Monday, September 26, 2011

Role of Technology in Anti-corruption Compliance

With increased exposure to anti-corruption laws and investigations, and defined anti-corruption practices, how does an organization go about using technology to manage anti-corruption compliance?

Compliance needs to be an active part of the organization and culture to prevent and detect corruption, bribery, and fraud. This continuous and ongoing process must be monitored, maintained, and nurtured. The challenge is establishing corruption prevention and detection activities that move the organization from a reactive fire-fighting mode to one that actively manages, monitors, prevents, and detects risk. This requires the organization to implement technology to manage anti-corruption compliance.

Technology can help organizations manage and monitor anti-corruption compliance by enabling and automating:
  • Compliance program management: The organization needs a 360-degree view of compliance activities and reporting. This requires an end-to-end system for managing compliance activities, metrics, and reports. From this system the organization should be able to produce reports and metrics relevant to the board of directors and executives, to assure them they are meeting fiduciary obligations to have an anti-corruption compliance program in place. All compliance management personnel and employees should be able to access the system and see contextually relevant tasks and items.
  • Regulatory intelligence and change management: The integration of regulatory content feeds and technology enables the compliance program to monitor changes in anti-corruption laws, requirements, and cases to determine how new developments impact the business. The organizations must use technology to take in legal and regulatory feeds and route them to the correct subject matter expert for review and business impact analysis.
  • Compliance risk assessment: Risk assessments are mandatory for compliance initiatives. The organization needs a technology platform to manage risk surveys, assessments, and related risk information and report, analyze and model risk.
  • Policy and procedure management: A core process of a compliance program is the ability to document policies and procedures to maintain a state of compliance. All relevant policies related to anti-corruption should be documented, maintained, communicated, and attested to within a technology platform with a robust audit trail and content management capability. This includes code of conduct, anti-corruption, and other related policies.
  • Training and communication: It is not enough to make written policies available — the organization also needs to train individuals on policies. Organizations are increasingly using the economies of online training to deliver courses on anti-corruption, and to test employee understanding of policies and requirements.
  • Third-party management: Central to an anti-corruption compliance program is the ability to manage the risk of third-party entities you interact and do business with. Technology, and the integration of content feeds, enables the ongoing due diligence effort to monitor and score vendor/third-party risk, communicate policies to vendors, track attestations, and deliver surveys and assessments.
  • Forms processing and automation: A critical component of an anti-corruption program is the ability to process and automate forms related to compliance policies and procedures. Interactions for contributions, gift, entertainment, and facilitated payments should be managed through online forms and workflow for approval or disapproval.
  • Investigations management: Technology enables the organization to manage and monitor issues and incidents, and collaborate and document investigations. This includes the ability to record the range of issues reported from hotlines and other mechanisms, what actions were taken, and the results of the investigation.
This is the second installment in a three-part series on Anti-Corruption. The first article can be found at:

I would love to hear your thoughts on the role of technology in anti-corruption compliance. This series is a collection of pieces from a published paper – the rest of the paper can be found at:

Thursday, June 23, 2011

Investigation Technology Platforms: What to Look For

Investigations management processes are enabled through implementation of the right investigation technology platform. The technology solution is crucial, because it offers the adaptability needed for the dynamic nature and geographic dispersion of the modern enterprise.

Investigation management applications are intended to manage, in one common framework, all departments, divisions, related companies and types of investigations and incidents. This investigation management platform enables investigation team members to be shared across multiple entities (companies, divisions and departments) as needed, or restricted to just one entity or set of discrete participants when appropriate. Investigations platforms offer a common and consistent approach to report incidents (e.g., hotlines), handle escalation, manage investigation processes, and analyze loss. They enable an organization to evaluate the criticality of incidents, assign investigation team members, monitor business impact, manage the investigation process, and report on loss and impact across business areas. The platform maintains detailed investigation history and audit trails, manages the lifecycle of investigations, links incidents to remediation procedures, and identifies trends to monitor similarities and relationships across investigations.

Organizations considering an investigation management platform should evaluate the following during the selection process:

  • Organization management: Whether it is a business process, a physical asset, an information asset, a business relationship, an individual, or the entire organization, investigations apply to some structure of the organization. An investigation management system needs the ability to model the organization and map investigations to organizational structure categories — whether geographic, process, business unit, or information.
  • Accessibility: Investigations generally require the involvement of multiple individuals across an organization. An investigation management system must provide secure access and a complete system of record that an individual can log into to find required tasks, evidence management, and related policies and procedures to guide investigation activities.
  • Workflow: Investigations require process management through a standardized workflow. This provides the ability to prioritize, assign and track incidents from identification to resolution. Within each incident the organization should have the ability to assign a lead investigator and support staff, and notify personnel when incidents enter their case-management queues.
  • Task management: An investigation management system delivers the ability to track a variety of activities at different stages of execution. Tasks are assigned and communicated based upon roles, responsibilities and incident category, providing a collective overview of each individual’s task list of outstanding work items and due dates, and prompting individuals with reminders of upcoming activities.
  • Content management: An investigations platform requires a breadth of content management functionality, including content repository, version control, access management, and records and retention management. This is typically the portion of the application that will provide collection and management of evidence, as well as details about how the investigation was conducted.
  • Audit trails: Every assignment, person, piece of information collected, developed, changed, distributed, archived, surveyed, notified, and read should be accompanied by an audit trail to document every who, what, where, and when. The level of audit trail needed for investigation management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Interaction with other GRC applications: When incidents or investigations occur, it is important to identify not only what went wrong, but to make changes that can prevent similar occurrences. Policy, risk, control, and compliance applications must be cross-referenced to investigations and share information.
  • Enterprise loss analysis: The solution should have capability to categorize, measure, allocate, record, and report on losses across the organization. This includes analytic capabilities to model and report on loss trends — such as root-cause and trend analysis, ability to report on loss and event data to the control environment, as well as the ability to provide for loss distributions and calculations.
  • Remediation management: The solution should have ability to track and manage the remediation process. Specifically, organizations must look for the ability to track and monitor the status of remediation such as recognized control gaps, audit findings, safety violations, and regulatory interactions and reporting.
  • Hotline integration and reporting: An important feature is the ability of the system to integrate with the organization’s anonymous hotline/whistleblower system used to report incidents and events. The system should be able to communicate with reporters (whether known or anonymous) to provide investigation status and to ask further questions needed for the investigation.
  • Security architecture: Investigations management platforms are effective only if the organization can tightly control access to sensitive information. Security is a critical element of consideration in an investigations platform — an inherent weakness in spreadsheets and homegrown databases. Organizations must select a solution with proven security architecture with features such as role-based administration of privileges, integration with directory services, secure-access incident data down to the individual field level, protection of the identity of the individuals involved, and ensuring the integrity of the organization’s confidential information.
  • Reporting and dashboarding: An investigations management platform provides an easy-to-use interface for reporting and managing investigations. Specific features to consider include the ability to monitor investigation status, measure and report on impact, production of reports to track incidents by type, date, person, location, financial impact and other attributes. Dashboards provide management with real-time access to current incidents, resolution status, key metrics, and the relationship of incidents or events, to identify trends and relationships.
  • Configuration flexibility: The strongest solutions support flexible configuration without code customization — configurability refers to the ability to manage structures, rules, data elements, workflow, fields, interface layout, and user-interface characteristics without customization.
  • Usability: Investigation personnel should be able to use the system without being technically savvy. Organizations should select a solution that has an intuitive look-and-feel with navigation, and presentation of information that minimizes the need for user training, particularly when some investigations and participants may use the system infrequently.
  • Scalability: Platforms must be able to handle multiple people accessing the systems from across a distributed enterprise that may span the globe, with many investigations occurring simultaneously and at different stages of the process.
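The audit-trail and security-architecture requirements above are easier to evaluate with a concrete model in hand. The following Python is an added illustration written for this post, not code from any investigation platform or vendor: it keeps an append-only audit log in which each entry commits to the hash of the previous entry (so a later edit to "who did what, when" is detectable), and it applies role-based, field-level redaction so that a reporter's identity is only visible to roles entitled to it. The role names, field names, and the sample case are constructed assumptions.

```python
"""Tamper-evident audit trail plus field-level access control (illustrative).

Constructed example for this post; the roles, fields and case data are assumptions,
not a real product's schema.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash "previous" value for the first entry

# Which case fields each role may read (constructed policy). Only investigators
# see the reporter's identity; auditors see status but not the narrative notes.
FIELD_ACCESS = {
    "investigator": {"case_id", "category", "status", "reporter", "notes"},
    "manager": {"case_id", "category", "status", "notes"},
    "auditor": {"case_id", "category", "status"},
}


class AuditTrail:
    """Append-only log; each entry's hash covers its content and the prior hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, who, what, where, details, when=None):
        """Append one who/what/where/when entry and return its hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"who": who, "what": what, "where": where,
                 "when": when, "details": details, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the latest entry; anchor this outside the system (see note)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Return the index of the first inconsistent entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return -1


def view_case(case, role):
    """Return only the fields the given role is permitted to read."""
    allowed = FIELD_ACCESS.get(role, set())
    return {k: v for k, v in case.items() if k in allowed}


def build_demo_trail():
    """Constructed case history: intake, assignment, and a note being added."""
    trail = AuditTrail()
    trail.record("hotline-intake", "create", "CASE-0001",
                 {"category": "fraud"}, when="2011-06-01T09:00:00+00:00")
    trail.record("j.smith", "assign", "CASE-0001",
                 {"lead": "a.jones"}, when="2011-06-01T09:30:00+00:00")
    trail.record("a.jones", "add_note", "CASE-0001",
                 {"note": "interviewed vendor contact"}, when="2011-06-02T14:00:00+00:00")
    return trail


if __name__ == "__main__":
    t = build_demo_trail()
    print("chain intact:", t.verify() == -1, "head:", t.head()[:16])
    t.entries[1]["details"]["lead"] = "someone.else"  # simulate a later edit
    print("first bad entry after tampering:", t.verify())
    case = {"case_id": "CASE-0001", "category": "fraud", "status": "open",
            "reporter": "hotline-ticket-42", "notes": "interviewed vendor contact"}
    print("auditor view:", view_case(case, "auditor"))
```

The hash chain only proves that the store is internally consistent: whoever can rewrite the database can also recompute every hash. To give the assurance the post asks for (that notes were not altered later to tell a different story), the value returned by `head()` should be periodically written somewhere the application cannot modify, such as a separately administered log or a signed record, and compared on verification.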

I would love to hear your experiences and thoughts on what to look for in investigation management platforms, please follow the link to comment on my blog.

Tuesday, March 29, 2011

Investigation Lifecycle Management

Investigation Lifecycle Management (ILM) enables organizations to manage the lifecycle of investigations, resulting in investigations that are handled consistently with collaboration across investigation roles and accountability into how the investigation is conducted and resolved.

Organizations benefit from consistent investigation documentation and process while maintaining data integrity and confidentiality. ILM is the process of managing and maintaining investigations throughout the organization for all categories of investigations (e.g. retaliation, abuse, fraud, privacy, theft, vandalism). The goal of the ILM approach is to document accountabilities, provide audit trails, coordinate with internal and external resources, specify monitoring activities, and provide a consistent process and investigation case review cycle.

The lifecycle is defined in five primary stages:

1 — Something Happened! Something has happened and the organization is faced with the question — should we investigate? The organization needs a clear guide to determine when an investigation should be conducted. An investigation should not be taken lightly, and should be clearly documented. Every organization requires the capability to identify, prioritize, investigate, and resolve issues. Structures (e.g., management, technology, process) should be embedded within the organization to help identify potential inappropriate activity. Drivers to conduct investigations include: employee reports or comments to management, risk indicator thresholds being exceeded, hotline reports, survey feedback results, recognition that controls have been circumvented, and others. An active monitoring process is implemented to identify when an investigation needs to be conducted; this includes:

  • Hotline: The ability to provide anonymous reporting of actual or perceived misconduct and issues (e.g., anonymous web or call center reporting).
  • Audits/assessments: Identifies issues to investigate through interviews, data or other testing, surveys, and assessment responses.
  • Exit interviews: Interviews at employee exit may expose issues that the soon to be former employee is aware of.
  • Corporate chatter: There is often some truth in rumor. What is the word on the street, around the coffee station, and in the lunch cafeteria?
  • Social media: Facebook, Twitter and other social media sites are increasingly being used for venting and disclosure of malfeasance.
  • Reporting to management: Written or verbal disclosures to management, direct reports or otherwise should not be overlooked or taken lightly; management needs to be held accountable to properly record what has been reported to them directly.

2 — Categorize and Assign. After the intake of a potential incident it is critical to understand what happened, who may have been involved, date of occurrence, and initiate the investigation. This involves:

  • Issue filtering: There may be duplicate reports, misguided reports, and just noise that need to be consolidated or set aside. The goal is to have a quick triage process to identify what is relevant to investigate.
  • Investigation categorization: The organization should have established, predetermined categories of issues and response plans to engage appropriate resources and establish the security levels within the process. This categorization creates predetermined activity assignments and identifies the information that must be gathered throughout the investigation.
  • Investigation assignment: The next part of the process is determining, based on the categorization, which area, which investigation lead, and which subject matter expertise are required. Here, the organization determines competence and independence (e.g., is attorney-client privilege needed, should an external party be engaged). Often these business decisions can be predetermined based upon the category or suspects associated with the investigation.
  • Policies and templates for response: Prepare and plan for what steps are to be taken before you have to respond. When the organization appears to be scrambling and going in different directions, investigations fall apart. The organization needs clearly defined policies and process templates defined ahead of time for the various investigation categories it has defined.

3 — Investigate. After classification and assignment the organization next moves into the formal investigation process. Investigation activities can be predetermined to a certain extent and by doing so, critical instructions, considerations and guidance should all be readily available and enforced. Critical components of managing the investigation include:

  • Evidence handling: Based on the classification of the investigation the organization needs the right capabilities to manage and handle the collection, preservation, and retention of evidence.
  • Subject matter experts: Specific subject matter experts need to be engaged for the twists and turns an investigation may take. This may include experts in interview/interrogation, documentation, written statements/ depositions, physical and cyber forensics, as well as other areas.
  • Documentation: Success of an investigation hinges on the correct documentation of how the investigation was conducted, who was involved, and what steps/actions were taken.
  • Collaboration: A critical component of an investigation is the ability to collaborate between parties. This includes investigation personnel inside and outside the organization, parties involved in performing the investigation, those that reported it, as well as management responsible for overseeing the investigation. Communicating, securing and providing access to need-to-know information maintains the correct level of understanding on status, outcomes, unresolved questions, and actions regarding the matter.
  • Escalation procedures: During the course of an investigation, it may be necessary to escalate issues to another team and get involvement of higher levels of management or even law enforcement and regulators. Predetermining the criteria necessary to make this decision with the advance approval of company leadership will enable the investigation to continue the course approved by the company without jeopardizing the integrity of the investigation or increasing the risk to the resources involved.

4 — Resolve. The process of concluding an investigation is established to organize, preserve, and direct concluding activities according to established investigation procedures:

  • Final documentation: The final form of the investigation notes and documentation needs to be complete, addressing the who, what, when, where, why and how in the cause of the matter. This includes documentation of all investigation activities, involved parties, dates, time frames and other relevant information to complete the historical record of how the investigation was conducted and what was found.
  • Disclosure, restitution, and discipline: The organization needs to follow through with the proper resolution activities to wrap up response. This includes what public or private disclosure, restitution to injured parties, disciplinary actions, or sanctions placed upon companies, groups or individuals have been taken. These actions are to be commensurate with the offense, company policy, and law. Handling these acts with consistency will protect the organization from claims of prejudice and favoritism.
  • Loss reporting: Losses resulting from incidents and issues that have been investigated are to be documented. This includes calculating the business impact of the issue, including tangible loss from: internal and external investigation cost, litigation costs, fines, penalties, judgments, impairment of assets, market cap reduction, workforce turnover, customer turnover, and business interruption. The organization should also estimate intangible losses such as reputation damage and negative media coverage.
  • Incident metrics: The organization is to track metrics on each incident including incident type/category, loss, and time for the investigation. Other necessary metrics include date of incident, when it was detected, when it was reported, when and how long it was investigated, and when it was resolved. The goal is to understand the lag between incident and resolution and reduce the window of exposure and loss to the organization.
  • Lessons learned: Final lessons learned should be documented for incorporation into future risk evaluations and business decision processes, providing historical information relevant to decision making for today and the future.

5 — GRC Integration. Investigations should not operate as an island disconnected from other GRC processes. The information gathered from investigations is critical to refining and improving other GRC related processes. Organizations are to develop and integrate a GRC information and process architecture that feeds investigation metrics into:

  • Policy & training: Incidents and issues are violations of policies. Violations that have been investigated are to be communicated and integrated into the policy life cycle management process to initiate policy review activities and drive continuous improvement.
  • Risk models and assessments: Use of loss information and details of what occurred from the investigation provides valuable information necessary to drive risk models and identify target risk areas. This enables the organization to identify and avert future incidents and loss to the organization.
  • Remediation of control weaknesses, vulnerability, and exposure: Establish action items to prevent and/or detect similar violations in the future. The critical component is the hand-off and monitoring of the remediation activities and the capture of relevant action information at investigation closure.

In the previous articles we discussed Why Investigations Matter, Varied Approaches to Investigations Scattered Across the Organization, and Establishing Investigations Oversight. In the meantime, I would love to hear your thoughts on Investigation Lifecycle Management and corresponding GRC strategies.


Sincerely,


Michael Rasmussen, J.D., CCEP, OCEG Fellow
Business Ethics & Compliance Lecturer, Author, & Advisor
mkras@Corp-Integrity.com

Tuesday, March 22, 2011

Establishing Investigations Oversight

In the previous posts we discussed Why Investigations Matter and Varied Approaches to Investigations Scattered Across the Organization; we now turn our attention to the issues of having proper oversight for investigation processes within the organization.

Organizations are developing strategies to consistently manage a growing body of GRC-related processes that have historically been scattered across the organization – the goal is to deepen transparency and collaboration across the organization. Internal investigations are a function of these processes that organizations strive to make more efficient, effective, and agile. GRC works by breaking down functional silos, connecting team members inside and outside the enterprise, and ensuring transparency and accountability for every action.

The goal is to bring the areas of governance, risk, and compliance into harmony. It enables different areas of the business to be accountable where they excel without dominating others: promoting collaboration and information-sharing to achieve a holistic view of GRC across the business. It provides collaboration as well as accountability across GRC-related processes scattered across the business to work together in harmony, delivering increased efficiency, effectiveness, and agility to the business.

A GRC approach to investigation management provides enterprise visibility across investigations processes. It enables investigation teams across the organization to work in harmony in their distributed functions. The goal of a GRC approach to investigations is to provide assurance that investigations will be handled appropriately, consistently, and in a timely manner while providing useful information to other GRC processes such as risk, policy, and audit.

A GRC approach to investigation allows the organization to achieve:

  • Agility: Business changes rapidly and requires investigation processes that are quick to react to incidents as they arise. Scattered investigation efforts slow down the business and handicap today’s dynamic business.
  • Consistency: Varying investigation teams in the organization need to work together in an integrated methodology and understand how their roles fit into the big picture. When silos are allowed to go their own way the organization loses visibility.
  • Efficiency: Leveraging common processes, technology, and information minimizes redundancy and wasted resources. Manual and document-centric processes are inefficient and burden the business.
  • Transparency: 360-degree visibility across key incident and loss indicators monitors the organization’s health and averts or mitigates disaster. Without full transparency across issues the organization is taken off guard.
  • Accountability: Increasing governance demands require a system of accountability where the status of issues is apparent, and individuals are accountable for resolution. A lack of accountability and ownership of specific issues is a warning sign for regulators or 3rd parties to dig deeper.

GRC in investigation governance is made possible by three key functional capabilities:

  • An organized Internal Investigation Committee to govern the oversight and guidance of investigations and ensure investigations are managed consistently across the enterprise.
  • An individual assigned to the role of Internal Investigation Manager to assure accountability across the investigation lifecycle to the standards and processes defined by the Investigation Management Committee.
  • A well designed Investigation Lifecycle process that delivers efficiency, effectiveness, and agility to the business.

The Internal Investigation Committee (IIC) provides the structure and connective tissue to coordinate and drive consistency across distributed investigation teams and is comprised of team members that represent the best interest and expertise of the different parts of the organization. This committee is comprised of individuals from legal, compliance, audit, fraud, physical security, IT security, quality, health and safety, and other relevant areas of the business with investigative responsibilities.

The IIC carries out its investigation governance responsibilities by leveraging commonly developed and agreed-upon investigation policies, procedures, processes, and technologies that form the Investigation Lifecycle management. The role of the Internal Investigation Manager is to be the champion that sees that the lifecycle is followed.

In the next post we will look at the Investigations Lifecycle in more detail. In the meantime, I would love to hear your thoughts on Establishing Investigations Oversight and corresponding organizational strategies.


Thursday, March 3, 2011

Varied Approaches to Investigations Scattered Across the Organization

In the previous newsletter/post we discussed Why Investigations Matter; we now turn our attention to the issues of having Varied Approaches to Investigations Scattered Across the Organization.

The problem is that organizations do not have a standardized methodology to consistently address investigations across the enterprise. Today’s typical organization struggles with manual, scattered, and ad hoc investigation processes.

Unfortunately, many organizations implementing GRC strategies have seen investigations as a disconnected component and not core to GRC. Organizations often lack consistency, collaboration, and accountability when it comes to managing investigations. They have multiple investigation processes that do not work together, introducing redundancy and inefficiency.

When investigations are scattered across the organization, the organization lacks 360-degree transparency into the negative events impacting the business. No one can see the breadth and depth of issues the organization has. As a result, investigations:

  • Suffer from a complete lack of universal insight: There is no single authoritative source where investigations are consolidated, maintained, monitored and managed consistently.
  • Are bound by disparate methodologies: With redundant investigation processes, the organization has not fully embraced a common methodology to consistently manage investigations while allowing for unique subject matter experts to be involved in areas of their specialty.
  • Lack enterprise accountability: There is no enterprise assurance into the consistency of investigations and resolution of issues, with limited structures of accountability for understanding who took what action, what is being done to prevent future issues, who is responsible for the impact and loss, whether there is a historical trend of similar incidents and issues, and whether the issue is documented correctly.
  • Have deficient lifecycle management: Organizations maintain an ad hoc approach to managing investigations, with varied approaches that introduce redundancy and inefficiencies when there is no common system for managing workflow, tasks, documentation, approval, accountability, and escalation processes.
  • Fail to integrate with policy systems: Investigations are violations of policy; when the organization has no integration into policy systems and lifecycle management, it is handicapped in improving policies to prevent future violations.
  • Are disengaged from risk management: Investigation processes that are external to risk management processes are unable to provide the necessary historical loss information to adequately identify, measure, and manage risk.
  • Are encumbered by improper technology: Processes are burdened by technology such as spreadsheets and homegrown databases used to document and manage investigations. This approach lacks sufficient audit trails that identify who did what, took what action, and entered notes – and that provide assurance these records were not modified at a later time to structure a different story or get someone out of trouble.

The organization suffers with ineffective investigation structures, content, coordination, lifecycle management, accessibility, accountability, and communication when this critical GRC process is trapped in silos. There is no 360-degree transparency into the status and impact of all investigations across the enterprise.

How can an organization manage and model risk and compliance without a clear understanding of where issues and events have been in the past? The issues of the past are a critical source of risk intelligence, providing a necessary indicator of where the organization’s future risks lie. Corporate governance, strategic decision-making, and the protection of stakeholder value require an organization to understand where its issues and losses have been.

When the organization is under a microscope, having a detailed document trail of investigations – how they were managed, who was involved, who was implicated, and what actions were taken – provides grounds for defending the organization. Organizations require collaboration and accountability across investigation teams for their ongoing involvement in investigations, the investigation process, evidence management, monitoring incidents, corrective actions, and loss reporting.

Thursday, February 24, 2011

Why Investigations Matter

Investigations have many names; in parts of the organization they may be called issues, loss, matters, events, cases, and incidents. I now turn my attention to a series of posts/newsletters on the topic of effectively managing corporate investigations.

Investigations, done right, minimize or control loss, uncover systemic issues, identify risk areas, and provide information that drive continuous improvement initiatives. As a result, investigations are a critical cornerstone to governance, risk management, and compliance (GRC) efforts in the ability to find and resolve issues to reduce exposure and contain loss to the organization.

GRC activities require that an organization have a solid approach to manage investigations and feed information into other GRC related processes. Consider that. . .

  • Investigations are a GOVERNANCE activity: Most organizations do not connect investigations with how they maintain corporate culture and policy boundaries by holding parties accountable to policies and procedures. Without a consistent investigation process, culture morphs and takes unintended paths.
  • Investigations influence RISK models: Investigations tell risk management where the most significant risks have materialized in the past and drive evaluation and remediation priorities. Loss information gathered from investigations is a critical element of risk modeling.
  • Investigations are a critical component of COMPLIANCE: Investigations enforce compliance through identification of areas that need improvement and increased monitoring. This includes policy and procedure revision, improved communications, changes to training programs, and enhancements to monitoring activities. Further, investigations are considered a fundamental element of a corporate compliance program (e.g., in the U.S. Sentencing Commission's Organizational Sentencing Guidelines).

Through a consistent investigation process the organization identifies damages, involved parties, evidence of policy violations, impacts, remedies, and maintains boundaries for acceptable behavior of business processes, relationships, systems, and individuals.

The right investigation process is necessary to define and communicate that the organization is serious about its policies, culture, and controls, and to facilitate enhancements that prevent recurrence of similar issues.

Stay tuned; more will be coming on the critical topic of effectively managing investigations. In the meantime, I would love to hear your thoughts on investigation management and corresponding organizational strategies. Please feel free to comment below . . .


Friday, September 11, 2009

Chief Punishment Officer

During my latest OCEG GRC Strategy & Red Book 2 Bootcamp, one attendee stated they had seen the job title of Chief Punishment Officer in China. Any takers?

On a related note – one attendee had asked if anyone had a disciplinary matrix – wrongs with associated punishments – for their organization.


My upcoming bootcamps can be found at:

GRC STRATEGY & RED BOOK 2.0 BOOTCAMP
Boston, Massachusetts
Date: October 28-29, 2009

The objective of this Bootcamp is to provide attendees with the knowledge and hands-on practice necessary to efficiently design a GRC program based on Red Book 2.0. Attendees will learn about defining a GRC Strategy aligned with Red Book 2.0 through lectures and practical group exercises. For more detail and registration information, contact us at techchair@oceg.org or log into the new OCEG website (beta) and download the brochure. Register early to secure your space in this limited attendance event.

DEVELOPING YOUR GRC IT IMPROVEMENT PLAN BOOTCAMP
Boston, Massachusetts
Date: October 30, 2009

Held immediately following the GRC STRATEGY & RED BOOK 2.0 BOOTCAMP, at the same location, this is a one-day basic training exercise in developing GRC IT technology architecture and strategy. Attendees will receive value in understanding technology enablement of GRC and developing a GRC technology strategy that delivers sustainability, consistency, accountability, efficiency (cost-savings), and transparency across the organization’s risk and compliance initiatives. For more detail and registration information, contact us at techchair@oceg.org or log into the new OCEG website (beta) and download the brochure. Register early to secure your space in this limited attendance event.

Tuesday, March 31, 2009

Ultimate Legal Management Platform

Legal – the last (OK, perhaps I should state latest) technology frontier – to boldly go where no one has embraced technology before. So it would appear to an observer of the average corporate legal department. Corporate attorneys have been technology holdouts, unwilling to give up their legal pads and pens in exchange for process-efficient technology.

Times are changing. Lawyers have been forced to embrace technology and understand it in more detail with the advent of electronic discovery requirements (e.g., the Federal Rules of Civil Procedure). This has caused many a lawyer to get over a severe case of technophobia and come to understand that technology can really improve the performance and governance of the corporate legal department. Inside counsel is now becoming tech savvy and willing to embrace technology to improve business legal processes that have historically been very manual and paper-based.

Corporate Integrity sees a new evolution of legal management software that embraces a holistic view of legal process management. Currently, the market is comprised of several dozen software vendors focusing on specific legal functions. The future will show a few of these vendors successfully creating a solution that manages legal processes in an integrated platform. The goal: to bring sustainability, consistency, efficiency, transparency, and accountability to legal process management.

The legal process management market (part of the GRC – Governance, Risk, and Compliance – Market) incorporates the following components:

  • Discovery Management is a recent solution area that evolved out of the hailstorm of eDiscovery solutions in response to the revised Federal Rules of Civil Procedure in the United States. These platforms assist in managing the accountability, documentation, and process/workflow of fulfilling discovery requests. In one sense they are a natural extension of matter management platforms. Leading discovery process management solutions include Bridgeway, Exterro, Mitratech, and PSS Systems.
  • Contract Management solutions manage the contracting process from a legal perspective in assisting in the writing, review, modification, negotiation, execution, and archiving of all legal contracts and obligations of the company. Legal contract management platforms that have had broader adoption in corporate legal departments include Compliance 360, EAG CaseTrack, Emptoris, Mitratech, and Selectica. Archer Technologies and Axentis have also been deployed for contract management – but have not seen the same level of traction within corporate legal departments.
  • Hotline/Whistleblower solutions are more than a technology platform; they are typically delivered as a service for reporting incidents (often anonymously) via the web or a telephone hotline. Leading vendors in the hotline and whistleblower space include Allegiance, EthicsPoint, Global Compliance, and The Network. Several of these vendors also offer an enterprise investigations management platform.
  • Board & Entity Management delivers a solution for the corporate secretary (typically in legal) to manage board papers, communications, and corporate reports/filings. This includes features for board calendaring and scheduling as well as documenting legal entities, structure, relationships, assets, and responsible parties (Executives, Directors). Vendors in this area include BoardVantage, Bridgeway, BWise, Computershare, CSC, ICSA, Mitratech, SAI Global, and CT Wolters Kluwer.
  • Policy & Procedure Management involves a platform for defining, communicating, training on, managing, and archiving corporate policies, procedures, ethics, and codes of conduct. Solutions in this space provide a central repository for managing the policy lifecycle. Vendors include Archer Technologies, Axentis, BWise, Compliance 360, Mitratech, OpenPages, QUMAS, and SAI Global. However, not all of these vendors offer the same features. Axentis offers the easiest to use, but complete, policy and procedure management solution. Archer Technologies, Axentis, and Compliance 360 can deliver training modules within their platforms. Mitratech just offers the management of policy lifecycles, but not the communication component.
  • Training Solutions offer a wide range of legal, ethics, and regulatory training modules to be delivered in other GRC platforms (such as Policy & Procedure Management) or eLearning solutions. Vendors such as Corpedia, Global Compliance, Integrity Interactive, LRN, and SAI Global offer training solutions in this area.
  • Legal Risk Management & Analysis solutions are designed for defining, managing, modeling, and monitoring legal and compliance risks in the enterprise. This is a relatively new area for technology solutions and is best done with solutions that support decision tree risk modeling to help an organization analyze legal scenarios and outcomes. Solutions focused on this capability include Mitratech and Riskonnect. Amenaza is another vendor but has not focused on the legal market.
  • Compliance Management involves a platform for documenting requirements (laws, regulations, contractual), mapping them to corporate controls and policies, and providing for the assessment and reporting on the state of compliance. There is a wide range of vendors offering compliance management solutions, many of which grew out of the Sarbanes-Oxley/financial controls space, such as OpenPages and Paisley. Vendors that have shown particular traction within legal departments for managing compliance include Axentis, Compliance 360, QUMAS, Mitratech, and SAI Global. Other vendors offering compliance management, but without demonstrated traction within legal, are Archer Technologies, BWise, and MetricStream.
  • Legal & Regulatory Intelligence is a particular feature set embedded in legal process management solutions that deliver efficiency and accountability in monitoring changes in laws, regulations, legislation, and court rulings that could impact the company. The leading innovator in this area is Compliance 360 as their solution profiles regulatory and legal interests and directly integrates with Lexis Nexis and Thomson Westlaw and routes new legal developments into a process flow. Mitratech has capabilities in this area as well. Axentis is doing similar management of the accountability and evaluation process – but does not have the integration with content providers. Corporate Integrity fully expects that Lexis Nexis, LRN, SAI Global, Thomson, and Wolters Kluwer will be building out solutions in this area to further leverage their content.
  • 3rd Party Compliance Management involves platforms for communicating ethics, code of conduct, and policies across an organization's third-party and supply-chain relationships. Some of these platforms go further into managing self-assessments and audits of the vendors as well. Most companies buying solutions in this space seek a Software as a Service (SaaS)/hosted platform for easy accessibility by third-party business relationships. Leading vendors in this space include Archer Technologies, Axentis, Compliance 360, and Integrity Interactive.
  • Corporate Social Responsibility Management is a technology space that is just emerging. While there are platforms for managing CSR, particularly from an environmental perspective such as Equilibrium, not many platforms have targeted the legal and corporate secretary role in CSR. However, some vendors that have engaged with legal are seeing their platforms retooled for CSR purposes led from the legal department. These vendors include Archer Technologies and Compliance 360.
  • Information Management consists of applications for identifying and cataloging information assets across the organization. This category would focus on sensitive corporate information (e.g., personal information, corporate records, and even intellectual property) and catalog its location, controls, and policies. Archer Technologies is an example of a vendor that operates in this space.
  • Intellectual Property Management consists of applications for cataloging intellectual property across the organization, including ownership rights, regulatory requirements, renewal dates, governmental correspondence, and filing status. The focus of this area is intellectual property (e.g., patents, trademarks, copyrights); vendors include Anaqua, Cognocys, and IPDOX.

The legal process management market has many niches, as illustrated above. The obvious question: who does it all? Answer: simply no one. There are, though, a few notable vendors that provide a fairly complete enterprise legal process management platform. Mitratech and Compliance 360 are providing very complete platforms, but from different angles. Mitratech grew out of the matter management area and has expanded rapidly into other areas. Compliance 360 grew out of the corporate compliance function within legal (initially within healthcare and insurance) and has been expanding out. Other vendors appear to be aggressively focusing on the corporate legal department and providing an end-to-end solution; these include Archer Technologies, SAI Global, and Wolters Kluwer.

Tuesday, December 9, 2008

The Ultimate Compliance Platform


Christmas (or whatever other holiday tradition you celebrate) is upon us with its associated gift giving. In the spirit of giving and Christmas cheer, I am delivering the beginning of a series of role-plays looking at what different risk and compliance roles would want in their Christmas stockings.

To kick this off, we will initially focus on the role of Corporate Compliance. Each subsequent week we will look at another role (see below for schedule).

Understanding what Corporate Compliance desires requires an understanding of what this role is about and its responsibilities. Unfortunately compliance, like many GRC-related terms, has different heads and definitions throughout the organization. Corporate Compliance, though, is a specific role that typically reports into legal/general counsel and is focused on the most pertinent legal/regulatory issues the organization has to comply with. To date I have not met one Corporate Compliance Officer who is responsible for every aspect of compliance throughout the organization. Fragments of compliance such as SOX, privacy, information security, health and safety, and other areas often fall outside the Corporate Compliance area of focus.

Corporate Compliance is typically responsible for managing the most significant and highly visible legal/regulatory compliance issues, such as anti-corruption, ethics, anti-trust, and employment/labor issues. In the U.S. this role is centered on adherence to the U.S. Sentencing Commission Organizational Sentencing Guidelines and the seven elements they lay out for what a compliance program should look like. This compliance program involves defining and maintaining policies, oversight, due diligence in hiring and access, training/communication, monitoring, investigations, and program improvement. There is also an additional requirement to perform at least an annual risk analysis for potential wrongful conduct.

Again, there are other views of compliance (IT, finance, audit, business operations), and their needs vary from but relate to those of Corporate Compliance.

So when you think of the Corporate Compliance Officer/Manager this season, your first desire may be to give this role the ultimate compliance platform to manage compliance content and processes. In designing this platform, you will find that the best solutions come from a range of providers and not a single vendor. So my Christmas wish would be for a new platform to be developed that would integrate the following:

  • Next generation policy & procedure management. Organizations are in complete disarray in managing corporate policies and procedures; they are often out-dated, scattered across parts of the business, and not managed consistently. Further, the recent trend in legislation and regulatory guidance is to demonstrate training and not just attestation. I desire a platform that is easy to use, manages the lifecycle of policies, and allows dissemination, communication and training (e.g., eLearning) on these policies in a single platform. Axentis is the best example of a platform delivering this today. Neohapsis (formerly Certus) has done interesting things with a few clients. QUMAS has the most robust policy lifecycle management but lacks the integrated eLearning component.


  • Regulatory intelligence. The Corporate Compliance role struggles to keep abreast of a growing array of regulations, legislation, regulator findings/rulings, and case law. The current situation is to have an army of legal professionals mining legal and regulatory sources for new developments that will impact the organization. My desire is to see this automated. Give the Corporate Compliance role an application that allows the compliance and legal function to profile their organization, link into content providers (e.g., Westlaw, LexisNexis), and then have new developments/alerts pushed into the application and disseminated to the appropriate person for review and analysis based on responsibility. Compliance360 is the only company offering something close to this vision today, though there are some industry-specific providers doing interesting things, such as Complinet and Fortent in the financial services vertical. ComplianceOnline (by MetricStream) also provides a wealth of regulatory information. SAI Global is also doing some interesting things in this area, with a particular strength outside the US. Further, LRN is another provider that continues to amaze me with its thought leadership and content.


  • Enterprise investigations management. A struggling area of compliance is enterprise investigations; in most organizations there is no such thing as 'enterprise' investigations management. This is unfortunate, as organizations fail to get a grasp on the range of issues, events, incidents, wrongdoing, and complaints across the organization. Without a complete view into enterprise issues, events, and investigations, an organization's risk management and compliance strategies become handicapped. On top of this, organizations manage investigations in home-grown databases and spreadsheets which often lack any form of audit trail or non-repudiation. Consider solving this problem by giving Corporate Compliance a single enterprise investigations management platform that ties into whistleblowing/hotlines for anonymous reporting of incidents. EthicsPoint, in my humble opinion, offers one of the best solutions on the market for managing corporate investigations across the organization with integrated hotline services. Other contenders are Axentis, QUMAS, and Archer Technologies, but they lack the hotline piece of EthicsPoint. BTW, get rid of the spreadsheets: they are difficult to manage and do not provide the non-repudiation needed for sensitive compliance processes.


  • Compliance process management. Corporate compliance today is a labor-intensive and manual process. When it is automated, this typically means sending an email. This is unfortunate given the range of process management solutions on the market. Corporate compliance needs a compliance backbone that allows it to manage complex processes and workflow as well as content. The most adaptable backbone for corporate compliance is Archer Technologies. Archer is quickly moving into a broader GRC offering from a focus within IT, and has one of the most flexible and highly configurable risk and compliance solutions on the market today. They allow for complete module customization, and even allow clients to share custom-built risk and compliance process modules. On top of this they offer modules for many of the functions I list above, policy and investigations management in particular. There are other GRC platforms focused on process management, going beyond simple workflow, such as Mitratech, Compliance360, BWise, and MEGA. BWise and MEGA have particularly interesting solutions that support visual process modeling.


  • Time machine. While compliance is focused on assuring compliance in the here and now, it often has to react to investigations, lawsuits, and regulators that want to understand the state of compliance on a given date and time. In that case how you are compliant today is of little importance. The Department of Justice, regulator, or prosecutor wants to know how you were compliant on this day five years back. This requires that the organization be able to demonstrate who read, was trained on, and attested to a policy on a given date and time; how an investigation was handled; and how compliance was managed. I am a Mac user and love Leopard's Time Machine ability to go back to any date in time and see my system/files on that date. That is what Corporate Compliance needs as well: a compliance Time Machine. There are a few vendors delivering this today, such as Compliance360 and QUMAS.
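As an added illustration, not part of the original post and not code from any of the vendors named above, here is the minimum a security engineer would want under both the "enterprise investigations management" and "time machine" items: an append-only case log in which every entry records who did what and when, and each entry is chained to the previous one with an HMAC, so a note edited after the fact (the spreadsheet problem) is detected at the entry where it happened, and replaying the chain up to a date answers what a case looked like on that day. The signing key, the case identifier and the events are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Hypothetical demo key. In a real deployment the key (or a signing service)
# sits in an HSM/KMS that case workers cannot reach; whoever holds the key
# can rewrite the chain consistently, so key custody is the whole game.
SIGNING_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, body: dict) -> str:
    """HMAC-SHA256 over the previous entry's hash and this entry's canonical JSON."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, prev_hash.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


class InvestigationLog:
    """Append-only list of case events; each entry commits to every earlier one."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, ts: str, actor: str, case_id: str, action: str, note: str = "") -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts,            # ISO-8601 UTC, so string order equals time order
            "actor": actor,
            "case_id": case_id,
            "action": action,    # e.g. "status:open", "evidence:add", "note"
            "note": note,
            "prev": prev,
        }
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails to chain, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or _entry_hash(prev, body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def status_at(self, case_id: str, ts: str) -> Optional[str]:
        """Replay the chain up to ts and return the case status in force on that date."""
        status = None
        for entry in self.entries:
            if entry["case_id"] == case_id and entry["ts"] <= ts and entry["action"].startswith("status:"):
                status = entry["action"].split(":", 1)[1]
        return status


def build_demo_log() -> InvestigationLog:
    """Constructed sample events for one hotline case (not real data)."""
    log = InvestigationLog()
    log.append("2008-11-03T09:12:00Z", "hotline", "CASE-0042", "status:open", "anonymous report received")
    log.append("2008-11-05T14:30:00Z", "j.doe", "CASE-0042", "evidence:add", "expense reports Q3")
    log.append("2008-11-20T11:00:00Z", "j.doe", "CASE-0042", "status:substantiated", "duplicate reimbursements")
    log.append("2008-12-01T16:45:00Z", "compliance", "CASE-0042", "status:closed", "corrective action issued")
    return log


def tamper_and_check() -> Optional[int]:
    """Edit an old note the way a spreadsheet allows; the chain breaks at that entry."""
    log = build_demo_log()
    log.entries[2]["note"] = "no issues found"
    return log.verify()


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain intact:", demo.verify() is None)
    print("status on 2008-11-25:", demo.status_at("CASE-0042", "2008-11-25T00:00:00Z"))
    print("first bad entry after tampering:", tamper_and_check())
```

Two caveats a practitioner would add. A keyed chain only proves that nobody without the key rewrote history, so for non-repudiation toward a regulator the head hash should be anchored periodically with a third-party timestamp or a signature from a key the case team does not control, and the storage behind the log should be insert-only (no UPDATE or DELETE grants) so that the hash check is a second line of defense rather than the only one.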

There . . . I have provided you some technical stocking stuffers for your corporate compliance department.  In the next few years we should see an integrated application that delivers all of this best in class functionality.

Corporate Integrity welcomes your comments and thoughts on this topic in our blog.  Upcoming issues of the newsletter will focus on ultimate platforms for:

    • Enterprise risk management – week of 12/22/08
    • Operational risk management – week of 12/29/08
    • Supply-chain risk & compliance – week of 1/5/09
    • Legal/general counsel – week of 1/12/09
    • Corporate social responsibility – week of 1/19/09
    • Audit – week of 1/26/09
    • Finance/treasury – week of 2/2/09
    • IT – 2/9/09
    • Quality – 2/16/09
    • Environmental, Health, & Safety – 2/23/09

Merry Christmas! (Yes, it is OK to say Merry Christmas),

Michael Rasmussen
President & Research Analyst

mrasmussen@Corp-Integrity.com
LinkedIn · Plaxo