Category: The GRC Pundit Blog

2013 GRC Value Award: Control Monitoring & Assurance

The GRC Pundit BlogPublished onLeave a Comment on 2013 GRC Value Award: Control Monitoring & Assurance

GRC 20/20 Research awarded SAP its 2013 GRC Value award in the Control Monitoring & Assurance category. When SAP was implemented at a large multinational beverage corporation, during the first year, the company was able to remove more than 4,000 invalid system IDs, implement a process to remove roles from users if the role is not used within 120 days, and decrease license maintenance costs by identifying and removing unused access assignments for users and roles.

SAP Access Control automates the process of detecting, remediating and ultimately preventing access risk violations. Automation with SAP Access Control extends beyond risk analysis to automation of user and role assignments with these features:

  • Automatic detection and remediation of access risk violations across SAP and non-SAP systems
  • Automated review of user access, role authorization, risk violation and control assignment
  • Periodic access reviews and centralized closed-loop super-user management
  • Process-embedded compliance checks and mandatory risk mitigation
  • Self-service workflow-driven access requests and approvals
  • Comprehensive audit trails of user and role management activities

The SAP Access Control solution is suitable for any business of any size that requires real-time visibility into their current risk position. Users can accurately manage reduce unauthorized access, fraud and the cost of compliance.

Moving from a scattered system to a precision tool

SAP Access Control's success with the leading multinational beverage corporation meant the company could move away from its legacy disparate provisioning processes spread over multiple systems. The old system had a lack of visibility, so the company could not get a handle on how roles were used or who held which roles – in fact, they had found that there were a high number of roles being maintained in the system that were no actually used by any users — thousands of inactive roles were removed from users, and about 4,000 unused system IDs were removed as well.

In the old system, it took two to four weeks to provision user access to perform their primary work tasks. The provisioning system was scattered across the enterprise in disparate systems, with little real visibility. This lack of visibility also meant the different parts of the business had poor awareness of the importance of identity and access management, and didn't have much involvement in the process.

A new solution that works, and drives down risk

This leading multinational beverage corporation has standardized their user provisioning and user access review processes, resulting in decreased time to provision access, decreased risk exposure, and decreased software licensing maintenance costs. The new system provides a sustainable process for measuring accurate access assignments, automation and consolidation of of processes, increased analytics for maintaining efficient user and role assignments and continued and increased insight and visibility to risk.

The new system decreases time to provision a new user from two to four weeks to about three days. This change in process also resulted in a decrease in the number of roles and users maintained by the system.

To prevent the buildup of unused roles and save on license maintenance costs, the system implemented a process to remove roles from users if the role is not used within 120 days. The beverage giant was also able to sunset a number of tools be moving to one standardized provisioning process.
Standardization of processes areas made possible by the SAP Access Control solution brought efficiencies and effectiveness. Risks are addressed in a more controlled manner, and provides increased visibility and insight into risk across multiple systems. Standardized processes also improved decision-making abilities and increases users' ability to do their job in a timely manner due to decreased provisioning time.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

2013 GRC Value Award: Compliance Management

The GRC Pundit BlogPublished onLeave a Comment on 2013 GRC Value Award: Compliance Management

GRC 20/20 Research awarded The Hartford its 2013 GRC Value award in the Compliance Management category. The Hartford, a leader in property and casualty insurance, group benefits and mutual funds, uses the RSA Archer GRC Platform to support over 80 GRC processes including a New York State Labor regulation instituted in 2012.  By building a solution on the RSA Archer eGRC platform the company avoided tens of thousands of dollars in expenses, and brought The Company into compliance one month ahead of schedule. 

The Hartford, a leader in property and casualty insurance, group benefits and mutual funds, was given a short period of time to comply with the State of New York Wage Theft Prevention Act, which required employers to give an annual written notice of wages to all new hires and other employees. The employees are required to return a form acknowledging receipt of that notice, and records of the notice and the responses must be tracked to evidence compliance.

This new regulation required a new HR process, which represented a challenge for the Hartford because:

  • The short turn-around time required to develop a new process and design a new solution to address that process
  • The compliance date differed from The Hartford’s annual merit cycle but needed to use annual wage information
  • The solution had to be user friendly to address The Hartford’s diverse employee base of 20,000+
  • Other states were expected to adopt similar — but possibly not identical — regulations, so the solution had to be flexible and repeatable
  • Forms had to be available in multiple languages
  • The Hartford had limited budget and resources to build the solution

The Hartford evaluated several options including its existing payroll systems, manual mailings, or using its operation risk management (ORM) system  (RSA Archer)..  Building a custom solution on the RSA Archer Platformoffered an affordable end-to-end solution. Other optionswere estimated to cost in excess of $70,000, and still involved manual processes.

The Hartford’s HR compliance and payroll departments partnered with the ORM team and developed a solution to automate state-specific annual employee notices, monitor employee responses, automate any follow up notices to employees and management, maintain historical evidence, provide the appropriate oversight to ensure the company complied with the law, was intuitive and end-user friendly and it was completed in three months — one month ahead of schedule.

Easy migration to a new, effective solution

Using a data import feature within the RSA Archer GRC Platform, the HR data is loaded from the external data file and populated into an employee information application. Importing data through this feature saves a great deal of time and is completed quickly and easily.

The RSA Archer Platform uses a campaign feature to set a date on which acknowledgement forms are automatically created. The form contains employee geographical and wage information along with instructions to complete the form, explanation of the requirements, due date and a selection for the employee to respond. An email notification is automatically generated once the acknowledgement form is created, which contains a brief description of the process, instructions, obligations and a link to the acknowledgement form. The employee clicks on the link to access their record, review wage information and select the appropriate radio button (to acknowledge or request a notice in a language other than English, which is a NY state requirement). As soon as the employee saves the record, their response is electronically recorded, the acknowledgement stored and the process is completed for the year.

The Hartford’s first campaign touched 1,461 employees. It took just 37 minutes to create the acknowledgement forms and emails. Within the first six minutes of the launch, they had received a 32 percent response rate. If employees do not respond within given deadlines, the system automatically escalates and notifies HR employees who can help. In the two years since the process was implemented, HR received fewer than 10 questions from users about completing the process.

The Hartford estimates that with the old processes, completing the requirement would draw resources from multiple organizations and could take more than 100 hours. With the automated process, it takes about six to 10 hours over six to eight weeks.

THE NEW SOLUTION

Companies must be diligent with the ever changing regulatory environment. While a poster in the break room used to be the norm, the explosion of remote work has legislatures looking for additional ways to ensure that employees receive notice. States are more frequently requiring that records be kept to make sure employees receive and understand legal notices. The RSA Archer solution puts The Hartford in a position to easily address any new state labor requirements with little to no cost and with minimal effort, and to address regulatory inquiries through existing automated reporting.

Since the passage of the New York state regulation, the state of California now requires commissioned employees to receive an annual notice, and the state of New Jersey will soon also require employees to sign an acknowledgement form that they have read a gender-equality notice. The Hartford’s RSA Archer solution will help the company quickly come up to speed with new requirements for employees in those states. Leveraging the existing workflow and structure for new states does not require a new license and only requires approximately 10 to 15 resource hours to add the new requirements to the solution.

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 Announces 2013 GRC Value Award Recipients

The GRC Pundit BlogPublished onLeave a Comment on GRC 20/20 Announces 2013 GRC Value Award Recipients

GRC 20/20 today announced the launch of its inaugural GRC Value Awards program. Fifteen leaders in GRC were honored for real-world implementations of Governance, Risk Management and Compliance programs and processes that have returned significant and measurable value to an organization. 

Nominations from GRC solution providers as well as internal GRC programs within organizations were evaluated and vetted from a pool of 87 total nominations. Nominations were evaluated for depth of quantitative facts and each final selection was validated by GRC 20/20 and the specific implementation to attest to accuracy (even the anonymous entries below were vetted with direct contact with the specific implementation). Fifteen are recognized across the following categories (in alphabetical order):

  • 3rd Party GRC: GRC 20/20 Research awarded Hiperos 3PM its 2013 GRC Value award in the Third-Party GRC category for their implementation at a regional bank holding company.  The client specifics are anonymous in this publication, but GRC 20/20 has verified the factual accuracy with the bank.  After the implementation of Hiperos 3PM solution at the bank, it was able to triple the number of its third-party investigations without any increase in headcount. The number of days needed to assess the inherent risk of a third party also dropped dramatically — from 7.55 in 2011 to 5.22 in 2012 to 3.95 in 2013. Hiperos continues to deliver efficiencies. 
  • Audit Management: GRC 20/20 Research awarded ACL GRC and their client Traina & Associates its 2013 GRC Value award in the Audit Management category. ACL is an all-in-one cloud-based GRC process management solution. Since ACL GRC’s implementation at the Traina & Associates CPA firm two years ago, the average audit time went from 60 days to 30 days; audit management efficiency increased by 25 percent; and audit revenues increased by 10 percent without increasing staffing.
  • Business Continuity Management: GRC 20/20 Research awarded RSA® and Equifax its 2013 GRC Value award in the Business Continuity Management category. After implementing RSA Archer’s Business Continuity Management solution, U.S. consumer credit reporting agency Equifax experienced an immediate 60 percent reduction in time to create business continuity and disaster recovery plans, and a 20 percent OPEX savings for 2013.
  • Compliance Management: GRC 20/20 Research awarded The Hartford its 2013 GRC Value award in the Compliance Management category. The Hartford, a leader in property and casualty insurance, group benefits and mutual funds, uses the RSA Archer GRC Platform to support over 80 GRC processes including a New York State Labor  regulation instituted in 2012.  By building a solution on the RSA Archer eGRC platform the company avoided tens of thousands of dollars in expenses, and brought The Company into compliance one month ahead of schedule. 
  • Control Monitoring & Assurance: GRC 20/20 Research awarded SAP its 2013 GRC Value award in the Control Monitoring/Assurance category. When SAP Access Control was implemented at a large multinational beverage corporation, during the first year, the company was able to remove more than 4,000 invalid system IDs, implement a process to automatically remove roles from individual profiles if the role is not used within 120 days, and decrease license overall maintenance costs.
  • Enterprise GRC: GRC 20/20 Research awarded MetricStream and Sterling Bank its 2013 GRC Value award in the Enterprise GRC category. MetricStream Enterprise GRC Solution Suite allowed Sterling Bank to transition to an automated and integrated GRC program — from hundreds of spreadsheets to track audits, credit reviews and risk assessments, as well as hundreds of documents used to report findings and risk summaries. Today’s single-source GRC solution integrates functions and brings Sterling Bank strong scores from regulators. 
  • Environmental, Health & Safety: GRC 20/20 Research awarded CMO COMPLIANCE its 2013 GRC Value award in the Environmental Health and Safety category. The CMO COMPLIANCE HSEQ solution was implemented for a contractor, which reports an ROI of $2 million and growing. The solution replaced 20-internal solutions, streamlining ISO certification, and saving them at least one month additional FTE dedicated to ISO management and they continue to find new ways to streamline and save with the solution.
  • Identity & Access GRC: GRC 20/20 Research awarded AlertEnterprise, Inc. its 2013 GRC Value award in the Identity and Access category. Enterprise Guardian™ from AlertEnterprise was deployed at a large utility corporation. The implementation provided the utility insight into its identity repository and multiple IT systems to identify risks and eliminate threats, while meeting NERC and NERC CIP compliance. AlertEnterprise estimates the utility sees annual benefits of $1 million perhaps greater as a direct result of the implementation.
  • Information & Data Governance: GRC 20/20 Research awarded ClusterSeven ESM its 2013 GRC Value award in Information and Data Governance. With the help of the ClusterSeven Enterprise Spreadsheet Manager (ESM) solution, a global European banking and financial services company was able to meet regulatory demands to demonstrate control over its core financial operations. In the process, the bank projects a 3.5x ROI on ClusterSeven ESM based on risk avoidance.
  • Insurance & Claims Management: GRC 20/20 Research awarded Riskonnect RMIS and the State of Utah its 2013 GRC Value award in the Insurance & Claims Management category. Riskonnect RMIS’s fully automated insurance risk management software platform addresses insurance claims, litigation, exposure, and policy management. Within one year of implementation the Utah Division of Risk Management estimates it saved $1 million on reconciliation of insurance premium billing, and saw an 82 percent increase in efficiency in processing high dollar payments.
  • Investigations Management: GRC 20/20 Research awarded SAI Global and HealthPlus its 2013 GRC Value award in the Investigations Management category. With the help of the SAI Global solution called Compliance 360®, HealthPlus, a Michigan health and wellness organization, reduced its average days to complete investigations cases by 56 percent. Average days to complete cases has been reduced from nine days to four days. In spite of ever-rising caseload numbers, the SAI Global
    team was able to complete the implementation two months ahead of schedule. 
  • IT & Information Risk, Security & Compliance: GRC 20/20 Research awarded LockPath its 2013 GRC Value award in the IT & Information Risk, Security, and Compliance category. A leading manufacturer of medical devices recently extended its use of LockPath’s Keylight platform, including several modules. During the first year, the implementation has meant an 80 percent reduction in IT audit preparation time with five weeks of work reduced to one week, improved clarity and efficiency related to security functions, and improved insight companywide through dashboards and reports. 
  • Legal GRC: GRC 20/20 Research awarded Datacert Passport® and Marsh & McLennan Companies its 2013 GRC Value award in the Legal GRC category. Datacert’s Passport technology platform provides an integrated legal and GRC ecosystem that allows organizations to respond to the cost of compliance and non-compliance. The Passport implementation at financial leader Marsh & McLennan Companies helped reduced its outside counsel fees by 56 percent, its lowest spend since 2007, among other savings.
  • Policy Management: GRC 20/20 Research awarded Hitec Laboratories Ltd and Markel International its 2013 GRC Value award in the Policy Management category for its PolicyHub® solution. Markel International’s implementation of PolicyHub impressed them with its enhanced ability to demonstrate compliance to regulators. Markel International can demonstrate a 100 percent compliance rate for relevant staff, and can take action on noncompliant areas of the organization, which was previously not possible.
  • Risk Management: GRC 20/20 Research awarded Modulo Risk Manager its 2013 GRC Value award in the Enterprise Risk Management (ERM) category. A large regional financial services company used Modulo Risk Manager to help it comply with HIPAA, PCI and SOX; as well as its consolidation of 350 independently chartered bank branches, with 6,700 employees and a heterogeneous environment spanning a variety of operating systems, servers, application platforms and legacy systems for each back-end core banking platform.

"We are extremely pleased with the response and the quality of submissions for the first year of the GRC Value Awards, which reflects strong market demand and growth across all GRC segments," said Michael Rasmussen, Chief GRC Pundit for GRC 20/20 and internationally recognized expert. "These are awards play an important role in recognizing today's successes as a milestone toward advancing GRC maturity. In achieving maturity, GRC is part of the organization's strategy and operations and supported by a range of technology, knowledge and services – enabling the organization to achieve greater efficiency, effectiveness, and agility in GRC processes and broader business operations."

About GRC 20/20

GRC 20/20 is the authority in understanding how organizations implement GRC practices that are effective, efficient and agile. Through independent research and industry interaction, GRC 20/20 advises the entire ecosystem of GRC roles within organizations, technology and knowledge solution providers, and professional service firms. Organizations engage GRC 20/20 when they need insight, guidance and advice in dealing with a dizzying array of disruptive issues, challenges, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment. Visit GRC 20/20 at http://www.grc2020.com/ and follow on Twitter at @GRCPundit.

 

The Rise of GRC Architecture in GRC 3.0

The GRC Pundit BlogPublished onLeave a Comment on The Rise of GRC Architecture in GRC 3.0

Moving Beyond the GRC Platform to GRC Architecture

Business is complex.  Gone are the years of simplicity in business operations.  Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance professionals (GRC) throughout the business.

GRC cannot be managed in isolation.  That is what fails.  The decentralized and disconnected distributed systems of the past catch the organization off guard to risk and expose the organization.  Complexity of business and intricacy and interconnectedness of GRC data requires that we have an integrated approach to business systems, data, and GRC. 

The Bottom Line: The organization requires complete situational and holistic awareness of GRC across operations, processes, relationships, systems, and data to see the big picture or risk and its impact on organization performance and strategy.   Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to GRC architecture.  GRC fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole.  GRC also fails when it is thought of as a single platform to manage workflow and tasks.  GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach.

Why not see BOTH the forest and the trees?

The individual components of GRC — governance, risk management, and compliance — are a necessary and intricate challenge to business.  GRC is not optional: every organization has some approach to GRC from the ad hoc to the agile.   The primary directive of a mature GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the interrelationship of performance, risk, and compliance.  This requires a strategic approach that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of business and operational activities. Doing this is not easy as all of these elements are in a constant state of change.

GRC maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business grows.  Various systems and processes interrelate in apparent and not so apparent interactions that can surprise the organization and catch it off guard.  When risk is understood and compartmented in silos the organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any individual silo understood. 

To maintain integrity, and execute on strategy, the organization has to be able to see the individual area of risk (the tree) as well as the interconnectedness of risks (the forest). 

GRC relationships are non-linear.  They are not a simple equation of 1 + 1 = 2.  They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300.  What seems like a small disruption or risk exposure may have a massive effect or no effect at all.  In a linear system effect is proportional with cause, in the non-linear world of business and GRC it is exponential. Business is chaos theory realized.  The small flutter of risk can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business the result is often exponential to unpredictable.

GRC 3.0 – Moving Beyond the GRC Platform to GRC Architecture

The core of GRC 3.0 is operationalizing GRC across the fabric of business strategy and operations – seamlessly, agilely and non-invasively.  This involves bringing GRC to the ‘coal-face’[1] of the organization through employee engagement in GRC with systems that are simple, mobile, and easy to use at the frontline of the business. It is about leveraging and harmonizing existing data and systems that deliver results in focused areas but now need to feed into the bigger picture of enterprise transparency in the context of distributed and dynamic business.

The challenge is how to reconcile business agility with GRC strategy and architecture?  Most GRC decisions were considered as a base reaction to the newest regulatory demand. This resulted in billions of dollars spent in GRC with a limited understanding alignment to the business. GRC was approached tactically and not strategically. Organizations have ended up with topography of GRC projects individually focused on risk at department or regulatory/risk issues that have often failed to deliver cross-enterprise insight needed. To use an analogy from anatomy, the enterprise GRC body has functioning heart, kidney’s, limbs, lungs, and other organs that operate as separate entities and not as part of a unified body. What is often missing is a level of integration that provides a central nervous system that connects everything and makes it operate as a body.  This is more than a GRC platform as it has been understood for the past decade.

GRC Platforms: Problem or Cure?

In GRC 2.0 organizations approached GRC as a platform to document and manage content related to risks, policies, and controls, enhanced with workflow to manage assessments, issues, and reporting.  There was limited integration and correlation of GRC information and analytics and reporting was on fairly static information collected over time. Organizations suffered when GRC did not connect all the dots and provide context to business analytics, performance, objectives and strategy in the real-time business operates in.  GRC delivers limited value to the organization when it simplifies risk management to being just surveys and forms that lead to subjective analysis.  GRC has been tactical and focused on putting out fires, particularly compliance fires.   GRC platforms have been primarily workflow, task management, and content systems to document controls and compliance and provide some subjective reporting on risk.  GRC in 1.0 and 2.0 has not delivered on a true integrated understanding of risk and performance. Organizations often have a diverse set of independent and disconnected systems to address a range of credit, market, interest, operational, strategic, reputation, capital, and regulatory risks with no integrated view across these systems.  It is not uncommon for an organization to have six different GRC platforms from different solution providers and a dozen or more other risk and compliance solutions scattered across the organization.

Organizations need to move beyond the concept of a GRC platform as it only addresses part of the challenge and focus on an integrated view of GRC data and systems through a GRC architecture that is a cohesive part of the broader business fabric of the organization. GRC technology is not about a single GRC platform that promises to be all things and fails to deliver them.

The goal of GRC 3.0 is to enable a GRC architecture that effectively reconciles organization strategy, process, information, and technology into a federated architecture model.  There still can be a central core system for GRC, but GRC is not defined as this one central system (or platform) but the integrated whole.  

GRC 3.0 is: an architecture that is enterprise wide; delivers consistent and uniform value from the boardroom to the ‘coal-face’ of the front office
; focused at value protection and creation; and is proactive in measurement, management and interdiction.  GRC 3.0 provides an integrated GRC architecture that connects the fabric of the business together across the organization and its disparate systems, processes, and information. 

[1] The ‘Coal-Face’ is a term originated in the United Kingdom referring to the miners deep in the shafts extracting coal for the business.  Every organization has a ‘coal-face.’  These are the front-line employees that make decisions every day impacting GRC and business performance. 

Where does conflict minerals fit into your broader 3rd party GRC strategy?

The GRC Pundit BlogPublished onLeave a Comment on Where does conflict minerals fit into your broader 3rd party GRC strategy?

The 3rd Party GRC market is the fastest growing segment of the GRC market.  The pressures are many: social accounability/international labor standards, quality, environmental, health and safety, privacy, informaiton security, credentialing, code of conduct, geo-political and operational risk.  An organization's vendors, suppliers, outsourcers, agents, service providers, contractors, consultants, temporary workers . . . it is hard to understand where the organization starts and stops.  The extended enterprise of today is a complex, distributed, diverse, and dynamic organizations that requires risk and complaince oversight.

One of the most significant challenges bearing down on many organizations is conflict minernal compliance.

Organizations approaching conflict mineral compliance can take several paths leading to varying degrees of program maturity.  Mature conflict mineral compliance is an integrated part of a broader governance, risk management, and compliance strategy. It requires a top-down view of conflict mineral risk that is understood in context of enterprise risks. It also means bottom-up participation where business functions identify and monitor risk and suppliers that expose the organization. GRC 20/20 has developed the third Party GRC Maturity Model to articulate maturity in conflict mineral compliance processes in context of broader third party governance, risk management, and compliance. 

  1. Ad hoc and document centric approach. Organizaitons at this level of maturity do not understand risk and exposure to conflict mineral issues.  The organization addresses conflict mineral compliance in a reactive mode and does not invest in technology for compliance and utlizes documents and emails by the thousands to get the job done.  This leads to a mountain of information requiring significant time to reconcile and report while introducing errors and omissions.  It never produces a defensible audit trail or chain of evidence of how assessments and documents were completed and reported upon.  This leaves the organization into exposure as their compliance program is riddled with flaws waiting for the auditor or regulator to pounce upon. There is limited ownership or monitoring of conflict mineral compliance, and certainly no integration of compliance information and processes. 
  2. Fragmented approach focused only on conflict minerals. Here the organization is fragemented.  Conflit mineral compliance is a defined program but operates independently of other programs monitoring risk and compliance across third party relationships.  The organization most likely has seen the value of technology and utlizes it to address conflict mineral compliance. In the broader scope of things conflict minerals is a siloed initiative operating indepentely of others such as social accountabiltiy, quality, environmental, health and safety, and anti-bribery and corruption across the supply chain.  The requirements are being met and the reports made but the organization is inefficient, ineffective, and certainly not agile as it has redundancy in approaches to third party oversight as information and processes are highly redundant and lack integration. 
  3. Integrated approach to conflict minerals as part of social accountability. The integrated stage of conflict mineral maturity is when it is understood in the context of social accountability.  The goal of conflict minerals is to address human rights violations.  This stage of maturity sees conflict mineral compliance moving beyond a compliance initiative to being an integrated part of the values and ethics of the organization and is lived out actively through the code of conduct throughout the organization and its third party relationships.  The organization has an integrated approach to not only address conflict mineral compliance but also child labor, forced labor, working hours, wage/hour, health & safety across its supply chain. The organization has developed consistent and integrated processes to manage assessments, audits, communicate policies, deliver training, report, and remediate.  Technology enables this and ensures that items are done and that the integirty of the organization is protected. 
  4. Aligned third party governance, risk management, and compliance program. In the aligned stage the organization has a cross-department strategy for managing third party GRC.  Here the organization is thinking holistically across governance, risk management, and compliance issues impacting third party relationships.  As the integrated stage sees conflict minerals in the context of social accountability, both are now managed consistently across other third party GRC areas such as anti-bribery & corruption, quality, environmental, health & safety, security, and privacy in third party relationships. The organizaiton has an integrated third party GRC platform to manage the range of these topics while delivering consistency in policy communication, training, assessment, audit, and remediation in third party relationships.  Suppliers and other third parties are relieved as there is a consistent approach and the burden of responding to multiple items in different formats goes away.  The organization benefits from removing the cost of redundant processes, forms, assessments, and approach but also gains the value of an integrated view of the integrity and health of thrid party relationships in the context of performance.
  5. Optimized as part of  an enterprise GRC architecture. At the optimized stage, the third party risk program – and with that conflict minerals – is part of the fabric of a broader enterprise GRC architecture.  As the Aligned stage brought the value of understanding third party risk and compliance in context across third party risk and compliance domains, the organization at the Optimized stage sees and understands third party risk in context of enterprise risk.  This allows for a holistic approach to a 360º conextual awareness.  The organization understands its risk and compliance posture in the context of business objectives, values, risk boundaries, and strategy.  The intricacies of third party risk and how they impact other risks such as financial, reputational, strategic, and operational are understood and managed accordingly.

How Do I Achieve Effective, Efficient, & Agile Conflict Mineral Compliance?

The GRC Pundit BlogPublished onLeave a Comment on How Do I Achieve Effective, Efficient, & Agile Conflict Mineral Compliance?

The specific obligation of the Conflict Mineral Rule is to gather information about the use and source of 3TG in products and report to the SEC (and on the organization's website). As with other significant regulations with a far reach (e.g., Sarbanes Oxley), there is a lot of confusion out of the gates. This includes misconceptions and failure to scope a program that will stand the test of time.
Organizations are best served to define a supplier GRC program and framework to address Conflict Mineral Rule requirements that will be effective today and into the future. The goal is to establish a process that meets or exceeds requirements and reduces risk exposure in a dynamic and distributed business environment. A successful supplier GRC program that addresses conflict mineral requirements is:

  • Effective. Organizations need the program to be effective in meeting requirements as well as reduce risk exposure to the organization.
  • Efficient. Developing processes that are efficient reduces both financial and human capital costs in meeting requirements and governing supplier relationships.
  • Agile. Organizations require agility in supplier governance as it operates in an ever-changing business environment – regulations and requirements change, the business itself changes and new products are developed, and the supply chain is in a constant state of change.

To be effective, efficient, and agile in supplier governance with a focus on conflict mineral compliance program requires a framework that has the following elements supported by process and technology:

  1. Ownership. At the end of the day someone needs responsibility to ensure that the conflict mineral compliance program is functioning and meeting the obligations and reducing risk exposure. This role needs executive sponsorship, as the organization will have to certify the reports it submits putting the executives and board on the line in regards to their fiduciary responsibilities.
  2. Collaboration. While the organization needs someone to lead the conflict mineral compliance program to ensure that it is both designed and operating properly, there are many departments and roles that need to be involved in the program. This includes supply-chain management, procurement, corporate compliance & ethics, legal, risk management, business operations, and audit. A cross-functional committee of roles and departments involved should be established to ensure that everyone is on board and working as a team.
  3. Policies, Procedures, & Training. The cornerstone of any compliance program is policy. In the case of conflict minerals this starts with the organizations code of conduct with a statement regarding the organization's ethics and values in relation to human rights within its operations and across supply-chain and third party relationships. This gets reflected in the supply-chain code of conduct that suppliers have to acknowledge and adhere to. Further detail on expectations, boundaries, and responsibilities is spelled out in related policies and procedures. Training is critical both internally to the organization as well as with the supply-chain so that everyone is on board and understands what is expected of them. Suppliers need to be informed of expectations and obligations as well as understand the process for compliance.
  4. Understand the organization's products. Product filtering is the cornerstone task for making conflict mineral compliance effective, efficient, and agile. The organization needs to catalog its products and the materials used and determine which ones contain 3TG. This is done to define the scope of the detailed assessment and reporting requirements. Proper scoping of products impacts the effectiveness and efficiency of the program as the organization has to track down the source of 3TG that are used in them. Scoping products correctly directly impacts the organization and suppliers burden in compliance.
  5. Assessment. The majority of conflict mineral compliance work is in the assessment process. Here the organization compiles self-assessment surveys/questionnaires to send to its suppliers. Each supplier that is involved with 3TG minerals in products needs to be sent a self-assessment survey to attest to the use and source of 3TG in those products. The challenge for organizations is to drill down deep into the supply-chain to get to the smelter and mine that the minerals came from. Organizations can send self-assessments to their direct suppliers and then require that these suppliers send self-assessments to their downstream suppliers until the original country and source of the mineral is discovered. Or the organization can insist that their suppliers inform the organization of their downstream suppliers and the organization can send assessments itself down into the depths of the supply chain. This becomes a tricky area to navigate: at many points the organization may have to rely on the attestation and information provided by suppliers finding it difficult to navigate past them to the source of the minerals. The key is to keep a watch for inaccurate and misleading information. Intelligence, intuition, and insight are needed to ensure that the organization has taken 'reasonable' steps to identify the source of conflict minerals.
  6. Due Diligence. If the organizations determines that 3TG in products is sourced from DCR or adjoining countries the next step is due diligence. The due diligence expectation is to determine if the minerals sourced from these countries are connected with armed militias. The organization needs to determine how the minerals are moved and controlled. It is expected that the organization will have to put greater oversight and control over the logistics of minerals from these countries to ensure that these groups do not profit militias known for crimes against humanity.
  7. Audit. An important element of conflict mineral compliance is the requirement to have the Conflict Mineral Report audited. Organizations need to leverage their own internal audit staff to ensure the integrity of the report, information collected, and the process for compliance. However, the requirement is to have the report audited by an external auditor. The goal of internal audit is to provide assurance and find issues for the organization to resolve before it gets to the external auditor. Both internal and external audit will need complete access to assessments and due diligence efforts to conduct their audits. Onsite inspections of suppliers should also be expected.
  8. Reporting. The primary deliverable of conflict mineral compliance is the disclosure forms that are reported to the SEC and put on the organizations website. At a minimum organizations have to file a Form SD. Organizations that have to go further and develop a Conflict Mineral Report to accompany Form SD are those that cannot provide reasonable assurance that 3TG is conflict free and have to go beyond reasonable inquiry to suppliers to a structured due diligence process that is audited. This requires the integration and analysis of all the previous collected information so that the organization can build these reports and executives can attest to accuracy.
  9. Remediation. The end game of conflict mineral regulation is to reduce the use of 3TG sourced from facilities connected to human rights violations and bring greater awareness to human rights violations connected to the militias involved with mines and smelters in the region. When issues are found, the organization is to work through the supply chain to remove these facilities and cut off funds to militia groups in the region of the DRC and their crimes against humanity.

Growing Risk Exposure in Business Relationships

The GRC Pundit BlogPublished onLeave a Comment on Growing Risk Exposure in Business Relationships
This is part 1 in GRC 20/20's series of posts on Conflict Mineral Compliance and broader 3rd Party GRC . . . 

No company is an island unto itself: organizations are a complex and diverse system of business relationships. Governance, risk management and compliance (GRC) challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern risk and compliance in extended business relationships as they stand in the shoes of their vendors, partners, suppliers, and other third parties. Business partner problems are the organizations problems that directly impact the organization’s brand, reputation, and increase exposure to compliance matters. When questions of business practice, ethics, safety, human rights, corruption and the environment arise, the organization is held accountable, and it must ensure that business partners behave appropriately. 

Organizations need to understand business relationships in the context of the risk and compliance  issues that impact operations and the brand. The challenge before organizations is: “Can you attest to the status of risk and compliance across the organization’s extended business relationships?”  The head of procurement, for example, is often left considering supplier risk during on-boarding of a relationship but has inadequate resources and experience to effectively monitor risk ongoing.

Managing risk across third party relationships is particularly cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more.  Risk, regulatory, and business environments are in a constant state of change. The business needs to be consistent in its GRC processes across business relationships as well. Manual spreadsheet and document centric processes are prone to failure, as they bury procurement and other areas of third party business relationship management, in mountains of data that is difficult to maintain, aggregate, and report on.  This consumes valuable resources trying to figure things out instead of actively understanding and managing third party risk and compliance exposure.  

Third party relationships — supply chain, value chain, vendors, service providers, outsourcers, agents, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits, controls, and other business practices. Organizations need to actively demonstrate an in-compliance status throughout their extended business environment.

Managing 3rd party risk is a particular challenge in the context of conflict mineral compliance requirements across the organization’s supply chain.  Organizations need an integrated approach to manage the entire supply chain exposure to conflict minerals.  This requires a framework to manage supplier risk, conduct assessments, gather supporting information, report and analyze, resolve issues, and monitor a supply chain that is constantly changing.

In the next few weeks GRC 20/20 will post more articles in the Conflict Mineral series. . . 

 

 

Characteristics of GRC 3.0

The GRC Pundit BlogPublished on1 Comment on Characteristics of GRC 3.0

In the previous post I reviewed the history of GRC.  In this post we examine the characteristics of GRC 3.0. REMEMBER:  every organization does GRC.  You may not call it GRC but your organization has some approach to governance, risk management, and compliance.  The question is how mature is the organizations approach.  The definition of GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

The Core Characteristic of GRC 3.0 is Architecture

The core of GRC 3.0 is to approach GRC as architecture involving strategy, process, information, and technology working together across the business and its operations.  GRC requires the integration of different types of applications and content across the business to achieve efficiency, effectiveness, and agility in a dynamic and distributed business environment.  This requires that we understand the business and how it operates – and how mature GRC is about integration and not necessarily one platform that tries to be all things.

There are different architecture approaches to GRC – decentralized where everyone does their own thing, centralized where everyone has to use one common GRC platform, or a federated approach.  GRC 3.0 is focused on a federated GRC approach.

A federated GRC architecture allows best of breed solutions to exist where they make sense but has a centralized capability to integrate and manage GRC information.  Instead of “one platform to replace them all” (centralized architecture model) we have the “one platform to integrate them all” (GRC 3.0 federated architecture model).

The truth is – organizations often have multiple GRC solutions in house. Different departments have invested in best of breed solutions that make sense where they are.  Gutting and replacing solutions often means the department loses functionality and we manage GRC to the lowest common denominator. No GRC solution does everything GRC.  GRC involves a range of different roles, processes, technologies, and content.  One platform simply does not do everything – or at least it cannot do everything well.

A federated GRC model allows for consolidation where it makes sense, but also allows for best of breed where it makes sense. GRC 3.0 is about building a federated GRC architecture that centralizes oversight, reporting, accountability, and analytics yet allows for integration with other GRC technologies that do specific things very well. The goal is to let GRC work with and throughout the business and not force parts of the business into a mold that does not fit. It allows for diversity while still providing integration and consistency centrally. It allows an organization to have an ecosystem of process, technology, and content that works together to provide the best alignment and value to the business.

Other characteristics of GRC 3.0 include:

  • Operationalizing GRC. Operationalizing GRC is extending GRC into business applications and processes. It is about enabling GRC across business systems and processes.  It is bringing GRC to the business intelligence, performance, and ERP environment to improve real-time insight into business decisions, operational intelligence, and monitoring.
  • Integration of content.  The integration of content and technology is core to GRC 3.0. GRC strategies are looking to integrate GRC process and technology with content from content providers to rapidly assess changing regulations, risks, industry and geopolitical events, and how they impact strategy, performance, controls, policy and the integrity of the organization.
  • 360º GRC contextual and situational awareness.  Through GRC architecture and extension into business operations the GRC environment gains a complete view of what is happening – situational awareness.  Where risk and compliance is monitored and understood in the course of business operations and transactions.
  • Bringing GRC to the ‘coal-face’.  Organizations are recognizing that effective GRC includes those on the front lines of the business – the “coal-face.” GRC 3.0 is about delivering a better end-user experience: getting employees involved by providing elegant interfaces that are intuitive and social. The goal here is to engage employees and provide them with an interface that allows them to participate in GRC without feeling intimidated and lost.
  • GRC gamification.  GRC 3.0 is focused on GRC gamification, engaging employees – that coal-face – with games and interactive content.  Implementing training and awareness programs that enables employees to earn points or badges – perhaps redeemable for certain things.  To recognize people when they make good risk decisions or alert the organization to a problem.
  • Mobility. There’s an app for GRC! GRC is embracing mobile technology on tablets and other devices.  Issue reporting is readily done through mobile devices.  Tablets can be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access or as a mobile kiosk for a group of employees.  Mobile devices can be used in conducting investigations, audits and compliance assessments.  The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.

What are your thoughts on GRC 3.0 and its characteristics?

GRC 3.0 – A History of GRC

The GRC Pundit BlogPublished on3 Comments on GRC 3.0 – A History of GRC

GRC is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity."  The reliable achievement of objectives is the governance piece, addressing uncertainty is about risk management, and acting with integrity is the compliance angle.  All three of these provide a natural flow.  Governance provides direction and objectives giving the context for risk management.  Risk management in turn aims to comprehend uncertainty and set boundaries which then relies on compliance to ensure that we stay within those boundaries.

Organizations have been doing GRC since the dawn of business.  We did not need a three-letter acronym to all of a sudden do GRC.  Every organization has some approach to the aspects of governance, risk management, and compliance: from the ad hoc and disorganized to the mature and aligned.  GRC is part of business whether you call it GRC, something else like ERM, or you have no name for it at all.  The question to consider is how mature is your organization’s GRC practices.

GRC is more than technology. You cannot go out and buy “GRC” – sure, you can buy GRC technologies that enable, improve, and mature GRC related processes.  GRC, properly understood, is something the organization does and not buys.  The right solutions, and in this context GRC solutions, can enable and mature your organizations GRC processes.  But technology by itself does not give you GRC.

That being said – we do have a GRC market for technology, professional services, and content.  I know – I was the first to define, model, and label it GRC back in February 2002 “while at Forrester Research.  I have been working on refining and modeling the market in the eleven years since.  As with any market, they evolve shift and mature.  The GRC market certainly has shifted and changed.  This is what I refer to as: GRC 3.0 – Rethinking GRC.

Let’s explore the stages of the GRC market since it’s first definition and inception in February 2002 to the present day.  It all started . . .

  • GRC 0.9, before 2002: Yes, we had GRC before we had GRC.  GRC is part of business and we have always used technology to manage it.  At one point pen and paper were high-tech.  Organizations have been doing GRC and using tools to manage it for as long as we have had business.  Similar to other technologies like Client Relationship Management – we did not need CRM systems to all of a sudden begin managing client relationships.  CRM came into the world to improve and mature how we manage client relationships.
  • GRC 1.0, 2002 to 2007: On a cold snowy day in February 2002, in the offices of GiGa Information Group in Chicago soon to be acquired by Forrester Research I sat through two vendor briefings that struck me with a revelation.  The first was a technology vendor briefing demonstrating their solution to manage and integrate policies, controls, and risks.  This really struck me.  It was something I had envisioned in the 1990’s as a consultant but was not a software developer so never took action on.  It was simply brilliant.  What do we call it?  A few hours later I had another briefing with PwC reviewing their services.  My ADD mind was bouncing around back to this previous briefing while coming back the PwC briefing – sort of a mental Ping-Pong.  The PwC briefing had some terms that seem to drift toward me from the slides.  On different slides my mind locked onto the terms Governance, Risk Management, and Compliance.  There it was – a name for this new market – GRC.  Providence would have it that the timing for this market was spot on as Enron and Worldcom hit us hard and we had resulting legislation such as SOX.  GRC 1.0 was largely focused on addressing the challenge of internal controls over financial reporting, SOX compliance, as well as related IT controls.
  • GRC 2.0, 2007 to 2012:  Over five years the GRC market grew and expanded.  It was growing in dimensions.  My second Forrester GRC Wave, published in December 2007 right as I left Forrester to become a boutique analyst/researcher, understood this.  It had four separate Wave graphics representing the solutions in different ways as different parts of the organization have different needs as well as some core common needs for GRC.  During the period of 2007 to 2012 we saw GRC expand and take on areas of audit management, enterprise and operational risk management, broader understanding of compliance beyond financial controls, and more.  I began referring to the market as the GRC EcoSystem as it had many components.  I worked with OCEG on defining the GRC Solutions Guide 2.0 and 2.1, which defines 28 categories of GRC technology.  GRC during this period was very focused on the back-office functions of GRC.  There are hundreds of vendors/solutions in its various sectors/categories. At the same time the major analyst firms continued to focus on GRC in their static, two-dimensional, vendor comparisons limited to about fifteen vendors – completely misrepresenting the market and leaving many worthy companies out.  As more solutions focused on this area – the bar gets raised by the analyst firms.  To be recognized you have to have so much revenue, offices in multiple countries, and more.  They expanded what they evaluated slowly but did not give more time to analyze.  In one major firm you now have a multi-billion market based on analyst research that allows a ninety minute demo covering nine very complex areas of GRC – and organizations are basing significant investment decisions on this report.  The GRC market has expanded but the major analyst firms have not kept up.
  • GRC 3.0, 2013 into the future:  We now enter the era of GRC 3.0 – what I label Rethinking GRC.  Later this month I will be releasing the new GRC market model.  This is a representation of the market that understands the building blocks of GRC – functional areas of GRC solutions/technology.  How these come together into platforms that serve the needs of various GRC related departments in the organization (e.g., risk management, compliance, legal, finance, audit, security, health and safety, and more), and how they can come together into an enterprise GRC initiative.  There are industry specific views into the model, as well as issue specific views (e.g., anti-bribery/corruption, AML, conflict minerals, privacy, and more).  GRC 3.0 is also about significant changes to use of GRC solutions within organizations.  One is GRC architecture – it is not about one GRC solution to replace them all.  That can be a strategy, but organizations have different solutions serving different needs – how do we get it to work together.  It is about operationalizing GRC – brining GRC further into the business fabric/operations.  It is about brining GRC to the ‘coal-face’ where we focus on engaging employees in GRC and providing solutions that are simple, mobile, and easy to use for GRC happening at the front-lines/office of the business.

GRC is more than technology – but it is technology that matures GRC practices and processes to be more efficient, effective, and agile in a dynamic and distributed business environment.  The GRC market is a macro-market and not a micro-market. It is a market with many sectors that serve components of GRC scattered throughout the organization.  Some of these functions come together to serve an enterprise approach to GRC to drive consistency where there are similar needs across GRC areas of the business.

As
I wrap up my market definitions and models for GRC 3.0, I would love to hear you opinions, experiences, and thoughts.  Please feel free to comment below.

GRC 20/20 is Clarity of GRC Vision

The GRC Pundit BlogPublished onLeave a Comment on GRC 20/20 is Clarity of GRC Vision

This is the busiest I have ever been as a GRC analyst and market researcher.  Lot's of RFPs and projects happening, in fact tracking several dozen current RFP and GRC process improvement initiatives within organizations.  For example, there are approximately a dozen RFPs in the policy management sector of GRC right now. 

I am hard at work on redefining the whole GRC market with my GRC 3.0.  I will have a completely revised market model with market reports available about the end of April.  This research shows that the GRC market is broad, with about 500 solution providers – but even more professional service firms.  There are many sectors and sub-sectors to the market.

NOTE: I am discussing the GRC market.  GRC itself is broader than technology, content, and consulting services.  What I am discussing is the market for GRC technology, content, and consulting services as it serves and supports broader GRC initiatives.  And every organization does GRC.  It does not matter if you use the GRC label or something else.  The simple truth is every organization has some approach (even a bad one) to aspects of Governance, Risk Management, and Compliance.  There is no argument over if any organization does GRC or not – everyone does.  It is a question of maturity.  How mature and integrated (not consolidated) is an organizations approach to GRC.

FURTHER NOTE:  While there is a concept of the GRC Platform, the GRC market is much broader than this.  It includes sectors for risk management, audit management, compliance management, policy management, investigations/issue management, identity and access, 3rd party management, IT risk/compliance/security, fraud, and many others.  In fact, many of these areas have sub-sectors.  Compliance management has sub-sectors for regulatory change management, assessments, and more.

AND ANOTHER NOTE:  GRC 20/20 gives full and free inquiry access to buyers of GRC technologies – across the GRC market landscape.  If you are an organization looking for advice on the solutions, services, and best practices in GRC at the enterprise, department, or specific issue/risk area – send me an email.  Inquiries are specific questions that can be answered via email or phone in less than a 1/2 hour.  Free inquiries are only available for consumers of GRC solutions and services.  Currently GRC 20/20 fields several hundred such inquiries each year.

As I am hard at work on GRC 3.0 – I thought I would share my latest messaging about GRC 20/20 Research in this newsletter.  I would love to hear your thoughts on how GRC 20/20 Research can provide you the deepest market research, benchmarking, and training in the GRC space. . .

GRC 20/20 is about Clarity of GRC Vision

20/20 vision is perfect clarity.  Clarity, so you are able to see and process your surrounding context and react accordingly.

Clarity of Governance, Risk Management and Compliance

GRC 20/20 Research, LLC (GRC 20/20) provides objective market research, benchmarking, training, and analysis on topics related to governance, risk management and compliance (GRC).

GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” This is the OCEG definition for GRC Capability and integrates with their definition of Principled Performance.

Every organization does GRC – though it may not be called GRC.  The truth simply is that every organization has some approach to governance, risk management and compliance.  The question is how mature is the approach.  To achieve higher levels of GRC maturity requires an understanding and integration of the context of the business and its environments with GRC strategy, process, information, and technology architecture.  GRC happens at an enterprise level, but is most frequently focused on department/function/role needs and address specific risk and regulatory issues.

The GRC market is the demand for technology, content, and service/consulting solutions that address specific aspects/components of GRC or the overall strategic vision for GRC the enterprise.  GRC is a macro-market with many sectors and sub-sectors.  It is not about one product category that tries to be all things to the organization.  Over eighty-percent of the market is focused on department or specific risk and regulatory issues, and less than twenty-percent is focused on top-down enterprise GRC strategies. There are over 500 solution providers that GRC 20/20 has mapped into the sectors of the GRC market, and monitors market size, demand, growth, and directions.

GRC 20/20 brings real-world expertise, independence, creativity and objectivity to help organizations understand and apply strategies and technology to meet GRC challenges. Whether focused on a specific issue, department-level strategy, or an enterprise-wide GRC strategy, clients seek GRC 20/20 advice in achieving sustainable and pragmatic innovation.  GRC 20/20 advises the entire ecosystem of GRC solution buyers, solution providers/vendors, content, and professional service firms. We serve the needs of organizations that seek insight, guidance and advice in dealing with a dizzying array of disruptive issues, challenges, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment.

GRC 20/20 is a:

  • Buyer advocate, representing the needs of those purchasing GRC solutions to help them navigate provider hyperbole to identify the solutions and services that are practical and deliver on requirements.
  • Solution strategist, helping technology, content, and service solution providers understand the demand and needs of buyers to enable product, market, sales, growth, and partner strategies.
  • Market evangelist, to educate and evangelize GRC strategies that are practical for the enterprise or specific departments, provide ideas and the role of technology in making GRC processes efficient, effective and agile.

Through ongoing research and industry interaction, GRC 20/20 is the authority in understanding how organizations approach governance, risk management and compliance practices that are effective, efficient and agile. We advise organizations about how to identify and select the right combination of GRC technology, content, and professional services to maintain a position of integrity aligned with business values, objectives, strategy and performance.

Unlike the major market research and analyst firms – GRC 20/20 aims to be:

  • Affordable.  GRC 20/20 rates are 1/3rd to 1/4th of what you will find at the major analyst firms.  Organizations and solution providers do not need to pay $1,000+ an hour for analyst time.
  • Deep.  GRC 20/20 does not believe that the GRC market can be represented in a single two-dimensional comparison of a handful of select solutions.  Major analyst firms have misrepresented the market this way. We are the only GRC market research and analyst firm to provide detailed selection criteria and market sizing and growth for different sectors/sub-sectors of the GRC market.
  • Pragmatic. GRC 20/20 understands that there are many niches to the GRC market and tha
    t most buyer activities are not trying to do enterprise GRC. GRC 20/20 prides itself on real-world experience – advisors that have experience in the trenches of the organization and know what works and does not work.  GRC 20/20 research is VOID of being academic ivory towers disconnected from the real world.
  • Collaborative.  GRC 20/20 understands we live in a social world field with professional communities and circles.  GRC 20/20 actively engages organizations buying solutions, non-profit associations, solution providers, professional service firms, and others to get complete clarity of aspects of the GRC market and how it should be modeled.
  • Social.  GRC 20/20 knows that to be collaborative requires engagement in social networking.  To be actively involved in discussion, debate, and thought leadership in the social communities GRC professionals participate int.  GRC 20/20 analysts do not sit back in cloistered offices and avoid getting involved in the real GRC world.
  • Reachable.  GRC 20/20 is easy to access.  Clients of GRC 20/20 can phone, email, text, instant message, tweet, or even send smoke signals if necessary to communicate with us and help you get the answers to your questions when you need them.  In fact, GRC 20/20 offers free inquiries to buyers of GRC solutions and services to help them get the understanding they need to take the next step.  GRC 20/20 fields several hundred inquiries each year with buyers of GRC solutions and services, and many more from providers of GRC solutions and services
  • Transparent.  GRC 20/20 represents and works with the ecosystem of buyers and GRC solution, service, and content providers.  GRC 20/20 revenue comes from a mixture of these elements, and is fully committed to objectivity in research, and is not afraid to disclose solution provider relationships.

I would love to hear your thoughts on analysts in the GRC market . . .