Mitigating Risk in the Era of the Corporate Bounty Hunter

Business is global, distributed and dynamic. Organizations of all sizes and industries have global client, partner, vendor and supply-chain relationships. Adding to this complexity is the dynamic nature of business — it is ever changing, with a revolving door of employees, partners, technology, processes, and strategies in an environment where risk, economics and regulations are in a constant state of change. The complexity of today’s global, distributed and dynamic business makes regulatory compliance a challenge.
How does an organization validate that it is current with legal, regulatory and other obligations in the face of an ever-changing business environment?

The era of the corporate bounty hunter

Government is increasingly turning to insiders (e.g., employees), incenting them to report wrongdoing and noncompliance. In the U.S., the SEC and DOJ have extended their compliance monitoring into a firm’s activities by enlisting the eyes, ears, and voice of the organization’s employees. The framework for this is established in the Dodd-Frank Act whistleblower provisions, which entice employees to report violations, such as bribery, corruption, fraud, insider trading, and more to the government. Corporate whistleblowers that provide information which leads to a successful SEC enforcement receive 10 to 30 percent of the monetary sanctions over $1 million. In an era of increased scrutiny and judgments for non-compliance, this is a significant concern that keeps executives, the board, legal, and compliance professionals up at night.
 
The organization cannot afford ad hoc approaches to compliance. In the era of the corporate bounty hunter, established processes must be in place to prevent non-compliance from happening. And when it does happen, the ability to demonstrate established compliance and monitoring processes can significantly reduce the penalties imposed upon the organization. The best defense to the era of compliance with the corporate bounty hunter is an active offense. Organizations must be prepared to show they have a strong compliance program in place to mitigate or avoid compliance issues.
 
In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures. Preventive measures must work alongside detective measures to monitor compliance, and the organization must respond quickly and efficiently.

To mitigate risk in the era of the corporate bounty hunter, organizations need to:

  • Strengthen ethical and compliance culture: This starts with making employees comfortable speaking up and reporting issues and incidents. It is better to have an employee report internally than go to the government, bypassing the organization. HOWEVER, be prepared to respond – officials will throw the book at an organization if evidence is brought forward that an employee did report internally and the organization did nothing about it. A strong ethical and compliance culture requires that the organization have mechanisms in place for employees to report issues, and that those reports are recorded and responded to.
  • Understand risk: An organization needs to understand the risk and exposure to non-compliance. This includes periodic assessment (e.g., annual) of exposure to unethical and non-compliant conduct. The risk-assessment process should also be dynamic — conducted when there is significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies and new markets).
  • Know who it does business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships. Due-diligence efforts in establishing relationships must make sure the organization contracts with ethical entities. If there is a high degree of risk in a relationship, preventive and detective controls must be established. This means knowing your vendors, partners, suppliers and even your own employees to understand if they are susceptible to corruption and unethical conduct. Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of non-compliance.
  • Establish and communicate policies and procedures: Organizations must have documented and up-to-date policies and procedures that address compliance. The code of conduct must filter down to address regulatory requirements and obligations. Requirements and processes must be clearly documented and adhered to.
  • Effective training: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement compliance-training programs to educate employees and business partners. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
  • Manage business change: The organization must monitor the business environment for changes that introduce risk of non-compliance. The organization must document changes to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that change in business, regulations, and the risk environment be monitored by compliance processes to actively address risk of exposures resulting from change.
Compliance must be an active part of culture and processes to prevent and detect issues before they are reported to government. Compliance processes must be monitored, maintained and nurtured. The challenge is establishing compliance activities that move the organization from an ad hoc reactive mode to one that actively manages, monitors, detects and prevents corruption risk. This requires the organization to implement technology to manage compliance.

This newsletter was sponsored by DoubleCheck Software. For more information on how DoubleCheck helps organizations address compliance risk in the era of the corporate bounty hunter, click on the link below:

GRC Maturity: Measuring a New Paradigm for Risk and Compliance

Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC through common processes, information and technology gets to the root of the problem.

With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem, organizations need to define a common process, information and technology architecture to manage GRC across the range of issues.
To address these issues, leading organizations have adopted a common framework, information architecture and shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment.
The questions organizations must ask:
  • Does the business have the information to make risk-based decisions about the future of the company when it lacks a clear view of the risk landscape?
  • Does the business know its risk exposure at the enterprise, business process and control levels, and how they interrelate?
  • How does the business know it is taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
  • Can the business accurately gauge the impact of risk-taking on business strategy?
  • Does the business get the information it needs so it can take timely action on risk exposure to avoid or mitigate negative events?
  • Does the business monitor key risk indicators across systems, relationships and processes?
  • Is the business optimally measuring and modeling risk?
  • Is the business meeting its regulatory and other obligations?
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition, communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and incidents to business strategy, objectives and corporate performance.
Mature GRC delivers better business outcomes because of stronger integrated information, which will:
  • Lower costs, reduce redundancy and improve efficiencies by rationalizing the information architecture.
  • Deliver consistent and accurate information about the state of risk and compliance initiatives, to assess exposure.
  • Improve decision-making and business performance through increased insight and business intelligence.
Architect integrated GRC systems and processes 
A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. Risk and compliance are no longer about an annual audit; they now involve continuous monitoring in an ever-changing environment. GRC has to be sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic influence on the variety of business stakeholder roles and their common requirements.
Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.
Mature GRC enables the organization to understand performance in the context of risk and compliance. It achieves the definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”  Effective and mature GRC delivers:
  • Holistic awareness of risk: There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise GRC framework.
  • Establishment of culture and policy: Policy must be communicated across the business to establish a risk and compliance culture. Policies are kept current, and reviewed and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives.
  • Risk-intelligent decision-making: This means the business has what it needs to make risk-intelligent business decisions. GRC strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of GRC: Accountability and risk ownership are established features of GRC. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
  • Multidimensional GRC analysis and planning: The organization needs a range of GRC analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — must be working and monitored for progress.
  • Visibility of risk as it relates to performance and strategy: The enterprise views and categorizes risk in the context of corporate objectives, performance and strategy. Key risk indicators (KRIs) are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to standards of information quality, integrity, relevance and timeliness.

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

To understand what GRC is all about, please see these OCEG videos:

This posting is from my most recent paper – GRC Maturity: From Disorganized to Integrated Risk and Performance.

Inevitability of Failure: Managing GRC in Silos

Success in today’s dynamic business environment requires the organization to integrate, build, and support business process with an enterprise view of governance, risk management, and compliance (GRC). Without an integrated view of risk and compliance, the scattered and non-integrated approaches of the past fail and expose the business to interrelationships of risk and compliance that were not understood. A mature GRC program is one in which the organization has an integrated process, information, and technology architecture providing visibility across risk and compliance domains. An integrated approach allows business managers and executives to leverage GRC data for risk-aware decision making and resource allocation.
 
Multifaceted risk environment
Risk to the business is like the hydra in mythology – organizations combat risks only to find more risks springing up to threaten them. So often risk and compliance strategies are like the ‘whack-a-mole’ game at the county fair. Executives are constantly reacting to risks appearing around them and fail to become proactive in managing and understanding the interrelationships of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants, staffing), their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes, internal controls) and externally (e.g., competitive, economic, political, legal, and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area of the organization can have a profound impact on other risks.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. In order to manage corporate performance, the organization needs to understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden business. Organizations face expanding regulations, increased fines & sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to the inevitability of failure. Reactive, document-centric, and manual processes for GRC fail to proactively manage risk in the context of business strategy and performance and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility of being intelligent about risk and understanding its impact on the organization.
A non-integrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
  • Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility.  The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements.  This results in multiple initiatives to build independent GRC systems – projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture of risk.  The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats.  The result is poor visibility across the organization and its GRC environment.
  • Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently – introducing more points of failure, gaps, and unacceptable risk. Inconsistency in GRC not only confuses the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A GRC strategy that is reactive and managed in siloed and manual processes with hundreds to thousands of disconnected documents and spreadsheets handicaps the business. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies, and siloed processes that are not at the “enterprise” level and lack analytical capabilities. Business becomes bewildered in a maze of varying approaches, processes, and disconnected data that are not addressed with any sense of consistency or logic.
  • Greater exposure and vulnerability. No one sees the big picture. No one is looking at GRC holistically across the enterprise. The focus is on what is immediately before each department, not on the complex relationships and dependencies of risk across the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing spreadsheets but do not deliver on analytics nor align with business applications. All of this ends up in gaps that cripple GRC and a business that is ill-equipped to align GRC to the business.
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in context of the business. Corporate Integrity finds that organizations that lack a collaborative, integrated, and enterprise approach to GRC have:
  • Inability to gain a clear view of risks and their dependencies
  • High cost of consolidating disparate data silos and documents
  • Difficulty maintaining accurate data
  • Failure to report and trend GRC across assessment/reporting periods
  • Unreliable or irreconcilable risk assessment results because of different formats and approaches
  • Redundancy of risk management and compliance efforts
  • Failure to provide intelligence to support decision-making that crosses risk and compliance areas
  • Inconsistency in approaches to risk/compliance activities
  • Different vocabulary and processes that limit correlation, comparison and integration of information
  • Lack of agility to respond timely to changing environments and situations

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

2012 GRC Technology Innovation Awards

GRC technology innovation is alive and well!

As I mentioned in last week’s posting, the GRC market is now 10 years old. It was in February 2002 that I first modeled a market for technology and professional services and labeled it GRC while I was at Forrester Research (at the time GiGa Information Group). It is exciting to see GRC technology continue to evolve to make GRC processes agile, efficient, and effective!

GRC technology has continued to expand and grow. Corporate Integrity’s inaugural GRC Technology Innovation awards illustrate the diversity of technologies that are expanding GRC into new areas where no technology has gone before.

Over the past few months, Corporate Integrity has received dozens of nominations for the awards. Most nominations are worthy of mention — they illustrate how technology is being used and advanced. However, most of the submissions were focused on why a vendor has a stronger feature set and not necessarily on how it is paving new ground for GRC technology.

After combing through dozens of nominations, Corporate Integrity is pleased to announce the following 10 GRC Technology Award recipients. Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and unique solutions delivering innovative technology to organizations.

The 2012 GRC Technology Award recipients are:

  • AlertEnterprise: Enterprise Identity and Access Management Security Convergence Solution. The AlertEnterprise Enterprise Identity and Access Management Security Convergence Solution (EIAM Solution) delivers a next-generation identity and access management (IAM) solution. The solution enhances traditional IAM fulfillment capabilities with built-in identity and access governance. It enables self-service capabilities to automate access requests, enforce policies, ensure compliance, enable delegated administration, and generate roles-based dashboards and reports. AlertEnterprise combines the best of IAM with compliance automation to reduce security risks and eliminate costly violations in both physical and logical access environments.
  • Catelas: People Governance Solution. Catelas is the world’s first solution that focuses exclusively on GRC challenges with a company’s employees and partners, and their collective communications (email, voice, IM, etc.), a.k.a., people governance. The volume of communications has made it challenging for compliance officers to holistically audit or monitor for potential infractions (e.g., insider trading, fraud, corruption, IP theft). Catelas has introduced an innovative approach that enables companies to review, audit and monitor corporate communications. This allows compliance officers to effectively review or monitor the company’s communications network and identify potential irregularities, based on relationships.
  • CMO Compliance: Mobile Audit, Risk and Compliance Software. CMO Compliance provides a suite of offline mobile solutions, including iPad/iPhone/iPod Touch apps, to support audit and compliance processes. The mobile compliance and audit software allows corporations to improve operational efficiencies for GRC. The iPad/iPhone apps allow field data collection, with intuitive interfaces that simplify and streamline compliance management, audits, inspections, assessments and reviews for field personnel, providing the ability to view and submit documents offline, manage actions, and capture and annotate photos for evidence and findings.
  • HiSoftware: Security Sheriff™ SP. HiSoftware Security Sheriff SP makes SharePoint safe for even the most sensitive enterprise data: from personally identifiable information (PII) to protected health information (PHI) to prerelease financials, strategic product information, HR data and more. Security Sheriff SP focuses on content awareness and content governance, so it determines access not by location but by what information it contains. It then applies governance rules to that information depending on who accesses it when and from where. Security Sheriff SP scans information, reports its status to management, classifies the information and then acts upon it, taking the actions necessary to keep it safe.
  • LockPath: Keylight GRC platform. LockPath has implemented the next-generation GRC content architecture that provides a less cumbersome way to achieve the true promise of enterprisewide GRC. The Keylight platform provides real-time, regulatory and risk intelligence with actionable context-aware integration of content. Based on a flexible architecture, Keylight is highly scalable, and provides unprecedented correlation capabilities, delivering integrated risk and regulatory intelligence through a streamlined user experience. LockPath has the broadest content integration capabilities and provides the first complete end-to-end integration and harmonization of the unified compliance framework and shared assessments content libraries with customer-created content.
  • Pneuron: Real-time distributed GRC analytics. Pneuron provides the unique ability to configure and deploy in real time, for any GRC function, component, product, rule, model or analytics from any source (third-party, proprietary or developed) to any system or set of systems without the need for an intermediary database, data mart or common data model. Pneuron enables the creation of new GRC capabilities and direct interaction with existing systems with minimal adjustments. The result — real-time globally deployed analysis, interdiction, workflow integration and enterprise intelligence.
  • QCC Information Security: Blackthorn GRC. Blackthorn GRC enables risk to be presented in a clearer, repeatable and graphical way. Risk is understood and analyzed within Blackthorn through the use of “trees.” In Blackthorn, the approach is to use drag-drop functionality to build risk models using objects (threats, threat agents, exploits and vulnerabilities, impacts, controls, etc.). The models are built underneath each critical business asset. Because risk models are built around assets and represented in trees, it has the ability to aggregate risk totals up the tree, with total risk for the organization viewable from any level. Blackthorn represents risk models so they are fed with data from a range of activities, both proactive (assessments, audits, reviews, etc.) and reactive (incidents, cases, breaches, etc.). This makes the risk results both real-time and more reliable.
  • QUMAS: ComplianceSP. QUMAS ComplianceSP on SharePoint 2010 is an innovative compliance management solution, combining the power of SharePoint 2010 with the proven regulatory domain expertise of QUMAS. Combined with preconfigured solutions for managing documents, processes, people and tasks, ComplianceSP on SharePoint 2010 delivers an innovative solution that can manage a wide range of compliance activities on the latest technologies. QUMAS ComplianceSP is fully Web-based, ensuring anytime/anywhere access to critical compliance activities, all secured by role and permission-based access. It integrates seamlessly and leverages the wider Microsoft environment, including Office, Outlook and Silverlight and other elements of the Microsoft technology stack.
  • SAP: Mobile GRC solutions. SAP is empowering the mobile GRC workforce by delivering more consumable GRC information and processes. This enables users to manage risk and compliance via mobile devices. The SAP GRC Access Approver mobile application facilitates review, time-sensitive approvals and operation-critical access requests for managers, allowing authorized employees to gain access to systems and continue their work in a timely manner. With the SAP GRC Policy Survey mobile application, employees can keep track of the latest policy changes that impact their areas of the organization and complete policy-related surveys and attestations.
  • SAP: Risk Bow-Tie Builder. The SAP risk bow-tie builder allows users to visualize and maintain risks in the recognized “bow-tie” format using simple drag-and-drop capabilities. The scope of each risk as well as the causes and effects can be created, maintained and visualized. The visual representation of risk allows managers and executives throughout the typical enterprise to easily understand risk concepts. It is an effective tool to convey the importance of risk management across the organization to those that lack risk management expertise. It delivers the ability for risk managers to engage and have valuable conversations with managers and executives regarding risk. The risk bow-tie builder is revolutionary as it provides an easy-to-understand summary risk visualization with all the supporting details that management can understand and take action on.

Please share your comments, thoughts, experiences, and reflections on GRC technology innovation. Go ahead – comment below on others that are doing great things (just avoid the better mousetrap argument – post what is truly innovative and breaking new ground). Let the recognition of those above be the start of a great thread of conversation on other GRC technology innovations. I am eager to hear . . .

 

State of the GRC Market, Q1-2012

2012: The Chinese Year of the Dragon to Mayan Doomsday prophesies – this year certainly proves to be interesting (note: I myself do not hold to these views; feel free if it interests you to ask me my view on providence and the end of the world).

One thing is for sure: it is the year of GRC. I have never personally been involved in so many GRC strategic plans, training, and RFPs. There certainly is more activity in the GRC market right now than at any other point in its ten-year history.

Which brings us to an important point – HAPPY 10TH BIRTHDAY GRC!

Yes, the GRC market is now ten years old. It was back in 2002 as an analyst at GiGa Information Group (soon to be acquired at the time by Forrester Research, Inc.) that I was the first to model a market for professional services, software, and content and label it GRC (Governance, Risk Management, and Compliance). This was right before Sarbanes-Oxley (SOX) became law. That was providence: all that hard work in defining and scoping a market might have fizzled and dwindled if it were not for a major law from the U.S. Congress. While my original vision of the GRC market was well beyond what was defined with SOX, it is fair to say that SOX established and advanced the GRC market for several years, and continues to do so today. Today GRC strategies and spending encompass the breadth of enterprise and operational risk management, corporate compliance, audit, IT security, financial controls, corporate social responsibility, legal and other areas across the business.

There are over 400 vendors that I categorize into the GRC market. The market has evolved to embrace many niches. The analyst firms today do a disservice to the GRC market with a report that plots a handful of vendors against each other. The GRC market today is more akin to the breadth of the IT security market. Within the IT security market you have sub-markets for anti-virus, perimeter security, vulnerability scanners, intrusion detection/prevention systems . . . and more. The GRC market is at the point where it cannot fit into one graphic that plots vendors against each other. It is a whole market with several sub-markets – while some vendors offer solutions that embrace many components of it, there is no vendor that covers all of the GRC market.

The needs of the GRC market are varied by industry, role, as well as size of the organization.  Some are looking for solutions strong in elements of compliance while others in risk or audit.  Many GRC strategies start in what is referred to as IT GRC (I prefer IT Risk and Compliance) and expand to other areas. There are many perspectives and starting points.

The market has matured to the point that industry heavyweights such as IBM, Oracle, SAP, and SAS are providing stability, solutions, and thought leadership. This is supported by a legion of small to mid-sized vendors solving GRC problems ranging from the narrow and focused to the enterprise GRC strategy. In the first month of 2012 we have already seen the beginning of what will be several mergers and acquisitions in the GRC market – the acquisition of Compliance 360 by SAI Global. This acquisition provides one of the most complete GRC offerings targeted at corporate compliance and ethics professionals.

GRC technology itself is evolving and changing.  After going through dozens of nominations I have now selected 10 vendors to receive Corporate Integrity’s 2012 GRC Technology Innovation Awards.  These will be announced next week.

A particularly important GRC development is the release of the OCEG GRC Capability Model version 2.1.  This is a significant achievement as it evolves the GRC Capability Model to take a broader understanding of risk and performance with several other enhancements.  For those that are looking for an integrated capability and process framework for GRC the OCEG model is the ONLY publicly vetted and open standard for GRC.  There are many excellent standards focused on niches of risk, compliance, and audit – but the OCEG GRC Capability Model is the only one that provides the integration and harmonization of these other frameworks and standards.  The OCEG GRC Capability Model is the GRC Rosetta Stone for organizations.

Tied to the GRC Capability Model is the release of the OCEG GRC Technology Solutions Guide 2.1.  As the chair of the OCEG Technology Council it is rewarding to see this work moved forward as a framework to define and model GRC technology areas. It incorporates my thoughts with those of several other GRC pundits and thought leaders on the Technology Council.  The OCEG GRC Technology Solution categories, listed below, are how I define, frame, model, and size the market (note: the only change I would make is the addition of a 29th category for identity and access management).  The categories of the OCEG Guide and the framework are:

  • Audit and Assurance Management
  • Board and Entity Management
  • Brand and Reputation Management
  • Business Continuity Management
  • Compliance Management
  • Contract Management
  • Control Activity, Monitoring, and Assurance
  • Corporate Social Responsibility
  • Discovery/eDiscovery Management
  • Environmental Monitoring and Reporting
  • Environmental, Health, and Safety
  • Finance/Treasury Risk Management
  • Fraud & Corruption Detection, Prevention & Management
  • Global Trade Compliance/International Dealings
  • Hotline/Helpline
  • Information/IT Risk & Security
  • Insurance and Claims Management
  • Intellectual Property Management
  • Issue and Investigations Management
  • Matter Management
  • Physical Security & Loss Management
  • Policy Management, Communication, & Training
  • Privacy Management
  • Quality Management and Monitoring
  • Reporting and Disclosure
  • Risk Management (Enterprise & Operational)
  • Strategy, Performance, and Business Intelligence
  • Third Party/Vendor Risk & Compliance

OCEG will be rolling out the GRC Directory in a few months to index GRC solutions around this model for those looking for solutions.

A few further items of note:

  • For more detail on the State of the GRC Market, Q1-2012 I will be hosting my quarterly online market training seminar on February 15, 2012.
  • The first OCEG Technology Council call will be on February 16, 2012 for those that are members of the OCEG Technology Council.
  • Within OCEG I will also be chairing a new Council – the OCEG Policy Management Council, aimed at developing a defined policy lifecycle management process with supporting sample templates, policies, and style guide. This also is for OCEG Enterprise, Technology Council, and Leadership members.

I would love to hear your thoughts, interpretations, and experiences with the GRC software market.  Please comment below!

Process Framework for Managing Compliance Risk

Organizational exposure to compliance risk is rising at the same time the cost of compliance soars. An ad hoc or reactive approach to compliance brings complexity, forcing the business to be less agile. Organizations in the past have addressed compliance as singular issues or obligations, which often resulted in multiple initiatives working in isolation. Isolated compliance initiatives tend to rely on manual processes burdened with assessments managed through spreadsheets, documents, and email, which are costly and unreliable. This makes it difficult to adapt to new regulatory requirements while increasing pressure and anxiety for management, employees, and business relationships.

Without a business process view to manage compliance risk, organizations will continue to be burdened with the data overload and complexity of compliance data. Organizations need complete visibility into a portfolio of compliance processes spread across a distributed and complex business.  Organizations need information and not just data.

Success in compliance risk management begins with a strategy — how to effectively manage compliance across the organization. Ultimately, the organization needs to identify and prioritize major risks resulting from regulatory mandates, and maintain oversight and control over business processes to mitigate these risks. In a compliance business process architecture, accountability and compliance are effectively managed and the business has a system of record to understand and manage the diverse complexity of compliance issues. Compliance needs to be an active and living part of the organization and culture to prevent and detect issues across the business. It is a continuous and ongoing process to be monitored, maintained, and nurtured. This challenge is taking on a new paradigm that focuses on establishing compliance processes that move from a reactive fire-fighting mode to one that actively manages, monitors, mitigates, prevents, and detects compliance-related risks.

Using the OCEG GRC Capability Model as a basis and integrating compliance risk management requirements from experience as well as guidance from USSC Organizational Sentencing Guidelines, U.K. Bribery Act, and Australia’s 3806:2006, there are common core processes that compliance can establish to manage compliance risk. A business process framework to manage compliance risk in the 21st century enables an organization to manage and monitor compliance risk through:

  • Compliance program management: This is the core process that everything else revolves around. It integrates all the other functions to provide a single cohesive program for managing and scheduling compliance reporting, assessments, controls, investigations, policies, regulatory change, and specific projects and tasks. An effective program delivers a 360-degree view of compliance risk management activities.
  • Compliance risk identification and assessment: Risk assessments are foundational to compliance initiatives. In addition to a periodic risk assessment, the organization must have regular compliance risk assessment and monitoring activities to ensure policies and controls that maintain integrity are in place and working. The compliance risk identification and assessment process drives every aspect of a successful program as it identifies and models compliance risk that all the other processes build upon.
  • Regulatory and risk intelligence: To keep current on compliance risk requires that the organization have a process to continuously monitor changes to the regulatory and risk environments impacting the business, and to monitor the business for change. This involves identifying subject matter experts for each compliance risk area that are accountable for monitoring internal changes and external change from regulators, courts, legislatures, and other sources to identify new and developing compliance risks that will impact the business.
  • Policy definition, communication, and maintenance: Organizations must have documented and up-to-date policies and procedures that both address the compliance and ethical risks and are in accordance with the culture, values, and obligations of the organization. Compliance requirements and processes must be clearly documented within policies and procedures. The policy definition, communication, and maintenance process provides proof that the program is sound and controls are adequate.
  • Compliance risk reporting and accountability: Compliance is a distributed and federated function in most enterprises. While the board has ultimate accountability, responsibility for compliance risk management falls to the CECO, and is delegated across a variety of business processes and functions. To effectively provide assurance to the board and executives, an effective GRC approach requires that a process of compliance risk governance, accountability, and reporting be in place. This requires collaboration with other roles such as internal audit, and establishes lines of communication throughout the business.
  • Due diligence efforts: An established process to document due diligence efforts shows that employees and business partners are properly screened, and assures the business that it is not engaging with individuals or organizations that have a bent toward unethical behavior. It also assures the organization that individuals have the right background, resources, and experience to do the job they are engaged for.
  • Training and communication: Written policies are not enough — individuals need to know what is expected of them day-to-day and their business operations. Organizations are increasingly using online training in addition to discussion-led training to raise compliance and ethics awareness. There is also a trend toward using interactive technologies and learning simulations. The training and communication process is key to communicating the corporate culture, obligations, and expectations across the organization and to business partners.
  • Ongoing compliance assessment: The organization needs ongoing assessment of compliance policies and controls. This involves surveys, self-assessments, and automated assessments for regular compliance risk and control monitoring. Successful organizations conduct assessments not just on a periodic basis but whenever significant business change might impact compliance.
  • Enforcement of the control environment: While policies and procedures may define how the organization behaves, enforcement ultimately depends on controls. The organization should implement preventive and detective controls that support compliance obligations and policies. The organization needs to ensure these controls are in place and operating as designed. When there are issues, the organization must address these with corrective controls.
  • Record and report issues: Clearly defined processes must be in place for individuals to report concerns, weaknesses and wrongdoing. Reporting is often done anonymously via call centers or Weblines. Clearly defined processes must be communicated and maintained for management to document reports made directly to them as well so that one database can be maintained and audited.
  • Conduct investigations: Even in the best organization things go wrong. Investigative processes (e.g., hotline analysis, surveys, management reports, exit interviews) must be in place to quickly identify potential incidents of wrongdoing and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.
  • Implement communication and reporting processes: The organization must have channels of communication where employees can ask questions on policies and procedures to avoid misunderstanding as well as issues of noncompliance. Possible systems include help lines, interactive intranets with FAQs and ‘ask a question’, and forms processing where approvals are requested.
  • Third-party relationships: Central to an integrity and compliance program is the ability to identify and manage the risk of third parties. Technology enables the ongoing due diligence effort to monitor and score vendor and third-party risk, communicate a supplier code of conduct and other policies to vendors and track attestations, and deliver surveys and assessments.

Throughout all of these processes, compliance risk management needs to have a clearly defined lessons-learned process to make sure the organization is not a repeat offender. Organizations with a history of noncompliant conduct will find that they are not treated favorably by courts and regulators.

What are your experience and thoughts on the breadth of processes needed to build a strong compliance risk management program?

How to Buy GRC (Risk & Compliance) Software

The GRC software space is vast with numerous vendors.  In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC related software.  Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), 19 of the categories are focused in specific business functions/processes of GRC.  Of the 400 vendors, it is under 50 that market and present themselves in the enterprise GRC domain.

How does an organization make sense of all of this? How do you know what you are buying is the right platform and right vendor for your organization?

Before I give some guidance on this – let me first state that GRC software is needed in organizations. A document-centric approach done in spreadsheets and word processing documents is prone to issues: issues in consolidation and reporting – both errors and the time it takes; issues in accountability and audit trails – to validate that things were not changed to get someone or the organization out of trouble, or to paint a rosier picture of the organization; and issues in efficiency, as document-centric approaches take more resources to manage.

The issue is sifting through all the vendors with their offerings to find the one that best fits your organization.

My advice on buying GRC (and related risk and compliance software):

  • Get to know the vendor.  I have spent nearly twenty years in this space.  There are good vendors and bad vendors.  There are good sales people and bad sales people.  A successful software implementation is going to require a relationship.  Make sure that the vendor and sales person you are considering doing business with is someone you want to work with.  Someone that is arrogant or pushy is going to give you headaches and make your life miserable – they will always be pushing for the next deal and expanding the platform.  Pick the vendor that appears to have your best interest in mind and not theirs.
  • Understand who the vendor typically sells to – industry and role. Every vendor in this space has a history and track record. Some have strengths in audit or risk or compliance or information security or some other role. Some have a history in financial services while another is in healthcare. While many vendors can serve across several roles, where they have historically sold their platform will tell you where their dominant strengths lie.
  • Use caution with Forrester Waves and Gartner Magic Quadrants.  Too many organizations see whoever is in the upper right quadrant and pick them for their short list.  THIS IS A MISTAKE.  These documents have their value, but just because someone appears to be the leader does not mean they are the best fit for your organization.  That ‘winner’ may serve primarily Fortune 1000 banks, while you are a mid-size hospital.  They may be strong in risk while you are looking for a strong compliance solution. Do not assume that the leaders in these research pieces are what will be best for your organization.  There may be a vendor not even in the research that is the ideal fit for you.
  • Check references.   Require that the vendor give you references – and check them.  Grill the references.  Ask questions on what they like least about the vendor and the solution. Ask them what they would change.  Many of these references have sweet deals from the vendors and are spokespeople for them – you need to grill them and look for the chinks in the armor.  I would also use social networking (e.g., LinkedIn, Twitter) to ask for experiences of others.  Talk to analysts and insist on knowing the good, the bad, and the ugly.  If the analyst does not have much to offer – go to one that has experience.
  • Control the vendor.  A huge issue with GRC software projects is when the vendor sees $$$.  I have seen situations in which the sales person is striving for a much bigger sale than what the organization is ready for.  In these cases the sales person has taken it upon themselves to knock on other doors across the organization in an attempt to get buy-in to a GRC vision and fix corporate political issues.  This kills GRC projects.  Go back to the first bullet above – know your vendor and make sure it is who you want to do business with.
  • Get in the driver’s seat. A HUGE ISSUE is that some vendors are great at demos. They can find out what you need and go back and build some mock-ups that look great. When the deal closes they have not told you that they have to build out much of the functionality they demonstrated, and do so on your dime. It is important that you demo the solution and get behind it yourself. Build scenarios of what you want to accomplish, do not give all the details to the vendor (just the general goals), and sit behind it and walk through it. This will make your decision much clearer, as the system that is easiest to use will quickly become apparent.
  • Test your enterprise needs.  Some vendors work great when operating in a specific business department, but their risk analysis and reporting falls apart as you try to aggregate, normalize, and report on information on an enterprise level – as with ERM (Enterprise Risk Management).  I have had one senior executive tell me that they never want to see a heat map again as their GRC/risk vendor’s reporting was a mess and what appeared on the heat map was comparing apples and oranges.

If you have questions or need help on understanding the GRC software space – I am happy to help.

If you are a vendor, a few things you may be interested in are:
  1. GRC Technology Innovation Awards.  I am seeking nominations for Corporate Integrity’s GRC Technology Innovation Awards to be announced in February.  If you have something revolutionary that changes the landscape of GRC for the future – contact me for a nomination form.  This is not for ‘me too’ functionality but is something that is really unique and game changing.
  2. Ultimate [GRC] Platform Designation.  If you feel your software is among the best in its domain, Corporate Integrity can be engaged to put it through its paces.  Vendors that make it through get a write up by Corporate Integrity on the solution and the ability to use the Ultimate Platform label.  Please contact me for more information. The ultimate platform designation can be pursued in the following categories:
  • The Ultimate Enterprise GRC Platform
  • The Ultimate Risk Management Platform
  • The Ultimate Compliance Management Platform
  • The Ultimate Audit Management Platform
  • The Ultimate Policy Management Platform
  • The Ultimate Legal Management Platform
  • The Ultimate IT Risk & Compliance Platform
  • The Ultimate 3rd Party/Vendor/Supplier Platform

Principles of Compliance Risk Management

Understanding and Approaching Compliance and Ethics Risk

Historically the compliance function did not understand and model processes for risk management. Compliance documented and met requirements, and found and resolved issues. There was limited modeling of compliance issues and risk to determine business impact and prioritization of resources. Most often compliance was reactive, putting out fires instead of actively interpreting and predicting compliance and ethics risk issues, and developing treatment plans to mitigate or avoid damage to the organization.

The CECO in the 21st century must take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the current and future context of a dynamic and distributed business, and model risk and business impact today and into the future. In some industries CECOs are best served to use risk models that support decision tree and scenario analysis to model risk in their environments, but can also benefit from heat maps, MARCI charts (mitigate, assure, redeploy, and cumulative impact), and even quantitative approaches such as loss distributions in Monte Carlo simulations to portray loss and impact (if there is enough data to make these meaningful).

Regardless of the complexity of the analysis, the principles of compliance risk management are the same:

  • Understand your risk: An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic, done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and entry into new markets).
  • Approach compliance based on proportionality of risk: How an organization implements compliance procedures and controls must be based on the proportionality of the risk it faces. If a certain area of the world or a business partner receives a high risk score for ethics or corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
  • Monitor the risk and regulatory environment: Content and information on changes to risk and regulatory environments is critical. New laws, changed regulations, court rulings, and standards of practice all change what is required of the organization. The compliance function needs to have a defined process and be accountable to monitor risk of changes in the regulatory environment.
  • Tone at the top: The compliance risk management program needs to be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Leadership must communicate what is both acceptable and unacceptable risk, and support the compliance and ethics program. Executives and the board must be informed about the effectiveness and operations of the compliance and risk management strategy to fulfill their fiduciary obligations.
  • Know who you do business with: Organizations need to know their business relationships. This requires that an established risk-monitoring framework is in place that catalogs the organization’s third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of risk of corruption, compliance, or ethical issues in a relationship, additional preventive and detective controls must be put in place. This goes beyond business partners: this means knowing employees, and conducting background checks where needed in order to understand if they are susceptible to corruption and unethical conduct.
  • Keep information current: Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts, but must be done on a regular basis or when the business becomes aware of conditions that point to increased risk to ethics and compliance issues.
  • Compliance oversight: The organization must have someone responsible for oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to independent monitoring bodies such as the audit committees of the board.
  • Manage change in the business: The organization must monitor the business for changes that can impact its compliance and ethics program or introduce greater risk to corporate integrity. The organization needs to document changes required for business practices as a result of observations and investigations, and must implement changes through a deliberate program of change management. These changes must be monitored by compliance to actively prevent corruption.

What are your thoughts on the core principles of compliance risk management?

Regulations and a Demand for Integrity Bear Down on the Organization

Managing an organization’s ethics and values is challenging enough. A legion of laws, regulations, contractual obligations, judgments, and fines bear down on the organization and the CECO in the 21st century. There is a difficult path ahead for ethics and compliance management. Compliance is particularly difficult, as business is bombarded with thousands of new regulations each year.

U.S. Perspective
At the U.S. federal level (not including U.S. state or local jurisdictions) there were more than 3,500 new regulations issued last year. This brings the total number of regulations issued since 1995 to nearly 60,000. Another 4,000 new laws and regulations are pending, waiting for approval. The sheer volume is staggering. FCPA is a particular hotbed of compliance in the U.S.:
  • The court found Frederic Bourke, Jr. was willfully blind and as an investor he should have done more due diligence and should have known that the energy company he invested in bribed foreign officials.
  • The government told Nature’s Sunshine’s CFO and COO they should have had better controls over financial reporting, even though the SEC never stated they specifically knew of the bribery happening within the corporation.
  • The average cost of an FCPA settlement is $50 million plus the expense for an external monitor to validate a compliance program is in place for the next 10 to 20 years. This does not include investigation expenses.
  • The U.S. Department of Justice assessed nearly $2 billion in fines in 2010. Eight of the top 10 FCPA settlements occurred in 2010. BAE Systems was the third largest fine at $500 million. Daimler AG had $185 million in fines and disgorgements. Snamprogetti had $365 million in fines (the fourth-largest).
  • Charles Jumet, former VP of Ports Engineering Consulting Corporation, was sentenced to 87 months in prison.
  • Siemens spent $850 million in fees and expenses to investigate anticorruption. Daimler had a five-year investigation that cost over $500 million.
European Perspective
Europe has been known for a principles-based (or outcomes-based) approach to compliance — which originates from the United Kingdom’s Financial Services Authority. They have turned their focus away from specific requirements toward understanding and interpreting compliance in light of the risk the organization faces, requiring a risk-based approach to compliance. Adding to compliance mandates, the U.K. approved the U.K. Bribery Act (UKBA) legislation in 2010, which went into enforcement in July 2011.  This brings broader scope and implications to anticorruption compliance. Both the FCPA and the UKBA are country-specific initiatives in support of the Organization for Economic Cooperation and Development’s (OECD) anticorruption initiatives in 34 countries.  The OECD has released Good Practice Guidance for internal controls, ethics, and compliance to combat corruption around the world.
Australian Perspective
Australia, through the ASNZ 3806 standard, takes a principles-based approach to compliance. The 12 principles provide guidance to organizations designing, developing, implementing and maintaining an effective compliance program, encompassing:
  • Commitment
  • Implementation
  • Monitoring and measuring
  • Continual improvement
In addition, mandates such as those provided by the Australian Securities and Investments Commission (ASIC) and Australian Prudential Regulation Authority (APRA) broaden the scope and compliance requirements for listed organizations or those within the financial services industry.
The Era of the Corporate Bounty Hunter
Government is cracking down on organizations that lack integrity in their ethics and compliance practices. The current environment is seeing increased actions and judgments for noncompliant behavior such as corruption, insider trading, antitrust abuse, harassment, discrimination, fraud, and privacy violations. Fraud and unethical behavior is not tolerated — government and society have had enough. One aspect of this change is the government focus on initiatives that establish rewards for corporate whistleblowers. This heralds the era of the corporate bounty hunter.
The U.S. government recently introduced its most extensive regulation to uncover corporate wrongdoing in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub.L. 111-203, H.R. 4173).  Title IX Subtitle B gives the SEC powers to enforce a “whistleblower bounty program.”  This program allocates a 10 percent to 30 percent reward to corporate whistleblowers who provide information leading to a successful government enforcement action with monetary sanctions of more than $1 million. In an era of increased scrutiny and judgments for anticorruption, insider trading, and other areas, this significant concern keeps executives, the board, legal, and compliance professionals up at night.
This just scratches the surface of the regulatory burden on organizations amidst thousands that span areas of employment, quality, health and safety, environmental, business transactions, privacy, security, and many other areas. Distributed businesses that cross jurisdictions in transactions and relationships have a great deal to answer for when it comes to regulatory oversight. The burden is so great it demands companies use limited resources and a risk-based approach to understand where its greatest ethics and compliance risks are. A risk-based approach complements a values-based approach and enhances corporate culture. While culture and values ultimately drive compliance, an organization must understand where its greatest compliance exposure is and allocate resources accordingly.

This is the second in my series on Compliance Management in the 21st Century. The previous ones have been:

I would love to hear your thoughts as well – please share them.

For those that cannot wait for all of my upcoming posts – you can read my thoughts and perspectives in my most recent written report:  Compliance Risk Management in the 21st Century.


The Leading GRC Technology Vendor Is . . .

Before even getting into technology and vendors, it is necessary to understand what GRC is about. I argue that GRC is nothing new – we have been doing GRC long before we had an acronym, which I first started using back in 2002. The truth is that organizations have governance, risk management, and compliance (GRC) practices and processes in place. Your organization is doing GRC whether you call it GRC or not. These processes are most likely siloed and scattered across the organization. They may be formal or informal; they may be defined and written down, or ad hoc. You will not find an executive who states that the company lacks governance, does not manage risk, and could not care less about compliance. Whatever you may call it – the truth is that GRC exists in your organization.

So why all this fuss over GRC? There are better ways of doing things. The goal is to make the GRC processes that already exist in the environment more effective at meeting obligations and managing risk, more efficient in their use of financial and human resources, and more agile in responding to the needs of a dynamic and distributed business environment.

Thus enters technology – GRC technology is used to bring greater effectiveness, efficiency, and agility to GRC processes across the organization. One goal is to move beyond documents and spreadsheets, which have their own issues (such as no audit trail and difficult reporting). Another goal is to share information and provide a framework for collaboration across risk and compliance roles. Finally, a goal is to provide shared processes and technology.

I often hear the line of business screaming “ENOUGH.” This week it is a SOX assessment, next week an operational risk assessment, the week after that a business continuity assessment, and then five others. Several come in spreadsheets formatted differently, others in web survey tools, others in software applications. There are a dozen or more file shares or intranet sites claiming to have the corporate policies – where is the correct one? Why are they in different formats? Who is controlling this? Investigation, incident, and issue systems are scattered across several areas as well.

Organizations are waking up to the fact that GRC can be more effective, efficient, and agile. Thus enters technology to enable it. GRC technology is very much like CRM (client relationship management) technology back in the 1980s, which is now a core part of business. Before we had CRM we still managed client relationships. The issue was that we had out-of-sync data and no one had the complete picture of the client. Sales had their view, marketing theirs, and then service theirs. CRM systems came in to provide a holistic view of the client – one complete and accurate picture that all these roles, in their respective capacities, can access. The same holds for GRC technology – there are a variety of roles across the business doing aspects of risk and compliance that have very similar information and process needs, though each maintains its individual subject expertise.

I will state that there is no single vendor that does all of GRC from a technology perspective. There are over 400 vendors that do aspects of GRC. I model the market around 28 categories of GRC software (this will be released in a few weeks in the updated OCEG Solutions Guide for GRC). Several of these technology categories span needs across the enterprise; others address needs within specific functions.

In my work in GRC market research, education/training, and advisory I get involved in over 200 interactions each year with organizations looking for GRC technology. Most, as much as 90%, are focused on specific issues, while about 10% are truly focused on enterprise GRC initiatives. However, even those focused on specific issues want to invest in technology that can address other issues and grow and expand into enterprise GRC over time.

Looking over the past two years of interactions with buyers of GRC software, the top five GRC vendors that I see most often in RFPs/RFIs are (in alphabetical order): BWise, MetricStream, OpenPages, RSA Archer, and Thomson Reuters Accelus. Of these, it is BWise and RSA Archer that most often come up in interactions.

This does not necessarily mean that these vendors are the best for you. There are aspects of the 28 categories of GRC that they do not do. Every vendor has its strengths and weaknesses. Depending on organization size, industry, complexity, and needs, the vendor you want to engage will vary. In fact, several organizations I have interacted with have four or more GRC vendors in place doing different parts of GRC.

Other vendors that I frequently encounter include (in alphabetical order): ActiveRisk, Compliance 360, CMO Compliance, CURA, Easy2Comply, EthicsPoint, Lockpath, Mitratech, Oracle, QUMAS, SAI Global, SAP, SAS, and Wolters Kluwer.

Beyond this group are vendors such as Agiliance, AlineAlytics, AssurX, BPS Resolver, Chase Cooper, Continuity Logic, Global Compliance, MEGA, Methodware, Modulo, Policy Technologies, The Network, Pilgrim Software, Process Unity, and RSAM.

Here I have only touched on a few dozen of the 400 vendors in this space.

If this topic interests you, I would encourage you to consider my upcoming online training on the GRC technology market.

State of the GRC Market Q4-2011
Friday, October 14, 2011 – Eastern Time 12:00 PM – 2:00 PM / Pacific Time 9:00 AM – 11:00 AM / GMT 4:00 PM – 6:00 PM

Today’s complex and competitive GRC market demands that you be at the top of your game. Corporate Integrity is the leading GRC market research and education firm.

This webinar is Corporate Integrity’s quarterly update on the State of the GRC Market. It is the summary of Corporate Integrity’s market intelligence, which spans several hundred interactions/conversations with GRC technology buyers each year. It is an excellent opportunity for organizations looking to buy technology to learn what is going on in the market. It is a necessary educational opportunity for technology providers to understand the GRC market and refine their strategies.

Attendees will be able to answer the following questions:

  • Who are the leading (most active) GRC technology providers?
  • Why are organizations buying GRC technology?
  • What differentiates the GRC technology providers?
  • How do you categorize and define the GRC technology market?
  • What is the market size of the GRC technology market? Where will it grow?
  • What are the leading risk and compliance drivers for buying GRC technology?
  • What is the value that organizations have achieved by implementing GRC technology?
  • Where is GRC technology headed?
  • What are the different needs of GRC roles (e.g., audit, risk, compliance, IT, finance, legal)?
  • Who are some of the up-and-comers in GRC technology that I should be watching, and why?