IT GRC > IT Security

If you have been following my research over the course of the past 15 years you will know that I have often been frustrated when IT GRC has been understood to be confined to IT security management. In fact, you can find some of my Forrester reports (2001 to 2007) that often challenge the captivity of IT GRC by security.

IT Governance, IT Risk Management, and IT Compliance are broader than security. Yes, security is one of the most critical risks in IT departments and to the business. I am not minimizing IT security; it needs to be addressed. However, this gives no right for IT security management solutions that do IT security governance, IT security risk management, and IT security compliance to hold IT GRC hostage.

Consider . . .

  • IT Governance. IT governance is the reliable achievement of IT objectives, which should be aligned with the business. IT has many objectives that go well beyond the security of IT systems and information. If IT governance were only about security, then we might as well give the CIO and CTO job to the CISO. Governance of security is important, but IT meeting business needs and objectives today and into the future is even more critical. IT governance is centered on the performance of IT and the alignment of IT to meet business needs. Security comes in within and after this context.
  • IT Risk Management. Some of the greatest risks in IT are security risks. But there is a range of other risks that are critical as well: IT service delivery risk, risk in IT operations, IT project risk, IT planning and staffing risks, disaster recovery and business continuity, and more.
  • IT Compliance. I will not dispute that some of the greatest IT compliance challenges are about security (anyone dealing with PCI DSS and other compliance obligations knows this). The point still stands that IT compliance goes beyond IT security. Consider web accessibility requirements under ADA compliance (Americans with Disabilities Act).

What is frustrating to me is that 95% of the RFPs I assist with, and of the inquiries I answer from organizations looking for solutions (between 5 and 10 a week), assume that IT GRC is synonymous with IT security management.

To put it in a formula:

IT GRC ≠ Security Management

IT GRC > Security Management

What is encouraging in the past 12 months is that I have seen several RFPs I have assisted in writing that are taking a broader understanding of IT GRC, and this is supported by growing inquiries from organizations asking me questions about solutions with broader IT GRC capabilities.

IT departments need a 360° contextual awareness of security in IT, but they also need a 360° contextual awareness of a broader understanding of IT governance, IT risk management, and IT compliance management.

As for the market, my definition of IT GRC remains broader than IT security management. There are solutions that deliver on a broader vision of IT GRC, some more than others. A sub-segment of IT GRC consists of solutions with capabilities that focus primarily on vulnerability discovery and remediation for IT assets and on measuring risk and compliance in a security context.

On October 19th, I will be presenting the next GRC 20/20 Research Briefing, 2015: How to Purchase IT GRC Platforms. This Research Briefing is aimed at defining a framework for purchasing IT GRC solutions, whether focused on IT security management or more broadly on IT GRC management.

The goal is to provide buyers of IT GRC solutions an understanding of different types of IT GRC solutions that have a broad or narrow focus, give them a decision tree to help them define what they need, present critical capabilities needed in an IT GRC platform, and offer advice related to IT GRC and security management RFPs and evaluations.

If you are frustrated with your current IT GRC implementation or looking to purchase an IT GRC solution, then I encourage you to register and attend this Research Briefing (or watch the recording).

REGISTER: How to Purchase IT GRC Platforms (http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-it-grc-platforms/)

NOTE: for clarity, I am an advocate of IT security. If your focus is on IT security management in the context of IT GRC, there are many great solutions that deliver this; I am just stating that this is a sub-segment of IT GRC.

Now Accepting 2015 GRC Value Award Nominations

GRC 20/20 is accepting nominations for the 2015 GRC Value Awards!

Successful governance, risk management, and compliance (GRC) delivers the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment with agility. GRC solutions should achieve better performing processes that utilize more reliable information. This enables a better performing, less costly, and more flexible business environment. Clients engage GRC solutions with the goals of understanding and managing risk, ensuring compliance with obligations, improving human and financial efficiencies, enhancing transparency, and managing GRC in the context of business change.

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

  • Effective: At the end of the day it is about effectiveness. How does the organization ensure risk and compliance is effectively understood, monitored, and managed at all levels of the organization?
  • Efficient: GRC engagement provides efficiency and savings in both human and financial capital. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • Agile: GRC engagement delivers business agility, where organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate the GRC context of these changes to employees.

The 2015 GRC Value Award nominations will be accepted through October 5th (no exceptions, nomination form closes down at midnight CDT on October 5th). Recipients will be determined by mid-October with announcements in November.

The 2014 GRC Value awards are to recognize GRC solutions that have returned significant and measurable value to an organization. The nomination must be on a specific implementation/project in a verifiable client. No generalizations or consolidations of multiple clients. The GRC Value awards are to acknowledge specific QUANTIFIABLE value in a specific instance. These are cold hard facts that are empirical, measurable, and objective. Every nominee selected for final recognition (both solution provider and client) must be willing to spend up to an hour on the phone (separately, not together) to discuss the submission and validate its accuracy. Only the top nominations in each category will go through the validation process.

All award submissions are based on a single real-world implementation. Factual accuracy and integrity are necessary. GRC 20/20 will take all the nominations and select in each category the submissions that articulate the greatest quantifiable value in objective, measurable terms. We are looking for hard facts, not just soft bullet points. Time saved, dollars saved, FTEs reduced. Numbers win, generalizations lose. Every submission must have contact information for the organization that claims to have received this value. These organizations will be contacted and interviewed to determine whether they have actually received the stated value as portrayed. Any misrepresentation found will disqualify the nomination from receiving the award, and the next set of nominations in each category will be evaluated.

Each recipient of an award will be written up and acknowledged. Details of the nomination will be referred to but can be handled anonymously (if formally requested) in award announcements/communications from GRC 20/20. So the client reference case study does not have to be named and can be anonymous, but GRC 20/20 must know who the client case study is and be able to validate the facts.

The seventeen categories for submission are:

  • Audit Value Case Study
  • Automated / Continuous Control Value Case Study
  • Business Continuity Value Case Study
  • Compliance Management Value Case Study
  • Enterprise GRC Value Case Study
  • Environmental, Health & Safety Value Case Study
  • IT GRC Value Case Study
  • Internal Control Value Case Study
  • Issue Reporting & Management Value Case Study
  • Legal Management Value Case Study
  • Physical Security Value Case Study
  • Policy & Training Value Case Study
  • Quality Management Value Case Study
  • Reputation & Responsibility Value Case Study
  • Risk Management Value Case Study
  • Strategy & Performance Value Case Study
  • Third Party Management Value Case Study

Please submit nominations before midnight on October 5, 2015. Nomination forms will be accepted until this date, finalists will be selected and deeper dives conducted in mid-October, with recipients selected by the end of October and announced at the beginning of December. Award recipients will be announced to vendors at the end of October so that coordinated announcements/press releases can go out at the beginning of December.

2015 GRC Value Nomination Form

NOTE: You must be logged in (with a free account or GRC Advisor account) to see the 2015 GRC Value Nomination Form below. There is a save and continue button at the bottom of the form.

Quick Start to a GRC RFP

So far 2015 has been the busiest year I have seen in the GRC market. There is increased demand for GRC solutions in all varieties, across industries and geographies.

The GRC market is a broad market with a variety of segments. It is not all about Enterprise GRC Platforms. In fact, only about 25% of the inquiries GRC 20/20 gets from organizations are for Enterprise GRC strategies and platforms. A good 75% of the market is aimed at solving department and specific regulatory or risk area needs. There are over 700 technology solution providers in the GRC market across 16 primary market segments. In addition to this there are over 90 GRC intelligence (content) providers offering over 350 GRC intelligence solutions of various capabilities.

The challenge is: how do you find the right GRC solution for your organization?

This is where GRC 20/20 comes in. If you are looking for GRC solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website. I will do my best to see that you are responded to quickly and efficiently. GRC 20/20 is currently answering between 5 and 10 inquiries each week from organizations looking for GRC related solutions.

The next step is building out the requirements for a GRC RFP. Whether this is for an enterprise GRC platform or a very specific segment of GRC, GRC 20/20 has detailed RFP criteria for many domains of GRC. These involve over 200 requirements (sometimes many more) in a given segment of GRC that are broken into basic, common, and advanced functionality. This allows organizations to select the criteria that best fit their needs, as some require only simple functionality while others require advanced functionality.

GRC RFP criteria are available, in an engagement, in the following areas:

  • Enterprise GRC Solutions
  • Audit Management Solutions
  • Policy & Training Management Solutions
  • Risk Management Solutions
  • Third Party Management Solutions (e.g., vendor, supplier)
  • Compliance Management Solutions
  • IT GRC Management Solutions
  • Internal Control Management Solutions
  • Automated/Continuous Control Management Solutions
  • Business Continuity Management Solutions
  • Environmental, Health & Safety Management Solutions
  • Issue Reporting & Management Solutions
  • Quality Management Solutions

GRC 20/20 can be engaged on RFP projects to rapidly enable organizations to develop RFPs based on our RFP criteria library. Simply email me at [email protected] and we can scope your needs for an RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

How to Purchase Policy Management Solutions

Policy and training management technology enables and operationalizes effective, efficient, and agile policy management and awareness. The goal of this technology is to operationalize policy management processes and communication. The right policy and training management solution enables the organization to effectively manage policy and training performance across the organization and facilitates the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans.

There should be an enterprise platform for policy and training management that connects the fabric of the policy management processes, information, and other technologies together across the organization. Many organizations see policy and training management initiatives fail when they purchase technology before understanding their process and information architecture and requirements.

Organizations have the following policy management choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciliation as opposed to active policy communication and training.
  • Department-specific point solutions. A number of point solutions are deployed and purpose-built for department-specific or specific risk and regulatory policy needs. The challenge here is that organizations end up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its employees.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have policy and training management modules. However, these solutions often have a predominant focus on policy and do not always have complete capabilities in training.
  • Enterprise policy and training management platform. This can be an enterprise implementation of a point solution dedicated to policy and training management or an enterprise GRC platform that has the breadth of capabilities needed for policy and training management. This is a complete solution that addresses the range of policy management as well as training and communication needs with the broadest array of built-in (versus build-out) features to support the breadth of policy and training management processes.

The right policy and training solution choice for an organization often involves integration with ERP/HRMS systems and other GRC and business solutions to facilitate the integration, correlation, and communication of information, analytics, and reporting. Organizations suffer when they take a myopic view of policy and training management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which the business operates.

A well-conceived technology architecture for policy and training management can enable a common policy and training framework across multiple departments, or just one department as appropriate. Organizations need a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a policy management platform approach enables better performance, less expense, and more flexibility. Some of the core capabilities organizations should consider in a policy and training management platform are:

  • Integration. Policy and training management is not a single isolated competency or technology within a company. Policy and training management often requires information from human resources, vendor management systems, and other sources to automatically maintain a single record. These applications must integrate with other systems. The platform needs to integrate well with the technologies and competencies that already exist in the organization, such as ERP and GRC. So the ability to pull and push data through integration is critical.
  • Content, workflow, and task management. Content should be taggable so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. The platform should also provide standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with policies and with training metrics and processes. Contextual awareness requires that policy and training management have a central nervous system to capture signals such as changing risks and regulations, and to provide analysis and holistic awareness in the context of a changing and evolving business environment.
  • Organization management. Policies and training apply to something within the organization, whether it is a business process, a physical asset, an information asset, a business relationship, or the entire organization. The system must model the organization and map policies to where they apply.
  • Accessibility. Policies and related training are only of value if they are accessible. A policy management system must provide a complete system of record any individual can log into and find policies that apply to their role, along with required tasks, attestations, and training they must complete. The system should be available in the official languages recognized by the organization. It should also support the communication needs of the differently abled (e.g., vision impaired, etc.).
  • Training management. Training management includes support for classroom, offsite or vendor training, e-learning programs, recorded presentations, simple document delivery and attestation, registration, and attendance completions. The challenge for companies is integrating learning management systems with policy management systems. This can be done by adopting a policy management solution that provides training management. In this model, the courses, scheduling, attestations, and automatic assignment of policies and training based upon the organization matrix are integrated with workflow, task management, and monitoring. Mature policy management systems automatically reschedule training if a policy is updated and assign additional training if a person is promoted or changes roles. This greatly simplifies administration and maximizes accountability and measurability.
  • Notifications. The most effective means of providing accountability in policy management is through notifications. Notifications are delivered when policy authors receive a new work assignment, when a due date draws near, or when a task is overdue and an escalation notice must be sent to management. If a person, or perhaps a whole business unit, needs to read and attest to a revised policy, reminders and escalation are required. Policy management systems provide configuration capabilities to customize messages, provide links to tasks, consolidate notifications, and help enforce goals, plans, and accountability. Notifications must be able to integrate with the organization’s e-mail system to deliver messages and drive accountability.
  • Audit trail. If it’s not documented, it’s not done. An audit trail should record each who, what, where, and when for every document, assignment, person, and piece of content collected, developed, changed, distributed, archived, surveyed, trained, notified, and read. This ensures that when an incident occurs, an audit takes place, or a regulatory exam or investigation happens, you are prepared with accurate and timely evidence. The level of audit trail required for policy management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Intuitive interface design. Policy and training management is using leading concepts in interface design to make the user experience of applications simpler, easier to navigate, and aesthetically appealing while minimizing complexity.
  • Socialization and collaboration. Collaboration and socialization are used to conduct risk workshops, understand compliance in the context of business, and get individuals involved in policy and training at all levels of the organization.
  • Gamification. Gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making. Getting employees involved through video, comedy, and games to educate on risk, policy, and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles, and illustrations help answer questions, develop skills, and communicate a point. Employees can engage policies and training to gain points, accomplish levels, earn badges, and recognition of skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies and has taken a quiz to validate understanding. As a result they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others and champion policies in different ways. This is all linked back to GRC technology to track and promote this activity as well as broader corporate HR and collaboration technologies.
  • Mobility. A lot of employees do not have computers, and some that did are now being issued tablets. Policy and training engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments where a tablet could be deployed as the policy and training kiosk for employees. Effective policy and training is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring policies to all levels of business operations.

More on this topic will be presented in next week’s Research Briefing: How to Purchase Policy Management Solutions

With today’s complex business operations, global expansion, and ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop, maintain, communicate, and train on policies. This is why organizations are aggressively looking at policy management platforms to address this challenge, which is apparent in the number of RFPs and inquiries GRC 20/20 is involved in with organizations looking for policy management platforms.

In this Research Briefing, 2015 How to Purchase Policy Management Solutions, GRC 20/20 will provide a synthesis of what organizations should consider when purchasing policy management solutions. Attendees will learn what a policy management system does and what are basic, common, and advanced features of a policy management platform. This will be supported by a framework (decision-tree) of considerations to guide an organization when purchasing policy management solutions.

REGISTER: How to Purchase Policy Management Solutions (http://grc2020test.cloudaccess.host/events/2015-how-to-purchase-policy-management-solutions/)

Demand & Market for GRC Content & Intelligence Offerings

Governance, Risk Management & Compliance (GRC) is something every organization does, but not necessarily does well. All have some approach to GRC whether it is ad hoc and broken, or mature and integrated. Every organization on the planet does GRC in some form or fashion. The official definition of GRC, as defined by OCEG in the GRC Capability Model, is that GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

Organizations do not buy GRC; they do GRC. However, there is a market for GRC-related solutions, services, and content/intelligence. These help organizations in their doing of GRC and bring efficiency, effectiveness, and agility to GRC strategy, processes, and architecture.

A lot of attention has been given to the GRC technology solution market. I was the first to define and model this market back in February 2002 while at Forrester and have continued my nurturing and monitoring of this market. There are over 1,000 providers in the broad GRC market, which is currently an $11.89 billion market, but this does not count the professional services market, which is significantly bigger than this. The Enterprise GRC market is about 10% of this figure.

To date, not a lot of attention has been given to modeling and sizing the GRC content and intelligence market. This market is significantly represented in the above market size figure, but not completely. The reason is that a lot of GRC content and intelligence solutions are tied to and integrated into technology solutions. While this is true, many of these same GRC content and intelligence solutions can also be integrated with other GRC technologies, and many are agnostic to GRC technology.

The role of content in GRC strategies, solutions, and architecture is becoming significant. Organizations find that they need access to risk and compliance intelligence updates, regulatory changes, risk libraries, audit templates, sanction and watch lists, sample policies, and more. GRC solutions are often differentiating themselves by their ability to provide and integrate a range of content offerings into their solution to provide complete situational awareness in a dynamic business environment.

On Monday, July 13th, GRC 20/20 will be presenting our latest Research Briefing on 2015 Market Analysis: GRC Content & Intelligence Providers. In this research briefing we will discuss the latest drivers and trends for GRC content and intelligence as well as segmentation, size, and forecasting of the GRC content and intelligence market.

GRC 20/20 has mapped 91 GRC Content & Intelligence providers with more than 350 content & intelligence offerings across the following categories (there is some overlap between these categories):

  • Audit Template & Workpaper Libraries
  • Benchmarking Solutions
  • Control Libraries
  • Compliance Forms & Templates
  • Due Diligence & Financial Monitoring
  • EH&S Libraries
  • Geo-Political Risk Monitoring
  • Industry Risk & Regulatory Reporting
  • Legal Cases & Analysis
  • Loss & Incident Databases
  • Negative News Monitoring
  • Policy Libraries
  • Regulatory Intelligence (actionable insight on reg change, not just a library)
  • Regulatory Libraries
  • Reputation & Brand Monitoring
  • Risk Libraries (including KRI, risk registers)
  • Risk Forms & Templates
  • Sanction / Watch Lists (including PEP lists)
  • Third Party Forms & Templates
  • Third Party Monitoring
  • Third Party Shared Assessments
  • Threat & Vulnerability Monitoring
  • Training Libraries

The role of GRC content and intelligence integrated with technology is a growing demand and need in the GRC market. Organizations are increasingly thinking along the lines of a GRC architecture to support the range of their technology and content integration needs, and not in siloed concepts of a single enterprise GRC technology platform.

A Strategic Approach to Third Party Management, Part 2: Designing an Integrated Architecture to Support Your Strategy

This is the second in a two-part series by Michael Rasmussen on how to take a strategic approach to effectively manage and mitigate third-party risk.

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see its individual third party relationships (the trees) as well as the interconnectedness of third party relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationships and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive and cascading impact. In a linear system, effect is proportional to cause. In the non-linear world of business, third party risk is exponential. If we fail to see the interconnections of third party risk on the organization, the result is often massive and unpredictable.

The challenge is that different organizational areas are doing similar things in different ways in context of their third parties. Various departments with different responsibilities for pieces of third party oversight will communicate and interact with third parties in different ways. The chaos of these many-to-many communications is slowing down relationships in a time where they need to be more nimble and agile.

The organization needs a common process, information, and technology architecture to support third party management across the organizational departments that have a vested interest in third party relationships. Third party management is enabled at an enterprise level through implementation of an integrated third party management architecture. This offers the adaptability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third party management platform enables the organization to effectively manage risk across extended business relationships and facilitates the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.

Third Party Management Process Architecture

Third party management processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships. While third party processes can vary by organization and industry, the common components are . . .

Continued on the ELM Solutions Blog (The GRC Pundit is a guest blogger) . . .

READ MORE: http://www.wkelmsolutions.com/blog/michael-rasmussen/strategic-approach-third-party-management-part-2-designing-integrated

Now Accepting 2015 GRC Innovation Award Nominations


GRC 20/20 is accepting nominations for the 2015 GRC Innovation Awards!

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction. 

A primary directive of innovation is to provide experience that is simple yet complete. Like Apple with its innovative technologies, GRC solutions must approach solutions in a way that re-architects the way it works as well as the way it interacts. The goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right context, in the right place, when needed. It’s about bringing interaction and engagement to GRC process and information. GRC solutions should be intuitive.

2015 GRC Innovation Award nominations will be accepted through July 12th (no exceptions, nomination form closes down at midnight CDT on July 12th).

NOTE: the 2015 GRC Value Award process (our other award process) will begin on August 1st. Nominations have to be in before the end of August. Recipients will be determined by the end of October with announcements in November.

To establish a proper perspective, please understand what the GRC Innovation Awards are NOT:

  • It is NOT to recognize how one product has a better feature or feature set than a competitor
  • It is NOT to recognize competitive differentiators
  • It is NOT a comparison or endorsement of solutions overall (like a Forrester Wave or Gartner Magic Quadrant)

The GRC Innovation Awards recognize innovations in GRC related solutions that are revolutionizing Governance, Risk Management, and Compliance (GRC). GRC Innovation Awards recognize solutions that show something truly unique, game changing, revolutionary, and new. If what you are proposing has been in your feature set for more than 12 months, it is not new and fresh.

The 2015 GRC Innovation Awards are considered across 17 categories of GRC functional areas and from two perspectives in each. The two perspectives from which awards can be submitted are:

  • User Interface & Experience. GRC 20/20 is putting specific focus on the fact that GRC solutions do not have to be ugly and cumbersome.
  • Other Innovation. Any innovation that is not tied to user interface & experience.

The seventeen categories for submission are:

  • Audit Solutions
  • Automated / Continuous Control Management
  • Business Continuity Solutions
  • Compliance Management Solutions
  • Enterprise GRC Architecture & Platforms
  • Environmental, Health & Safety Solutions
  • Information & Technology GRC Solutions
  • Internal Control Management Solutions
  • Issue Reporting & Case Management Solutions
  • Legal Management Solutions
  • Physical Security Solutions
  • Policy & Training Solutions
  • Quality Management Solutions
  • Reputation & Responsibility Management Solutions
  • Risk Management Solutions
  • Strategy & Performance Management Solutions
  • Third Party Management Solutions

To be innovative requires that the submission be game changing and completely unique from what the competition is doing. Any submission that is just another “me too,” or “we are better than the rest” type of submission will not cut it and will quickly go to the digital trash bin.  We want to recognize vendors that are thinking outside of the box to boldly take GRC where no solution provider has gone before.

Please submit nominations before midnight on July 12, 2015.  Nomination forms will be reviewed in July, finalists selected and deeper dives in August, with recipients selected by end of August and announced in early September.  Award recipients will be announced to vendors at the end of August so that coordinated announcements/press releases can go out in the beginning of September.

NOMINATION FORM: http://grc2020test.cloudaccess.host/2015-grc-innovation-award-nomination-form/

Considerations When Purchasing Policy Management Solutions

This is the second in a series of posts on buying considerations when purchasing GRC solutions.  The GRC Pundit first looked at overall considerations when purchasing GRC solutions, and in this post he turns his focus to Policy Management Solutions.

Policy management is one of the hottest segments in the GRC market. This is apparent in the number of RFPs and inquiries GRC 20/20 is involved in from organizations looking for policy management platforms.

Consider that policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values and ethics that define the culture and expected behavior of the organization; without policy there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Policies attach a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policies can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal and regulatory proceedings to place culpability. In this context, organizations are struggling with the following issues:

  • Policies haphazardly managed in documents, fileshares, and poorly implemented portals
  • Different departments going in different policy directions
  • Lack of centralized inventory of all organization policies
  • Need to have a defensible audit trail of all interactions with a policy and training
  • Reactive and inefficient training programs
  • Policies that do not adhere to a consistent style, template, format
  • Rogue policies that put liability and exposure on the organization
  • Out of date and inconsistent policies
  • No tracking of policy exceptions

Many organizations lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An organization must establish policy it is willing to enforce — but also must clearly train and communicate policy to make sure that individuals understand what is expected of them.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the policies needed to reliably achieve objectives while addressing uncertainty and act with integrity. This is why organizations are aggressively looking at policy management platforms to address this challenge.

Basic, Common & Advanced Policy Management Solutions

GRC 20/20 has developed an extensive framework of RFP requirements for policy management platforms and advises organizations on RFP development and solutions the organization should be considering. GRC 20/20 covers 144 solutions in the Policy & Training Management Segment of the GRC market.  Eighty-eight of these solutions do policy management, and forty-four do training management (the overlap if you add these together are solutions that do both). Every organization has unique requirements and expectations for policy management. GRC 20/20 has detailed over 200 requirements specific to policy and training management solutions in the GRC market. Overall, policy management solutions can be mapped into the following areas:

  • Basic Policy Management Capabilities. These solutions tend to focus on the back-end of policy management, the development, approval, maintenance of policies. Policies are typically managed as documents and imported into the system as documents or PDFs. Solutions in this area are focused on managing workflow and tasks for managing and maintaining policies. They often have some basic employee portal capabilities aimed at completing tasks such as reading policies and attestation (e.g., certification, read and understood).
  • Common Policy Management Capabilities. These solutions are more built out in feature sets that offer a broader range of capabilities. This includes a stronger user portal and experience to navigate policies, the ability to build forms related to policies and manage workflow and tasks around forms, map policies to regulations and other obligations, and move beyond treating policies as documents to import into the system and have integrated word processing capabilities. These solutions also have capabilities to manage policy exemptions/exceptions, and measure policy compliance. While the employee experience is stronger than those offering basic capabilities, it is still the back-end management of policies that is central to these solutions.
  • Advanced Policy Management Capabilities. Advanced policy management solutions have all the common attributes, but take on more advanced capabilities (note, advanced capabilities extend common capabilities and not all policy management solutions support the range of advanced capabilities). Advanced capabilities tend to put a stronger focus on the employee experience – the front-end of policy management – and not just the back-end experience. Advanced capabilities include:
    • Employee portal experience is clearly stronger offering an intuitive, interactive, personal, and social policy experience for employees. Policies are most often treated as HTML and not PDFs or word processing documents, and the display of policies allows for hyperlink pop-ups for clarification and resources as well as embedding training and other policy tools.
    • Embedded training in which the solution has a full LMS capability to deliver training within the policy portal for employees and they do not have to bounce around through hyperlinks.
    • Social and gamification. As part of the employee portal, the solution picks up on social aspects: employees being able to share policies with other employees, provide feedback and interaction on policies, and implement employee avatars with badges for policy and training tasks.
    • Mobility. There are dedicated tablet and phone apps offering policies to employees. In fact, GRC 20/20 has been involved in several interactions with organizations looking to use tablets as policy and training kiosks for employees in retail, food and beverage, manufacturing, and logistics/transportation.
    • Integration with HR management systems to push policy to new employees or those that have changed roles in the organization.
    • Integration with other GRC modules and solutions such as incident management to map incidents to violations of policy. Or risk management to map risks to policies.
    • Advanced policy authoring and editing capabilities in which policy authoring is done in a browser interface with full redlining, commenting, and editing capabilities.
    • Regulatory change management in which not just documents but chapter and verse of policies is mapped to chapter and verse of regulations and there are clearly defined processes to manage policies in the context of regulatory change.
    • Federated policy management that allows large distributed and diversified organizations to have layers of policy management committees and groups to govern complex policy lifecycles.

These summaries of basic, common, and advanced capabilities describe some attributes of these areas drawn from GRC 20/20’s broader RFP requirements and analysis of policy management solutions. Organizations need to select what best fits their needs. More advanced capabilities often come at a more significant cost for the policy management solution.

The most significant trend GRC 20/20 has seen in policy management RFPs and organizational needs is the shift of focus to the front-end of policy management. Historically, the requirements for policy management have been largely on the back-end management and maintenance of policies with only very basic requirements in the front-end communication and attestation of policies.

Over the past three years there has been a growing trend to put equal or more importance on the front-end communication and access of policies. This is in response to organizations desiring to create a single portal for all organization policies, engage employees, and provide defensible audit trails and compliance records. One organization even requested that the policy portal have a capability to have a green light in a corner if the policy subject matter expert is at their desk and pop-up a box to ask them a question (they used a direct analogy to online shopping with a ‘can we help you’). The overall trend is that organizations desire an engaging policy portal for employees as much as they do the back-end development of policies.

CASE IN POINT: I did the design and layout of the OCEG GRC Illustration: Engaging Employees With Interactive Policies. I have had several organizations specifically reference this illustration and state “this is what we want, who does this.”


Questions & Considerations to Ponder on Policy Management Solutions

Organizations considering policy management solutions should ask themselves the following questions to help guide them in developing requirements and engaging solution providers:

  • What are my back-end policy lifecycle management requirements?
  • What are my front-end policy portal and employee experience requirements?
  • Is the front-end portal as important as the back-end?
  • Do we want to develop policies in standard word processors and import them as documents/PDFs into the solution to manage?
  • Do we want to develop policies within the solution/browser interface?
  • Do we need to map policies to hotline reports, issues/incidents, controls, or risks?
  • What are our requirements for regulatory change management in context of keeping policies current?
  • What are our requirements for having a full audit and compliance trail of all interactions between policies and employees?
  • Do we desire an integrated LMS capability to manage policies and training as a collective whole in an integrated portal?
  • Do we need the capability to manage policy related forms and manage those forms through workflow and tasks for review and approval/disapproval (e.g., gifts and entertainment, conflict of interest, medical leave, political contributions)?
  • What are our mobility requirements for policy and training on tablets and smartphones?
  • Do we need to integrate with HR management systems to automate the communication of policies to new employees and those that have changed roles?
  • Do we need features of socialization and gamification on the policy portal?
  • What are our internationalization and language requirements for both the back-end management of policies and the front-end policy portal?
  • What are our requirements to track and manage policy exceptions and exemptions?
  • Do we need a solution that can support federated policy management to address the need for multiple layers of policy committees and a complex policy lifecycle?

These are a subset of a broader set of questions that will be categorized and mapped in the forthcoming Buyers Guide: Policy Management Solutions, and are further detailed in GRC 20/20’s RFP requirements for policy management solutions. GRC 20/20 will be releasing the following research in the next several weeks:

  • Buyer’s Guide: Policy Management Solutions. The Buyer’s Guide goes into a detailed framework in how to approach purchasing policy management platforms.
  • Strategy Perspective: Policy Management by Design. The Strategy Perspective focuses on best practices in defining a policy governance committee, framework, lifecycle, and architecture (written from context of GRC 20/20’s Policy Management by Design Workshops).
  • Online directory of Policy & Training Management Solutions. The directory lists policy and training management solutions that GRC 20/20 covers in the market and is the first part of the broader GRC Directory being rolled out in stages.
  • Market Perspective: Policy & Training Management Solutions. This details the overall drivers, trends, market size, growth, and forecasting of the Policy & Training Management Market.

I have shared my thoughts on some buying considerations of policy management solutions. I would love to hear your thoughts and reaction to this as I work on publishing this series of GRC 20/20 research.

A Strategic Approach to Third Party Management, Part 1: Defining Your Strategy

This is the first in a two-part series by Michael Rasmussen on how to take a strategic approach to effectively manage and mitigate third-party risk.

The Modern Organization: An Interconnected Mess of Relationships

Traditional brick and mortar business is a thing of the past – physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. To take some liberties with the seventeenth-century English poet John Donne, “No [organization] is an island unto itself, every [organization] is a piece of the broader whole.”1

Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees.

In this context, organizations struggle to identify and govern their third party business relationships with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations’ problems that directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

The Inevitability of Failure

The fragmented governance of third party relationships through disconnected silos leads the organization to . . .

Continued on the ELM Solutions Blog (The GRC Pundit is a guest blogger) . . .

READ MORE: http://www.wkelmsolutions.com/blog/michael-rasmussen/strategic-approach-third-party-management-part-1-defining-your-strategy

Considerations When Purchasing GRC Solutions

Every organization does GRC. . .

It makes no difference whether you use the acronym ‘GRC’ or not, every organization has some approach to governance, risk management, and compliance. Your organization’s approach to GRC may be:

  • Ad hoc and fly by the seat of your pants;
  • Decentralized and siloed; or,
  • Collaborative and integrated.

No matter an organization’s approach to GRC, the use of technology is pervasive in GRC processes. Technology for GRC can be the use of documents, spreadsheets, and emails; focused applications deployed to meet specific GRC needs; or enterprise GRC platforms and architectures that pull many functions together.

GRC 20/20 Research is deeply focused on analyzing, monitoring, differentiating, and forecasting the market for GRC solutions. In this context I have mapped over 600 solutions into the GRC market. These range from solutions focused on specific areas of GRC (e.g., policy management, investigations, health & safety, legal matters, third party management) to GRC platforms that bring multiple modules together at a department or enterprise level. In the course of an average week, GRC 20/20 answers between 5 and 10 inquiries from organizations looking for GRC related solutions and assists many organizations in RFP development, management, and evaluation of solutions.

Over the next few months I will be doing a regular series of posts on buying considerations in different areas of GRC. However, before getting into specific areas, I want to share considerations organizations should have when looking at any type of GRC related solution.  The guidance provided below is applicable whether you are looking for something very narrow such as occupational health & safety, or very broad such as enterprise GRC platforms.

When considering GRC related solutions, organizations should:

  • Think GRC Architecture and not GRC Platform. There is no GRC silver bullet that does everything. Solution providers may sincerely think they can do it all but they do not. Yes, there can be a core platform that becomes the hub of GRC integration and reporting but it is often not the only GRC solution involved. Organizations often have several GRC related solutions deployed for different purposes. Just this past week I had dinner with individuals from three major financial services organizations that all had deployed one solution for operational risk management and another for IT GRC. I have been seeing this for years. Organizations are too focused on trying to find one platform to be all things and then find they have watered down areas of GRC and forced different GRC groups to work to the lowest common GRC denominator.
  • Be Diligent in Checking Client References. Ask the hard questions. Push them to find out what they do not like about the solution, find out where it has under-delivered, how issues were responded to. Understand that when solution providers give you a reference it is usually vetted and it is a decision-maker that purchased the product that has a vested interest in the product, and the solution provider treats them like royalty. I talk to these references, but I also insist on talking to someone else who uses the solution on a daily basis on a separate call without others on the line. Often the decision-maker will sing the solution’s praises on the first call and the other call you will hear the truth of the implementation and frustration with the solution.
  • Be Wary of the RFP “Yes, We Do That” Responses. This really frustrates me. Some solution providers basically answer ‘yes’ to nearly every criterion in an RFP. They simply believe it is a matter of ‘configuring’ their solution to support the requirement. They do not tell you it will be a six-month project to configure it for this feature. This is why organizations have to get the solutions and test drive them themselves. I have gotten to the point that I add a field in RFPs that asks whether it is a native feature existing out of the box in the solution or something that has to be configured and built out.
  • Know the Solution Provider’s Expertise. A common complaint I am getting these days is that the GRC solution providers’ developers have no clue about GRC. Some of the most basic fundamentals of risk management have to be explained over and over again. Everything sounded great throughout the sales process, but as soon as the deal was closed and the implementation began, the implementation team and supporting developers turned out to be ignorant of GRC concepts. Make sure that you have a good understanding of the implementation team’s expertise and background in GRC, and of the developers supporting that team. Note that I have mentioned developers a few times: several of the leading solutions are very bespoke and require a lot of build-out for each implementation.
  • Be Cautious with Analyst Rankings and Advice. In full disclosure – I am an analyst. I spent seven years at Forrester and now eight on my own. My concern over analyst reports and rankings is growing at an alarming rate. The recent series of Magic Quadrants from Gartner has put me into a state of shock. Organizations rely on these reports to make decisions. Yes, Gartner has a veiled warning that solutions in the upper right may not be the best fit for all organizations. Still, the perception and ranking marks the ones in the furthest upper right as the best. Some advice:
    • Consider Solutions Beyond the ‘Leaders.’ I hate the two-dimensional rankings of the Forrester Wave and Gartner Magic Quadrant. There is a natural assumption that those in the upper right are the best solutions, when in reality it is someone in the lower left, or not even in the report, that may be the best fit for your organization. Many solutions cannot even get into the Gartner and Forrester reports based on their criteria for number of offices, global presence, and revenue. These are still very capable solutions and are often more agile, using newer and more innovative technologies with better user interfaces. A good RFP and evaluation often has a mixture of those evaluated and ranked highly by major analyst firms as well as a few that are not covered or did not score as highly.
    • Gartner does not publish criteria. Seriously, why can’t this be transparent? I guess this is the magic in the magic quadrant as Gartner does not want anyone to know the criteria and scores of each solution. A research organization should be able to publish its criteria, methodology, and scores or it should not call itself a research organization. Forrester does publish criteria and scores though they have been rolling up GRC Waves and it has become very high-level and lacks usefulness.
    • Reliance on video demos and questionnaires. Gartner does not have a consistent process for Magic Quadrants across their research, and even in the range of GRC Magic Quadrants they just published there is variance. However, the general approach for the recent series of GRC Magic Quadrants has been having GRC solution providers fill out a survey questionnaire and submit a video demo of the solution. For some Magic Quadrants they did not dig deeper than this. Companies are investing hundreds of thousands of dollars in GRC solutions based on Gartner rankings which in turn are based on a video demo and survey. This simply turns the Magic Quadrant process into a video beauty pageant.
    • Client references done by surveys. On top of this, Gartner did online client surveys for reference checks and randomly called a few to fact check responses. This is ridiculous. Subscribers pay tens of thousands of dollars for research access. Gartner sells redistribution rights to Magic Quadrants to vendors for thousands of dollars. Organizations are making big purchasing decisions based on these reports. Get on the phone and talk to all the client references and grill them, don’t just send them survey questions. BTW, Gartner’s day rate for consulting is over $15,000 a day which is higher than most Wall Street lawyers. Earn your money and get on the phone with clients and roll-up your sleeves and dig deep into the solutions.
    • Rankings that simply do not make sense. I look at the Magic Quadrant graphic for operational risk management and scratch my head in bewilderment. The plotting is a mystery to me. Some marked as Leaders have deep operational analytic capabilities, they have operational loss data and metrics tied to loss databases aggregating industry loss information to go into capital modeling for operational risk. These are solid solutions. Then you have others in the Leaders category that barely skim the surface of operational risk management with limited analytical capabilities. These are apples and oranges. Those that have very deep operational risk capabilities are being plotted next to others that have limited capabilities. I guess that is to be expected when evaluation is being done by submitting a video demo and questionnaire. Under those circumstances anything can be made to look better – it is like airbrushing magazine models. This was again verified this past week at the dinner I referenced above, all three major financial services firms picked one of the leaders for operational risk management because of their deep operational risk analytic capabilities while not choosing the incumbent already being used for IT GRC which scores further in the upper right in Gartner’s operational risk Magic Quadrant. Go figure . . . I could state the same for the IT Risk Management Magic Quadrant.

This is some collected advice and experience I have from a few decades of experience. What is your experience and advice to organizations in evaluating solutions related to GRC?