Category: The GRC Pundit Blog

GRC and technology. Every organization does GRC, not every organization does GRC well.  You will not find an organization that states it lacks governance, does not care about risk, and forgets about compliance.  Organizations may not call it GRC – but they have GRC processes from the ad hoc to the mature.  What makes a mature GRC approach – either at the departmental or enterprise level – different from an immature approach is how the organization utilizes process, technology, and information.  Technology makes GRC and its individual components of governance, risk management, and compliance more effective, efficient, and agile.

Over the years GRC technology has evolved and changed. There is not one vendor that delivers all of GRC, there are many market segments and niches.  In 2012, GRC 20/20 recognized ten vendors from a few dozen submissions in the 2012 GRC Technology Innovation Awards.   To recognize how technology is evolving, GRC 20/20 Research is proud to announce the 2^nd annual GRC Technology Innovation Awards. 

The 2013 GRC Technology Innovation Award process was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.  Some of these recognitions go to established vendors — others go to up-and-comers. Some have mature offerings, others still need some polish — all are advancing GRC into new areas. The current award recipients show thought leadership and innovative solutions.

Particular trends to note in the 2013 selections are:

• Delivering a GRC marketplace for the exchange of ideas, content, and apps (note RSA Archer started this trend a few years back, but other vendors have picked up on it and have advanced it to new levels);
• Socializing GRC and risk management by utilizing social technologies to facilitate risk collaboration/gameification across the business and engage everyone in GRC and risk management (note BPS Resolver started this trend several years back – but it is just now gaining momentum and a few companies selected are really advancing this concept);
• GRC architecture and integration – it is not about one GRC vendor that can do everything.  GRC requires the integration of different types of applications and content to make it work.  This requires that we understand the business, how the business operates, and take an enterprise architecture approach to GRC.
• Engaging the employee, at the end of the day GRC is part of everyone’s job description.  Forward thinking companies are looking for the user experience and how to get employees more involved and providing elegant interfaces that employees enjoy working with.

Not every vendor selected for the 2013 award fits into one of thee buckets completely, but all this year’s award recipients touch one or more of them with where they are taking GRC technology.

The 2013 GRC Technology Innovation Award recipients are (please follow hyperlinks to see more detail on each recipient):

1. The GRC Marketplace: the Force.com of GRC. MetricStream’s Zaplet brings the benefits of Platform-as-a-Service (PaaS) technology to the GRC space, providing a platform to build, market, and sell specialized GRC applications using the power of cloud technology and community.
2. Risk collaboration: socializing risk in the enterprise. Riskflo’s Discovery™ platform addresses the fundamental challenge of capturing, integrating and sharing the knowledge of how a risk behaves. 
3. Engaging Risk: providing a social GRC architecture. Integrc’s "Engaging Risk” is a combination of integrated GRC knowledge solutions that helps organizations achieve greater understanding and interaction.
4. Delivering GRC Architecture. MEGA’s Holistic Operational Excellence platform (HOPEX) integrates enterprise architecture (EA) capabilities with GRC capabilities into one platform.
5. Mind-mapping GRC. C2CSmartCompliance’s Compliance Mapper has a powerful GRC content mapping engine that allows an organization to graphically map regulatory and customer-generated content and click to establish bi-directional links.
6. The user experience: the Apple of GRC.  The Network’s Integrated GRC Suite is innovative for its design and end user experience.
7. Integrating content, experience, and process. Think of Compli Portfolio™ as the “electronic binder” that integrates the work of internal and external experts in an elegant user experience to illustrate and manage an organization’s compliance and risk profile.
8. Managing risk in social networks. OpenQ’s SafeGuard™ is addressing the risk of social technologies in regulated industries that have held back from using social technology because of GRC concerns.
9. Advancing GRC mobility. Supporting GRC activities on the move, Blackthorn CaseNotes represents one of the most feature rich GRC mobile apps available.
10. From GRC idea to “there’s an app for that.”  Compliance Assurance Corporation’s Compliance Idea eXchange (CIE) enables their clients to drive innovation, with a particular focus in GRC in the insurance vert
    ical. 
11. Advancing GRC analytics. In the era of ‘Big Data,’ SAP HANA Analytics Foundation for SAP Solutions for GRC shows innovation in addressing the burgeoning velocity, volume, and variety of GRC governance, risk and compliance data in the enterprise.
12. Efficiencies in reporting. ControlPanel^GRC’s AutoAuditor enables companies to be in a state of continuous audit readiness by automating manual reporting processes, and through its intuitive design AutoAuditor adapts to each company’s specific reporting demands.

GRC 20/20 wishes we could recognize more – but we had to put a cap somewhere.  Twelve seemed like the appropriate number.  There were many great submissions – some more innovative than others.  The 2014 award nomination process will begin in October of 2013.  Further, GRC 20/20 will be doing another award process called the GRC Value Awards.  Nominations will be accepted starting in April 2013 and award recipients will be selected and announced in July 2013.  That process will look to find who has the best-substantiated value proposition in various categories of GRC software.  Stay tuned.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 1 is MetricStream’s Zaplet which showed technology innovation for the GRC Marketplace: the Force.com of GRC.

MetricStream’s Zaplet brings the benefits of Platform-as-a-Service (PaaS) technology to the GRC space, providing a platform to build, market, and sell specialized GRC applications using the power of cloud technology and community. This enables the broadest GRC ecosystem of partners and content providers to deploy GRC applications and content. At its core is the GRC App Store, a web-based marketplace, where customers can browse, learn about, license, and run GRC apps and integrated content. Each app has its own data models, workflows, information flows, content, reports, dashboards, and templates that are fully tailored to specific requirements around a business process, industry mandate, or regulatory requirement. These apps are rich in content and functionality as they are designed and developed by GRC subject matter experts. Developers build applications using the AppStudio suite of development tools, which provides a visual environment with web-based drag-and-drop tools for defining workflows and information routing rules, forms, business reporting processes, and the underlying business logic that controls the interactions between various elements. Developers and partners can provide customer demos, free trials, and upgrades, while accessing critical customer feedback and any new requirements via the GRC App Store. 

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 2 is Riskflo’s Discovery™ which showed technology innovation for risk collaboration: socializing risk in the enterprise.

Riskflo’s Discovery™ platform addresses the fundamental challenge of capturing, integrating and sharing the knowledge of how a risk behaves.  This knowledge is fragmented across the organisation, business processes and from management to the ‘coal face.’  Riskflo’s suite of applications provide a new approach to risk workshops and facilitation so that the knowledge locked away inside the heads of those that are closest to business process and risk are captured.  Riskflo has moved beyond risk voting tools to support a rich interactive discussion between facilitator and participants in an environment where participant identity can firewalled. Riskflo address the core problem of eliciting and aggregating expert opinion from multiple participants – navigating cognitive and behavioral bias through technology that delivers risk facilitation, group learning, knowledge elicitation and group estimate aggregation methodologies.  This approach transforms the quality of the risk assessment information while providing a rich and engaging experience for both facilitator and participants alike.  Riskflo has developed a new paradigm for engaging all levels of the organization in risk management activities in a deep and lasting way and in the process providing a means to transform the risk management culture.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 3 is Integrc’s "Engaging Risk” which showed technology innovation for engaging Risk: providing a social GRC architecture.

Integrc’s "Engaging Risk” is a combination of integrated GRC knowledge solutions that helps organizations achieve greater understanding and interaction. The common aspiration for organizations is to change how they interact, adopt, perceive and embed GRC technologies and initiatives and Engaging Risk achieves this through a portfolio of user facing technologies that include dashboards, apps, adobe forms, and internal tools for GRC. Engaging Risk promotes "social GRC” (gamification) and helps organizations improve participation in risk management. Historical GRC solutions are designed primarily with the risk community in mind; Engaging Risk takes a broader approach by recognizing that successful GRC initiatives engage the users and other stakeholders, encouraging participation, explaining benefits and embedding  into standard processes. Engaging Risk does not replace the core GRC engine but focuses on delivery of the GRC benefits through the wider user community. Engaging Risk increases the participation in the processes and the perception of GRC processes by breaking down the silos and making GRC relevant to the wider community. The core goals are applied; to hunt down the pain for GRC users, to encourage adoption by lowering the participation barriers and embed GRC in the DNA of the business.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 4 is MEGA’s Holistic Operational Excellence platform (HOPEX) which showed technology innovation for delivering GRC Architecture. 

MEGA’s Holistic Operational Excellence platform (HOPEX) integrates enterprise architecture (EA) capabilities with GRC capabilities into one platform. This enables an organization to manage a GRC program that delivers value, aligns with core business strategy and objectives, and drives operational performance and process execution. The HOPEX platform empowers organizations to gather and understand enterprise strategy, capabilities, business processes, organizational structure and assets, including IT assets, risks, and controls. GRC programs and initiatives can now include modeling capabilities, on top of which assessment and governance capabilities can be used by a large number of employees in the organization to assess and monitor business performance.  By leveraging EA and GRC capabilities on the same platform, GRC Architects can utilize architecture capabilities to understand how their organization works and plan transformations, with execution capabilities to get the transformation implemented and assessed, in a continuous improvement approach. This fosters the alignment with strategies, business processes, information systems and corporate objectives. GRC professionals will then have a clear, detailed vision into the business and the direct results of managing, testing, and monitoring can be shared to improve the organization.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 5 is C2CSmartCompliance’s Compliance Mapper which showed technology innovation for mind-mapping GRC.  

C2CSmartCompliance’s Compliance Mapper has a powerful GRC content mapping engine that allows an organization to graphically map regulatory and customer-generated content and click to establish bi-directional links.  The organization can graphically map policies and procedures to regulations and standards. Compliance Mapper eliminates the need for generically mapped, document-based approaches and reduces the number of controls needed to validate GRC.  The mapping engine enables ‘anything’ across the GRC spectrum to be linked together such that the relationship(s) many levels deep can be seen. For example, an incident could be mapped to an asset that is linked to a procedure that addresses a policy that meets a requirement (standard or regulatory requirement). Change a policy, regulation, standard or best practice in the GRC framework and see what is affected before making the change. C2C mapping technology highlights both direct mapping and indirect mappings ensuring all affected parties can be notified of possible changes, before a process or supporting document is ‘knocked out’ of compliance. 

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 6 is The Network’s Integrated GRC Suite which showed technology innovation for the user experience: the Apple of GRC.  

The Network’s Integrated GRC Suite is innovative for its design and end user experience. While most GRC applications focus on the back-end complexity of GRC, The Network has delivered a platform that is fresh, beautiful, and simply elegant for the user. It features an intuitive, employee-engaging, social media-style interface for ease of use, collaboration and configurability to an organization’s specific needs to match brand and culture, and is scalable to address global needs. The GRC Suite is positioned to help organizations transform the compliance function from a chore into a valued and valuable business asset. The GRC Suite blends GRC technology with awareness and communications expertise to help drive ethical culture. Where other GRC technology providers focus on the professional side of the equation, The Network’s solution adds interface assets that work to engage employees, while providing administrators and executives with the tools needed to manage compliance. Recognizing that employees are both the greatest asset and the biggest risk toward an ethical culture, the GRC Suite has been developed to enhance how employees consume, retain and apply information, to engrain them in the compliance process.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 7 is Compli Portfolio™ which showed technology innovation for integrating content, experience, and process. 

Think of Compli Portfolio™ as the “electronic binder” that integrates the work of internal and external experts in an elegant user experience to illustrate and manage an organization’s compliance and risk profile. Portfolio allows organizations to take their important disparate systems (which normally generate waste and functional overlap, limiting an organization’s ability to quickly demonstrate a program’s efficacy) and integrate them into a single outlet with a powerful reporting engine thereby “connecting the dots” when it comes to meeting compliance requirements.  Portfolio is an innovative approach to providing the integration of technology, process, and to automate the awareness, training and risk mitigation process. No matter the origin of an organization’s content, Portfolio provides a graceful interface that becomes a GRC binder for policies, procedures, trainings and certifications required of internal and external stakeholders. Portfolio utilizes workflow and content tools that deliver an intuitive, drag and drop interface to quickly create effective awareness, training and reporting campaigns. GRC professionals and subject matter experts can instantly devise complex cross-functional initiatives without requiring additional programming or being technology experts.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 8 is OpenQ’s SafeGuard™ which showed technology innovation for managing risk in social networks. 

OpenQ’s SafeGuard™ is addressing the risk of social technologies in regulated industries that have held back from using social technology because of GRC concerns. SafeGuard can be used with any social platform and is currently integrated into more than a dozen platforms.  It monitors risk from interactions over social networking platforms for regulated-industries to enforce corporate policy and regulatory compliance. SafeGuard collects and analyzes data, identifying levels of risk and enabling personnel to address any issues with its workflow-driven remediation capabilities. The product analyzes the internal social data streams and external social media to identify, quarantine and enable management of risk. There are similar products on the market that use keyword searches, however, SafeGuard’s social compliance technology uses a policy/signature driven approach, similar to that of antivirus software, which can adapt to industry and company needs.  It is the first and only product for policy-driven social compliance in the health, life science, and financial services ecosystems.

The 2013 GRC Technology Innovator awards was filled with competition.  The number of submissions more than doubled over 2012.  With 57 submissions there were only twelve slots for winners.  GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected the 12 recipients to receive this honor.

Number 9 is Blackthorn CaseNotes which showed technology innovation for advancing GRC mobility.

Supporting GRC activities on the move, Blackthorn CaseNotes represents one of the most feature rich GRC mobile apps available. It enables specialists in a range of GRC fields to collect and manage information. Forms are created and published via a web portal to CaseNotes, which are completed by the mobile user on or offline and then sent back to the server for recording and analysis. CaseNotes enables GRC mobile specialists to take contemporaneous notes, complete forms and associate photos, videos, audio recordings and scanned barcodes with each GRC activity they are managing (e.g. cases, incidents, assessments, audits, reviews) What makes it different from other notes apps is that it uses encryption and hashing to give evidential integrity to the notes, making it ideal for uses where accountability, positive assurance and legal admissibility matter while fully supporting a mobile workforce that is both offline and online.