Category: The GRC Pundit Blog

The global economy is driving many organizations to develop enterprise risk management strategies.  Unfortunately for many they often interpret this as SOX on steroids and fail to deliver a true enterprise view of risk.  ERM often is trapped in an internal control view of risk that fails to comprehend and interpret the complexities of global business.

For this reason I am introducing a critical area of risk management that should be part of enterprise risk strategies for organizations that are susceptible to risk in the availability and pricing of commodities. 

Organizations are in an ongoing effort to achieve sustainability, consistency, transparency, accountability, and efficiency across risk and compliance initiatives. The fact of the matter is: organizations need complete visibility into the portfolio of risks spread across distributed and complex business processes and relationships. A spectrum of organizations are susceptible to uncertainty and risk in relation to commodities. Rising demand for commodities, limited supplies, complex supply chains, international relations, hedging, and exchange rates – all have a large impact on the ability of organizations to produce and deliver goods to their clients profitably.

As organizations define their enterprise risk and GRC strategies it is essential that they gain an understanding of the central relevance that commodity risk management plays. 
Risk management is ultimately about managing uncertainty in business. While there are a number of risk management initiatives that are part of a GRC or ERM program (e.g., treasury, operational, strategic risk), commodity risk management is often overlooked and poorly managed across a number of siloed roles in the organization which are focused on specific commodities.

If an organization’s bottom line is subject to extensive variability because of fluctuating commodity prices, it becomes paramount that the organization develop and implement processes and systems to manage commodity risk centrally on a holistic basis.

To learn more about Commodity Risk Management I encourage you to download (no charge) my latest research on the topic from my website:  Foundations of GRC: Commodity Risk Management.

Chalres Dickens might as well have been speaking about the risk and compliance market (GRC market) when he stated “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness.” 

What was considered foolish a few years back – basically conservatively running a business – now is reaping rewards and once again shows the wisdom in living within ones means (in this case a business).  Vendors that took on too much debt and went to the well of venture funding time and time again now find themselves sinking slowly into the abyss with a millstone of expensive operations and stakeholder expectations sinking them to its depths.

However, those that ran a very conservative business are reaping rewards and seizing opportunity in the current economic environment.  Two such vendors that have publicly come forward with this are Archer Technologies andCompliance 360.  There are others succeeding as well, but there are far more that are treading water hoping some ship of acquisition passes by in the next few months.  Others are sinking with that millstone of debt and excessive expectations.

2009 will bring renewed focus on corporate governance, enterprise risk, and compliance management (GRC).  Organizations will continue to seek help from professional service firms to implement GRC and ERM strategies.  Further, in a tight economy, organizations will continue to implement processes and technology that assist in streamlining risk and compliance operations at lower costs.

Interestingly, while compliance will remain a priority I see enterprise risk management pulling ahead in 2009.  This is because of the economy and the fact that organizations need to have a transparent view of risk and performance across the organization.  It also is a result of the complexity and distributed nature of business as well as current challenges such as  Standard & Poor’s risk evaluations impacting enterprise risk strategy. This is driving the risk consulting market more than the technology market at this point.  I see a greater technology spend on enterprise risk management solutions/technology in the 2nd half of 2009.  Right now organizations are recovering from economy shock, a new administration (in the U.S.), and seeking advice on enterprise risk strategy.  My newsletters illustrate a broader trend in risk over compliance – I have a 10% higher read rate on my mailing list of 5500+ subscribers on the Ultimate ERM Platform than I did on the Ultimate Compliance Platform – despite the ERM newsletter went out between Christmas and New Years (bad-timing for a newsletter).

Compliance though remains a priority for organizations.  The SEC in particular has been very vocal that organizations should not cut corners on compliance.  Organizations are struggling to gain an understanding on how they can streamline processes for management of policies as well as communication of them.  There is increased interest in automating compliance and control monitoring within business systems and processes.  Further, organizations desire to get an enterprise view into loss, issues, and incidents – which is a necessity to truly manage and measure enterprise risk.

The single focus area of risk and compliance that will get the most attention in 2009 is managing risk and compliance across extended business relationships (e.g., 3rd parties, supply chain, vendors, outsourcers, service providers).  This focus area of risk and compliance has been my busiest over the last several months. I have had well over a dozen conversations with large international organizations trying to figure out how to manage employment/labor, code of conduct, anti-corruption, quality, safety, and security across extended business relationships.

This is just a quick summary of the complexity, challenges, and potential for the risk and compliance(GRC) market in 2009. For those interested, I will be doing an online 2-hour workshop on this topic February 2nd – 2009 Fundamentals, Trends, & Market Directions.

INQUIRY: Among the companies you speak with, which organizational departments (finance, operations, legal, HR, etc.) appear to have the most to gain from GRC automation?

RESPONSE: GRC is about collaboration across these roles – so all have a lot to gain from GRC technology enablement and automation.  However I would state that business operations has the most to gain.  The reason being is that it is the line of business that suffers most from a wide array of demands to assess, train, and respond to silos of GRC.  I have been in numerous organizations in which they are looking at GRC technology to bring together varied assessment processes for operational risk, business continuity, SOX, IT, compliance and others.  The reason being is that the business is fighting back – often stating that these silos of GRC are asking them similar questions every week. This week it is a Basel II operational risk assessment, next it is a business continuity assessment, then it is an IT risk assessment, after that is a SOX 404 assessment, and then compliance is sending something.  Business operations wants a single platform to harness information and stop them from responding to similar questions week after week.  Further, it is business operations that would desire a common portal into policies and procedures instead of a dozen different internal websites that store policies and procedures for varying functions.

 INQUIRY:  What are the 3 most critical areas for further GRC automation in 2009 – and why?

RESPONSE:

1. The top of my list is what I am calling “Next Generation Policy & Procedure Management.”  This may not be on everyone’s radar – but it is a significant area to drive efficiency, consistency, as well as consolidate spending across the business.  The typical organization – large and small – is in a mess as to how they define, manage, and train on corporate policies and procedures.  Add to this the fact that regulators, new laws, and the courts (USSC) are pushing that individuals not only be aware of policies but that they be trained on them.  The typical organization has policies and procedures scattered across internal websites and no consistent approach to managing their life-cycle not concerted effort to train employees.  Best practice organizations that I am monitoring are beginning to consolidate dozens of different policy and procedure systems (typically intranet sites) into a single policy and procedure management platform owned by legal or compliance.  The best of these systems is able to present and communicate policies and procedures with the training courses delivered in the same user interface.  One single platform for managing corporate policies and procedures.
2. Next on my list is the critical area of loss & investigations management.  Like policies and procedures, this is a mess of hodge podge systems – or even no systems at all.  To manage risk effectively, as well as manage sensitive investigations, it is time for organizations to consolidate on a single investigations, loss, event, complaint, issue management platform (you pick the term that best suits your organization).  A single platform for managing loss and investigations allows for greater transparency in where issues are across the organization and feeds the risk management process which needs to understand historical loss data to effectively build risk models.
3. The third area of criticality is managing business relationships.  Organizations are complex entities that extend to hundreds or thousands of business relationships around the world.  These business relationships need to comply with your respective regulatory requirements, corporate culture, statements of corporate social responsibility/sustainability, and business practices.  Thus organizations need to use GRC technology to extend policy & procedure communication and training, assessments, and even investigations to their extended enterprise/relationships.  As I have mentioned previously, this is a significant opportunity for the Software as a Service/on-demand GRC solutions.

QUESTION: What are the top three roles and responsibilities of a compliance officer? We are trying to define this job role very clearly before we determine we need one.

RESPONSE:
The top three roles and responsibilities of a compliance officer vary — it depends on what you are defining as a compliance officer. If you mean a true Chief Compliance Officer (CCO) that sits outside of IT, then the top three roles and responsibilities tend to be:

The New Year of 2009 is at our doorstep and with the global turmoil it is about time many organizations begin thinking of enterprise risk management

Today we explore the Ultimate Enterprise Risk Management (ERM) Platform. Many of you expressed deep interest in my Ultimate Compliance Platform earlier in December. This week, I am delivering the second of my ultimate platform role-plays looking at what the Enterprise Risk Officer/Manager desires in an ideal Enterprise Risk Management (ERM) platform.

Defining an ERM platform is not easy – just as defining ERM is not easy. For some unfortunate organizations, ERM is Sarbanes Oxley on steroids as it is nothing more than a deeper look into internal controls with some heat maps built on top of it. In this case it truly is no an enterprise view of risk. In fact, many organizations have been deceived by the likes of the COSO ERM framework – which tends to take an auditors view of risk and not a true risk officer/manager view of risk. Granted, the COSO ERM cube is an interesting model to get a conversation started. The document itself is hard to read, hard to apply, and takes an internal view of risk and largely neglects the external elements of risk that a business faces in its operations outside of its organization. I myself find more promise in the adoption of ISO 31000 (currently in draft and expands upon the AS/NZS 4360:2004 standard).

However, many organizations are keenly interested in ERM. Some of this comes from the emphasis that credit rating agencies such as Standard & Poor’s are putting on it. Others are seeking solace in ERM to help them drive through turbulent economic times. While many seek ERM to help manage uncertainty in a dynamic and distributed business environment that extends across complex global business relationships where a small mishap may significantly impact business operations and performance.

The challenge organizations face in truly managing ERM is the number of silos of risk management scattered across the organization focused on specific issues of risk. The goal of ERM is to tie all of these independent risk management programs in the organizations together into a broader and transparent view of risk permeating throughout the enterprise.

The issue organizations face – there is no single vendor that ties all of the elements of risk together into a comprehensive ERM platform. The Ultimate ERM platform, like the Ultimate Compliance Platform, is one that needs further work and integration. The best solutions come from a range of providers and not a single vendor.

WARNING – most vendors marketing ERM platforms end up being a replacement for spreadsheets and do not bring a full picture of enterprise risk.  If all the platform is doing is surveying people, they are just about assessing operational risk and controls.  Challenge vendors – ask any vendor how they are managing ERM by providing integration into financial, treasury, and commodity risks alongside a breadth of operational and regulatory risks.  Most will be stumped on this question. 

If I were to build the Ultimate ERM Platform I would combine the following:

• Risk framework flexibility. The goal of ERM is to provide harmony across a range of frameworks, standards, and approaches that are currently being used across the enterprise. Different risk areas have their unique needs and standards they follow. A robust ERM platform will be able to harmonize and provide fluidity across these frameworks. To date the best platforms I have seen that provide a harmonized approach to integrating multiple frameworks is BWise, Cura, and Texert.

• Risk intelligence. These days every vendor has a dashboard to model and report on risk. However, they fall down when it comes to direct integration with business systems and applications. Further, most of them do not integrate with corporate performance management. This goes against what risk management is about. Risk management, done properly, is all about managing risk in light of corporate performance. For every key risk indicator there should be corresponding corporate performance indicators. The best risk dashboard that provides an integrated view into corporate performance is SAP’s.

• Risk management breadth & depth. Risk management is more than just managing the downside of risk; it is about optimizing risk taking in the organization to seize hold of opportunity and return to the organization. Organizations stuck in managing the negative and neglect the positive side of taking risk miss what ERM is about. A robust risk management platform will have sophisticated modeling capabilities that can demonstrate the positive return on risk taking and not just the downside. This requires depth in risk modeling and analytic capabilities to measure and model risk. Cura, MEGA, Strategic Thought, and Texert are vendors that I find leading in the breadth and depth of their risk management functionality.

• Risk visualization. I for one am tired of heat maps. Nearly every vendor has latched onto heat maps as if they are the only way to visualize risk. Granted, heat maps can be useful – but they are not the end all of risk visualization. Good risk management requires multiple visualization models. A risk manager needs to be able to look at risk from different views and angles to identify intricacies, relationships, and exposure. Different pictures tell different stories. You take a photograph of a room and this tells you only one story, an x-ray tells another, and a thermal map tells another. The same is true with risk visualization – we need multiple ways to visualize risk to comprehend the full picture. The good news is that there are vendors taking some interesting directions. I particularly like the risk relationship diagramming that Neohapsis (acquired from Risk Governance) and Riskonnect are offering. I am also quite intrigued by what some organizations are beginning to do with fractal maps (such as what Fractal Edge delivers).

• Risk process management. Enterprise risk management requires the flexibility of workflow and process management. Bringing together the many factions of risk management across the enterprise demands a platform that is easy to model business processes, workflow, and provides great flexibility and customization. The leading platforms offering the best risk process management capabilities are Archer Technologies, BWise, and MEGA.

• Risk integration – herding the silos of risk. Enterprise risk management is like herding cats – different parts of the organization have implemented their own risk solutions that are particularly adapted to their specific needs. A good risk management platform will provide integration with specialty platforms that are managing specific areas of risk. These might include Modulo focused on the depth of I
  T risk management, the complexity of foreign exchange risk that FireApps manages, the intricacies of commodity risk management that Triple Point Technologies excels at, the complications of operational risk management that Ci3/Wolter Kluwer delivers, and legal/compliance risk that Axentis is focusing on with their risk driven compliance theme. Resolver is another vendor of interest as it provides a risk assessment and surveying technologies that simplify risk assessment processes. Of course, there are industry specific solutions managing the range and depth of risk for particular industries – such as Algorithmics, SAS, and Oracle Financial Services Software.

The Ultimate ERM Platform is not a one-stop shop at a single vendor – today it requires integration of several technologies. Many of these solutions show great insight and are executing on robust visions to deliver the best ERM platform for the future while delivering significant value to their clients today.

Christmas (or other holiday tradition you celebrate) is upon us with its associated gift giving.  In the spirit of giving and Christmas cheer, I am delivering the beginning of a series of role-plays looking at what different risk and compliance roles would want in their Christmas stockings.

To kick this off- we will initially focus on the role of Corporate Compliance . Each subsequent week we will look at another role (see below for schedule).

To understand what Corporate Compliance desires requires an understanding of what this roles is about and its responsibilities. Unfortunately compliance, like many GRC related terms, has different heads and definitions throughout the organization.  Though Corporate Compliance is a specific role that typically reports into legal/general counsel and is focused on the the most pertinent legal/regulatory issues the organization has to comply with.  To date I have not met one Corporate Compliance Officer that is responsible for every aspect of compliance throughout the organization.  Often fragments of compliance such as SOX, privacy, information security, health and safety, and other other areas often fall outside of the Corporate Compliance area of focus.

Corporate Compliance is typically responsible for managing the most significant and highly visible legal/regulatory compliance issues such as; anti-corruption, ethics, anti-trust, employment/labor issues, etc. In the U.S. this role is centered around adherence to the U.S. Sentencing Commission Organizational Sentencing Guidelines and what is laid out as the seven elements of what a compliance program should look like.  This compliance program involves defining and maintaining policies, oversight, due diligence in hiring and access, training/communication, monitoring, investigations, and program improvement.  There is also an additioanl requirement to implement at least an annual risk analysis for potential wrongful conduct.

Again there are other view of compliance – IT, finance, audit, business operations – and they have varying but related needs to Corporate Compliance.

So when you think of the Corporate Compliance Officer/Manager this season your first desire may be to give this role the ultimate compliance platform to manage compliance content and processes.  In designing this platform, you will find that the best solutions come from a range of providers and not a single vendor.  So my Christmas Wish would be for a new platform to be developed that would integrate the following:

• Next generation policy & procedure management.  Organizations are in a complete disarray in managing corporate policies and procedures – they often are out-dated, scattered across parts of the business, and not manage consistently.  Further, the recent trend in legislation and regulatory guidance is to demonstrate training and not just attestation.  I desire a platform that is easy to use, manages the lifecycle of policies, and allows dissemination, communication and training (e.g., elearning) on these policies in a single platform.  Axentis is the best example of a platform delivering this today.  Neohapsis (former Certus) has done interesting things with a few clients. QUMAS, has the most robust policy lifecycle management but lacks the integrated eLearning component.

 

• Regulatory intelligence.  The Corporate Compliance role struggles with trying to keep abreast of a growing array of regulations, legislation, regulator findings/rulings, and case law.  The current situation is to have an army of legal professionals mining legal and regulatory sources for new developments that will impact the organization.  My desire is to see this automated. Give the Corporate Compliance role an application that allows the compliance and legal function to profile their organization, link into content providers (e.g., WestLaw, LexisNexis) and then have new developments/alerts be pushed into the application and disseminated to the appropriate person for review and analysis based on responsibility.  Compliance360 is the only company offering something close to this vision today.  Though there are some industry specific providers doing interesting things such as CompliNet andFortent in the financial services vertical. ComplianceOnline (by MetricStream) also provides a wealth of regulatory information. SAI Global is also doing some interesting things in this area, with a particular strength outside the US. Further, LRN is another provider that continues to amaze me in their thought leadership and content.

 

• Enterprise investigations management.  A struggling area of compliance is enterprise investigations – in most organizations there is no such thing as ‘enterprise’ investigations management.  This is unfortunate as organizations fail to get a grasp on the range of issues, events, incidents, wrongdoing, and complaints across the organization. Without a complete view into enterprise issues, events, and investigations an organization’s risk management and compliance strategies become handicapped.  On top of thi
  s, organizations manage investigations in home grown databases and spreadsheets which often lack any form of audit trail and non-repudiation. Consider solving this problem for corporate compliance buy giving Corporate Compliance a single enterprise investigations management platform that ties into whistle blowing/hotlines for anonymous reporting of incidents.  EthicsPoint, in my humble opinion, offers one of the best solutions on the market for managing corporate investigations across the organization with integrated hotline services. Other contenders are Axentis, QUMAS, and Archer Technologies – but lack the hotline piece of EthicsPoint. BTW – get rid of the spreadsheets, they are difficult to manage and do not have the non-repudiation needed for sensitive compliance processes.

 

• Compliance process management.  Corporate compliance today is a labor intensive and manual process.  When it is automated this typically means sending an email.  This is unfortunate given the range of process management solutions on the market.  Corporate compliance needs a compliance backbone that allows them to manage complex processes and workflow as well as content.  The most adaptable backbone for corporate compliance isArcher Technologies.  Archer is quickly moving into a broader GRC offering from a focus within IT, and has one of the most flexible and highly configurable risk and compliance solutions on the market today.  They allow for complete module customization, and even allow clients to share custom built risk and compliance process modules.  On top of this they offer modules for many of the functions I list above – policy and investigations management in particular.  There are other GRC platforms focused on process management – going beyond simple workflow – such as Mitratech, Compliance360, BWise, and MEGA.  BWise and MEGA have particularly interesting solutions that support visual process modeling.

 

• Time machine.   While compliance is focused on assuring compliance in the hear and now it often has to react to investigations, lawsuits, and regulators that want to understand the state of compliance on a given date and time.  In that case how you are compliant today is of little importance. The Department of Justice, regulator, or prosecutor wants to know how you were compliant on this day five years back.  This requires that the organization be able to demonstrate who read, was trained, and attested to a policy on a given date and time; how an investigation was handled; and how compliance was managed.  I am a Mac user and love Leopard’s Time Machine ability to go back to any date in time and see my system/files on that date.  That is what Corporate Compliance needs as well – a compliance Time Machine.  There are a few vendors delivering this today such as Compliance360and QUMAS. 

There . . . I have provided you some technical stocking stuffers for your corporate compliance department.  In the next few years we should see an integrated application that delivers all of this best in class functionality.

Corporate Integrity welcomes your comments and thoughts on this topic in our blog.  Upcoming issues of the newsletter will focus on ultimate platforms for:

• Enterprise risk management – week of 12/22/08
• Operational risk management – week of 12/29/08
• Supply-chain risk & compliance – week of 1/5/09
• Legal/general counsel – week of 1/12/09
• Corporate social responsibility – week of 1/19/09
• Audit – week of 1/26/09
• Finance/treasury – week of 2/2/09
• IT – 2/9/09
• Quality – 2/16/09
• Environmental, Health, & Safety – 2/23/09

Merry Christmas! (Yes, it is OK to say Merry Christmas),

Michael Rasmussen
President & Research Analyst

[email protected]
LinkedIn · Plaxo