Step 2: Conditioning is Critical, Make Sure Your Team and Systems are Ready for 3rd Party GRC

This is the 2nd blog in a 5-part series on developing a strategic plan for Third Party Governance/Management in your organization.

With an understanding of where you are and where you want to go with 3rd Party Governance, the next step is to make sure your team and systems are ready for the journey. The physicist Fritjof Capra made an insightful observation on living organisms and ecosystems that also rings true when applied to 3rd Party Governance, Risk Management, and Compliance (3rd Party GRC):

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy of their interrelationships as an integrated whole rather than as a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts on the entire ecosystem. This is true in 3rd Party GRC. What further complicates this is the exponential effect of 3rd party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of 3rd party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives.

The organization needs to have holistic visibility and situational awareness into 3rd party relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of third party data require that the organization implement a third party management strategy.

The primary directive of a mature 3rd Party GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of 3rd party relationships in the context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

Organizations need to ensure that the various departments and roles involved in governing 3rd party relationships are on board and willing to work together in a cohesive strategy. The goal is to provide the greatest balance in collaborative 3rd party governance and oversight: allowing some department/business function autonomy where needed, while focusing on a common governance model and alignment that the various groups in 3rd party governance utilize. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships, as it allows different business functions to focus on their own areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

The goal is to have centralized 3rd party governance oversight to create a consistent and aligned strategy with a common 3rd party governance process, information and technology architecture. Organizations with this collaborative approach report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on third party performance, risk and compliance, and greater effectiveness through the ability to report and analyze 3rd party risk and compliance data. The goal should be not only to manage risk and compliance, but to integrate 3rd party governance in the context of performance, objectives, and strategy in relationships.

To achieve the full benefits from a 3rd party GRC strategy, GRC 20/20 recommends the following next steps:

  • Gain executive support and sponsorship of the third party governance strategy. The organization needs to work in harmony on third party governance. Different groups doing their own thing handicap the business. Executive support is critical to align the organization.
  • Develop harmonized systems and processes. Key to success is identification of shared processes and information for 3rd party GRC across the enterprise. This includes identifying technology and information solutions to support integrated information and process architecture.

This team needs to be aligned to share a common vision to move to an integrated approach to 3rd party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third party relationships.

[1] Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.

Supporting 3rd Party GRC Research . . .

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.

UK SMCR: A Paradigm Shift to GRC Accountability

The UK Senior Manager’s Regime and Certification Regime (UK SMCR) is a paradigm shift in regulation and accountability. In one context, I have used the analogy that it is the “One Ring” in Tolkien’s Lord of the Rings. Instead of a ring, it is the:

One [REGULATION] to rule them all, One [REGULATION] to find them [RISK, COMPLIANCE, CONTROL], One [REGULATION] to bring them all, and in the [ENFORCEMENT] bind them.

UK SMCR is a significant challenge for financial services firms. This year, the Financial Conduct Authority (FCA) is applying the regulation to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk, as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives if there is negligence or lack of due diligence in managing risk, conduct, compliance, and controls. These senior managers could go to jail or be personally fined (and their organization cannot reimburse them). It is the UK SMCR regulation that sees that other risk and compliance is properly managed across the organization. For example, Barclays’ CEO was recently fined £640,000 personally under UK SMR/CR.

This is a significant shift from responsibility to accountability. The difference may seem subtle, but it is real. Accountability means . . .

[The rest of this blog is continued as a guest blog by GRC 20/20 on the SureCloud site]

Chief Ethics & Compliance Officer: SWOT Analysis

Last week a Global CECO (manufacturing company operating in more than 60 countries with over 17,000 employees) reached out to me on a research piece I had published back in 2012 (a report I wrote for OCEG). It was a SWOT Analysis of the CECO role. This CECO asked me if I had updated it, as it had provided him insight into his career and direction six years back, and he was curious how my research and thoughts on this have changed since then. Before we get into my current SWOT analysis on the CECO role, it is important to understand a few things happening that are shifting the role of compliance in organizations . . .

  • Compliance as the Bastion of Organization Integrity. For the past fifteen years I have stated that if we could rebrand the CECO role I would advocate for it to be the Chief Integrity Officer, but we already have a CIO so that most likely will not work. Integrity is the purpose and focus of compliance and ethics. This is becoming more and more apparent as the years move on and the compliance and ethics role evolves.
  • Compliance is Dealing with Lots of Change. The greatest challenge for the compliance and ethics function is keeping up with change, and then keeping all that change in sync. There is a barrage of regulatory, risk, and business change happening. Global financial services firms are dealing with 216 regulatory change events every business day (source: Thomson Reuters). Other industries are seeing a similar onslaught of evolving legislation, regulation, litigation, and enforcement actions. But the business is changing just as rapidly through shifts in strategy, employees, technology, mergers/acquisitions, and more. The challenge is keeping all that change in sync. Being intelligent about the law or regulation does not make you compliant if compliance is not operational in context of an evolving and dynamic organization.
  • Compliance Becoming an Independent Function in the Organization. There has been increased pressure for the compliance and ethics function to report outside of legal. This comes from a string of consent decrees, deferred prosecution agreements, non-prosecution agreements, corporate integrity agreements, and changes to the US Sentencing Commission Organizational Sentencing Guidelines. Compliance has the duty to discover and fix, while legal generally has the duty to deny and protect. These can be at odds with each other and create a conflict. So in the slight majority of organizations we now see that the operational aspects of compliance report outside of legal. As a result, compliance functions are getting their own budgets and looking for improvements in compliance/ethics strategy, process, and technology to support their initiatives.
  • Compliance Accountability (more than Responsibility). Regulations like the United Kingdom’s Senior Manager’s Regime/Certification Regime (which has had a cascading impact on other jurisdictions such as Australia, Singapore, Hong Kong, Japan, and Ireland) are focused on making senior managers and executives personally accountable for compliance failures that result from negligence or lack of due diligence. Last year, Barclays’ CEO was fined over £640,000 (nearly $900,000) under UK SMR/CR in the context of a whistleblower issue. He personally had to pay this and the bank cannot reimburse him. I have likened UK SMR/CR to the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them (for all of you Tolkien fans). It is the regulation of all regulations that puts personal accountability and exposure on senior managers and executives.
  • Compliance Roles Gaining Risk Management Skills. Another paradigm shift I have been monitoring for the past twelve+ years is the dichotomy in compliance between the USA and much of the rest of the world. In the USA you have a very prescriptive, check-box mentality to compliance. Organizations want their checklist, and if they check the checkboxes they want their get-out-of-jail-free card. This is in contrast to what we see in the UK, across Europe, and much of the rest of the world, which takes a principles- or outcome-based approach to compliance. In this approach organizations are not given a checklist, but are told what the expected outcomes or principles are. The way one organization achieves compliance is different from the way another organization might choose to get there. The focus is on the end results. This requires that compliance executives have a stronger background in risk management, as they have to understand the compliance risk and choose the best approach to mitigate the risk for their particular organization’s situation. As regulations are written with a cross-jurisdictional impact, like GDPR, principle/outcome-based approaches are making a global impact, requiring compliance executives to build strong risk management skillsets.
  • Compliance as a Federated Function. There are lots of departments of compliance – corporate compliance, HR compliance, IT compliance, quality compliance, environmental compliance, health & safety compliance. The CECO role is becoming a facilitator and leader of compliance across these departments in a federated and collaborative capacity.

SWOT Analysis of the Chief Ethics & Compliance Officer Role

SWOT Analysis is a powerful technique for identifying strengths and weaknesses, and for examining the opportunities and threats a CECO faces in managing and maintaining organization integrity and driving toward a strategy of Principled Performance®. A SWOT analysis can help a CECO develop his or her career in a way that takes best advantage of one’s talents, abilities, and opportunities. What makes SWOT particularly powerful is that, with a little thought, it can help uncover opportunities an executive can take advantage of. By understanding one’s weaknesses, an executive can manage and eliminate threats that could otherwise catch them unaware. More than this, using the SWOT framework, the CECO can start to distinguish him or herself from peers, and move quickly to develop the specialized talents and abilities needed to accelerate one’s career.

Approaching a SWOT analysis on a role/function like the CECO can be divided into:

  • Internal Qualities
    • Strengths: Your personal professional capabilities 
    • Weaknesses: Your personal professional challenges
  • External Dynamics
    • Opportunities: Organizational prospects to leverage and advance your career 
    • Threats: Organizational challenges to overcome and advance your career

Strengths: Professional Capabilities

  • Enabler & leader, who strives to enable the organization to reliably achieve objectives while addressing uncertainty and acting with integrity.
  • Evangelist & visionary, who provides leadership, direction and insight for creating and protecting organization integrity, ethics, and values, as well as maintaining compliance with laws, regulations, policies, and procedures.
  • Energetic & engaging, with good communication skills that build interest in better approaches to compliance management, ethics, and values throughout the organization.
  • Agile & versatile, bringing broad experience in compliance, ethics, regulatory issues, and corporate values and how they impact other business disciplines and roles.
  • Dedicated & driven, a passionate goal-oriented problem-solver who moves the enterprise forward through strong execution in finding and fixing compliance and ethical problems while enabling the business to execute on strategy in a principled manner.
  • Collaborator & facilitator of compliance and ethics across a range of compliance functions scattered across the business and operations, who acts as a partner with peers in the organization and is adept at leveraging best practices and initiatives across operating units.

Weaknesses: Professional Challenges

  • Limited technical acumen. Most compliance roles have grown out of legal, which has often been more comfortable with documents and paper and has a limited understanding of how technology can make compliance more efficient, effective, and agile. When compliance executives are approached with technology they tend to find a solution to a specific problem, as opposed to thinking big picture about how an integrated compliance technology architecture can provide greater contextual insight into compliance.
  • Manual processes and myopic technology. Related to the limited technical acumen, this overwhelms the compliance officer and function with documents and manual processes that take time to reconcile and report. For example, one organization was spending 200 FTE hours building a compliance report that now takes them 1 minute.
  • Project management skills are needed. Compliance and ethics management has become a complex and intricate set of projects, tasks, and reports that requires compliance management to have an integrated view into compliance deadlines, resources, reports, and activities. This means that the CECO needs to have strong project management capabilities.
  • Federated facilitation experience. While the CECO role is the figurehead of compliance, this role often has a limited view into the expanse of compliance across departments. The CECO role needs to be the chief herder of the compliance cats, getting the various fragments of compliance scattered across business operations to work together collaboratively.
  • Moving beyond checklists. The compliance function has a tendency to focus on corporate compliance checklists to find and resolve compliance issues, and is now being challenged to understand compliance risk, take on ethics, values, and social responsibility, and become a champion for corporate culture.
  • Stigma of the corporate cop. The compliance role has historically been seen as a corporate cop rather than a strategic and operationally influential champion of organization integrity. This leads to a misperception of compliance as the department of NO instead of the principled enabler of ethical business.
  • Fire fighting and reactive approaches to compliance, where resources are consumed in investigations and putting out compliance fires, which leaves little to no resources for proactive planning of compliance and ethics. The CECO is constantly behind in trying to keep a changing business compliant while reacting to ever-changing laws, regulations, and court and regulatory rulings.

Opportunities: Organization Prospects

  • Focus on integrity, in which the compliance and ethics function continually assesses regulatory, ethical, and social responsibility trends to develop a full understanding of the mandatory and voluntary obligations and requirements for compliance that align with the organization’s values.
  • Federated Governance, Risk Management & Compliance (GRC) focus, in which the CECO is part of an executive strategy to enable an organization “to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” This requires that the CECO be able to collaborate across the range of compliance areas that he or she has not typically covered before, to facilitate compliance across the organization.
  • Leverage an integrated information and technology architecture to manage the range of compliance projects, tasks, assessments, exams/audits, investigations, policies, and training, so that the organization has 360° contextual intelligence on compliance and there is one common portal for policies and training for employees.
  • Enable the organization to be a Principled Performer, pursuing competitive advantages with superior GRC capability aligned with compliance and ethics that is kept current and managed in a dynamic business, risk, and regulatory environment.
  • Improve compliance reporting to senior management and the board by integrating compliance metrics and information into existing reporting processes and forms, to assist them in their fiduciary obligations of oversight of compliance.
  • Build superior shareholder relations and broader stakeholder communications around ethics, values, and compliance activities.

Threats: Organization Challenges

  • Third party risk and compliance, in which vendors, suppliers, outsourcers, and the like expose the organization to issues of fraud, corruption, social responsibility, and compliance violations across these extended business relationships that result in reputational damage and substantial fines and penalties. Over half of insiders are not traditional employees but third parties, which requires that a compliance program extend across third party relationships.
  • Keeping a changing organization in sync with changing compliance requirements. The volume of change impacting compliance is staggering. Being knowledgeable about regulations and the law does no good if the organization is not operationally compliant. Keeping a dynamic business compliant with ever-changing laws, regulations, and enforcement actions is a huge issue for most organizations.
  • Lack of competitive edge, as competitors with more agile, effective, and efficient compliance programs outpace the organization in the market while it is encumbered with slow processes and reactive approaches. This stems from:
    • Failure to implement adequate compliance and ethics infrastructure and architecture to monitor, mitigate, and respond to compliance risk and the conduct risk of unethical behavior.
    • Inadequate integrated GRC technology infrastructure, which reduces the quality and flow of information.
    • Siloed processes and systems causing delayed reporting and inconsistent quality and reliability of risk information.
    • Document-centric approaches that handicap compliance reporting and its relative value to the rest of the organization.
  • Culture that reinforces compliance communication after an event or incident occurs, rather than proactively identifying potential problems before they occur.

Leveraging Data Classification to Enable GDPR/CCPA Data Subject Requests

Regulatory requirements are driving organizations to clearly define processes to manage personal data requests from data subjects [1], which in turn requires clear data classification and disposition controls in the environment. Chief among these regulations is the EU General Data Protection Regulation (GDPR), but following suit later this year is the California Consumer Privacy Act (CCPA).

A key component of these regulations, with some nuances between them, is to assure data subjects of the control, use, protection and privacy of their personal data. To do this, GDPR empowers data subjects with specific rights. These rights enable data subjects to make specific requests and be assured that their personal data is only used for approved purposes for which it was provided. They include the right to access and rectify data collected on the data subject, the right for erasure of personal data, and the right to object to the data subject’s information being used.

These data subject rights provide the foundation for GDPR and CCPA compliance and an organization, the . . .

[The rest of this blog is continued as a guest blog by GRC 20/20 on the InfoGoTo site]

2019 GRC User Experience Award Nominations

GRC 20/20 is accepting nominations for the 2019 GRC User Experience Awards!

Governance, risk management and compliance (GRC) is a part of everyone’s job. Too often we shovel GRC into the bowels of the organization thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back office of GRC in the organization. The user experience for GRC related solutions has been typically poor in most organizations, resulting in time-consuming and redundant processes.

The core of GRC related technologies is operationalizing GRC across the fabric of business. This involves employee engagement in GRC related solutions with systems that are simple, mobile and easy to use from the frontline of the business to the back-office operations of GRC.

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

  • Efficient: GRC engagement provides efficiency and savings in both human and financial capital. GRC should reduce operational costs by providing access to the right information at the right time for employees, and reduce the time spent searching for answers (or just giving up). GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • Effective: At the end of the day it is about effectiveness. How does the organization ensure risk and compliance is effectively understood, monitored and managed at all levels of the organization? That policies are not only read but understood, that employees are trained properly, that they know how to ask questions when in doubt, to report issues and how to be intelligent about risk in their specific context.
  • Agile: GRC engagement delivers business agility when organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate to employees the GRC context of these changes. GRC engagement is measured in responsiveness to events and issues, so organizations can identify and react quickly to incidents because they are reported in a timely manner.

Employee engagement in GRC requires GRC technologies to extend across the organization, even to extended third party relationships such as vendors, suppliers, agents, contractors, outsourcers, service providers, consultants and temporary workers. Engaging stakeholders at all levels of the organization requires that GRC technologies be relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a social-technology permeated world. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.

This quote has been attributed both to Einstein and E.F. Schumacher.

A primary directive of GRC related technologies is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

The 2019 GRC User Experience Award nominations will be accepted through 31 January 2019 (no exceptions, nomination form closes down at midnight CDT on 31 January). Recipients will be determined by end of March, write-ups for each recipient (one per category) will be completed in April and May with announcements in June 2019. Each recipient of an award will be written up and acknowledged.

The seventeen categories for submission are:

  • Audit Management & Analytics User Experience
  • Automated / Continuous Control User Experience
  • Business Continuity Management User Experience
  • Compliance & Ethics Management User Experience
  • Enterprise GRC User Experience
  • Environmental, Health & Safety User Experience
  • IT GRC/Information Security User Experience
  • Internal Control Management User Experience
  • Issue Reporting & Case Management User Experience
  • Know Your Customer User Experience
  • Legal Management User Experience
  • Physical Security Management User Experience
  • Policy & Training Management User Experience
  • Quality Management User Experience
  • Reputation & Responsibility User Experience
  • Risk Management Value User Experience
  • Strategy & Performance User Experience
  • Third Party Management User Experience

Please submit nominations before midnight on 31 January 2019.

2019 GRC User Experience Nomination Form

2019 GRC User Experience Nomination

  • GRC Solution Provider Organization Details

    The details requested in this section are for the organization overall and not specific to the solution.
  • Solution Provider Nomination Submitter Contact Details

    Please enter the contact information for the primary individual responsible for this nomination.
  • Nomination Details

    Please enter the details for this nomination.
  • Is this solution and innovation operating in real-world client environments as of this nomination? Concepts, good ideas, prototypes, etc. will not be considered. The innovation has to have real-world implementations that can vouch for the innovation (client reference asked for later).
  • Please avoid hyperbole and stick to specific facts and details, answer agnostically of solution itself.
  • Please avoid hyperbole and stick to specific facts and details.
  • The nomination has to be something released or made available in the past year.
  • Basically, why would organizations care about this and what value does it bring them.
  • Client Reference

    Please submit a client reference that we can call that can validate that this solution is operating in the real-world and delivering as indicated on this nomination if your nomination is selected as a finalist.
Our Perspective

Our Perspective on the GRC Market and GRC Solutions

The GRC market is a macro-market that encompasses several smaller market segments.  Major analyst firms treat the GRC market as a micro-market they think can be rolled-up and covered in a two-dimensional plot comparing less than 20 solutions.  Their market model and sizing is nothing more than adding up projected revenues for a small group of select vendors and perhaps making some adjustments.  This is absurd. GRC solutions and services are varied and have a variety of functions. The major analyst firms have it wrong. The GRC market cannot be defined in a single comparative report with a two-dimensional graphic. GRC 20/20 understands this and helps organizations perceive the panorama of issues and challenges organizations face and identify the right solutions to meet their specific requirements.

GRC 20/20 has mapped over 500 solution providers into our GRC market model that is broken into segments and sectors.  We are the ONLY market research and analyst firm monitoring market size, demand, growth, and trends at both the sector and segment level, in addition to the high-level roll-up of the GRC market.  We specialize in differentiating solutions on their value and capabilities within segments of the GRC market and not just paying attention to a few. 

GRC 20/20 specializes in the details of the GRC market. We help buyers of GRC solutions to identify the solutions they should consider given their specific requirements. Whether it is criteria for RFPs in specific areas of GRC to broad solutions that provide the backbone of an enterprise GRC architecture – we deliver depth. On the other side, our insight enables solution providers to hone their product, service, marketing, sales, content, partner, and growth strategies to move from being good to being great.  We help solution providers to understand their competitive differentiators and how to win deals and articulate value in how they make clients more efficient, effective and agile.

GRC 20/20 is focused on delivering high-value relationships with GRC solution provider clients. Services are typically ¼ of what major analyst firms charge and value is achieved through personal accessibility to get you answers when you need them. GRC 20/20 wants to be part of your team and not some cloistered ivory tower that is hard to contact and even harder to connect to.  Working with GRC 20/20 is about engagement – to be an objective and independent advisor while still a part of your team. 

Our Differentiators

GRC 20/20 is collaborative. We like to roll up our sleeves and get involved in details. We thrive on interaction and engagement. To be successful in understanding and predicting the GRC market requires that we listen and learn and not merely pontificate and make ourselves untouchable. Unlike major market research and analyst firms, we recognize the need to be involved.

GRC 20/20 is:

  • Affordable.  Our rates are comparable to those of an experienced consultant rather than those of major analyst firms who charge more than high-end Wall Street attorneys.  Organizations do not need to pay $1,000+ an hour for analyst time; that is robbery, and in some cases extortion.  GRC 20/20 is often ¼ the cost of major analyst firms.
  • Deep. The GRC market cannot be represented in a single two-dimensional comparison of a handful of select GRC solutions. We are the only market research firm to provide detailed buying criteria, comparisons, market sizing, and growth for the entire GRC market as well as specific segments of the GRC market covering more than 500 solutions.
  • Pragmatic. We understand that organizations have a range of GRC roles and processes focused on aspects of governance, risk management and compliance.  While an enterprise GRC strategy and architecture is ideal, most organizations are addressing department needs as well as specific risk and compliance issues and must learn to crawl before they can run. 
  • Grounded. GRC 20/20 prides itself on analysts with real-world experience from the trenches of organizations.  We know what works and does not work as well as how to get the job done. Our analysts do not sit back in cloistered offices and avoid getting involved in the real world.
  • Collaborative.  Collaboration requires engagement in discussion, debate, and thought leadership in GRC professional communities and associations.  GRC 20/20 actively engages organizations, non-profit associations, solution providers, professional service firms, and others in research collaboration to gain perspective and clarity into aspects of the GRC market.  This breadth of interaction feeds into our market models, advice, and forecasts. 
  • Reachable.  We are easy to access.  Clients of GRC 20/20 can call, email, text / message, tweet, Skype, or use a palantir (should you have one) to get answers when they are needed.  We offer complimentary inquiries/answers to GRC purchaser questions on strategy and solutions to provide the clarity they need to take the next step.  GRC 20/20 fields hundreds of buyer inquiries each year looking for GRC solutions and services to address a range of GRC challenges from broad to specific.
  • Transparent.  GRC 20/20 represents and works with the ecosystem of buyers as well as GRC solution and service providers.  Our revenue comes from a mixture of these elements and we are fully committed to objectivity in research and not afraid to disclose our relationships or criteria on how we recommend and evaluate solutions. We evaluate GRC solutions using transparent, consistent, and objective criteria. 
About GRC 20/20 Research, LLC

20/20 vision is perfect clarity in sight: clarity to see and process surrounding context and achieve situational awareness — to observe the world around you, be aware of risks, and react accordingly.

Clarity of Governance, Risk Management & Compliance

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions.

GRC 20/20 advises the entire ecosystem of GRC solution purchasers within organizations, professional service firms, and solution providers.  We serve the needs of organizations that seek clarity, guidance and advice in dealing with a dizzying array of disruptive issues, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment.  Whether focused on a specific risk, regulation, department, or enterprise GRC strategy, organizations seek clarity through GRC 20/20.  This clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity who understand GRC challenges and how to solve them practically and not just theoretically.  Our clients include Fortune 1000 companies, major professional service firms, and an array of GRC solution providers who require our research and advice to apply strategies and technology to meet the GRC challenges they face. 

GRC 20/20 is a:

  1. Buyer advocate.  We assist those purchasing GRC solutions to help them navigate hyperbole to select solutions that are practical and deliver on requirements.  

    Simply, we help buyers select the right solution(s) for their needs and get the most out of their investment.

  2. Solution strategist.  We guide GRC solution providers in understanding the demand and needs of buyers and improve product, marketing, competitive, sales, partner, content, and growth strategies.  

    Simply, we make good GRC solutions into great GRC solutions.

  3. Market evangelist.  We educate and evangelize GRC strategies that deliver value and results through advocacy of technology, content, and services in making GRC processes efficient, effective and agile.

    Simply, we define the future of GRC and understand where it is headed.
Research Terms & Conditions

These terms and conditions govern the use of GRC 20/20 Content (content includes, but is not limited to: website, research, intellectual property, and information in all forms).  If you have any questions please email info@grc2020.com.

Intellectual Property

You agree and acknowledge that all Intellectual Property Rights in all GRC 20/20 website, research, intellectual property, content, and all material and information contained within belongs to GRC 20/20. You shall not obtain any Intellectual Property Rights in GRC 20/20 content. You may not publicly use any GRC 20/20 content without GRC 20/20’s prior written permission.  GRC 20/20 content is for internal use only to your organization.

Licence of GRC 20/20 Content

GRC 20/20 licences its content as follows:

  • If GRC 20/20 content has been ordered on a single user basis then it may only be used by the person whose name is identified on the Order; and
  • If GRC 20/20 content has been ordered on a corporate basis then it may only be used by the employees of the one entity whose company name is identified on the Order. For the avoidance of doubt the company name identified on the Order shall not include Affiliates.
  • All Licences to GRC 20/20 content are granted, subject to these Terms and Conditions, for the purchaser’s sole use and benefit on a non-exclusive and non-transferable basis.
  • All Licences of GRC 20/20 content permit the purchaser, for internal business purposes only, to retrieve and display the content on a computer screen and print individual pages on paper and store such pages in electronic form on disk and on a personal computer (but not on any other server or other storage device connected to an external network).
  • Purchaser may not (without contacting GRC 20/20 to obtain prior written permission):
    • Sell, market or redistribute any GRC 20/20 content or any material contained within GRC 20/20 content and the GRC 20/20 website (including by using it as part of any library, archive or similar service);
    • Remove the copyright or trademark notice from GRC 20/20 content;
    • Create a database in electronic or structured manual form by systematically downloading and storing all or any of GRC 20/20 content;
    • Extract any content from GRC 20/20 research and website including text, charts and figures; or
    • Modify, reproduce, develop or in any way commercially exploit any of our Reports and Website content or any material contained within our Reports and Website.
  • The Licences of GRC 20/20 content are subject to any guidelines that GRC 20/20 may from time to time issue with respect to GRC 20/20 content.
  • The Licences of GRC 20/20 content shall continue indefinitely.
  • Where a Licence of GRC 20/20 content is granted on a corporate basis, purchaser shall make reasonable endeavours to ensure that all of its employees, members, directors, partners, whatever the case may be, comply with these Terms and Conditions.
  • If purchaser becomes aware of any potential or actual infringement or misuse of GRC 20/20 content and Intellectual Property Rights, purchaser shall promptly notify GRC 20/20.

Consequences of breach of licence

GRC 20/20 takes the protection of its Intellectual Property Rights seriously. If proceedings were to become necessary, for example, because of a breach of the Licence of any of our Reports, the remedies available to us include an injunction, damages or an account of profits, legal costs and interest. Damages may be in the region of a minimum of $50,000 for each breach.

Citation Terms

All external or commercial citation of GRC 20/20 content is prohibited without GRC 20/20’s express written permission. This includes, but is not limited to, uses of GRC 20/20 content in advertisements, press releases, analyst briefings and any sales collateral in any and all types of media.

All citation requests are reviewed by GRC 20/20 on a case-by-case basis.

To seek GRC 20/20 approval relating to any permission, contact info@grc2020.com providing full citation and context for the request. Please include a draft copy of any press releases and other marketing material such as newsletters, email campaigns, direct mail, etc. GRC 20/20 may charge an administration fee for reviewing citation requests. This fee will reflect the time required to check accuracy and legal impact of the use of GRC 20/20 content. The administration fee will be communicated within two business days of the citation request and before the start of the approval process.

GRC 20/20 reserves the right to change these citation terms at any time, without notice.

Fees

The fee for provision of GRC 20/20 content (“Fee”) is priced in accordance with the Order and payable immediately.

If purchaser fails to pay any amount due to GRC 20/20 under these Terms and Conditions, then GRC 20/20 shall be entitled but not obliged to charge interest (both before as well as after judgment) at the rate of 4% per annum above the base rate. Such interest shall accrue on a daily basis and be compounded quarterly.

The Fee for GRC 20/20 content does not include any updates to the report. If you wish to receive any updated report which we may publish from time to time then you will be required to purchase such updated GRC 20/20 content as a new order and pay the then published rate.

All payments to be made by purchaser to us under these Terms and Conditions shall be paid without deduction, set-off, counter-claim or other withholding.

Purchaser Acknowledgements and Obligations

Purchaser acknowledges that GRC 20/20 is an independent research, publishing and advisory firm. As such the views expressed in GRC 20/20 content will reflect GRC 20/20 analysts’ views. Opinions and recommendations contained in such GRC 20/20 content are submitted solely for advisory and information purposes and are not intended as an offering or a solicitation to buy or sell any securities mentioned.

GRC 20/20 content is issued in good faith but without legal responsibility and is subject to change or withdrawal without notice. GRC 20/20 does not warrant the accuracy, completeness or adequacy of our advice or the contents of our Reports and Website for any purpose or that GRC 20/20 advice and content will meet with your requirements. We do not guarantee that our content will result in the identification of all matters which may be of interest to you.

GRC 20/20 content and website must not be accessed or used in any way that would be illegal in any jurisdiction.

Purchaser acknowledges that it holds adequate and suitable professional indemnity insurance in relation to any professional service that it provides.

Purchaser shall not disclose any of the Reports or divulge their contents to any third party without GRC 20/20 prior written consent (which we may withhold or grant subject to conditions, at our complete discretion). Irrespective of whether GRC 20/20 provides any consent for purchaser to disclose GRC 20/20 content to a third party, GRC 20/20 shall never assume any responsibility to any third party to which GRC 20/20 content is disclosed or otherwise made available.

Purchaser shall keep GRC 20/20 content on a strictly confidential basis, and it is purchaser’s responsibility to ensure that no unauthorized third party gains access to GRC 20/20 content or website.

Purchaser warrants that it has the full power and authority to comply with these Terms and Conditions.

Purchaser shall comply with all applicable laws in performing its obligations and exercising its rights under these Terms and Conditions.

Liability

Nothing in these Terms and Conditions shall operate to exclude or limit GRC 20/20’s liability for:

  • death or personal injury caused by our negligence; or
  • fraud; or
  • any other liability which cannot be excluded or limited under applicable law.

GRC 20/20 shall not be liable to purchaser for any loss of profit, anticipated profits, revenues, anticipated savings, goodwill or business opportunity, or for any indirect or consequential loss or damage.

GRC 20/20’s aggregate liability in respect of any claims arising out of or in connection with any Licence of any of our Reports and Website, whether in contract or tort (including negligence) or otherwise, shall in no circumstances exceed the total Fee payable (and paid) by you in respect of that Report.

Purchaser shall indemnify and keep GRC 20/20 indemnified against all liabilities, losses, proceedings, claims and demands brought or threatened against GRC 20/20 by any party other than Purchaser and any reasonable costs and expenses relating thereto, arising out of or in connection with Purchaser’s breach of any of these Terms and Conditions, regardless of whether such breach is later remedied and regardless of whether or not we have been negligent.

Purchaser shall indemnify and keep GRC 20/20 indemnified against all liabilities, losses, proceedings, claims and demands and any reasonable costs and expenses relating thereto, arising out of or in connection with Purchaser’s breach of any of these Terms and Conditions.

Termination

The Licence of any GRC 20/20 content purchaser has ordered shall continue indefinitely.

The Licence to use GRC 20/20 content may be terminated by written notice if Purchaser is in material breach of these Terms and Conditions and the breach is not remedied within the period of 14 days after written notice of the breach has been given to Purchaser. If GRC 20/20 reasonably believes you are in breach of the Licence GRC 20/20 may suspend your right to use GRC 20/20 content at any time.

On termination of a Licence to use our Reports:

  • all provisions of the Licence shall cease to have effect, except that any provision which can be reasonably inferred as continuing, or is expressly stated to continue, shall continue in full force and effect; and
  • Purchaser shall promptly return to GRC 20/20, or certify the destruction of the Report.

Privacy Policy

The information that Purchaser provides about itself to GRC 20/20 will only be used by us in accordance with our Privacy policy. Please read the Privacy policy carefully and if you have any questions please email info@grc2020.com

Non-Solicitation of Personnel

In order to protect GRC 20/20 confidential information and business connections Purchaser covenants with us that Purchaser shall not directly or indirectly and either on Purchaser’s own behalf or on behalf of or in conjunction with, any firm, company or person, for 6 months after the date of the Order, offer to employ or engage or otherwise endeavour to entice away from GRC 20/20 any person who is employed or engaged by us in the preparation of GRC 20/20 content contained in the Order.

Notices

All notices shall be given to GRC 20/20 via email at info@grc2020.com or by post at the address referred to at the top of these Terms and Conditions; or to Purchaser at either the email or postal address provided during any ordering process.

Notice will be deemed received when an email is received (or else on the next business day if it is received on a weekend or a public holiday in the place of receipt) or 3 days after the date of posting.

General

The following words and expressions shall have the following meaning in these Terms and Conditions:

  • Affiliates: means in relation to the company name you specified on an Order, any company which is for the time being a holding company of that party or a subsidiary of that party or of any such holding company.
  • Force Majeure Event: any event arising that is beyond the reasonable control of the affected party (including any industrial dispute affecting any third party, governmental regulations, fire, flood, disaster, civil riot or war).
  • Intellectual Property Rights: means all intellectual property rights wherever in the world arising, whether registered or unregistered (and including any application) including copyright, know-how, confidential information, trade secrets, business names and domain names, any and all rankings, patents, design rights, database rights and all rights in the nature of unfair competition rights or rights to sue for passing off.
  • Licence: means as the case may be either the single-user licence or a corporate licence (as selected by you at the time of your Order) to any of our Reports subject to these Terms and Conditions.
  • Marks: means any and all of our or our licensor’s trademarks, trade names, service marks, logos, URLs or identifying slogans and whether or not registered.
  • Order: means an order by Purchaser through our Website for any GRC 20/20 content in accordance with these Terms and Conditions.
  • Reports: means any of GRC 20/20 published research and articles which GRC 20/20 may from time to time publish.
  • Website: means our website at http://www.grc2020.com

In these Terms and Conditions:

  • Clause headings do not affect the interpretation of these Terms and Conditions.
  • References to clauses are (unless otherwise provided) references to the clauses of these Terms and Conditions.
  • Words in the singular include the plural and those in the plural include the singular.
  • References to including and include(s) mean respectively including without limitation and include(s) without limitation.
  • GRC 20/20 may transfer and/or assign GRC 20/20 rights and/or GRC 20/20 obligations under any Licence. This will not affect Purchaser rights under such Licence. Purchaser may not transfer any of Purchaser’s rights or obligations under any Licence.
  • Nothing in these Terms and Conditions shall confer Purchaser rights on any other person.

If Purchaser breaches these terms and conditions and GRC 20/20 ignores this, GRC 20/20 will still be entitled to use GRC 20/20 rights and remedies at a later date or in any other situation where you breach these Terms and Conditions.

This agreement, together with the Privacy policy, represents the entire terms agreed between us in relation to its subject matter and may be amended only by our agreement in writing.

If either of us becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay to perform our obligations under any Licence such party shall forthwith notify the other and shall inform the other of the period for which it is estimated that such failure or delay shall continue. The affected party shall take reasonable steps to mitigate the effect of the Force Majeure Event.

All Licences are made solely for Purchaser benefit and they are not intended to benefit, or be enforceable by, any other person.

If any provision (or part of a provision) of these Terms and Conditions is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.

These Terms and Conditions shall be governed by the law of the State of Wisconsin.

GRC 20/20 will try to solve any disagreements quickly and efficiently. If you want to issue court proceedings in relation to this agreement you must do so in the State of Wisconsin.