Growing Risk Exposure in Business Relationships

This is part 1 in GRC 20/20's series of posts on Conflict Mineral Compliance and broader 3rd Party GRC . . . 

No company is an island unto itself: organizations are a complex and diverse system of business relationships. Governance, risk management and compliance (GRC) challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern risk and compliance in extended business relationships as they stand in the shoes of their vendors, partners, suppliers, and other third parties. Business partner problems are the organization’s problems: they directly impact the organization’s brand and reputation and increase its exposure to compliance matters. When questions of business practice, ethics, safety, human rights, corruption and the environment arise, the organization is held accountable, and it must ensure that its business partners behave appropriately.

Organizations need to understand business relationships in the context of the risk and compliance issues that impact operations and the brand. The challenge before organizations is: “Can you attest to the status of risk and compliance across the organization’s extended business relationships?” The head of procurement, for example, is often left considering supplier risk during on-boarding of a relationship but has inadequate resources and experience to monitor that risk effectively on an ongoing basis.

Managing risk across third party relationships is particularly cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Risk, regulatory, and business environments are in a constant state of change. The business needs to be consistent in its GRC processes across business relationships as well. Manual spreadsheet and document centric processes are prone to failure, as they bury procurement and other areas of third party business relationship management in mountains of data that are difficult to maintain, aggregate, and report on. This consumes valuable resources in trying to figure things out instead of actively understanding and managing third party risk and compliance exposure.

Third party relationships — supply chain, value chain, vendors, service providers, outsourcers, agents, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits, controls, and other business practices. Organizations need to actively demonstrate an in-compliance status throughout their extended business environment.

Managing 3rd party risk is a particular challenge in the context of conflict mineral compliance requirements across the organization’s supply chain.  Organizations need an integrated approach to manage the entire supply chain exposure to conflict minerals.  This requires a framework to manage supplier risk, conduct assessments, gather supporting information, report and analyze, resolve issues, and monitor a supply chain that is constantly changing.

In the next few weeks GRC 20/20 will post more articles in the Conflict Mineral series. . .

Characteristics of GRC 3.0

In the previous post I reviewed the history of GRC. In this post we examine the characteristics of GRC 3.0. REMEMBER: every organization does GRC. You may not call it GRC, but your organization has some approach to governance, risk management, and compliance. The question is how mature the organization’s approach is. The definition of GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].”

The Core Characteristic of GRC 3.0 is Architecture

The core of GRC 3.0 is to approach GRC as architecture involving strategy, process, information, and technology working together across the business and its operations. GRC requires the integration of different types of applications and content across the business to achieve efficiency, effectiveness, and agility in a dynamic and distributed business environment. This requires that we understand the business and how it operates – and that mature GRC is about integration, not necessarily about one platform that tries to be all things.

There are different architecture approaches to GRC – decentralized where everyone does their own thing, centralized where everyone has to use one common GRC platform, or a federated approach.  GRC 3.0 is focused on a federated GRC approach.

A federated GRC architecture allows best of breed solutions to exist where they make sense but has a centralized capability to integrate and manage GRC information.  Instead of “one platform to replace them all” (centralized architecture model) we have the “one platform to integrate them all” (GRC 3.0 federated architecture model).

The truth is – organizations often have multiple GRC solutions in house. Different departments have invested in best of breed solutions that make sense where they are. Gutting and replacing these solutions often means the department loses functionality and GRC is managed to the lowest common denominator. No GRC solution does everything in GRC. GRC involves a range of different roles, processes, technologies, and content. One platform simply does not do everything – or at least it cannot do everything well.

A federated GRC model allows for consolidation where it makes sense, but also allows for best of breed where it makes sense. GRC 3.0 is about building a federated GRC architecture that centralizes oversight, reporting, accountability, and analytics yet allows for integration with other GRC technologies that do specific things very well. The goal is to let GRC work with and throughout the business and not force parts of the business into a mold that does not fit. It allows for diversity while still providing integration and consistency centrally. It allows an organization to have an ecosystem of process, technology, and content that works together to provide the best alignment and value to the business.

Other characteristics of GRC 3.0 include:

  • Operationalizing GRC. Operationalizing GRC is extending GRC into business applications and processes. It is about enabling GRC across business systems and processes.  It is bringing GRC to the business intelligence, performance, and ERP environment to improve real-time insight into business decisions, operational intelligence, and monitoring.
  • Integration of content.  The integration of content and technology is core to GRC 3.0. GRC strategies are looking to integrate GRC process and technology with content from content providers to rapidly assess changing regulations, risks, industry and geopolitical events, and how they impact strategy, performance, controls, policy and the integrity of the organization.
  • 360º GRC contextual and situational awareness. Through GRC architecture and extension into business operations, the GRC environment gains a complete view of what is happening – situational awareness – where risk and compliance are monitored and understood in the course of business operations and transactions.
  • Bringing GRC to the ‘coal-face’.  Organizations are recognizing that effective GRC includes those on the front lines of the business – the “coal-face.” GRC 3.0 is about delivering a better end-user experience: getting employees involved by providing elegant interfaces that are intuitive and social. The goal here is to engage employees and provide them with an interface that allows them to participate in GRC without feeling intimidated and lost.
  • GRC gamification. GRC 3.0 is focused on GRC gamification: engaging employees – that coal-face – with games and interactive content. This means implementing training and awareness programs that enable employees to earn points or badges, perhaps redeemable for certain things, and recognizing people when they make good risk decisions or alert the organization to a problem.
  • Mobility. There’s an app for GRC! GRC is embracing mobile technology on tablets and other devices.  Issue reporting is readily done through mobile devices.  Tablets can be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access or as a mobile kiosk for a group of employees.  Mobile devices can be used in conducting investigations, audits and compliance assessments.  The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.

What are your thoughts on GRC 3.0 and its characteristics?

GRC 3.0 – A History of GRC

GRC is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity."  The reliable achievement of objectives is the governance piece, addressing uncertainty is about risk management, and acting with integrity is the compliance angle.  All three of these provide a natural flow.  Governance provides direction and objectives giving the context for risk management.  Risk management in turn aims to comprehend uncertainty and set boundaries which then relies on compliance to ensure that we stay within those boundaries.

Organizations have been doing GRC since the dawn of business. We did not need a three-letter acronym to all of a sudden do GRC. Every organization has some approach to the aspects of governance, risk management, and compliance: from the ad hoc and disorganized to the mature and aligned. GRC is part of business whether you call it GRC, something else like ERM, or you have no name for it at all. The question to consider is how mature your organization’s GRC practices are.

GRC is more than technology. You cannot go out and buy “GRC” – sure, you can buy GRC technologies that enable, improve, and mature GRC related processes. GRC, properly understood, is something the organization does, not buys. The right solutions, and in this context GRC solutions, can enable and mature your organization’s GRC processes. But technology by itself does not give you GRC.

That being said – we do have a GRC market for technology, professional services, and content. I know – I was the first to define, model, and label it GRC back in February 2002 while at Forrester Research. I have been working on refining and modeling the market in the eleven years since. As with any market, it evolves, shifts and matures. The GRC market certainly has shifted and changed. This is what I refer to as GRC 3.0 – Rethinking GRC.

Let’s explore the stages of the GRC market since its first definition and inception in February 2002 to the present day. It all started . . .

  • GRC 0.9, before 2002: Yes, we had GRC before we had GRC.  GRC is part of business and we have always used technology to manage it.  At one point pen and paper were high-tech.  Organizations have been doing GRC and using tools to manage it for as long as we have had business.  Similar to other technologies like Client Relationship Management – we did not need CRM systems to all of a sudden begin managing client relationships.  CRM came into the world to improve and mature how we manage client relationships.
  • GRC 1.0, 2002 to 2007: On a cold snowy day in February 2002, in the offices of Giga Information Group in Chicago, soon to be acquired by Forrester Research, I sat through two vendor briefings that struck me with a revelation. The first was a technology vendor briefing demonstrating their solution to manage and integrate policies, controls, and risks. This really struck me. It was something I had envisioned in the 1990’s as a consultant but, not being a software developer, never took action on. It was simply brilliant. What do we call it? A few hours later I had another briefing with PwC reviewing their services. My ADD mind was bouncing around back to this previous briefing while coming back to the PwC briefing – sort of a mental Ping-Pong. The PwC briefing had some terms that seemed to drift toward me from the slides. On different slides my mind locked onto the terms Governance, Risk Management, and Compliance. There it was – a name for this new market – GRC. Providence would have it that the timing for this market was spot on as Enron and WorldCom hit us hard and we had resulting legislation such as SOX. GRC 1.0 was largely focused on addressing the challenge of internal controls over financial reporting, SOX compliance, as well as related IT controls.
  • GRC 2.0, 2007 to 2012: Over five years the GRC market grew and expanded. It was growing in dimensions. My second Forrester GRC Wave, published in December 2007 right as I left Forrester to become a boutique analyst/researcher, understood this. It had four separate Wave graphics representing the solutions in different ways, as different parts of the organization have different needs as well as some core common needs for GRC. During the period of 2007 to 2012 we saw GRC expand and take on areas of audit management, enterprise and operational risk management, broader understanding of compliance beyond financial controls, and more. I began referring to the market as the GRC EcoSystem as it had many components. I worked with OCEG on defining the GRC Solutions Guide 2.0 and 2.1, which defines 28 categories of GRC technology. GRC during this period was very focused on the back-office functions of GRC. There are hundreds of vendors/solutions in its various sectors/categories. At the same time the major analyst firms continued to focus on GRC in their static, two-dimensional vendor comparisons limited to about fifteen vendors – completely misrepresenting the market and leaving many worthy companies out. As more solutions focused on this area, the bar was raised by the analyst firms. To be recognized you have to have so much revenue, offices in multiple countries, and more. They expanded what they evaluated slowly but did not give more time to analyze. In one major firm you now have a multi-billion market based on analyst research that allows a ninety-minute demo covering nine very complex areas of GRC – and organizations are basing significant investment decisions on this report. The GRC market has expanded but the major analyst firms have not kept up.
  • GRC 3.0, 2013 into the future: We now enter the era of GRC 3.0 – what I label Rethinking GRC. Later this month I will be releasing the new GRC market model. This is a representation of the market that understands the building blocks of GRC – functional areas of GRC solutions/technology – how these come together into platforms that serve the needs of various GRC related departments in the organization (e.g., risk management, compliance, legal, finance, audit, security, health and safety, and more), and how they can come together into an enterprise GRC initiative. There are industry specific views into the model, as well as issue specific views (e.g., anti-bribery/corruption, AML, conflict minerals, privacy, and more). GRC 3.0 is also about significant changes to the use of GRC solutions within organizations. One is GRC architecture – it is not about one GRC solution to replace them all. That can be a strategy, but organizations have different solutions serving different needs – how do we get them to work together? It is about operationalizing GRC – bringing GRC further into the business fabric/operations. It is about bringing GRC to the ‘coal-face’ where we focus on engaging employees in GRC and providing solutions that are simple, mobile, and easy to use for GRC happening at the front-lines/office of the business.

GRC is more than technology – but it is technology that matures GRC practices and processes to be more efficient, effective, and agile in a dynamic and distributed business environment.  The GRC market is a macro-market and not a micro-market. It is a market with many sectors that serve components of GRC scattered throughout the organization.  Some of these functions come together to serve an enterprise approach to GRC to drive consistency where there are similar needs across GRC areas of the business.

As I wrap up my market definitions and models for GRC 3.0, I would love to hear your opinions, experiences, and thoughts. Please feel free to comment below.

GRC 20/20 is Clarity of GRC Vision

This is the busiest I have ever been as a GRC analyst and market researcher. Lots of RFPs and projects are happening; in fact, I am tracking several dozen current RFP and GRC process improvement initiatives within organizations. For example, there are approximately a dozen RFPs in the policy management sector of GRC right now.

I am hard at work on redefining the whole GRC market with my GRC 3.0.  I will have a completely revised market model with market reports available about the end of April.  This research shows that the GRC market is broad, with about 500 solution providers – but even more professional service firms.  There are many sectors and sub-sectors to the market.

NOTE: I am discussing the GRC market. GRC itself is broader than technology, content, and consulting services. What I am discussing is the market for GRC technology, content, and consulting services as it serves and supports broader GRC initiatives. And every organization does GRC. It does not matter if you use the GRC label or something else. The simple truth is every organization has some approach (even a bad one) to aspects of Governance, Risk Management, and Compliance. There is no argument over whether any organization does GRC or not – everyone does. It is a question of maturity: how mature and integrated (not consolidated) is an organization’s approach to GRC?

FURTHER NOTE:  While there is a concept of the GRC Platform, the GRC market is much broader than this.  It includes sectors for risk management, audit management, compliance management, policy management, investigations/issue management, identity and access, 3rd party management, IT risk/compliance/security, fraud, and many others.  In fact, many of these areas have sub-sectors.  Compliance management has sub-sectors for regulatory change management, assessments, and more.

AND ANOTHER NOTE: GRC 20/20 gives full and free inquiry access to buyers of GRC technologies – across the GRC market landscape. If you are an organization looking for advice on the solutions, services, and best practices in GRC at the enterprise, department, or specific issue/risk area – send me an email. Inquiries are specific questions that can be answered via email or phone in less than half an hour. Free inquiries are only available for consumers of GRC solutions and services. Currently GRC 20/20 fields several hundred such inquiries each year.

As I am hard at work on GRC 3.0 – I thought I would share my latest messaging about GRC 20/20 Research in this newsletter.  I would love to hear your thoughts on how GRC 20/20 Research can provide you the deepest market research, benchmarking, and training in the GRC space. . .

GRC 20/20 is about Clarity of GRC Vision

20/20 vision is perfect clarity.  Clarity, so you are able to see and process your surrounding context and react accordingly.

Clarity of Governance, Risk Management and Compliance

GRC 20/20 Research, LLC (GRC 20/20) provides objective market research, benchmarking, training, and analysis on topics related to governance, risk management and compliance (GRC).

GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” This is the OCEG definition for GRC Capability and integrates with their definition of Principled Performance.

Every organization does GRC – though it may not be called GRC. The truth simply is that every organization has some approach to governance, risk management and compliance. The question is how mature the approach is. Achieving higher levels of GRC maturity requires an understanding and integration of the context of the business and its environments with GRC strategy, process, information, and technology architecture. GRC happens at an enterprise level, but is most frequently focused on department/function/role needs and addresses specific risk and regulatory issues.

The GRC market is the demand for technology, content, and service/consulting solutions that address specific aspects/components of GRC or the overall strategic vision for GRC across the enterprise. GRC is a macro-market with many sectors and sub-sectors. It is not about one product category that tries to be all things to the organization. Over eighty percent of the market is focused on department or specific risk and regulatory issues, and less than twenty percent is focused on top-down enterprise GRC strategies. GRC 20/20 has mapped over 500 solution providers into the sectors of the GRC market and monitors market size, demand, growth, and directions.

GRC 20/20 brings real-world expertise, independence, creativity and objectivity to help organizations understand and apply strategies and technology to meet GRC challenges. Whether focused on a specific issue, department-level strategy, or an enterprise-wide GRC strategy, clients seek GRC 20/20 advice in achieving sustainable and pragmatic innovation.  GRC 20/20 advises the entire ecosystem of GRC solution buyers, solution providers/vendors, content, and professional service firms. We serve the needs of organizations that seek insight, guidance and advice in dealing with a dizzying array of disruptive issues, challenges, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment.

GRC 20/20 is a:

  • Buyer advocate, representing the needs of those purchasing GRC solutions to help them navigate provider hyperbole to identify the solutions and services that are practical and deliver on requirements.
  • Solution strategist, helping technology, content, and service solution providers understand the demand and needs of buyers to enable product, market, sales, growth, and partner strategies.
  • Market evangelist, educating and evangelizing GRC strategies that are practical for the enterprise or specific departments, and providing ideas on the role of technology in making GRC processes efficient, effective and agile.

Through ongoing research and industry interaction, GRC 20/20 is the authority in understanding how organizations approach governance, risk management and compliance practices that are effective, efficient and agile. We advise organizations about how to identify and select the right combination of GRC technology, content, and professional services to maintain a position of integrity aligned with business values, objectives, strategy and performance.

Unlike the major market research and analyst firms – GRC 20/20 aims to be:

  • Affordable. GRC 20/20 rates are one-third to one-quarter of what you will find at the major analyst firms. Organizations and solution providers do not need to pay $1,000+ an hour for analyst time.
  • Deep.  GRC 20/20 does not believe that the GRC market can be represented in a single two-dimensional comparison of a handful of select solutions.  Major analyst firms have misrepresented the market this way. We are the only GRC market research and analyst firm to provide detailed selection criteria and market sizing and growth for different sectors/sub-sectors of the GRC market.
  • Pragmatic. GRC 20/20 understands that there are many niches to the GRC market and that most buyer activities are not trying to do enterprise GRC. GRC 20/20 prides itself on real-world experience – advisors that have experience in the trenches of the organization and know what works and does not work. GRC 20/20 research is VOID of academic ivory-tower thinking disconnected from the real world.
  • Collaborative. GRC 20/20 understands we live in a social world filled with professional communities and circles. GRC 20/20 actively engages organizations buying solutions, non-profit associations, solution providers, professional service firms, and others to get complete clarity on aspects of the GRC market and how it should be modeled.
  • Social. GRC 20/20 knows that to be collaborative requires engagement in social networking: being actively involved in discussion, debate, and thought leadership in the social communities GRC professionals participate in. GRC 20/20 analysts do not sit back in cloistered offices and avoid getting involved in the real GRC world.
  • Reachable. GRC 20/20 is easy to access. Clients of GRC 20/20 can phone, email, text, instant message, tweet, or even send smoke signals if necessary to communicate with us and get the answers to their questions when they need them. In fact, GRC 20/20 offers free inquiries to buyers of GRC solutions and services to help them get the understanding they need to take the next step. GRC 20/20 fields several hundred inquiries each year with buyers of GRC solutions and services, and many more from providers of GRC solutions and services.
  • Transparent.  GRC 20/20 represents and works with the ecosystem of buyers and GRC solution, service, and content providers.  GRC 20/20 revenue comes from a mixture of these elements, and is fully committed to objectivity in research, and is not afraid to disclose solution provider relationships.

I would love to hear your thoughts on analysts in the GRC market . . .

Compliance & Ethics in the Year 2020

Compliance and ethics is not the same today as it was a few years ago, and it’s safe to say that it will continue to evolve in 2020.

In the past, compliance and ethics was distributed and disconnected. The result was a maze of processes, reporting, and information. Compliance functions spent more time managing the volume of documents than they did actually managing and improving compliance.

Compliance and ethics today is in the midst of transformation.  The pressure upon organizations is requiring them to rethink the approach and role of compliance across the organization.  The organization is looking for greater compliance effectiveness while being more efficient with human and financial resources.

What do these many factors, trends and forces suggest for the future of ethics and compliance?

In 2020, Compliance will no longer be the ‘corporate cop’ as it shifts its focus to the integrity of the organization. Compliance and ethics are becoming how we do business as opposed to obstacles to business. As with any transformation – the road of change will have speed bumps. Change is inevitable. The business environment – along with the risk and regulatory environment – is constantly changing. This will force ethics and compliance to evolve to meet organizational requirements for corporate integrity throughout the business and its relationships.

Compliance operations will become federated to overcome the inefficiencies of the decentralized approaches of the past.  While compliance and ethics oversight is centralized under the role of a CECO with stronger executive and board relationships, the islands of compliance scattered throughout the business will begin to coordinate and work together under the leadership of the CECO.  It will not be a completely centralized organization as there are many domains of compliance that work best with business operations and close to the “coal face” of the organization, but compliance information, activities and processes will be coordinated across these departments.

The Shift to a New Ethics and Compliance Information-Based Architecture

All of the above trends point in one clear direction, toward a new ethics and compliance architecture that is dynamic, proactive and information-based. That is, a new model for ethics and compliance that:

  • Is aligned with stakeholder demands for transparency and accountability;
  • Functions as a strategic partner with leadership;
  • Takes full advantage of emerging technologies to improve efficiencies; and
  • Will allow ethics and compliance practitioners to better target their resources.

This shift enables the ethics and compliance organization of tomorrow to have greater efficiency in processing and managing information, effectiveness in ensuring corporate integrity, and agility in addressing rapidly changing business, regulatory, legal and reputational risks. In particular, this new architecture will transform every one of the current elements constituting an ethics and compliance program. Codes, policies and training will all be changed. For example:

  • Risk management. Ethics and compliance will have an active seat at the table of risk management.
  • Code(s) of conduct. A standalone code will be a thing of the past; employees will have an interactive code environment.
  • Policy and procedure management. Similar to the code, policies will be accessed in a user-friendly environment through a portal aligned with the organization brand.
  • Training. As a result of the interactive policy management portal, learning management and delivery of training will be an integrated part of the portal itself and not require disconnected platforms to be integrated.
  • Monitoring & assessment. The ethics and compliance department will have access to data-mining and benchmarking resources that will allow for predictive modeling and serve as a tool for targeting training, security and mitigation efforts.
  • Investigations.  The organization will have a single system to record and capture issues, incidents, and events that integrate with helplines.
  • Change management. Ethics and compliance will be able to integrate processes and technology with information from content providers to rapidly assess changing laws, regulations, and developments around the world and understand how they impact policy and the integrity of the organization.
  • Mobility. There’s an app for ethics & compliance! Ethics and compliance will embrace mobile technology on tablets and other devices for issue reporting; delivering policies, training, and other interactive content; and conducting investigations, audits and assessments.
  • 3rd-party management. Across the range of the items above, ethics and compliance will more effectively manage and communicate integrity across its business relationships with vendors, suppliers, distributors, outsourcers, contractors, consultants, service providers and temporary workers.
  • Metrics and benchmarking.  With a strong information architecture integrated with external content, the ethics and compliance organization will have an optimized infrastructure to report on metrics, trends and benchmarking to track performance and how it is aligned with business strategy and execution.

As with any transformation, the road of change will have speed bumps. Some individuals are naturally resistant to change.  They like the consistency of knowing they have mastered their field and find comfort in performing the job the same way they have in decades past. But change is inevitable. The business environment—along with the risk and regulatory environment—is constantly changing.  This will force ethics and compliance to evolve to meet organizational requirements for corporate integrity throughout the business and its relationships.

I would love to hear your thoughts on compliance management yesterday, today, and tomorrow . . . please comment below.

2013 GRC Drivers & Trends

With March upon us, 2013 is well underway. GRC related activities – process and technology – are increasing as organizations look for better ways to do things while they face distributed and dynamic risk and regulation. Fresh budgets, new resolutions, growing risk and regulatory burdens, understanding risk in the context of strategy, dynamic and distributed business: all lead to process reengineering for governance, risk management, compliance, legal, security and audit functions across the business.

GRC Process & Strategy Drivers

The bulk of GRC spending is happening at the department level to address specific issues or department level GRC process and technology improvement.  GRC 20/20 Research is following several enterprise GRC strategies and implementations, but this represents less than twenty percent of the overall GRC market.

The number-one driver for improving GRC is dealing with the explosive growth of GRC “Big Data” in documents, spreadsheets, paper trails, and emails with no audit trails to validate who did what, when, how, where, and why.  One RFP that GRC 20/20 worked on for a financial services firm revealed that the risk, compliance and audit staff were spending 80% of their time managing documents and reconciling information and only 20% of their time in actually managing risk and compliance.

Organizations are swamped by the amount of regulatory change—new laws, changing regulations, administrative decisions, and court cases.   Keeping current on regulations, documenting impact assessments, and maintaining compliance has been a critical driver within several industries to adopt stronger GRC approaches to manage regulatory change.  Specific focus is on anti-bribery and corruption (e.g., US FCPA, UKBA, OECD).

GRC 20/20 is seeing significant activity in the area of managing vendor/supplier risk, compliance, and performance across extended business relationships.  This includes seeking improved third-party governance because of anti-bribery and corruption, conflict minerals, vendor assessments and attestations, security, and privacy.  It also includes the need to do due diligence and provide assessments, audits, policy communication, training, forms, and attestations across third-party relationships.  In particular, there is a growing need to manage risk and compliance around international labor standards across third party relationships. GRC 20/20 has seen increased activity from organizations developing strategies and RFPs to address social accountability across extended business relationships.

Critical 2013 GRC Process and Technology Trends

GRC, properly defined, is “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance).” To address this understanding of GRC, and what OCEG calls Principled Performance, GRC approaches are evolving to mature the matrix of enterprise strategy, process, information, and technology.   This is what GRC 20/20 defines as GRC 3.0 – where GRC becomes pervasive across the business and its operations, extending from the risk and compliance departments to the executives as well as the “coal-face” of the organization.

The major trends GRC 20/20 is researching and monitoring in 2013 are as follows. GRC 20/20’s major trends are the game-changing ones: significant shifts in GRC strategy and technology.

  • GRC Architecture. The core of GRC 3.0 is to approach GRC as architecture involving strategy, process, information, and technology working together across the business and its operations.  Organizations are leveraging enterprise architecture concepts and applying them to GRC.  GRC requires the integration of different types of applications and content across the business to achieve efficiency, effectiveness, and agility in a dynamic and distributed business environment.  This requires that we understand the business and how it operates – leading to an enterprise architecture approach to GRC.
  • Risk Socialization & Collaboration.  Organizations are recognizing that effective risk management includes those on the front lines of the business – the “coal-face.”  To execute on this, GRC leaders are exploring ways to make risk management social and collaborative, easy to understand and engage across all levels of the organization.  One of the emerging methods is to utilize social technology to facilitate risk collaboration and gamification across the risk management process.
  • Engaged Employee.  On the topic of socialization, GRC is part of everyone’s job description.  Forward-thinking companies are looking for the user experience: getting employees involved and providing elegant interfaces that employees enjoy working with. A lot of work has been done on GRC technology and process to manage the back-end of GRC—the processes and operations of audit, compliance, and risk management.  However, little has been done to improve the front-end of GRC: engaging employees and providing them with interface, content and collaboration technologies to participate in GRC without feeling intimidated and lost.
  • Operationalizing GRC.  Operationalizing GRC is taking GRC to the business.  This ties into the above trends of GRC Architecture, Risk Socialization/Collaboration, and the Engaged Employee, but is more than that.  It is about enabling GRC across business systems and processes.  It is bringing GRC to the process and ERP fabric of the business to improve real-time insight into business decisions, operational intelligence, and monitoring of the business environment.
  • Mobility. There’s an app for GRC! GRC is embracing mobile technology on tablets and other devices.  Issue reporting will readily be done through mobile devices.  Tablets will be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access.  Mobile devices will be used in conducting investigations, audits and compliance assessments.  The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.
  • Business, Risk, & Regulatory Change Management.  GRC strategies are looking to integrate GRC process and technology with content from content providers to rapidly assess changing regulations, risks, industry and geopolitical events, and how they impact strategy, performance, controls, policy and the integrity of the organization.  When the business changes, such as through mergers and acquisitions, GRC is getting involved to assess and harmonize policies, controls, and processes impacted by business change.

Other significant trends in 2013, but not categorized as major trends, that GRC 20/20 continues to research and monitor closely are:

  • 3rd Party Management.  Do you really know who you are doing business with? GRC is being used to more effectively manage and communicate integrity across its business relationships with vendors, suppliers, outsourcers, contractors, consultants, service providers, third party intermediaries, and other non-employee roles.  The goal is holistic management of third-party relationship performance, integrity, risk and compliance throughout the business ecosystem.
  • Business Process Modeling.  Leading GRC solutions are adopting more business process modeling capabilities.  This allows the organization to see how business processes function and information flows combined with control and risk areas. Organizations want to see a visual representation of a business process and where it is having issues and incidents—in other words, to see a graphical dashboard of the process in a GRC context.
  • Policy & Procedure Management.  Organizations are driven to replace ad hoc approaches to policy management.  The goal is a user-friendly environment policy portal.  Employees will easily be able to find the current policy with interactive tools to explain the policy. Policy resources and related forms will be part of the portal. Learning management and delivery of training will be an integrated part of the portal itself and not require disconnected platforms to be integrated. There are over a dozen policy management deals that GRC 20/20 is monitoring at the moment in Fortune 500 companies—and more beyond that.
  • Corporate Compliance Management.  In the past GRC focused on financial controls/compliance and IT risk and control.  Then it moved to enterprise/operational risk and audit management.  Now GRC 20/20 is seeing growing demand for compliance management platforms that bring together regulatory change management, policy management, compliance assessments, reporting/hotlines, training and investigations.
  • Anti-bribery and corruption. Growing anti-bribery and corruption laws, requirements and enforcement actions challenge organizations.  Organizations are looking for a mixture of process, technology and content to effectively address anti-bribery and corruption compliance requirements on a global basis. Organizations are looking for a mixture of solutions to address process, policies, training, screening, due diligence, and transaction monitoring.
  • Identity & access governance.  Who forgot identity?  Identity and access governance is a critical enterprise GRC technology.  Many risk and compliance issues boil down to who has access to what in both the physical and logical environments and whether that access is rational and justified.  This includes making sure individuals are trained and aware of policies for the access they are given. 2013 will show greater awareness and integration of identity and access governance and technologies as part of a GRC strategy. Significant focus will be on compliance reporting and risk exposure.

Wrapping Up Effective Policy Management Loose Ends

Many of you have closely followed my commentary over the past few years on Effective Policy Management and its role in a broader GRC architecture. It is apparent that I am an advocate for technology to manage policies.  Document centric approaches fail.  When we manage policies in word processors and distribute them in email or intranet sites we quickly lose control.

The fact is – organizations struggle with out of date policies.  As soon as I make a policy revision and distribute it, there are still perhaps hundreds (depending on organization size) of versions of the old policy scattered in file shares, email inboxes, local hard-drives, mobile/tablet devices, SharePoint sites, etc.

What is worse is that any employee (or worse yet, a business partner such as a contractor) can create a document and call it a policy.  This puts the organization at risk.  Policies can establish a duty of care to the organization.  Rogue policies that are not officially approved/authorized may throw the doors of liability and legal exposure wide open to the organization.

Organizations need better technology to effectively manage the development, distribution, communication, and maintenance of policies throughout the enterprise.  Technology is enhanced when the organization has standard templates and development/lifecycle process for policy management.  Any employee should be able to open a policy and be able to validate that it is an official policy by comparing it to the current official version on the centralized policy management portal.  They should be able to know if it is an official policy by the template it is in and the fact that it is properly catalogued.

Further, to defend the organization we need audit trails on who interacted with any specific policy.  Organizations need audit trails around interactions with policy – who read/accessed it, when did they access it, where did they access it, how often did they access it – to defend themselves in the current legal/regulatory climate.  Want proof? Consider the Morgan Stanley FCPA case in 2012, when they were the first company in 35 years of FCPA history to not be prosecuted.  If you read the DoJ/SEC press release you will find that Morgan Stanley maintained policies (kept them current), and could defend their compliance program by telling how many times Mr. Peterson in their Asian real-estate business was communicated a policy, reminded of one, was trained, etc.
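A minimal version of the two controls described above, as an added example (not GRC 20/20’s or any vendor’s code): a central registry that fingerprints each approved policy version so an employee’s copy can be checked against the current official one, and an append-only audit trail that can answer how often a given person read, was reminded of, was trained on or attested to a policy. Policy ids, user names and timestamps are constructed sample data.

```python
# Added illustration, not any vendor's product: a small policy registry that
# catalogues approved versions by content hash and keeps an audit trail.
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyVersion:
    policy_id: str
    version: int
    sha256: str        # fingerprint of the approved text
    approved_by: str
    approved_at: str   # ISO-8601 timestamp from the approval workflow


@dataclass(frozen=True)
class AccessEvent:     # one audit-trail entry: who, what, when, where
    policy_id: str
    version: int
    user: str
    action: str        # e.g. "read", "reminded", "trained", "attested"
    when: str          # ISO-8601 timestamp
    where: str         # channel, e.g. "portal", "email", "mobile"


def fingerprint(text: str) -> str:
    """Content hash used to compare a document with the catalogued version."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class PolicyRegistry:
    def __init__(self) -> None:
        self._versions: Dict[str, List[PolicyVersion]] = {}
        self._events: List[AccessEvent] = []   # append-only, never edited

    def publish(self, policy_id: str, text: str, approved_by: str,
                approved_at: str) -> PolicyVersion:
        """Catalogue a newly approved version; the previous one is superseded."""
        history = self._versions.setdefault(policy_id, [])
        pv = PolicyVersion(policy_id, len(history) + 1, fingerprint(text),
                           approved_by, approved_at)
        history.append(pv)
        return pv

    def current(self, policy_id: str) -> Optional[PolicyVersion]:
        history = self._versions.get(policy_id)
        return history[-1] if history else None

    def verify(self, policy_id: str, text: str) -> Tuple[str, Optional[int]]:
        """Classify a held document: "official" (matches current), "superseded"
        (older approved), "unapproved" (edited/rogue copy) or "unknown" policy."""
        history = self._versions.get(policy_id)
        if not history:
            return ("unknown", None)
        digest = fingerprint(text)
        for pv in reversed(history):   # newest first
            if pv.sha256 == digest:
                return ("official" if pv is history[-1] else "superseded", pv.version)
        return ("unapproved", None)

    def record(self, event: AccessEvent) -> None:
        self._events.append(event)

    def interactions(self, user: str, policy_id: str) -> Counter:
        """Evidence for a defence: how often this person read, was reminded of,
        was trained on or attested to the policy."""
        return Counter(e.action for e in self._events
                       if e.user == user and e.policy_id == policy_id)


def demo() -> PolicyRegistry:
    """Constructed sample data: an anti-bribery policy revised once."""
    reg = PolicyRegistry()
    reg.publish("ABC-001", "Anti-Bribery Policy v1: no gifts above USD 50.",
                "chief.compliance", "2012-01-10T09:00:00Z")
    reg.publish("ABC-001", "Anti-Bribery Policy v2: no gifts above USD 25.",
                "chief.compliance", "2013-01-15T09:00:00Z")
    for user, ver, action, when, where in [
            ("jdoe", 1, "read", "2012-02-01T10:00:00Z", "portal"),
            ("jdoe", 1, "trained", "2012-03-01T10:00:00Z", "lms"),
            ("jdoe", 2, "reminded", "2013-01-20T10:00:00Z", "email"),
            ("jdoe", 2, "attested", "2013-01-22T10:00:00Z", "mobile"),
            ("asmith", 1, "read", "2012-02-05T10:00:00Z", "portal")]:
        reg.record(AccessEvent("ABC-001", ver, user, action, when, where))
    return reg
```

An edited copy of an official policy hashes differently and is reported as "unapproved", which is the check an employee (or auditor) runs against the portal before relying on a document.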

How does an organization go about selecting a policy management solution?  Should they build one in house on tools such as SharePoint? Should they purchase a policy management solution built on SharePoint? What about stand-alone policy management software? What value do these offerings bring that a SharePoint implementation cannot achieve?  When does an enterprise GRC platform make sense that can cross-reference policies to issues, investigations, risks, controls, and even regulatory change management to manage policies when regulations change?

GRC 20/20 Research tracks approximately sixty different solution providers in the policy management space.  This is among the more than 500 solution providers in the broad GRC market with its various market segments. Some of these solutions are what is understood as an enterprise GRC platform, where policy management is one module/app integrated with a series of others to provide insight and intelligence across policies and broader GRC.  Other solutions are policy management pure-plays that focus exclusively (or nearly so) on policy management.  Still others are solutions that are built upon content management systems such as SharePoint.

How does an organization make sense of all this?  It can be challenging.

GRC 20/20 Research is happy to interact with any organization looking for solutions in the GRC space – and in this context, policy management solutions.  This ranges from ½ hour email or phone inquiries to discuss the market, the players in it, and what differentiates them, for organizations evaluating or implementing solutions.  GRC 20/20 provides open access to our research analysts to any organization looking to purchase GRC technologies.  If deeper help is needed, GRC 20/20 can be engaged on projects to help you develop/customize an organization’s RFP and select the right vendors to evaluate based on your organization size, locations, industry, and other demographics.  Every solution provider has its strengths and weaknesses – you need to end up with the one that best fits your business.

Some additional things to consider:

  • Later in February, GRC 20/20 Research will be releasing two market research reports.  One will be a GRC 20/20 Market Landscape: Policy Management Solutions that defines the market, size, growth/direction, drivers, trends, and key players.  The other will be a GRC 20/20 Buyer Perspective: Selection Criteria for Policy Management Solutions focused to help organizations in developing RFPs for policy management solutions.
  • My Effective Policy Management Lifecycle and workshops have been very popular – and I continue to deliver them in public and private formats.  The eBook combining my commentary and work with OCEG, Compliance Week, and several solution providers is also available for download.  The OCEG GRC Policy Management Illustrated series is contained in the eBook.
  • GRC 20/20 is proud to announce that Lisa Hill is now a contributing analyst of GRC 20/20 Research.  Lisa is the former policy manager at VISA – and has built one of the most mature approaches to policy management process and lifecycle that I have encountered.  She has her own consulting business, PolicyScape, that works directly with organizations to help them define and build their policy management process.  As a contributing analyst, she works through GRC 20/20 Research as an analyst in the GRC technology market to assist with GRC/policy technology RFPs, deliver GRC 20/20 policy training, and assist solution providers in their strategies.
  • I chair the OCEG Policy Management Group.  While some collaboration started in 2012, the group (comprised of policy managers and others interested in policy management) is ready to fully launch with activities later in February.  OCEG has established a collaboration management platform that we will be utilizing to develop the OCEG policy management guide; provide templates for a style guide, policy on writing policies, and a library of policies themselves that is contributed to by members.  Further, we will be working on a Policy Manager certification to help establish this critical role in organizations.  If interested in this group, please contact me.

GRC 20/20 is providing the following (paid) research webinar on this topic: Policy Management Market Landscape & Selection Criteria.  This is a one-hour webinar to lay out the policy management market size, players, differentiators, and direction.  We will also explore the core selection criteria organizations should be considering when purchasing a policy management solution.  While the webinar does not go into specific comparisons of individual vendors, we will present a model that characterizes the market into basic, mature, and advanced offerings.

2013 GRC Technology Innovation Awards

GRC and technology. Every organization does GRC, not every organization does GRC well.  You will not find an organization that states it lacks governance, does not care about risk, and forgets about compliance.  Organizations may not call it GRC – but they have GRC processes from the ad hoc to the mature.  What makes a mature GRC approach – either at the departmental or enterprise level – different from an immature approach is how the organization utilizes process, technology, and information.  Technology makes GRC and its individual components of governance, risk management, and compliance more effective, efficient, and agile.

Over the years GRC technology has evolved and changed. There is not one vendor that delivers all of GRC; there are many market segments and niches.  In 2012, GRC 20/20 recognized ten vendors from a few dozen submissions in the 2012 GRC Technology Innovation Awards.   To recognize how technology is evolving, GRC 20/20 Research is proud to announce the 2nd annual GRC Technology Innovation Awards.

The 2013 GRC Technology Innovation Award process was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.  Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and innovative solutions.

Particular trends to note in the 2013 selections are:

  • Delivering a GRC marketplace for the exchange of ideas, content, and apps (note RSA Archer started this trend a few years back, but other vendors have picked up on it and have advanced it to new levels);
  • Socializing GRC and risk management by utilizing social technologies to facilitate risk collaboration/gamification across the business and engage everyone in GRC and risk management (note BPS Resolver started this trend several years back – but it is just now gaining momentum and a few companies selected are really advancing this concept);
  • GRC architecture and integration – it is not about one GRC vendor that can do everything.  GRC requires the integration of different types of applications and content to make it work.  This requires that we understand the business, how the business operates, and take an enterprise architecture approach to GRC.
  • Engaging the employee. At the end of the day, GRC is part of everyone’s job description.  Forward thinking companies are looking at the user experience: how to get employees more involved and how to provide elegant interfaces that employees enjoy working with.

Not every vendor selected for the 2013 award fits into one of these buckets completely, but all this year’s award recipients touch one or more of them with where they are taking GRC technology.

The 2013 GRC Technology Innovation Award recipients are (please follow hyperlinks to see more detail on each recipient):

  1. The GRC Marketplace: the Force.com of GRC. MetricStream’s Zaplet brings the benefits of Platform-as-a-Service (PaaS) technology to the GRC space, providing a platform to build, market, and sell specialized GRC applications using the power of cloud technology and community.
  2. Risk collaboration: socializing risk in the enterprise. Riskflo’s Discovery™ platform addresses the fundamental challenge of capturing, integrating and sharing the knowledge of how a risk behaves. 
  3. Engaging Risk: providing a social GRC architecture. Integrc’s "Engaging Risk” is a combination of integrated GRC knowledge solutions that helps organizations achieve greater understanding and interaction.
  4. Delivering GRC Architecture. MEGA’s Holistic Operational Excellence platform (HOPEX) integrates enterprise architecture (EA) capabilities with GRC capabilities into one platform.
  5. Mind-mapping GRC. C2CSmartCompliance’s Compliance Mapper has a powerful GRC content mapping engine that allows an organization to graphically map regulatory and customer-generated content and click to establish bi-directional links.
  6. The user experience: the Apple of GRC.  The Network’s Integrated GRC Suite is innovative for its design and end user experience.
  7. Integrating content, experience, and process. Think of Compli Portfolio™ as the “electronic binder” that integrates the work of internal and external experts in an elegant user experience to illustrate and manage an organization’s compliance and risk profile.
  8. Managing risk in social networks. OpenQ’s SafeGuard™ is addressing the risk of social technologies in regulated industries that have held back from using social technology because of GRC concerns.
  9. Advancing GRC mobility. Supporting GRC activities on the move, Blackthorn CaseNotes represents one of the most feature rich GRC mobile apps available.
  10. From GRC idea to “there’s an app for that.”  Compliance Assurance Corporation’s Compliance Idea eXchange (CIE) enables their clients to drive innovation, with a particular focus in GRC in the insurance vertical.
  11. Advancing GRC analytics. In the era of ‘Big Data,’ SAP HANA Analytics Foundation for SAP Solutions for GRC shows innovation in addressing the burgeoning velocity, volume, and variety of GRC governance, risk and compliance data in the enterprise.
  12. Efficiencies in reporting. ControlPanelGRC’s AutoAuditor enables companies to be in a state of continuous audit readiness by automating manual reporting processes, and through its intuitive design AutoAuditor adapts to each company’s specific reporting demands.

GRC 20/20 wishes we could recognize more – but we had to put a cap somewhere.  Twelve seemed like the appropriate number.  There were many great submissions – some more innovative than others.  The 2014 award nomination process will begin in October of 2013.  Further, GRC 20/20 will be doing another award process called the GRC Value Awards.  Nominations will be accepted starting in April 2013 and award recipients will be selected and announced in July 2013.  That process will look to find who has the best-substantiated value proposition in various categories of GRC software.  Stay tuned.


1 – The GRC Marketplace: the Force.com of GRC, MetricStream’s Zaplet

The 2013 GRC Technology Innovation Awards were filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 1 is MetricStream’s Zaplet which showed technology innovation for the GRC Marketplace: the Force.com of GRC.

MetricStream’s Zaplet brings the benefits of Platform-as-a-Service (PaaS) technology to the GRC space, providing a platform to build, market, and sell specialized GRC applications using the power of cloud technology and community. This enables the broadest GRC ecosystem of partners and content providers to deploy GRC applications and content. At its core is the GRC App Store, a web-based marketplace, where customers can browse, learn about, license, and run GRC apps and integrated content. Each app has its own data models, workflows, information flows, content, reports, dashboards, and templates that are fully tailored to specific requirements around a business process, industry mandate, or regulatory requirement. These apps are rich in content and functionality as they are designed and developed by GRC subject matter experts. Developers build applications using the AppStudio suite of development tools, which provides a visual environment with web-based drag-and-drop tools for defining workflows and information routing rules, forms, business reporting processes, and the underlying business logic that controls the interactions between various elements. Developers and partners can provide customer demos, free trials, and upgrades, while accessing critical customer feedback and any new requirements via the GRC App Store. 


2 – Risk collaboration: socializing risk in the enterprise, Riskflo’s Discovery™

Number 2 is Riskflo’s Discovery™ which showed technology innovation for risk collaboration: socializing risk in the enterprise.

Riskflo’s Discovery™ platform addresses the fundamental challenge of capturing, integrating and sharing the knowledge of how a risk behaves.  This knowledge is fragmented across the organisation, across business processes, and from management to the ‘coal face.’  Riskflo’s suite of applications provides a new approach to risk workshops and facilitation so that the knowledge locked away inside the heads of those closest to the business process and risk is captured.  Riskflo has moved beyond risk voting tools to support a rich interactive discussion between facilitator and participants in an environment where participant identity can be firewalled. Riskflo addresses the core problem of eliciting and aggregating expert opinion from multiple participants – navigating cognitive and behavioral bias through technology that delivers risk facilitation, group learning, knowledge elicitation and group estimate aggregation methodologies.  This approach transforms the quality of the risk assessment information while providing a rich and engaging experience for facilitator and participants alike.  Riskflo has developed a new paradigm for engaging all levels of the organization in risk management activities in a deep and lasting way, and in the process provides a means to transform the risk management culture.