Measuring the Integrity of the Organization

Compliance and ethics is not the same today as it was a few years ago. The forces shaping compliance are likely to continue to influence the trajectory of compliance and ethics for years to come. In the past, compliance was distributed and disconnected. The relationship of ethics to compliance was inconsistent. Organizations may have had a centralized compliance function to manage critical compliance issues bearing down on the business, but compliance in reality was fragmented and distributed, with highly redundant approaches taxing the business. This resulted in a maze of processes, reporting, and information. Each department relied on document-centric and manual approaches that did not integrate, and compliance professionals spent more time managing the volume of documents than they did actually managing compliance. There were inconsistent formats for policies and procedures, issue/incident reporting, and assessments.

Like battling the multi-headed hydra in mythology, these redundant, manual, and document-centric approaches were ineffective. As the hydra grew more heads of regulation, ethical challenges, and obligations, the scattered compliance approaches became overwhelmed and exhausted and were losing the battle. These problems led to a reactive approach to compliance, with silos of compliance failing to coordinate and work together. This increased inefficiencies and the risk that serious matters could fall through the cracks. Redundant and inefficient processes led to overwhelming complexity that slowed the business, even as the business environment required more agility.

Compliance and ethics today is in the midst of transformation. The pressure on organizations is requiring us to rethink our approach to compliance. This new approach is focused on what OCEG calls Principled Performance: “The reliable achievement of objectives, while addressing uncertainty and acting with integrity.”

Compliance is evolving to focus on the integrity of the organization. Compliance and integrity are becoming how we do business, as opposed to being an obstacle to business. Compliance operations become federated to overcome the inefficiencies of the decentralized approaches of the past. This requires a centralized coordinating role for compliance while working with federated compliance functions throughout the business. Organizations are looking to monitor and measure the integrity of the organization through information, activities, and processes coordinated across the organization.

These trends point in one clear direction: a compliance architecture that is dynamic, proactive, and information-based. That is, a new model for ethics and compliance that:

  • Is aligned with stakeholder demands for transparency and accountability;
  • Functions as a strategic partner with executives and aligns with organization strategy and values;
  • Takes full advantage of emerging technologies to improve efficiencies;
  • Provides an easy-to-use and engaging interface to get information and participate in compliance processes; and,
  • Measures integrity through an integrated framework of metrics.

The result is an approach to ethics and compliance that not only delivers demonstrable proof of compliance effectiveness, but at the same time shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.

Through an integrated compliance architecture the organization will have an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.

2013 GRC Value Award: Audit Management

GRC 20/20 Research awarded ACL GRC and its client Traina & Associates its 2013 GRC Value award in the Audit Management category. ACL GRC is an all-in-one cloud-based GRC process management solution. Since ACL GRC’s implementation at the Traina & Associates CPA firm two years ago, the firm’s average audit elapsed time went from about 60 days to 30 days; audit management efficiency increased by 25 percent; and audit revenues increased by 10 percent without increasing staffing.

Traina & Associates is a CPA firm providing IT audit services. For two years Traina & Associates has performed 100 percent of their audit work using ACL GRC and has achieved:

  • Increased productivity, and removal of the backlog of work they had experienced for over seven years thanks to the ability to divide the audit work into sections that can be signed off by the auditor, making work immediately available for review.
  • Increased audit revenues by 10 percent without increasing staffing — auditors work less and produce more work.
  • Improved information security by eliminating the risk of lost or stolen laptops containing confidential client information and discontinuing the sharing of confidential information through internal email.
  • Ability to work anytime from anywhere with cloud-based access and mobile apps — and soon may be ready to close the physical office completely, resulting in additional savings.
  • Ability to immediately update audit procedures to keep up with fast-moving technology within client businesses.
  • Retained a highly valuable employee across the country thanks to cloud-based collaboration.

The ACL GRC solution

ACL™ GRC eliminates the headaches and fragmentation associated with traditional on-premise audit, risk and compliance management systems. There’s no software to install, servers to buy or resource-intensive implementation projects. With ACL GRC, everything is integrated and managed. A comprehensive set of controls guarantees data is protected.

Within one year of implementation, Traina & Associates experienced increased productivity and efficiency, including lower staffing costs, lower information security risk, increased telecommuting and reliability. For example, in addition to field work and documentation, it took about 1.5 hours to complete a final report. Using the new system, the same report can be generated in 30 minutes.

Implementation effort was minimal, and was completed in less than one month. During the next five years, the firm expects to continue to experience increased employee retention and satisfaction.

The security and agility features of the ACL GRC solution are important to a firm like Traina & Associates: because the data is securely accessible via the cloud, client data is no longer stored on the auditors’ laptops. This eliminates the major risk of exposure due to a lost or stolen laptop with confidential client information. Client audit data is also no longer shared between team members through internal email, since it is available to everyone 24×7 in ACL GRC; a lost or stolen phone containing email has much less of an impact if there is no client data involved.

SaaS delivery also means ACL GRC clients no longer have to worry about an internal system going down, or about the need to update, patch or back it up. All auditors need is something with a browser and Internet access. This delivery also means the majority of employees can work virtually; in the future, the firm expects additional savings because the office space may not be needed. Change is a constant with Traina & Associates’ IT database, and ACL GRC’s management and delivery approach also makes this easy, since policy and procedure changes can be made globally and simply, via the cloud.

A homegrown system with a backlog of work

Traina & Associates previously used custom-developed software combined with a separate system of email and a number of spreadsheets to track and manage work. Traina was growing at a fairly rapid pace and auditors often faced very long work hours. In addition to doing audit work, all members of the team helped with development of new programs to keep up with new client technology. Efficiency is paramount for this small company.

Traina & Associates badly needed a cost-effective solution to improve workflow, automate the audit process and help the team stay ahead of industry advancements. The firm previously relied on its own proprietary audit management software, but questioned the wisdom of committing additional resources to develop an upgrade. Migrating from a proprietary system required identifying an alternative tool that was affordable, flexible, easy-to-use, encouraged collaboration and increased audit efficiencies. Traina & Associates did not expect that just one solution could meet all of their criteria.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients


2013 GRC Value Award: Identity & Access GRC

GRC 20/20 Research awarded AlertEnterprise, Inc. its 2013 GRC Value award in the Identity & Access GRC category. Enterprise Guardian™ from AlertEnterprise was deployed at a large utility corporation. The implementation provided the utility insight into its identity repository and multiple IT systems to identify risks and eliminate threats, while meeting NERC and NERC CIP compliance. AlertEnterprise estimates the utility sees annual benefits of $1 million, perhaps greater, as a direct result of the implementation (see exhibit, below).

| Value Drivers | Technical Baseline/Benchmarks | Estimated Improvements (%) | Estimated Benefit ($) |
|---|---|---|---|
| Improve compliance and audit FTE efficiency | 10 FTEs allocated for 6 months | 12% | $150,000 |
| Improve IT FTE efficiencies for enterprise security | (IT + physical + SCADA) = 10 FTE | 15% | $200,000 |
| Reduce noncompliance penalties (NERC/CIP) | Avoid reg. fines ($1M max/violation) | 10% | $100,000 |
| Reduce O&M costs (truck rolls, etc.) | $2,000 per incident | 10% | $300,000 |
| Reduce incident response costs | 10 FTEs allocated | 15% | $150,000 |
| Reduced costs due to an integrated platform | Converged security and compliance | 15% | $200,000 |
| Total Annual Benefits (Recurring/One-Time) | | | $1,000,000 |

Source: AlertEnterprise, Inc. and GRC 20/20, 2013

The main short-term benefits include immediate identification of risk and conformity with regulatory standards. AlertEnterprise helped the utility remain compliant with NERC CIP regulations via automation of various business processes and procedures.

Enterprise Guardian leverages IT-OT convergence capabilities by linking SAP and other IT applications with physical access control systems and SCADA/operational systems to deliver critical infrastructure protection by eliminating organizational silos. Industry-specific content packs deliver fast and effective means to meet regulations; automate contractor and employee onboarding/offboarding and identity, access and role lifecycle management; simplify the badging process; and leverage identity analytics, while reducing the complexity of provisioning across all these systems.

Customer challenges

As one of the largest electric utilities in the United States, the company required an all-encompassing enterprise access management system and solution. Primary challenges included:

  • Multiple legacy applications lacking common centralized processes to assign and monitor access
  • Large identity and access management application deployment from a major vendor that did not link to internal applications
  • Contractor access to applications tracked manually, lacking documentation and evidence
  • Decentralized process for NERC CIP 004 access management
  • Manual and time-consuming tracking of the certification required for CIP access and physical access control systems (PACS)

AlertEnterprise’s solution delivers these capabilities to address these challenges:

  • More efficient access management of individuals within the company
  • Establishment of one integrated system with oversight over multiple departments and systems
  • Establishment of a central repository of contractors (contract management system)
  • Complete integration for onboarding and offboarding across SAP, IAM application from major vendor, and multiple legacy applications
  • Overall, centralizing processes, automating manual tasks and providing efficiencies around compliance activities for NERC CIP 004 R1, R2, R3 and R4

A legacy system that became ungovernable

For more than a decade, the utility built a variety of tools and applications to manage identity and access within its organization. The utility also incorporated an identity and access management (IAM) system from a major vendor. The utility soon faced challenges bridging its home-grown system with this system, which created a conflict when trying to manage access across logical systems, or when it attempted to customize workflow and enforce policies. Adding to the challenge was that none of the utility’s homegrown systems could be retired as planned.

Before the implementation of the AlertEnterprise solution, the process was managed manually by various teams, which were mostly technical in nature. This was due to the fact that multiple systems operated in silos with no interconnectivity or insight. These processes were expensive and time consuming, and the result was unsatisfactory.

Instead of spending days requesting various departments to reconcile user access via spreadsheets, AlertEnterprise allows the utility’s users to pull a report of user access at any time. AlertEnterprise also automates manual tasks, and drives these processes through a quality-driven application. AlertEnterprise helped the utility cut the costs and human capital needed to operate its complex IT solutions. The unified solution allows business as well as technical users to operate IT-related tasks. Fewer resources are needed to ensure compliance regulations are met and duties are completed across systems.

A bright future outlook

AlertEnterprise will allow the utility to continue its day-to-day processes and automatically enforce the policies in place to meet NERC CIP compliance and other regulatory requirements. The utility can also expect these features in the long term across IT, physical and OT (industrial control/SCADA) systems:

  • Automated user and access lifecycle management
  • Automated user and role certifications
  • Unified identity warehouse
  • Comprehensive audit and reporting
  • Automation of processes for security, compliance, internal audit and business enablement

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

2013 GRC Value Award: Information & Data Governance

GRC 20/20 Research awarded ClusterSeven ESM its 2013 GRC Value award in Information and Data Governance. With the help of the ClusterSeven Enterprise Spreadsheet Manager (ESM) solution, the global European banking and financial services company was able to meet regulatory demands to demonstrate control over its core financial operations. In the process, the bank projects a 3.5x ROI on ClusterSeven ESM based on risk avoidance.

As part of improving controls over its core financial processes, the bank was required to demonstrate control over business-critical spreadsheets in trading, risk management, product control and finance. ClusterSeven ESM was implemented to provide the required control and transparency. Short-term benefits of the implementation were a 1.5x ROI on ClusterSeven within one year, and a 3.5x expected return projection based on risk avoidance figures. Other benefits included:

  • Implementation of a tool that could facilitate spreadsheet best practices — primarily spreadsheet consolidation
  • A more organized and streamlined process
  • An improved, more rigorous change control over VBA Macro codes within spreadsheets
  • Addition of electronic sign-off provides improved workflow and enhanced visibility

Before the ClusterSeven ESM solution, the bank performed this process by manual controls only.

Real data on ClusterSeven’s value

The bank’s backup team calculates that it receives about 12 requests for retrieval of historical spreadsheet versions per day. Snapshots of file servers are taken every three hours during the day. On average, about 1.5 hours of work is lost on work done in between backups. Adding the wait for the restoration of the spreadsheet and the support time to retrieve the old version, about 21 hours of employee time per day was lost to retrieval of historical spreadsheet versions. With ClusterSeven, no support time is required, the time used to process the retrieval is negligible, and the average gap between snapshots is about 30 minutes — adding up to 1.5 hours lost per day. This is a time savings of 19.5 hours of company time per day because of the ClusterSeven ESM solution.

In a similar scenario, the bank calculates ClusterSeven ESM’s SOX compliance process uses 750 hours of company time per year, compared to 3,125 hours per year with the old process — the equivalent of four FTE positions.

The bank also calculates many softer benefits of the ClusterSeven ESM solution, detailed in the table below.


To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

2013 GRC Value Award: Environmental, Health & Safety

GRC 20/20 Research awarded CMO COMPLIANCE its 2013 GRC Value award in the Environmental Health and Safety category. The CMO COMPLIANCE HSEQ solution was implemented for a contractor and replaced numerous department and division solutions with a central solution, streamlining ISO certification and saving the contractor at least one month’s worth of additional FTE that would have been dedicated to ISO certification management.

CMO COMPLIANCE is a Web-based and mobile enterprise GRC and health, safety, environment and quality (HSEQ) management system, offering a variety of modules and solutions to clients across multiple verticals (mining, oil and gas, energy, healthcare, infrastructure, transportation, government, manufacturing, construction, food and retail and more).

The contractor continues to discover new ways to streamline and save with the solution. Efforts to measure different ways CMO COMPLIANCE is saving money, including reduction of the number of incidents, are still developing and will continue.

Measurable change

As a result of the CMO COMPLIANCE solution, the contractor’s audit-and-inspection-to-reporting process has been reduced by 80 percent with the deployment of the mobile solution. Field employees can now perform their audits and inspections offline and sync the information back to CMO COMPLIANCE, and reports are then automatically generated and sent out to the appropriate personnel. This used to be done in the field and then entered into a system back in the office.

Audit performance time has been decreased by 25 percent with the creation of automated workflows and default responses to pick from drop-downs, reducing data entry time.

The incident reporting, investigation and closure process has been shortened by 15 percent. This has been mostly aided by the workflow and notification process afforded by CMO COMPLIANCE, which routes information to the appropriate parties and escalates overdue items, thus increasing accountability.

The contractor estimates automatic report generation has meant a reduction of 51 FTE hours per month. CMO COMPLIANCE also gives the contractor the ability to design its own forms and workflow; a process that takes an average of 200 hours for an MS developer in SharePoint can now be completed in 30 minutes to 1 day, depending upon complexity and user knowledge.

A fast, efficient management solution

The contractor’s ISO certification body, when brought in to do an initial assessment of its management systems, was shown CMO COMPLIANCE. The solution made the process particularly easy, since the solution is also used by the auditors. CMO COMPLIANCE streamlined ISO certification for the contractor’s ongoing effort with ISO management and renewal. The initial estimated savings associated with this process was one month’s worth of additional FTE that would have been dedicated to ISO certification management.

The contractor also uses the solution to centralize and standardize incident and investigation management, audit and inspection management, permit management, compliance management, environmental monitoring and reporting, and contract change management.

CMO COMPLIANCE is allowing the contractor to achieve its initiative, which is the centralization of multiple systems into a single system, covering not only EHS but also quality and compliance. Future phases include integration with SharePoint and SAP.

More than 20 solutions, down to one

CMO COMPLIANCE replaced more than 20 solutions across multiple departments and divisions. The replacement has meant an ROI savings of $2 million per year, but the ROI calculation is not yet complete and this number will likely grow. This includes not only the reduction in annual support and maintenance fees for other solutions, but also a reduction in IT infrastructure and resourcing costs.

The value of having everyone use the same system means that all employees, contractors, and clients are speaking the same language when it comes to EHS, quality and compliance management. This allows the contractor to have companywide user groups and drive process improvement and information sharing to continually enhance the way it operates.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

2013 GRC Value Award: Legal GRC

GRC 20/20 Research awarded Datacert Passport its 2013 GRC Value award in the Legal GRC category. Datacert’s Passport® technology platform provides an integrated legal and GRC ecosystem that allows organizations to respond to the cost of compliance and non-compliance.

Datacert’s Passport application breaks down information and process silos between a variety of legal and GRC stakeholders, and allows organizations to better understand their internal and external legal/compliance-related expenditure by activity type, business unit, geography, regulatory topic, etc. Additionally, at MMC, Passport identifies key data points and associated expenditures required to address incidents and data protection policies. This visibility brings unique value by providing the information organizations need to effectively budget for and demonstrate ROI on GRC-related expenditure.

Risk management that’s strategic, not just responsive

Marsh & McLennan Companies, Inc. (MMC) is one of the world's largest professional services, risk management and insurance brokerage firms and is headquartered in the United States with offices all over the world. Datacert’s Passport solution was implemented by MMC in April 2012 for Legal and Risk Management to manage key litigation and global insurance risks. In 2013, MMC increased the use of the application to manage data incidents and data privacy related matters, thus leading to a combined Legal and GRC solution for the organization.

Prior to Passport tracking data privacy incidents and their associated spend, MMC had to pull data manually across its Marsh and Mercer operating companies and manually determine key severity codes, root causes and remediation through steering committee meetings to ensure organizational consistency. During Q3 2013, MMC was able to generate these compliance incident spend and risk metrics in less than 20 minutes with Passport.

In addition to the above, MMC has gained significant quantitative value from utilizing Passport to optimize its outside counsel operations. Examples include:

  • From 2008 through 2012, partly via Datacert’s technology, MMC’s legal department reduced outside counsel fees by 56 percent, its lowest spend since 2007.
  • MMC estimates it saved an additional $10 million since July 2011, aligned to mandatory discounts, 2010 rates, fixed-fee pricing and competitive bidding.
  • MMC notified all law firms that it would not be moving to 2013 billing rates, which MMC anticipates will result in savings of approximately $6 million.
  • MMC kept its global lawyer count to 140 across 26 countries and 209 total resources.
  • MMC has determined that maintaining a global legal department is key when evaluating total legal expense as a percentage of revenue. Its goal is to maintain its total legal spend at less than 1 percent of revenue, which it is able to do using Datacert’s Passport technology.
  • Improved reporting and dashboard capabilities provide a more detailed global view of spend by line of business, region, law firm and matter. With Passport, MMC is able to generate better and richer reports than it could previously, reducing time spent running these reports by 25 percent.
  • By utilizing preferred providers tracked and managed in Passport, MMC lawyers can select the firm best positioned for a particular matter while building long term relationships, allowing MMC to reduce its preferred provider list from 150 to 50.

MMC's Legal and Risk & Compliance teams are still identifying opportunities to expand the use of the Passport application to manage data and analytics around GRC. In the longer term, MMC is planning to extend the reach of its Passport implementation into a broader spectrum of proactive GRC-related activities, providing additional spend intelligence in areas like operational risk assessment, internal audit, policy management, and 3rd-party risk management.

A legacy system that was costly and often ineffective

Prior to its implementation of Passport, MMC’s visibility into spend was limited to legal matters (it did not include compliance-related incidents), and legal spend data was difficult to consolidate across multiple business units and global regions within the legal function. With Passport, MMC can integrate spend management across its legal department, providing the visibility required to increase its influence over its outside service providers.

Another benefit of Passport for MMC is the improved management of outside legal service providers. Prior to the implementation of Passport, MMC was managing hundreds of law firm relationships, which it has since culled with the help of Passport to a streamlined population of high-value relationships, reducing operational overhead and allowing it to focus its efforts on increasing the value of its remaining outside counsel relationships.

Passport’s effectiveness is most notable in the area of reduced human capital cost. Greater visibility into its risk and compliance spend allows MMC to address hotspots and better project its risk and compliance-related expenditure into the future, allocating budget and resources to areas where they are most likely to be needed.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

2013 GRC Value Award: 3rd Party GRC

GRC 20/20 Research awarded Hiperos 3PM its 2013 GRC Value award in the Third-Party GRC category for its implementation at a regional bank holding company. The client specifics are anonymous in this publication, but GRC 20/20 has verified the factual accuracy with the bank. After the implementation of the Hiperos 3PM solution at the bank, it was able to triple the number of its third-party investigations without any increase in headcount. The number of days needed to assess the inherent risk of a third party also dropped dramatically — from 7.55 in 2011 to 5.22 in 2012 to 3.95 in 2013. Hiperos continues to deliver efficiencies.

The bank is a large U.S. bank holding company in the S&P 500. It has 11,000+ employees and its Vendor Management Team manages some 20,000 third parties. Following a regulatory examination, the bank was told that while its processes for third-party assessment and third-party risk assessment were sufficient, it needed to apply them to a greater number of third parties so the business could adequately demonstrate knowledge of vendor risk and apply the processes consistently to managed vendors. The bank had a choice: add headcount or look at technology. Hiperos was selected and contracts signed at the end of 2013. Hiperos 3PM was implemented in 87 days.

The bank is highly focused on ensuring that it addresses its regulatory obligations in the most cost effective and efficient manner possible. As a result of implementing Hiperos, the bank has been able to triple the number of assessments it completes on third parties with the same number of people. Following the implementation of Hiperos, the bank reformulated all of its risk models, at the CEO’s request. All of the third-party risk models were redone internally, with no need for IT help or additional consulting from Hiperos.

Going from its largely spreadsheet-based approach, the bank saw similar savings across several different processes, including:

  • AML assessment — the average number of days to complete an assessment went from 41.52 in 2011 to 6.86 in 2012, an 83.47 percent decrease in the number of days. For the same period, the bank reported a 34.55 percent increase in volume.
  • Business continuity assessment — the average number of days to complete an assessment went from 23.45 in 2011 to 12.65 in 2012, a 46.05 percent decrease in the number of days. For the same period, the bank reported a 15.64 percent increase in volume.
  • Compliance assessment — the average number of days to complete an assessment went from 66.78 in 2011 to 23.3 in 2012, a 65.01 percent decrease in the number of days. For the same period, the bank reported a 58.44 percent increase in volume.
  • Information security — the average number of days to complete an assessment went from 37.12 in 2011 to 16.93 in 2012, a 54.39 percent decrease in the number of days. For the same period, the bank reported a 20.88 percent increase in volume.

The bank also was able to add 5,392 assessments in 2012 compared to 2,879 in 2011, with the same number of staff.

Five-year expectations and beyond

During the next five years, the bank expects to have the ability to adapt quickly to a changing business environment (growth in the bank/number of third parties) as well as a changing regulatory environment (changes in regulation/different expectations from inspectors). The bank recognizes that one of the advantages of Hiperos 3PM is the ability to make changes to programs quickly and easily versus requiring IT to make changes for it. It also expects to expand the scope and value of the currently implemented solution, including initial on-boarding of vendors, ongoing due diligence, and managing the implications of exiting third-party relationships. It plans to expand scope to include nontraditional vendor relationships, and to improve its understanding and intelligence around the data created by the program. The bank expects to make use of the analytics capabilities of 3PM, which will allow it to do business modeling, run what-if scenarios and gain a clearer picture of trends.

The bank has seen great agility in its process since implementation: in its ability to respond to changes in the business environment (when the bank buys another bank or entity), its ability to quickly add new third parties to a relationship, and the ease of changing information about an existing third party. It also has vastly improved its ability to respond to changes from the regulator — to manage the potential customer impact risk of a third party, and to meet the requirements of the CFPB.

The bank, the business environment, regulations and regulators — as well as third parties — are constantly changing. This approach allowed the bank to adapt to changes quickly and efficiently, ensuring continued optimal, risk-based and appropriate management of third parties.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

2013 GRC Value Award: Policy Management

GRC 20/20 Research awarded Hitec Laboratories Ltd and Markel International its 2013 GRC Value award in the Policy Management category for the PolicyHub® solution. Markel International’s implementation of PolicyHub impressed GRC 20/20 with its enhanced ability to demonstrate compliance to regulators. Markel International can now demonstrate a 100 percent compliance rate for relevant staff, and can take action on noncompliant areas of the organization, which was previously not possible.

Markel International was challenged by numerous versions of each policy in circulation and by a lack of version control. Markel International is a global insurance company providing designed solutions for a wide range of professions and sectors. After deployment of Hitec’s PolicyHub solution, Markel International was thrilled with response rates. The first PolicyHub publication generated an 85 percent completion rate within 10 days — an accomplishment not previously possible to measure. Some policies are combined with test assessments, issued through PolicyHub’s Assessment module. The test ensures the recipient has read and understood the policy and identifies any training requirements. The response rate achieved on the first PolicyHub publication using the Assessment module was 95 percent within two weeks of rollout. This assessment feature gives Markel International complete confidence that employee compliance knowledge and expertise can be measured and enhanced.

PolicyHub® is an end-to-end Policy and Procedure Management solution that integrates Best Practice workflow for policy creation, collaboration, approval, distribution, auditable employee signoff, attestation and reporting. It is a multilingual solution that incorporates full Microsoft Office functionality with an advanced notification system and advanced reporting features. It is available as an on-premise system or as a SaaS solution.

Future gains expected

With the growing demands of regulatory obligations, financial services organizations must provide documentary evidence that Policies and Procedures are in place and adhered to. PolicyHub dramatically changed the delivery of policies and compliance communications at Markel International. Implementation involved a collaborative team of compliance and IT professionals from Markel International and Hitec, which guaranteed smooth delivery of the project, including uploading and availability of existing documentation.

Markel International uses the flexibility of PolicyHub to provide a communications channel and create management information reports to senior executives and auditors. Markel International can clearly demonstrate a record of which staff have received, read and understood each policy and when they agreed to them. It also highlights staff who have not complied. “How do you know if they have read this policy?” is no longer a concern.

Each user has access to their own library of documents relevant to their particular role. Policies and Procedures can be updated with minimum effort and replaced within each user’s library in seconds.
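The measurement the two paragraphs above describe, as an added example that is not PolicyHub code or Markel International's data: an append-only attestation ledger that records who acknowledged which version of a policy and when, reports the completion rate within a publication window, lists the staff who still owe an acknowledgement, and refuses to count an acknowledgement of a superseded version. The policy identifier, staff names, dates, the `requires_assessment` flag and the `pass_mark` threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Policy:
    policy_id: str
    version: int
    published: datetime
    requires_assessment: bool = False  # assumed flag: acknowledgement must be backed by a passed test
    pass_mark: float = 0.8             # assumed minimum score when a test is required


@dataclass(frozen=True)
class Attestation:
    user: str
    policy_id: str
    version: int
    read_at: datetime
    assessment_score: Optional[float] = None


class AttestationLedger:
    """Append-only record of who acknowledged which policy version, and when."""

    def __init__(self) -> None:
        self.latest: Dict[str, Policy] = {}       # policy_id -> current version
        self.audience: Dict[str, Set[str]] = {}   # policy_id -> staff who must attest
        self.records: List[Attestation] = []

    def publish(self, policy: Policy, audience: Iterable[str]) -> None:
        current = self.latest.get(policy.policy_id)
        if current is not None and policy.version <= current.version:
            raise ValueError("versions must increase; earlier records are never rewritten")
        self.latest[policy.policy_id] = policy
        self.audience[policy.policy_id] = set(audience)

    def record(self, att: Attestation) -> None:
        if att.policy_id not in self.latest:
            raise KeyError(f"unknown policy {att.policy_id}")
        self.records.append(att)

    def is_compliant(self, user: str, policy_id: str, as_of: Optional[datetime] = None) -> bool:
        """True if the user acknowledged the *current* version (by the cut-off, if given)."""
        pol = self.latest[policy_id]
        for att in self.records:
            if att.user != user or att.policy_id != policy_id or att.version != pol.version:
                continue                                  # acknowledging an old version does not count
            if as_of is not None and att.read_at > as_of:
                continue
            if pol.requires_assessment and (att.assessment_score is None
                                            or att.assessment_score < pol.pass_mark):
                continue                                  # read, but did not pass the test
            return True
        return False

    def completion_rate(self, policy_id: str, within_days: Optional[int] = None) -> float:
        """Percentage of the audience compliant, optionally within N days of publication."""
        pol, audience = self.latest[policy_id], self.audience[policy_id]
        if not audience:
            return 0.0
        cutoff = pol.published + timedelta(days=within_days) if within_days is not None else None
        done = sum(1 for u in audience if self.is_compliant(u, policy_id, as_of=cutoff))
        return round(100.0 * done / len(audience), 1)

    def noncompliant(self, policy_id: str) -> List[str]:
        """Staff who still owe an acknowledgement of the current version."""
        return sorted(u for u in self.audience[policy_id] if not self.is_compliant(u, policy_id))


# Constructed sample data: ten staff, one policy published twice.
T0 = datetime(2013, 6, 3)
STAFF = [f"user{i:02d}" for i in range(1, 11)]


def build_sample_ledger() -> AttestationLedger:
    ledger = AttestationLedger()
    ledger.publish(Policy("AML-001", 1, T0), STAFF)
    for day, user in enumerate(STAFF[:8]):        # eight acknowledge within the first 10 days
        ledger.record(Attestation(user, "AML-001", 1, T0 + timedelta(days=day)))
    ledger.record(Attestation("user09", "AML-001", 1, T0 + timedelta(days=12)))  # late reader
    return ledger


def supersede_with_v2(ledger: AttestationLedger) -> AttestationLedger:
    """Version 2 requires a passed test; v1 acknowledgements no longer count."""
    ledger.publish(Policy("AML-001", 2, T0 + timedelta(days=30), requires_assessment=True), STAFF)
    for day, user in enumerate(STAFF[:5]):
        ledger.record(Attestation(user, "AML-001", 2, T0 + timedelta(days=31 + day), 0.9))
    ledger.record(Attestation("user06", "AML-001", 2, T0 + timedelta(days=33), 0.5))  # failed test
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("v1 within 10 days:", ledger.completion_rate("AML-001", within_days=10), "%")
    supersede_with_v2(ledger)
    print("v2 overall:", ledger.completion_rate("AML-001"), "% outstanding:", ledger.noncompliant("AML-001"))
```

The ledger never deletes or overwrites a record, which is what makes the completion figure defensible to an auditor: the rate is recomputed from the raw acknowledgements against the version currently in force, so re-issuing a policy automatically reopens the obligation for everyone, and a failed assessment shows up as outstanding rather than as "read".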

With the previous solution, compliance was almost impossible to measure

The compliance team at Markel International wanted to ensure they could distribute, manage and guarantee key policies were received, read and understood by all staff. This was a logistical challenge, particularly with a growing number of locations outside its home office in the U.K.

Prior to implementing PolicyHub, policy documents were generally communicated by email, posted on the company intranet and supplemented by periodic face-to-face training. Where positive affirmation was required from each employee, compliance or HR spent inordinate time chasing signatures. For other policies, it was only possible to show a policy had been issued — but they were unable to demonstrate it had been read and fully understood.

As PolicyHub is such an improvement over Markel International’s old system, no direct cost comparison can be calculated: it’s apples to oranges. They can now show a 100 percent compliance rate for relevant staff, and more importantly take action on noncompliant areas of the organization which were not visible before.

A new world of efficiencies

Markel International experienced increased efficiencies in many areas:

  • Reduced reporting times; previously, Markel International could only report a policy had been published. Now it can report the percentage of staff that have read and acknowledged each policy;
  • Response times have also improved. The first PolicyHub publication generated an 85 percent completion rate within just 10 days;
  • Assessment times have improved; for example, the response rate achieved on the first PolicyHub publication using the Assessment module was 95 percent within two weeks of rollout;
  • Improved accuracy means Markel International can demonstrate 100 percent of relevant staff acknowledge adherence to each compliance policy. Previously there was no such audit trail;
  • Reduced errors means Markel International can show results based on accurate data.

Feedback on PolicyHub from Markel International users, as reported by Hitec Laboratories, includes comments such as, “We wonder how we ever got along without it.” PolicyHub makes compliance Policy and Procedure communication easy and provides a simple and straightforward process for extracting management information for the board, auditors and regulators. Strengths of the PolicyHub approach include:

  • Simple and easy-to-navigate interface;
  • Consistent, centralized management of compliance Policies and Procedures;
  • A compliance audit trail to prove staff keep up-to-date with changes in policy;
  • Reduced administration, leading to immediate time and cost savings;
  • Flexible assessment module;
  • Detailed reporting;
  • Demonstrable evidence of Best Practice and good governance;
  • No passwords to remember with single sign-on;
  • Full version control and tamper-proof documents.


2013 GRC Value Award: IT & Information Risk, Security & Compliance

GRC 20/20 Research awarded LockPath its 2013 GRC Value award in the IT & Information Risk, Security, and Compliance category. A leading manufacturer of medical devices recently extended its use of LockPath's Keylight platform across several of its applications. During the first year, the implementation has meant an 80 percent reduction in IT audit preparation time, with five weeks of work reduced to one week, improved clarity and efficiency in security functions, and improved insight companywide through dashboards and reports.

The manufacturer recently extended its use of LockPath's Keylight platform to include the Risk Manager (Rm), Compliance Manager (Cm), Audit Manager (Am) and Security Manager (Sm) applications, used to streamline internal and external audit processes and the operational control environment. All of this data (vulnerabilities, audits) is now linked to assets, which is expected to unlock further valuable insight.

A disparate system with poor visibility

Prior to the LockPath implementation the organization's audits were managed on a SharePoint site, using spreadsheets, emails and individual or manual item tracking. No direct numbers were available, other than through spreadsheet manipulation. Vulnerabilities, penetration tests and Web application assessments were all maintained as separate efforts and tracked separately, without historical linkage or other insight. The company rarely had a solid view of GRC, and results were rarely reported or even visible to leadership.

Internal security teams managed the tracking of audit requests against internal controls, and all communication between the organization's personnel and external auditors. The last midterm audit consumed the corporate team of two for six weeks or more, in addition to other teams at each location.

Adding safety and accountability, application-by-application

The medical device manufacturer first purchased Rm and Cm to manage the control activities of one division, to map policies to requirements and to manage risk tracking and exceptions. Next, they added the Sm application and, more recently, nearly fully automated their vulnerability management process, cataloged their assets and tagged them with responsible owners, and provided a near-real-time dashboard of their risk posture. The organization has also loaded its Web application and penetration test findings from this year and the past two years into the system, so that findings and systems can be traced back to historical information. The workflow moves each vulnerability through its phases, alerts owners of any need to remediate, automatically reminds them if a task is overdue, and automatically verifies a completed patch.
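The remediation workflow the paragraph above describes (owner assignment from asset tags, overdue reminders, and verification of a reported fix by the next scan), as an added example that is not LockPath or Keylight code: a small state machine over constructed scanner rows. The asset names, owners, check identifiers, dates and the `SLA_DAYS` deadlines are all assumptions; a real scanner's output format would differ.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Tuple


class Phase(Enum):
    OPEN = "open"                            # detected, owner notified
    PENDING_VERIFY = "pending_verification"  # owner reports a fix; awaiting rescan
    CLOSED = "closed"                        # rescan no longer detects it


# Assumed remediation deadlines by severity, in days from first detection (not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    asset: str
    check: str            # scanner check identifier
    severity: str
    owner: str
    first_seen: datetime
    due: datetime
    phase: Phase = Phase.OPEN
    history: List[str] = field(default_factory=list)   # audit trail of phase changes


class RemediationWorkflow:
    """Minimal state machine for scanner findings: open -> pending verification -> closed."""

    def __init__(self, asset_owners: Dict[str, str]) -> None:
        self.asset_owners = asset_owners          # asset tag -> responsible owner
        self.findings: Dict[str, Finding] = {}
        self.notices: List[str] = []              # would be e-mails or tickets in a real deployment

    def _notify(self, who: str, text: str) -> None:
        self.notices.append(f"{who}: {text}")

    def ingest_scan(self, scan_time: datetime, rows: List[Dict[str, str]]) -> None:
        """rows are constructed scanner output: {asset, check, severity}."""
        seen = set()
        for row in rows:
            fid = f"{row['asset']}:{row['check']}"
            seen.add(fid)
            if fid in self.findings:
                continue                          # already tracked; the original due date stands
            owner = self.asset_owners.get(row["asset"], "unassigned")
            due = scan_time + timedelta(days=SLA_DAYS.get(row["severity"], 90))
            f = Finding(fid, row["asset"], row["check"], row["severity"], owner, scan_time, due)
            f.history.append(f"{scan_time.date()} opened")
            self.findings[fid] = f
            self._notify(owner, f"new {row['severity']} finding {fid}, due {due.date()}")
        # Verification: a reported fix is accepted only if the rescan no longer sees the finding.
        for f in self.findings.values():
            if f.phase is not Phase.PENDING_VERIFY:
                continue
            if f.finding_id in seen:
                f.phase = Phase.OPEN
                f.history.append(f"{scan_time.date()} reopened: still detected")
                self._notify(f.owner, f"{f.finding_id} reopened, rescan still detects it")
            else:
                f.phase = Phase.CLOSED
                f.history.append(f"{scan_time.date()} verified closed")

    def mark_remediated(self, finding_id: str, when: datetime) -> None:
        f = self.findings[finding_id]
        if f.phase is Phase.CLOSED:
            raise ValueError(f"{finding_id} is already closed")
        f.phase = Phase.PENDING_VERIFY
        f.history.append(f"{when.date()} owner reports fixed; awaiting rescan")

    def send_reminders(self, now: datetime) -> List[str]:
        """Return ids of unclosed findings past their due date, notifying each owner."""
        overdue = []
        for f in self.findings.values():
            if f.phase is not Phase.CLOSED and now > f.due:
                overdue.append(f.finding_id)
                self._notify(f.owner, f"{f.finding_id} overdue by {(now - f.due).days} days")
        return sorted(overdue)


def run_scenario() -> Tuple[RemediationWorkflow, List[str]]:
    """Constructed walk-through: a fix that did not take, an overdue reminder, then closure."""
    wf = RemediationWorkflow({"web-01": "alice", "db-01": "bob"})
    t0 = datetime(2013, 9, 2)
    rows = [{"asset": "web-01", "check": "check-A", "severity": "critical"},
            {"asset": "db-01", "check": "check-B", "severity": "medium"}]
    wf.ingest_scan(t0, rows)
    wf.mark_remediated("web-01:check-A", t0 + timedelta(days=3))
    wf.ingest_scan(t0 + timedelta(days=5), rows)            # rescan still sees check-A: reopened
    overdue = wf.send_reminders(t0 + timedelta(days=10))     # the 7-day critical deadline has passed
    wf.mark_remediated("web-01:check-A", t0 + timedelta(days=11))
    wf.ingest_scan(t0 + timedelta(days=12), rows[1:])       # check-A gone: verified and closed
    return wf, overdue


if __name__ == "__main__":
    workflow, late = run_scenario()
    print("overdue at day 10:", late)
    for finding in workflow.findings.values():
        print(finding.finding_id, finding.phase.value, finding.history)
```

Two design points matter for the audit use the passage describes. The due date is anchored to first detection and survives a reopen, so a patch that did not take cannot reset the clock; and a finding only closes on scanner evidence, never on the owner's say-so, so the `history` list on each finding is a defensible record of what was claimed and what was verified.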

In late August 2013, while preparing for a sizable (1,300-item) roll-forward audit, the organization quickly added Am to handle external audit requests. Within days, they had entered these requests via an upload file and set up their external audit team with specialized Keylight accounts that allowed it to review responses. Using the built-in workflow, employees are alerted to items that require a response, and auditors receive notifications when requests are submitted for review. This eliminates the inefficient back-and-forth dialog that typically accompanies an audit. A single dashboard allows many views of audit progress and breakdowns, providing real-time tracking and brand-new insight.

The new LockPath system has enabled this medical device manufacturer to:

  • Save at least 10 weeks of corporate-internal personnel time managing the audit (two people for five weeks each).
  • Save billing time from the external auditors on nonvalue transactions and coordination.
  • Shorten audit duration and speed results since they are directly available, and automatically turn into a remediation project with tasks.
  • Avoid costs associated with exploited vulnerabilities.

Qualitatively, staff feels the system has meant:

  • Reduction in risks that result in fines, litigation and reputation loss.
  • A shift to highly productive and effective tasks such as detailed analysis and discovery of opportunities, business efficiencies and true risk-analysis.
  • Audits can be managed by a central group of administrators for all locations.
  • Efficiency across all audit participants, improved morale and better cooperation.
  • Multiple views of real-time information that can be presented as desired via dashboards.
  • Greater leadership confidence in management, with direct insight via dashboards and tracking.

Expected benefits, five years on

This organization expects to take on additional audit tasks as a result of increased efficiency and the expanded analysis and consulting provided by its internal audit team. It also expects a reduction in negative findings and required remediation from external audits, and more opportunities recommended by the internal audit team, resulting in fraud reduction, risk reduction and additional cost savings.

Enhanced security features are expected to improve the efficiency and operation of the control environment. Security analyst work is now a fraction of what it used to be, since it is a matter of running the tools and adding their output to the GRC system for any of several operational tasks. This means more can be done as a team, and a view of organizational effectiveness can be continually maintained through the reporting inherent in the tool.


2013 GRC Value Award: Enterprise GRC

GRC 20/20 Research awarded MetricStream and Sterling Bank its 2013 GRC Value award in the Enterprise GRC category. The MetricStream Enterprise GRC Solution Suite allowed Sterling Bank to move away from the hundreds of spreadsheets created every year to complete audits, credit reviews and risk assessments, and from the hundreds of other documents compiled to report on findings and risk summaries. Today’s system is a single-source GRC solution that integrates governance, risk and compliance functions and brings strong scores from regulators.

Sterling successfully used MetricStream’s single-source GRC solution suite, which consolidates various GRC functions, including enterprise risk management, internal audit, issue management, policy management, business-line risk assessment, regulatory compliance self-assessments and internal asset review, into one enterprisewide view. Benefits received in the short term (within one year) of implementation included:

  • Automated end-to-end GRC workflow, eliminating the need for cumbersome spreadsheets, saving time and costs and minimizing error
  • Ability to perform detailed risk self-assessments, define and assess controls, track loss incidents along with root causes and ownership, and quickly resolve any issues that arise
  • Established a single risk framework and nomenclature within the GRC system, and a single source of truth
  • Strong risk management grade from regulators
  • Better board reporting and focus on the risks that matter
  • Risk management is now one of the top-line corporate goals, raising awareness of its value

A long-term GRC vision

Among Sterling Bank’s long-term goals for the product is to push risk management down to the first line of defense, to ensure issues are identified as early as possible. This top-to-bottom approach should also involve the board of directors and actively engage them in GRC issues.

The MetricStream solution will be used for active monitoring of audit processes, risks and incidents, and ensure compliance with regulations such as SOX, GLBA, FDIC and FFIEC by all business units — and not just by the efforts of the risk and compliance staff. The solution provides a single and unified view into actionable business intelligence, active responses to risk and facilitates corresponding changes to strategy, all of which provides the bank with a competitive edge.

Risk, compliance, audit and policy in one enterprisewide view

Before the MetricStream Enterprise GRC solution was implemented, the various GRC initiatives at Sterling Bank — risk, compliance, audit, policy, etc. — were managed as separate programs. As a result, due dates for issues could be missed, and when reorganizations occurred, issues could fall between the cracks. A number of standalone software applications and point solutions catered to these individual programs and functions. There were serious challenges in ownership and transparency, which resulted from a prior inability to aggregate GRC data from across the enterprise in real time and leverage this information to drive risk-based decisions and business strategy.

Sterling Bank used several data sources and manual processes that were labor intensive. GRC functions were spread across multiple unrelated departments. Consolidating all GRC programs and processes into a single platform enables the organization and every employee to work more collaboratively and more efficiently, while reducing costs and eliminating redundant activities.

MetricStream GRC solutions foster communication, collaboration and information sharing between business units and corporate functions. The bank can ensure ownership and transparency while aggregating GRC data from across the enterprise in real time, and leverage this information to drive risk-based decisions and business strategy.

A change in GRC culture

Sterling’s fraud risk assessment process previously contained over 300 different risks, many of them applicable to only one department. By rationalizing these risks for population into the MetricStream GRC solution, Sterling was able to eliminate and consolidate fraud risks into 70 risk categories companywide. This library of risks, controls, processes, assets, issues, regulations, products, policies and objectives enhances Sterling Bank’s risk management capabilities. Business managers have real-time access to the status of audit and exam issues rather than waiting to receive a periodic spreadsheet.

The GRC program facilitates a reduced-touch approach to GRC; business units no longer have to generate as many as eight risk assessments a year, since the GRC program provides multiple automated risk assessments in a single session. The following efficiency improvements have also been realized by the new approach, supported by MetricStream GRC solutions:

  • Automated end-to-end GRC workflows eliminate the need for hundreds of documents and spreadsheets, saving time and costs and minimizing errors.
  • A single source of truth for risk information, with a universal risk taxonomy and nomenclature.
  • A catalyst for establishing a sustainable risk culture across the enterprise.
  • Tracking and trending of data for management committee and board reporting.
  • The ability to isolate changes in self-assessment testing for immediate action.
  • Risk is now embedded within decision-making processes and coordinated across business units.
  • Individuals and committees are empowered to be accountable for owning and/or escalating existing and emerging risks to management.
