Category: The GRC Pundit Blog

Response to Lumigent's "GRC Starts With C"

The GRC Pundit BlogPublished onLeave a Comment on Response to Lumigent's "GRC Starts With C"

John Capobianco, CEO of Lumigent, recently published “GRC Starts with ‘C’” commentary. While there is much to be admired about Lumigent’s messaging and awareness campaign of application GRC – I found this particular post to be misguided.

 
The thrust of the message, as I understand it, is to reduce cost by tackling the C element (Compliance) before focusing on the G (Governance) and R (Risk). The truth is that this is not as simple nor practical as it appears.
 
The first thought that came to mind is that this is a bottoms up approach and essentially can lead to more reactive stovepipes within the organization instead of a streamlined approach to compliance and risk. Too many organizations see a compliance issue and try to solve it without thinking holistically and figure out how they can leverage controls and reduce risk with a common architecture. The bottoms up approach can lead to many bottoms or foundations because the governance of compliance and collaboration are not approached. I expect that Lumigent agrees with me on this point – however it was not brought out clearly in the article.
The logic is missing as the article recommends starting with the greatest point of pain which would require some understanding of the various points of pain within the organization and awareness of risk and economic cost these points of pain bring. My gut reaction was that Lumigent is carelessly promoting a shoot from the hip approach assuming compliance is the greatest issue the company faces and with that no thought on how to measure and approach even compliance at a strategic level.
 
The second reaction was that you cannot ignore the G and R and think C can be tackled independently. Compliance is being driven by the G and R. The United States Sentencing Commission promotes an annual risk assessment for potential wrong doing in its compliance guidelines. Much of the world, and with that recent approaches to U.S. regulations such as SOX, are going towards a principles-based approach to compliance. This requires a risk-based approach to compliance to identify how the organization is going to be compliant. We see this in a lot of compliance wording such as a top-down approach to compliance. Further, much of compliance is not prescriptive – there is interpretation as to how any specific organization should be compliant. This requires that the C in GRC work with the R to even define how the organizations will comply.
 
My final reaction is that the G (governance) and with that corporate culture is integral to compliance. There are issues of social responsibility/accountability, culture, ethics, and code of conduct that determine how an organization defines, manages, and maintains compliance. It is governance that also drives risk and sets the risk tolerance and appetite levels which also impact compliance. You can have two organizations within the same industry (same regulations) and have very different controls and approach to compliance because of different governance cultures.
 
The GRC acronym, as I first used it to define this market and how to approach an integrated process and collaboration, was not haphazardly put together. What Lumigent proposes would leave one to believe that the C really is independent of the G and R and can stand on its own two feet. The reality is that the G, R, and C are each a leg on a three-legged stool that crumbles in inefficiency and wasted resources when separated from each other. To achieve the economies that Lumigent is encouraging requires that an organization develop a common architecture for GRC and think collaboratively across issue and process areas. From there an organization can understand where its greatest risks are, including economic burdens and inefficiency, to tackle first.
 

Mutli-Perspective Risk Analysis

The GRC Pundit BlogPublished onLeave a Comment on Mutli-Perspective Risk Analysis

 

Unfortunately, organizations get locked into a static view of risk analysis and management.They are overly focused on heat maps generated from fairly static risk assessment processes. The era of SOX and control self-assessments has propagated this further.Organizations have often ended up with an enterprise risk management program that is nothing more than SOX and financial controls on steroids with little perspective of true enterprise risk management.

To manage and assess risk – whether at the enterprise level, or within specific business functions and processes – requires an individual to think outside of the box.There are ‘black swans’ (the completely unexpected) but there are many risks realized that should never be black swans and are just a failure in the organization to get a 360-degree perspective on risk.

When risk management becomes mundane and routine an organization ‘risks’ that their risk management may be ineffective.A simple two-dimensional view of risk (like that of a heat map) can easily lull an organization into thinking they are managing risk and be caught off guard.Particularly if the risk taxonomy and assessment process is static and does not provide for new inputs. Do not get me wrong – heat maps have their purpose but alone are not enough.

Look at the room around you.If you take a picture of the room you get one perspective.If you take a thermal image you get another.If you take an X-ray you get still another perspective.

Consider going to the doctor because something is ailing you.The doctor most likely will do a physical exam, might order some blood tests, and perhaps even do an MRI or some other investigatory procedure.

I remember evaluating a so-called ‘risk management’ platform from one of the leading software vendors in the industry and was shocked to find that it was a replacement for spreadsheets for risk questionnaires/assessments and nothing more.Specifically, it had no loss/event history.How does an organization begin to model risk and identify likelihood if it does not have any clue into the issues, events, incidents, losses, and investigations impacting the risk area?The vendor provided a beautiful heat map – but the information behind it was pure speculation from just a few inputs.

To manage risk effectively in an organization requires multiple inputs and methods of modeling and analyzing risks.This requires information gathering – risk intelligence – so that the organization can have a full perspective of risk and make ‘wise’ decisions (something more than just intelligence gathered from information overload delivers).

Effective risk management involves gathering multiple perspectives of risk information to enhance risk analysis.This includes gathering risk intelligence from the . . .

 

  • External perspective.Monitoring the external environment for geo-political, environmental, competitive, economic, regulatory/legal and other risk intelligence sources.
  • Internal perspective.Evaluating the internal environment of controls, audits, assessments, issues, events, incidents, corporate performance and risk indicators, and other internal data points.

 

Visualization of risk from multiple angles becomes important.Good risk management involves taking external and internal perspectives and modeling risk in relational diagrams, decision trees, heat maps, or even quantitative models involving monte carlo or value/capital at risk simulations.

As organizations build enterprise, operational, or other risk management programs it is important that they build this 360-degree multi-perspective risk analysis framework that allows an organization to think outside the box and look at risk from a variety of perspectives.

Risk & Regulatory Intelligence (or should it be Wisdom)?

The GRC Pundit BlogPublished onLeave a Comment on Risk & Regulatory Intelligence (or should it be Wisdom)?
Intelligence and wisdom . . . we have seen these words bantered around quite a bit. While the market seems to be eager to grasp onto the phrase ‘risk intelligence’ it means nothing if corporations do not know what to do with the knowledge that intelligence brings them. There are ignorant individuals and organizations that acquire a lot of knowledge but fail to apply this to good business decisions. Wisdom requires intelligence/knowledge. Though, as Martin Luther stated – “All our experience with history should teach us, . . . how badly human wisdom is betrayed when it relies on itself” relying on ones own ‘wisdom’ is also a recipe for disaster.” – Proverbs tells us “Without counsel plans fail, but with many advisers they succeed.” (ESV, Proverbs 15:22) Wisdom ultimately comes when one considers multiple angles of looking at possibilities.
 
Organizations are in a complex environment of risk. They suffer from both internal risks as well as external. The legal and regulatory environment further adds to internal and external risks to monitor and be aware of. When the organization approaches risk and compliance in scattered silos that do not collaborate with each other there is no possibility to be intelligent, let alone wise, about risk decisions that could impact business strategy.
 
The challenge is for organizations to develop processes to harness internal and external information to be intelligent about their risk and regulatory environments so they can make wise business decisions. This involves gathering information from the internal environment such as:
  • Losses. What has the historical trends and patterns been of loss to the organization?
  • Issues/events. What events, issues, incidents, investigations has the organization undergone?
  • Success & performance. Where has the organizational been surprisingly successful in seasoning opportunities and creating value?
  • Controls. What is the state of controls in the environment? Are they effective?
  • Policies. Does the organization have adequate policies and procedures? Are they current and up to date? Do responsible parties understand them?
  • Risk appetite. Is the organization taking on too much risk or to little risk?
  • Risk management. Is the risk taken adequately monitored and managed?
  • Compliance. Are compliance obligations being met? Are there issues with law enforcement or regulators?
  • Culture. Do employees understand and subscribe to the corporate ethics and code of conduct?
  • Business relationships. Is there unwarranted risk, unacceptable values/ethics, or issues with compliance across 3rd party business relationships?
Over the years, many organizations have matured in their view of internal risk intelligence issues. However, external environment issues remain very broken processes. To date external risks are managed in a very ad hoc way with little accountability and oversight – if at all. Within legal and compliance it is not uncommon to have a myriad of legal professionals doing ad hoc monitoring of legal developments and compliance requirements and emailing parties of interest to developments with little to no follow-up.
 
Risk and regulatory intelligence of the external environment includes:
  • Legal monitoring. Monitoring of new case law, regulations, and pending legislation to predict the readiness of the organization to meet new requirements.
  • Geo-political risks. Monitoring of countries around the world that the organization has operations in or does business with to determine events that could have a positive or negative impact on the business. This includes civil unrest, terrorism, new laws, business dealings, etc.
  • Environmental. Monitoring environmental predictions and threats of natural or man-made events that could impact the organization (e.g., tornados, hurricanes, earthquakes, volcanoes, mass virus/disease).
  • Hostile threats and vulnerabilities/exposure. Monitoring of individuals, organizations, and governments who may act hostilely toward the organization as well as looking for vulnerabilities and exposure of the organization to threats.
  • Financial risks. Monitoring of the capital markets and areas such as foreign exchange rates and commodities so the organization can capture return/opportunity while mitigate/control loss. This allows for proper hedging.
  • Competitive environment. Monitoring what competitors are doing and evaluating their product, service, marketing, sales, financial, and partnering performance.
To be risk and regulatory intelligent, and from there to make wise decisions, requires a process to intake information, track accountability of who needs to act on it, and model/measure potential impact on the organization.
 
Corporate Integrity is monitoring the integration and expansion of many GRC systems/technologies that are being used to intake risk and regulatory information, weed through irrelevant information, and route critical information to specific individuals responsible for making a decision on the particular issue. This at a minimum requires workflow and process management capabilities, but in more mature systems provides direct integration with content/information aggregators in which the organization is profiled and relevant new developments are routed right to specific individuals responsible for evaluating that area.

Thoughts from the Archer National Summit

The GRC Pundit BlogPublished onLeave a Comment on Thoughts from the Archer National Summit

As a risk and compliance (GRC) pundit one gets invited to a lot of conferences. Some, like Compliance Week, are particularly interesting as the format, content, and high-level audience remains engaging year after year. Typically, technology vendor conferences are dull and mundane – Archer’s National Summit held last week in Orlando, Florida is a surprising exception.

 
What makes Archer different?
 
First and foremost is their ability to build a community. Over the course of the last several years I have attended this conference off and on (participated as a speaker in a few). I have been interested as they attract a solid audience, some senior executives as well as individuals down in the trenches. What is surprising is the consistency in attendance as well as growth year over year. This year Archer’s attendance grew when everyone else is seeing declines with the economy.
 
Community is at the core of what Archer is about. I remember one visit to Kansas City (Archer’s headquarters) when the CEO of Archer, Jon Darbyshire, gave me a book “Hug Your Customer.” He told me this is what Archer is about – servicing the client. Archer has done this in such away that many others should take note of. They have a business environment in which customers feel part of the Archer team. Customer involvement in development, enhancement, and expansion of the Archer platform is critical. In fact, Archer clients appear as if they have a sense of ownership and pride in the platform. The entire summit was built around client’s sharing their use and experience of the Archer platform and requesting enhancements.
 
Archer has carried this further than their conference. Their online portal called the Archer Exchange mirrors what Salesforce.com delivers with their AppExchange. This is a place where Archer customers and partners can share the process modules and content they have built on the Archer platform with each other. It gives them a sense of contribution and ownership into the platform that I have not seen with other GRC vendors.
 
I also was quite surprised at the amount of enterprise GRC, risk, and compliance issues brought forth in customer discussions at the conference. Archer has historically been an IT/information risk and compliance platform – but has rapidly expanded into enterprise GRC over the past two years. While they have been growing in this area, I was not ready for the volume and dominance of enterprise GRC (not IT specific) client content at the conference. It is very impressive how rapidly Archer is advancing in the enterprise GRC space. They particularly are well adept at entering through IT and expanding across the business.
 
The other item of note is the continued revelation of the flexibility of their platform to adapt to manage any complex or obscure process. They have a highly customizable/configurable solution that allows any normal business user to quickly architect a data model, workflow, and process for risk and compliance. Discussing use of Archer with some of their clients revealed that some clients have developed dozens of custom GRC processes on the Archer platform (some of these being made available on the Archer Exchange for other clients).
 
My two cents . . .
  • Archer is growing and becoming a formidable player in the enterprise GRC space. Other GRC vendors are taking note and becoming concerned.
  • Archer is specifically good at building brand loyalty through developing a community environment for its users.
  • Archer’s platform is one of the most adaptable platforms to tailor to GRC processes that I have seen – though they lack some advanced/niche features in some areas like complex risk modeling (e.g.,, monte carlo, value at risk) that a few GRC vendors have.

Ultimate Legal Management Platform

The GRC Pundit BlogPublished onLeave a Comment on Ultimate Legal Management Platform

Legal – the last (OK, perhaps I should state latest) technology frontier – to boldly go where no one has embraced technology before. So it would appear to an observer of the average corporate legal department. Corporate attorneys have been technology agnostics not willing to give up their legal pads and pens in exchange for process efficient technology.

Times are changing. Lawyers have been forced to embrace technology and understand it in more detail with the advent of electronic discovery requirements (e.g., Federal Rules of Civil Procedure). This has caused many a lawyer to get over their severe case of techphobia and come to understand that technology can really improve the performance and governance of the corporate legal department. Inside counsel is now becoming tech savvy and willing to embrace technology to improve business legal processes that have historically been very manual and paper-based.

Corporate Integrity sees a new evolution of legal management software that embraces a holistic view of legal process management. Currently, the market is comprised of several dozen software vendors focusing on specific legal functions. The future will show a few of these vendors successfully creating a solution that manages legal processes in an integrated platform. The goal: to bring sustainability, consistency, efficiency, transparency, and accountability to legal process management.

The legal process management market (part of the GRC – Governance, Risk, and Compliance – Market) incorporates the following components:

  • Discovery Management is a recent solution area that evolved out of the hailstorm of eDiscovery solutions in response to the revised Federal Rules of Civil Procedure in the United States. These platforms assist in managing the accountability, documentation, and process/workflow of fulfilling discovery requests. In one sense they are a natural extension of matter management platforms. Leading discovery process management solutions include Bridgeway, Exterro, Mitratech, and PSS Systems.
  • Contract Management solutions manage the contracting process from a legal perspective in assisting in the writing, review, modification, negotiation, execution, and archiving of all legal contracts and obligations of the company. Legal contract management platforms that have had broader adoption in corporate legal departments include Compliance 360, EAG CaseTrack, Emptoris, Mitratech, and Selectica. Archer Technologies and Axentis have also been deployed for contract management – but have not seen the same level of traction within corporate legal departments.
  • Hotline/Whistleblower are more than a technology platform as they end up being a service to provide for reporting of incidents (many times anonymously) via the web or telephone hotline. Leading vendors in the hotline and whistleblower space include Allegiance, EthicsPoint, Global Compliance, and The Network. Several of these solutions also offer enterprise investigations management as a platform as well.
  • Board & Entity Management delivers a solution for the corporate secretary (typically in legal) to manage board papers, communications, and corporate reports/filings. This includes features for board calendaring and scheduling as well as documenting legal entities, structure, relationships, assets, and responsible parties (Executives, Directors). Vendors in this area include BoardVantage, Bridgeway, BWise, Computershare, CSC, ICSA, Mitratech, SAI Global, and CT Wolters Kluwer.
  • Policy & Procedure Management involves a platform for defining, communicating, provide training, managing, and archiving of corporate policies, procedures, ethics, and code of conduct. Solutions in this space provide a central repository for managing the policy lifecycle. Vendors include Archer Technologies, Axentis, BWise, Compliance 360, Mitratech, OpenPages, QUMAS, and SAI Global. However, not all of these vendors offer the same features. Axentis offers the easiest to use – but complete – policy and procedure management solution. Archer Technologies, Axentis, and Compliance 360 can deliver training modules within their platforms. Mitratech just offers the management of policy lifecycles – but not the communication component.
  • Training Solutions offer a wide range of legal, ethics, and regulatory training modules to be delivered in other GRC platforms (such as Policy & Procedure Management) or eLearining solutions. Vendors such as Corpedia, Global Compliance, Integrity Interactive, LRN, and SAI Global offer training solutions in this area.
  • Legal Risk Management & Analysis solutions are designed for defining, managing, modeling, and monitoring legal and compliance risks in the enterprise. This is a relatively new area for technology solutions and is best done with solutions that support decision tree risk modeling to help an organization analyze legal scenarios and outcomes. Solutions focused on this capability include Mitratech and Riskonnect. Amenaza is another vendor but has not focused on the legal market.
  • Compliance Management involves a platform for documenting requirements (laws, regulations, contractual), mapping them to corporate controls and policies, and providing for the assessment and reporting on the state of compliance. There is a wide range of vendors offering compliance management solutions – many of which grew out of the Sarbanes Oxley/financial controls space such as OpenPages and Paisley. Vendors that have shown particular traction within legal departments for managing compliance include Axentis, Compliance 360, QUMAS, Mitratech, and SAI Global. Other vendors offering compliance management – but do not have demonstrated traction within legal – are Archer Technologies< /span>, BWise, and MetricStream.
  • Legal & Regulatory Intelligence is a particular feature set embedded in legal process management solutions that deliver efficiency and accountability in monitoring changes in laws, regulations, legislation, and court rulings that could impact the company. The leading innovator in this area is Compliance 360 as their solution profiles regulatory and legal interests and directly integrates with Lexis Nexis and Thomson Westlaw and routes new legal developments into a process flow. Mitratech has capabilities in this area as well. Axentis is doing similar management of the accountability and evaluation process – but does not have the integration with content providers. Corporate Integrity fully expects that Lexis Nexis, LRN, SAI Global, Thomson, and Wolters Kluwer will be building out solutions in this area to further leverage their content.
  • 3rd Party Compliance Management involves platforms for communicating ethics, code of conduct, and policies across an organizations 3rd party and supply-chain relationships. Some of these platforms go further into managing self-assessments and audits of the vendors as well. Most companies buying solutions in this space seek a Software as a Service (Saas)/hosted platform for easy accessibility by 3rd party business relationships. Leading vendors in this space include Archer Technologies, Axentis, Compliance 360, and Integrity Interactive.
  • Corporate Social Responsibility Management is a relatively new space of technology that is just emerging. While there are platforms out there for managing CSR – particularly from an environmental perspective such as Equilibrium – not many platforms have targeted the legal and corporate secretary role in CSR. However, some vendors that have engaged with legal are seeing their platforms retooled for CSR purposes led from the legal department. These vendors include Archer Technologies and Compliance 360.
  • Information Management consists of applications for identifying and cataloging information assets across the organization. This category would focus on sensitive corporate information (e.g., personal information, corporate records, and even intellectual property) and catalog its location, controls, and policies. Archer Technologies is an example of a vendor that operates in this space.
  • Intellectual Property Management consists of applications for cataloging intellectual property across the organization including includes ownership rights, regulatory requirements as well as renewal dates, governmental correspondences, and filing status. The focus of this area is on intellectual property (e.g., patents, trademarks, copyrights) and has vendors such as Anaqua, Cognocys, and IPDOX.

The legal process management has many niches – as illustrated above. The begging question – who does it all? Answer: simply no one. Though there are a few notables that provide a fairly complete enterprise legal process management platform. Mitratech and Compliance 360 are providing very complete platforms – but from different angles. Mitratech grew out of the matter management area and has expanded rapidly into other areas. Compliance 360 grew out of the corporate compliance function within legal (initially within healthcare and insurance) and has been expanding out. Other vendors appear to be aggressively focusing on the corporate legal department and providing an end to end solution – these include Archer Technologies, SAI Global, and Wolters Kluwer.

 

Who is the largest GRC vendor?

The GRC Pundit BlogPublished onLeave a Comment on Who is the largest GRC vendor?
There certainly is a lot of activity in the GRC – governance, risk, and compliance – software market. This is due to companies coming out of budget freezes imposed on them in October as a result of the plunging economy. Buyer interest and buying has also started to recover as organizations begin to position themselves to manage risk and gear up for forthcoming regulations.
 
In general, risk management spending is currently getting more activity than compliance. The reason is that risk is something companies aim to get a handle on in reaction to the current environment while compliance spending is on hold as expectations of significant government overhaul of regulations is seen in the forthcoming months. Corporate Integrity sees compliance spending significantly increasing in the second half of 2009 as organization react to new regulations and requirements.
 
The current market is also seeing significant focus on merger and acquisition strategies in the GRC technology space. After several questions and a few vendor engagements, Corporate Integrity has put effort into further understanding the market size of the GRC market.
 
From an addressable market size – a market size if every company was buying solutions in the GRC space – the GRC market is approaching $30 billion. This is done by calculating the average deal size in the core GRC market segments (e.g., policy & procedure management, control & audit management, risk management, loss & investigations management, continuous control monitoring) and multiplying this by the number of large organizations around the world. However, this figure does not include the addressable market size for many segments of the GRC market such as quality, EH&S, hotline/whistleblower, matter management, board management, etc. Nor does it include large and independent GRC related markets such as security (which itself is much bigger than $30 billion).
 
Thirty billion dollars is a large market – but the key to understanding this is that this is the addressable market size. The actual GRC software market size (the amount currently being spent on specific GRC technologies) is approaching $2 billion for enterprise GRC solutions. If you account for all of the niches of GRC software spending the software market may be as big as $6 billion.
 
Let’s do the math – $30 billion minus $2 to 6 billion equals an unaddressed market of $24 to 28 billion. That is a lot of money not being spent and opportunity for growth. The natural questions are:
  • Why such a gap between addressable and actual market size?
  • What are companies doing if they are not buying software?
The gap comes down to two things. The first is that everyone (globally) has not come under pressure to buy at this point. There have certainly been hotspots such as SOX, but in general, and on a global scale, there has not been specific demand for organizations to invest in this space. That is changing as more organization adapt to a dynamic risk environment and prepare for increasing regulatory oversight.
 
The second reason as to why there is a gap dovetails into the second question – what are companies doing if they are not buying software? The two go hand and hand. Most organizations are complacent in their risk and compliance software spending because they have already invested in the largest non-GRC software to address risk and compliance processes.
 
Who is the largest GRC software provider to the GRC space?
 
None other than Microsoft. You ask any vendor in this space who their largest competitor is and they will tell you it is Microsoft Excel, SharePoint, and Word – as well as other technologies such as using email for workflow. Organizations continue to kludge through poorly defined risk and compliance processes by using band-aids of desktop applications instead of a platform built for specific risk and compliance purposes. This does not mean that Microsoft has $28 billion in GRC revenues – certainly not. It is just that their solutions have kept many organizations complacent about further spending in this market.
 
This is a significant concern to me – and one that needs to be addressed. Governance, risk, and compliance information and processes house some of the most sensitive and critical information of an organization. Any organization relying on desktop applications as their risk and compliance backbone should consider . . .
  • Non-repudiation. How do you know that the person who answered the questions in Excel or Word was the person it was supposed to be? How do you verify for accountability that the questions and surveys are going to the right people? This is critical as you need to identify accountability – who answered a survey, who read a policy, who was trained.
  • Audit & integrity. How do you know that the questions, responses, and/or information is the exact original information/answers and were not entered or modified at a later time to cover a trail, or turn attention away from a specific area? Is there a detailed audit trail of who accessed what and what modifications and changes were made to the file(s)? This is critical as the organization needs to demonstrate integrity in risk and compliance information – that information was not changed in an unauthorized/unaccounted for manner.
  • Data overload. How many files are you managing? Can you adequately integrate, digest, and report on the volume of individual files from desktop applications that come back to your desk (e.g., Corporate Integrity has seen some organizations struggle with as many as 40,000 spreadsheets for a single risk and compliance purpose). This is critical, as organizations need to be able to demonstrate they are on top of compliance and not just going through the motions.
 
Spreadsheets, word processor documents, homegrown databases – they all may play a supporting role in risk and compliance processes, but should not be the backbone of them. As organizations wake up to this and further address GRC through the use of technology built to provide sustainability, accountability, efficiency, transparency, and accountability the actual market size will grow over the next few years to fill the addressable market size.

Thoughts from SAP GRC Insider

The GRC Pundit BlogPublished onLeave a Comment on Thoughts from SAP GRC Insider

 

SAP continues to show thought leadership and growth in the GRC space as revealed in the GRC Insider conference last week. The conference itself is a combination of GRC, Financials, and Human Resources tracks put together for SAP users. The overall conference had over 2000 individuals in attendance with significant growth in GRC’s presence over previous years.
 
Of particular interest is the contrast of SAP’s GRC strategy to other companies in the industry. What many vendors assume to be competitive they would actually find complimentary. SAP strengths in GRC are in . . .
Where does SAP need to show further growth in GRC? There is no one stop technology shop for GRC – any organization looking to define a technology GRC strategy will soon realize that SAP is a solid core, but not enough. SAP is particularly weak, or needs further growth in the following GRC functional areas:
  • Content and process management. SAP’s GRC strategy has been focused on business transactions and intelligence where most other GRC vendors have focused on GRC documentation and workflow/process management. SAP does not have strong content and process management capabilities/technologies within its portfolio – and is hesitant to offer this directly as they have a rich ecosystem of enterprise content and business process management partners. SAP really should consider acquiring a GRC vendor with strong content/process management capabilities or work out a GRC market strategy that integrates one of their ECM/BPM partners in this space.
  • Human resources. The most surprising blind spot in SAP’s GRC strategy to me is the lack of integration with SAP’s human resources management business. A significant portion of GRC involves the HR element – training, background checks, policies & procedures, access management, approvals, etc. There was tight integration at the conference between GRC and Financials, but the Human Resources track (as well as SAP’s GRC technology) remains completely separate from GRC. SAP is a dominant player in the HR market and one would think they would be quick to integrate and deliver a holistic GRC solution in this area.
One final thought that occurred to me . . . how would Thomson’s acquisition of Paisley impact SAP? To date the two offering are complimentary. Paisley documents, communicates, and manages workflows for GRC and does not automate transactions. The Thomson acquisition of Paisley aims to deliver and integrate rich tax/accounting content into the Paisley audit/GRC platform. While this still remains complimentary – what would happen if Thomson would acquire an automated/continuous control-monitoring vendor (e.g., ACL, Approva, Oversight Systems) that directly competes with SAP Process & Access Controls? The complete integration of information/content, process management, and automated controls could really shake up the space.
 

Ultimate 3rd Party/Supply-Chain Risk & Compliance Platform

The GRC Pundit BlogPublished onLeave a Comment on Ultimate 3rd Party/Supply-Chain Risk & Compliance Platform

Friend,

Frédéric Bastiat in the 19th century could have been talking (see quote above) about the complexity of managing risk and compliance across business in the 21st century.  So often organizations look at the surface of a relationship and fail to see the significance and exposure that can cascade across the organizations causing severe damage to reputation and exposure to legal and operational risks.

A chain is only as strong as its weakest link . . . in the case of business relationships this could be an organization’s supply-“chain” or other business relationship such as vendors, outsourcers, and service providers that bring increased risk and exposure to the organization.

Today’s organization is a complex diversity of processes and business relationships that span the globe. Organizations struggle to identify, manage, and control Governance, Risk Management, and Corporate Compliance (GRC) across extended business relationships. Whether it is called 3rd party, vendor, or supply-chain – risk and compliance challenges do not stop at the traditional boundaries of the organization. Adding to this is the growth and focus of Corporate Social Responsibility (CSR) initiatives that are forcing organizations to determine if their business partners hold the same values and ethics that the organization communicates to its stakeholders and customers. Further, there are specific pressures within vertical industries to formally manage 3rd party risk (i.e., the FDIC released guidance this past summer requiring banks to manage 3rd party risk).

The issues organizations face in managing risk and compliance across business relationships include:

  • Code of conduct. Communicating and validating that the business partner and its employees share the same values and ethics as the organization.
  • Labor standards. Managing adherence to a complex array of international laws while validating that the business partner has proper controls to ensure compliance to policies on working hours, forced labor, child labor, wage, discrimination/harassment, and benefits.
  • Corporate social responsibility. Ensuring that the business partner is communicating and reporting similar corporate values on social, environmental, and financial practices (e.g., global reporting initiative).
  • Anti-corruption. Conveying policies and training while validating compliance to anti-corruption and bribery statutes and standards (e.g., Foreign Corrupt Practices ActOECD Anti-Bribery Convention).
  • Operational risks. Identification, assessment, management, and monitoring of operational risks across business relationships and their impact on the organization.
  • Supply-chain risks. The management and monitoring of specific risks within supply-chains and their impact on the organization and its products.
  • Environmental. Ongoing monitoring of business partners commitment to environmental standards as well as compliance with laws and regulations that impact environmental responsibility.
  • Health and safety. Ensuring that business partners are committed to safe working environments free from hazards.
  • Security. Validating that business partners are meeting obligations to protect the physical and information technology environments.
  • Privacy. Enforcing privacy requirements on personal information as well as sensitive corporate information across business partner relationships.
  • Quality. Providing for ongoing monitoring to ensure that quality and/or service level agreements are met in adherence to contract and expectations of the business relationship.

The ultimate platform to manage risk and compliance across 3rd party relationships has the abilities of:

  • Definition and modeling of relationship, risks, compliance issues, and controls across extended business relationships;
  • Communication and attestation of policies, procedures, and code of conduct;
  • Delivery of training on code of conduct, compliance, policies, and procedures;
  • Integration of risk and compliance intelligence that alerts the organization to new developments and issues that could impact specific relationships and/or geographies;
  • Self-assessment by each business partner of the risk and compliance requirements within that particular business relationships;
  • Providing for independent audits to validate controls, risk, and compliance to laws and contractual requirements; and,
  • Scoring of risk based on the business relationship and status of assessment and audit findings. 

Large organizations around the world struggle and are actively looking for solutions and service offerings to answer these 3rd party risk and compliance obligations. Just in the past few months Corporate Integrity has interacted with over two dozen of the Fortune 500 looking for solutions and professional services to assist them in their 3rd party risk and compliance strategies. Within one organization, I have sat on a social accountability advisory board aimed at managing international labor standards, workplace safety, and code of conduct across 5000+ vendors in a global supply chain. 

This is a particular golden opportunity for technology providers that provide a Software as a Service (SaaS) offering allowing organizations to have a software platform hosted on the Internet and not open up internal networks to hundreds or thousands of business relationships. 

Specific solutions in the 3rd party risk and compliance space include:

  • Outsourced GRC process management. Organizations such as Intertek are providing a full-service offering to outsource management and monitoring of 3rd party/supply-chain risk and compliance. This includes a software platform hosted in a SaaS model to communicate policies, deliver training, and assess risk while also providing for independent validation through onsite audits.
  • Code of conduct and policy communication. Communication, attestation, and training on code of conduct and specific policies is critical to managing compliance across business relationships. Axentis offers the strongest platform for
    the ongoing communication and training of policies and procedures. Integrity Interactive is another vendor offering a subscription platform
  • Compliance & risk assessment. To manage risk, organizations need a platform that allows it to push self-assessments on risks, controls, and compliance to business partners. This is further enhanced by allowing independent auditors also use the platform to assess business relationships. Archer TechnologiesAxentis, and Compliance 360 have focused solutions to manage a full risk and compliance process across 3rd party relationships.

Third party risk and compliance issues are significant, overwhelming, growing, getting more complex, and not going away. Corporate Integrity sees 3rd party risk and compliance management as one of the most challenging GRC issues facing organizations across industries over the next 18 months.

Ultimate Operational Risk Management Platform

The GRC Pundit BlogPublished onLeave a Comment on Ultimate Operational Risk Management Platform

The Titanic is a study in operational risk management. Unfortunately, many organizations are in the same state – they do not see a complete picture of the risks they face and therefore are ignorant of the significance of the aggregate of a lot of islands of operational risk. And when things did go wrong there were not enough lifeboats . . .

There are a variety of risks the Titanic faced – overconfidence, poorly manufactured rivets, focus on speed while ignoring the external risk environment, inadequate design, and lack of someone diligently watching for icebergs. Organizations are in the same ‘boat’ today.

Deloitte illustrated this very well a few years back in their Value Killers research. In this research they studied the Global 1000 and found that nearly half of these companies had a drop in value of 20% or more in less than a month (this was before this last year). In 80% of these cases (that is 400 out of the Global 1000 for those not following along mathematically) it was because of multiple risk factors creating a greater risk environment but these risks were managed autonomously in different parts of the organization.

Organizations continue to manage operational risk in silos, where distributed business units and processes maintain their own data, spreadsheets, analytics. modeling, frameworks, and assumptions. Operational risk platforms (if deployed) are typically not equipped to capture the complex interrelationship among operational risks that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their own view of risk and not the aggregate picture of risk, failing to recognize substantial and preventable losses.

Increasing demands of Operational Risk Management (ORM) requires effective technology to support a comprehensive system of record to manage operational risk in a systematic way – across the entire business including its business relationship and external risk environment.

The “Ultimate ORM Platform” enables the enterprise to answer the following questions across business lines and aggregate risk to an enterprise perspective:

  • Do you know you know your risk exposure at the business process as well as enterprise operations levels?
  • How do you know you are taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
  • Can you accurately gauge the impact of risk taking on business strategy as well as loss?
  • Does the business get the information it needs to take timely action to risk exposure to seize opportunities while mitigate negative events?
  • Do you have repetitive and inefficient controls, documentation, processes, testing, and risk measurement / management?
  • Are you optimally measuring and modeling risk?

To answer these questions, the ultimate ORM platform will have to cover the following key areas:

  • Risk and control assessment. This includes risk identification, assessment, surveying, and analysis. To mange operational risk, an organization will implement a taxonomy of risks and a framework designed to provide a sound and well-controlled operational environment. The ORM solution needs to be able to integrate with multiple-frameworks (e.g., ISO 31000AS/NZS 4360:2004, COSO). In addition, organizations need to manage the balance between the cost of controls and the reduction in risk that the controls effect. The platform should support a range of assessment styles including qualitative and quantitative assessments, as well as top-down and bottom-up techniques. Risk measurement should cover both inherent and residual risk metrics.
  • Internal loss events. Operational losses are increasing in frequency and impact because business has grown more complex, particularly as transaction volumes have increased, organizations have distributed operations, growth in business relationship, and businesses’ reliance on automated systems outpaces their ability to monitor risk. Critical requirements for an ORM process includes capturing loss information. This includes creating a consistent categorization scheme for loss events (e.g. Basel II causal categories for losses), and linking loss to the risk taxonomy. This last requirement is extremely important since it allows an organization to pinpoint the root cause of losses and determine if certain controls are failing. This process facilitates the continual optimization of risk management as well as the control environment. An ORM platform needs to combine assessment data with loss event data to support an ORM process.
  • External loss data. External losses are also a key component of the Ultimate ORM Platform. The solution should support automatic up-load and down-load capability for interfacing with external loss consortiums (e.g., ORX) or commercial providers (e.g.,AlgorithmicsAONSAS). In addition, the system should facilitate the use of external loss for capital modelling, scenario analysis and benchmarking.
  • Key risk indicators. Continual monitoring and management of key risk indicators – including trending and aggregation of KRIs – is a critical element of an ORM process. An ORM platform is to support automatic notification to risk owners when KRI values reach thresholds. Workflows should automate ORM process such as KRI review and analysis. KRIs must support thresholding and time-trending. The best systems will also allow you to align enterprise performance management with risk management and give you a view into risk optimization as opposed to simply risk mitigation. Organizations take risk – they need assurance they are taking the right risk to meet objectives and that risk is effectively monitored and managed.
  • Reporting. An ORM platform needs to provide timely and accurate information to risk managers, risk owners in lines of business, senior and executive management, board, and external constituencies such as auditors and regulators. ORM reports enable management to maintain risk at appropriate levels within line of business, escalate issues and provide consistent data aggregation across business roles and functions. With improved visibility into its risk environment, an organization is in a position to make risk intelligent business decisions. The ORM platform needs to support a variety of ORM reports including high-level dashboards, risk models, and detailed reports. It has to be able to aggregate data across business entities, relationships, risk categories, event types, and time periods.
  • Extensible & flexible platform. One size fits all does not apply for an ORM process. Organizations need an adaptable solution and process to meet specific needs, taking into account corporate governance including corporate policies and procedures. When choosing a technology platform organizations need to pick an application that can adjust to its process as opposed to adjusting processes to fit the application. Important areas for extensibility include
  • Business hierarchy. Multiple hierarchies (legal, finance, organizational), multiple levels (with no limit), and asymmetrical hierarchies are all essential to conform ORM to the business.
  • Localization. As most firms operate in a number of localities around the world, many of which have their own local reporting needs, it is essential that the technology solution you choose can be deployed enterprise-wide and can be effective across all geographies and business functions.
  • Risk Framework. The ORM platform must be able to adapt to different risk categorization, taxonomies, measurement schemes, and evolve as risk processes mature over time.

Which vendors provide this breadth and depth of ORM functionality?

Only a handful – and many are still growing to achieve this vision. ORM vendors that I have deep respect for in the ORM area include BWiseCURAMEGAOpenPages, and Texert. Each of these vendors has proven capabilities to handle multiple frameworks and integrated processes for ORM.

OpenPages has given a lot of development and thought to the integration of loss information this past year that has recently impressed me. It is impossible to model risk without understanding where your most significant issues have been – historical trends do have an important place in risk modelling. BWise and MEGA have carried the torch in quantitative risk modelling – though not every organization needs this, while some will use an external application or spreadsheet for complex risk modelling.

There are indusry specific ORM solutions for financial services from vendors such as Algorithmics,Oracle Financial Services Suite, and SAS. However, these solutions tend to be more rigid and lack on the extensible/flexible platform requirement. I have had a deep respect for Ci-3 as well over the years but am waiting to see where this heads under the Wolters Kluwer acquisition.

Sound Advice Against Reckless Risk Taking

The GRC Pundit BlogPublished onLeave a Comment on Sound Advice Against Reckless Risk Taking

A respected friend, Charles Le Grand, recently posted this on a mailing list we belong to . . . 

 

It is a fundamental problem between risk takers and those who would constrain risk to a prudent level.  For example, many young people take stupid risks with their money, lives, and health and say “See. Nothing happened.  Why should I worry?  I have insurance.”  Similarly many people responsible for the assets of others are willing to risk them for the benefit of personal gain without due regard for their stewardship role.  So it engenders a culture of reckless risk taking and disregard for stewardship.  “Everybody is doing it.  That’s just the way it is.”  So we abandon prudence in favor of self governance.  And we quickly forget about the last time everybody got burned from such irresponsibility. . . 

. . . Those who would recklessly endanger themselves and others must be constrained for the overall good.  And our governance bodies must stop giving in to the siren call of fast and fabulous gains, and once again favor the value of steady progress.  We must learn to spot the signs of recklessness and deceit.  We must use the available tools to spot anomalies and reveal them for what they are – whether short lived phenomena or outright lies.