Category: The GRC Pundit Blog

Thoughts from Compliance Week '09 Day 1

The GRC Pundit BlogPublished onLeave a Comment on Thoughts from Compliance Week '09 Day 1

Compliance Week remains the highlight of GRC events throughout the year. As one Tweet states at the beginning of the conference: “dougcorneliusStarting the “Davos” of compliance.”

Sure there are many events I enjoy for networking and catching up with others. However, Compliance Week is one of the few events I attend that actually stretches me intellectually. This has a lot to do with the format. I have low expectations for most conferences as vendors have invaded and product pitches remain the same. Compliance Week remains one of those conferences that holds vendors at bay and requires practitioners to present (though vendors may present alongside practitioners). Granted, there is an occasional presentation that is a poorly disguised product pitch – according to the Twitter traffic (#CW2009) this is the case with Oracle co-presented session Proactive Risk and Compliance Strategies for Uncertain Times (NOTE: I did not attend this session).
Much of the general conference discussion focused on the value of risk management and control in difficult economic times. There was also a lot of discussion taking place on Senator Schumer’s (D-NY) Bill S.1074 which would require new corporate governance standards involving a board risk committee to oversee the establishment and evaluation of risk management in the organization.
Other thoughts and perspectives I noted throughout the day . . .
  • SEC Commissioner Louis Aguilar’s opening keynote was thought provoking on The Regulatory Agenda was thought provoking. While supporting regulatory reform and a new financial regulation I also saw caution in too quickly consolidating the 5 U.S. financial regulators that are specialized and focus. Rolling things up without proper forethought may cause regulatory oversight to become too generic. How do we strike the right balance of regulatory oversight remains a common thought with me as I pondered the presentation. Consider Commissioner Aguilar’s statement “Government currently helps keep us safe from things like exploding toasters but not from disastrous mortgages.”
  • The Paisley and Computershare session Implementation Case Study—Embracing a Common, Integrated Approach to Audit, Risk and Compliance was a good overview of the value in times of economic turmoil that integrated GRC processes deliver efficiency and support collaboration. In fact, much of the conference chatter was focused on value and return from solid risk and compli
    ance processes.
  • PricewaterhouseCoopers and Schering Plough did an excellent session on privacy – Integrated Compliance Frameworks for Privacy, Security and Identity Theft Prevention. However, from my experience most corporate compliance departments do not pay enough attention to privacy. Privacy has grown in stature within many organizations, but it still plays second fiddle to other compliance and risk issues in most firms I come across. My prediction is that we will continue to see privacy compliance concerns grow over the next few years as well, as risk from litigation and brand damage, that will bring privacy to a more prominent role in corporate compliance programs. The presenters advocated a build a program to the highest common denominator – which is much like the 80/20 perspective that I have recommended in building a baseline that gets you most of the way their across jurisdictions and realize there will be some areas of the world where exceptions abound and privacy is managed differently in some aspects. PwC also promoted an integrated framework for privacy – however still more discussion needs to be had on integrating the integrated frameworks with a common backbone (or Rosetta Stone) such as OCEG’s Red Book 2.0.
  • The Starting an ERM Program from Square One session presented by Eastman Kodak was a good risk management starter kit. I would state, from the presentation, that Eastman Kodak has implemented a slightly above average ERM program. Say a 3.25 on a maturity scale of 1 to 5. The missing element is a focus on value of ERM and alignment of risk management to corporate performance management. Too many ERM programs miss the mark as they are focused on avoiding the nasty and fail to realize that organizations take risk all the time to make money. Maximizing return and optimizing corporate value is what the most mature ERM programs are about. The presentation did a good job at pointing out the drivers for ERM including: NYSE listing requirements, SEC disclosures, Standard & PoorsERM evaluations, USSC requirement for risk assessment for potential wrong doing, insurance impact, as well as fiduciary obligations.
  • The final session I attended of Day 1 was the KPMG and Office Depot session on Tone at the Top and In the Middle—Enhancing Regulatory Compliance through Your ERM Program. This was the best non-keynote session of the day. It provided the most mature view of ERM with a focus on value and impact on corporate objectives and performance. It was then brought to a practical compliance point by showing FCPA compliance through an ERM perspective.
 

Thoughts from the OCEG Leadership Council

The GRC Pundit BlogPublished onLeave a Comment on Thoughts from the OCEG Leadership Council

A Proverb states: “Where there is no guidance, a people falls, but in an abundance of counselors there is safety.”  Much of the GRC world – with its various professional stovepipes – has struggled for guidance and direction on how to effectively integrate and define common processes for Governance, Risk, & Compliance.  Sure, we have a variety of GRC related professions (e.g., legal, risk, compliance, finance, IT, audit, investigations, ethics, etc.) with their corresponding associations (many of which are superb).  The issue has been integration, communication, and collaboration between these processes to bring a sustainable, consistent, efficient, accountable, and transparent view across GRC roles and processes.

 
I am happy to communicate – we are passing the dawn of GRC inspiration into the world of GRC practicality.  The last several years we have seen the philosophy and content of GRC being defined with little practical guidance on how to implement GRC and make it efficient and effective within the organization.  Yesterday’s meeting of the Open Compliance and Ethics Group Leadership Council demonstrated significant maturity in thought leadership and practice to bring GRC to a reality in organizations.
 
Some specific highlights brought forth today in the meeting were:
  • The GRC Rosetta Stone in the OCEG Red Book 2.0.  OCEG has delivered the most comprehensive and practical process model for managing GRC and its interrelationships within business processes.  Varying roles across the organization can leverage and integrate their specific frameworks and standards into a common GRC methodology.  This provides a common framework to support collaboration, accountability, and transparency across the organization.
  • User experience and validation.  Not only has Red Book 2.0 been released, but OCEG has been hard at work building the validation framework for GRC in the Burgundy Book.  Specifically, organizations such as AON, Archer Daniels Midland, Dell, Staples, Ventura Foods, and WalMart demonstrated their measurement and use of Red Book for GRC through validation of the Burgundy Book model.
  • Upcoming release of the online GRC Directory.  OCEG announced its partnership with yours truly (Corporate Integrity, LLC) on the July release of an online directory to catalog GRC technology and service/consulting providers.  The taxonomy for the technology providers will be based around the OCEG IT Blueprint ‘Technology Arenas.’  Currently, Corporate Integrity has cataloged over 1100+ technology and service provider firms in the GRC EcoSystem that will be part of this online directory.
  • Product validation of technology vendor GRC claims.  With the OCEG GRC IT Blueprint providing practical guidance to the relevance and taxonomy of IT to support GRC business processes, OCEG also brought forth plans to have independent validation of products mapped to the GRC IT Blueprint.  This provides value to organizations looking for technology to vet vendor claims to deliver specific functionality.
  • Providing workshops and bootcamps to educate the GRC community.  To help kickstart GRC programs and initiatives – and provide common education and guidance on OCEG Red Book and other materials – OCEG announced its plans to roll out online GRC Fundamentals training as well as in person GRC Fundamental & Red Book 2.0 BootCamps.  In conjunction with OCEG, Corporate Integrity will be delivering one of the first GRC Fundamentals & Red Book 2.0 BootCamp in August.
  • Expansion of the GRC community.  With the release of the new OCEG website scheduled for late June/early July, OCEG will also be delivering online GRC communities where individuals and organizations can interact in online (as well as physical) forums around specific risk/interest, role, geography, and industry areas.
  • Globalization of OCEG.  Since its inception, OCEG has met the needs of U.S companies including large multi-national organizations operating globally.  Over the past few years OCEG has seen growing interest from around the world as it now has members in over 68 countries.  OCEG has revealed the next steps to provide for online communities that support geographies and international issues and guidance development, and is also partnering with other associations around the world to bring together a community of associations to work to bring GRC guidance to the diverse GRC roles within business. The goal is to provide an international hub of information as well as interaction with other GRC related associations and professionals.
OCEG has demonstrated strong growth over the years and continues to articulate a solid vision for GRC.  Further, it does not see itself as a one stop shop or replacing other function/role specific associations.  Instead, OCEG sees its role as a hub – a Rosetta Stone – enabling communication and collaboration across business GRC functions.  I strongly encourage organizations to look at OCEG’s thought leadership and framework, implement it in their organization, and participate in OCEG on an ongoing basis.

'Lean' GRC – Good Concept, Poor Choice of Word

The GRC Pundit BlogPublished onLeave a Comment on 'Lean' GRC – Good Concept, Poor Choice of Word

 

A recent discussion on the Corporate Integrity LinkedIN Group was started by Norman Marks when he stated: How would you go about applying Lean principles to making sure your GRC processes, organization, and systems are not only effective but efficient? 

Personally, I do not like the word ‘lean’ as an adjective for GRC. Yes, I understand lean principles for business (particularly manufacturing). From a language perspective though it leaves a negative perception of GRC – look lean up in thesaurus. Such as (references taken from Apple Mac OS X dictionary/thesaurus). . .

lean (adjective)

  • 1 a tall, lean man slim, thin, slender, spare, wiry, lanky, skinny. See note at thin . antonym fat.
  • 2 a lean harvest meager, sparse, poor, mean, inadequate, insufficient, paltry, scanty, deficient, insubstantial. antonym plentiful, abundant.
  • 3 lean times hard, bad, difficult, tough, impoverished, poverty-stricken. antonym prosperous.

or a dictionary

lean |lēn| |lin| |liːn| (adjective)

 

  • 2 (of an activity [GRC is a set of business activities] or a period of time) offering little reward, substance, or nourishment; meager : the lean winter months | keep a small reserve to tide you over the lean years.

 

Anyways, I understand the principle and what it is getting at. From that perspective, Lean GRC needs to start with an understanding of where ‘fat’ can be trimmed. This is started by conducting an assessment to determine:

 

  • # of GRC processes
  • # of GRC process owners/roles
  • # of assessments
  • # of frameworks
  • # of policies
  • # of incident/loss systems
  • # of GRC related technology
  • # of GRC related spreadsheets & documents  

 

 

Angus Passmore also had some great insight to the ‘lean’ concept’:

If the “product” as defined by the Lean Principles is considered to be the delivery of correct and validated Governance and Compliance reporting/BI, the foundation of these should be a fully structured and correctly inter-related data environment that has all the required data elements and relationships clearly defined for the total organisation that will be subject to the GRC process (The Enterprise). Having this founding structure allows an accurate tactical delivery based on a pre-defined Enterprise GRC strategy which should encompass Lean principles.

What are your thoughts?

Developing a GRC Strategic Plan

The GRC Pundit BlogPublished on1 Comment on Developing a GRC Strategic Plan
Governance, Risk, and Compliance can be confusing to understand in their individual capacities – bring them together as GRC and it can be even more confounding. GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, its culture. Ultimately, GRC is about the integrity of an organization:
  • Does the organization properly managed and have sound governance? 
  • Does the organization take risk within risk appetite and tolerance thresholds?
  • Does the organization meet its legal/regulatory compliance obligations?
  • Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?
The challenge of GRC is that each individual term – governance, risk, compliance – has varied meanings across the organization. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . the list of mandates and initiatives goes on and on.
 
It is easier to define what GRC is NOT. 
  • GRC is NOT about silos of risk and compliance operating independently of each other. 
  • GRC is NOT solely about technology – though technology plays a critical role. 
  • GRC is NOT just a label of services that consultants provide. 
  • GRC is NOT just about Sarbanes-Oxley compliance. 
  • GRC is NOT another label for enterprise risk management (ERM), although GRC encompasses ERM.
  • GRC is NOT about a single individual owning all aspects of governance, risk, and compliance. 
GRC IS a philosophy of business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It IS about collaboration and sharing of information, assessments, metrics, risks, investigations, and losses across these professional roles. GRC’s purpose IS to show the full view of risk and compliance and identify interrelationships in today’s complex and distributed business environment. GRC IS a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve sustainability, consistency, efficiency, accountability, and transparency across the organization.
 
GRC is a three-legged stool: governance, risk, and compliance are all necessary to effectively manage and steer the organization. In summary – good governance can only be achieved through diligent risk and compliance management. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind — GRC aligns them to be more efficient and manageable. Inefficiencies, errors, and potential risks can be identified, averted, or contained, reducing exposure of the organization and ultimately creating better business performance.
 
Governance, risk, and compliance are diverse and complex with their individual intricacies and issues ready to frustrate the organization. Organizations that attempt to build a GRC strategy with home-grown solutions, spreadsheets, or islands of technology not built to meet a range of needs are left in the dark and boxed into a view of the world that they will find limiting down the road. 
 
The current business environment requires a new paradigm and approach to GRC – requiring a common framework, integrated processes, and platform that span across the organization and its individual risk and compliance issues.  This is brought together in a GRC strategy ready to take the tackle issues at their roots through core GRC processes that are leveraged across the organization.
 
A company’s strategy for GRC success starts with a simple five-step plan. This plan draws on the lessons learned from Corporate Integrity working with a numerous large corganizations around the world with complex business operations and relationships. Here are the steps that prepare you to deliver a sustainable GRC program:
  1. Identify the interrelated processes, problems, & issues. An understanding of the scope of GRC issues, processes, technology, and requirements is the beginning. Organizations should start with a survey assessment aimed at identifying and cataloging the number of processes, technologies, methodologies, and frameworks used for risk and compliance across all business operations. This assessment is best aligned with the OCEG Red Book 2.0 Capability Model.
  2. Establish GRC program goals and objectives. Once the organization has identified the scope of GRC across the organization it can establish the goals needed to achieve GRC. This starts with establishing a vision and mission statement for GRC that the goals stem from. Central to these goals will be a determination on GRC program structure – centralized, federated, or some form of deliberate but ad hoc collaboration. This structure will determine many other goals – particularly the consistent and relevant use of technology.
  3. Develop your short term strategy for fulfilling GRC requirements. With your goals in mind, identify the “quick wins” that will demonstrate GRC success and improvement. Aim for tackling the items that immediately show a return to the organization and build greater buy-in to the GRC strategy across business operations. This short-term plan should not be longer than 12 months.
  4. Conduct a comprehensive organizational risk assessment. Part of the short-term plan should be a detailed risk assessment that provides a common framework and catalog of corporate risks across GRC management silos. This risk assessment is used to further identify and feed into the long-term comprehensive GRC strategy to help the organization better understand, manage, and monitor risk exposure. 
  5. Provide a comprehensive action plan. With the short-term plan in place – focused on the easy wins and pr
    ocess improvement – the organization can begin working on the long-term strategic plan that develops a comprehensive GRC strategy focused on process improvement. The harder and more challenging components of GRC should be brought into this plan. This plan is optimal when it covers a three-to-five year period.
Further advice . . . prioritization of risk and compliance activities needs to be decided at an enterprise level. This can be difficult as silos of risk and compliance can function buried within different functions of the business. To overcome this and facilitate a top-down approach, a sustainable GRC strategy requires that the organization get executive buy-in and support. This provides endorsement of the effort and overcomes obstacles of silos wanting to work independently and do things their own way.
 
One thing is a certain – risk and compliance burdens are not going away. Government regulators continue to influence control upon organization practices through tighter regulation. Business partners are requiring stronger controls within their relationships. The globalization of business introduces significant risk with more points of vulnerability and exposure to the organization. The time is now for organizations to define and implement a sustainable GRC strategy that drives sustainability, consistency, efficiency, accountability, security, and transparency of GRC across the organization.

Streamlining Compliance

The GRC Pundit BlogPublished onLeave a Comment on Streamlining Compliance
Organizational exposure to compliance risk is rising while the cost of compliance soars. Additionally, the ad hoc, reactive approach to compliance brings complexity, forcing business to be less agile. Organizations typically address compliance as singular issues and obligations; as a result they have multiple initiatives working in isolation to respond to each regulatory requirement. These isolated compliance initiatives tend to rely on manual processes burdened with costly assessments managed through spreadsheets, often proving costly and unreliable. This modus operandi is not proactive and makes it difficult to adapt to new regulatory requirements while increasing pressure and anxieties on management, employees, and business relationships. 
 
Without a holistic and streamlined view of compliance, organizations will continue to be burdened with the data overload and complexity of compliance data for management reporting. Organizations need complete visibility into a portfolio of compliance obligations spread across distributed, complex business processes and relationships. 
 
Compliance management is ultimately about maintaining oversight and control of business processes, transactions, relationships, and information. Organizations are beginning to provide an integrated view across specific compliance requirements that roll up into a broader compliance management program. 
 
Success in compliance management begins with a strategy – how to effectively manage compliance across the organization. Ultimately, the organization needs to identify and prioritize major risks resulting from regulatory mandates as well as maintain oversight and control over business processes to mitigate these risks. This requires the organization to deploy an infrastructure and supporting processes that deliver real-time compliance transparency across the business and its relationships. A streamlined compliance architecture is one in which accountability and compliance are effectively managed and the business has a system of record to understand and manage the diverse complexity of compliance issues.
 
By integrating a common regulatory and control framework with other business applications, an organization can deliver automation in control monitoring and remediation processes. This integration results in efficiency of controls and minimizing the time between the occurrence of an issue (control failure, fraud incident, etc.) and its identification, thus reducing overall risk and minimizing future issues. It allows issues to be detected quickly and dealt with in a timely manner, and provides better visibility on compliance risks across different mandates and methods of mitigation. Failures can be treated individually as well as aggregated to track areas of weakness and to implement remediation more efficiently. 
 
The outcome is an organization delivering streamlined compliance management through control optimization that enables and does not encumber corporate performance.
 
This blog post is the Executive Summary to my latest piece of research (commissioned by SAP), Foundations of GRC:  Streamlining Compliance

Response to Lumigent's "GRC Starts With C"

The GRC Pundit BlogPublished onLeave a Comment on Response to Lumigent's "GRC Starts With C"

John Capobianco, CEO of Lumigent, recently published “GRC Starts with ‘C’” commentary. While there is much to be admired about Lumigent’s messaging and awareness campaign of application GRC – I found this particular post to be misguided.

 
The thrust of the message, as I understand it, is to reduce cost by tackling the C element (Compliance) before focusing on the G (Governance) and R (Risk). The truth is that this is not as simple nor practical as it appears.
 
The first thought that came to mind is that this is a bottoms up approach and essentially can lead to more reactive stovepipes within the organization instead of a streamlined approach to compliance and risk. Too many organizations see a compliance issue and try to solve it without thinking holistically and figure out how they can leverage controls and reduce risk with a common architecture. The bottoms up approach can lead to many bottoms or foundations because the governance of compliance and collaboration are not approached. I expect that Lumigent agrees with me on this point – however it was not brought out clearly in the article.
The logic is missing as the article recommends starting with the greatest point of pain which would require some understanding of the various points of pain within the organization and awareness of risk and economic cost these points of pain bring. My gut reaction was that Lumigent is carelessly promoting a shoot from the hip approach assuming compliance is the greatest issue the company faces and with that no thought on how to measure and approach even compliance at a strategic level.
 
The second reaction was that you cannot ignore the G and R and think C can be tackled independently. Compliance is being driven by the G and R. The United States Sentencing Commission promotes an annual risk assessment for potential wrong doing in its compliance guidelines. Much of the world, and with that recent approaches to U.S. regulations such as SOX, are going towards a principles-based approach to compliance. This requires a risk-based approach to compliance to identify how the organization is going to be compliant. We see this in a lot of compliance wording such as a top-down approach to compliance. Further, much of compliance is not prescriptive – there is interpretation as to how any specific organization should be compliant. This requires that the C in GRC work with the R to even define how the organizations will comply.
 
My final reaction is that the G (governance) and with that corporate culture is integral to compliance. There are issues of social responsibility/accountability, culture, ethics, and code of conduct that determine how an organization defines, manages, and maintains compliance. It is governance that also drives risk and sets the risk tolerance and appetite levels which also impact compliance. You can have two organizations within the same industry (same regulations) and have very different controls and approach to compliance because of different governance cultures.
 
The GRC acronym, as I first used it to define this market and how to approach an integrated process and collaboration, was not haphazardly put together. What Lumigent proposes would leave one to believe that the C really is independent of the G and R and can stand on its own two feet. The reality is that the G, R, and C are each a leg on a three-legged stool that crumbles in inefficiency and wasted resources when separated from each other. To achieve the economies that Lumigent is encouraging requires that an organization develop a common architecture for GRC and think collaboratively across issue and process areas. From there an organization can understand where its greatest risks are, including economic burdens and inefficiency, to tackle first.
 

Mutli-Perspective Risk Analysis

The GRC Pundit BlogPublished onLeave a Comment on Mutli-Perspective Risk Analysis

 

Unfortunately, organizations get locked into a static view of risk analysis and management.They are overly focused on heat maps generated from fairly static risk assessment processes. The era of SOX and control self-assessments has propagated this further.Organizations have often ended up with an enterprise risk management program that is nothing more than SOX and financial controls on steroids with little perspective of true enterprise risk management.

To manage and assess risk – whether at the enterprise level, or within specific business functions and processes – requires an individual to think outside of the box.There are ‘black swans’ (the completely unexpected) but there are many risks realized that should never be black swans and are just a failure in the organization to get a 360-degree perspective on risk.

When risk management becomes mundane and routine an organization ‘risks’ that their risk management may be ineffective.A simple two-dimensional view of risk (like that of a heat map) can easily lull an organization into thinking they are managing risk and be caught off guard.Particularly if the risk taxonomy and assessment process is static and does not provide for new inputs. Do not get me wrong – heat maps have their purpose but alone are not enough.

Look at the room around you.If you take a picture of the room you get one perspective.If you take a thermal image you get another.If you take an X-ray you get still another perspective.

Consider going to the doctor because something is ailing you.The doctor most likely will do a physical exam, might order some blood tests, and perhaps even do an MRI or some other investigatory procedure.

I remember evaluating a so-called ‘risk management’ platform from one of the leading software vendors in the industry and was shocked to find that it was a replacement for spreadsheets for risk questionnaires/assessments and nothing more.Specifically, it had no loss/event history.How does an organization begin to model risk and identify likelihood if it does not have any clue into the issues, events, incidents, losses, and investigations impacting the risk area?The vendor provided a beautiful heat map – but the information behind it was pure speculation from just a few inputs.

To manage risk effectively in an organization requires multiple inputs and methods of modeling and analyzing risks.This requires information gathering – risk intelligence – so that the organization can have a full perspective of risk and make ‘wise’ decisions (something more than just intelligence gathered from information overload delivers).

Effective risk management involves gathering multiple perspectives of risk information to enhance risk analysis.This includes gathering risk intelligence from the . . .

 

  • External perspective.Monitoring the external environment for geo-political, environmental, competitive, economic, regulatory/legal and other risk intelligence sources.
  • Internal perspective.Evaluating the internal environment of controls, audits, assessments, issues, events, incidents, corporate performance and risk indicators, and other internal data points.

 

Visualization of risk from multiple angles becomes important.Good risk management involves taking external and internal perspectives and modeling risk in relational diagrams, decision trees, heat maps, or even quantitative models involving monte carlo or value/capital at risk simulations.

As organizations build enterprise, operational, or other risk management programs it is important that they build this 360-degree multi-perspective risk analysis framework that allows an organization to think outside the box and look at risk from a variety of perspectives.

Risk & Regulatory Intelligence (or should it be Wisdom)?

The GRC Pundit BlogPublished onLeave a Comment on Risk & Regulatory Intelligence (or should it be Wisdom)?
Intelligence and wisdom . . . we have seen these words bantered around quite a bit. While the market seems to be eager to grasp onto the phrase ‘risk intelligence’ it means nothing if corporations do not know what to do with the knowledge that intelligence brings them. There are ignorant individuals and organizations that acquire a lot of knowledge but fail to apply this to good business decisions. Wisdom requires intelligence/knowledge. Though, as Martin Luther stated – “All our experience with history should teach us, . . . how badly human wisdom is betrayed when it relies on itself” relying on ones own ‘wisdom’ is also a recipe for disaster.” – Proverbs tells us “Without counsel plans fail, but with many advisers they succeed.” (ESV, Proverbs 15:22) Wisdom ultimately comes when one considers multiple angles of looking at possibilities.
 
Organizations are in a complex environment of risk. They suffer from both internal risks as well as external. The legal and regulatory environment further adds to internal and external risks to monitor and be aware of. When the organization approaches risk and compliance in scattered silos that do not collaborate with each other there is no possibility to be intelligent, let alone wise, about risk decisions that could impact business strategy.
 
The challenge is for organizations to develop processes to harness internal and external information to be intelligent about their risk and regulatory environments so they can make wise business decisions. This involves gathering information from the internal environment such as:
  • Losses. What has the historical trends and patterns been of loss to the organization?
  • Issues/events. What events, issues, incidents, investigations has the organization undergone?
  • Success & performance. Where has the organizational been surprisingly successful in seasoning opportunities and creating value?
  • Controls. What is the state of controls in the environment? Are they effective?
  • Policies. Does the organization have adequate policies and procedures? Are they current and up to date? Do responsible parties understand them?
  • Risk appetite. Is the organization taking on too much risk or to little risk?
  • Risk management. Is the risk taken adequately monitored and managed?
  • Compliance. Are compliance obligations being met? Are there issues with law enforcement or regulators?
  • Culture. Do employees understand and subscribe to the corporate ethics and code of conduct?
  • Business relationships. Is there unwarranted risk, unacceptable values/ethics, or issues with compliance across 3rd party business relationships?
Over the years, many organizations have matured in their view of internal risk intelligence issues. However, external environment issues remain very broken processes. To date external risks are managed in a very ad hoc way with little accountability and oversight – if at all. Within legal and compliance it is not uncommon to have a myriad of legal professionals doing ad hoc monitoring of legal developments and compliance requirements and emailing parties of interest to developments with little to no follow-up.
 
Risk and regulatory intelligence of the external environment includes:
  • Legal monitoring. Monitoring of new case law, regulations, and pending legislation to predict the readiness of the organization to meet new requirements.
  • Geo-political risks. Monitoring of countries around the world that the organization has operations in or does business with to determine events that could have a positive or negative impact on the business. This includes civil unrest, terrorism, new laws, business dealings, etc.
  • Environmental. Monitoring environmental predictions and threats of natural or man-made events that could impact the organization (e.g., tornados, hurricanes, earthquakes, volcanoes, mass virus/disease).
  • Hostile threats and vulnerabilities/exposure. Monitoring of individuals, organizations, and governments who may act hostilely toward the organization as well as looking for vulnerabilities and exposure of the organization to threats.
  • Financial risks. Monitoring of the capital markets and areas such as foreign exchange rates and commodities so the organization can capture return/opportunity while mitigate/control loss. This allows for proper hedging.
  • Competitive environment. Monitoring what competitors are doing and evaluating their product, service, marketing, sales, financial, and partnering performance.
To be risk and regulatory intelligent, and from there to make wise decisions, requires a process to intake information, track accountability of who needs to act on it, and model/measure potential impact on the organization.
 
Corporate Integrity is monitoring the integration and expansion of many GRC systems/technologies that are being used to intake risk and regulatory information, weed through irrelevant information, and route critical information to specific individuals responsible for making a decision on the particular issue. This at a minimum requires workflow and process management capabilities, but in more mature systems provides direct integration with content/information aggregators in which the organization is profiled and relevant new developments are routed right to specific individuals responsible for evaluating that area.

Thoughts from the Archer National Summit

The GRC Pundit BlogPublished onLeave a Comment on Thoughts from the Archer National Summit

As a risk and compliance (GRC) pundit one gets invited to a lot of conferences. Some, like Compliance Week, are particularly interesting as the format, content, and high-level audience remains engaging year after year. Typically, technology vendor conferences are dull and mundane – Archer’s National Summit held last week in Orlando, Florida is a surprising exception.

 
What makes Archer different?
 
First and foremost is their ability to build a community. Over the course of the last several years I have attended this conference off and on (participated as a speaker in a few). I have been interested as they attract a solid audience, some senior executives as well as individuals down in the trenches. What is surprising is the consistency in attendance as well as growth year over year. This year Archer’s attendance grew when everyone else is seeing declines with the economy.
 
Community is at the core of what Archer is about. I remember one visit to Kansas City (Archer’s headquarters) when the CEO of Archer, Jon Darbyshire, gave me a book “Hug Your Customer.” He told me this is what Archer is about – servicing the client. Archer has done this in such away that many others should take note of. They have a business environment in which customers feel part of the Archer team. Customer involvement in development, enhancement, and expansion of the Archer platform is critical. In fact, Archer clients appear as if they have a sense of ownership and pride in the platform. The entire summit was built around client’s sharing their use and experience of the Archer platform and requesting enhancements.
 
Archer has carried this further than their conference. Their online portal called the Archer Exchange mirrors what Salesforce.com delivers with their AppExchange. This is a place where Archer customers and partners can share the process modules and content they have built on the Archer platform with each other. It gives them a sense of contribution and ownership into the platform that I have not seen with other GRC vendors.
 
I also was quite surprised at the amount of enterprise GRC, risk, and compliance issues brought forth in customer discussions at the conference. Archer has historically been an IT/information risk and compliance platform – but has rapidly expanded into enterprise GRC over the past two years. While they have been growing in this area, I was not ready for the volume and dominance of enterprise GRC (not IT specific) client content at the conference. It is very impressive how rapidly Archer is advancing in the enterprise GRC space. They particularly are well adept at entering through IT and expanding across the business.
 
The other item of note is the continued revelation of the flexibility of their platform to adapt to manage any complex or obscure process. They have a highly customizable/configurable solution that allows any normal business user to quickly architect a data model, workflow, and process for risk and compliance. Discussing use of Archer with some of their clients revealed that some clients have developed dozens of custom GRC processes on the Archer platform (some of these being made available on the Archer Exchange for other clients).
 
My two cents . . .
  • Archer is growing and becoming a formidable player in the enterprise GRC space. Other GRC vendors are taking note and becoming concerned.
  • Archer is specifically good at building brand loyalty through developing a community environment for its users.
  • Archer’s platform is one of the most adaptable platforms to tailor to GRC processes that I have seen – though they lack some advanced/niche features in some areas like complex risk modeling (e.g.,, monte carlo, value at risk) that a few GRC vendors have.

Ultimate Legal Management Platform

The GRC Pundit BlogPublished onLeave a Comment on Ultimate Legal Management Platform

Legal – the last (OK, perhaps I should state latest) technology frontier – to boldly go where no one has embraced technology before. So it would appear to an observer of the average corporate legal department. Corporate attorneys have been technology agnostics not willing to give up their legal pads and pens in exchange for process efficient technology.

Times are changing. Lawyers have been forced to embrace technology and understand it in more detail with the advent of electronic discovery requirements (e.g., Federal Rules of Civil Procedure). This has caused many a lawyer to get over their severe case of techphobia and come to understand that technology can really improve the performance and governance of the corporate legal department. Inside counsel is now becoming tech savvy and willing to embrace technology to improve business legal processes that have historically been very manual and paper-based.

Corporate Integrity sees a new evolution of legal management software that embraces a holistic view of legal process management. Currently, the market is comprised of several dozen software vendors focusing on specific legal functions. The future will show a few of these vendors successfully creating a solution that manages legal processes in an integrated platform. The goal: to bring sustainability, consistency, efficiency, transparency, and accountability to legal process management.

The legal process management market (part of the GRC – Governance, Risk, and Compliance – Market) incorporates the following components:

  • Discovery Management is a recent solution area that evolved out of the hailstorm of eDiscovery solutions in response to the revised Federal Rules of Civil Procedure in the United States. These platforms assist in managing the accountability, documentation, and process/workflow of fulfilling discovery requests. In one sense they are a natural extension of matter management platforms. Leading discovery process management solutions include Bridgeway, Exterro, Mitratech, and PSS Systems.
  • Contract Management solutions manage the contracting process from a legal perspective in assisting in the writing, review, modification, negotiation, execution, and archiving of all legal contracts and obligations of the company. Legal contract management platforms that have had broader adoption in corporate legal departments include Compliance 360, EAG CaseTrack, Emptoris, Mitratech, and Selectica. Archer Technologies and Axentis have also been deployed for contract management – but have not seen the same level of traction within corporate legal departments.
  • Hotline/Whistleblower are more than a technology platform as they end up being a service to provide for reporting of incidents (many times anonymously) via the web or telephone hotline. Leading vendors in the hotline and whistleblower space include Allegiance, EthicsPoint, Global Compliance, and The Network. Several of these solutions also offer enterprise investigations management as a platform as well.
  • Board & Entity Management delivers a solution for the corporate secretary (typically in legal) to manage board papers, communications, and corporate reports/filings. This includes features for board calendaring and scheduling as well as documenting legal entities, structure, relationships, assets, and responsible parties (Executives, Directors). Vendors in this area include BoardVantage, Bridgeway, BWise, Computershare, CSC, ICSA, Mitratech, SAI Global, and CT Wolters Kluwer.
  • Policy & Procedure Management involves a platform for defining, communicating, provide training, managing, and archiving of corporate policies, procedures, ethics, and code of conduct. Solutions in this space provide a central repository for managing the policy lifecycle. Vendors include Archer Technologies, Axentis, BWise, Compliance 360, Mitratech, OpenPages, QUMAS, and SAI Global. However, not all of these vendors offer the same features. Axentis offers the easiest to use – but complete – policy and procedure management solution. Archer Technologies, Axentis, and Compliance 360 can deliver training modules within their platforms. Mitratech just offers the management of policy lifecycles – but not the communication component.
  • Training Solutions offer a wide range of legal, ethics, and regulatory training modules to be delivered in other GRC platforms (such as Policy & Procedure Management) or eLearining solutions. Vendors such as Corpedia, Global Compliance, Integrity Interactive, LRN, and SAI Global offer training solutions in this area.
  • Legal Risk Management & Analysis solutions are designed for defining, managing, modeling, and monitoring legal and compliance risks in the enterprise. This is a relatively new area for technology solutions and is best done with solutions that support decision tree risk modeling to help an organization analyze legal scenarios and outcomes. Solutions focused on this capability include Mitratech and Riskonnect. Amenaza is another vendor but has not focused on the legal market.
  • Compliance Management involves a platform for documenting requirements (laws, regulations, contractual), mapping them to corporate controls and policies, and providing for the assessment and reporting on the state of compliance. There is a wide range of vendors offering compliance management solutions – many of which grew out of the Sarbanes Oxley/financial controls space such as OpenPages and Paisley. Vendors that have shown particular traction within legal departments for managing compliance include Axentis, Compliance 360, QUMAS, Mitratech, and SAI Global. Other vendors offering compliance management – but do not have demonstrated traction within legal – are Archer Technologies< /span>, BWise, and MetricStream.
  • Legal & Regulatory Intelligence is a particular feature set embedded in legal process management solutions that deliver efficiency and accountability in monitoring changes in laws, regulations, legislation, and court rulings that could impact the company. The leading innovator in this area is Compliance 360 as their solution profiles regulatory and legal interests and directly integrates with Lexis Nexis and Thomson Westlaw and routes new legal developments into a process flow. Mitratech has capabilities in this area as well. Axentis is doing similar management of the accountability and evaluation process – but does not have the integration with content providers. Corporate Integrity fully expects that Lexis Nexis, LRN, SAI Global, Thomson, and Wolters Kluwer will be building out solutions in this area to further leverage their content.
  • 3rd Party Compliance Management involves platforms for communicating ethics, code of conduct, and policies across an organizations 3rd party and supply-chain relationships. Some of these platforms go further into managing self-assessments and audits of the vendors as well. Most companies buying solutions in this space seek a Software as a Service (Saas)/hosted platform for easy accessibility by 3rd party business relationships. Leading vendors in this space include Archer Technologies, Axentis, Compliance 360, and Integrity Interactive.
  • Corporate Social Responsibility Management is a relatively new space of technology that is just emerging. While there are platforms out there for managing CSR – particularly from an environmental perspective such as Equilibrium – not many platforms have targeted the legal and corporate secretary role in CSR. However, some vendors that have engaged with legal are seeing their platforms retooled for CSR purposes led from the legal department. These vendors include Archer Technologies and Compliance 360.
  • Information Management consists of applications for identifying and cataloging information assets across the organization. This category would focus on sensitive corporate information (e.g., personal information, corporate records, and even intellectual property) and catalog its location, controls, and policies. Archer Technologies is an example of a vendor that operates in this space.
  • Intellectual Property Management consists of applications for cataloging intellectual property across the organization including includes ownership rights, regulatory requirements as well as renewal dates, governmental correspondences, and filing status. The focus of this area is on intellectual property (e.g., patents, trademarks, copyrights) and has vendors such as Anaqua, Cognocys, and IPDOX.

The legal process management has many niches – as illustrated above. The begging question – who does it all? Answer: simply no one. Though there are a few notables that provide a fairly complete enterprise legal process management platform. Mitratech and Compliance 360 are providing very complete platforms – but from different angles. Mitratech grew out of the matter management area and has expanded rapidly into other areas. Compliance 360 grew out of the corporate compliance function within legal (initially within healthcare and insurance) and has been expanding out. Other vendors appear to be aggressively focusing on the corporate legal department and providing an end to end solution – these include Archer Technologies, SAI Global, and Wolters Kluwer.