Rethinking GRC

2012 marks the 10th anniversary since I first modeled a market for technology, content, and professional services and labeled it GRC. It all started with a vendor briefing with a software firm in which they demonstrated an integrated view of controls, policies, and assessments. A light bulb went on in my head: there is a strategic approach to business, combined with the services, content, and technology to support it, through which organizations could achieve an integrated view of information to assist with Governance, Risk Management, and Compliance (GRC). That was February of 2002, and the GRC market was born.

From the beginning I always stated that GRC was about the business first and technology was a foundation for the business to build upon. It was first and foremost about understanding the business – its strategy, risks, obligations, commitments, objectives – and helping the organization manage risk and compliance in the context of business.

Over the years, GRC has grown in conception and understanding. The best thing to happen to GRC was the development of the OCEG GRC Capability Model, and with that the OCEG definition of GRC:

  • GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.

What has been a disappointment with GRC, and what calls for some rethinking, is our technology approach to GRC. It is impossible to define GRC as a package of software. There is not one vendor that can be your GRC band-aid and solve your problems. GRC is not a commodity that you buy from a technology vendor.

GRC is what is achieved in the business and its operations. To that point we need to rethink our understanding of GRC technology.

This means that we need to think of GRC in the context of business architecture. Achieving good GRC processes in our environment requires an understanding of what the business is about, how it operates, and how it should be monitored and controlled through information and technology.

Rethinking GRC is about taking an enterprise/business architecture approach to understanding the business and how it operates. This includes:

  • Strategy architecture. Understanding what the business is about, where it is going, what the goals are. This requires that we understand GRC — and its components of governance, risk management, and compliance – in the context of business performance, strategy, objectives as well as its culture and values.
  • Process architecture. Flowing from strategy are the processes that define the business and how it operates. Good GRC is done in the context of the business – the rhythm of the business. GRC technology and processes should be integrated with business processes and systems. We need a firm understanding of how the business operates and how to manage risk, policies, and controls in the context of business operations. GRC requires that we be able to model the organization, its operations, and its processes to understand GRC in context of the business.
  • Information architecture. To support business operations and processes, we need a good definition of GRC-related information: standards/schemas for risk, policy, and control information, and a definition of how that information flows across the business. What GRC information is needed to make sure that the business is reliably achieving objectives while addressing uncertainty and acting with integrity?
  • Technology architecture. Finally, we approach technology. GRC technology needs to be kept in perspective – it is about the business. We need to make sure that the GRC technologies (and I purposely use the plural) integrate with our business operations, systems, and processes. To put GRC before the business is to put the cart before the horse.

What does all of this mean? I will write more on that in the next article. For now, it means we need to take a business approach to GRC and not lead with a technology approach. It means that we should stop thinking that GRC is about one vendor that solves all the business’ problems. It may mean that there is a technology backbone for GRC consolidated to a single vendor, but it most likely means that there will be several vendors that do different parts of GRC well that form a GRC architecture supporting the business, its operations, and its processes.

I look forward to hearing your comments and thoughts on Rethinking GRC . . .

Tracking Change that Impacts Policy

In the time it takes you to read this article your business has changed. The economic environment has changed, your employees have changed, and there are constant changes to technology, competition, and processes. Business drifts in a sea of change. One particular area of change that bears down on the organization is the siege of changing laws, regulations, and enforcement actions.

When regulatory change management is an ad hoc process with little to no documentation, accountability, and task management, there is no possibility to be intelligent about regulatory risk that impacts your business. The typical organization does not have adequate processes in place to monitor regulatory change, determine impact on business processes, prioritize, and make changes to policies. Information itself is not enough—organizations are overwhelmed by data through legal and regulatory newsletters, Websites, e-mails, and content aggregators. In fact, the vast amount of information is part of the problem. It is not uncommon to have a myriad of subject matter experts doing ad hoc monitoring of legal and regulatory change and sending e-mails with little or no follow- up, accountability, or impact analysis.

The organization needs a defined regulatory change management process—to assimilate the intake of relevant information, track accountability on who needs to perform what actions, model the potential impact on the organization, establish priorities, and determine if the organization’s policies, procedures, and controls need to be adjusted to address the change. The process must require a joint accountability and collaboration effort between legal, compliance, and the business.

Building a regulatory intelligence strategy requires the implementation of a process model that monitors regulatory change, measures impact on the business, while implementing appropriate policy, training, and control updates.

Regulatory change management processes include the following components . . .


This is the second part of a six part series (once a month) on the topic of Effective Policy Management and the Policy Management Lifecycle. To access the second installment please click on the following link: Tracking Change that Impacts Policy

There is an associated webinar with this article as well as the rest of the six articles in the series. You can access the registration for the webinars at the links below:

Archived webinars in the series:

Additionally, I am the chair of the Policy Management Council at OCEG. OCEG is a non-profit organization with over 30,000 members aimed at helping companies reliably achieve objectives while addressing uncertainty and acting with integrity. You can see how policy management is critical to this mission. We already have over 30 large enterprise organizations on the Policy Management Council. The goal is to develop and maintain the OCEG Policy Management Guide to be the defining framework for managing policies within organizations. Once the first version is published later this year we will be working on a policy management certification for the role of the internal policy manager within organizations to help establish and define this critical role. Other projects are to build templates for a style guide, policy documents, and other related items. The OCEG Policy Management Council is open to internal policy manager roles within organizations with a premium individual OCEG membership. Professional service firms, technology vendors, and others that offer services and content around policies can join, but it requires the organization to be a GRC Solutions Council member of OCEG (please email me if interested in the GRC Solutions Council membership).

I look forward to hearing your comments and thoughts on Tracking Change that Impacts Policy . . .

P.S. – There are some complimentary seats available to my Effective Policy Management Workshop next week in Boston. These are ONLY available to internal managers of policies within a corporation. I typically charge $500 for this workshop – but a sponsor, HITEC, has covered the costs to allow me to offer this for free this time to those who write and manage policies for their organization. Please register.

Effective Policy Management

From time to time, to my surprise, I still hear people asking why policies matter. After all, they argue, aren’t the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their own operations and have case-by-case flexibility? Don’t policies create liability when they aren’t followed? Isn’t it just more unnecessary bureaucracy?

My answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance culture and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths.

The longer answer is a bit more complex. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes—the organization states what it will and will not accept and defines the culture of integrity and compliance it expects.

Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct . . .

This is the start of a six part series (once a month) on the topic of Effective Policy Management and the Policy Management Lifecycle. To access the first installment please click on the following link: Effective Policy Management

There is an associated webinar with this article as well as the rest of the six articles in the series. You can access the registration for the webinars at the links below:

Additionally, I have been appointed to chair the Policy Management Council at OCEG. OCEG is a non-profit organization with over 30,000 members aimed at helping companies reliably achieve objectives while addressing uncertainty and acting with integrity. You can see how policy management is critical to this mission. We already have over 30 large enterprise organizations on the Policy Management Council. The goal is to develop and maintain the OCEG Policy Management Guide to be the defining framework for managing policies within organizations. Once the first version is published later this year we will be working on a policy management certification for the role of the internal policy manager within organizations to help establish and define this critical role. Other projects are to build templates for a style guide, policy documents, and other related items. The OCEG Policy Management Council is open to internal policy manager roles within organizations with a premium individual OCEG membership. Professional service firms, technology vendors, and others that offer services and content around policies can join, but it requires the organization to be a GRC Solutions Council member of OCEG (please email me if interested in the GRC Solutions Council membership).

I look forward to hearing your comments and thoughts on Effective Policy Management . . .

GRC Flexibility and Efficiency through Mobile Audits and Assessments

The dynamic and global nature of business is challenging organizations to effectively and efficiently implement processes for governance, risk management, and compliance (GRC). As organizations expand operations, processes, locations, and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing), their risk profile grows exponentially. Organizations need to stay on top of their game by conducting GRC audits and assessments (for both risk and compliance) as needed. This means having the ability to conduct regular/periodic assessments, but also being ready to conduct an assessment as business changes and issues arise.

Greater scrutiny of organizational processes, increased regulation, exposure to significant liability, and demand from shareholders to ensure the organization is properly managed have caused the number and variety of GRC-related assessments to grow exponentially. Organizations are scrambling to complete risk and compliance audits and assessments across the business and its operations. GRC roles are limited in their resources to complete assessments and need to focus on efficiency as well as effectiveness. When an organization approaches this with a document-centric approach (e.g., spreadsheets, word processor documents), assessments fail to actively manage risk in a timely and efficient manner. Information is trapped in documents that are out of sync, have no audit trail, and require a significant amount of time to consolidate and report.

It is not just the number and variety of assessments that burden the organization – but also the diversity. Organizations are conducting regular audits and assessments across the business and its relationships, often bringing the assessors/auditors to remote areas of the business and the world.

Success in today’s dynamic business requires organizations to integrate, build, and support GRC processes that are efficient, effective and agile. This requires that organizations engage technologies that deliver on this. Mobile technology has begun to permeate the enterprise – and is now providing benefits to the world of GRC. Organizations are beginning to look towards mobility for GRC processes such as policy communication, training, attestation, issue reporting, investigations, assessments, and audits. The goal is to make GRC processes more efficient, effective, and agile to the needs of the business.

Mobile GRC for audit and assessment purposes gives the organization flexibility in deploying GRC professionals to conduct assessments. A mobile audit and assessment platform allows for low hardware costs and the ease of conducting assessments in diverse environments.

Mobile devices give assessment personnel ready and easy access to enter information, capture audio interviews, and work without having to find a desk or enter information in awkward locations. The auditor/assessor is able to walk through locations, enter information, and capture evidence without having to sit down and boot up a laptop or scribble notes on paper. Simple drop-down lists can be used for accurate, consistent and efficient information capture. Organizations can leverage the hardware capabilities of mobile devices, using integrated cameras to capture evidence of issues, non-compliant situations, or other evidence collected during assessments. Pictures supporting evidence and findings do not have to be manually processed and imported into the system, as they can be taken directly through a tablet’s camera as part of the application. When conducting interviews, a tablet is less intrusive and provides an environment of greater interaction without the interviewer being hidden behind a laptop.

CAUTION: not all mobile apps are created equal. In fact, many GRC technology providers advertise mobility when what they mean is that their app may work in a mobile web browser. This may not be the right fit for the organization. The interface itself might be difficult to operate in a mobile browser – and it also requires online access. A true native app allows for greater design and control over the interface, the ability to integrate with hardware such as cameras and microphones to capture evidence and findings, and, if designed correctly, offline access. Many audits and assessments are conducted in locations where wireless and cellular access cannot be guaranteed – a true native mobile app is most often the best fit for an organization.

The growing demand for GRC assessments and audits requires that organizations be agile in how they are conducted. The use of mobile audit and assessment platforms is a particular way to achieve greater levels of assessment agility, effectiveness, and efficiency.

This blog post was sponsored by CMO Compliance. For more information on how CMO Compliance helps organizations address mobile audits and assessments, click on the link below:

Mitigating Risk in the Era of the Corporate Bounty Hunter

Business is global, distributed and dynamic. Organizations of all sizes and industries have global client, partner, vendor and supply-chain relationships. Adding to this complexity is the dynamic nature of business — it is ever changing, with a revolving door of employees, partners, technology, processes, and strategies in an environment where risk, economics and regulations are in a constant state of change. The complexity of today’s global, distributed and dynamic business makes regulatory compliance a challenge.
How does an organization validate that it is current with legal, regulatory and other obligations in the face of an ever-changing business environment?

The era of the corporate bounty hunter

Government is increasingly turning to insiders (e.g., employees), incentivizing them to report wrongdoing and noncompliance. In the U.S., the SEC and DOJ have extended their compliance monitoring into a firm’s activities by enlisting the eyes, ears, and voice of the organization’s employees. The framework for this is established in the Dodd-Frank Act whistleblower provisions, which entice employees to report violations such as bribery, corruption, fraud, insider trading, and more to the government. Corporate whistleblowers who provide information that leads to a successful SEC enforcement receive 10 to 30 percent of the monetary sanctions over $1 million. In an era of increased scrutiny and judgments for non-compliance, this is a significant concern that keeps executives, the board, legal, and compliance professionals up at night.

The organization cannot afford ad hoc approaches to compliance. In the era of the corporate bounty hunter, established processes must be in place to prevent non-compliance from happening. And when it does happen, the ability to demonstrate established compliance and monitoring processes can significantly reduce the penalties imposed upon the organization. The best defense in the era of the corporate bounty hunter is an active offense. Organizations must be prepared to show they have a strong compliance program in place to mitigate or avoid compliance issues.

In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures. Preventive measures must work alongside detective measures to monitor compliance, and the organization must respond quickly and efficiently.

To mitigate risk in the era of the corporate bounty hunter, organizations need to:

  • Strengthen ethical and compliance culture: This starts with increasing employee comfort to speak up and report issues and incidents. It is better to have an employee report internally than have them go to the government, bypassing the organization. HOWEVER, be prepared to respond – officials will throw the book at an organization if evidence is brought forward that an employee did report internally and the organization did nothing about it. Enabling a strong ethical and compliance culture requires that the organization has mechanisms in place for employees to report issues, and that those reports are recorded and responded to.
  • Understand risk: An organization needs to understand the risk and exposure to non-compliance. This includes periodic assessment (e.g., annual) of exposure to unethical and non-compliant conduct. The risk-assessment process should also be dynamic — conducted when there is significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies and new markets).
  • Know who it does business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships. Due-diligence efforts in establishing relationships must make sure the organization contracts with ethical entities. If there is a high degree of risk in a relationship, preventive and detective controls must be established. This means knowing your vendors, partners, suppliers and even your own employees to understand if they are susceptible to corruption and unethical conduct. Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of non-compliance.
  • Establish and communicate policies and procedures: Organizations must have documented and up-to-date policies and procedures that address compliance. The code of conduct must filter down to address regulatory requirements and obligations. Requirements and processes must be clearly documented and adhered to.
  • Effective training: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement compliance-training programs to educate employees and business partners. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
  • Manage business change: The organization must monitor the business environment for changes that introduce risk of non-compliance. The organization must document changes to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that change in business, regulations, and the risk environment be monitored by compliance processes to actively address risk of exposures resulting from change.

Compliance must be an active part of culture and processes to prevent and detect issues before they are reported to government. Compliance processes must be monitored, maintained and nurtured. The challenge is establishing compliance activities that move the organization from an ad hoc reactive mode to one that actively manages, monitors, detects and prevents corruption risk. This requires the organization to implement technology to manage compliance.

This newsletter was sponsored by DoubleCheck Software. For more information on how DoubleCheck helps organizations address compliance risk in the era of the corporate bounty hunter, click on the link below:

GRC Maturity: Measuring a New Paradigm for Risk and Compliance

Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC through common processes, information and technology gets to the root of the problem.

With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem, organizations need to define a common process, information and technology architecture to manage GRC across the range of issues.

To address these issues, leading organizations have adopted a common framework, information architecture and shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment.

The questions organizations must ask:
  • Does the business have the information to make risk-based decisions about the future of the company, when they don’t have a clear view of the risk landscape?
  • Does the business know its risk exposure at the enterprise, business process and control levels, and how they interrelate?
  • How does the business know it is taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
  • Can the business accurately gauge the impact of risk-taking on business strategy?
  • Does the business get the information it needs so it can take timely action on risk exposure to avoid or mitigate negative events?
  • Does the business monitor key risk indicators across systems, relationships and processes?
  • Is the business optimally measuring and modeling risk?
  • Is the business meeting its regulatory and other obligations?
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition, communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and incidents to business strategy, objectives and corporate performance.

Mature GRC delivers better business outcomes because of stronger integrated information, which will:
  • Lower costs, reduce redundancy and improve efficiencies by rationalizing the information architecture.
  • Deliver consistent and accurate information about the state of risk and compliance initiatives, to assess exposure.
  • Improve decision-making and business performance through increased insight and business intelligence.

Architect integrated GRC systems and processes

A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer is risk and compliance about an annual audit; it now involves continuous monitoring in an ever-changing environment. GRC has to be sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic influence on the variety of business stakeholder roles and their common requirements.

Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.

Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” Effective and mature GRC delivers:
  • Holistic awareness of risk: There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise GRC framework.
  • Establishment of culture and policy: Policy must be communicated across the business to establish a risk and compliance culture. Policies are kept current, and reviewed and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives.
  • Risk-intelligent decision-making: This means the business has what it needs to make risk-intelligent business decisions. GRC strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of GRC: Accountability and risk ownership are established features of GRC. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
  • Multidimensional GRC analysis and planning: The organization needs a range of GRC analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — must be working and monitored for progress.
  • Visibility of risk as it relates to performance and strategy: The enterprise views and categorizes risk in the context of corporate objectives, performance and strategy. Key risk indicators (KRIs) are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to standards of information quality, integrity, relevance and timeliness.

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

To understand what GRC is all about, please see these OCEG videos:

This posting is from my most recent paper – GRC Maturity: From Disorganized to Integrated Risk and Performance.

Inevitability of Failure: Managing GRC in Silos

Success in today’s dynamic business environment requires the organization to integrate, build, and support business process with an enterprise view of governance, risk management, and compliance (GRC).  Without an integrated view of risk and compliance, the scattered and non-integrated approaches of the past fail and introduce expose the business to interrelationships of risk and compliance that were not understood.  A mature GRC program is one in which the organization has an integrated process, information, and technology architecture providing visibility across risk and compliance domains. An integrated approach that allows business managers and executives to leverage GRC data for risk-aware decision making and resource allocation.
 
Multifaceted risk environment
Risk to the business is like the hydra in mythology – organizations combat risks to only find more risks springing to threaten them.  So often risk and compliance strategies are like the ‘whack-a-mole’ game at the county fair.  Executives are constantly reacting to risks appearing about them and fail to become proactive in managing and understanding the interrelationships of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants, staffing) their risk profile grows exponentially.  Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes, internal controls) and externally (e.g., competitive, economic, political, legal, and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area of the organization can have a profound impact on other risks.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. In order to manage corporate performance the organization needs to understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden business. Organizations face expanding regulations, increased fines & sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to the inevitability of failure. Reactive, document-centric, and manual processes for GRC fail to proactively manage risk in the context of business strategy and performance and leave the organization blind to the intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure.  The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs.  An ad hoc approach to GRC results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility of being intelligent about risk or understanding its impact on the organization.
A non-integrated approach to GRC impacts business performance and how it is managed and executed, resulting in . . .
  • Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility.  The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements.  This results in multiple initiatives to build independent GRC systems – projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture of risk.  The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats.  The result is poor visibility across the organization and its GRC environment.
  • Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty, and confusion to the business.  Complexity increases inherent risk and results in processes that are not streamlined and managed consistently – introducing more points of failure, gaps, and unacceptable risk. Inconsistency in GRC not only confuses the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A GRC strategy that is reactive and managed in siloed and manual processes with hundreds to thousands of disconnected documents and spreadsheets handicaps the business.  The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies, and siloed processes that are not at the “enterprise” level and lack analytical capabilities. Business becomes bewildered in a maze of varying approaches, processes, and disconnected data that fail to be addressed with any sense of consistency or logic.
  • Greater exposure and vulnerability. No one sees the big picture.  No one is looking at GRC holistically across the enterprise.  The focus is on what is immediately before each department, not on the complex relationships and dependencies of risk across the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing spreadsheets, but do not deliver on analytics nor align with business applications. All of this ends up in gaps that cripple GRC and a business that is ill-equipped to align GRC to the business.
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in context of the business. Corporate Integrity finds that organizations that lack a collaborative, integrated, and enterprise approach to GRC have:
  • Inability to gain a clear view of risks and their dependencies
  • High cost of consolidating disparate data silos and documents
  • Difficulty maintaining accurate data
  • Failure to report and trend GRC across assessment/reporting periods
  • Unreliable or irreconcilable risk assessment results because of different formats and approaches
  • Redundancy of risk management and compliance efforts
  • Failure to provide intelligence to support decision-making that crosses risk and compliance areas
  • Inconsistency in approaches to risk/compliance activities
  • Different vocabulary and processes that limit correlation, comparison and integration of information
  • Lack of agility to respond timely to changing environments and situations

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

2012 GRC Technology Innovation Awards

GRC technology innovation is alive and well!

As I mentioned in last week’s posting, the GRC market is now 10 years old. It was in February 2002 that I first modeled a market for technology and professional services and labeled it GRC while I was at Forrester Research (at the time GiGa Information Group). It is exciting to see GRC technology continue to evolve to make GRC processes agile, efficient, and effective!

GRC technology has continued to expand and grow. Corporate Integrity’s inaugural GRC Technology Innovation awards illustrate the diversity of technologies that are expanding GRC into new areas where no technology has gone before.

Over the past few months, Corporate Integrity has received dozens of nominations for the awards. Most nominations are worthy of mention — they illustrate how technology is being used and advanced. However, most of the submissions were focused on why a vendor has a stronger feature set and not necessarily on how it is paving new ground for GRC technology.

After combing through dozens of nominations, Corporate Integrity is pleased to announce the following 10 GRC Technology Award recipients. Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and unique solutions delivering innovative technology to organizations.

The 2012 GRC Technology Award recipients are:

  • AlertEnterprise: Enterprise Identity and Access Management Security Convergence Solution. The AlertEnterprise Enterprise Identity and Access Management Security Convergence Solution (EIAM Solution) delivers a next-generation identity and access management (IAM) solution. The solution enhances traditional IAM fulfillment capabilities with built-in identity and access governance. It enables self-service capabilities to automate access requests, enforce policies, ensure compliance, enable delegated administration, and generate roles-based dashboards and reports. AlertEnterprise combines the best of IAM with compliance automation to reduce security risks and eliminate costly violations in both physical and logical access environments.
  • Catelas: People Governance Solution. Catelas is the world’s first solution that focuses exclusively on GRC challenges with a company’s employees and partners, and their collective communications (email, voice, IM, etc.), a.k.a., people governance. The volume of communications has made it challenging for compliance officers to holistically audit or monitor for potential infractions (e.g., insider trading, fraud, corruption, IP theft). Catelas has introduced an innovative approach that enables companies to review, audit and monitor corporate communications. This allows compliance officers to effectively review or monitor the company’s communications network and identify potential irregularities, based on relationships.
  • CMO Compliance: Mobile Audit, Risk and Compliance Software. CMO Compliance provides a suite of offline mobile solutions, including iPad/iPhone/iPod Touch apps, to support audit and compliance processes. The mobile compliance and audit software allows corporations to improve operational efficiencies for GRC. The iPad/iPhone apps allow field data collection, with intuitive interfaces that simplify and streamline compliance management, audits, inspections, assessments and reviews for field personnel, providing the ability to view and submit documents offline, manage actions, and capture and annotate photos for evidence and findings.
  • HiSoftware: Security Sheriff™ SP. HiSoftware Security Sheriff SP makes SharePoint safe for even the most sensitive enterprise data: from personally identifiable information (PII) to protected health information (PHI) to prerelease financials, strategic product information, HR data and more. Security Sheriff SP focuses on content awareness and content governance, so it determines access not by location but by what information it contains. It then applies governance rules to that information depending on who accesses it when and from where. Security Sheriff SP scans information, reports its status to management, classifies the information and then acts upon it, taking the actions necessary to keep it safe.
  • LockPath: Keylight GRC platform. LockPath has implemented the next-generation GRC content architecture that provides a less cumbersome way to achieve the true promise of enterprisewide GRC. The Keylight platform provides real-time, regulatory and risk intelligence with actionable context-aware integration of content. Based on a flexible architecture, Keylight is highly scalable, and provides unprecedented correlation capabilities, delivering integrated risk and regulatory intelligence through a streamlined user experience. LockPath has the broadest content integration capabilities and provides the first complete end-to-end integration and harmonization of the unified compliance framework and shared assessments content libraries with customer-created content.
  • Pneuron: Real-time distributed GRC analytics. Pneuron provides the unique ability to configure and deploy in real time, for any GRC function, component, product, rule, model or analytics from any source (third-party, proprietary or developed) to any system or set of systems without the need for an intermediary database, data mart or common data model. Pneuron enables the creation of new GRC capabilities and direct interaction with existing systems with minimal adjustments. The result — real-time globally deployed analysis, interdiction, workflow integration and enterprise intelligence.
  • QCC Information Security: Blackthorn GRC. Blackthorn GRC enables risk to be presented in a clearer, repeatable and graphical way. Risk is understood and analyzed within Blackthorn through the use of “trees.” In Blackthorn, the approach is to use drag-drop functionality to build risk models using objects (threats, threat agents, exploits and vulnerabilities, impacts, controls, etc.). The models are built underneath each critical business asset. Because risk models are built around assets and represented in trees, it has the ability to aggregate risk totals up the tree, with total risk for the organization viewable from any level. Blackthorn represents risk models so they are fed with data from a range of activities, both proactive (assessments, audits, reviews, etc.) and reactive (incidents, cases, breaches, etc.). This makes the risk results both real-time and more reliable.
  • QUMAS: ComplianceSP. QUMAS ComplianceSP on SharePoint 2010 is an innovative compliance management solution, combining the power of SharePoint 2010 with the proven regulatory domain expertise of QUMAS. Combined with preconfigured solutions for managing documents, processes, people and tasks, ComplianceSP on SharePoint 2010 delivers an innovative solution that can manage a wide range of compliance activities on the latest technologies. QUMAS ComplianceSP is fully Web-based, ensuring anytime/anywhere access to critical compliance activities, all secured by role and permission-based access. It integrates seamlessly and leverages the wider Microsoft environment, including Office, Outlook and Silverlight and other elements of the Microsoft technology stack.
  • SAP: Mobile GRC solutions. SAP is empowering the mobile GRC workforce by delivering more consumable GRC information and processes. This enables users to manage risk and compliance via mobile devices. The SAP GRC Access Approver mobile application facilitates review, time-sensitive approvals and operation-critical access requests for managers, allowing authorized employees to gain access to systems and continue their work in a timely manner. With the SAP GRC Policy Survey mobile application, employees can keep track of the latest policy changes that impact their areas of the organization and complete policy-related surveys and attestations.
  • SAP: Risk Bow-Tie Builder. The SAP risk bow-tie builder allows users to visualize and maintain risks in the recognized “bow-tie” format using simple drag-and-drop capabilities. The scope of each risk as well as the causes and effects can be created, maintained and visualized. The visual representation of risk allows managers and executives throughout the typical enterprise to easily understand risk concepts. It is an effective tool to convey the importance of risk management across the organization to those that lack risk management expertise. It delivers the ability for risk managers to engage and have valuable conversations with managers and executives regarding risk. The risk bow-tie builder is revolutionary as it provides an easy-to-understand summary risk visualization with all the supporting details that management can understand and take action on.
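The asset-rooted risk tree described under Blackthorn GRC above is the one technique in this list that can be shown in code, and the useful property is the aggregation rather than the drawing. The following Python is an illustration added for this page, not QCC’s code and not how Blackthorn is implemented: assets are the roots, threat nodes hang beneath them with an assessed likelihood, impact and a set of controls, a proactive assessment re-rates one control, a reactive incident record raises a threat’s likelihood, and the total at any node is the sum of everything beneath it. The organization, asset and threat names, the figures, and the incident heuristic (each recorded incident lifts the observed likelihood by 0.5) are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of likelihood removed, 0..1, from the last assessment


@dataclass
class RiskNode:
    """One node of an asset-rooted risk tree: an organization, an asset, or a threat."""
    name: str
    likelihood: float = 0.0      # assessed annual likelihood of the threat materialising
    impact: float = 0.0          # loss if it does (same unit everywhere, e.g. USD)
    controls: List[Control] = field(default_factory=list)
    children: List["RiskNode"] = field(default_factory=list)
    incidents: int = 0           # reactive feed: incidents recorded in the period

    def add(self, child: "RiskNode") -> "RiskNode":
        self.children.append(child)
        return child

    def find(self, name: str) -> Optional["RiskNode"]:
        """Depth-first lookup by name so a risk can be viewed from any level."""
        if self.name == name:
            return self
        for ch in self.children:
            hit = ch.find(name)
            if hit:
                return hit
        return None

    def inherent_likelihood(self) -> float:
        # Constructed heuristic: each recorded incident pushes the observed
        # likelihood up by 0.5, and observed evidence outranks the assessment.
        return max(self.likelihood, min(1.0, 0.5 * self.incidents))

    def residual_likelihood(self) -> float:
        # Controls are applied multiplicatively; a control assessed as
        # ineffective (effectiveness 0.0) removes nothing.
        l = self.inherent_likelihood()
        for c in self.controls:
            l *= 1.0 - c.effectiveness
        return l

    def own_risk(self) -> float:
        return self.residual_likelihood() * self.impact

    def total_risk(self) -> float:
        """Aggregate: this node's own exposure plus everything beneath it."""
        return self.own_risk() + sum(ch.total_risk() for ch in self.children)

    def record_incident(self) -> None:
        """Reactive feed: an incident, case or breach logged against this threat."""
        self.incidents += 1

    def assess_control(self, control_name: str, effectiveness: float) -> None:
        """Proactive feed: an assessment or audit re-rates one control."""
        for c in self.controls:
            if c.name == control_name:
                c.effectiveness = effectiveness
                return
        raise KeyError(control_name)


def rollup(node: RiskNode) -> Dict[str, float]:
    """Total risk at every node, keyed by name, for reporting at any level."""
    out = {node.name: node.total_risk()}
    for ch in node.children:
        out.update(rollup(ch))
    return out


def build_sample_tree() -> RiskNode:
    """Constructed sample data: two assets, three threats, assessed controls."""
    org = RiskNode("Acme Corp")
    db = org.add(RiskNode("Customer DB"))
    db.add(RiskNode("SQL injection", likelihood=0.4, impact=500_000,
                    controls=[Control("WAF", 0.5), Control("Parameterised queries", 0.8)]))
    db.add(RiskNode("Insider data export", likelihood=0.2, impact=300_000,
                    controls=[Control("DLP", 0.5)]))
    payroll = org.add(RiskNode("Payroll system"))
    payroll.add(RiskNode("Ransomware", likelihood=0.3, impact=200_000,
                         controls=[Control("Offline backups", 0.7)]))
    return org


if __name__ == "__main__":
    tree = build_sample_tree()
    for name, total in rollup(tree).items():
        print(f"{name:22s} {total:>10,.0f}")
    tree.find("SQL injection").assess_control("WAF", 0.0)   # audit: WAF misconfigured
    tree.find("Insider data export").record_incident()      # incident case opened
    print("after feeds:", f"{tree.total_risk():,.0f}")
```

With the sample data the organization total is 68,000 before either feed. An audit that rates the WAF as ineffective raises the SQL injection node from 20,000 to 40,000 and the organization to 88,000; one insider incident then lifts that threat from 30,000 to 75,000 and the organization to 133,000. The point of the structure is that the same two events are visible from the threat, the asset, and the organization without any re-assessment cycle in between.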

Please share your comments, thoughts, experiences, and reflections on GRC technology innovation.  Go ahead – comment below on others that are doing great things (just avoid the better mouse trap argument – post what is truly innovative and breaking new ground).  Let the recognition of those above be the start of a great thread of conversation on other GRC technology innovations.  I am eager to hear . . .

 

State of the GRC Market, Q1-2012

2012: The Chinese Year of the Dragon to Mayan Doomsday prophesies – this year certainly proves to be interesting (note: I myself do not hold to these views; feel free if it interests you to ask me my view on providence and the end of the world).

One thing is for sure: it is the year of GRC.  I have never personally been involved in so many GRC strategic plans, training, and RFPs.  There certainly is more activity in the GRC market right now than at any other point in its ten year history.

Which brings us to an important point – HAPPY 10TH BIRTHDAY GRC!

Yes, the GRC market is now ten years old.  It was back in 2002 as an analyst at GiGa Information Group (soon to be acquired at the time by Forrester Research, Inc.) that I was the first to model a market for professional services, software, and content and label it GRC (Governance, Risk Management, and Compliance).  This was right before Sarbanes Oxley (SOX) became law.  That was providence:  all that hard work in defining and scoping a market which may have fizzled and dwindled if it was not for a major law from the U.S. Congress.  While my original vision of the GRC market was well beyond what was defined with SOX it is fair to say that SOX established and advanced the GRC market for several years, and continues to do so today.  Today GRC strategies and spending encompass the breadth of enterprise and operational risk management, corporate compliance, audit, IT security, financial controls, corporate social responsibility, legal and other areas across the business.

There are over 400 vendors that I categorize into the GRC market.  The market has evolved to embrace many niches.  The analyst firms today do a disservice to the GRC market with a report that plots a handful of vendors against each other.  The GRC market today is more akin to the breadth of the IT security market.  Within the IT security market you have sub-markets for anti-virus, perimeter security, vulnerability scanners, intrusion detection/prevention systems . . . and more.  The GRC market is at the point where it cannot fit into one graphic that plots vendors against each other.  It is a whole market with several sub-markets – while some vendors offer solutions that embrace many components of it, there is no vendor that covers all of the GRC market.

The needs of the GRC market are varied by industry, role, as well as size of the organization.  Some are looking for solutions strong in elements of compliance while others in risk or audit.  Many GRC strategies start in what is referred to as IT GRC (I prefer IT Risk and Compliance) and expand to other areas. There are many perspectives and starting points.

The market has matured to the point that industry heavyweights such as IBM, Oracle, SAP, and SAS are providing stability, solutions, and thought leadership. This is supported by a legion of small to mid-sized vendors solving GRC problems from the narrow and focused to the enterprise GRC strategy.  In the first month of 2012 we have already seen the beginning of what will be several mergers & acquisitions in the GRC market – the acquisition of Compliance 360 by SAI Global.  This acquisition provides one of the most complete GRC offerings targeted at corporate compliance and ethics professionals.

GRC technology itself is evolving and changing.  After going through dozens of nominations I have now selected 10 vendors to receive Corporate Integrity’s 2012 GRC Technology Innovation Awards.  These will be announced next week.

A particularly important GRC development is the release of the OCEG GRC Capability Model version 2.1.  This is a significant achievement as it evolves the GRC Capability Model to take a broader understanding of risk and performance with several other enhancements.  For those that are looking for an integrated capability and process framework for GRC the OCEG model is the ONLY publicly vetted and open standard for GRC.  There are many excellent standards focused on niches of risk, compliance, and audit – but the OCEG GRC Capability Model is the only one that provides the integration and harmonization of these other frameworks and standards.  The OCEG GRC Capability Model is the GRC Rosetta Stone for organizations.

Tied to the GRC Capability Model is the release of the OCEG GRC Technology Solutions Guide 2.1.  As the chair of the OCEG Technology Council it is rewarding to see this work moved forward as a framework to define and model GRC technology areas. It incorporates my thoughts with those of several other GRC pundits and thought leaders on the Technology Council.  The OCEG GRC Technology Solution categories, listed below, are how I define, frame, model, and size the market (note: the only change I would make is the addition of a 29th category for identity and access management).  The categories of the OCEG Guide and the framework are:

  • Audit and Assurance Management
  • Board and Entity Management
  • Brand and Reputation Management
  • Business Continuity Management
  • Compliance Management
  • Contract Management
  • Control Activity, Monitoring, and Assurance
  • Corporate Social Responsibility
  • Discovery/eDiscovery Management
  • Environmental Monitoring and Reporting
  • Environmental, Health, and Safety
  • Finance/Treasury Risk Management
  • Fraud & Corruption Detection, Prevention & Management
  • Global Trade Compliance/International Dealings
  • Hotline/Helpline
  • Information/IT Risk & Security
  • Insurance and Claims Management
  • Intellectual Property Management
  • Issue and Investigations Management
  • Matter Management
  • Physical Security & Loss Management
  • Policy Management, Communication, & Training
  • Privacy Management
  • Quality Management and Monitoring
  • Reporting and Disclosure
  • Risk Management (Enterprise & Operational)
  • Strategy, Performance, and Business Intelligence
  • Third Party/Vendor Risk & Compliance

OCEG will be rolling out the GRC Directory in a few months to index GRC solutions around this model for those looking for solutions.

A few further items of note:

  • For more detail on the State of the GRC Market, Q1-2012 I will be hosting my quarterly online market training seminar on February 15, 2012.
  • The first OCEG Technology Council call will be on February 16, 2012 for those that are members of the OCEG Technology Council.
  • Within OCEG I will also be chairing a new Council – the OCEG Policy Management Council aimed to develop a defined policy lifecycle management process with supporting sample templates, policies, and style guide.   This also is for OCEG Enterprise, Technology Council, and Leadership members.

I would love to hear your thoughts, interpretations, and experiences with the GRC software market.  Please comment below!

Process Framework for Managing Compliance Risk

Organizational exposure to compliance risk is rising at the same time that the cost of compliance soars. An ad hoc or reactive approach to compliance brings complexity, forcing the business to be less agile. Organizations in the past have addressed compliance as singular issues or obligations, which often resulted in multiple initiatives working in isolation. Isolated compliance initiatives tend to rely on manual processes burdened with costly assessments managed through spreadsheets, documents, and email, which is slow and unreliable. This makes it difficult to adapt to new regulatory requirements while increasing pressure and anxiety for management, employees, and business relationships.

Without a business process view to manage compliance risk, organizations will continue to be burdened with the data overload and complexity of compliance data. Organizations need complete visibility into a portfolio of compliance processes spread across a distributed and complex business.  Organizations need information and not just data.

Success in compliance risk management begins with a strategy — how to effectively manage compliance across the organization. Ultimately, the organization needs to identify and prioritize major risks resulting from regulatory mandates, and maintain oversight and control over business processes to mitigate these risks. With a compliance business process architecture, accountability and compliance are effectively managed and the business has a system of record to understand and manage the diverse complexity of compliance issues. Compliance needs to be an active and living part of the organization and culture to prevent and detect issues across the business. It is a continuous and ongoing process to be monitored, maintained, and nurtured. This challenge is taking on a new paradigm that focuses on establishing compliance processes that move from a reactive fire-fighting mode to one that actively manages, monitors, mitigates, prevents, and detects compliance-related risks.

Using the OCEG GRC Capability Model as a basis and integrating compliance risk management requirements from experience as well as guidance from the USSC Organizational Sentencing Guidelines, the U.K. Bribery Act, and Australia’s AS 3806:2006, there are common core processes that compliance can establish to manage compliance risk. A business process framework to manage compliance risk in the 21st century enables an organization to manage and monitor compliance risk through:

  • Compliance program management: This is the core process that everything else revolves around. It integrates all the other functions to provide a single cohesive program for managing and scheduling compliance reporting, assessments, controls, investigations, policies, regulatory change, and specific projects and tasks. An effective program delivers a 360-degree view of compliance risk management activities.
  • Compliance risk identification and assessment: Risk assessments are foundational to compliance initiatives. In addition to a periodic risk assessment, the organization must have regular compliance risk assessment and monitoring activities to ensure policies and controls that maintain integrity are in place and working. The compliance risk identification and assessment process drives every aspect of a successful program as it identifies and models compliance risk that all the other processes build upon.
  • Regulatory and risk intelligence: To keep current on compliance risk requires that the organization have a process to continuously monitor changes to the regulatory and risk environments impacting the business, and to monitor the business for change. This involves identifying subject matter experts for each compliance risk area that are accountable for monitoring internal changes and external change from regulators, courts, legislatures, and other sources to identify new and developing compliance risks that will impact the business.
  • Policy definition, communication, and maintenance: Organizations must have documented and up-to-date policies and procedures that both address the compliance and ethical risks and are in accordance with the culture, values, and obligations of the organization. Compliance requirements and processes must be clearly documented within policies and procedures. The policy definition, communication, and maintenance process provides proof that the program is sound and controls are adequate.
  • Compliance risk reporting and accountability: Compliance is a distributed and federated function in most enterprises. While the board has ultimate accountability, responsibility for compliance risk management falls to the chief ethics and compliance officer (CECO), and is delegated across a variety of business processes and functions. To effectively provide assurance to the board and executives, an effective GRC approach requires that a process of compliance risk governance, accountability, and reporting be in place. This requires collaboration with other roles such as internal audit, and establishes lines of communication throughout the business.
  • Due diligence efforts: An established process to document due diligence efforts shows that employees and business partners are properly screened, and assures the business that it is not engaging with individuals or organizations that have a bent toward unethical behavior. It also assures the organization that individuals have the right background, resources, and experience to do the job they are engaged for.
  • Training and communication: Written policies are not enough — individuals need to know what is expected of them day-to-day and their business operations. Organizations are increasingly using online training in addition to discussion-led training to raise compliance and ethics awareness. There is also a trend toward using interactive technologies and learning simulations. The training and communication process is key to communicating the corporate culture, obligations, and expectations across the organization and to business partners.
  • Ongoing compliance assessment: The organization needs ongoing assessment of compliance policies and controls. This involves surveys, self-assessments, and automated assessments for regular compliance risk and control monitoring. Successful organizations conduct assessments not just on a periodic basis but whenever significant business change might impact compliance.
  • Enforcement of the control environment: While policies and procedures may define how the organization behaves, enforcement ultimately depends on controls. The organization should implement preventive and detective controls that support compliance obligations and policies. The organization needs to ensure these controls are in place and operating as designed. When there are issues, the organization must address these with corrective controls.
  • Record and report issues: Clearly defined processes must be in place for individuals to report concerns, weaknesses, and wrongdoing. Reporting is often done anonymously via call centers or web-based reporting lines. Clearly defined processes must also be communicated and maintained for management to document reports made directly to them, so that one database can be maintained and audited.
  • Conduct investigations: Even in the best organization things go wrong. Investigative processes (e.g., hotline analysis, surveys, management reports, exit interviews) must be in place to quickly identify potential incidents of wrongdoing and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.
  • Implement communication and reporting processes: The organization must have channels of communication where employees can ask questions on policies and procedures to avoid misunderstanding as well as issues of noncompliance. Possible systems include help lines, interactive intranets with FAQs and ‘ask a question’, and forms processing where approvals are requested.
  • Third-party relationships: Central to an integrity and compliance program is the ability to identify and manage the risk of third-parties. Technology enables the ongoing due diligence effort to monitor and score vendor and third-party risk, communicate a supplier code of conduct and other policies to vendors and track attestations, and deliver surveys and assessments.

Throughout all of these processes, compliance risk management needs to have a clearly defined lessons-learned process to make sure the organization is not a repeat offender. Organizations with a history of noncompliant conduct will find that they are not treated favorably by courts and regulators.

What are your experience and thoughts on the breadth of processes needed to build a strong compliance risk management program?