Reflecting on summer . . .

Summer is over.  Schedules change, kids are in school, fall is arriving.

 
As many of you noticed – I took a break from blogging this summer. However, this was not a break from GRC 20/20 work.  I have been working hard at delivering value to clients facing risk and compliance issues as well as rebranding the GRC 20/20 image.
 
To kick-off a renewed spurt of blog thoughts I thought it best to focus on some summer 2008 reflections to inform you of what GRC 20/20 has been up to:
  • Major food retailer social accountability advisory board.  The most intriguing engagement which I started, and which continues on an ongoing basis, is my appointment to the Social Accountability Advisory Board of a major food retailer.  My role on this board is to monitor and research global risk and compliance trends and issues that impact this food retailer, with a particular focus on the 5000+ relationships they have in their supply chain.
  • Segregation of Duties and Access Management benchmark project.  The largest project in GRC 20/20’s short history was started this summer in which we were engaged to do a benchmark assessment of global 100 firms and their practices and issues they face in managing SoD and AM.  The risk and compliance issues are significant in managing who has access to critical systems and information when spread across thousands of business relationships in the extended enterprise and throughout the world.  A major auto manufacturer engaged GRC 20/20 and a leading consulting firm to deliver on this in a joint effort.
  • Compliance roadshow with EMC.  In July and August GRC 20/20 was engaged to deliver on a four city roadshow to discuss the range of technologies needed to effectively manage enterprise risk and compliance with a focus on sustainability.
  • Compliance Week 2008.  I attended the Compliance Week 2008 conference in Washington DC in June – this is simply the best and most informative compliance conference out there.  I was really impressed with the level of speakers.  The format was also exceptional as each presentation was followed by a roundtable ‘Conversation’ to discuss the material presented.  Vendor involvement was also tightly controlled.  Very impressive.
  • OCEG Red Book 2.0.  It has been exciting to continue to work with the Open Compliance and Ethics Group to contribute and deliver on the Red Book 2.0 which provides the leading GRC framework guidance.  It has now been released for public review.
  • GRC 20/20 branding.  As you can see by the website – I have given our branding a complete overhaul. I am now delivering more content and services and aim to grow GRC 20/20 further over the next few years.  I changed the colors as well as the logo.  Green communicates responsibility and sustainability.  The steel blue communicates strength – like iron.  The I is encompassed within the C of the logo to communicate that Integrity is something that comes from within.
  • General growth of business.  I have been honored to see our client list grow into the dozens.  Many of these are special projects or engagements; however, the list of clients who have GRC 20/20 on an ongoing retainer now numbers over 10!
The work does not stop there – but as you can see, it has been a very busy summer.
 
Fall 2008 is bringing many new exciting things to GRC 20/20 as well.  We are about to publish our next piece of research on Enterprise Investigations Management.  Blogging will pick up again.  We are starting our educational workshop series – starting with GRC Fundamentals for Technology Providers and Consultants.  And more . . . 
 
As always, I would love to hear your feedback, thoughts, and perspectives – particularly on how GRC 20/20 can serve you and become an even more outstanding business!

Corporate Compliance & Ethics Week 2008

It is the end of the week – but still a good chance for that final reminder that it is Corporate Compliance and Ethics Week – which happens the last week of May every year. I would encourage you to send out that email to your employees and partners reminding them that compliance is about doing the right thing. Compliant organizations are organizations of corporate integrity. Are you an organization that “walks its talk?” or one that just “talks its talk?”

Business Intelligence & GRC

Does the business intelligence (BI) issue fall under the governance, risk and compliance (GRC) domain?

Business intelligence (BI) is an essential component to a successful governance, risk and compliance (GRC) strategy: It involves what I refer to as risk and regulatory intelligence. Basically, business has to monitor its internal environment — as well as the external environment the company operates in — for issues, events and risks that can impact the organization. The goal is to be intelligent enough to maximize opportunities while mitigating or avoiding negative events.

In business intelligence (BI) terms this means implementing tools that have the ability to integrate into your environment to monitor changes, collect information, and report on the state of GRC across systems, processes and business relationships. Further, these tools need to have content and process/workflow management capabilities to store information and provide processes to evaluate risk.

My original post on this topic, which focused more on IT-GRC/security, can be found at SearchDataManagement.com.

2008 GRC Drivers, Trends, & Market Directions

I recently published my “2008 GRC Drivers, Trends, & Market Directions” research illustrating the dynamic and growing nature of GRC adoption within organizations and the direction and size of the overall GRC market for products and services. Below are the summary highlights from this piece of research. . .

Organizations Embrace GRC Principles

The Governance, Risk, and Compliance (GRC) market is in significant momentum as organizations embrace collaboration across silos of GRC and generally recognize that something needs to be done.

GRC is About Organizational Collaboration

GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization – its oversight, its processes, and its culture. Organizations are approaching GRC to get an enterprise view of risk and compliance that requires that GRC initiatives involve a federation of professional roles working together in a common framework, collaboration, and architecture to achieve:

  • Sustainability. Organizations demand a sustainable process and infrastructure for ongoing governance, risk, and compliance processes that are becoming more onerous.
  • Consistency. Organizations require that multiple roles in the organization start working together in an integrated framework.
  • Efficiency. GRC aims to ease the burden on business by leveraging common processes, assessments, and information.
  • Transparency. Business demands transparency across key-performance and risk indicators so it can monitor the organization’s health, take advantage of opportunity, and avert or mitigate disaster.

Drivers Influencing Corporate Directions in GRC

Good governance is built upon diligent risk and compliance management processes. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind. Through ongoing research and interactions with organizations around the world, GRC 20/20 has identified the following drivers that are the primary influencers driving organizations to consider and adopt GRC strategies:

  • Growth of Corporate Social Responsibility.
  • Increasing governance demands.
  • Rating agencies focused on enterprise risk management.
  • Increasing risk profile in a distributed world.
  • Connecting performance management to risk management.
  • Increasing regulatory compliance profile.
  • Impact of the extended enterprise.
  • Inefficient, manual, and siloed risk and compliance initiatives are ineffective.

Silos of GRC Lead to Greater Exposure to Risk

A reactive and siloed approach to GRC is a recipe for disaster and leads to . . .

  • Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.
  • Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.
  • Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.
  • Lack of flexibility. Complexity drives inflexibility – the organization is not agile to the dynamic business environment it operates in.
  • Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.

2008 Trends Maturing GRC Practices

Organizations are driven to ‘think’ GRC. The complexity of business, increasing risk and regulatory profiles, as well as the nature of extended and global business requires that organizations reengineer how they approach governance, risk, and compliance by leveraging processes as GRC. The 2008 GRC trends within global enterprises addressing GRC include:

  • GRC 2.0 – the GRC.EcoSystem.
  • Maturation of GRC technology.
  • Next generation policy and procedure management.
  • Enterprise investigations and loss management.
  • Policing the extended enterprise.
  • Software as a Service grows as a GRC implementation model.
  • Beginning of GRC outsourcing.
  • Risk & regulatory intelligence.
  • GRC is growing organically within organizations.
  • GRC is spanning industry verticals and business processes.

The GRC Market in Momentum

The GRC market is growing and expanding – though, from a market size perspective, it remains difficult to define and put boundaries around. GRC 20/20 sizes the GRC market in 2008 at approximately $52.1 billion. This is broken down into the three primary categories of GRC 20/20’s GRC EcoSystem:

  • GRC Professional Service Market is $40.6 billion in 2008.
  • GRC Technology Provider Market is $9.3 billion in 2008.
  • GRC Information/Content Provider Market is $2.2 billion in 2008.

NOTE: If you are interested in purchasing this research to dive deeper into these points, click on the following link “2008 GRC Drivers, Trends, & Market Directions”

Thank You,

P.S. – I am involved in the OCEG GRC Forums. There is limited space available, but if you are a senior internal GRC executive/practitioner at a large company I invite you to register for this event . . .

OCEG GRC FORUM: HOW TO ENSURE INFORMATION TECHNOLOGY SUPPORTS GRC PROGRAMS

OCEG continues its innovative thought leadership through the OCEG GRC Forums. These forums afford senior GRC and IT professionals the opportunity to collaborate on ways to improve how GRC can be enabled by technology. In one-day intensive workshops, leading companies along with subject matter experts will take a “deep dive” and develop strategic plans that address the challenges of improving GRC program information flow and consistency.

Five key issues will be considered with a focus on how technology is leveraged to improve the overall GRC program:

  • Corporate risk mitigation emphasis
  • Organizational change emphasis
  • Global markets emphasis
  • M&A emphasis
  • Technology-driven business emphasis 

Spreadsheets are inadequate for risk and compliance assessment questionnaires

My two cents – if you are relying on spreadsheets (or for that matter word processing documents) to survey and gather risk and compliance information you have a problem. This in and of itself is a control issue that should be flagged.

Spreadsheets are a thorn in the flesh of risk and compliance. I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says, “Now what? How do we manage and report on this data?”

It gets worse . . . auditors and legal can step in and cry ‘foul.’ It is difficult to provide non-repudiation within spreadsheets in a scalable context. Basically, one cannot go back and truly state that “this person answered this compliance question (a legal process) on this date and time, and we know this is the original answer and it has not been modified.” Spreadsheets do not have this level of authentication, access control and audit trail. GRC processes require a robust audit trail so that you know who answered a question and if that answer was modified – spreadsheets do not provide the functionality to cover this.

There are spreadsheet management solutions that do provide authentication, access controls and audit trails — but they are cumbersome to use for broad compliance purposes. Anyways, there are technologies with integrated content and workflow that can be more easily managed.
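To make concrete what “robust audit trail” means in the paragraphs above, here is an added example (not code from this blog, nor from any of the vendors named on this page) of a tamper-evident, append-only log of questionnaire responses. Each record carries the respondent identity the platform asserted at login, a server-side timestamp, the hash of the previous record, and an HMAC computed with a key only the platform holds. The key, the record names, and the two constructed respondents and SOX control questions are assumptions for the demo, not anything from the original post.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

# Constructed demo key (assumption): held by the GRC platform, never by respondents.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditRecord:
    seq: int            # position in the log; gaps or repeats reveal deletion/reordering
    respondent: str     # identity asserted by the platform's login, not typed by the user
    question_id: str
    answer: str
    recorded_at: str    # server-side timestamp (ISO 8601), so respondents cannot backdate
    prev_hash: str      # SHA-256 of the previous record, chaining the log together
    tag: str            # HMAC over the fields above, proving the system minted this record


def _canonical(fields: dict) -> bytes:
    """Stable byte encoding so hashing and tagging are reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(rec: AuditRecord) -> str:
    return hashlib.sha256(_canonical(asdict(rec))).hexdigest()


def _tag(fields: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only log: answers are never overwritten, only superseded by a new record."""

    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self.records: List[AuditRecord] = []

    def append(self, respondent: str, question_id: str, answer: str, recorded_at: str) -> AuditRecord:
        prev = _record_hash(self.records[-1]) if self.records else GENESIS_HASH
        fields = {
            "seq": len(self.records),
            "respondent": respondent,
            "question_id": question_id,
            "answer": answer,
            "recorded_at": recorded_at,
            "prev_hash": prev,
        }
        rec = AuditRecord(**fields, tag=_tag(fields, self._key))
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return None if the log is intact, else the seq of the first record that fails."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            fields = asdict(rec)
            tag = fields.pop("tag")
            if (rec.seq != i
                    or rec.prev_hash != prev
                    or not hmac.compare_digest(tag, _tag(fields, self._key))):
                return i
            prev = _record_hash(rec)
        return None

    def history(self, question_id: str) -> List[AuditRecord]:
        """Every answer ever given to a question, oldest first; the last one is current."""
        return [r for r in self.records if r.question_id == question_id]


def build_demo_trail() -> AuditTrail:
    """Constructed sample: two respondents answering a SOX control questionnaire."""
    trail = AuditTrail()
    trail.append("alice", "SOX-ITGC-01", "Yes", "2008-06-02T09:15:00Z")
    trail.append("bob", "SOX-ITGC-02", "No", "2008-06-02T10:40:00Z")
    # Alice revises her answer: a new record is appended, the original stays on file.
    trail.append("alice", "SOX-ITGC-01", "No - exception logged", "2008-06-05T14:02:00Z")
    return trail


def tamper_and_detect() -> Optional[int]:
    """Edit Bob's answer in place, the way a spreadsheet cell can be edited, then verify."""
    trail = build_demo_trail()
    trail.records[1] = replace(trail.records[1], answer="Yes")
    return trail.verify()


if __name__ == "__main__":
    trail = build_demo_trail()
    print("intact log verifies:", trail.verify() is None)
    print("current answer to SOX-ITGC-01:", trail.history("SOX-ITGC-01")[-1].answer)
    print("first bad record after tampering:", tamper_and_detect())
```

Two caveats a practitioner would check before trusting such a log. The chain and HMAC catch an edited, inserted, reordered or deleted record anywhere in the middle, but quietly dropping the newest records at the tail is only detectable if the latest record hash is periodically anchored somewhere the log owner cannot alter (a separate system, a signed export handed to audit). And the “who answered” half of non-repudiation is only as strong as the platform’s own authentication and access control over the respondent field; the log proves the platform recorded that identity, not that the login itself was sound.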

To replace spreadsheets I would look towards governance, risk, and compliance (GRC) management platforms. Vendors in this space include Archer Technologies, Axentis, BWise, MEGA, MetricStream, OpenPages, Paisley, and QUMAS. These vendors, and many more, have integrated content and workflow technologies to manage GRC assessment processes. They are a much better choice over the use of spreadsheets for GRC processes.

NOTE: a variation of this post can be found on my Ask the Experts post on SearchDataManagement.com.

SAP Delivers on GRC Vision

Last week was an exciting week – three events converged in an action packed week in Orlando:

  • I did a live webcast on Measuring the Ethical Organization with the Institute of Internal Auditors from their headquarters in Florida;
  • Archer Technologies had their User Summit – it has been a pleasure to see Archer grow and expand over the past seven years. Particularly as they move beyond IT-GRC into enterprise GRC initiatives; and,
  • SAP held GRC 2008 – and that is something to really talk about. This was an exciting conference with over 1000 people in attendance.

SAP for the past two years has communicated one of the broadest visions for GRC in the industry. What is exciting is that they have really begun to deliver on it.

I am getting irritated with companies that still equate GRC to SOX or IT controls/security. Yes, that is part of GRC – but my vision, since I originally defined this market four to five years back, has been much broader.

What SAP has done is demonstrated a broader footprint and definition for GRC. The SAP GRC strategy and demos at GRC 2008 illustrated how enterprise risk management is tied into strategic planning, the role of environmental, health & safety (EH&S) in GRC, the complexities of environmental compliance monitoring, as well as the integration of GRC around global trade compliance (e.g., OFAC). The SAP approach still includes a significant focus in financial controls and with that SOX – but SAP has demonstrated how their technology and strategy are reaching well beyond this.

SAP is strongest when GRC means business monitoring and transactions. When GRC is about monitoring the environment and transactions SAP is building a robust solution set. However, they have some weaknesses . . .

These weaknesses primarily stem from the documentation of GRC and management of GRC processes. SAP needs to further develop their enterprise content management (ECM) and business process management (BPM) strategies as they relate to GRC. These are technology gaps that SAP does not own today, which puts them at a disadvantage in some GRC deals.

My assessment to date – SAP is a leader in enterprise monitoring and enforcement of GRC, though they are weak when it comes to documenting and managing the processes of GRC.

SAP is a thought leader in advancing the definition and cause of what GRC is about. This is more than I can state for Oracle who still seems to be confused about communicating a broad GRC strategy and executing on it – SAP is clearly winning the day on that end.

While SAP and Oracle duke it out – it is still the small, nimble and focused GRC players that have the most traction in the market today. However, the next 18 months will show a lot of consolidation in this market as SAP and Oracle become a dominant force. SAP still remains well in the lead in the battle of GRC from the ERP vendor side.

What are your perspectives on SAP in the GRC space?

What is IT GRC?

Confusion leads to chaos. One area of confusion is IT-GRC. Major analyst firms are in a hubbub trying to get their arms around IT-GRC. IT security vendors are pulling in many directions trying to get IT-GRC to be defined to cover their respective niche. Others are lobbying to define IT-GRC as everything technology that relates to GRC.

Time for my soapbox – which brings a simple set of points to understand this . . .

  1. GRC itself is bigger and broader than technology. GRC is about collaboration and communication – it is getting many silos of risk, compliance, and governance to work together and share information and processes. Technology is a piece, and an important piece of GRC, but it is not GRC itself.
  2. An enterprise view of GRC encompasses . . . the enterprise. GRC is about all the silos. Each silo has its label – finance, HR, quality, ethics, legal, audit, compliance, environmental, health & safety, risk, and yes – IT. For that matter we have things like Finance-GRC, Quality-GRC, Environmental-GRC, Supply Chain-GRC – you get the point. Each siloed domain has governance, risk, and compliance concerns keeping a portion of the business up at night while the rest sleeps.
  3. IT has a dual role in GRC. IT plays a supporting role in the infrastructure managing enterprise GRC silos. The other role is the one IT has in managing its own set of governance, risk, and compliance concerns within the IT context.

It is the dual role of IT where the confusion comes in.

My view of the world is that enterprise GRC is greater than IT-GRC (GRC > IT-GRC). Technology supports and enables enterprise GRC processes to deliver sustainability, consistency, efficiency, and transparency. Technology is important in all the domains of GRC.

Then you have the GRC concerns that fall on the shoulders of the IT department – security, disaster recovery, IT governance, IT risk, IT compliance . . . this is IT-GRC.

In a nutshell, IT-GRC is what keeps the CIO and CISO awake at night, while other areas of GRC are what keep others awake at night. IT-GRC involves the governance, risk, and compliance issues and burdens on IT that are the responsibility of IT to manage. That is IT-GRC.

Interestingly enough, I was at an event last week of a dozen senior IT executives and we discussed this concept of IT-GRC. These were all Fortune 500 firms. Going around the room each was spending on average 5-6% of their IT budget this year on IT-GRC. A few were lower than this in the 2-3% range while one, who was significantly working on their IT-GRC strategy, was spending about 12% of their IT budget on IT-GRC.

What are your thoughts and perspectives on this? As many of you know, I am actively engaged with the Open Compliance and Ethics Group (sorry for being a broken record on this). The technology council of OCEG is going to be having an internal call to discuss the difference and relationship of IT-GRC to other areas of GRC. I would love your feedback in preparation for this call. . .

Getting It Right

One of my pet peeves in the GRC space is the misuse of words.

I frequently have vendors come to me and tell me that they are an enterprise risk management solution – when in fact it is obvious that what they are doing is something specific like IT risk management. My response to these vendors is to listen patiently and then ask them. . .

“you state you are an ERM solution/platform. What you have demonstrated to me is IT risk management – can you now show me how you help manage credit risk, foreign exchange risk, or perhaps many of the other domains of operational risk such as quality or supply chain risk management?”

The response is typically puzzlement and then the lights go on – they retrench and understand who and what they are about. They gain a fresh perspective on the broader GRC.EcoSystem that they have been largely ignorant towards.

Another misuse is the use of terminology.

Currently I am at the SAP GRC 2008 conference. One product I saw demoed had a heat map that had one axis labeled probability. What they were displaying was not probability – it was likelihood. Probability is a mathematical representation of a chance of occurrence represented between 0 and 1. The product was displaying issues on a heat map with red, yellow, and green fields to represent risk levels – this is not probability. Look it up for yourself – the definition for probability is in ISO/IEC 73 which is the definitive ISO definition standard for risk management.

I have seen risk managers/officers throw vendors out of a selection process because they misrepresent what they do (inadvertently or maliciously) as well as misuse terminology. The mindset is that the vendor must not really understand risk management if they misuse terminology.

The misuse of terminology is not limited to vendors – professionals in general can be sloppy in the use of terms.

Part of the problem is having a good source of definitions that we can all agree with. One area that this is being worked on is within the Open Compliance and Ethics Group (www.oceg.org). There is a committee within OCEG that is working on the GRC Taxonomy – a reference source of definitions for governance, risk, and compliance. If you are interested in working on this – please contact me ([email protected]).

In the meantime, let’s all work hard to make sure we know what we are talking about.

GRC 2.0 – The GRC.EcoSystem

GRC 1.0 – it was a good start.

When I originally defined the GRC market, unlike other analysts, I had a holistic view of business processes in mind that needed to participate in a GRC vision and strategy.  The goal was to make sure that GRC was not limited to SOX/finance or IT.  GRC needed to embrace a range of roles and business processes and could not be hijacked (which it often has been) by specific roles.  Thus, I defined the GRC Software Platform as one that could manage policies & procedures, risk & control assessments, loss & investigations, and analytics & reporting across the enterprise.

This was a good start and I have interacted with 114 software vendors that tell me they can do this across GRC roles (NOTE: this is a fabrication or at best a far stretch of the truth for most of them).  In the meantime, I was compiling what appeared to be an endless list of 500+ software vendors offering GRC-related solutions.   Further, I started working with consulting/professional service firms offering a range of professional services across roles and another growing list of 200+ firms.  Finally, I became more aware of the dozens of information/content providers that provided GRC-related content and information to the various roles of GRC.

GRC 2.0 – The GRC.EcoSystem expands on the original vision.

Obviously, the definition and market of GRC needs an overhaul.  And that is what I present to you today in draft form – GRC 2.0 – the GRC.EcoSystem.

The GRC.EcoSystem falls into three primary categories, each with myriad branches and interrelationships beneath them:

  1. GRC Technology Providers. The GRC.EcoSystem moves beyond the four areas I originally defined as GRC (Policy & Procedure Management, Risk & Control Management, Loss & Investigation Management, and GRC Analytics & Reporting).  It now provides an architecture that can more relevantly map the 500+ technology providers.
  2. GRC Professional Service Firms. Next, the GRC.EcoSystem provides a framework for modeling the market for the range of consulting and professional services.  This includes 200+ professional service firms from the Big 4, mid-tier audit firms, management consulting, systems integrators, outsourcers, and law firms.
  3. GRC Content Providers. Finally, the GRC.EcoSystem defines a model for mapping the dozens of firms aimed at consolidating and providing risk and compliance information to organizations.

The goal of the GRC.EcoSystem is to provide a map of the market to GRC professional roles (e.g., corporate secretary, legal, ethics, compliance, risk, security, audit, finance, IT, quality, health & safety, environmental, fraud . . . you get the picture).  This map helps these roles understand how they integrate into the holistic view of business GRC issues as well as provides a resource for them to identify the right professional service firms, content providers, and technology providers with which to work.

Next, I would like to mention that my work on the GRC.EcoSystem is integrated with my work with the Open Compliance and Ethics Group.  The GRC technology provider section is being leveraged as the foundation for what we are building together at OCEG as the GRC IT Blueprint. For those interested in OCEG’s work in this space, I would encourage you to contact OCEG to see how you can contribute to this work. Yes, I am working closely with the same individual who used to be my arch-rival and nemesis at Gartner when I was at Forrester.

As for my direction – I aim to take the structure of the GRC.EcoSystem when finalized and map, at a minimum, 500+ technology providers with over 1000+ products, 200+ professional service firms, and 50+ content providers into the GRC.EcoSystem.  It will then be my tool to size and model the market, provide direction to buyers, and build an online directory of GRC to those looking for firms to engage.

Today, I am revealing the following document drafts to get your feedback on the organization and structure of the GRC.EcoSystem so I can incorporate it into a final (but ever evolving) market landscape.

  • GRC.Ecosystem Map.  This link provides the overall visual map in tabloid format. Those interested can purchase a large color printed format from me.
  • GRC.EcoSystem Outline. This link provides the map in a text outline form that can be used alongside the map.

I would encourage you to review and provide feedback back to me on how it can be improved.  You may post a comment on this blog, or reply directly back to me at [email protected].

It has been a rewarding time working with many of you – and I look forward to many more years of interactions with my new endeavor!

Understanding GRC

Governance, Risk, and Compliance can each be confusing to understand in their individual capacities – bring them together as GRC and it can be even more confounding. GRC is more than a catchy acronym used by technology providers and consultants to market their solutions – it is a philosophy of business. This philosophy permeates the organization: its oversight, its processes, its culture. Ultimately, GRC is about the integrity of the organization:

  • Is the organization properly managed, with sound governance?
  • Does the organization take risk within risk appetite and tolerance thresholds?
  • Does the organization meet its legal/regulatory compliance obligations?
  • Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?

The challenge of GRC is that each individual term – governance, risk, compliance – has varied meanings across the organization. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . the list of mandates and initiatives goes on and on.

It is easier to define what GRC is NOT. GRC is not about silos of risk and compliance operating independently of each other. GRC is not solely about technology – though technology plays a critical role. GRC is not just a label of services that consultants provide. GRC is not just about Sarbanes-Oxley compliance. GRC is not another label for enterprise risk management (ERM), although GRC encompasses ERM.

Further, GRC is not about a single individual owning all aspects of governance, risk, and compliance. 

GRC IS a philosophy of business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It is about collaboration and sharing of information, assessments, metrics, risks, investigations, and losses across these professional roles. GRC’s purpose is to show the full view of risk and compliance and identify interrelationships in today’s complex and distributed business environment. GRC is a federation of professional roles – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve sustainability, consistency, efficiency, and transparency across the organization.

Individually, I use the following standard definitions to define the components of GRC as:

  • Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.
  • Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
  • Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.

GRC is a three-legged stool:  governance, risk, and compliance are all necessary to effectively manage and steer the organization. In summary – good governance can only be achieved through diligent risk and compliance management. In today’s business environment, ignoring a federated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind — GRC aligns them to be more efficient and manageable. Inefficiencies, errors, and potential risks can be identified, averted, or contained, reducing exposure of the organization and ultimately creating better business performance.

How do you define GRC? What is GRC’s role within the organization (please comment)?