Top 27 Risk & Compliance Issues Organizations Struggle With

Global markets are in turmoil, investigations into corporate and executive wrongdoing are under way, and there are demands for increased oversight and regulation . . . while the economic climate in general is in question, there is no doubt that organizations need stronger corporate governance, enterprise risk, and compliance oversight.

The challenge for risk and compliance managers is to make sense of a GRC market with over 1300 providers of technology and consulting services.  The challenge for technology providers, professional service firms, and knowledge providers is to make sure their message and value is clearly articulated so they can be heard above the swarm of competitors.

One thing is certain . . . buyers of risk and compliance products and services have specific issues they need to deal with.  Specific economic and treasury risks, specific operational risks, specific compliance issues.  Providers that tout a generic Swiss Army knife approach will find their offerings in a tailspin – shot down by competitors that know how to solve the specific problems organizations are trying to solve.

GRC 20/20’s research has identified 27 issue areas, and corresponding solution areas, in which organizations are looking for specific help from technology, consulting, and knowledge providers.  This cross-industry view represents the core of GRC 2.0, the GRC EcoSystem.  While these are not all of the risk and compliance issues organizations face – they are the most challenging ones driving organizations to look for consulting help and technology solutions. These 27 areas are . . .

  • 3rd Party Management
  • Anti-money Laundering
  • Audit Management
  • Brand & Reputation
  • Business Continuity/Resiliency
  • Corporate Compliance
  • Corporate Governance
  • Corporate Social Responsibility
  • Corruption & Fraud
  • Crisis Management
  • Employment/Labor
  • Enterprise Risk Management
  • Environmental
  • Ethics & Integrity
  • Financial Assurance & Control
  • Geo-Political Risk Management
  • Global Trade & International Dealings
  • Health & Safety
  • Information Risk & Compliance
  • Insurance & Claims Management
  • Investigations
  • Legal Matter Management
  • Operational Risk Management
  • Physical Security
  • Privacy
  • Quality
  • Treasury Risk Management

While organizations struggle in these 27 core areas – they want to make sure that their investment in technology can be leveraged for other risk and compliance issues.  They are tired of wasteful spending and fragmented approaches to GRC – organizations want to be assured that their investment can be the backbone of a risk and compliance architecture.

GRC 20/20 has defined a core GRC architecture of 13 technology architecture categories that can be leveraged across risk and compliance processes to provide for sustainability, consistency, efficiency, transparency, and accountability.   These 13 core GRC technology architecture categories are . . .

  • Assessments & Surveys
  • Audit Management
  • Control Documentation & Repository
  • Control Monitoring & Enforcement
  • Enterprise Asset Management
  • GRC Dashboards & Reporting
  • Hotline & Whistleblower
  • Identity & Access Management
  • Investigations, Event, & Loss Management
  • Policy & Procedure Management
  • Risk & Regulatory Intelligence
  • Risk Analytics & Modeling
  • Training & Awareness Management

We encourage you to comment on GRC 20/20’s GRC EcoSystem model as we wrap up the written research that will be published in the next few weeks.  If you have comments on the GRC EcoSystem model – please send them to [email protected].

Focus of the Board on GRC

What are the questions the Board of Directors of any publicly traded company should be asking regarding the status of GRC enabling technology in their organization?
 
My experience is that the Board of Directors is not really focused on the technology enablement of GRC – for that part they probably know very little about technology, and I am not sure if they really need to understand the technology enablement of GRC.
 
The Board is ultimately responsible for risk and compliance.  There are New York Stock Exchange listing requirements that obligate the board to oversee risk.  There are decisions such as In re Caremark that require the Board to oversee that a compliance function is operating.  Risk and compliance are a part of the Board’s governance responsibilities.  Interestingly enough, Corporate Secretary magazine added the tagline “the Governance, Risk, & Compliance Monthly” to their periodical.  The role of the Corporate Secretary (typically the general counsel) is the aggregation point for the GRC information that goes to the board.
 
However, my fear is that organizations, and with them Boards of Directors, begin to view GRC as a technology issue, problem, or event bandage.  Don’t get me wrong – technology enablement of GRC is critical, but GRC is much broader than technology.  It was over five years ago that I defined a market for products and services/consulting and called it GRC.  In that time I have seen it grow, but I have also seen more and more organizations equate GRC to IT and technology.
 
GRC is about a philosophy of business in which the organization looks at governance, risk, and compliance from a holistic perspective across islands of responsibility.  In the past these islands of responsibility operated as islands and did not communicate with each other, causing significant issues and a waste of resources for the organization.
 
Technology is important as it provides the collaboration, automation, and reporting within and across these islands of GRC so that the organization begins to work in harmony.  The Board of Directors should not be as concerned with whether the organization is using technology; the proper question is “Do we have sustainable, consistent, efficient, and transparent GRC processes that work together collaboratively?”  In answering this question you will find that GRC can only be done through the use of technology.

GRC 2.0 the GRC EcoSystem

The writing is on the wall – we are entering a new era of corporate governance, risk management, and compliance. The shake up on Wall Street is just the current example of a trend towards greater oversight of business in a volatile world. With this comes a renewed focus on integrity, ethics and values. Organizations large and small are in a period of looking in the mirror and examining themselves.

  • Do we have the correct risk management oversight across business operations and relationships?
  • Do we have appropriate compliance processes?
  • Do compliance processes get to the principle of the matter, or are they simply about checking a requirement?
  • Are the values and code of conduct of the corporation adequately defined and communicated?
  • Are people trained properly on the expectations set before them?
  • Is risk and compliance managed across business relationships?
  • How do governance, risk, and compliance practices intersect with and support corporate social responsibility?

All this becomes particularly challenging when organizations look inside and see the disarray of overlapping and siloed risk and compliance initiatives. Corporate governance is handicapped. Directors and executives have a duty of care to oversee risk management as well as compliance in the organization. This is further complicated as Standard & Poor’s and others focus on evaluating risk management practices. From the compliance perspective we have seen year-over-year growth in regulations for the past thirty years – regulations are an increasing burden on the business.

When I first defined and modeled a market for technology and consulting services and gave it the label of GRC, it was at a time when organizations were struggling with Sarbanes-Oxley compliance. Over the past years interest in information risk and compliance has been added to this.

Times have changed – so must our definition of Governance, Risk, and Compliance. The current demands on business require that organizations adjust their approach to GRC across their organization.

However, GRC initiatives are being led by different parts of the organization and still largely operate in silos. This leaves organizations struggling to break down internal silos and politics to encompass a holistic GRC strategy. It challenges vendors as many of the roles responsible for GRC silos are not focused on enterprise issues but on specific points of pain.

This has led me to redefine and model the GRC market as well as to understand organizational approaches and leading practices. This is GRC 2.0, the GRC EcoSystem. The focus of this research is to map the roles responsible for GRC to the critical issues the organization is trying to address. This has resulted in 27 solution areas within which GRC products and consulting services are marketed and sold to solve the specific big issue areas that organizations struggle with. Beyond the specific points of pain that organizations need to respond to, it also maps in 13 core technology areas that the organization should build into an enterprise architecture for GRC so that there is sustainability, consistency, efficiency, transparency, and accountability across the GRC areas of the organization.

To date GRC 20/20 has identified nearly 1300 technology, consulting, and knowledge/content providers around the world that map into the GRC EcoSystem.

This new research will be released in a Webinar on October 7th. It will be followed by a written research document outlining the model for the market – solution/issue areas, technology categories, areas of professional services/consulting, knowledge content providers, as well as professional associations. In 2009, GRC 20/20 will be releasing detailed market models, sizing, and participants for our clients as well.

Ethics & Integrity In Volatile Times

News . . . the roller-coaster of information pouring into us about the tumultuous times we live in can be overwhelming.  The current focus on the economy in the wake of an ongoing shake-up in Wall Street has many living on the edge of their seats – uncertain about the future.

 
There definitely is a need for a correction in the course of our economy and financial markets.  Whether one is for or against an economic bailout – one thing is certain . . . the financial markets need to be fixed.  What the US, and the world for that matter, is facing now is much more significant than the Enron and WorldCom scandals that opened the 21st century. The writing is on the wall – tighter regulation and restructuring of regulatory oversight will happen.  This is unfortunate for libertarians and free market capitalists, but it appears inevitable at this point.  There is and will be a continued look at fraud and wrongdoing, with a push to hold executives accountable.
 
What does this mean to the GRC market?  It means opportunity and growth.  We will see a renewed focus on corporate and political ethics and integrity.  Organizations will strive to communicate ethics and further establish a culture of compliance within organizations. 
 
However, ethics is not something that is simply taught – it is also enforced.  It is hard to get away from discussions of philosophy and theology when it comes to these matters.  Myself, I am a Calvinist and believe that man has a depraved nature and is inclined to make bad choices.  Ethics and integrity training by itself is not complete.  What will be demanded by regulators and stakeholders is accountability and oversight.  The fallout will mean more than stronger corporate values, better training, and ongoing communication of policies.  It will also require stronger processes for monitoring and enforcement of policy, to keep people, whether their intentions are overtly malicious or not, doing the right thing.  The fallout will also require revisiting reporting and investigations processes.
 
While many parts of the economy will suffer if a recession bears down on us, the market for products and services to establish a culture of governance, risk, and compliance oversight will remain strong.  GRC solutions and services will be the prescription ordered to help cure the ailments upon business and the financial markets.

Reflecting on summer . . .

Summer is over.  Schedules change, kids are in school, fall is arriving.

 
As many of you noticed – I took a break from blogging this summer. However, this was not a break from GRC 20/20 work.  I have been working hard at delivering value to clients facing risk and compliance issues as well as rebranding the GRC 20/20 image.
 
To kick-off a renewed spurt of blog thoughts I thought it best to focus on some summer 2008 reflections to inform you of what GRC 20/20 has been up to:
  • Major food retailer social accountability advisory board.  The most intriguing engagement which I started, and which continues on an ongoing basis, is my appointment to the Social Accountability Advisory Board of a major food retailer.  My role on this board is to monitor and research global risk and compliance trends and issues that impact this food retailer, with a particular focus on the 5000+ relationships they have in their supply chain.
  • Segregation of Duties and Access Management benchmark project.  The largest project in GRC 20/20’s short history was started this summer, in which we were engaged to do a benchmark assessment of Global 100 firms and the practices and issues they face in managing SoD and AM.  The risk and compliance issues are significant in managing who has access to critical systems and information when spread across thousands of business relationships in the extended enterprise and throughout the world.  A major auto manufacturer engaged GRC 20/20 and a leading consulting firm to deliver on this in a joint effort.
  • Compliance roadshow with EMC.  In July and August GRC 20/20 was engaged to deliver on a four city roadshow to discuss the range of technologies needed to effectively manage enterprise risk and compliance with a focus on sustainability.
  • Compliance Week 2008.  I attended the Compliance Week 2008 conference in Washington DC in June – this is simply the best and most informative compliance conference out there.  I was really impressed with the level of speakers.  The format was also exceptional as each presentation was followed by a roundtable ‘Conversation’ to discuss the material presented.  Vendor involvement was also tightly controlled.  Very impressive.
  • OCEG Red Book 2.0.  It has been exciting to continue to work with the Open Compliance and Ethics Group to contribute and deliver on the Red Book 2.0 which provides the leading GRC framework guidance.  It has now been released for public review.
  • GRC 20/20 branding.  As you can see by the website – I have given our branding a complete overhaul. I am now delivering more content and services and aim to grow GRC 20/20 further over the next few years.  I changed the colors as well as the logo.  Green communicates responsibility and sustainability.  The steel blue communicates strength – like iron.  The I is encompassed within the C of the logo to communicate that Integrity is something that comes from within.
  • General growth of business.  I have been honored to see our client list grow into the dozens.  Many of these are special projects or engagements; however, the list of clients who have GRC 20/20 on an ongoing retainer now numbers over 10!
The work does not stop there – but as you can see, it has been a very busy summer.
 
Fall 2008 is bringing many new exciting things to GRC 20/20 as well.  We are about to publish our next piece of research on Enterprise Investigations Management.  Blogging will pick up again.  We are starting our educational workshop series – starting with GRC Fundamentals for Technology Providers and Consultants.  And more . . . 
 
As always, I would love to hear your feedback, thoughts, and perspectives – particularly on how GRC 20/20 can serve you and become an even more outstanding business!

Corporate Compliance & Ethics Week 2008

It is the end of the week – but still a good chance for that final reminder that it is Corporate Compliance and Ethics Week – which happens the last week of May every year. I would encourage you to send out that email to your employees and partners reminding them that compliance is about doing the right thing. Compliant organizations are organizations of corporate integrity. Are you an organization that “walks its talk,” or one that just “talks its talk”?

Business Intelligence & GRC

Does the business intelligence (BI) issue fall under the governance, risk and compliance (GRC) domain?

Business intelligence (BI) is an essential component of a successful governance, risk and compliance (GRC) strategy: it involves what I refer to as risk and regulatory intelligence. Basically, a business has to monitor its internal environment — as well as the external environment the company operates in — for issues, events and risks that can impact the organization. The goal is to be intelligent enough to maximize opportunities while mitigating or avoiding negative events.

For business intelligence (BI) this means implementing tools that have the ability to integrate into your environment to monitor changes, collect information, and report on the state of GRC across systems, processes and business relationships. Further, these tools need to have content and process/workflow management capabilities to store information and provide processes to evaluate risk.

My original post on this topic, which focused more on IT-GRC/security, can be found at SearchDataManagement.com.

2008 GRC Drivers, Trends, & Market Directions

I recently published my “2008 GRC Drivers, Trends, & Market Directions” research illustrating the dynamic and growing nature of GRC adoption within organizations and the direction and size of the overall GRC market for products and services. Below are the summary highlights from this piece of research . . .

Organizations Embrace GRC Principles

The Governance, Risk, and Compliance (GRC) market has significant momentum as organizations embrace collaboration across silos of GRC and generally recognize that something needs to be done.

GRC is About Organizational Collaboration

GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization – its oversight, its processes, and its culture. Organizations are approaching GRC to get an enterprise view of risk and compliance that requires that GRC initiatives involve a federation of professional roles working together in a common framework, collaboration, and architecture to achieve:

  • Sustainability. Organizations demand a sustainable process and infrastructure for ongoing governance, risk, and compliance processes that are becoming more onerous.
  • Consistency. Organizations require that multiple roles in the organization start working together in an integrated framework.
  • Efficiency. GRC aims to ease the burden on business by leveraging common processes, assessments, and information.
  • Transparency. Business demands transparency across key-performance and risk indicators so it can monitor the organization’s health, take advantage of opportunity, and avert or mitigate disaster.

Drivers Influencing Corporate Directions in GRC

Good governance is built upon diligent risk and compliance management processes. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind. Through ongoing research and interactions with organizations around the world, GRC 20/20 has identified the following drivers that are the primary influencers driving organizations to consider and adopt GRC strategies:

  • Growth of Corporate Social Responsibility.
  • Increasing governance demands.
  • Rating agencies focused on enterprise risk management.
  • Increasing risk profile in a distributed world.
  • Connecting performance management to risk management.
  • Increasing regulatory compliance profile.
  • Impact of the extended enterprise.
  • Inefficient, manual, and siloed risk and compliance initiatives are ineffective.

Silos of GRC Lead to Greater Exposure to Risk

A reactive and siloed approach to GRC is a recipe for disaster and leads to . . .

  • Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.
  • Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.
  • Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.
  • Lack of flexibility. Complexity drives inflexibility – the organization is not agile to the dynamic business environment it operates in.
  • Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.

2008 Trends Maturing GRC Practices

Organizations are driven to ‘think’ GRC. The complexity of business, increasing risk and regulatory profiles, as well as the nature of extended and global business requires that organizations reengineer how they approach governance, risk, and compliance by leveraging processes as GRC. The 2008 GRC trends within global enterprises addressing GRC include:

  • GRC 2.0 – the GRC EcoSystem.
  • Maturation of GRC technology.
  • Next generation policy and procedure management.
  • Enterprise investigations and loss management.
  • Policing the extended enterprise.
  • Software as a Service grows as a GRC implementation model.
  • Beginning of GRC outsourcing.
  • Risk & regulatory intelligence.
  • GRC is growing organically within organizations.
  • GRC is spanning industry verticals and business processes.

The GRC Market in Momentum

The GRC market is growing and expanding – though, from a market size perspective, it remains difficult to define and put boundaries around. GRC 20/20 sizes the GRC market in 2008 at approximately $52.1 billion. This is broken down into the three primary categories of GRC 20/20’s GRC EcoSystem:

  • GRC Professional Service Market is $40.6 billion in 2008.
  • GRC Technology Provider Market is $9.3 billion in 2008.
  • GRC Information/Content Provider Market is $2.2 billion in 2008.

NOTE: If you are interested in purchasing this research to dive deeper into these points, click on the following link “2008 GRC Drivers, Trends, & Market Directions”

Thank You,

P.S. – I am involved in the OCEG GRC Forums. There is limited space available, but if you are a senior internal GRC executive/practitioner at a large company I invite you to register for this event . . .

OCEG GRC FORUM: HOW TO ENSURE INFORMATION TECHNOLOGY SUPPORTS GRC PROGRAMS

OCEG continues its innovative thought leadership through the OCEG GRC Forums. These forums afford senior GRC and IT professionals the opportunity to collaborate on ways to improve how GRC can be enabled by technology. In one-day intensive workshops, leading companies along with subject matter experts will take a “deep dive” and develop strategic plans that address the challenges of improving GRC program information flow and consistency.

Five key issues will be considered with a focus on how technology is leveraged to improve the overall GRC program:

  • Corporate risk mitigation emphasis
  • Organizational change emphasis
  • Global markets emphasis
  • M&A emphasis
  • Technology-driven business emphasis 

Spreadsheets are inadequate for risk and compliance assessment questionnaires

My two cents – if you are relying on spreadsheets (or for that matter word processing documents) to survey and gather risk and compliance information you have a problem. This in and of itself is a control issue that should be flagged.

Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says “Now what? How do we manage and report on this data?”

It gets worse . . . auditors and legal can step in and cry ‘foul.’ It is difficult to provide non-repudiation within spreadsheets in a scalable context. Basically, one cannot go back and truly state that “this person answered this compliance question on this date and time, and we know this is the original answer and that it has not been modified” – which is exactly what a legal process will demand. Spreadsheets do not have this level of authentication, access control and audit trail: a cell can be overwritten by anyone with the file, and nothing records who changed it or when. GRC processes require a robust audit trail so that you know who answered a question and whether that answer was modified – spreadsheets do not provide the functionality to cover this.

There are spreadsheet management solutions that do provide authentication, access controls and audit trails — but they are cumbersome to use for broad compliance purposes. In any case, there are technologies with integrated content and workflow that can be more easily managed.

To replace spreadsheets I would look towards governance, risk, and compliance (GRC) management platforms. Vendors in this space include Archer Technologies, Axentis, BWise, MEGA, MetricStream, OpenPages, Paisley, and QUMAS. These vendors, and many more, have integrated content and workflow technologies to manage GRC assessment processes. They are a much better choice over the use of spreadsheets for GRC processes.
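The audit-trail gap described above is easy to make concrete. What follows is an added example, not code from the original post or from any of the vendors named, of the minimum a questionnaire store needs in order to answer “who said what, when, and has it changed”: every recorded answer is chained to the previous one with an HMAC under a server-held key, an answer is never edited in place but superseded by a new entry, and the latest digest (the “head”) is published outside the store so that silently deleting the newest answers is also caught. The key, responder names, question IDs and timestamps are constructed sample data; the responder name is assumed to come from an authenticated session rather than from the form itself.

```python
"""Tamper-evident log of questionnaire answers (added example, not a product's code).

Assumptions not taken from the original post: the server holds the HMAC key,
the responder identity comes from an authenticated session, and the latest
digest is published somewhere the log writer cannot alter (e.g. an auditor's file).
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


@dataclass
class Entry:
    seq: int           # position in the log; gaps or reordering break the chain
    responder: str     # who answered (from the session, not typed into the form)
    question_id: str
    answer: str
    recorded_at: str   # server clock, ISO 8601 UTC
    prev_digest: str   # digest of the previous entry (GENESIS for the first)
    digest: str        # HMAC-SHA256 over this entry's fields plus prev_digest


def _mac(key: bytes, fields: list) -> str:
    # Canonical JSON so identical fields always produce identical bytes.
    data = json.dumps(fields, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ResponseLog:
    """Append-only: an answer is never edited, it is superseded by a new entry."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Entry] = []

    def record(self, responder: str, question_id: str, answer: str,
               recorded_at: Optional[str] = None) -> Entry:
        recorded_at = recorded_at or datetime.now(timezone.utc).isoformat()
        seq = len(self.entries)
        prev = self.entries[-1].digest if self.entries else GENESIS
        digest = _mac(self._key, [seq, responder, question_id, answer, recorded_at, prev])
        entry = Entry(seq, responder, question_id, answer, recorded_at, prev, digest)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Digest an auditor should keep on file after each batch of answers."""
        return self.entries[-1].digest if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index); on failure index is the first bad entry.
        With expected_head, a silently truncated tail is also reported."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            recomputed = _mac(self._key, [e.seq, e.responder, e.question_id,
                                          e.answer, e.recorded_at, e.prev_digest])
            if e.seq != i or e.prev_digest != prev \
                    or not hmac.compare_digest(recomputed, e.digest):
                return False, i
            prev = e.digest
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, len(self.entries)

    def history(self, responder: str, question_id: str) -> List[Tuple[str, str]]:
        """Every answer this responder gave to this question, oldest first."""
        return [(e.recorded_at, e.answer) for e in self.entries
                if e.responder == responder and e.question_id == question_id]


def demo() -> dict:
    """Constructed sample data; returns what each integrity check found."""
    log = ResponseLog(b"server-side-secret")  # placeholder key for the demo
    log.record("a.smith", "SOX-302-Q7", "Yes", "2008-05-12T14:03:00+00:00")
    log.record("b.jones", "SOX-302-Q7", "No", "2008-05-12T15:20:00+00:00")
    clean = log.verify(log.head())

    # The right way to change an answer: supersede it, keeping the original.
    log.record("b.jones", "SOX-302-Q7", "Yes", "2008-05-13T09:00:00+00:00")
    published_head = log.head()            # what the auditor now has on file
    trail = log.history("b.jones", "SOX-302-Q7")

    # Spreadsheet-style edit: overwrite the cell in place. The chain catches it.
    log.entries[1].answer = "Yes"
    edited = log.verify()
    log.entries[1].answer = "No"           # restore for the next check

    # Delete the newest entry: only the published head reveals the truncation.
    log.entries.pop()
    truncated_unanchored = log.verify()
    truncated_anchored = log.verify(published_head)
    return {"clean": clean, "trail": trail, "edited": edited,
            "truncated_unanchored": truncated_unanchored,
            "truncated_anchored": truncated_anchored}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two cases in `demo()` that the chain flags, an in-place overwrite and a dropped tail entry, are exactly the edits a shared spreadsheet lets anyone make without a trace. Note the limits: an HMAC only proves that nobody without the key changed the record, so the key has to live with the platform (or in an HSM) and not with the people filling in the questionnaire; if the compliance team itself must be unable to rewrite history, each answer needs the responder’s own signature and the head must be published to a party that cannot be overruled.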

NOTE: a variation of this post can be found on my Ask the Experts post on SearchDataManagement.com.

SAP Delivers on GRC Vision

Last week was an exciting week – three events converged in an action packed week in Orlando:

  • I did a live webcast on Measuring the Ethical Organization with the Institute of Internal Auditors from their headquarters in Florida;
  • Archer Technologies had their User Summit – it has been a pleasure to see Archer grow and expand over the past seven years. Particularly as they move beyond IT-GRC into enterprise GRC initiatives; and,
  • SAP held GRC 2008 – and that is something to really talk about. This was an exciting conference with over 1000 people in attendance.

SAP for the past two years has communicated one of the broadest visions for GRC in the industry. What is exciting is that they have really begun to deliver on it.

I am getting irritated with companies that still equate GRC to SOX or IT controls/security. Yes, that is part of GRC – but my vision, since I originally defined this market four to five years back, has been much broader.

What SAP has done is demonstrated a broader footprint and definition for GRC. The SAP GRC strategy and demos at GRC 2008 illustrated how enterprise risk management is tied into strategic planning, the role of environmental, health & safety (EH&S) in GRC, the complexities of environmental compliance monitoring, as well as the integration of GRC around global trade compliance (e.g., OFAC). The SAP approach still includes a significant focus in financial controls and with that SOX – but SAP has demonstrated how their technology and strategy are reaching well beyond this.

SAP is strongest when GRC means business monitoring and transactions. When GRC is about monitoring the environment and transactions, SAP is building a robust solution set. However, they have some weaknesses . . .

These weaknesses primarily stem from the documentation of GRC and the management of GRC processes. SAP needs to further develop their enterprise content management (ECM) and business process management (BPM) strategies as they relate to GRC. These are technology gaps that SAP does not own today, which puts them at a disadvantage in some GRC deals.

My assessment to date – SAP is a leader in enterprise monitoring and enforcement of GRC, though they are weak when it comes to documenting and managing the processes of GRC.

SAP is a thought leader in advancing the definition and cause of what GRC is about. This is more than I can state for Oracle who still seems to be confused about communicating a broad GRC strategy and executing on it – SAP is clearly winning the day on that end.

While SAP and Oracle duke it out – it is still the small, nimble and focused GRC players that have the most traction in the market today. However, the next 18 months will show a lot of consolidation in this market as SAP and Oracle become a dominant force. SAP still remains well in the lead in the battle of GRC from the ERP vendor side.

What are your perspectives on SAP in the GRC space?