Is SMR & CR, the UK Financial Services biggest challenge for 2018?

The UK Senior Manager’s Regime and Certification Regime (UK SMR/CR) is one of the most significant challenges financial services firms are facing right now. The Financial Conduct Authority (FCA) has recently announced that this regulation is going to be applied to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives on risk, compliance, and control. These individuals could go to jail or be personally fined (and their organization cannot reimburse them). The fines and actions are against them personally. For example, Barclay’s CEO was recently fined £640,000 personally under UK SMR/CR. It is the UK SMR/CR regulation that sees that other regulations as well as risks are properly managed in the organization.

Compliance to UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend, but a global shift in personal accountability and responsibility to senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (more of a board focus) all have similar developing legislation/regulation in varying aspects . . .

The rest of the article can be read via the link in the button below. Michael Rasmussen of GRC 20/20 posted this as a guest blog on www.governorsoftware.com.

[button link=”https://www.governorsoftware.com/news/is-smr-cr-the-uk-financial-services-biggest-challenge-for-2018″]READ MORE[/button]

The IRM Emperor (Gartner) Has No Clothes

The Gartner Integrated Risk Management (IRM) Magic Quadrant has been out a few weeks and I have been buried with inquiries from organizations asking my thoughts on it. While I initially was going to post my thoughts in this article right away, I have spent the past few weeks doing a lot of reflection and talking to the majority of the solution providers in the Magic Quadrant and their experiences. In fact, I have interacted with 12 of the 16 solution providers in the Magic Quadrant. With 5 of these solutions providers I have actually advised them throughout varying aspects of the Magic Quadrant process in reviewing their responses, preparing them for interactions with Gartner, and playing the ‘dark side’ analyst to critique their solutions.

The Gartner IRM Magic Quadrant is of great concern in how it represents and analyzes solutions, and the process of the IRM MQ is of even greater concern. Organizations should be very cautious and skeptical of the results. I feel they are very unreliable. Here are my issues . . .

  • IRM vc GRC. Gartner has to invent new terms to make themselves feel relevant. John Wheeler came out with several blogs stating how GRC has failed and is dead and organizations should look to IRM. First off, technology evolves and changes. GRC today is not the same as GRC 10 years back. Same with other areas of technology such as ERP and CRM, these technology categories have evolved and not remained the same . . . but we still refer to them as ERP and CRM. Gartner is actually 5 years behind. What John Wheeler states as IRM in his blog GRC vs. IRM Solutions – What’s the Difference? is what I talked about in GRC 3.o in my research and blogs back in 2013:
  • If GRC is dead, where is the difference in the MQ? Let’s get right to the point. Gartner has made a big push in their research, blogs, and speeches that GRC is dead and failed now we have IRM. If this is the case, then why are the Leaders in the Magic Quadrant for IRM the same Leaders that were in the last several Magic Quadrants for GRC by Gartner.  What has failed if the exact same solutions that dominate the market are getting the leading accolades from Gartner in their old GRC research h and now their new IRM research? The answer is simple, IRM is a marketing ploy by Gartner and the technologies they say have failed in GRC they now praise as leaders in IRM are the same solutions and must not have failed as Gartner originally stated.
  • What is with Gartner changing all these terms? It is not just GRC that Gartner is trying to change. They also talk about Digital Risk Management. What is Digital Risk Management? Organizations do not use this term. They talk about information security, or IT security. Gartner has some need to rebrand things to make their analysts feel relevant.
  • Can Gartner make the hard calls? I must applaud Forrester in their most recent GRC Wave, they had the ‘cojones’ to knock back one of the leaders out of the leaders area. You can compare the Wave and MQ to figure out who I am talking about; it is the solution that I get more complaints on than any other solution in the market by a significant amount.
  • Gartner IRM use cases are incomplete. Gartner defined in their IRM MQ six IRM use cases: Digital Risk Management, Vendor Risk Management, Business Continuity Management, Audit Management, Corporate Compliance & Oversight, and Enterprise Legal Management. My prominent question – where is Enterprise and Operational Risk Management (ERM, ORM)? There are defined capabilities and needs for enterprise and operational risk management that are not covered and brought out. Most of Gartner’s research has a large IT security bent to it, oops, I mean digital risk management, that permeates everything and fails to see the broad range of enterprise and operational risks. Also, they bring Enterprise Legal Management into the IRM which I see in about 5 to 10% of Enterprise GRC (IRM) RFPs. I am not against this, but they failed to mention Environmental, Health & Safety (EH&S) which is in over 50% of Enterprise GRC (IRM) RFPs. In fact, Gartner has completely discontinued their coverage of EH&S technology.
  • The Magic Quadrant process has serious issues. What is extremely concerning about the Gartner Magic Quadrant for IRM is the process. Some issues are:
    • Video demos and not live demos. Gartner did not want to have live demonstrations of the solutions, they wanted organizations to submit video demos. Anything can be mocked up in a video. Forrester, on the other hand, requires live demos and even requires a sandbox to work with the solution themselves. I have advised solution providers in the Forrester GRC Wave and have seen the audit trail of Forrester analysts going through the solution and testing it themselves. Not so with Gartner, they do not want a sandbox or even a live demo . . . just a video. And organizations around the world are relying on the Magic Quadrant? This is down right scary.
    • Lack of transparency. Further, Gartner does not publish the criteria, scores and weightings of the Magic Quadrant. It is exactly what it says it is . . . MAGIC. Forrester publishes a full spreadsheet with each of the hundreds of criteria measured, the vendor score on each, and the weighting. You might disagree with Forrester’s findings, I do at tines, but Forrester is transparent and Gartner is not.
    • Client reference checks. Client references are also a concern, while Gartner got on the phone with a few client references they are overly reliant on web surveys for client references. To get real answers you have to talk and interact with a range of client references and ask the hard questions. You also have to talk to the individuals using the solution every day and not just the decision maker.
    • Inconsistency in Strengths and Cautions. For each solution evaluated Gartner publishes strengths and weaknesses of each, usually 3, but sometimes 2. But these are not consistent. For example, Gartner calls out negatives on some solutions that they do not do Enterprise Legal Management, but in others that also do not have it they do not call it out. These are not an apples to apples comparison.

My advice to organizations, avoid Gartner when it comes to GRC/IRM. They are clueless and actually dangerous to organizations looking for solutions in the market. While I provide insight and advice (including complimentary inquiry for organizations looking at solutions in the market), their are other analysts as well, my competitors, that do a much better job than Gartner. Forrester and Verdantix are prime examples.

In full disclosure, Gartner is my competitor. They are the behemoth of the analyst world. I spent 7 years at Forrester Research as a Vice President and one of their top analysts and now have been 11 years on my own as a individual market analyst covering solutions in the Governance, Risk Management, and Compliance (GRC) Market. While Gartner is my competitor, that does not keep me from having respect for competitors. Though I disagree with them at times, I have deep respect for the analysts at Forrester Research, and I have deep respect for Verdantix, which covers the Environmental, Health & Safety aspect of the GRC market. Even in Gartner, there are analysts I have very deep respect for such as my former manager Merv Adrian. It is the IRM research that I have major concerns with at Gartner and you should too.


GRC 20/20’s Research Briefings on the GRC Market . . .

Most Recent On-Demand Recorded Buyers Guide:
Upcoming Live Buyer Guides
Other On-Demand Buyer Guides
Other Research Briefings

Defining the Issue Reporting & Case Management Process

Distributed and dynamic business requires the organization to take a strategic approach to issue reporting and case management. Organizations require complete situational and holistic awareness of issues, incidents, investigations, and cases across business operations and processes. This is best approached through structured and accountable processes enabled through an integrated information and technology architecture for issue reporting and case management. The goal is to manage individual issues at the detail level while being able to see the big picture and trends of issues and their impact on overall risk and compliance exposure.

Two essential components for a mature and robust issue reporting and case management program are:

  1. Structured processesfor issue reporting and case management.
  2. Integrated information and technology architecturefor issue reporting and case management.

Issue reporting and case management processes determine the types of information needed, gathered, used, and reported. It is through the integrated information and technology architecture that processes can be properly managed. The architecture defines how organizational processes, information, and technology is structured to make issue reporting and case management effective, efficient, and agile across the organization.

Issue Reporting & Case Management ProcessStructure

Issue reporting and case management processes are a subset of overall business and GRC processes. Issue reporting and case management identifies where things are going wrong with a goal of containing, addressing, and correcting exposure, loss, and incidents. The issue reporting and case management process is the structural design of tasks and management of how issues are reported, investigated, and resolved.

Structured processes for issue reporting and case management defines responsibilities, workflow, tasks, how issues are reported, cases managed, and how the processes work together as an integrated whole with other GRC and organizational processes. Issues and cases provide objective information that should in turn feed into risk management models as well as compliance reporting. For a mature GRC program, the organization requires the ability to track all issues across the enterprise (e.g. employee issues, customer issues, poor product quality, and supply chain).

There are five foundational process components that organizations should have in place for issue reporting and case management:

  1. Strategic/operational case planning and administration.This involves the ongoing planning and administration of issues, cases, investigators, workload, and tasks. Core to this is resource and case planning and administration, the ability to measure cycles/seasonality of cases, backlog, resource planning, and costs.
  2. Issue intake & triage.This is the foundational component where issues are reported. It involves being able to report and process issues coming from hotlines, web forms, management reports, and other inputs. The goal is to eliminate noise, consolidate duplicated issue reports, flesh out non-cases, and focus on what is critical and exposes the organization to the greatest risk. It is critical that the organization has the ability to automate and link between issues being reported, cases, parties, processes, places, and other relationships. From here initial planning and assignment of cases is done.
  3. This is the heart of the process that takes reported issue(s) and manages the process of investigation through to closure. Investigators need structured templates and processes to keep everything organized, document the investigation, manage tasks, provide notifications and escalation, and keep all information in one place for ease of reporting. The more the organization can automatically define the process to investigate an issue/case, the better. Accountability, centralization of information, keeping everything current and up to date, and having a defensible system of record that can stand up in court is critical to this stage of the process.
  4. Remediation & resolution.History repeats itself because no one was listening the first time. This stage of the issue reporting and case management process ensures that remediation steps are followed to mitigate or eliminate the risk of further issues and incidents. The organization needs to be able to track action items and ensure that things do not slip through cracks to obtain a reduction in repeated and future cases. The organization requires the ability to link issues to policies and procedures to ensure they are updated as resolutions dictate.
  5. Reporting, analytics & metrics.This is the stage of the process that provides detailed reports on both individual and aggregate cases. The organization should be able to track past due tasks, benchmark timelines of cases, identify where loss can be mitigated, and reduce gaps.

Issue Reporting & Case Management Information & Technology Architecture

With processes defined and structured the organization can now define the information architecture needed to support issue reporting and case management processes. Issue reporting and case management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a structured and coordinated whole. The issue reporting and case management information architecture involves the structural design, labeling, use, flow, processing, and reporting of information to support issue reporting and case management processes. This architecture supports and enables the process structure and overall issue reporting and case management strategy.

Successful issue reporting and case management information architecture will be able to integrate, manage, and report on issues and cases across the organization. This requires a robust and adaptable information architecture that can model the complexity of information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages with a range of business systems and data.

The issue reporting and case management technology architecture operationalizes information and processes to support the overall strategy. The right technology architecture enables the organization to effectively manage issues and facilitate the ability to document, communicate, report, and monitor the range of investigations, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for issue reporting and case management that connects the fabric of the processes and information together across the organization. Many organizations see issue reporting and case management initiatives fail when they purchase technology before understanding their process and information requirements. The “best” systems are the ones that are highly configurable to a client’s situation and can be adapted to the company’s forms, processes, technical architecture. The system should not run the business, the business should run the system. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email.Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring. This is where most organizations have focused in managing issues and cases. There is increased inefficiency and ineffectiveness as this document centric and manual approach grows too large and limits the amount of information that can be managed.
  • Custom built databases.Organizations also have built custom internal databases to manage issues and cases. The challenge here is that the organization ends up maintaining a solution that is limited in function and costly to keep current. Many companies go from the document and spreadsheet approach to building a custom database that is limited in features, reporting, and scalability at a cost of internal IT resources and maintenance.
  • Issue reporting and case management platforms.These are solutions deployed for issue reporting and case management and have the broadest array of built-in (versus built-out) features to support the breadth of case management processes. In this context, they take a full-lifecycle view of managing the entire process of issue reporting and case management. These solutions allow an organization to govern incidents and issues throughout the lifecycle and enable enterprise reporting.

Most homegrown systems are the result of starting with tools that are readily available and easy: documents, spreadsheets, emails, and desktop databases. Too many organizations take an ad hoc approach to issue reporting and case management by haphazardly using documents, spreadsheets, desktop databases, and emails, which then dictates and limits what their issue reporting and case management process will be limited to. This approach then grows and expands quickly outgrowing these desktop tools to the point where it grows cumbersome. Organizations suffer when they take a myopic view of issue reporting and case management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real-time business operates in. The right issue reporting and case management technology architecture choice for an organization involves an integrated platform to facilitate the correlation of issue and case information, analytics, and reporting.

NOTE: GRC 20/20 will be conducting a Research Briefing on how to build a business case, define value/return, and navigate the range of requirements and solutions to automate and enable the issue reporting and case management process. For example, one organization spent 200 FTE hours on doing an end of year report on the organizations cases, investigations, incidents, and issues . . . it now takes them less than 5 minutes. Register to attend (and gain access to the on-demand recording afterwards) Buyer’s Guide: Issue Reporting & Case Management Solutions.


Upcoming Research Briefing On Issue Reporting & Case Management

Research Paper: Value of Issue Reporting & Case Management

Research Paper: Case Study on Issue Reporting & Case Management

Solution Perspectives: Solution Overviews in Issue Reporting & Case Management

Strategy Perspectives: Strategic Directions in Issue Reporting & Case Management

An Enterprise Approach to Issue Reporting & Case Management

GRC 20/20 has seen many organizations take an enterprise perspective on aspects of GRC, such as Enterprise Policy Management, Enterprise Third Party Management, and, of course, Enterprise Risk Management. Over the past 18 months, GRC 20/20 has seen a growing demand for Enterprise Case Management which involves issue reporting (e.g., hotlines, management reports, complaints) and case management (e.g., issues, incidents, cases, investigations). This is a holistic strategy to manage all issues/case types in a federated and collaborative strategy across departments. This is particularly interesting as case/issue information ties closely into and feeds metrics and data into policy management and risk management programs.

Issue reporting and case management has become a moving target which needs a structured approach supported by a strong process, information, and technology architecture. Whether unintentional issues or acts of the malicious miscreant, organizations need to be prepared and have established processes in place to manage issues as they arise in the organization. GRC professionals are challenged to get a big picture point of view of the range of issues being reported across the organization and the management of cases that impact how the organization’s “ability to reliably achieve objectives while addressing uncertainty and acting with integrity.”[1]

The typical organization has a variety of departments managing a diverse range of issues, cases, incidents, and investigations.[2] These issues and cases are often managed in silos of documents, spreadsheets, and emails or in home-grown databases and applications. Different departments often have diverse approaches and the organization does not have insight into the range of issues that are happening across operations. Organizations often lack a central repository for case management and the use of home grown solutions has limitations that make the issue management processes inefficient, ineffective, and burdensome to the organization. Issue reporting and case management is often a tactical and fragmented approach with highly diverse approaches taxing the business.

Issue management across the organization is often scattered across departments, such as

  • Corporate security
  • Complaints
  • Compliance
  • Environmental
  • Ethics and compliance
  • Fraud and corruption
  • Health and safety
  • Human resources
  • Insurance claims
  • IT security
  • Legal
  • Physical security
  • Privacy
  • Quality
  • Third party suppliers and vendors

The breadth of silos to issue reporting and case management results in a maze of disconnected processes, reporting, and information. These are redundant, document-centric, and manual approaches that do not integrate and are highly inefficient. Different functions spend more time managing the volume of emails, documents, and spreadsheets than they actually do managing the issues themselves. The line of business is overwhelmed with inconsistent approaches to issue reporting and case management.

This fragmented approach to issue reporting and case management resembles battling the multi-headed Hydra in mythology. As the Hydra grows more heads of risk, regulation, and ethical challenges, issue reporting and case management professionals find that scattered approaches leave them exhausted and overwhelmed as they lose the battle. This results in a reactive fire-fighting approach to issue reporting and case management, with silos of data that professionals struggle to find the time to coordinate and link together manually. This piecemeal approach is inefficient, increases risk exposure, and leads to serious matters that fall through the cracks. Redundant and inefficient processes lead to overwhelming complexity that slows down the business in an environment that actually requires agility.

The document-centric, scattered, and manual processes of the past have impaled case management functions with inefficiency. Process management and reporting is primarily comprised of emails, documents, shared files, homegrown databases, spreadsheets, and manual processes. Case management professionals are spending a disproportionate amount of time collecting data and reporting on data instead of time spent adding strategic value to the business through analyzing and trending the data collected. This antiquated approach leaves teams with flat metrics that lack context and don’t help professionals identify or address problematic processes, culture, or behavioral issues. GRC professionals often express to GRC 20/20 Research their frustration with the:

  • Inability to gain a clear view of issue reporting and case management interdependencies
  • High costof consolidating silos of GRC and issue management information
  • Difficulty maintaining accurate GRC and issue management information
  • Failure to trend across issues, departments, and reporting periods
  • Incapability of providing GRC and issue intelligence to support business decisions and strategic planning
  • Redundant approaches that limit correlation, comparison, and integration of information
  • Lack of agility to respond promptly to changing regulations, laws, and business environment

Dynamic & Distributed Business Compounds the Problem

Organizations today are distributed and dynamic. The modern organization is a complex web of employees, suppliers, vendors, contractors, consultants, agents, and third parties. At the same time, organizations are constantly changing: business is dynamic. Employees, relationships, regulations, risks, economies, litigation, regulation, and legislation are constantly changing. These challenges are making organizations rethink their approach to issue reporting and case management. Organizations are looking for greater agility and effectiveness, while achieving greater efficiency with human and financial resources in identifying and resolving issues. The goal is to:

  • Align stakeholder demands for transparency and accountability.
  • Leverage emerging technologies to improve efficiency, effectiveness, and agility.
  • Enable GRC professionals to better target resources where issues identify the greatest exposure.

This trend points in one clear direction: a new issue reporting and case management architecture that is dynamic, predictive, and information-based through the deployment of an integrated information, intelligence, and analytics architecture to overcome the inefficiencies of the manual and document-centric approaches of the past. This approach to issue reporting and case management delivers demonstrable proof of risk and compliance management, discovery and containment of issues, and shifting the focus of efforts from being reactive and “checking the box” to being proactive and forward-looking. Organizations need greater efficiency in processing and managing issues with structured information and process, greater effectiveness in ensuring corporate integrity, and increased agility in addressing rapidly changing business, regulatory, legal, and reputational risks.

The bottom line: Issue reporting and case management programs have been very tactical and inefficient in the past in collecting issue reports and managing cases. GRC functions across the organization have lacked an overall approach to manage issues, provide reporting and analytics, and the ability to move issue reporting and case management from the tactical approach to an integrated strategic approach that aligns with governance, risk management, and compliance strategy and processes. A centralized issue reporting and case management system saves time and money and creates an environment where the organization can measure the effectiveness and efficiencies of GRC resources.

[1]This is the official definition of GRC as found in the OCEG GRC Capability Model.

[2]For the purpose of this post, the term issues and cases will be used but should be understood to include incidents and investigations.


Upcoming Research Briefing On Issue Reporting & Case Management

Research Paper: Value of Issue Reporting & Case Management

Research Paper: Case Study on Issue Reporting & Case Management

Solution Perspectives: Solution Overviews in Issue Reporting & Case Management

Strategy Perspectives: Strategic Directions in Issue Reporting & Case Management

3 Key Findings from the Policy Management by Design Workshop

Policy management is a crucial component of a larger corporate governance, risk management, and compliance (GRC) program. Adherence to external regulations and instilling employee accountability starts with well-established organizational policies and procedures.

In GRC 20/20’s recent workshop Policy Management by Design (Workiva hosted). Attendees from across industries came together to learn about policy management best practices and how they can be implemented to modernize compliance programs.

Here are three of the top takeaways from the Policy Management by Design Workshop.

1. Policy management affects organizations of all sizes

The challenges of managing policies and procedures were common across all attendees—impacting large and small, public and private companies alike. Attendees shared several concerns for internal compliance, including:

  • Updating policies is a reactive process rather than proactive, meaning policies are often outdated
  • Searching for policies is difficult without a cross-organizational master index
  • Ownership and enforcement is insufficient
  • Version control is not available and understanding what changed in the event of an audit is problematic
  • Visibility into how policies link to other internal control frameworks is limited
  • Measurement of policy effectiveness is inadequate or unavailable

2. Policy management can be like a “choose your own adventure”

A key part of the discussion revolved around how the creation, review, and update of policies is like a “choose your own adventure,” as no two programs are alike, even within the same company. Departments see varying levels of stakeholder commitment and uncoordinated use of policy management tools. Many in the room agreed: there is a need for standardization in order to create a clear path from point A to B.

3. Consistency, consistency, consistency

Many attendees cited the challenges of policies that are managed by multiple departments. Everyone has their own way of doing things, which means the way an employee code of conduct is written, accessed, and enforced may be very different than a non-disclosure agreement (NDA). A united approach keeps everyone on the same page and should include:

  • Consistent user experience (UX): The number one criteria attendees want in policy management software is ease of use. How can leaders expect to engage employees if the tools they are given are disconnected, clunky, or require a steep learning curve?
  • Consistent policies: Intent, messaging, and enforcement among policies must match. Conflicting messages between policies weakens buy-in and generates mistrust across the organization.
  • Consistent governance: Leaders must be able to track issues or incidents back to policies in order to ensure the proper level of training. Selecting when and what to enforce is ineffective.

What should you look for in a policy management technology?

Evaluating policy management options can be daunting. Rasmussen suggested looking solutions which are proven to streamline the process of policy drafting, document management, and distribution across the team.

Rasmussen recommended comparing the following criteria when selecting a policy management solution:

  1. Ease of use and intuitiveness
  2. Defensible system of record with a precise, electronic record of who changed what policy, how, and when
  3. Access to a master index of all policies
  4. Ability to cross-reference linking to other policies
  5. Ability to link policy information across documents, spreadsheets, and presentations
  6. Tools for policy review and attestation workflow and tasking
  7. Survey capabilities

Continuing the conversation on governance, risk, and compliance

The Policy Management by Design Workshop enabled participants to learn from experts, share ideas, and network with peers on best practices for company policies. Attendees came away from the event with a number of new strategies for strengthening policy management in their own workplaces.

This post was originally published by Workiva.

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

2019 GRC User Experience Award Nominations

GRC 20/20 is accepting nominations for the 2019 GRC User Experience Awards!

Governance, risk management and compliance (GRC) is a part of everyone’s job. Too often we shovel GRC into the bowels of the organization thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back office of GRC in the organization. The user experience for GRC related solutions has been typically poor in most organizations, resulting in time-consuming and redundant processes.

The core of GRC related technologies is operationalizing GRC across the fabric of business. This involves employee engagement in GRC related solutions with systems that are simple, mobile and easy to use from the frontline of the business to the back-office operations of GRC.

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

  • Efficient:GRC engagement provides efficiency and savings in both human and financial capital. GRC should reduce operational costs by providing access to the right information at the right time for employees, and reduce the time spent searching for answers (or just giving up). GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • Effective:At the end of the day it is about effectiveness. How does the organization ensure risk and compliance is effectively understood, monitored and managed at all levels of the organization? That policies are not only read but understood, that employees are trained properly, that they know how to ask questions when in doubt, to report issues and how to be intelligent about risk in their specific context.
  • Agile:GRC engagement delivers business agility when organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate to employees GRC context to these changes. GRC engagement is measured in responsiveness to events and issues so organizations can identify and react quickly to incidents because they are reported in a timely manner.

Employee engagement in GRC requires GRC technologies to extend across the organization: Even to extended third party relationships such as vendor, suppliers, agents, contractors, outsourcers, services providers, consultants and temporary workers. To engage stakeholders at all levels of the organization requires GRC technologies are relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a social-technology permeated world. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.This quote has been attributed both to Einstein and E.F. Schumacher.

A primary directive of GRC related technologies is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The  goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

The 2019 GRC User Experience Award nominations will be accepted through 31 January 2019 (no exceptions, nomination form closes down at midnight CDT on 31 January). Recipients will be determined by end of March, write-ups for each recipient (one per category) will be completed in April and May with announcements in June 2019. Each recipient of an award will be written up and acknowledged.

The seventeen categories for submission are:

  • Audit Management & Analytics User Experience
  • Automated / Continuous Control User Experience
  • Business Continuity Management User Experience
  • Compliance & Ethics Management User Experience
  • Enterprise GRC User Experience
  • Environmental, Health &; Safety User Experience
  • IT GRC/Information Security User Experience
  • Internal Control Management User Experience
  • Issue Reporting & Case Management User Experience
  • Know Your Customer User Experience
  • Legal Management User Experience
  • Physical Security Management User Experience
  • Policy & Training Management User Experience
  • Quality Management User Experience
  • Reputation & Responsibility User Experience
  • Risk Management Value User Experience
  • Strategy & Performance User Experience
  • Third Party Management User Experience

Please submit nominations before midnight on 31 January  2019.

2019 GRC User Experience Nomination Form

Improving Policies Through Metrics

It is unfortunate that many policies are written and then left to slowly rot over time. What was a good policy five years ago may not be the right policy today. Those out-of-date but still existent policies can expose the organization to risk if they are not enforced and complied with in the organization.

Effective policy management requires that the policy lifecycle have a regular maintenance schedule. My recommendation is that every policy goes through an annual review process to determine if the policy is still an appropriate policy for the organization. Some organizations rank their policies on different risk levels that tie into periodic review cycles—some annually, others every other year, and others every three years. In my opinion, best practice is for every policy to undergo an annual review.

A system of accountability and workflow facilitates the periodic review process. The policy to be reviewed gets assigned to the policy owner(s) and has a set due date for completion. The decision from this review process will be to retire the policy, keep the policy as it is, or revise the policy to meet the current needs and obligations of the organization.

Policy owners need a thorough understanding of the effectiveness of the policy. This requires the policy owner have access to metrics on the effectiveness of the policy in the environment. Some of the things that the policy owner will want to look at are:

  • Violations. Information from hotline as well as investigation systems to determine how often the policy was violated. The data from these systems indicate why it was violated—lack of awareness, no training, unauthorized exceptions, outright violations.
  • Understanding. Completion of training and awareness programs, policy attestations, and related metrics show policy comprehension. Questions to a helpdesk or compliance department uncover ambiguities in the policy that need to be corrected.
  • Exceptions. Metrics on the number of exceptions that have been granted and the reasons they were granted. Too many exceptions indicate that the policy is inappropriate and unenforceable and needs to be revised.
  • Compliance. At the end of the day the policy needs to be complied with. Any controls that the policy governs and authorizes and the state of those controls is to be reviewed by the policy owner to determine policy effectiveness.

Environment. The risk, regulatory, and business environment is in constant change. The policy may have been written to address a state that no longer exists. Changes to the business (e.g., mergers/acquisitions, relationships, strategy), changes to the legal environment (e.g., laws, regulations, enforcement actions), and changes to the external risk environment (e.g., economic, competitive, industry, society, technology) are to be reviewed to determine if the policy needs to change.

When a policy does change it is critical that the organization be able to keep a history of the versions of the policy, when they were effective, and the audit trail of interactions around the policy. The audit train is used to present evidence of effective policy management and communication and includes a defensible history of policy interactions on communications, training, acknowledgments, assessments, and related details needed to show the policy was enforced and operational.

I am presenting in detail on this specific topic in the following webinar . . .

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Policy Management Requires Attention

Policies: A Foundation in GRC Strategies

Policies are critical to organizations as they establish boundaries of behavior for individuals, processes, relationships, and transactions. An organization must establish policy it is willing to enforce – but it also must clearly train and communicate the policy to ensure that individuals understand what is expected of them.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” [note: this definition is from the GRC Capability Model at www.OCEG.org] Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies accomplish the following:

  • Provide a framework of governance. Policy defines the organization’s governance culture and structure. Without good policy as a guide, corporate culture and control morphs, changes, and takes unintended paths.
  • Identify and treat risk. Policy articulates a culture of risk. Policy addresses risk and establishes risk responsibility, communication, appetites, tolerance, and risk ownership. Without clearly written policy, risk governance is ineffective.
  • Define compliance. Policy establishes a culture of compliance. Policy details how an organization meets its obligations and commitments and how it will stay within legal, regulatory, and contractual boundaries to avoid exposure to liabilities.

Hordes of Policies Scattered Across the Organization

Policies matter. However, the way the typical organization manages policies would leave the impression they are irrelevant and considered a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files are dispersed on a number of fileshares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures.There is no single place where an individual can see all the policies in the organization and those that apply to specific roles – thus, limiting defense of legal liability.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.
  • Rogue policies. Anyone can create a document and call it a policy. As policies establish a legal duty of care, organizations face exposure and liability with any misaligned, mismanaged, and unauthorized rogue policies.
  • Out-of-date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness.The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies that do not adhere to a consistent style. The typical organization has policies that do not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g. active voice, concise language, and reading level).
  • Policies without lifecycle management. Many organizations maintain an ad-hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations. The organization has no information about where policy is breaking down or how it can be addressed.
  • Reactive and inefficient training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.

Inevitable Failure of Policy ManagementExposes the Organization to Significant Liability

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved in supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital. It enables an organization to effectively develop and maintain the wide scope of policy it needs to govern with integrity and limit corporate liability.

The Bottom Line: The haphazard department and document-centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and implement a centralized strategy and approach to authoring, approving, maintaining, and communicating policies across the organization.


GRC 20/20 Policy Management Resources . . .

Upcoming Policy Management Workshop

Upcoming Policy Management Webinars

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Why it Makes Sense to Manage Retention with Privacy and GDPR

There is increasing focus on the protection of personal identity information around the world. Over the past two decades, we have seen increasing regulations such as US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC and others around the world. The latest, most comprehensive, and the one that is the front and center of concern to organizations globally is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive. While this is an EU regulation, it has a global impact. All organizations – wherever they are in the world – that own or process the personally identifiable information (PII) of EU data subjects must comply with the regulation. It is extra-territorial which means it applies everywhere in the world (so long as an EU data subject PII is involved).

Full compliance for organizations . . .

The rest of this article by GRC 20/20 can be found at the following link as a guest blog on the INFOGOTO blog . . .

[button link=”https://infogoto.com/why-it-makes-sense-to-manage-retention-with-privacy-and-gdpr/”]READ MORE[/button]

GDPR in Third Party Relationships Stretches Resources

As the years go by, there is increasing focus on the protection of personal identity information around the world. Over time we have seen new regulations such as US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC, and others around the world. The latest, most comprehensive, and the one that is the front and center of concern to organizations globally is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive. While this is an EU regulation, it has a global impact. All organizations – wherever they are in the world – that own or process the personally identifiable information (PII) of EU data subjects must comply with the Regulation. GDPR is not sector-specific, unlike privacy laws in other parts of the world (notably the US and Canada). It applies in all contexts and across all sectors. It is extra-territorial which means it applies everywhere in the world (so long as an EU data subject PII is involved).

The GDPR strengthens and unifies data protection of individuals in the EU. Where the former directive required each country to pass national legislation that was not consistent, the GDPR is a regulation and does not require further national legislation.

Full compliance for organizations starts May 25, 2018, and applies to any organization that stores, processes, or transfers the personal data of EU data subjects. It does not matter if the organization resides in the EU. Fines can be stiff, going as high as €20 million or 4% of global revenues of an organization, whichever is greater.

The regulation defines personal data as: “Personal data is any information related to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

To be compliant and mitigate the risk of data protection incidents, organizations should:

  • Establish a Data Processing Officer. In fact, this is required in the regulation (Articles 37-39) for all public authorities and organizations that are processing more than 5,000 data subjects in a 12-month period. This role is also called a Chief Privacy Officer.
  • Define & Communicate Policies & Procedures with Training. The foundational component of any compliance program is outlining what is expected of individuals, business processes, and transactions. This is established in policies and procedures that need to be communicated to individuals and proper training.
  • Document Data Flows & Processes. Organizations should clearly document how individual data is used and flows in the organization and maintain this documentation in context of organization and process changes. This is a key component of managing information assets of individuals.
  • Conduct Data Privacy Impact Assessments. The organization should do regular privacy impact assessments to determine risk of exposure to non-compliant management of personal identity information. When events occur, the regulation specifically requires (Article 35) a data protection impact assessment.  A new data privacy impact assessment is required if there is a change in the nature, scope, context or purposes of the organization’s processing of PII.
  • Implement, Monitor & Assess Controls. Define your controls to protect personal data and continuously monitor to ensure these controls are in place and operating effectively.
  • Prepare for Incident Response. The regulation requires data breach notification to supervisory authorities within 72 hours of detection. Organizations need defined processes in place and be prepared to respond to, contain, and disclose/notify of breaches that occur in the organization or those that may have occurred by the data processor.
  • Data Privacy by Design.  Each new service or business process that makes use of personal identity information within your organization must take the protection of such data into consideration when designing new or updating operational processes and technology builds.
  • Ensure Third Parties are Compliant. Many data protection breaches happen with third-party relationships (e.g., vendors, contractors, outsourcers, law firms, and service providers). Organizations need to make sure their third parties are compliant as well and follow strict policies and controls that are aligned with the organizations policies and controls. These data processors now have legal liability under GDPR and have direct legal compliance obligations.  One additional requirement is the data processor cannot use a ‘fourth party’ to process any personal identity information without obtaining prior authorization from their client (i.e. data controller).

It is this last bullet, the requirement to ensure third parties are compliant, that is becoming one of the most challenging elements for organizations in GDPR compliance. The dependence on third parties processing data for organizations is becoming critically important and common. Competitive markets are forcing companies to evaluate and potentially outsource more processing to specialist and cost efficient providers to improve margins and/or become more agile in product and service delivery. These third parties who either process employee or customer data need to safeguard this information, particularly in the scope of GDPR. Third party suppliers represent some of the weakest links to a company’s employee and customer data. More than 63% of data breaches can be attributed to third parties, but the organization is still accountable and liable for these breaches.

Organizations will need to take a much stricter approach when dealing with third parties in context of GDPR as they need to ensure that potential contractors handle data privacy and security in a way that is compliant to the regulation. Organizations need to complete due diligence and question their third parties’ data handling practices, how they store and delete data, who has access, their encryption policies, and essentially anything relevant to how applicable structured and unstructured digital data is handled and processed. This will also require more documentation and audit trail capabilities in order to be able to demonstrate compliance to the regulators and their EU data subjects.

This is a program that needs to be managed on a continuous basis to be compliant and minimize risk of exposure in the GDPR regulation in context of third party relationships. Organizations that attempt to manage this in documents, spreadsheets, and emails will find that this approach will lead to inevitable failure. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that are difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active data protection risk monitoring.

The Bottom Line: To address GDPR compliance in third party relationships, organizations should avoid manual processes encumbered by documents, spreadsheets, and emails. They should look to implement a solution that can manage the assessment, communication, and awareness of GDPR requirements and processes in and across third party relationships to manage compliance consistently and continuously in the context of distributed and dynamic business.


GRC 20/20 GDPR Resources

Upcoming Webinar

On-Demand/Recorded Webinar

Research Papers