Wednesday, April 25, 2012

GRC Maturity: Measuring a New Paradigm for Risk and Compliance

Lacking an integrated view of GRC results in business processes, partners, employees and systems that behave like leaves blowing in the wind. Modern business requires a new paradigm for tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects; nor can they allow software Band-Aids that are not integrated with the business to masquerade as GRC. A targeted strategy addressing GRC through common processes, information and technology gets to the root of the problem.

With changing and diverse risks bearing down on the organization, there is a clear need to tackle the problem at its root and develop a mature approach to GRC. Instead of treating each risk and compliance issue as an individual problem, organizations need to define a common process, information and technology architecture to manage GRC across the range of issues.

To address these issues, leading organizations have adopted a common framework, information architecture and shared processes to effectively manage risk and compliance, enable risk-aware decision-making, increase efficiencies, and be agile in response to the needs of a dynamic business environment.

The questions organizations must ask:
  • Does the business have the information to make risk-based decisions about the future of the company when it lacks a clear view of the risk landscape?
  • Does the business know its risk exposure at the enterprise, business process and control levels, and how they interrelate?
  • How does the business know it is taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
  • Can the business accurately gauge the impact of risk-taking on business strategy?
  • Does the business get the information it needs so it can take timely action on risk exposure to avoid or mitigate negative events?
  • Does the business monitor key risk indicators across systems, relationships and processes?
  • Is the business optimally measuring and modeling risk?
  • Is the business meeting its regulatory and other obligations?
A well-defined GRC environment will not only do risk assessment and modeling, but will also deliver definition, communication and training on risk-taking and accountability. The organization must map the interrelationship of risks to controls, policies, enterprise assets (e.g., business process, employees, relationships, physical assets and logical assets), and incidents to business strategy, objectives and corporate performance.

Mature GRC delivers better business outcomes because of stronger integrated information, which will:
  • Lower costs, reduce redundancy and improve efficiencies by rationalizing the information architecture.
  • Deliver consistent and accurate information about the state of risk and compliance initiatives, to assess exposure.
  • Improve decision-making and business performance through increased insight and business intelligence.

Architect integrated GRC systems and processes

A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. No longer are risk and compliance about an annual audit; they now involve continuous monitoring in an ever-changing environment. GRC has to be sustainable as an ongoing and integrated part of business processes. A successful and mature GRC strategy has a symbiotic influence on the variety of business stakeholder roles and their common requirements.

Organizations need to be intelligent about what processes and technologies they deploy. The goal is to make an effective decision once, and comply with many regulations, manage a range of risks and maximize value from the convergence of technology, people and process. A sustainable approach to GRC results in an organization looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.

Mature GRC enables the organization to understand performance in the context of risk and compliance. It fulfills the definition of GRC, which is “a capability that enables an organization to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].” Effective and mature GRC delivers:
  • Holistic awareness of risk: There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise GRC framework.
  • Establishment of culture and policy: Policy must be communicated across the business to establish a risk and compliance culture. Policies are kept current, and reviewed and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives.
  • Risk-intelligent decision-making: This means the business has what it needs to make risk-intelligent business decisions. GRC strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of GRC: Accountability and risk ownership are established features of GRC. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
  • Multidimensional GRC analysis and planning: The organization needs a range of GRC analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — must be working and monitored for progress.
  • Visibility of risk as it relates to performance and strategy: The enterprise views and categorizes risk in the context of corporate objectives, performance and strategy. Key risk indicators (KRIs) are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to standards of information quality, integrity, relevance and timeliness.

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

To understand what GRC is all about, please see these OCEG videos:

This posting is from my most recent paper - GRC Maturity: From Disorganized to Integrated Risk and Performance.

Tuesday, March 27, 2012

Inevitability of Failure: Managing GRC in Silos

Success in today’s dynamic business environment requires the organization to integrate, build, and support business process with an enterprise view of governance, risk management, and compliance (GRC). Without an integrated view of risk and compliance, the scattered and non-integrated approaches of the past fail and expose the business to interrelationships of risk and compliance that were not understood. A mature GRC program is one in which the organization has an integrated process, information, and technology architecture providing visibility across risk and compliance domains. An integrated approach allows business managers and executives to leverage GRC data for risk-aware decision making and resource allocation.

Multifaceted risk environment

Risk to the business is like the hydra in mythology – organizations combat risks only to find more risks springing up to threaten them. So often risk and compliance strategies are like the ‘whack-a-mole’ game at the county fair. Executives are constantly reacting to risks appearing around them and fail to become proactive in managing and understanding the interrelationships of risk across the enterprise.

The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants, staffing), their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes, internal controls) and externally (e.g., competitive, economic, political, legal, and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area of the organization can have a profound impact on other risks.

Organizations are increasingly aware of the critical need to link risk management and corporate performance management. In order to manage corporate performance, the organization needs to understand risk and make risk-informed business decisions.

In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden business. Organizations face expanding regulations, increased fines & sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.


Isolated risk and compliance initiatives introduce greater risk

Managing GRC activities in disconnected silos leads the organization to the inevitability of failure. Reactive, document-centric, and manual processes for GRC fail to proactively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility of being intelligent about risk and understanding its impact on the organization.

A non-integrated approach to GRC impacts business performance and how it is managed and executed, resulting in . . .
  • Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility. The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements. This results in multiple initiatives to build independent GRC systems – projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture of risk. The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats. The result is poor visibility across the organization and its GRC environment.
  • Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently – introducing more points of failure, gaps, and unacceptable risk. Inconsistency in GRC confuses not only the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A GRC strategy that is reactive and managed in siloed and manual processes with hundreds to thousands of disconnected documents and spreadsheets handicaps the business. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies, and siloed processes that are not at the “enterprise” level and lack analytical capabilities. Business becomes bewildered in a maze of varying approaches, processes, and disconnected data that fail to be addressed with any sense of consistency or logic.
  • Greater exposure and vulnerability. No one sees the big picture. No one is looking at GRC holistically across the enterprise. The focus is on what is immediately before each department, not on the complex relationships and dependencies of risk across the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing spreadsheets, but neither deliver analytics nor align with business applications. All of this ends up in gaps that cripple GRC and a business that is ill-equipped to align GRC with the business.

The pain organizations have expressed

Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Corporate Integrity finds that organizations that lack a collaborative, integrated, and enterprise approach to GRC have:
  • Inability to gain a clear view of risks and their dependencies
  • High cost of consolidating disparate data silos and documents
  • Difficulty maintaining accurate data
  • Failure to report and trend GRC across assessment/reporting periods
  • Unreliable or irreconcilable risk assessment results because of different formats and approaches
  • Redundancy of risk management and compliance efforts
  • Failure to provide intelligence to support decision-making that crosses risk and compliance areas
  • Inconsistency in approaches to risk/compliance activities
  • Different vocabulary and processes that limit correlation, comparison and integration of information
  • Lack of agility to respond in a timely manner to changing environments and situations

Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.

Wednesday, February 1, 2012

State of the GRC Market, Q1-2012

2012: From the Chinese Year of the Dragon to Mayan Doomsday prophecies – this year certainly promises to be interesting (note: I myself do not hold to these views; feel free, if it interests you, to ask me my view on providence and the end of the world).

One thing is for sure: it is the year of GRC. I have never personally been involved in so many GRC strategic plans, training sessions, and RFPs. There certainly is more activity in the GRC market right now than at any other point in its ten-year history.

Which brings us to an important point – HAPPY 10TH BIRTHDAY GRC!

Yes, the GRC market is now ten years old. It was back in 2002, as an analyst at Giga Information Group (soon to be acquired at the time by Forrester Research, Inc.), that I was the first to model a market for professional services, software, and content and label it GRC (Governance, Risk Management, and Compliance). This was right before Sarbanes-Oxley (SOX) became law. That was providence: all that hard work in defining and scoping a market might have fizzled and dwindled if it were not for a major law from the U.S. Congress. While my original vision of the GRC market was well beyond what was defined with SOX, it is fair to say that SOX established and advanced the GRC market for several years, and continues to do so today. Today GRC strategies and spending encompass the breadth of enterprise and operational risk management, corporate compliance, audit, IT security, financial controls, corporate social responsibility, legal and other areas across the business.

There are over 400 vendors that I categorize into the GRC market. The market has evolved to embrace many niches. The analyst firms today do a disservice to the GRC market with a report that plots a handful of vendors against each other. The GRC market today is more akin to the breadth of the IT security market. Within the IT security market you have sub-markets for anti-virus, perimeter security, vulnerability scanners, intrusion detection/prevention systems . . . and more. The GRC market is at the point where it cannot fit into one graphic to plot vendors against each other. It is a whole market with several sub-markets – while some vendors offer solutions that embrace many components of it, there is no vendor that covers all of the GRC market.

The needs of the GRC market are varied by industry, role, as well as size of the organization.  Some are looking for solutions strong in elements of compliance while others in risk or audit.  Many GRC strategies start in what is referred to as IT GRC (I prefer IT Risk and Compliance) and expand to other areas. There are many perspectives and starting points.

The market has matured to the point that industry heavyweights such as IBM, Oracle, SAP, and SAS are providing stability, solutions, and thought leadership. This is supported by a legion of small to mid-sized vendors solving GRC problems from the narrow and focused to the enterprise GRC strategy. In the first month of 2012 we have already seen the beginning of what will be several mergers and acquisitions in the GRC market – the acquisition of Compliance 360 by SAI Global. This acquisition provides one of the most complete GRC offerings targeted at corporate compliance and ethics professionals.

GRC technology itself is evolving and changing.  After going through dozens of nominations I have now selected 10 vendors to receive Corporate Integrity’s 2012 GRC Technology Innovation Awards.  These will be announced next week.

A particularly important GRC development is the release of the OCEG GRC Capability Model version 2.1.  This is a significant achievement as it evolves the GRC Capability Model to take a broader understanding of risk and performance with several other enhancements.  For those that are looking for an integrated capability and process framework for GRC the OCEG model is the ONLY publicly vetted and open standard for GRC.  There are many excellent standards focused on niches of risk, compliance, and audit – but the OCEG GRC Capability Model is the only one that provides the integration and harmonization of these other frameworks and standards.  The OCEG GRC Capability Model is the GRC Rosetta Stone for organizations.

Tied to the GRC Capability Model is the release of the OCEG GRC Technology Solutions Guide 2.1. As the chair of the OCEG Technology Council, it is rewarding to see this work move forward as a framework to define and model GRC technology areas. It incorporates my thoughts with those of several other GRC pundits and thought leaders on the Technology Council. The OCEG GRC Technology Solution categories, listed below, are how I define, frame, model, and size the market (note: the only change I would make is the addition of a 29th category for identity and access management). The categories of the OCEG Guide and the framework are:

  • Audit and Assurance Management
  • Board and Entity Management
  • Brand and Reputation Management
  • Business Continuity Management
  • Compliance Management
  • Contract Management
  • Control Activity, Monitoring, and Assurance
  • Corporate Social Responsibility
  • Discovery/eDiscovery Management
  • Environmental Monitoring and Reporting
  • Environmental, Health, and Safety
  • Finance/Treasury Risk Management
  • Fraud & Corruption Detection, Prevention & Management
  • Global Trade Compliance/International Dealings
  • Hotline/Helpline
  • Information/IT Risk & Security
  • Insurance and Claims Management
  • Intellectual Property Management
  • Issue and Investigations Management
  • Matter Management
  • Physical Security & Loss Management
  • Policy Management, Communication, & Training
  • Privacy Management
  • Quality Management and Monitoring
  • Reporting and Disclosure
  • Risk Management (Enterprise & Operational)
  • Strategy, Performance, and Business Intelligence
  • Third Party/Vendor Risk & Compliance

OCEG will be rolling out the GRC Directory in a few months to index GRC solutions around this model for those looking for solutions.

A few further items of note:

  • For more detail on the State of the GRC Market, Q1-2012 I will be hosting my quarterly online market training seminar on February 15, 2012.
  • The first OCEG Technology Council call will be on February 16, 2012 for those that are members of the OCEG Technology Council.
  • Within OCEG I will also be chairing a new Council – the OCEG Policy Management Council, aimed at developing a defined policy lifecycle management process with supporting sample templates, policies, and style guide. This also is for OCEG Enterprise, Technology Council, and Leadership members.

I would love to hear your thoughts, interpretations, and experiences with the GRC software market.  Please comment below!

Tuesday, April 19, 2011

Hordes of Policies Scattered Across the Organization

Policy management is a critical component of a governance, risk, and compliance (GRC) strategy because it describes the desired practices and behaviors of the company under specific circumstances. Too often, the organizational approach to managing corporate policies and procedures is in complete disarray and chaos. Given the manner in which enterprise behaviors are currently directed and coordinated, the breadth and depth of the voluminous increase in relevant laws and regulations cannot be grasped.

The typical organization suffers from ineffective policy structures, content, coordination, lifecycle management, accessibility, accountability, and communication. As a result, organizations have:

  • Policies scattered across dozens of places: There is no single authoritative source where policies and procedures are consolidated, maintained, and managed. No single portal exists where an individual can see the policies that apply to their role, structured to support efficient access.
  • Policies bound by paper: With numerous printed policy manuals, the typical organization has not fully embraced online publishing and ubiquitous access to policies and procedures.
  • Policies grossly out of date: In most cases, a published policy is not reviewed and maintained on a regular basis. In fact, many organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness.
  • Policies have no owner: The typical organization has numerous policies and procedures that lack an owner responsible for managing them and keeping them current.
  • Policies lack lifecycle management: Most organizations maintain an ad hoc approach to writing, approving, and maintaining policy with no defined system for managing the workflow, tasks, versions, approval, and maintenance processes.
  • Policies do not map to exceptions or incidents: Typically, an established system to document and manage exceptions to policy is missing. Further, there is a lack of a structure to map incidents, issues, and investigations to policy — the organization is unaware of where policy is breaking down.
  • Policies do not map to standards, rules, or regulations: The typical organization does not have the ability to define and maintain a record of policies that address legal, regulatory, or contractual requirements. The organization does not have the ability to easily assess the impact of new or changing regulations that affect policy.
  • Policies lack adherence to a consistent style guide: The organization has policy that does not conform to corporate style and templates. Policies use complex language and excessive legalese, and are often written in the passive voice, making them difficult to read.

I would love to hear your thoughts on the chaos, disarray, and hordes of policies you see scattered across organizations and corresponding GRC policy management strategies to address this issue.

Tuesday, April 5, 2011

Why Policies Matter

Policies define boundaries for behavior of business processes, relationships, systems, and individuals. At the highest level, policies start with the Code of Conduct, laying forth ethics and values that extend across the enterprise. These filter down into specific policies at the enterprise level, into the business unit, department, and individual business processes. Expectations of conduct are written into policies, so individuals know what is acceptable and unacceptable.

Policy, done right, articulates corporate culture, the boundaries of individual and business behavior, and personal conduct. Consider that:

  • Policies articulate the governance culture and structure: Without policies there are no written standards about acceptable and unacceptable conduct. Without good policy, culture morphs, changes, and takes unintended paths without a compass to guide its way.
  • Policies articulate a culture of risk: This includes risk responsibilities, communication, appetite, tolerance levels, and risk ownership. Every organization takes risk — it is part of business. Without clearly written guidance and ownership, risk governance policy will be ineffective.
  • Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies establish the values, ethics, commitments, and social responsibility of the organization, when it comes to matters of discretion.

It is important to be clear: Policy does not provide corporate culture, nor does it resolve the issues of governance, risk or compliance (GRC). An organization can have a wide array of policies that are not adhered to, and end up in very hot water. However, policies are a necessary means to clearly define, articulate, and communicate the organization’s boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, but it cannot have a strong and established culture without it. The right policy is necessary to define and communicate what the organization is about.

Policies are the vehicle that communicates and defines culture so that culture does not morph out of control. This requires that policy be adhered to at every level, that exceptions to policy be governed, and that violations be dealt with consistently and responsively. Because a policy establishes a duty of care for the organization, mismanagement of policy can introduce liability to the organization. A policy violation, as a breach of that duty of care, can be used by regulators, prosecuting and plaintiff attorneys, and others to place culpability on an organization. It is paramount for an organization to establish policy it is willing to enforce – but it is also necessary to closely manage and monitor the policies that are in place.

I would love to hear your thoughts on Why Policies Matter and corresponding GRC strategies.

Thursday, January 6, 2011

GRC 2011: Gripes & Directions

No matter if you use the term or not – GRC (Governance, Risk Management, & Compliance) is a reality.  We are in 2011 and it has been ten years now since I first started using the term GRC in research and interactions with organizations.

The truth of the matter is – GRC as an acronym is approximately 10 years old, but GRC as part of business is as old as business itself. Organizations are governed and approach compliance and risk management in some form. The questions before them:

  • Are they doing it in a way that makes sense?
  • Are they doing it to achieve business agility, effectiveness, and efficiency?

Whether you use the acronym GRC or not does not matter to me – the truth is you are doing GRC in some form or fashion. As we enter 2011 it is time for me to put on the pundit hat and give you my gripes from 2010 and directions for GRC in 2011.

2010 Gripes

It is best to get gripes out of the way first – that way I can get them off my chest and not be weighed down as I discuss directions.  Interestingly, my gripes are mainly focused on technology vendors – I am sure I can find a burr or two under my saddle in other areas, but today I am focused on venting my frustration with GRC technology vendors:

  • Ignorance. Yes, vendors often frustrate me – some are great, others need a lot of help. What frustrates me is when vendors ignorantly communicate GRC as being about technology – technology is the enabler for GRC to achieve agility, efficiency, and effectiveness. GRC itself is broader than technology and should align with process and strategy.
  • Generic messages. Ignorant vendors have a generic message. I am tired of seeing vendors come into buyer situations telling them they have the best and most adaptable solution out there – it slices, it dices, it does your laundry. Good night – GRC is about solving problems; generic answers do not cut it. Most sales people from vendors completely miss the boat; they cannot put themselves in the shoes of the buyer. I remember one situation in which a buyer was addressing a Corporate Integrity Agreement (CIA) – several vendors that came into the deal never even read the CIA, which was publicly available and referenced in the RFP.
  • Blowing Up Deals. My biggest issue is the fact that the primary GRC vendors are focused on large enterprise deals.  They are pressured to close the big deal – often looking for 7 figures. Vendors come into a situation and are trying to fix organizational political issues/silos that the organization is not ready to address.  I have seen more GRC opportunities trashed or postponed because vendors insist on making the deal bigger than what the organization is ready for today.

2011 Directions

2011 will be an interesting year for GRC strategies, processes, and technology.  I pull out my crystal ball and give you the following predictions:

  • Standardized GRC process and definitions. Much of the problem about GRC is a lack of standardized guidance.  As my friend Norman Marks has commented, you can go to a conference and hear a dozen or more definitions of GRC.  This is changing as the OCEG GRC Capability Model has grown in popularity and adoption.  Dell is one company to be among the first to seek process certification for their anti-corruption processes against the GRC Capability Model.
  • GRC professional certification. OCEG also is poised to roll out the GRC Professional Certification in the next month.  This is an encouraging process to get more individuals trained and supporting a common GRC framework.  The last two GRC Process, Strategy, and Technology Bootcamps delivered the early version of the test and enabled attendees to be among the first to get the certification.
  • Year of corporate compliance. A lot of attention has been given to SOX, audit, and IT risk and compliance.  2011 is the year that the most significant growth will be in the corporate compliance department.  This is a department that has been burdened by manual and ad hoc processes for years and is now becoming aware of how technology, particularly integrated with content, can streamline operations.  Issues such as the UK Bribery Act and other regulatory/enforcement actions continue to drive this role as well as compliance evolving into a champion of values and ethics and not just the corporate cop.
  • Performance and ERM. Back to a gripe that I forgot above – ERM.  I continue to be frustrated with many ERM programs that are nothing more than an expanded view of financial controls (an evolution of SOX initiatives).  I see growing interest in ERM being driven from the board down and one that is focused on and integrated into strategy and performance.  BTW – many vendor offerings are inadequate for true ERM as they simply are a replacement for spreadsheets and have very basic models for representing risk.
  • Risk & compliance in the extended enterprise. Extended business relationships — those involving the supply chain, value chain, vendors, service providers, outsourcers, and contractors — require the same vigilance in mitigating risks and staying in compliance, as do internal enterprise activities.  Third-party risk management and compliance obligations have steadily increased over the past decade, coming either directly from statutes and regulations or indirectly.  Whether imposed by statute or from a business partner, managing such risk across the constellation of business relationships requires an approach that is effective, repeatable, and defensible.
  • Risk & regulatory intelligence. A sound GRC strategy is not just built on technology but also content.  More and more solutions are differentiating themselves by offering packaged content of policies, procedures, risk libraries, assessments and controls.  Leading solutions also integrate with knowledge/content services to keep the organization apprised of relevant risk and compliance developments around the world that impact their business.
  • Effective policy management. I am seeing increased interest in developing consistent policies and procedures within organizations and managing them within a well-defined life cycle.  Policies and procedures are a cornerstone of a solid GRC strategy that in the past has often been neglected.  Organizations are finding increased exposure to liability for ineffective policies that are out of date, confusing, and not understood.
  • Fixing problems. There are some organizations executing large enterprise-wide GRC strategies that focus on collaboration across GRC roles.  However, this represents only 10 to 20% of GRC deals.  Most GRC deals are focused on fixing specific problems that bear down on the organization.  Organizations want to leverage processes and technologies for other areas – but immediately they want to solve the problem before them.  This will continue over the next several years as organizations remain reactive and only a few focus on strategic proactive GRC initiatives.
  • Expansion and consolidation. The market for GRC technology will continue to expand as more vendors enter the market which will be complemented by further consolidation as larger vendors continue supplementing their GRC offerings through acquisition of smaller vendors.  We will also see smaller vendors pull together to broaden their offerings and compete against the larger vendors.
  • Mid-market focus. Much of the GRC focus has been on the Global 1000 – attention is now moving to encompass mid-market companies as well.  These companies, as I started this discussion, have GRC strategies whether they call it that or not – but are looking to improve their business efficiency, effectiveness, and agility for GRC.  This starts with solving immediate pressing problems and expanding to other areas with consistent processes and technology.
  • David and Goliath. The small vendor tends to be more agile, ready to adapt to customer needs, and quick to implement bleeding edge technologies.  While the Goliaths have taken up the challenge and have pulled in smaller vendors to bolster their offerings – it is the smaller vendors that tend to have the most intriguing cutting edge offerings that continue to expand how GRC can be managed within an organization.
  • Prices come down. Regarding vendors, it is time for prices to come down.  Many GRC technology opportunities are shut down because the primary vendors are looking for very large deals.  I might not be very popular with this – but prices have to come down for GRC technology to achieve broader adoption.  This will be done as a variety of new and existing vendors are poised to offer very feature rich solutions at lower price points – particularly to compete against the large IT companies in the space.

These are my collective thoughts – I could write volumes on this and more.  In 2010 I had personal interactions (e.g., engagements, interviews) with over 100 different organizations implementing GRC strategies to address various problems across industries.  This does not count the scores of interactions with vendors and professional service firms.  Those subscribing to my newsletter and blog have grown to over 7,000.  The Corporate Integrity LinkedIN Group has grown to over 2,300.   It has been a good year – and I expect it to be an even greater year in 2011!

Happy New Year!  May 2011 bring your organization commitment to sound values, ethics, and practices in light of Principled Performance supported by a sound GRC strategy, process, and technology architecture! Please feel free to comment and share your thoughts and experiences on the GRC market . . .

Wednesday, October 27, 2010

Regulatory Intelligence: Bombardment of Regulations upon Organizations

After a brief hiatus, I turn our attention back to the issues of policy management and compliance. We will now explore (over several posts) the issue of Regulatory Intelligence and Monitoring.

Hordes of regulation bear down on the organization

Business is under siege by a legion of laws and regulations. Compliance itself has become difficult as business is bombarded with thousands of new regulations in addition to changes to existing regulations each year.

At the U.S. Federal level alone (not U.S. State or local jurisdictions; not other countries) there were over 3,500 new regulations issued last year. This brings the total number of regulations issued since 1995 to nearly 60,000 (from the Competitive Enterprise Institute’s 10,000 Commandments). In addition to that, there are another 4,000 regulations pending – waiting for approval. Add in the breadth of State laws and the laws in other countries that business has to comply with, and the sheer volume is staggering.

The Open Compliance and Ethics Group, in compiling its guidance on common requirements across employment and labor laws at the U.S. Federal, State, and local jurisdiction level, sifted through more than 3,000 employment/labor laws and regulations across the U.S.

The problem is not just a U.S. problem. A leading Brazilian bank has catalogued over 80,000 regulatory requirements that impact its operations around the world.

Organizations are in a complex environment of regulatory risk. When the organization approaches regulatory risk management and compliance in scattered silos that do not collaborate with each other there is no possibility to be intelligent, let alone wise, about risk decisions that could impact business execution or strategy.

Lack of regulatory intelligence

Organizations suffer from a lack of regulatory intelligence. The typical organization does not have adequate processes in place to monitor regulatory change, determine impact on business processes, prioritize and make changes to policies, procedures, and controls – particularly in an environment under siege by an ever changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, or even court proceedings all can have a significant impact on the organization.

Information itself is not enough – organizations are overwhelmed by data through legal and regulatory newsletters, websites, emails, journals, and content aggregators. In fact, the overwhelming amount of information and duplication of information is part of the problem. Organizations fail in regulatory monitoring itself, which is the first step towards regulatory intelligence. The organization needs regulatory intelligence – getting the right information to the right person to be able to decide how and when the organization needs to process regulatory change. Organizations need to grasp the breadth of regulatory data and transform this information into intelligence, which then brings knowledge that can be acted upon in a measurable and consistent manner.

Regulatory intelligence is about enabling accountability and reliability in responding to changes in the legal and regulatory environment that the business operates in. The primary directive is to alert the organization to regulatory and legal conditions that can impact its business. It is part of a broader risk intelligence strategy that monitors external and internal changes to the business environment, and alerts the organization to risk conditions (e.g., geo-political, economic, natural disaster) that can impact its business.

The corporate compliance and legal roles struggle with monitoring a growing array of regulations, legislation, regulator findings/rulings, and case law. Regulatory intelligence systematically streamlines monitoring by using an automated process with workflow, task management and accountability documentation that results in meaningful information to consistently manage regulatory change. The challenge is for organizations to develop processes that harness internal and external information from so many sources, be intelligent about their risk and regulatory environments across different parts of the business, and be able to demonstrate their process and state of compliance.

The Bottom Line: Organizations need to move from ad hoc monitoring and execution of regulatory changes to a regulatory intelligence process.

I would love to hear your thoughts on Regulatory Intelligence and corresponding organizational strategies. Please feel free to comment on this blog.

Tuesday, September 21, 2010

Why GRC & What Is It?

GRC, simply put, is to provide collaboration between silos of governance, risk, and compliance. It is to get different business roles to share information and work in harmony. Harmony is a good metaphor: we do not want discord, where the different parts of the organization are going down different roads and not working together. We also do not want everyone singing the melody, as different roles (such as risk, audit, compliance) have their different and unique purposes.

Note: GRC is not a restructuring of the organization. It is getting varying risk and compliance roles to cooperate, collaborate, and share so there is a big picture of risk and compliance to oversee that the organization is properly governed.

When it comes down to it . . . the acronym is not important, there are many GRC initiatives that I get involved with that do not use the term GRC. The goal is the same – to drive efficiency, effectiveness, and agility across risk and compliance processes to support a dynamic and extended business environment. GRC is a lot about process improvement and sharing information and processes. It is about simplification and efficiency.

Compliance should not drive risk. Nor should risk drive compliance. They both should cooperate with each other and share relevant information. Compliance is being challenged to do periodic risk assessments for unethical/non-compliant/criminal behavior. Audit is being challenged to do risk-based audits. Should these roles completely reinvent risk and risk management or work with the risk management team within an organization cooperatively, to learn from the risk experts themselves, to use a framework like ISO 31000 which is aligned to the OCEG GRC Capability Model?

On the flip side, risk needs to work with compliance. The current economic mess is due in part to many banks that had good credit risk policies – they knew their thresholds and appetite, and it was articulated in policy. The issue was they were not compliant with their policies. Risk management without a compliance program is ineffective. Again – two different departments with their own expertise that need to work together.

I think we all know the answer to that. Cooperation is best. To let different areas of the business lead where they excel but not dominate the others. But to work together in harmony – to collaborate and share information and processes so we can achieve a holistic view of risk and compliance across the business.

While the GRC term is 8 years old, I state in my research and teaching that it is nothing new. Organizations have been doing GRC all along. The issue is have they been doing it efficiently (human and financial), effectively (meeting internal and external requirements), and with the proper agility (for a dynamic and extended business environment)? Does the approach we have been taking make sense or are there better ways to do things that bring more process efficiency?

That is what GRC is about – that is the philosophy behind it.

As for the formal definition of GRC. . .

From OCEG’s GRC Capability Model: GRC is a system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile, and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system.

As my friend and colleague Norman Marks states, “The definition can perhaps best be summarized as how an organization understands stakeholder expectations and then directs and manages activities to maximize performance against those expectations, while managing risks and complying with applicable laws, regulations and obligations.”

I have some IMPORTANT NEWS to announce. The OCEG GRC Certification test is ready to be released.

GRC Certification & Training

To date there has not been a GRC certification for individuals that is based on a publicly vetted common body of knowledge. The only source of such knowledge, in my experience, has been OCEG’s GRC Capability Model.

Now OCEG is releasing a GRC certification for individuals based on the very popular GRC Capability Model.

This is a landmark certification. There is no other GRC certification based on an open and vetted source of GRC guidance that is a compendium (I call it the GRC Rosetta Stone) of guidance from across over 100 standards, frameworks, best practices, and regulatory guidance. This is the GRC Capability Model found in the OCEG Red Book. It defines a process model of common elements, principles, sources of failure, and other areas for a successful GRC strategy or individual risk and compliance effort.

OCEG has confirmed that those that attend the next two GRC Bootcamps (London in October and Dallas in November) will have an opportunity to take the written test during the bootcamp with no additional fee for testing – only for these two bootcamps. However, the individual registering for the bootcamp and to take the test must be an OCEG Individual Premium member or higher. I highly recommend that you consider attending one of the next two GRC Bootcamps so you can be among the first to receive this certification. After these two Bootcamps there will be an additional fee for the test/certification.

London, UK: GRC Strategy, Process, & Technology

Date: Wednesday, October 27 – Friday, October 29, 2010 (6 seats left as of this email)

Dallas, TX, USA: GRC Strategy, Process, & Technology

Date: Wednesday, November 10 – Friday, November 12, 2010 (8 seats left as of this email)

OCEG’s GRC360 Executive Forum in Amsterdam . . .

A few seats are still available at OCEG’s GRC360 Executive Forum in Amsterdam on October 4-5th. Register now to join us for this day and a half event for senior executives in risk, internal control, and compliance. Stay for a lunch meeting on the 5th to plan OCEG’s European Committee.

BOOTCAMP: GRC Strategy, Process, & Technology

Join Corporate Integrity, LLC, one of the contributors to the OCEG Red Book 2.0, in a three-day training exercise in GRC Strategy, Process, and Technology. Attendees will receive value in understanding GRC and defining a GRC strategy that aligns to OCEG’s GRC Capability Model. This bootcamp is authorized and endorsed by OCEG.

The objective of this bootcamp is to provide attendees with the knowledge and hands-on practice necessary to efficiently design a GRC program based on the GRC Capability Model. Attendees will learn about defining a GRC strategy and associated processes aligned with the GRC Capability Model through lectures and practical group interaction, discussions, and exercises.

Attendees of the GRC Strategy, Process, & Technology Bootcamp will gain a practical understanding of the following learning objectives:

  • Aligning risk and compliance in the context of business objectives
  • Understanding, defining, and enhancing organizational culture as it relates to GRC
  • Implementing GRC processes that increase stakeholder confidence
  • How to prepare and protect the organization while preventing, detecting, and reducing adversity
  • Strategies to motivate and inspire desired conduct
  • Improve responsiveness and efficiency of GRC processes
  • Optimizing the economic and social value of the organization
  • Understanding technology’s role in GRC
  • How to develop a GRC strategic plan
  • Ongoing monitoring of GRC activities through metrics and measurement

London, UK: GRC Strategy, Process, & Technology

Date: Wednesday, October 27 – Friday, October 29, 2010

Dallas, TX, USA: GRC Strategy, Process, & Technology

Date: Wednesday, November 10 – Friday, November 12, 2010

The next bootcamp after this is the New York City GRC Bootcamp in January 2011 – though the test will be an additional charge.

New York, NY, USA: GRC Strategy, Process, & Technology

Date: Wednesday, January 26 – Friday, January 28, 2011

Upcoming Corporate Integrity Events

  • 10/7 CONFERENCE: Central Iowa IIA/ISACA Conference
  • 10/14 WEBINAR: Collaborative Accountability in GRC: Creating Harmony Across Business Roles, with Mitratech and ComplianceWeek
  • 11/3 WEBINAR: Making GRC Intelligent within Financial Services Organizations, with SAS and Bank Systems & Technology
  • 11/4 WEBINAR: Effective Policy Management & Communication, with OpenPages
  • 12/8 CONFERENCE: 2010 Symposium on Compliance, Risk, and the Bottom Line

Sincerely,


Michael Rasmussen, J.D., CCEP, OCEG Fellow
Risk & Compliance Lecturer, Writer, & Advisor
mkras@Corp-Integrity.com
LinkedIn · Twitter

Corporate Integrity LinkedIN Group

Tuesday, July 13, 2010

Achieve GRC Value: Efficient Business Process and Application Monitoring

Business today requires agility and efficiency to stay competitive. Organizations must respond rapidly to changing conditions, while managing financial and human capital costs.

Compliance processes often work against business agility and efficiency. Requirements and initiatives bear down on the business, and become burdensome and inflexible. When managed manually and/or across numerous siloed business units, compliance can slow down and encumber the business.

Risk can be a burden or a tool that enhances business performance. Healthy risk-taking drives business; however, organizations must understand whether they are taking the right risk, if risk is being managed effectively, and how to monitor risk. A cavalier and uncontrolled approach to risk will result in disaster — even for companies with strong brands.

Poorly managed risk and compliance generates complexity, redundancy, and failure. In this instance, the organization is not thinking about how controls and processes can be architected to meet a range of risk and compliance needs — nor does it gain an understanding of how risk management and compliance impact corporate performance. Too often organizations are reactive and lack a cohesive strategy. This isolated and periodic snap-shot approach to risk and compliance causes organizations to spend excessively on internal management and external auditors.

What may seem like an insignificant risk in one part of the organization may have a different impact when other risks are factored-in, either from another business process or risk category. Organizations are at-risk when they rely upon out-of-sync controls and disconnected corporate policies. Executives are becoming aware of these redundant risk-and-compliance projects, and are identifying the need for an integrated governance, risk, and compliance (GRC) strategy.

Organizations report significant issues and cost associated with manual and basic technology approaches in these areas:

  • Common anomalies, malicious activity, and errors go undetected.
  • Significant spend on external auditors and consultants.
  • Horrendous reporting.
  • Unmanageable amounts of paper and spreadsheets.
  • Reactive after-the-issue fire fighting.

Success in today’s dynamic environment requires organizations to integrate, build, and support business processes with an enterprise view of GRC. While new risk and compliance issues constantly come to bear, organizations must take care to tackle the problem at its roots. A sustainable enterprise view of GRC means accountability is effectively managed and a complete system of record provides visibility across the key business processes and multiple applications.

Technology should empower business-process owners (who are also the control owners) to manage risk and compliance continuously. Technology can directly integrate controls within business processes, applications, and systems to prevent and/or detect unwanted behavior. IT should not be required to operate the control environment, which will improve the security of the audit trail. Audit does not need to be a quarterly event, but part of everyday activity and good business practices. This leads to cost savings and efficiency, while allowing the organization to remain agile.

A well-designed system of control is not necessarily a well-operating system of control. Many organizations pursue GRC with limited results as they have focused their efforts on GRC documentation. While this concept and approach to GRC is a good start, achieving efficiency in GRC requires a GRC strategy to be operating effectively not just designed (documented). Operating effectiveness is where GRC value is obtained and is built upon design effectiveness:

  • Design effectiveness: Begins with understanding of how a GRC system of internal control is effectively designed. To determine this, the organization starts by documenting controls and processes. An assessment is performed, and for each risk and compliance requirement, controls and incentives that mitigate risk are identified. Ultimately, the organization must determine whether these controls and incentives and the system as a whole are designed to satisfy stakeholders and regulators while managing risk and requirements.
  • Operating effectiveness: An effectively operating GRC system considers how GRC is being managed within business, and its impact on the business. The organization should determine if the system operates as-designed, and if the system supports the needs of a dynamic business in a way that increases business agility while minimizing use of financial and human capital resources.

Organizations face a complex array of risk and compliance demands that impact the business. The organization must implement control-monitoring processes and technology that streamlines GRC operations, minimizes risk, meets regulatory requirements, and supports business agility and efficiency. GRC control monitoring should exist within the context of business processes and the supporting application environments, and across all potential sources of change to those controls.

Achieving efficiency and value in GRC requires a long-term GRC vision, and shorter-term wins. The more extended and distributed the business is, the more challenging risk and compliance are to manage. A solid GRC foundation provides an extensible technology platform that is adaptable and scalable. An enterprise GRC solution does not operate as a silo unto itself, but integrates with critical business processes and applications. The goal is to:

  • Avoid issues and mitigate risk: Organizations must mitigate loss, fraud, error, and risk within acceptable boundaries. GRC automation allows the organization to detect potential or actual issues within key business processes and applications, to avoid negative or unintentional consequences.
  • Reduce reporting time: Effective operation of GRC means creating efficiency in human and financial capital resources. It is critical to implement a GRC approach that reduces the amount of time spent by internal and external assurance personnel.

GRC is about protecting the business — staying within defined risk and requirement boundaries to minimize loss while optimizing performance. An organization approaching GRC proceeds through three levels of maturity:

  1. Manual and isolated: The first level is a reactive approach to risk and compliance. Different issues are managed in different parts of the organization, relying on burdensome and costly approaches to managing risk and compliance. This ad hoc approach is a manual and labor-intensive process, and results in mountains of paper and electronic documents. This produces a compliance posture that is often full of holes or outright smoke-and-mirrors.
  2. Documentation and workflow: The second level is documentation of GRC controls and processes. This is often maintained in document or policy-management systems that have content and workflow capabilities, but little understanding of business processes and no integration with the underlying business application environment. The focus of this level of maturity is the design effectiveness of GRC — to document the business appropriately to satisfy regulators and stakeholders.
  3. Control automation and monitoring: The third level focuses on the operating effectiveness of GRC. Here, the organization achieves economies in GRC through processes and controls connected and in-sync with objectives, policies, and risks associated with business processes and applications. Value is created by ensuring that control violations are identified immediately, minimizing loss from fraud and errors, and by greater efficiency in human and financial resources.

The most economical GRC approach focuses on automation and efficiency. The goal is to connect policies and procedures to control objectives and automate monitoring and enforcement of controls. Automated controls can span business processes, applications, and information to reduce inefficiencies in current methods of internal control monitoring and validation.

The importance of automated monitoring increases as the velocity of change steps up within the organization. Change can be good or bad. As companies expand the number of users spread across geographies, there is more opportunity for mistakes, fraud, or operational errors. Growth also multiplies the application levels within which users can make changes, for both end-users and database users. Changes can also come from third-party systems running batch processes, application triggers that are poorly implemented, or stored procedures that do not leave a transaction footprint. Accidental changes can occur during IT system upgrades, patches, or restarts.

When control monitoring becomes a background process of everyday business activities, a continuous real-time audit trail is always available. This eliminates the need for time-consuming investigations that take place when exceptions are identified, weeks or months after the fact. The scope of monitoring can expand beyond a limited subset of key controls required for compliance activities. By empowering business process owners to monitor the integrity of their operations, operational risk from fraud and errors is greatly reduced.

For audit and compliance, this eliminates or greatly reduces sample-based audits while providing a comprehensive control baseline and change history for data and processes. The scope of review can also be significantly expanded without requiring additional resources: Audit processes that were performed once every several years can be done continuously. Once validated, auditors can rely on the existence of automated controls and continuous change-tracking as evidence of compliance.

This posting has been an excerpt of Corporate Integrity’s published research, Achieve GRC Value – Efficient Business Process & Application Monitoring.

I would love to hear your thoughts on the topic of GRC Software. Please feel free to comment on this blog or send me an e-mail.

Tuesday, June 15, 2010

GRC Reference Architecture: Making Sense of the GRC Technology Landscape

While GRC is ultimately about collaboration and communication between business roles and processes, technology provides the backbone that enables GRC. To describe this technology, Corporate Integrity has defined the GRC Reference Architecture (this is closely aligned to the second version of the Open Compliance & Ethics Group (OCEG) GRC Technology Blueprint).

This model is meant to be a practical and applicable tool for organizations trying to understand and implement technology for GRC.

GRC today is akin to customer/client relationship management (CRM) in the 1980s. Before CRM systems and processes entered the organization, client information and relationships were being managed. The challenge was that there were scattered silos that created inconsistent and redundant data, with no view into the entire profile of the client and its interaction with the business. CRM systems create a single view of customer information and interaction across business processes and roles. GRC systems and processes aim to achieve the same thing — to provide an integrated picture of governance, risk, and compliance information and processes across the business. This requires an integrated view of GRC business process and technology architecture.

A high-level view of the GRC Reference Architecture comprises the following areas:

  • Information architecture: Conceptualizes the interrelationship of GRC-related information that brings agility, efficiency, and effectiveness to the entire organization.
  • Enterprise GRC applications: Represents solution areas that span risk and compliance roles and processes. These solutions are not locked to a single business role, function, and process, but are leveraged among all of them.
  • GRC role and process-specific applications: Describes GRC-role specific applications. These are solutions designed for a specific business role or function to accomplish a specific set of tasks. These applications are typically used predominantly by one area of the organization.

A firm GRC foundation is built upon solid information architecture. The burden, inefficiency, and ineffectiveness — as opposed to agility, efficiency, and effectiveness — of risk and compliance processes results from a lack of integrated and interrelated information architecture.

An intricate relationship of information from across the organization is the heart of a successful GRC technology strategy. All policies, risks, controls, events, requirements, enterprise assets and processes, responsibilities, and objectives interrelate and support each other. When managed in information silos, each of these areas brings inefficiency to the risk and compliance processes.

For example, organizations must understand which policies set management thresholds for specific risks; which events violate specific policies, materialize risk, and cause infractions of regulatory requirements; which controls are established for specific policies and are defined to control certain risks; and which business objectives involve risk, and how their controls allow pursuit of the objective but stay within acceptable risk-tolerance levels.
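As an added example (not code from the original posts or from Corporate Integrity’s research), the following Python sketch ties the information model described above, where a policy sets a threshold for a risk and a control enforces the policy, to the automated control monitoring and control baseline discussed in the previous post; the policies, roles, change tickets and event stream are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example: a small GRC information model (risk <- policy <- control) with
# continuous control monitoring run over a constructed event stream.


@dataclass(frozen=True)
class Policy:
    policy_id: str
    risk_id: str        # the risk this policy sets a management threshold for
    threshold: float    # maximum single payment amount (threshold policies only)


@dataclass(frozen=True)
class Control:
    control_id: str
    policy_id: str      # the policy this control enforces


@dataclass(frozen=True)
class Finding:
    event_id: str
    control_id: str
    policy_id: str
    risk_id: str
    reason: str


# Constructed information model (illustrative only).
POLICIES: Dict[str, Policy] = {
    "P1": Policy("P1", "R1", 10_000.0),   # R1: unauthorized payment
    "P2": Policy("P2", "R2", 0.0),        # R2: privileged access misuse
}
CONTROLS: Dict[str, Control] = {"C1": Control("C1", "P1"), "C2": Control("C2", "P2")}
PRIVILEGED_ROLES: Set[str] = {"db_admin", "payments_approver"}


def _finding(event_id: str, control: Control, reason: str) -> Finding:
    # Link a violation back through control -> policy -> risk.
    policy = POLICIES[control.policy_id]
    return Finding(event_id, control.control_id, policy.policy_id, policy.risk_id, reason)


def check_payment(event: dict, control: Control) -> Optional[Finding]:
    """Threshold control: flag a payment above the limit its policy sets."""
    limit = POLICIES[control.policy_id].threshold
    if event["amount"] > limit:
        return _finding(event["id"], control, f"amount {event['amount']:.2f} exceeds {limit:.2f}")
    return None


def check_role_change(event: dict, control: Control, baseline: Dict[str, Set[str]],
                      approved: Dict[str, Tuple[str, str]]) -> Optional[Finding]:
    """Baseline control: a privileged grant must match an approved change ticket.
    Sanctioned grants are folded into the baseline so it tracks approved access."""
    user, role, ticket = event["user"], event["role"], event.get("change_ticket")
    if role in PRIVILEGED_ROLES and approved.get(ticket) != (user, role):
        return _finding(event["id"], control,
                        f"privileged role {role!r} granted to {user!r} without approved change")
    baseline.setdefault(user, set()).add(role)
    return None


def monitor(events: List[dict], baseline: Dict[str, Set[str]],
            approved: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Evaluate each event against the control mapped to its event type."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "payment":
            result = check_payment(ev, CONTROLS["C1"])
        elif ev["type"] == "role_change":
            result = check_role_change(ev, CONTROLS["C2"], baseline, approved)
        else:
            continue    # event types with no mapped control are not monitored
        if result is not None:
            findings.append(result)
    return findings


def drift_from_baseline(observed: Dict[str, Set[str]],
                        baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Snapshot check: privileged roles present in the system that no approved event
    ever added, i.e. a change that left no transaction footprint."""
    findings = []
    for user, roles in observed.items():
        for role in sorted((roles & PRIVILEGED_ROLES) - baseline.get(user, set())):
            findings.append(_finding(f"snapshot:{user}", CONTROLS["C2"],
                                     f"privileged role {role!r} held by {user!r} not in baseline"))
    return findings


def exposure_by_risk(findings: List[Finding]) -> Dict[str, int]:
    """Roll findings up from the control level to the risk level."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.risk_id] = counts.get(f.risk_id, 0) + 1
    return counts


# Constructed sample data: baseline access, approved changes, events and a later snapshot.
EVENTS = [
    {"id": "E1", "type": "payment", "amount": 4_250.00, "user": "alice"},
    {"id": "E2", "type": "payment", "amount": 12_500.00, "user": "alice"},
    {"id": "E3", "type": "role_change", "user": "carol", "role": "db_admin", "change_ticket": "CHG-42"},
    {"id": "E4", "type": "role_change", "user": "bob", "role": "db_admin", "change_ticket": None},
    {"id": "E5", "type": "role_change", "user": "bob", "role": "reader", "change_ticket": None},
]
APPROVED = {"CHG-42": ("carol", "db_admin")}
BASELINE = {"alice": {"payments_clerk"}}
SNAPSHOT = {"alice": {"payments_clerk"}, "carol": {"db_admin"},
            "bob": {"reader", "db_admin"}, "dave": {"payments_approver"}}


def run_sample() -> Tuple[List[Finding], Dict[str, int]]:
    baseline = {user: set(roles) for user, roles in BASELINE.items()}
    findings = monitor(EVENTS, baseline, APPROVED) + drift_from_baseline(SNAPSHOT, baseline)
    return findings, exposure_by_risk(findings)
```

Each finding carries the control, policy and risk it traces to, so the same audit trail answers both the control-level question (which control fired) and the risk-level one (how exposed is R2).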

Enterprise GRC applications interact, share, and leverage the information model to deliver sustainable, consistent, efficient, transparent, and accountable GRC processes. This requires the application to be used across the business as a platform that touches and interacts with a variety of business roles and information. These foundational applications must deliver on the GRC philosophy of a common architecture and collaboration across business roles and interests.

Dozens of application categories fall outside the enterprise GRC application core; these applications focus on specific business roles and functions, such as quality, environmental, health, and safety (EH&S), and matter management. The enterprise GRC application core consists of the following applications:

  • Audit and assurance management: Audit and assurance management systems manage audit cycles and output — this includes audit resource scheduling and calendaring, audit work paper management, and audit process management.
  • Case and investigations management: Case and investigations management software is used to manage investigations, issues, incidents, events, or cases. It specifically provides consistent documentation and management of events — from reporting to managing and documenting the investigation, to recording the loss and business impact.
  • Compliance management: Corporate compliance systems support the overall coordination of legal, regulatory, contractual, and corporate policy requirements and responsibilities with associated tasks and records of adherence.
  • Control activity and monitoring: Control management and monitoring systems provide the ability to define, record, map, monitor, change, alert and report on information processing (financial and operational data). This includes the limitations or conditions applied to amounts and parties in a transaction; user access, rights, and responsibilities; and accounts, workflows, and process initiation.
  • Hotline/helpline: Employee hotline and helpline systems are confidential, independent information intake and response systems for reporting potential internal fraud, negligence, or impropriety by co-workers, partners, or contractors. Employees can also use them to seek clarification on policies and procedures.
  • Policy and procedure management: Policy and procedure management systems help develop, record, organize, modify, maintain, communicate, and administer organizational policies and procedures in response to new or changing requirements or principles, and correlate them to one another.
  • Risk and regulatory intelligence and monitoring: Regulatory intelligence and monitoring systems monitor external and internal changes and alert the organization to regulatory and legal conditions that can affect its business. Risk intelligence and monitoring systems monitor external and internal changes and alert the organization to risk conditions (e.g., geopolitical, economic, natural disaster) that can affect its business.
  • Risk management: Enterprise risk management (ERM) systems manage the implementation of frameworks and processes that apply parameters, indicators, measures, consequential outcomes, and business scenarios to financial and non-financial risks. Operational risk management systems implement and monitor risk processes that define parameters, indicators, consequence analysis, and "what-if" scenarios arising from performing tasks and from passive activities. Risk analytics and modeling systems help identify specific causes of risk, given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously; these tools run historical reviews, simulations, and interpretations, and project impacts on operations, assets, or individuals.
  • Strategy, performance, and business intelligence: BI, strategy, and performance systems manage the collection, integration, analysis, and presentation of planning, strategy, performance, operational, procedural, and decision-making information at every layer of the organization.
  • Training and awareness: Training and awareness systems deliver and track training on compliance, policy, and risk topics for employees and extended business relationships. They combine training content with learning management system capabilities.

The enterprise GRC application core provides the foundation of GRC across the business. All of these applications can be leveraged from one side of the business to the other, to provide a consistent approach to GRC across silos of risk and compliance. However, a variety of business functions and roles have specific needs that demand applications aimed at their business function. These applications plug into the broader GRC Reference Architecture.

GRC is a federated effort. There is no such thing as one group of the organization that "does" GRC. While there may be a role in leading the collaboration, GRC must extend throughout the business.

Business role- and function-specific applications predominantly focus on the needs of a specific business function, process, or role in the enterprise. Applications in this area may have significant risk and compliance relevance and impact on the enterprise, but 80% (or more) of their use is by a specific user or role subset. The enterprise application core, by contrast, represents applications that span GRC business users and roles across the business.

The business roles and functions with specific needs for GRC technologies and applications are scattered across the enterprise. In one sense, every part of the business touches GRC as it relates to different aspects of performance, risk, compliance, values, and control. Primary (not all-inclusive) business function/role application categories include:

  • Third-party/vendor/supply-chain risk and compliance
  • Board and entity management
  • Brand and reputation management
  • Business continuity management
  • Contract management
  • Corporate social responsibility
  • Discovery/e-discovery management
  • Environmental monitoring and reporting
  • Environmental, health, and safety
  • Fraud detection and prevention
  • Global trade compliance/international dealings
  • Information/IT risk and compliance
  • Insurance and claims management
  • Intellectual property management
  • Loss management
  • Matter management
  • Physical security management
  • Privacy
  • Quality management and monitoring
  • Risk management – finance and treasury

These categories represent a significant but not exhaustive look at the risk and compliance software solutions targeted at specific areas of the business. Such applications must be able to report and feed information into broader GRC reporting systems and dashboards to maintain a 360-degree view of GRC. All are relevant to, and part of, a broad GRC strategy.

The GRC Reference Architecture is a model of the technology landscape of GRC solutions. Currently there are more than 400 different technology providers delivering solutions for narrow to broad aspects of governance, risk, and compliance. The GRC Reference Architecture is part of Corporate Integrity’s broader GRC EcoSystem, which catalogs more than 1,300 technologies, professional service firms, and information/content providers. This posting has been just an excerpt of Corporate Integrity’s published research, GRC Reference Architecture: Understanding the GRC Technology Landscape.

I would love to hear your thoughts on the topic of GRC software. Please feel free to comment on this blog or send me an e-mail.

ONLINE WORKSHOP: The GRC Reference Architecture

Understanding & Approaching GRC Technology for Your Business

GRC – Governance, Risk, & Compliance. Whether you use this specific acronym or not, the fact is your organization does GRC. There is not a single executive who will tell you that they lack corporate governance, do not manage risk, and completely ignore compliance. The truth of the matter: GRC has been a part of business since the dawn of business. In this 2-hour online workshop, Corporate Integrity defines and communicates The GRC Reference Architecture. This GRC Reference Architecture is part of my broader GRC EcoSystem of technology, consultants, and information providers (over 1,300 firms cataloged to date), and is synchronized with the OCEG GRC IT Blueprint.

The GRC Reference Architecture comprises an information framework, enterprise core GRC application(s), role/business function-specific applications, and industry- and geographic/jurisdiction-specific applications.

The goal is to help organizations understand the breadth of the GRC technology landscape and how different GRC technologies can and should work together, and to provide the foundation for developing a GRC technology plan that supports your organization's risk and compliance process requirements.

Date: Thursday, July 01, 2010 from 11:00 AM – 1:00 PM (CT)