Benchmarking Your Policy Management Program: Deficient, Common & Leading Practices

Corporate policies define boundaries for the behavior of individuals, business processes, relationships, and systems. At the highest level, policy starts with a code of conduct, establishes ethics and values to extend across the enterprise, and authorizes other policies to govern the entire organization. Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended. Policy attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must closely manage and monitor policy in place. Policy is a necessary means to clearly define, articulate, and communicate boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy.

Organizations often lack an auditable means of policy maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved supporting the business, including internal employees and third parties.

If policy documentation doesn’t conform to an orderly style and structure, uses more than one set of vocabulary, is located in different places, and doesn’t offer a mechanism to gain clarity and support (e.g., a policy helpline), the organization is not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

GRC 20/20’s Effective Policy Management Benchmark provides a framework for an organization’s approach to policy management to be measured against its peers within industry as well as organizations of similar size and structure across industries. The purpose is to identify whether an organization is Below Parity, at Parity, or Above Parity relative to its peers in the context of policy management.  Where an organization is significantly lacking ability it is ranked Inferior, while an organization that demonstrates outstanding ability is referenced as Best in Class.

The Effective Policy Management Benchmark can be used at a department or enterprise level. The Benchmark comparison is based on GRC 20/20 research and interactions. These interactions include projects, surveys, inquiries, and advisory engagements. The rankings are a guideline and represent GRC 20/20’s opinion and professional experience working with a variety of organizations across industries.

There is not a one-size fits all approach to policy management.  One organization’s approach to policy management will vary from another depending on size, nature of the business, scope of policies, resources, and executive sponsorship of a policy management program.  Care must be given when measuring an organization as many facets need to be taken into consideration.

GRC 20/20’s Effective Policy Management Benchmark synthesizes GRC 20/20 research and analysis of the following six key Policy Management Program components:

  1. Governance of Policy Management Program. Policy management program governance comprises the program management architecture, policy review cycles, executive “tone from the top” on policy governance, extending policy governance to mergers and acquisitions, compliance monitoring and assurance activities, and management reporting and dashboards.
  2. MetaPolicy.  The MetaPolicy, often referred to as the “policy on policies,” is the foundation on which to build an effective policy management program. It defines the critical elements of the organization’s policy management program. 
  3. Supporting Policy Management Resources.  Supporting the MetaPolicy, is an array of other resources to build out the policy governance process within an organization.  
  4. Policy Management Lifecycle.  The policy management lifecycle is the actual operation and process of the MetaPolicy in action to develop, manage, and maintain policies throughout their effective use. Failure to manage policy lifecycles results in policies that are out-of-date, ineffective, and not aligned to business needs. It also opens the door to liability when an organization is held accountable for a policy that is not appropriate or properly enforced. 
  5. Operational Effectiveness of Policy Management Program.  The Operational Effectiveness component of the Effective Policy Management Benchmark addresses how effectively the GPM and policy management lifecycle are implemented and managed across the organization. 
  6. Technology Enablement of Policy Management Program. A well-conceived technology strategy for policy management can enable a common policy framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a governance, risk management, and compliance (GRC) technology approach to policy management enables better performance, less expense and more flexibility. 

GRC 20/20 does a number of benchmark projects for organizations.  The Effective Policy Management Benchmark is one among several, others include Effective GRC Management, Effective Risk Management, and Effective Compliance Management Benchmarks.

The latest GRC 20/20 research paper that provides more detail on the Effective Policy Management Benchmark has recently been published and can be accessed at the link below. It is free to access but requires registration on the GRC 20/20 Research website.

ACCESS BENCHMARK RESEARCH

There are also a variety of upcoming webinars GRC 20/20 is presenting on the topic of Policy Management in August. These include:

Where Risk (and GRC) Technology Fails

Risk management is a huge topic these days with organizations looking for solutions to help them manage enterprise and operational risk across the departments and functions. However, there are many risk management technology projects that have failed to meet expectations, have gone over budget, and well past project deadlines.

Why? . . . there are many reasons. 

One is simply that the organization is trying to do too much too fast. They are overly ambitious on what can be achieved in a given time frame. This is particularly true when risk management has been an ad hoc “fly by the seat of our pants” operation (Urban Dictionary: to pilot a plane by feel and instinct rather than by instruments, to proceed or work by feel or instinct without formal guidelines or experience). Many areas of the organization have not thought through risk management and then it is pushed upon them.

Another reason is a failure to align risk with business strategy, objectives, and performance. The ISO 31000:2009 definition of risk is “risk is the effect of uncertainty on objectives.” This might be done well at the project or operational process level, but as you roll out enterprise and operational risk technology the organization fails to provide the alignment of risk to business strategy and objectives.

The primary and disastrous failure of risk technology implementations I want to focus on in this post is risk normalization and aggregation. This is something that the major analyst firms leave out of their reviews and ranking of GRC solutions (note: GRC is a broad market and includes the range of risk management technology solutions available).

Risk normalization is simply the ability to compare apples to apples. If one department’s high risk is another department’s low risk, this should be evident in risk reporting. Risk aggregation is the ability to take risks from different areas of the business and roll them up into an enterprise view of risk that makes sense. Risk normalization and risk aggregation work hand in hand. To aggregate risks properly requires that the technology have the logic to do risk normalization.

CASE IN POINT: I will never forget a panel I hosted at a GRC conference. On this panel was the Corporate Secretary/Assistant General Counsel for a major financial services brand. This role was responsible for the overall risk and GRC reporting that went to the Board of Directors. He stated to all in attendance that his Board never wants to see a risk report from their __________ GRC platform again (consistently a leader in major analyst reports).  Explaining this further, he stated the risk reports were broken and meaningless, as one department’s high risk was discovered to be another department’s low risk and everything globulated to the center on heat maps and made no sense (my view of risk heat maps is that they are often very broken and misused).

If Department A’s risk exposure is $10 million and ranked a high risk and Department B’s risk exposure is $100 million and ranked a medium risk, the overall risk report needs to reflect this accurately.  Organizations run the ‘risk’ that Department A’s risk will be focused on while Department B’s may be overlooked. This is an oversimplification; there are many other variables such as frequency, probability/likelihood, velocity, and more to consider as well.

The challenge is that many risk management solutions (including some leading GRC platforms) were developed as a department level solution for risk.  They have a fairly flat view of the world. This leads to two points of risk technology failure in solutions that do not have native approaches for dealing with risk normalization and aggregation:

  1. Force everyone into one flat view of risk. This essentially pushes every department and function into the lowest common denominator. All have to manage risk to a common set of criteria and scoring, and individual departments lose out on the depth and detail they need within their specific context. It limits the ability to get a true department perspective of risk for the sake of enterprise risk reporting that is in turn degraded and can no longer be trusted, as departments lose the granularity needed to accurately measure and manage risk to their specific needs. There is a need to measure, model, and analyze risk in different ways in different departments/functions of the organization. The way an organization measures and models market risk will be different from how it models health & safety risk.
  2. Expensive services engagements to build it out. Solutions that do not have risk normalization and aggregation as native features inherent in their technology will address this issue through implementation projects that are expensive and take a lot of time. GRC 20/20 has seen risk/GRC implementation projects that typically span from six months to over two years to roll out. The most common reason is customizing the platform to do risk normalization and aggregation. Then the platform breaks during the next upgrade process because of the behind-the-scenes customization of logic and rules done to support risk normalization and aggregation. 
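To make the normalization and aggregation problem concrete, here is an added example (not code from the GRC 20/20 post or from any GRC platform). It assumes two constructed departmental rating scales (a 3-point scale for Dept A, a 5-point scale for Dept B) and constructed sample risks carrying the exposure and likelihood figures the post says must be considered. The flat approach compares departmental labels as if they were on one scale; the normalized approach converts each risk to expected annual loss, bands it on one enterprise-wide scale, and rolls it up.

```python
"""Added example (not from the GRC 20/20 post): normalizing departmental
risk ratings onto a common scale before aggregating them enterprise-wide.
All scales, thresholds and sample risks below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    department: str
    name: str
    rating: str           # label in the department's own vocabulary
    exposure_usd: float   # monetary exposure estimated by the department
    likelihood: float     # annual probability of occurrence, 0..1


# Constructed: each department scores risk on its own ordinal scale.
DEPT_SCALES = {
    "Dept A": ["low", "medium", "high"],
    "Dept B": ["minor", "moderate", "significant", "major", "critical"],
}

# Constructed enterprise-wide bands on expected annual loss (USD, upper bound).
ENTERPRISE_BANDS = [
    (1_000_000, "low"),
    (10_000_000, "medium"),
    (50_000_000, "high"),
    (float("inf"), "critical"),
]

# Constructed sample register: note Dept B's "moderate" carries far more
# exposure than Dept A's "high".
SAMPLE_RISKS = [
    Risk("Dept A", "Vendor outage", "high", 10_000_000, 0.5),
    Risk("Dept B", "Trading system failure", "moderate", 100_000_000, 0.3),
    Risk("Dept A", "Data entry errors", "low", 500_000, 0.9),
    Risk("Dept B", "Regulatory fine", "critical", 20_000_000, 0.1),
]


def naive_flat_ranking(risks):
    """The flat approach the post warns about: each label's position within
    its own department's scale is treated as a score on one enterprise scale,
    so a 5-point 'critical' always outranks a 3-point 'high' regardless of
    the underlying exposure."""
    def local_index(r):
        return DEPT_SCALES[r.department].index(r.rating)
    return [(r.department, r.name, r.rating)
            for r in sorted(risks, key=local_index, reverse=True)]


def expected_annual_loss(risk):
    """Common unit for normalization: exposure weighted by likelihood."""
    return risk.exposure_usd * risk.likelihood


def normalize(risk):
    """Map a risk onto the enterprise band scale using its expected loss,
    ignoring the department's own label."""
    eal = expected_annual_loss(risk)
    for upper_bound, label in ENTERPRISE_BANDS:
        if eal < upper_bound:
            return label
    return ENTERPRISE_BANDS[-1][1]  # unreachable: last bound is infinite


def aggregate(risks):
    """Roll departmental risks up into an enterprise view: expected loss per
    department, the enterprise total, and all risks ranked on the common scale."""
    by_department = {}
    for r in risks:
        by_department[r.department] = (
            by_department.get(r.department, 0.0) + expected_annual_loss(r))
    ranked = sorted(risks, key=expected_annual_loss, reverse=True)
    return {
        "by_department": by_department,
        "enterprise_total": sum(by_department.values()),
        "ranked": [(r.department, r.name, normalize(r)) for r in ranked],
    }


if __name__ == "__main__":
    print("Flat ranking (labels only):")
    for row in naive_flat_ranking(SAMPLE_RISKS):
        print("  ", row)
    result = aggregate(SAMPLE_RISKS)
    print("Normalized ranking (common enterprise bands):")
    for row in result["ranked"]:
        print("  ", row)
    print("Expected annual loss by department:", result["by_department"])
    print("Enterprise total:", result["enterprise_total"])
```

Run as a script, the flat ranking places Dept B's "critical" regulatory fine first and its "moderate" trading system failure third, while the normalized ranking puts the trading system failure (USD 30M expected loss) at the top and the regulatory fine (USD 2M) third. In a real platform the band thresholds and the loss model would be configuration owned by the enterprise risk function, and departments would keep their own scales for local use; the point is that the rollup logic converts to a common unit before it compares or sums anything.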

BOTTOM LINE: when buying risk/GRC technology solutions that are to do risk reporting across risk areas, make sure that the solution has been designed from the ground up to measure and model risk in the variety of ways different areas need and that the solution supports risk normalization and aggregation without the need for expensive customization and implementation projects. Further, do not assume that a ‘Leader’ in analyst reports actually has addressed risk normalization and aggregation because many of them have not. Failure to consider this may mean expensive implementation projects that take more time than expected, result in broken upgrades, and outright scrapping the platform to move to a different solution. GRC 20/20 has seen it all happen.

I encourage you to share your experience and insight into this issue below.  It is one that GRC 20/20 has encountered several times in the market. Be bold; help other organizations understand this issue and its impact if not considered up front.

If you are considering risk technology to use within your environment, click on the Ask Inquiry button to the right.  GRC 20/20 offers complimentary inquiries to organizations evaluating GRC technology, solutions, and services. We are here to provide you insight into the market to make intelligent choices. GRC 20/20 can give you specific insight into what solutions do what aspects of risk management and GRC well and which do not.

Mature Governance, Risk Management & Compliance Needs an Enterprise Architecture Approach

Continued on the MEGA Corporate Governance Blog (The GRC Pundit is a guest blogger) . . .

READ MORE: http://community.mega.com/t5/Blog/Mature-Governance-Risk-Management-amp-Compliance-needs-an/ba-p/9315

2014 GRC Value Award Nominations are Being Accepted

The 2014 GRC Value awards are to recognize GRC solutions that have returned significant and measurable value to an organization.

Whether technology, content, or professional service providers – all can submit a nomination about a solution or service.  However, the nomination must be on a specific implementation/project in a verifiable client.  No generalizations or consolidations of multiple clients.  The GRC Value awards are to acknowledge specific QUANTIFIABLE value in a specific instance.  Every nominee, if selected for final recognition (both solution provider and client), must be willing to spend up to an hour on the phone (separately and not together) to discuss the submission and validate its accuracy.  Only the top nominations in each category will go through the validation process. 

All award submissions are based on a single real-world implementation.   Factual accuracy and integrity is necessary.  GRC 20/20 will take all the nominations and select in each category the submissions that articulate the greatest quantifiable value in objective, measurable terms.  We are looking for hard facts not just soft bullet points.  Time saved, dollars saved, FTEs reduced.  Numbers win, generalizations lose.  Every submission must have contact information of the organization that claims to have received this value.  These organizations will be contacted and interviewed to determine if they have actually received the stated value as portrayed.  Any misrepresentation of issues found will disqualify the nomination from receiving the award and the next set of nominations in each category will be evaluated.   

Each recipient of an award will be written up and acknowledged.  Details of the nomination will be referred to but can be handled anonymously (if formally requested) in award announcements/communications from GRC 20/20.

Nominations must be received by June 30, 2014.  Recipients will be notified in August 2014 at least two weeks before formal announcements/publications are made in early September 2014.

Download the nomination form:

2014 GRC Value Nomination Form.docx


Inevitable Failure: Disconnected Risk & Policy Management

Business is complex.  Gone are the years of simplicity in business operations.  Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management and compliance (GRC) professionals throughout the business.

The modern organization is:

  • Distributed.  The smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner and client relationships. Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations.  An interconnected mesh of relationships and interactions that span traditional business boundaries now defines the organization.  Complexity grows as these interconnected relationships, processes and systems nest themselves in intricacy, such as deep supply chains.
  • Dynamic.  Organizations are in a constant state of flux.  Distributed business operations and relationships are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology and processes while keeping current with changes to risk and regulatory environments around the world. The multiplicity of risk environments that organizations have to monitor spans regulatory, geo-political, market, credit and operational risks across the globe.  Regulatory change has more than doubled in some industries in the past five years and has grown for all industries.  Managing risk, regulatory and business change on numerous fronts has buried many organizations.
  • Disrupted.  The explosion of data in organizations has brought on the era of “Big Data” and with that we now have “Big GRC Data.”  Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes and relationships to see the big picture of performance, risk and compliance. The velocity, variety, and volume of data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Many organizations are hindered when aspects of GRC are managed in disconnected silos that do not share information and collaborate.  Mature GRC programs are those that have an information architecture that can show the relationship between objectives, risks, obligations, policies, controls and events.  The problem is that organizations lack a solid information architecture to map information and therefore struggle to build knowledge out of remote data points. 

A backbone of GRC is risk management.  Organization objectives, performance and strategy are the primary alignment of GRC, but in the bowels of GRC processes it is risk management that provides the critical linchpin that connects GRC processes and activities together.  To effectively manage risk requires that the organization have a thorough context of risk relationships to other aspects of GRC such as policies, controls and events. However, the dynamic and global nature of business is challenging for risk management. As organizations expand operations and business relationships their risk profile grows exponentially. Organizations need systems and information to monitor risk to business internally (e.g., strategy, processes and internal controls) and externally (e.g., legal, regulatory, competitive, economic, political and geographic environments) to stay competitive. What may seem an insignificant risk in one area can have profound impact on others. This requires that the organization be thoroughly risk intelligent — the ability to think holistically about risk and uncertainty, speak a common risk language and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities and creating lasting value. 

Isolated Risk and Policy Initiatives Introduce Greater Risk

Managing risk in today’s dynamic and distributed business environment is not an easy task. Risk management does not happen in a vacuum — it requires context and follow through. The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined and communicated.  

The official definition of GRC is:

The reliable achievement of objectives is governance, understanding and addressing uncertainty is risk management, and acting with integrity is compliance.  All three of these provide a natural flow.  Governance provides strategy and objectives that deliver the context for risk management.  Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries (policies & controls) and expectations so the organization can reliably achieve those objectives.  Compliance then ensures that the organization stays within the boundaries (policies & controls) set by risk management as it aims to reliably achieve objectives. 

The Bottom Line: Risk management activities managed separately from corporate policies leads to inevitable failure. Without an integrated approach to risk management and policy management the organization has no follow-through. Risk management is useless if it cannot be tied to boundaries for acceptable and unacceptable risk that are defined and communicated in policies throughout the organization. 

A nonintegrated approach to risk and policy management impacts business by not being efficient, effective or agile, resulting in:

  • Inefficient alignment. Organizations take a Band-Aid approach and manage risk disconnected from policies instead of thinking of their relationship and dependence upon each other.  Every policy in the environment is a risk document — there would not be a policy if there was not a risk. When policy management is disconnected from risk management the organization ends up with policies that are not clearly aligned and are managed out of context of the risk they address. 
  • Poor visibility across the enterprise. Separate risk management and policy initiatives result in an organization that does not see the big picture – it fails to measure policy in the course of business conduct and how it impacts risk exposure and management. The organization ends up with islands of policies that are not understood in the framework of risk.
  • Overwhelming complexity. Non-integrated risk management and policy management processes increase complexity. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently, introducing more points of failure, gaps and unacceptable risk. Inconsistent risk management and policy processes not only confuse the organization but also regulators, stakeholders and business partners. 
  • Lack of business agility. The organization is constantly changing and  therefore its risk profile is changing.  The inability to have a view into the relationship of risk to current policy handicaps the business. The organization is incapable of agility in a demanding, dynamic and distributed business environment. People are bewildered by a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic. 
  • Greater exposure to non-compliance and vulnerability. When policy is not written and enforced in the context of risk management, the focus is on what is immediately needed to get the job done.  This leads to processes and individuals that step out of line, take more risk than the organization wants, or violate policy. Most often an organization’s policies are out of date relative to the current risk profile, non-existent, or unenforced in accordance with risk.

What may seem like an insignificant risk from one perspective may very well have a different appearance when other perspectives are factored in. Organizations with siloed risk management and policy processes face inefficiency, out-of-sync controls and out of date or insufficient policies that are inadequate to manage risk. Organizations fail and are encumbered by complexity because they manage policy within specific issues, without regard for a common integrated risk and policy framework. 

More on this topic can be found in the following items from GRC 20/20 . . .

 

GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet

All organizations do GRC (governance, risk management, and compliance).  It does not matter if the organization uses the acronym or not, every organization has some approach to the elements of governance, risk management and compliance whether it is non-integrated and siloed across scattered areas of the organization or a federated GRC strategy that links GRC activities into a strategy, process, information, or technology architecture.  GRC by definition (OCEG) is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

GRC maturity is highly dependent on technology.  To be clear, you cannot buy GRC — GRC is something you do, not purchase.  You can buy GRC technology that assists in managing GRC related processes, analytics, reporting, and more.  Every organization uses technology for GRC; pens and paper are a form of technology, so are email, spreadsheets, and documents.  The correct selection and use of GRC technology is one aspect in maturing the organization’s approach to GRC.  In fact, GRC maturity cannot be achieved without improving your information and technology architecture for GRC.  However, I cringe when organizations tell me they just bought GRC and now need to figure out what to do.  Strategy and process come before technology.

The coverage of GRC technology by other analysts is frustrating.  For full disclosure, I am a research analyst.  I research and monitor GRC best practices, benchmark organizations, and define/model the market for GRC solutions, content, and services.  I review solution provider offerings, assist organizations in selection and write/manage RFPs.  While an independent research analyst for the past seven years, I previously spent seven years at Forrester Research where I was the first analyst to define and model the market for GRC solutions and services and label it GRC (February 2002).  I wrote the first two Forrester GRC Waves comparing solutions. Since leaving Forrester I have spent the last seven years bewildered by the way my analyst competitors cover the market for GRC technology.  I respect that in some cases they are handicapped by internal research boundaries of other analysts.  However, the coverage of the GRC market by other analyst firms is confusing and damaging.  

Before I critique my competitors, let me state my position. GRC, approached correctly, involves a strategy, process, information, and technology architecture.  The GRC market is comprised of a wide range of solution categories.  Some of these are represented in a GRC platform that tries to accomplish several areas of GRC in one neat little package.  Caution though, the idea of a single ‘GRC Platform’ to meet all your needs has challenges. There is no one-stop shop for GRC. There can be a core backbone for GRC, but GRC often requires integration of a range of information and technology.  Some of today’s complex governance, risk, and regulatory reporting requirements are only done through significant integration and analytics of data across the business. Organizations are best served to approach GRC as an architecture and throw away this idea of a single platform that promises to do everything.  I still reference GRC platforms as there can be a backbone that brings things together. Organizations are best served through a federated architecture that allows for best of breed GRC solutions where they make sense and does not force the organization into the lowest common denominator through one platform that tries to be all things to all needs.  I will be discussing my representation of the GRC market in next week’s 2014-Q2 State of the GRC Market Research Briefing.

Now that you understand my position, let’s review how GRC 20/20’s competitors approach the GRC market from the perspectives of Gartner, Forrester, Chartis, and Market to Markets:

Gartner

Gartner is the largest market research firm covering a wide range of technology and services.  Their GRC research I have ranted on in the past:

In these posts I have critiqued Gartner’s GRC Magic Quadrant, stating it is not transparent and does not represent the real world of GRC buying, as 80% is focused on specific areas of GRC and less than 20% on enterprise GRC platforms. Gartner has responded to my critiques and changed course (though they would never confess).  In a blog entry, French Caldwell announced their new approach: A Revolution in GRC Affairs at Gartner (or burning the EGRC mq).  To me it reads that French is saying ‘GRC is dead, long live GRC.’  In this post Gartner recognizes what I have been preaching from my analyst pulpit for seven years: that the GRC market is a broad market with solutions that do different things. 

Gartner has responded by breaking up the Magic Quadrant and analyzing solutions on use cases.  This analysis is just starting and covers the aspects of: 

  • Use case 1: IT Risk Management (ITRM). 
  • Use case 2: Operational risk management (ORM). 
  • Use case 3: Audit management. 
  • Use case 4: Vendor risk management (VRM). 
  • Use case 5: Business continuity management (BCM). 
  • Use case 6: Corporate Compliance and Oversight. 

Further, Gartner has scoped a wide range of other GRC market research:

  • Market Guide for Audit Management 
  • Magic Quadrant for Operational Risk Management 
  • Magic Quadrant for Security & IT Risk 
  • Magic Quadrant for Business Continuity Planning 
  • Magic Quadrant for Vendor Risk Management 
  • Market Guide for Corporate Compliance and Oversight 
  • Critical Capabilities of GRC Vendors 

Gartner is to be commended for this shift in research and is my most formidable competitor. I do appreciate the interactions I have with French despite our online debates.  We make a great nemesis team — protagonist and antagonist — Batman and The Joker, Superman and Lex Luthor (I will let you decide who is who).

Despite this tremendous change in strategy, I am here to say it has some issues in the definition of the use cases.  Basically, some of the use cases do not accurately represent the breadth of market requirements.  I have looked them over carefully.  As an independent analyst I get engaged to assist solution providers in how to approach and manage their relationships with the major analyst firms.  I am asked to play the role of French Caldwell and review their responses and watch their demos to improve how they present their solutions to analysts.  It is quite fun.  The past few weeks, several solution providers have reached out to seek my assistance in strategizing responses to Gartner’s new GRC use cases.  My concerns are as follows:

  • Use case 1: IT Risk Management (ITRM). This use case I find interesting: its criteria cover the basics, but I am surprised by the limitation of the compliance mapping.  It makes no reference to ISO 27000, NIST, or other popular standards and only references US-based regulations (note: PCI is not a regulation, but a contractual requirement).  I take particular issue with Gartner Analyst Paul Proctor’s blog Gartner Resets Approach to GRC. What Paul states is counter to Gartner having a use case in this area; he says, “The delineation of IT-GRC vs EGRC is almost meaningless because all of the IT-GRC vendors claim to do everything the EGRC vendors do and vice versa.” My point of view: IT-GRC solutions have an expanded data architecture to cover information and IT assets (e.g., logical, physical, relational, process), vulnerability and threat information, and hooks into the security architecture (e.g., vulnerability scanners, configuration management, security event/information management).  There is a difference between IT-GRC and EGRC.  Yes, some EGRC solution providers make a lot of claims and can tell Gartner all day long they do IT-GRC; it is Gartner’s job (and mine) to hold them to account on this and not just cave in.  Some vendors state they can do anything, and with a significant amount of money and services they can do some interesting things; it will just cost you money and time.  It is the job of analysts to analyze solutions and tell the world who actually has the features, who has the track record of success, who simply has capabilities that can be built out at a cost, and who lacks it all together. In my view it is easier for an IT-GRC solution to be an EGRC solution than for an EGRC solution to become an IT-GRC solution.  Gartner – you appear to be speaking out of both sides of your mouth, stating that delineation is almost meaningless while putting the time and effort into a use case in this area. 
  • Use case 2: Operational risk management (ORM). This use case has many of the high-level core criteria I would expect. I would like to see more on risk identification and collaboration. It could be more thorough in the variety of risk models solutions can do. There are over a dozen different risk analysis/assessment techniques that I review in my Risk Management Workshop. The international standard ISO 31010 (which provides supporting guidance to ISO 31000) has thirty different approaches. I often get asked which solutions support which of these risk assessment and analysis techniques when other analyst firms cannot answer this question. Another area for improvement in this use case is the ability to map/relate risks to show how risk interrelates with other risk, not just vertically in hierarchies but horizontally across hierarchies. A particularly big issue in this area, and lacking in the use case, is the ability to aggregate and normalize risk. Some in the Magic Quadrant are quite flawed. They break down when different departments have different risk models and scoring. To overcome this, vendors have significant implementation timelines (at great financial cost) to build out rulesets and logic for risk normalization and aggregation because it is not a native feature of the solution. Risk normalization and aggregation is critical and necessary so that risk reporting across department/operational areas up to enterprise risk reporting makes sense.
  • Use case 3: Audit management. Someone has done their homework. Compared to the other use cases, the audit management use case is far more detailed. It makes one wonder why Gartner goes deep in a few use cases while the rest are very light. My minor issues with this are the ability to build dynamic audit plans based on changes to business/regulatory/risk environments and the ability to build the more traditional three- or five-year audit plans. It could be stronger by listing the ability for external auditors to use the platform, and the flexibility of the solution to perform a range of operational audits including those across vendor and supply chains (where external auditors are often used).
  • Use case 4: Vendor risk management (VRM). This one is a big disappointment.  They scope the use case to be vendor risk management, and strongly lean it toward security.  It should be 3rd party management (though in the commentary it does discuss applicability to supply chain, I suspect the narrow scope of this is due to internal politics and research boundaries with other Gartner analysts covering supply chain, if so it is a disservice to clients that are thinking more holistically).  I do not see anything in the use case that identifies: a portal for 3rd parties, self-registration, communication of code of conduct and other policies, delivery of training, and ability for internal or external auditors to use the solution and record findings when exercising right to audit clauses.  It is weak on detail about integration with 3rd party content for due diligence and monitoring activities — organizations are looking for solutions with a lot of depth in this area and the brief criteria statement is rather . . . light.  In summary, from one industry perspective, this use case would end up with analysis of solutions that does not meet the needs of financial services institutions responding to the latest OCC requirements for more holistic vendor governance.  The use case only partially fits the criteria needed by banks in this area.
  • Use case 5: Business continuity management (BCM). Similar to audit management, Gartner has a lot more detail on the BCM use case and makes you wonder why the other four use cases are so light in comparison.  A pretty thorough job in BCM.
  • Use case 6: Corporate Compliance and Oversight. My greatest disappointment. This one is long and needs to be broken into sub-bullets:
    • Compliance risk. Compliance risk assessments go beyond prioritization and planning. They are an integral part of the elements of a compliance program defined by the United States Sentencing Commission and are referenced by regulators as well as mentioned in some consent decrees, corporate integrity agreements, non-prosecution agreements, and more. They are part of the board’s fiduciary obligations of compliance oversight. Compliance assessments are more than control assessments. Control is a term used by auditors, financial compliance, and IT. Compliance assessments, which can include controls, also cover the state of policy development, maintenance, and communication. Compliance assessments review hotline reports and cases. Compliance assessments look at training programs. A proper compliance assessment looks at the compliance process as well as controls.
    • Exception management. Gartner’s coverage of exception management does not reference policy exceptions.  
    • Regulatory intelligence. I would expect to see deeper criteria on regulatory intelligence and the ability to not only integrate but provide content and in what areas content is provided (list the areas Gartner, break it out and measure solution providers on depth and breadth of regulatory content).  Some solutions are deep in industry verticals like insurance, banking, health and safety – let your readers know which areas of content depth solutions deliver through relationships or directly themselves.  Have a taxonomy in the criteria so solutions have to show the range of regulatory intelligence coverage – and I pray Gartner understands that this is more than the Unified Compliance Framework (I am not critiquing UCF, just recognizing that they only have a small slice of the regulatory world).  
    • Policy management. For policy management, Gartner should break this out in its own use case.  There are a lot of enterprise and department policy management RFPs and projects that are not part of a broader compliance platform selection process. Gartner could spell out detail in policy lifecycle management capabilities, and it is missing exception management for policies as previously noted.  There also is nothing in the criteria that covers the communication plan and campaigns for policies and training.  
    • Issue reporting and case management. Under the incident criteria there should be an item that reviews the ability of the solution to stand up in court with proper evidence tagging and non-repudiation.
    • Compliance forms & disclosure management. The use case criteria are missing forms management such as disclosures for conflict of interest, gifts, entertainment, and hospitality – this is critical functionality for a corporate compliance and ethics solution, particularly if you want to help your clients with FCPA and other regs.
    • Due diligence. The criteria are silent on integration with due diligence and other content databases (beyond regulatory intelligence) to fulfill due diligence requirements on internal personnel as well as 3rd parties.
    • More compliance content. Some of the strongest compliance solution providers in the space provide content themselves, and there is no coverage of the range of content – regulatory analysis, policies, controls, training/elearning courses, standardized assessments, 3rd party due diligence.
    • Defensibility. Most significantly, there is nothing on a defensible audit trail. There is a reference to history in the use case – but organizations need more than that, and solutions need to prove it to you, Gartner. Look at the DoJ memo on Morgan Stanley and how they were praised for the ability to demonstrate policy maintenance, communication and training activities, assessments, monitoring, and due diligence. Organizations need defensible compliance with clear audit trails of who did what, how, when, and why. Regulators are starting to tell banks that spreadsheets/documents do not have the right integrity in their audit trail to use for assessments (something I have been stating for a decade). The November 2012 FCPA guidance by the DoJ and SEC states that they often encounter compliance programs that look good on paper but fail operationally, and they are sick and tired of it. We need defensible compliance.
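The defensibility point (who did what, how, when, and why; evidence tagging; non-repudiation; why a spreadsheet's history is not an audit trail) is easier to evaluate against concrete mechanics. What follows is an added example written for this post, not code from the original article or from any vendor or analyst firm discussed here: a minimal append-only audit trail in Go in which every record carries the digest of its predecessor and an Ed25519 signature over its own digest, so that altering, removing or reordering a record after the fact is detectable and each record is bound to a specific signing key. The record fields, the `genesis` marker and the sample events in `SampleTrail` are this example's own assumptions, not any product's schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEvent is one record of who did what, how, when and why to a governed
// object (a policy, an assessment, a case). Field names are this example's own.
type AuditEvent struct {
	Seq      int    `json:"seq"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Object   string `json:"object"`
	Evidence string `json:"evidence"` // tag of attached evidence (ticket id, document digest)
	Reason   string `json:"reason"`
	At       string `json:"at"` // RFC 3339 timestamp, UTC
	PrevHash string `json:"prev_hash"`
}

// SignedEvent is an AuditEvent plus its digest and the signature over that digest.
type SignedEvent struct {
	Event     AuditEvent `json:"event"`
	Hash      string     `json:"hash"`
	Signature string     `json:"signature"`
}

// AuditTrail holds the signing key and the chain of signed records.
type AuditTrail struct {
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
	events []SignedEvent
}

const genesis = "genesis" // PrevHash of the first record (example convention)

func NewAuditTrail() (*AuditTrail, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuditTrail{priv: priv, pub: pub}, nil
}

// canonical serialises a record deterministically (struct field order), so the
// digest and signature cover exactly the same bytes on append and on verify.
func canonical(e AuditEvent) []byte {
	b, _ := json.Marshal(e) // cannot fail for a struct of ints and strings
	return b
}

// Append links a new record to the previous one, digests it and signs the digest.
func (t *AuditTrail) Append(actor, action, object, evidence, reason, at string) SignedEvent {
	prev := genesis
	if n := len(t.events); n > 0 {
		prev = t.events[n-1].Hash
	}
	e := AuditEvent{Seq: len(t.events) + 1, Actor: actor, Action: action, Object: object,
		Evidence: evidence, Reason: reason, At: at, PrevHash: prev}
	sum := sha256.Sum256(canonical(e))
	se := SignedEvent{Event: e, Hash: hex.EncodeToString(sum[:]),
		Signature: hex.EncodeToString(ed25519.Sign(t.priv, sum[:]))}
	t.events = append(t.events, se)
	return se
}

func (t *AuditTrail) PublicKey() ed25519.PublicKey { return t.pub }

// Events returns a copy, so a reviewer working on it cannot alter the trail itself.
func (t *AuditTrail) Events() []SignedEvent {
	out := make([]SignedEvent, len(t.events))
	copy(out, t.events)
	return out
}

// Verify recomputes every digest, checks each link to its predecessor and checks
// each signature. It returns the count of good records, or the index of the first
// bad record together with an error saying what failed.
func Verify(pub ed25519.PublicKey, events []SignedEvent) (int, error) {
	prev := genesis
	for i, se := range events {
		if se.Event.PrevHash != prev {
			return i, fmt.Errorf("record %d: chain broken (record removed or reordered)", se.Event.Seq)
		}
		sum := sha256.Sum256(canonical(se.Event))
		if hex.EncodeToString(sum[:]) != se.Hash {
			return i, fmt.Errorf("record %d: content altered after signing", se.Event.Seq)
		}
		sig, err := hex.DecodeString(se.Signature)
		if err != nil || !ed25519.Verify(pub, sum[:], sig) {
			return i, fmt.Errorf("record %d: signature invalid", se.Event.Seq)
		}
		prev = se.Hash
	}
	return len(events), nil
}

// SampleTrail builds a trail from constructed sample events (not real data).
func SampleTrail() (*AuditTrail, error) {
	t, err := NewAuditTrail()
	if err != nil {
		return nil, err
	}
	t.Append("j.doe", "publish", "policy:code-of-conduct:v3", "doc:placeholder-digest", "annual review", "2014-03-01T09:00:00Z")
	t.Append("a.smith", "attest", "policy:code-of-conduct:v3", "", "required for role", "2014-03-02T14:30:00Z")
	t.Append("j.doe", "grant-exception", "policy:code-of-conduct:v3", "ticket:EX-0001", "approved by legal", "2014-03-05T11:15:00Z")
	return t, nil
}
```

Calling `Verify` on the trail from `SampleTrail` returns 3 and no error; editing the reason on the second record (the equivalent of changing a cell in a spreadsheet) makes `Verify` stop at index 1 with a "content altered" error, and dropping the first record breaks the chain at index 0. The signature, not the hash chain, is what gives non-repudiation: the chain only shows that records are intact and in order, while the signature ties each record to whoever held the signing key, which is why the key has to be managed outside the hands of the people whose actions it records.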

These are the use cases GRC solution providers have to prepare for; Gartner is just beginning its process. They could explore much of what I discuss throughout the process, but it would be best if it were apparent up front in the use cases themselves. There also is still time to revise these use cases as analysis is just starting. This matters as organizations invest a lot of money in solutions and need the deepest insight into the solutions they are purchasing. When requirements are not met it hurts the market as a whole. Gartner has a lot of influence and is the biggest brand in the business. While we compete in market research, their approach can cast a shadow that hurts the rest of us. I dive deep into the functionality of these solutions and care that organizations select the right solution for their needs.

One more thing – Paul Proctor’s blog I referenced above. He critiques the acronym GRC as being the most overused term, confusing things. For clarity, the individual parts of GRC – governance, risk management, and compliance – are all very overused terms across the business with many different interpretations. This is the area of research each of our firms covers and the one our clients engage us to make sense of.

Forrester

Compared to the long Gartner post, the brevity of this discussion may come across as letting Forrester off lightly. There is some serious misalignment between Forrester on one side and Gartner and me on the other. I cannot even go into the detail that I did with Gartner, as Forrester just lacks the same point of view of the GRC market. I cut my GRC teeth at Forrester, defined the GRC market before anyone else, and wrote the first two Forrester GRC Waves (as well as the first two ERM Consulting Waves). I recognized in 2007 with the 2nd GRC Wave that this market was too complex to represent in one two-dimensional graphic. As a result, my Wave had four graphics representing the aspects of: 1, overall GRC; 2, governance (audit); 3, risk management; and 4, compliance management. I reference Forrester in some of the blog entries I link to above discussing Gartner, but also have discussed Forrester in the following:

Previously I have given praise to Forrester for transparency. The Wave process gives clarity into scoring and criteria that Gartner’s Magic Quadrant does not (but these use cases are getting there). In the past seven years Forrester has collapsed the GRC Wave and failed to expand it. The four GRC Wave graphics went to one graphic. To make matters worse, Forrester combined a separate Wave on IT-GRC into the Enterprise GRC Wave (I discuss my views on the differences between IT-GRC and Enterprise GRC above in the Gartner analysis). This further consolidates research analysis of solutions at a time when I have been expanding it, and now Gartner is as well. Forrester – what GRC market are you covering? Certainly not the one I am covering, and not the one Gartner is covering.

Chartis

Chartis is not as well known as Gartner or Forrester. They provide market research with a predominant focus on financial services. They cover a range of GRC topics, all of which I would put under the umbrella of GRC, but their approach is to split GRC into its own category of multi-functional platforms distinct from other areas of their risk and compliance coverage.

My approach is that the entire market is called GRC and there are a lot of segments in this market of different types of solutions. Like IT security, which has segments for firewalls, intrusion detection, anti-virus, and more . . . GRC has segments for risk, audit, compliance, policy, health & safety, quality management and many more areas. To me, GRC is the macro-market, an umbrella that covers a range of solutions. Chartis and I talk “apples and oranges” as we are representing GRC as different things. Their approach fails as it aligns more with Forrester than with me. Though if you take the scope of what they cover as ‘risk technology’ we become more “apples to apples.” It is how we name the high-level market category that everything cascades from that differentiates us. They call it risk technology, I call it GRC.

What really sets me off about Chartis is their recent statement in Enterprise GRC – Time for GFRC?  Chartis states, “To drive a behavior-driven approach to GRC, firms need to incorporate performance and remuneration measurements into GRC. Chartis believes that firms should replace ‘GRC’ as a concept with ‘GFRC’ – Governance, Finance, Risk, and Compliance . . . Traditional GRC is outdated and fails to manage risk and prevent serious compliance breaches . . . Firms need to move beyond traditional GRC and take a more dynamic approach to governance, risk, and compliance.”

We are actually aiming for the same trajectory: there is more than a GRC platform, and GRC platforms by themselves are not enough and can force an organization to the lowest common denominator in managing risk. Later in the article they state, “Chartis also believes that firms should do more to incorporate areas currently overlooked by GRC, including model risk, conduct risk, reputational risk, and stress testing.” These areas of risk are covered in the GRC 20/20 market model for GRC. I am writing a paper right now on model risk management, GRC 20/20 has a segment of the GRC market that catalogs solutions for reputation/brand risk, conduct risk falls into our coverage of compliance management solutions (e.g., market conduct exams for insurance), and stress testing is in the coverage of risk management technologies. Where GRC 20/20 defines a range of solutions in the market as GRC and Chartis calls the same overall market ‘risk technology,’ Chartis is using the GRC label similar to Forrester by collapsing a platform down to the lowest common denominator and then taking the perspective Gartner and I have, stating that it is missing something. Technically, Chartis and GRC 20/20 are aligned as we see a range of technologies that define a category. I call it GRC. Chartis calls it risk technology. We are pointing at the same thing in this sense.

I take issue with Chartis trying to create GFRC – that just confuses things. The GRC market started growth in financial controls as a fallout of SOX, and some back in 2003 and 2004 tried to add Finance then. I don’t understand what Chartis is trying to communicate. Adding finance into the mix is a step back and not a step forward. One of the problems with traditional strategic planning is that it is really about financial planning and budgeting. In the UK there’s an entire movement around something called “beyond budgeting.” Finance, as well as operations, falls under the pervasive umbrellas of governance, risk management, and compliance. If not, do we start adding HR for human resources for the human element of GRC, IA for internal audit, H&S for health & safety? The nice thing about the GRC acronym is that these words are adaptable across the organization and provide a good umbrella. GRC defines the flow and context for the solutions in the market. GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity. Risk needs governance to set the objectives and strategy to give risk management context. We measure and monitor risk as it relates to performance, objectives, and strategy with a focus on uncertainty. Part of risk management is setting boundaries that get established in policies, procedures, and controls that compliance ensures we adhere to – acting with integrity.

Markets to Markets

This company should not even be referenced in this post, but I do so as they have been brought to my attention by solution providers a few times with concern. You can request their sample GRC report for free, but they charge thousands for the full report – the sample has anything of value redacted. Why I bring them up is their flagrant disregard for intellectual property and copyright. Their GRC market report takes some of my GRC content, particularly on GRC 3.0 (the market timeline for GRC 3.0 is an exact representation of my work) and other GRC points, and they source it back to themselves and not to GRC 20/20. Be wary of the analyst firm that fails to have an original thought of its own and takes the intellectual property of others. It came to my attention after solution providers in the GRC space (more than one) pointed out my IP being referenced as theirs. Still waiting for a confession and apology . . .

2014 GRC Technology Innovation Award: ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year’s award.

ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires

In November 2013, ACL delivered an innovation that combines the concepts of management assurance and audit assurance to structurally shift what is considered “data” in the context of measuring risk and control activities in assurance activities. They have created an intuitive and elegant approach to combine data analytics with surveys and questionnaires to provide stronger assurance and automation.

At a tactical level, this innovation revolutionizes the way a GRC professional is able to address problems around control monitoring, compliance violations, and policy violation. It meaningfully blends the capabilities of data analytics with surveying to provide the analyst with a simple, integrated toolkit for monitoring and remediation.

At a strategic level, this innovation structurally shifts and aligns “human data” with “systems data”, effectively allowing the GRC analyst to treat populations of people as a data source. With the ability to seamlessly blend “human data” with “systems data”, a new world of analysis is possible to identify red flags, as well as serve as the basis for rich visualization of blended data.

Prior to this innovation, control monitoring and other data analytics were loosely integrated into broader GRC risk & control platforms and GRC architecture. Results of analytics were often simply attached as files to serve as control evidence. This new approach fully integrates analytics into a unified GRC architecture so GRC evaluations, assessments, and decisions can be made seamlessly in real time using the most up-to-date information available in the organization. Introducing the surveying/questionnaire piece allows ACL users to feed the same control monitoring engine with survey data (“human data”) and drive the same remediation actions as could be done from transactional data.

The core functionality of the technology is to take the results of control monitoring analytics and bring them into a centralized, easy-to-use web environment where they are integrated into the overall GRC information and process architecture. It provides an intuitive questionnaire builder to develop questionnaires that are issued when a “trigger” condition happens, allowing for automatic triggering of questionnaires based on data analysis criteria. It blends data analysis records with the questionnaire results to provide a consolidated dataset that the organization may use to drive remediation, act as control evidence, or provide executive reporting.

The key technical functionality is the “Big Data” engine that lies at the heart of the ACL GRC Results Manager module. This data engine uses an innovative data store that is capable of storing unstructured and arbitrary data. This is critical for several reasons, but primarily because 1) organizations need to analyze different types of data, and a traditional database system cannot effectively ingest the “arbitrary” data needed for analysis, 2) these organizations need to be able to “blend” a transaction record with a survey response on the fly without doing traditional database table joins, and 3) the engine needs to operate at cloud scale to drive the fastest performance and response times. Layered on top of the big data engine is ACL GRC’s development stack and intuitive user interface, built in HTML5, CSS3, and high-performance JavaScript. The overall solution is not just functional on a new level but brilliant in its intuitiveness and ease of use.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year’s award.

ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC

ACL has brought end-to-end audit management functionality to Apple mobile devices in the form of a native mobile app, used in conjunction with their cloud-based GRC and audit management platform. The ability to leverage a native app (not mobile web or low-fidelity “hybrid” type applications) enables ACL to make full use of the hardware capabilities of Apple mobile devices including:

  • User Interface.  Touch, gestures, responsiveness, hardware rotation, etc.
  • Multimedia evidence capture. Create and attach photos, videos, sound recordings, geo-location, etc. from within an audit procedure, control walkthrough, control test, etc.
  • Scan to PDF. Use the app to “scan” hard copy documents directly into the system without leaving a given audit step or control test by taking a picture of the document. The app’s PDF generation engine will automatically convert to a document-quality PDF.
  • Cloud connected. Built to enable connectivity and integration with their native multi-tenant software-as-a-service ACL GRC platform, so that none of the typical connectivity challenges of on-premises server infrastructures impede easy access and use.

This is the first GRC mobile app to bring the full power of design, delivered through powerful and capable devices, to the problem of audit management. GRC 20/20 sees a major shift beginning to occur where documents, spreadsheets, and paper binders are being replaced by multimedia including audio, video, photo, data visualization, geo-location, etc.

There are many GRC mobile solutions on the market – but they offer limited functionality and do not always take full advantage of the native mobile environment. ACL has now fully engaged the multimedia capabilities of the device and redesigned the application from the ground up to take advantage of the incredible power available in the iOS SDK. The platform was expanded to enable complete enterprise risk assessment and reporting in a fully touch-interactive environment.

The historic reality was that after fieldwork finished there would be an additional two weeks of work compiling notes, transcribing, documenting, etc. after leaving the field, then another two weeks of report writing and revisions. By progressively leveraging ACL GRC for iOS and its multimedia capability, auditors can potentially walk out of the field completely done and documented, with multimedia backing up a clean, engaging audit report. This enables users to work in an environment where they can create and capture both interactive media and structured data to accomplish existing audit goals, without relegating themselves to countless hours of tedious document preparation only to end up with all of their data forever “trapped” in documents.

The key innovation is that the app leverages the native iOS SDK to provide the best mobile GRC user experience that GRC 20/20 has encountered, with deep integration with the device’s hardware capabilities including camera, microphone, GPS, touch gestures, hardware rotation, etc. This provides a faster, better, more beautiful, and more tightly integrated experience for the user than a mobile web app or a wrapper for the web that pretends to be an app.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year’s award.

Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change

The Be Informed GRC solution is based on the Be Informed business process platform, a platform built on semantic technology that can be understood as a shared vocabulary of business concepts describing the terminology of products, services, processes, activities, business knowledge and policies. It is fully model-driven, which means that requirements and specifications are expressed in semantic models that can be directly executed, i.e. without transformation to another (programming) environment. This constraint-based process approach allows for dynamic processes, by which every individual transaction has its own process flow, depending on the data and context of that transaction.

The Be Informed semantic technology enables the dynamic management of regulations and changes in the GRC environment. This allows organizations to stay current with the ever-continuing stream of new and changing regulations. Organizations will find that regulatory change, alongside business change and risk change, becomes easier to manage, control, and trace. Semantic models determine the behavior of the business within rules. With Be Informed, the rules of business are modeled, not coded, in a visual and very comprehensible way for business users. This enables users to easily understand and change business rules, making the Be Informed business process platform an agile solution.

Be Informed through its semantics engine allows organizations to be in full control. In the GRC-space this means being able to handle complexity and change (e.g., regulatory change, business change, risk change), to provide a holistic integrated view of change, to enable transparency, and have complete insight and overview of accountability domains – on both content and process.  This is enhanced by audit trails that demonstrate accountability to customers, employees, shareholders and supervisory authorities.

By using the semantic models, you can define the requirements in an accurate, concise and machine executable format. Semantic models are used to make decisions, to classify what is applicable (and/or needed) and to calculate values. These outcomes are used to determine which controls are applicable, which data is needed to perform activities, how to drive the workflow process and even to determine which components of a report must be generated.

The Be Informed framework consists of three parts. The first part is the Definition part, using semantic models. Here regulations and policies are translated into regulatory and risk controls. Second, once a control is defined it can be executed as a service in any of the core processes of the organization as represented. A transaction can only be completed if all necessary controls have resulted in a positive outcome. And third, Be Informed supports the review and evaluation of the effectiveness of the controls by planning, scheduling and executing all kinds of assessments with the GRC-Workplace.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients

2014 GRC Technology Innovation Award: Convercent Delivers Agile Compliance Reporting

The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside-the-box thinking in taking GRC in new directions to receive this year’s award.

Convercent Delivers Agile Compliance Reporting

Nearly every business function in today’s organization has benefitted from a transformational shift in how data is used to enable business agility – the ability to deliver meaningful intuitive information at a moment’s notice and enable accessibility across devices from computers, laptops, tablets, and mobile devices. However, compliance has struggled with systems in which information is neither agile nor mobile. The effect is a blurred or inaccurate picture of compliance risk. In today’s business, understanding a true picture of compliance at any point in time is critical. Compliance programs struggle with mountains of data in documents and emails or with expensive and non-intuitive solutions that create challenges to managing compliance effectively. Technology is a limiting factor to many ethics and compliance programs and is manifested in:

  • Increased exposure. Inability to make rapid decisions, and inability to draw historical benchmarks or predictive analysis based on integrated trends
  • Reduced efficiency. Time inefficiency to aggregate information into board/audit/executive reports
  • Increased cost. Utilizing manual processes to do what technology can streamline, centralize and automate.

Convercent is a cloud-based solution that delivers integrated reporting across key compliance functions, including policy management, learning management, hotline and investigations, to enable effective compliance risk monitoring and mitigation. This is done through an elegant and intuitive user interface that delivers depth while minimizing the technical acumen needed. With Convercent it becomes easy to rapidly report on issues and understand what trainings and policies an employee has received and attested to at a moment’s notice. The ability to drill down to the individual level allows organizations to track and monitor developing compliance risks, and to proactively analyze and report on information that highlights compliance efforts.

Convercent provides three layers of reporting and analytics, ranging from at-a-glance dashboards that enable program monitoring to effective oversight at the board level through the ability to use Microsoft Office tools to create a “two-click board report” in real time. Convercent allows for business agility within compliance departments and a reduction in costs associated with manual processes that is supported by three levels of reporting and analytics capabilities:

  • Dashboard Reporting provides the ability to understand performance at a glance. Compliance managers can monitor case management, policy and training health to get a high level overview on how the organization’s ethics and compliance program is performing.
  • Web-Based Reporting provides rapid understanding of issues that are occurring in real time. A variety of prebuilt case management reports are available for the compliance manager to present the information the way they need it.
  • Convercent Data Services puts powerful and customizable reports at the organization’s fingertips. It provides the ability to collect real-time ethics and compliance data in Convercent and immediately transfer it into Microsoft Excel and PowerPoint utilizing the open-standard OData protocol.

To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients