Delivering 360° Contextual Awareness of Your GRC Program

Governance, risk management, and compliance — what we refer to collectively as GRC — is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Over the past twenty years, we have seen technology evolve and mature to assist organizations in achieving this definition of GRC.

This evolution of GRC technology started with engaging the back-office functions of GRC, what we often call the second and third lines of defense. These are the risk, compliance, security, internal control, and audit/assurance departments that manage and monitor areas of GRC day in and day out.

Over the past several years, we have seen GRC technology grow and also spread to engage the front-office of the business, as well as all levels of management. These are the people who own risk and controls and are making risk and compliance decisions throughout the day. When you think about it, GRC is not about the back-office departments of GRC but about the front-office engagement and commitment to GRC. This moved technology into the Agile GRC era, which focused on usability and experience to make GRC relevant for the front-office of the business — not just the back-office of traditional GRC functions and roles.

We are now moving into the era of Cognitive GRC. This extends . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RUBIQ BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Why Third-Party 360° Situational Risk Awareness is Needed Now More Than Ever

I am a James Bond fan and eagerly anticipate the next James Bond film, “No Time to Die.” Unfortunately, because of the global crisis we all now face, we have to wait until November 2020 instead of seeing it on the big screen this month. While we wait for this next installment in the 007 saga, we can still learn from what makes the master spy so great and apply it to our world of business: situational awareness.

Today’s organization needs situational awareness. Situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the business but is particularly needed in the context of risk in third-party relationships . . .

The remainder of this article can be found on the SureCloud site where GRC 20/20’s Michael Rasmussen has contributed his thoughts in a guest blog on this site.

Centralizing Compliance and Ethics Communications in a Time of Crisis

In a time of crisis, like what we face with the global pandemic, centralizing compliance and ethics communications and reporting is critical to streamline interactions, maintain corporate culture and integrity, improve employee morale, and communicate expectations.

However, a lot of organizations are finding they are not prepared. Consider that a lot of policies are changing right now, such as remote office worker policies, home office expense policies, and conduct policies. Other policies may not have changed, but employees still need to be reminded of them as they operate in a high-risk environment for fraud, privacy, customer/client communications, health and safety, and security.

In this current crisis, one large organization I was talking to discovered they had over 20 policy portals scattered in different departments. Policies were on different fileshares, SharePoint sites, and ad hoc technology platforms. Policies looked different on each portal and used language inconsistently. Some policies were out of date.

In a time of crisis when people are working from home, having . . .

[The rest of this blog can be found at the Convercent website where GRC 20/20’s Michael Rasmussen contributed this as a guest blog post]

Being Unprepared for the Crisis Does Not Make it a Black Swan

I may be going out on a limb and stepping on a lot of toes right now by frustrating some careers and reputations of risk managers. Simply put, this global pandemic/crisis is not a black swan event. I am finding too many GRC and specifically risk management professionals are trying to cover their behinds by claiming that the pandemic is a black swan. Being unprepared for a risk does not make the risk a black swan.

You may ask, what is a black swan?

A black swan is defined as an unforeseen/unpredictable event that has a significant impact on the organization (or industry, or economy). The term refers to how in Europe it was understood that all swans, as in the bird, are white. There was no concept of a black swan. Then some explorer overseas finds a black swan and changes the paradigm of what swans are.

The truth is that we have had pandemics in the past. We have had threats of pandemics. We have been warned countless times about it:

The reality is that this should have been on the ‘risk radar’ of organizations, but it was not for many. Now there are a lot of risk managers trying to deflect scrutiny from themselves by claiming it was a black swan. Again, being unprepared for a risk does not make it a black swan.

I find that too many risk management programs (e.g., corporate risk management, enterprise risk management, operational risk management, GRC, IRM . . . pick your favorite label) have been hijacked by IT security, a department that really does not understand environmental, health and safety, and other risk areas that potentially have a big impact on the organization and its objectives. If we look at the WEF report, the top risks the world faces are environmental risks and health and safety risks.

Don’t get me wrong, IT security is a huge risk area, one of great concern that can impact the organization’s objectives. My issue is that too many risk management programs have overly focused on IT security, were not balanced, and ignored other risks such as the pandemic we now face.

I would like to see the organization that has been tracking this: the one that, on its corporate risk heat map (I am not a particular fan of heat maps and find them misleading and misused), tracked this six months back as a high-impact, low-likelihood event and can show how its risk monitoring moved this risk event, month by month and then week by week, to a high-impact, high-likelihood event. I would estimate that 99.9% of organizations have failed in tracking and monitoring this risk with regular reporting at a board and executive level. Which of these organizations have actually quantified the risk and its various scenarios as it unfolds, putting actual numbers to the risk and the impact on the organization? Which organization has the best case study in how they have been historically monitoring this type of risk and have been the best prepared for it?

I remember a decade back, coming out of the Swine Flu pandemic that cost 200,000 lives, that many organizations were building continuity plans and even doing cross-industry table-top exercises and scenarios to prepare for the next pandemic. Were any of the organizations that worked on this then ready now? Most have closed the ledger on even recent history in their risk planning and monitoring.

Coming out of this crisis, we will see enterprise risk strategies that are more balanced with a broader understanding of risks to the organization’s objectives. Environmental, health and safety, quality, supply chain/procurement, and others will have a stronger and more active role at the enterprise risk management roundtable of the organization.

We are also going to see a lot of regulation across industries and around the world come out of this that is focused on operational resiliency. This is already happening in the financial services industry in the United Kingdom with the Operational Resiliency requirements from the FCA, PRA, and Bank of England. I predict we will see operational resiliency regulation that requires an integrated approach to operational risk and business continuity across industries and geographies.

What are your thoughts on this crisis and on how unprepared organizations are, even though they should have seen this coming?

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . . 

Communicating Policies in a Time of Crisis

Policies are critical documents in organizations. They define how business is to be conducted as they establish boundaries and expectations for individual and process behavior. Policies enable and intersect all three elements of governance, risk management, and compliance (GRC). It is through policies that are clearly written, communicated and understood, and enforced that the organization can “reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

As the global crisis of the pandemic unfolds and impacts business operations, one of the clear areas of mismanagement being exposed is the scattered approach to policies. Organizations need to at least temporarily change policies and communicate them to a remote workforce. In this context, they are finding that they have policies and procedures scattered across many portals. One organization I just talked to found they have 20 portals for policies, and each had different formats/templates and writing styles. This works against the organization that is trying to respond to a global crisis and provide a singular, consistent view of policies and procedures across the organization. This is necessary to make sure there is one single source of truth and that remote employees are working from the same consistent and current policies and procedures.

Even worse, many organizations I am talking to right now are finding they do not even know what policies they have in their organization. It is the Wild West – complete anarchy – as different parts of the organization have gone in different directions in writing policies. In a time of crisis, organizations are finding out that there is no master list of all of the organization’s policies and procedures. This is critically needed to be able to flag which ones need to be communicated in a time of crisis as well as modified to address changing business processes, transactions, relationships, and a remote workforce.

Already GRC 20/20 Research has seen a growing interest in enterprise policy management that provides a consistent policy on writing policies, with an established policy management lifecycle to ensure that policies are documented, consistent, and available in a single portal in the organization. The need for this is becoming more apparent in the current crisis, and the demand for a singular, integrated approach to managing and communicating policies across the organization is growing. This includes:

  • Back office management of policies. It requires a consistent process to author, approve, communicate, manage, monitor, maintain, and retire policies.
  • Front office engagement on policies. It also mandates a consistent singular portal for an employee to access policies and procedures with related resources (e.g., training, issue reporting, helpline, forms). This portal needs to be available from the desktop and laptop down to the tablet and smartphone. And it needs to be available whenever and wherever an employee needs to access policies . . . particularly in a time of crisis.

What are your thoughts on how to manage and communicate policies in a time of crisis?

My point of view: Organizations need to be moving to an enterprise-wide view of policies that are consistent, with a consistent portal for employees to access every policy and procedure in the organization. In a time of crisis, not having a singular view into policies causes confusion and mistakes and has a direct impact on the culture and morale of employees who need guidance.


Keep Calm & GRC On!

These are crazy and uncertain times, but this does not mean governance, risk management, and compliance (GRC) comes to a halt in organizations. It is the opposite: this is the time for strong corporate governance, risk management, and compliance. This is what gets organizations through the crisis and allows them to navigate the chaos. As the British taught us in World War II, we all need to “keep calm and carry on.” That last part is critical. Now is not the time for GRC to stall in your organization but to lead. We need to KEEP CALM AND GRC ON!

The official definition of GRC is that GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].” [source OCEG GRC Capability Model] Now is the time for greater GRC strategy, practices, and processes to enable your organization to:

  • reliably achieve objectives, though those may be changing to respond to the environment;
  • manage uncertainty, of which these times have plenty; and
  • act with integrity in the face of changing business processes and economic conditions.

GRC strategies and infrastructure will come out of this stronger than ever. I have been a research analyst for 20 years; I saw GRC functions thrive after 9/11 in 2001, and I saw them thrive after the 2008 financial crisis. GRC-related departments, processes, and technology architecture will be stronger because of the horrible global crisis we face. GRC strategies, solutions, and services are and will be in demand.

Risk management, business continuity, operational resiliency, third-party GRC, and policy management are all hot topics right now that I am interacting on because of the crisis. Coming out of this, we will see changes to regulations that will cause more demand for compliance management. Strategies related to ESG, EH&S, and CSR will grow in organizations because of this crisis.

How GRC Will Change in Organizations

I have been interacting on a number of inquiries this past week from organizations (across buyers of solutions as well as solution/service providers). Here are my thoughts:

  • Risk management will fundamentally change. Too often enterprise and operational risk management programs have been dominated or even consumed by an IT security risk focus. IT risk is huge and an important topic, but our most significant risks are from other areas such as environmental, health and safety.
    • Just a few months back I blogged on this, “Tale of Two Futures: Blade Runner or Star Trek?” While information security will remain a critical risk area, we are going to see more balanced enterprise and operational risk management strategies that include environmental and health/safety risks across industries.
  • Operational resiliency – integrating risk and business continuity management. The UK, in financial services, has had a specific regulatory focus on operational resiliency, which requires an integrated approach to operational risk and business continuity management (as well as third-party risk).
    • This is the buzzword right now and will be a global cross-industry focus coming out of this crisis. In most organizations, business continuity has been overly focused on disaster recovery from an IT perspective. There will be a new focus on true business continuity management that is part of an enterprise/operational risk management program. Operational resiliency is what brings this together.
  • Third-party risk management is a necessity. Business today is not defined by employees and brick-and-mortar walls. It is a complex web of relationships. The crisis is showing this.
    • Organizations need 360° situational awareness of risk and continuity in their third-party relationships. This cannot just be an IT security focus but needs to be complete situational awareness of risk and continuity in the extended enterprise.
  • Policy management is in demand. I get a lot of inquiries on policy management, but I am the only analyst that covers it as its own defined area of GRC. I have been getting inquiries on best practices and ideas on how to communicate changing policies, track understanding/acknowledgment, and monitor compliance in times of crisis. The fact is that business operations have changed this past week — this means policies and procedures have changed. The common question is how do we change and manage policies in times of crisis and then bring the organization back to a state of normal (or a new normal)?
    • There are a lot of organizations that have realized how messed up their policies are and that they need a centralized portal for all corporate policies to deal with crisis and change. When an organization has 20 policy portals scattered in different corners of the organization it makes reacting to crisis and change challenging if not impossible.
  • Look for CSR/ESG to evolve. Many organizations are doing great things to respond to the crisis, and others are failing miserably.
    • Look for a variety of lessons learned and new perspectives and initiatives in CSR/ESG particularly on matters of social accountability and responsibility in organizations. 

I would love to hear your thoughts . . .

Forrester GRC Wave = Tsunami of Confusion

I feel that I am in an alternate reality. This cannot possibly be the real world. Are we living in a DC multi-verse where there are different GRC technology realities and I am just confused as I woke up in the wrong world?

Anyone following me long knows my frustration with Gartner and the Magic Quadrant (see note at bottom on Gartner)[i]. But now Forrester?

I long praised Forrester for their Wave approach and methodology (full disclosure, I was a VP and ‘top analyst’ at Forrester from 2001 through 2007 and wrote four Waves, including two GRC Waves). Where Gartner is based on secrets and magic (I guess that is truth in advertising), Forrester discloses every criterion, weighting, and score.

I only had one major issue with the previous Forrester GRC Wave, and I talked to the lead analyst of the previous report about it last June at a conference we were both at. That issue was the fact that Forrester had a criterion that every solution evaluated had to be doing $30 million in GRC revenue, and at least one solution, LogicManager, was not. The analyst explained to me that they were grandfathered in. I replied that an exception should be documented and footnoted in the research report. Organizations were being left with a false impression that this vendor is much larger than it is. That solution is a Leader in the new GRC Wave; Forrester dropped the revenue criterion down to $15 million, but I still think that is a stretch. That was my only issue with the previous Wave.

Now the 2020 Forrester GRC Wave is released, and I feel that I must be in a different reality. It does not make sense. 

Before I get into that, I must state how I loathe two-dimensional representations of winners and losers such as the Forrester Wave and Gartner Magic Quadrant. These graphics have deep underlying assumptions and criteria that make some solutions winners and others losers in a single graphic. For every solution in the current GRC Wave, I can think of situations where it is a good fit. To have a graphic that makes someone the winner and the rest losers leads many down the road to project confusion and often failure. In fact, the last GRC Wave I wrote at Forrester in 2007 had four different Wave graphics, as the market 13 years ago was already too complex to represent in one graphic. It is time for these two-dimensional analyst graphics to die, or at least to tie them to very specific use cases based on the size/complexity of an organization and its industry.

Looking at the recently released GRC Wave, my first question is who is this Wave for?

It cannot be a representation of solutions that are delivering true integrated GRC, ERM, or ORM in Fortune 500 companies. The only way the graphic and scoring make sense to me is if it is a GRC Wave for the SMB (small to mid-sized business market). Perhaps this is the ‘undocumented’ focus of the report as their comment on ServiceNow, one of the Leaders, is that it is “a good fit for midmarket companies.” Ironically, ServiceNow does have large enterprise clients for ITSM, but I am personally not aware of any large organization using them for a full enterprise/operational risk management program in all its complexity.

This leads to the question . . . who are Forrester’s clients? From my experience, Forrester subscribers have tended to be large global organizations and not the SMB market. So is this Wave a good fit for Forrester’s actual subscribers/readers? I do not believe so.

While I have a deep respect for the Leaders in the Wave, and they all have their strengths and areas of focus, I cannot come up with any client references that I know of where they are truly being used for an enterprise/integrated GRC/ERM/ORM implementation in Fortune 500 companies. Yes, many of the Leaders are in Fortune 500 companies in specific use cases (e.g., audit management, internal controls, ITSM, IT risk management), but I am not aware of any large global organization in the Fortune 500 actually using any of the Leaders for a complex enterprise view of risk that aggregates and normalizes risk across the entire organization (e.g., strategic, operational, financial/treasury, compliance/regulatory, EH&S, IT). I could be wrong, but I talk to a lot of organizations and interact on a lot of RFPs every year in my market research. Forrester does not clarify the scope, and since it is GRC, it can only be assumed that a broad focus on enterprise and operational risks would be a primary use case.

I do applaud Forrester for their focus on user experience, ease of implementation, cost of ownership, configurability of the solution, as well as artificial intelligence. These are areas I have carefully defined in GRC 4.0 – Agile GRC as well as the artificial intelligence capabilities coming forth in GRC 5.0 – Cognitive GRC. The next generation GRC 5.0 Cognitive GRC platform I have personally experienced in my interaction with ING in their GRC Orchestrate project in ING Labs.

If I was a Fortune 500 company looking at this Wave, I would ask the following questions:

  • What actual client references can a solution provider deliver that are using the solution for a true enterprise view of risk (not an IT-focused view of risk)?
    • You want a solution that has a proven track record at tackling the complexities of GRC/ERM/ORM in large global organizations.
  • How do these solutions do risk normalization and aggregation (which is ‘table stakes’ for a true enterprise view of risk)? 
    • Many solutions have a very flat view of risk as they were built for smaller organizations or for a specific department like IT security/risk management. They fail when you have a complex enterprise implementation. One department’s high risk may be another department’s low risk. Large organizations need a legitimate department view of risk as well as an enterprise view of risk in a solution that makes sense. To compare apples to apples and not apples to oranges you need advanced risk aggregation and normalization.
  • What are the solution’s capabilities for risk analytics and modeling?
    • Too many solutions have a very flat heat-map approach to risk, and that is a recipe for disaster. Large organizations need a variety of risk analysis techniques that require advanced analytics and modeling. You should understand the range of risk analytics and modeling capabilities in the solution (e.g., bow-tie risk analysis, Monte Carlo, decision tree, FAIR, and more).
  • How does the solution show risk interrelationships or interconnectedness?
    • Risk modeling is complex in today’s dynamic business environment. You cannot depend on a solution that simply allows for a cascading risk hierarchy (e.g., a risk register). Risks have relationships across the hierarchy, and any risk may have many-to-many relationships with other risks in the hierarchy.
  • How does the solution support a top-down approach to risk management aligned with objectives?
    • The official definition of GRC is that GRC is a “capability to reliably achieve objectives while addressing uncertainty and act with integrity.” Any solution in the GRC space needs to show how it can document and manage the reliable achievement of objectives and manage risk in that context, whether these are strategic entity objectives or objectives down at the division, department, process, project, and even asset level. Risk management requires context, and it is the strategy and objectives of the organization that provide the context for risk assessment.
  • Does the solution have the data and application architecture to scale?
    • Large organizations require a data and application architecture that can scale to their complex environments. This means that the solution needs to be able to address varying complex and distributed organizational structures.
  • Does the solution support business process modeling?
    • The complex risk and compliance challenges of today require that organizations look for solutions that support business process modeling. The operational resiliency requirements coming out of the UK, GDPR/CCPA, and even the changes in SOX compliance over the past few years require that organizations have the capability to model and document business processes in a risk and compliance context.
  • How does the solution do quantitative risk modeling?
    • There are functional uses for qualitative risk modeling and reporting, but organizations need to be able to quantify risk. Large organizations require actual, objective financial numbers for risk that are defensible and not subjective.
  • Does the solution truly integrate and support an enterprise view of risk?
    • This may seem redundant, but it needs to be emphasized. Can the solution actually deliver on a true enterprise view of risk where it brings together disparate risk areas, such as strategic risks, in context with the wide array of operational risks across operations, third parties, environmental, health and safety, quality, conduct, compliance/ethics, IT risk, and more? This may require integration with a range of other risk and business solutions.
  • How does the solution bring together both a top-down and bottom-up view of risk?
    • Large organizations need an integrated view of risk that aligns with the objectives and strategy of the organization (top-down) as well as the controls and risks down in the bowels of the organization (bottom-up). Too many solutions only focus on the bottom-up and, to my previous point, often on only one or a few areas.

If you apply criteria around these questions, you will get a completely different ranking of solutions than what Forrester delivers, but you will also find that no one solution is perfect and does everything.

Here are some other thoughts, insights, and experiences on the Forrester GRC Wave:

  • Inconsistent criticisms. I do not understand how SAI Global gets called out for having separate platforms under the hood when the dominant ‘Leader’ Galvanize has the same thing. SAI Global is working hard, like Galvanize, to bring about a consistent architecture from their acquisitions. But Forrester downplays Galvanize by referring to ‘modules’ not having the same interface, while SAI Global is criticized for separate applications. The ‘modules’ in Galvanize are separate applications, not modules. These are currently different code bases for the ACL product and Rsam products that form Galvanize HighBond, with different user experiences. Galvanize is a great solution, but I find the Wave evaluation not to be consistent.

    Forrester gives Galvanize a score of 5 on Mobile and yet highlights Mobile as an area of weakness in the commentary on Galvanize. Others, like MetricStream, who have some of the largest adoptions of enterprise GRC mobility, get a score of 1.

    Next, consider risk and control management. This is a broad category with many sub-criteria. One of the sub-criteria for the highest score required a dedicated team to maintain content. Both ServiceNow and MetricStream are criticized in their profiles for using UCF for content, though ServiceNow still receives the highest score in the category while others do not. On the topic of content: bringing in content from authoritative sources is critical for GRC and could be a range of criteria. Large organizations expect integrations with various content sources. A requirement for a GRC vendor to maintain their own content team hardly makes sense except for a few narrow use cases in IT risk where pre-mapped controls from a couple of common frameworks may be sufficient for the mid-market.

  • What are the full GRC capabilities? I am a fan of Workiva; it is doing some great things in internal control management, audit management, and policy management. But Forrester states that “one-third of customers use Workiva’s full GRC capabilities.” What are they measuring? If Forrester means internal control management, then I can agree with that. Workiva states they have 3,400 clients. Forrester scored them across risk and control management, document management, policy management, audit management, IT risk management, third-party risk management, and risk scoring. That would mean that over 1,100 companies are using Workiva for all of these capabilities? This simply is not true. Internal control management they have had for years. Other modules in their ‘full’ GRC capabilities are newer. There is no way 1,100 companies are using all of these use cases scored by Forrester on Workiva. Workiva is doing some great things, but Forrester has the breadth of their use cases wrong.

  • Where are the greatest risks organizations face?  According to the World Economic Forum and Davos, the most significant risks we face are environmental risks (and with that health and safety risks with the current virus threat). Enablon has moved from a strong position in previous Waves to the back of the pack, but it is the one solution tackling and managing the most significant risks organizations are facing. Other analysts that understand this, like Verdantix, put Enablon in a clear-leader position. 

    Other analyst firms, like Chartis that understand the range of financial and non-financial operational risk in large organizations, place IBM and MetricStream as leaders in their most recent market quadrant. RSA scores high in IT Risk with Chartis. Galvanize, ServiceNow, and Logic Manager do not even appear on the Chartis quadrant as relevant, but this could be because Chartis if focusing on the challenges of large organizations and not the SMB market. I feel the Forrester scoring in the Wave may be heavily weighted to SMB organizations without clearly stating this or for use cases predominantly focused on IT risk/security that lowers the score and positioning of the systems doing broader enterprise/operational risk management. 
  • Conflict of Interest. Another critical issue I have is the fact that this is an official research report and conflicts of interest should be documented. I am not stating there was any wrongdoing, but any conflict of interest should be footnoted for the reader. Part of any compliance program (as well as research) is managing and documenting conflicts of interest on anything that can influence bias. The fact that the lead analyst has six years in a senior role at one of the solutions being evaluated (and the one that ends up being the leader of leaders) should be documented in the report so readers can take this into account. Any research publication from Wall Street financial analysts would require management of conflicts of interest, the same should be true of industry/technology analysts. Besides, there is also experience with the solution. The lead analyst is intimately familiar with the capabilities of the new leader having worked there for 6 years, while other solutions in the Wave get a 90-minute demo?

  • That brings us to sandboxes and demos. Forrester requested a sandbox environment to go into and experience the solution. This was provided, but solutions in the Wave are reporting anywhere from no logins at all to just a few minutes of activity actually in the solution. Forrester states that they only use the sandbox to validate things and not for scoring. This is a huge issue. Organizations are investing hundreds of thousands and in some cases millions on software, and much more on implementation, and the analysts recommending the solutions are not even kicking the tires themselves. One constant criticism of Forrester in this process is the level of due diligence and response to issues in this research. Eight vendors have complained about this. How can Forrester claim to have the insight by reviewing 80 pieces of functionality in a 90-minute demo? They require a data-populated sandbox, but audit logs show they do not log in or just spend a few minutes looking at the solution. To make it worse, they allow only 300 characters (not words) to explain each piece of functionality/criterion in their spreadsheet answers to capabilities.

[i] At the heart of it is the fact that Gartner does not disclose any of their criteria, is becoming more dependent on recorded videos than live demos, and does not actually get hands-on with the products. My latest issues with Gartner were the smoke and mirrors of IRM, in which the lead IRM analyst stated GRC technology has failed and now we have IRM technology, when the IRM MQ had the same exact technology as GRC. What failed? If Gartner had simply come out and stated that they are now calling GRC by the term IRM, I would not have cared. Call it whatever you want: GRC, ERM, ORM, IRM, ABC, XYZ. What matters is what organizations are doing and not what they are calling it. But Gartner had to say GRC tech failed and promote IRM technology, which was the same exact GRC technology as before. Off to battle I went . . . 

360° Control Automation, Monitoring & Enforcement

Business today is changing minute-by-minute and second-by-second. Processes and technology and their configurations are changing. Employees and their access into systems are changing as new employees are hired, others change roles and accumulate inherited rights, and others leave the organization. Transactions and vendors are changing. The pace of change in business today requires new approaches to control automation.

The past involved random sampling, an approach that is dated and out of step with the dynamic nature of business today. Random sampling and monitoring of controls only cover a small fraction of the configuration, master data, segregation of duties/access rights, and transaction controls in the environment. Manual processes for control monitoring focused on random sampling leave the organization with a false sense of control, where the reality is that there can be significant control issues that expose the organization to malicious and inadvertent issues and events.

Random sampling of controls results in . . .

[This is continued as a guest blog by Michael Rasmussen of GRC 20/20 on the Greenlight Technologies blog]
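To make the sampling point above concrete, the following is an added example (not code from the original post, nor from Greenlight Technologies) that runs a segregation-of-duties check over a constructed user-entitlement export. It contrasts a full-population check, which flags every conflicting user, with a simulated random-sample review of a few users, and computes the probability that such a sample sees even one violator. The rule pairs, user IDs and entitlement names are all hypothetical.

```python
"""Full-population segregation-of-duties (SoD) check versus a random-sample review.

Added example, not code from the original post. All rule names, users and
entitlement strings below are constructed for illustration.
"""
import random
from math import comb

# Constructed SoD rule set: a single user must not hold both entitlements of a pair.
SOD_CONFLICT_PAIRS = [
    ("vendor.create", "payment.approve"),
    ("journal.post", "journal.approve"),
    ("user.admin", "audit.log.purge"),
]

# Constructed user -> entitlement data, the shape an IAM export would have.
# Four of the twenty users hold a conflicting combination.
USER_ENTITLEMENTS = {
    "u01": {"vendor.create", "invoice.enter"},
    "u02": {"vendor.create", "payment.approve"},                  # conflict
    "u03": {"journal.post"},
    "u04": {"journal.post", "journal.approve"},                   # conflict
    "u05": {"user.admin"},
    "u06": {"user.admin", "audit.log.purge"},                     # conflict
    "u07": {"payment.approve"},
    "u08": {"vendor.create", "payment.approve", "journal.post"},  # conflict
    "u09": {"invoice.enter"},
    "u10": {"journal.approve"},
    "u11": {"audit.log.purge"},
    "u12": {"invoice.enter", "journal.post"},
    "u13": {"vendor.create"},
    "u14": {"payment.approve", "journal.approve"},
    "u15": {"user.admin", "invoice.enter"},
    "u16": set(),
    "u17": {"journal.post", "invoice.enter"},
    "u18": {"vendor.create", "journal.approve"},
    "u19": {"audit.log.purge", "invoice.enter"},
    "u20": {"payment.approve", "invoice.enter"},
}


def find_sod_conflicts(entitlements, conflict_pairs=SOD_CONFLICT_PAIRS):
    """Check every user (full population) and return {user: [violated pairs]}."""
    findings = {}
    for user, ents in entitlements.items():
        hits = [pair for pair in conflict_pairs if pair[0] in ents and pair[1] in ents]
        if hits:
            findings[user] = hits
    return findings


def sampled_review(entitlements, sample_size, seed=0, conflict_pairs=SOD_CONFLICT_PAIRS):
    """Simulate a random-sample review in which only sample_size users are checked.

    Returns (conflicts found in the sample, conflicts present in the population).
    """
    rng = random.Random(seed)
    sampled = rng.sample(sorted(entitlements), sample_size)
    subset = {u: entitlements[u] for u in sampled}
    found = find_sod_conflicts(subset, conflict_pairs)
    present = find_sod_conflicts(entitlements, conflict_pairs)
    return len(found), len(present)


def detection_probability(population, violators, sample_size):
    """Probability that a random sample of sample_size users contains at least one
    violator: 1 - P(the sample draws only compliant users), a hypergeometric tail."""
    compliant = population - violators
    if sample_size > compliant:
        return 1.0
    return 1 - comb(compliant, sample_size) / comb(population, sample_size)


if __name__ == "__main__":
    full = find_sod_conflicts(USER_ENTITLEMENTS)
    print("full-population check flags:", sorted(full))
    found, present = sampled_review(USER_ENTITLEMENTS, sample_size=3)
    print(f"3-user sample review found {found} of {present} conflicts")
    p = detection_probability(len(USER_ENTITLEMENTS), len(full), 3)
    print(f"chance a 3-user sample sees at least one conflict: {p:.0%}")
```

The full-population function is the one a continuous-monitoring job would run on every entitlement export or provisioning event; the sampling helpers only exist to show how little coverage a periodic spot check gives when the population changes between reviews.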

Don’t miss the upcoming Webinar How to Achieve an Integrated & Continuous Approach to Managing Controls on March 4th. Click here for more information and to register.

Managing Risk in Dynamic & Distributed Business

Organizations are dynamic and distributed. They are changing minute-by-minute and second-by-second. That is challenging many risk management programs, and the complexity of distributed business adds further chaos to the organization and makes risk management very complicated. There is no such thing as a purely brick-and-mortar business, and organizations are not defined by employee relationships alone. Half of an organization’s ‘insiders’ are now third parties.

I recently was having a conversation with risk, compliance, and legal management at a global manufacturer (about 200,000 employees). Their challenge was managing risk in a distributed and dynamic business. They expressed challenges in which what used to be thought of as an inside risk now extends across a web of third-party relationships. Policies that used to be just for employees now have impact and governance over a range of individuals from third-party relationships that work and interact with the organization’s internal processes (e.g., outsourcers, suppliers, service providers, contractors, consultants, temporary workers).

I also recently talked to a global European bank that is looking at requiring every individual in their data centers to go through the same GDPR policies and training as employees do. Most of the individuals in their data centers are third parties.

Risk management is not just about the back office of the chief risk officer; it is also about the front lines of the business that take and manage risk every day in their jobs. Risk management is not only about the traditional brick-and-mortar business but also about the extended enterprise and nested relationships of risk that expose the business and can hinder it from achieving objectives (or help it).

Organizations need to think holistically about risk management and adapt their programs to the dynamic and distributed business of today. They need to align and integrate risk management with strategic planning, objectives, and performance while still having visibility into risk down in the bowels of the organization’s processes and relationships. In essence, organizations need a 360° contextual view of risk in the organization in the context of both strategy and operations. This requires a top-down view of risk as well as a bottom-up view of risk. It also requires quantitative risk analytics that bring value and order to qualitative methods (which still have use). It requires right-brain, creative, out-of-the-box thinking about risk as well as left-brain, analytical, model-based thinking about risk.

I will be interacting on next-generation risk management as it transcends the enterprise at the following upcoming events:

Upcoming Risk Events & Interactions

Roundtable Discussion & Coffee in London 

Third Party GRC Management by Design Workshops 

Risk Management by Design workshops are:

Policy Management by Design workshops are:

  • Chicago, Policy Management by Design, April – details forthcoming
  • New York, Policy Management by Design, April 28th
  • London, United Kingdom, Policy Management by Design, June – details forthcoming

Upcoming Risk Conferences . . .

  • Zurich, Switzerland, RiskIn, May 13th to 15th

Upcoming Webinars . . .

7 Habits of a Highly Effective Privacy Compliance Program

Privacy has become a front-and-center compliance risk in organizations around the world. GDPR (Europe), CCPA (California), APP (Australia), PIPEDA (Canada), PDO (Hong Kong), PIPA (Japan), ECTA (South Africa) . . . the world of privacy compliance is like a bowl of alphabet soup, yet this list just highlights some of the many privacy regulations bearing down on organizations.

The challenge with privacy compliance is that business is dynamic. It changes minute by minute and second by second. Personal data is pervasive across the data and processes of an organization (e.g., employee data, customer data, and sales data). You may have been on top of your privacy obligations at the end of 2019, but the organization has changed significantly over the past few weeks and now also has CCPA compliance to worry about. Processes have changed, the business has changed, employees have changed, third parties have changed, your customers have changed.

Privacy compliance management has to be continuously managed and monitored in organizations. It is not a point in time effort but one that has to be addressed in the context of continuous organizational change. Privacy compliance is about identifying and mitigating the compliance, brand, and business risks associated with processing personal data. It is about managing risks across the full lifecycle of data in an organization and its web of processes, transactions, relationships, and interactions.

Here are 7 habits of highly effective privacy compliance programs to help keep you on track:

1. Appoint . . .

[this is a guest blog by GRC 20/20’s Michael Rasmussen published on the Mitratech blog. The rest of the blog can be read at the link below]