risk framework flexibility. The goal of ERM is to provide harmony across a range of frameworks, standards, and approaches that are currently being used across the enterprise. Different risk areas have their unique needs and standards they follow. A robust ERM platform will be able to harmonize and provide fluidity across these frameworks. To date the best platforms I have seen that provide a harmonized approach to integrating multiple frameworks are BWise, Cura, and Texert.
  • Risk intelligence. These days every vendor has a dashboard to model and report on risk. However, they fall down when it comes to direct integration with business systems and applications. Further, most of them do not integrate with corporate performance management. This goes against what risk management is about. Risk management, done properly, is all about managing risk in light of corporate performance. For every key risk indicator there should be corresponding corporate performance indicators. The best risk dashboard that provides an integrated view into corporate performance is SAP’s.
  • Risk management breadth & depth. Risk management is more than just managing the downside of risk; it is about optimizing risk taking in the organization to seize hold of opportunity and return to the organization. Organizations stuck managing the negative that neglect the positive side of taking risk miss what ERM is about. A robust risk management platform will have sophisticated modeling capabilities that can demonstrate the positive return on risk taking and not just the downside. This requires depth in risk modeling and analytic capabilities to measure and model risk. Cura, MEGA, Strategic Thought, and Texert are vendors that I find leading in the breadth and depth of their risk management functionality.
  • Risk visualization. I for one am tired of heat maps. Nearly every vendor has latched onto heat maps as if they are the only way to visualize risk. Granted, heat maps can be useful – but they are not the end all of risk visualization. Good risk management requires multiple visualization models. A risk manager needs to be able to look at risk from different views and angles to identify intricacies, relationships, and exposure. Different pictures tell different stories. You take a photograph of a room and this tells you only one story, an x-ray tells another, and a thermal map tells another. The same is true with risk visualization – we need multiple ways to visualize risk to comprehend the full picture. The good news is that there are vendors taking some interesting directions. I particularly like the risk relationship diagramming that Neohapsis (acquired from Risk Governance) and Riskonnect are offering. I am also quite intrigued by what some organizations are beginning to do with fractal maps (such as what Fractal Edge delivers).
  • Risk process management. Enterprise risk management requires the flexibility of workflow and process management. Bringing together the many factions of risk management across the enterprise demands a platform that is easy to model business processes, workflow, and provides great flexibility and customization. The leading platforms offering the best risk process management capabilities are Archer Technologies, BWise, and MEGA.
  • Risk integration – herding the silos of risk. Enterprise risk management is like herding cats – different parts of the organization have implemented their own risk solutions that are particularly adapted to their specific needs. A good risk management platform will provide integration with specialty platforms that are managing specific areas of risk. These might include Modulo focused on the depth of IT risk management, the complexity of foreign exchange risk that FireApps manages, the intricacies of commodity risk management that Triple Point Technologies excels at, the complications of operational risk management that Ci3/Wolters Kluwer delivers, and legal/compliance risk that Axentis is focusing on with their risk-driven compliance theme. Resolver is another vendor of interest, as it provides risk assessment and surveying technologies that simplify risk assessment processes. Of course, there are industry-specific solutions managing the range and depth of risk for particular industries – such as Algorithmics, SAS, and Oracle Financial Services Software.

The Ultimate ERM Platform is not a one-stop shop at a single vendor – today it requires integration of several technologies. Many of these solutions show great insight and are executing on robust visions to deliver the best ERM platform for the future while delivering significant value to their clients today.

The Ultimate Compliance Platform

 

Christmas (or other holiday tradition you celebrate) is upon us with its associated gift giving.  In the spirit of giving and Christmas cheer, I am delivering the beginning of a series of role-plays looking at what different risk and compliance roles would want in their Christmas stockings.

To kick this off, we will initially focus on the role of Corporate Compliance. Each subsequent week we will look at another role (see below for schedule).

To understand what Corporate Compliance desires requires an understanding of what this role is about and its responsibilities. Unfortunately compliance, like many GRC-related terms, has different heads and definitions throughout the organization.  Corporate Compliance, though, is a specific role that typically reports into legal/general counsel and is focused on the most pertinent legal/regulatory issues the organization has to comply with.  To date I have not met one Corporate Compliance Officer that is responsible for every aspect of compliance throughout the organization.  Fragments of compliance such as SOX, privacy, information security, health and safety, and other areas often fall outside of the Corporate Compliance area of focus.

Corporate Compliance is typically responsible for managing the most significant and highly visible legal/regulatory compliance issues such as anti-corruption, ethics, anti-trust, employment/labor issues, etc. In the U.S. this role is centered around adherence to the U.S. Sentencing Commission Organizational Sentencing Guidelines and what is laid out as the seven elements of what a compliance program should look like.  This compliance program involves defining and maintaining policies, oversight, due diligence in hiring and access, training/communication, monitoring, investigations, and program improvement.  There is also an additional requirement to implement at least an annual risk analysis for potential wrongful conduct.

Again, there are other views of compliance – IT, finance, audit, business operations – and they have varying but related needs to those of Corporate Compliance.

So when you think of the Corporate Compliance Officer/Manager this season your first desire may be to give this role the ultimate compliance platform to manage compliance content and processes.  In designing this platform, you will find that the best solutions come from a range of providers and not a single vendor.  So my Christmas Wish would be for a new platform to be developed that would integrate the following:

  • Next generation policy & procedure management.  Organizations are in complete disarray in managing corporate policies and procedures – they often are out-dated, scattered across parts of the business, and not managed consistently.  Further, the recent trend in legislation and regulatory guidance is to demonstrate training and not just attestation.  I desire a platform that is easy to use, manages the lifecycle of policies, and allows dissemination, communication and training (e.g., eLearning) on these policies in a single platform.  Axentis is the best example of a platform delivering this today.  Neohapsis (former Certus) has done interesting things with a few clients. QUMAS has the most robust policy lifecycle management but lacks the integrated eLearning component.

 

  • Regulatory intelligence.  The Corporate Compliance role struggles with trying to keep abreast of a growing array of regulations, legislation, regulator findings/rulings, and case law.  The current situation is to have an army of legal professionals mining legal and regulatory sources for new developments that will impact the organization.  My desire is to see this automated. Give the Corporate Compliance role an application that allows the compliance and legal function to profile their organization, link into content providers (e.g., WestLaw, LexisNexis) and then have new developments/alerts be pushed into the application and disseminated to the appropriate person for review and analysis based on responsibility.  Compliance360 is the only company offering something close to this vision today.  Though there are some industry-specific providers doing interesting things, such as CompliNet and Fortent in the financial services vertical. ComplianceOnline (by MetricStream) also provides a wealth of regulatory information. SAI Global is also doing some interesting things in this area, with a particular strength outside the US. Further, LRN is another provider that continues to amaze me in their thought leadership and content.

 

  • Enterprise investigations management.  A struggling area of compliance is enterprise investigations – in most organizations there is no such thing as 'enterprise' investigations management.  This is unfortunate as organizations fail to get a grasp on the range of issues, events, incidents, wrongdoing, and complaints across the organization. Without a complete view into enterprise issues, events, and investigations an organization's risk management and compliance strategies become handicapped.  On top of this, organizations manage investigations in home-grown databases and spreadsheets which often lack any form of audit trail and non-repudiation. Consider solving this problem by giving Corporate Compliance a single enterprise investigations management platform that ties into whistleblowing/hotlines for anonymous reporting of incidents.  EthicsPoint, in my humble opinion, offers one of the best solutions on the market for managing corporate investigations across the organization with integrated hotline services. Other contenders are Axentis, QUMAS, and Archer Technologies – but they lack the hotline piece of EthicsPoint. BTW – get rid of the spreadsheets; they are difficult to manage and do not have the non-repudiation needed for sensitive compliance processes.

 

  • Compliance process management.  Corporate compliance today is a labor-intensive and manual process.  When it is automated this typically means sending an email.  This is unfortunate given the range of process management solutions on the market.  Corporate compliance needs a compliance backbone that allows them to manage complex processes and workflow as well as content.  The most adaptable backbone for corporate compliance is Archer Technologies.  Archer is quickly moving into a broader GRC offering from a focus within IT, and has one of the most flexible and highly configurable risk and compliance solutions on the market today.  They allow for complete module customization, and even allow clients to share custom-built risk and compliance process modules.  On top of this they offer modules for many of the functions I list above – policy and investigations management in particular.  There are other GRC platforms focused on process management – going beyond simple workflow – such as Mitratech, Compliance360, BWise, and MEGA.  BWise and MEGA have particularly interesting solutions that support visual process modeling.

 

  • Time machine.   While compliance is focused on assuring compliance in the here and now, it often has to react to investigations, lawsuits, and regulators that want to understand the state of compliance on a given date and time.  In that case how you are compliant today is of little importance. The Department of Justice, regulator, or prosecutor wants to know how you were compliant on this day five years back.  This requires that the organization be able to demonstrate who read, was trained, and attested to a policy on a given date and time; how an investigation was handled; and how compliance was managed.  I am a Mac user and love Leopard's Time Machine ability to go back to any date in time and see my system/files on that date.  That is what Corporate Compliance needs as well – a compliance Time Machine.  There are a few vendors delivering this today, such as Compliance360 and QUMAS.
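The two properties asked for above, a record that cannot be quietly edited after the fact (the "non-repudiation" that spreadsheets lack) and the ability to answer "who had read, been trained on and attested to this policy on a given date", can be sketched in a few dozen lines. The following is an added example, not code from the original post or from any of the vendors it names; it assumes a hash-chained, append-only ledger in which every record carries the SHA-256 of the previous record, and the event types, field names and sample events are constructed for illustration.

```python
"""Hash-chained, append-only attestation ledger with point-in-time reconstruction.

Added example (not from the original post): a minimal "compliance Time Machine".
Every record covers one policy event (read / trained / attested) and carries the
hash of the previous record, so any edit, deletion or reordering made after the
fact breaks the chain. All event data below is constructed for illustration.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS_HASH = "0" * 64
ACTIONS = ("read", "trained", "attested")  # assumed event vocabulary


@dataclass(frozen=True)
class AttestationEvent:
    seq: int            # position in the ledger, starting at 0
    ts: str             # UTC timestamp "YYYY-MM-DDTHH:MM:SSZ" (fixed width, so it sorts lexically)
    user: str
    policy_id: str
    policy_version: int
    action: str         # one of ACTIONS
    prev_hash: str      # entry_hash of the previous record (GENESIS_HASH for the first)
    entry_hash: str     # SHA-256 over prev_hash + canonical JSON of the fields above


def _payload(event_fields: dict) -> dict:
    """The fields covered by the hash: everything except the two hash fields."""
    return {k: v for k, v in event_fields.items() if k not in ("prev_hash", "entry_hash")}


def _digest(prev_hash: str, payload: dict) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_event(ledger, ts, user, policy_id, policy_version, action):
    """Append one event; refuses unknown actions and back-dated timestamps."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if ledger and ts < ledger[-1].ts:
        raise ValueError("timestamp earlier than last ledger entry")
    prev_hash = ledger[-1].entry_hash if ledger else GENESIS_HASH
    payload = {"seq": len(ledger), "ts": ts, "user": user, "policy_id": policy_id,
               "policy_version": policy_version, "action": action}
    entry_hash = _digest(prev_hash, payload)
    ledger.append(AttestationEvent(**payload, prev_hash=prev_hash, entry_hash=entry_hash))
    return entry_hash


def verify_chain(ledger) -> bool:
    """Recompute every hash; False if any record was altered, removed or reordered."""
    prev_hash = GENESIS_HASH
    for i, event in enumerate(ledger):
        if event.seq != i or event.prev_hash != prev_hash:
            return False
        if _digest(prev_hash, _payload(asdict(event))) != event.entry_hash:
            return False
        prev_hash = event.entry_hash
    return True


def state_as_of(ledger, policy_id: str, as_of: str) -> dict:
    """Who had read/trained/attested to policy_id at instant as_of: {user: {action: version}}."""
    state = {}
    for event in ledger:
        if event.policy_id != policy_id or event.ts > as_of:
            continue
        state.setdefault(event.user, {})[event.action] = event.policy_version
    return state


def build_sample_ledger():
    """Constructed sample data: two users, two policies, events during 2008."""
    ledger = []
    append_event(ledger, "2008-01-15T09:00:00Z", "alice", "POL-AC-01", 1, "read")
    append_event(ledger, "2008-01-15T09:05:00Z", "alice", "POL-AC-01", 1, "attested")
    append_event(ledger, "2008-02-01T10:00:00Z", "bob", "POL-AC-01", 1, "read")
    append_event(ledger, "2008-03-03T12:00:00Z", "alice", "POL-PRIV-02", 2, "attested")
    append_event(ledger, "2008-07-10T08:00:00Z", "bob", "POL-AC-01", 1, "trained")
    append_event(ledger, "2008-07-10T08:30:00Z", "bob", "POL-AC-01", 1, "attested")
    return ledger


def tampered_ledger_verifies() -> bool:
    """Rewrite bob's 'read' into an 'attested' after the fact; does the chain notice?"""
    ledger = build_sample_ledger()
    ledger[2] = replace(ledger[2], action="attested")  # frozen dataclass: copy with one field changed
    return verify_chain(ledger)


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", verify_chain(ledger))
    print("POL-AC-01 as of 2008-06-30:", state_as_of(ledger, "POL-AC-01", "2008-06-30T00:00:00Z"))
    print("tampered chain verifies:", tampered_ledger_verifies())
```

Two design points matter here. First, the ledger only ever grows and `append_event` rejects back-dated entries, so the point-in-time query is a simple replay of events up to the requested instant rather than a reconstruction from mutable rows. Second, hash chaining on its own gives tamper evidence, not non-repudiation in the legal sense: anyone who can rewrite the whole file can recompute the whole chain. In a real deployment the latest `entry_hash` would be periodically anchored outside the system (a signed timestamp, a WORM store, or a third party), and each attestation would be signed with a key only that user holds.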

There . . . I have provided you some technical stocking stuffers for your corporate compliance department.  In the next few years we should see an integrated application that delivers all of this best in class functionality.

Corporate Integrity welcomes your comments and thoughts on this topic in our blog.  Upcoming issues of the newsletter will focus on ultimate platforms for:

  • Enterprise risk management – week of 12/22/08
  • Operational risk management – week of 12/29/08
  • Supply-chain risk & compliance – week of 1/5/09
  • Legal/general counsel – week of 1/12/09
  • Corporate social responsibility – week of 1/19/09
  • Audit – week of 1/26/09
  • Finance/treasury – week of 2/2/09
  • IT – 2/9/09
  • Quality – 2/16/09
  • Environmental, Health, & Safety – 2/23/09

Merry Christmas! (Yes, it is OK to say Merry Christmas),

Michael Rasmussen
President & Research Analyst

[email protected]
LinkedIn · Plaxo

Perspectives on the Paisley Acquisition

While briefed on the acquisition before the announcement, I took a few days before commenting on my blog.  The reason being two-fold – I came down with a seasonal cold, but more importantly I wanted to reflect on this some more.
 
In general – the acquisition of Paisley by Thomson Reuters is a good thing.  Good for Paisley, good for Thomson, good for the market, and even good for competitors.  Though there are some concerns I have as well.
  • It is good for Paisley as it gives them a much bigger organization and client base to pursue than they had before.  The ability to integrate and deliver Thomson's wealth of content is also very intriguing and delivers on the risk and regulatory intelligence theme I have been discussing for some time.
  • It is good for Thomson Reuters as it gives them a technology platform to be competitive in the market and deliver their content on.  The Paisley on-demand/SaaS offering is a critical component for them to deliver content within.  It allows them to stay competitive as other content providers such as Wolters Kluwer/CCH (acquired TeamMate and Ci3) and SAI Global (acquired 80-20 Software) are aggressively pursuing technology integration and acquisition.  We will see what card LexisNexis plays in the next few months as a result of this competitive positioning.
  • It is good for the GRC – governance, risk, compliance, and audit – market.  I believe we are on the verge of widespread convergence in this space.  There are too many providers in a tough economy.  I know of several organizations looking to acquire someone as they feel they can get a good deal in the current economy.  Consolidation is good and is what this market needs to be stable and sustainable.
  • Finally, it is good for competitors.  One aspect of this is the previous point as it accelerates the consolidation.  The other aspect is the fact that whenever acquisitions happen it causes current clients to consider their future options and direction.  The audit management market is in a perfect storm right now.  With the acquisition of TeamMate and now Paisley you have approximately 80% of the current audit management software market changing hands.  With a lot of new entrants into this space it should be some interesting times for market positioning in the next year.
As for my concerns – they largely depend on Thomson’s strategy going forward.  Paisley has built an excellent GRC application and has delivered a solution that helps a variety of risk and compliance roles well outside its traditional audit base.  Since the Tax and Accounting division of Thomson did this acquisition I fear that Paisley’s market penetration and competitiveness in other areas of risk and compliance may be limited.  Paisley also has a strong partnership with QUMAS that has just started showing traction on policy management, I am not sure how Thomson will sustain and nurture this going forward.
 
If Thomson can leverage the Paisley acquisition across its business/product lines to be a platform to manage risk and compliance and integrate Thomson content – then Paisley becomes a truly dominant next generation GRC application.  However, if Thomson entrenches Paisley in the Tax and Accounting area – then Paisley becomes a next generation audit management platform (minus the automated/continuous control piece), but loses much relevance in the broader GRC market.
 

3rd Party Risk & Compliance – A Significant Challenge for Large Organizations

Issues impacting corporate governance, risk management, and compliance are abundant. GRC 20/20 has identified 27 issue areas that organizations struggle with in risk and compliance – THOUGH the one that is keeping GRC 20/20 research and advisory the busiest is 3rd party risk and compliance management.

What do you mean by 3rd party risk & compliance?

Third party risk and compliance is a generic term – specific industries and organizations may refer to it as supply chain, vendor, or service provider risk and compliance management. The impact of the extended enterprise on business is significant. Organizations are dealing with numerous and global relationships. There are also specific pressures within industries to formally manage 3rd party risk (e.g., the FDIC released guidance this past summer requiring banks to manage 3rd party risk).

The specific risk and compliance concerns impacting 3rd party relationships extend across a range of issues – international labor standards, code of conduct, corporate social responsibility, operational risks, supply chain risks, environmental, health and safety, security, privacy, quality . . . the list of issues across industries is expansive.

Core processes that organizations require to manage 3rd party risk and compliance include:

 

  • Definition and modeling of relationship, risks, compliance issues, and controls with extended business relationships;
  • Communication and attestation of policies, procedures, and code of conduct;
  • Delivery of compliance and code of conduct eLearning/training content;
  • Ability to have business partners conduct self-assessments of risk, compliance, and controls;
  • Interface for consultants and auditors to validate risk and controls and exercise right to audit clauses;
  • Provide a platform for risk and compliance intelligence where the company can be alerted to new developments and issues that could impact specific relationships and/or geographies; and,
  • Assessment and scoring of risk based on the business relationship and status of assessment/audit findings.

Large organizations around the world struggle and are actively looking for solutions and service offerings to answer these 3rd party risk and compliance relationship processes. Just in the past few months GRC 20/20 has interacted with several large and medium-sized banks, a major food retailer, Fortune 100 retailers, entertainment conglomerate, high-tech manufacturers, life sciences firm, insurance, major pharmaceutical benefits provider, and more. In one firm I sit on the social accountability advisory board aimed at managing international labor standards, workplace safety, and code of conduct across 5000+ vendors in a global supply chain. These issues are significant, overwhelming, growing, getting more complex, and not going away.

This is a particular golden opportunity for technology providers that provide a Software as a Service (SaaS) offering – as organizations are reluctant to open up their internal networks to accomplish 3rd party risk and compliance management.

This is just a quick synopsis of a very intricate issue that organizations are struggling with. GRC 20/20 welcomes your comments and thoughts on this topic.

 

 

Top 27 Risk & Compliance Issues Organizations Struggle With

Global markets are in turmoil, investigations into corporate and executive wrong doing, demands for increased oversight and regulation . . . while the economic climate in general is in question there is no doubt that organizations need stronger corporate governance, enterprise risk, and compliance oversight.

The challenge for risk and compliance managers is to make sense of a GRC market with over 1300 providers of technology and consulting services.  The challenge for technology providers, professional service firms, and knowledge providers is to make sure their message and value is clearly articulated so they can be heard above the swarm of competitors.

One thing is certain . . . buyers of risk and compliance products and services have specific issues they need to deal with.  Specific economic and treasury risks, specific operational risks, specific compliance issues.  Providers that tout a generic swiss army knife approach will find their offerings in a tailspin – shot down by competitors that know how to solve the specific problems organizations are trying to solve.

GRC 20/20's research has identified 27 issue and corresponding solution areas in which organizations are looking for specific help from technology, consulting, and knowledge providers.  This cross-industry view represents the core of GRC 2.0, the GRC EcoSystem.  While these are not all of the risk and compliance issues organizations face – these are the most challenging ones driving organizations to look for consulting help and technology solutions. These 27 areas are . . .

  • 3rd Party Management
  • Anti-money Laundering
  • Audit Management
  • Brand & Reputation
  • Business Continuity/Resiliency
  • Corporate Compliance
  • Corporate Governance
  • Corporate Social Responsibility
  • Corruption & Fraud
  • Crisis Management
  • Employment/Labor
  • Enterprise Risk Management
  • Environmental
  • Ethics & Integrity
  • Financial Assurance & Control
  • Geo-Political Risk Management
  • Global Trade & International Dealings
  • Health & Safety
  • Information Risk & Compliance
  • Insurance & Claims Management
  • Investigations
  • Legal Matter Management
  • Operational Risk Management
  • Physical Security
  • Privacy
  • Quality
  • Treasury Risk Management

While organizations struggle in these 27 core areas – they want to make sure that their investment in technology can be leveraged for other risk and compliance issues.  They are tired of wasteful spending and fragmented approaches to GRC – organizations want to be assured that their investment can be the backbone of a risk and compliance architecture.

GRC 20/20 has defined a core GRC architecture of 13 technology architecture categories that can be leveraged across risk and compliance processes to provide for sustainability, consistency, efficiency, transparency, and accountability.   These 13 core GRC technology architecture categories are. . .

  • Assessments & Surveys
  • Audit Management
  • Control Documentation & Repository
  • Control Monitoring & Enforcement
  • Enterprise Asset Management
  • GRC Dashboards & Reporting
  • Hotline & Whistleblower
  • Identity & Access Management
  • Investigations, Event, & Loss Management
  • Policy & Procedure Management
  • Risk & Regulatory Intelligence
  • Risk Analytics & Modeling
  • Training & Awareness Management

We encourage you to comment on GRC 20/20’s GRC EcoSystem model as we wrap up the written research that will be published in the next few weeks.  If you have comments on the GRC EcoSystem model, please send them to [email protected].

Focus of the Board on GRC

What are the questions the Board of Directors of any publicly traded company should be asking regarding the status of GRC enabling technology in their organization?
 
My experience is that the Board of Directors is not really focused on the technology enablement of GRC – for the most part they know very little about technology, and I am not sure they really need to understand the technology enablement of GRC.
 
The Board is ultimately responsible for risk and compliance.  There are New York Stock Exchange listing requirements that obligate the board to oversee risk.  There are decisions such as In re Caremark that require the Board to oversee that a compliance function is operating.  Risk and compliance are a part of the Board’s governance responsibilities.  Interestingly enough, Corporate Secretary magazine added the tagline “the Governance, Risk, & Compliance Monthly” to their periodical.  The role of the Corporate Secretary (typically the general counsel) is the aggregation point of GRC information that goes to the board.
 
However, my fear is that organizations, and with them Boards of Directors, begin to view GRC as a technology issue, problem, or event bandage.  Don’t get me wrong – technology enablement of GRC is critical, but GRC is much broader than technology.  It was over five years ago that I defined a market for products and services/consulting and called it GRC.  In that time I have seen it grow, but I have also seen more and more organizations equate GRC with IT and technology.
 
GRC is about a philosophy of business in which the organization looks at governance, risk, and compliance from a holistic perspective across islands of responsibility.  In the past these islands of responsibility operated in isolation and did not communicate with each other, causing significant issues and a waste of resources for the organization.
 
Technology is important as it provides the collaboration, automation, and reporting within and across these islands of GRC so that the organization begins to work in harmony.  The Board of Directors should not be as concerned with whether the organization is using technology; the proper question is “Do we have sustainable, consistent, efficient, and transparent GRC processes that work together collaboratively?”  In answering this question you will find that GRC can only be done through the use of technology.

GRC 2.0 the GRC EcoSystem

The writing is on the wall – we are entering a new era of corporate governance, risk management, and compliance. The shake-up on Wall Street is just the current example of a trend towards greater oversight of business in a volatile world. With this comes a renewed focus on integrity, ethics and values. Organizations large and small are in a period of looking in the mirror and examining themselves.

  • Do we have the correct risk management oversight across business operations and relationships?
  • Do we have appropriate compliance processes?
  • Do compliance processes get to the principle of the matter, or are they simply about checking a requirement?
  • Are the values and code of conduct of the corporation adequately defined and communicated?
  • Are people trained properly on the expectations set before them?
  • Is risk and compliance managed across business relationships?
  • How do governance, risk, and compliance practices intersect with and support corporate social responsibility?

All this becomes particularly challenging when organizations look inside and see the disarray of overlapping and siloed risk and compliance initiatives. Corporate governance is handicapped. Directors and executives have a duty of care to oversee risk management as well as compliance in the organization. This is further complicated as Standard & Poor’s and others focus on evaluating risk management practices. From the compliance perspective we have seen year-over-year growth in regulations for the past thirty years – regulations are an increasing burden on the business.

When I first defined and modeled a market for technology and consulting services and gave it the label of GRC, it was at a time when organizations were struggling with Sarbanes-Oxley compliance. Over the years since, interest in information risk and compliance has been added to this.

Times have changed – so must our definition of Governance, Risk, and Compliance. The current demands on business require that organizations adjust their approach to GRC across their organization.

However, GRC initiatives are being led by different parts of the organization and still largely operate in silos. This leaves organizations struggling to break down internal silos and politics to encompass a holistic GRC strategy. It challenges vendors as well, since many of the roles responsible for GRC silos are not focused on enterprise issues but on specific points of pain.

This has led me to redefine and model the GRC market as well as to understand organizational approaches and leading practices. This is GRC 2.0 the GRC EcoSystem. The focus of this research is to map the roles responsible for GRC to the critical issues the company is trying to address. This has resulted in 27 solution areas within which GRC products and consulting services are marketed and sold to solve the specific big issues that organizations struggle with. Beyond the specific points of pain that organizations need to respond to, it also maps in 13 core technology areas that the organization should build into an enterprise architecture for GRC so that there is sustainability, consistency, efficiency, transparency, and accountability across the GRC areas of the organization.

To date GRC 20/20 has identified nearly 1300 technology, consulting, and knowledge/content providers around the world that map into the GRC EcoSystem.

This new research will be released in a Webinar on October 7th. It will be followed by a written research document outlining the model for the market – solution/issue areas, technology categories, areas of professional services/consulting, knowledge content providers, as well as professional associations. In 2009, GRC 20/20 will also be releasing detailed market models, sizing, and participants for our clients.