Tuesday, May 15, 2012

Mitigating Risk in the Era of the Corporate Bounty Hunter

Business is global, distributed and dynamic. Organizations of all sizes and industries have global client, partner, vendor and supply-chain relationships. Adding to this complexity is the dynamic nature of business — it is ever changing, with a revolving door of employees, partners, technology, processes, and strategies in an environment where risk, economics and regulations are in a constant state of change. The complexity of today’s global, distributed and dynamic business makes regulatory compliance a challenge.

How does an organization validate that it is current with legal, regulatory and other obligations in the face of an ever-changing business environment?

The era of the corporate bounty hunter

Government is increasingly turning to insiders (e.g., employees), incenting them to report wrongdoing and noncompliance. In the U.S., the SEC and DOJ have extended their compliance monitoring into a firm’s activities by enlisting the eyes, ears, and voice of the organization’s employees. The framework for this is established in the Dodd-Frank Act whistleblower provisions, which entice employees to report violations, such as bribery, corruption, fraud, insider trading, and more to the government. Corporate whistleblowers who provide information that leads to a successful SEC enforcement receive 10 to 30 percent of the monetary sanctions over $1 million. In an era of increased scrutiny and judgments for non-compliance, this is a significant concern that keeps executives, the board, legal, and compliance professionals up at night.
The organization cannot afford ad hoc approaches to compliance. In the era of the corporate bounty hunter, established processes must be in place to prevent non-compliance from happening. And when it does happen, the ability to demonstrate established compliance and monitoring processes can significantly reduce the penalties imposed upon the organization. The best defense to the era of compliance with the corporate bounty hunter is an active offense. Organizations must be prepared to show they have a strong compliance program in place to mitigate or avoid compliance issues.
In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures. Preventive measures must work alongside detective measures to monitor compliance, and the organization must respond quickly and efficiently.

To mitigate risk in the era of the corporate bounty hunter, organizations need to:

  • Strengthen ethical and compliance culture: This starts with making employees comfortable speaking up and reporting issues and incidents. It is better to have an employee report internally than to have them go to the government, bypassing the organization. However, be prepared to respond: officials will throw the book at an organization if evidence is brought forward that an employee did report internally and the organization did nothing about it. Enabling a strong ethical and compliance culture requires that the organization has mechanisms in place for employees to report issues, and that those reports are recorded and responded to.
  • Understand risk: An organization needs to understand the risk and exposure to non-compliance. This includes periodic assessment (e.g., annual) of exposure to unethical and non-compliant conduct. The risk-assessment process should also be dynamic — conducted when there is significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies and new markets).
  • Know who it does business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships. Due-diligence efforts in establishing relationships must make sure the organization contracts with ethical entities. If there is a high degree of risk in a relationship, preventive and detective controls must be established. This means knowing your vendors, partners, suppliers and even your own employees to understand if they are susceptible to corruption and unethical conduct. Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of non-compliance.
  • Establish and communicate policies and procedures: Organizations must have documented and up-to-date policies and procedures that address compliance. The code of conduct must filter down to address regulatory requirements and obligations. Requirements and processes must be clearly documented and adhered to.
  • Effective training: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement compliance-training programs to educate employees and business partners. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
  • Manage business change: The organization must monitor the business environment for changes that introduce risk of non-compliance. The organization must document changes to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that change in business, regulations, and the risk environment be monitored by compliance processes to actively address risk of exposures resulting from change.
Compliance must be an active part of culture and processes to prevent and detect issues before they are reported to government. Compliance processes must be monitored, maintained and nurtured. The challenge is establishing compliance activities that move the organization from an ad hoc reactive mode to one that actively manages, monitors, detects and prevents corruption risk. This requires the organization to implement technology to manage compliance.

This newsletter was sponsored by DoubleCheck Software. For more information on how DoubleCheck helps organizations address compliance risk in the era of the corporate bounty hunter, click on the link below:

Tuesday, October 4, 2011

ONLINE SEMINAR: State of the GRC Market Q4-2011

Understand the state and direction of the GRC technology market:

State of the GRC Market Q4-2011

Friday, October 14, 2011

Eastern Time 12:00 PM - 2:00 PM / Pacific Time 9:00 AM – 11:00 AM / GMT 4:00 PM – 6:00 PM

ONLINE SEMINAR: State of the GRC Market Q4-2011 . . . 

Today’s complex and competitive GRC market demands that you be at the top of your game.  Corporate Integrity is the leading GRC market research and education firm.  

This webinar is Corporate Integrity’s quarterly update on the State of the GRC Market. It is the summary of Corporate Integrity’s market intelligence, which spans several hundred interactions/conversations with GRC technology buyers each year. It is an excellent opportunity for organizations looking to buy technology to learn what is going on in the market, and a necessary educational opportunity for technology providers to understand the GRC market and refine their strategies.

Attendees will be able to answer the following questions:

  • Who are the leading (most active) GRC technology providers?
  • Why are organizations buying GRC technology?
  • What differentiates the GRC technology providers?
  • How do you categorize and define the GRC technology market?
  • What is the market size of the GRC technology market?  Where will it grow?
  • What are the leading risk and compliance drivers for buying GRC technology?
  • What is the value that organizations have achieved by implementing GRC technology?
  • Where is GRC technology headed?
  • What are the different needs of GRC roles (e.g., audit, risk, compliance, IT, finance, legal)?
  • Who are some of the up and comers in GRC technology that I should be watching and why?

NOTES:  Two hour online seminar format. Cost is $95 per attendee. GRC Advisor clients get a 50% discount – if you are a GRC Advisor client please contact mkras@corp-integrity.com for a discount code. You can purchase an access code for your entire company (not per attendee) for $500.  Please contact mkras@corp-integrity.com.


About Your Instructor. . . 

Michael Rasmussen is an internationally recognized pundit on GRC.  With 18+ years of experience, Michael helps organizations improve GRC processes and choose technologies that are effective, efficient, and agile.  He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” – being the first to define and model the GRC market in 2002 while at Forrester. 

Michael has contributed to US Congressional reports and committees, and currently serves on the Leadership Council of OCEG and chairs the OCEG Technology Council. Treasury & Risk recognized Michael as one of the 100 most influential people in finance with specific accolades noting his work in “Governance and Compliance: Saving the Planet and the Corporation.” 

Prior to founding Corporate Integrity, Michael was a Vice-President and ’Top Analyst’ at Forrester Research, Inc. Before Forrester, he led the risk/compliance consulting practice at a professional services firm and has specific experience managing compliance and risk within organizations.


About Corporate Integrity. . . 

Corporate Integrity, LLC (CI) is a GRC strategy advisory firm providing leadership in education, research, and advisory services. CI monitors the challenges and trends of the business roles accountable for governance, risk management, and compliance. 

Through ongoing research, interactions, and analytics CI is the authority in understanding how organizations foster a culture that “walks the talk” – where integrity is central to GRC practices. CI educates professionals to achieve effective, efficient, and agile GRC processes to maintain a position of corporate integrity.


Corporate Integrity is a:

  • Client advocate, representing the needs of those purchasing solutions and helping them navigate vendor hyperbole.
  • Product strategist, by assisting vendors in the needs of solution buyers to provide product, market, sales, and partner strategies.
  • Market evangelist, to educate and evangelize GRC strategies, ideas, and the role of technology.


Thursday, June 23, 2011

Investigation Technology Platforms: What to Look For

Investigations management processes are enabled through implementation of the right investigation technology platform. The technology solution is crucial, because it offers the adaptability needed for the dynamic nature and geographic dispersion of the modern enterprise.

Investigation management applications are intended to manage, in one common framework, all departments, divisions, related companies and types of investigations and incidents. This investigation management platform enables investigation team members to be shared across multiple entities (companies, divisions and departments) as needed, or restricted to just one entity or set of discrete participants when appropriate. Investigations platforms offer a common and consistent approach to report incidents (e.g., hotlines), handle escalation, manage investigation processes, and analyze loss. They enable an organization to evaluate the criticality of incidents, assign investigation team members, monitor business impact, manage the investigation process, and report on loss and impact across business areas. The platform maintains detailed investigation history and audit trails, manages the lifecycle of investigations, links incidents to remediation procedures, and identifies trends to monitor similarities and relationships across investigations.

Organizations considering an investigation management platform should evaluate the following during the selection process:

  • Organization management: Whether it is a business process, a physical asset, an information asset, a business relationship, an individual, or the entire organization, investigations apply to some structure of the organization. An investigation management system needs the ability to model the organization and map investigations to organizational structure categories — whether geographic, process, business unit, or information.
  • Accessibility: Investigations generally require the involvement of multiple individuals across an organization. An investigation management system must provide secure access and a complete system of record that an individual can log into to find required tasks, evidence management, and related policies and procedures to guide investigation activities.
  • Workflow: Investigations require process management through a standardized workflow. This provides the ability to prioritize, assign and track incidents from identification to resolution. Within each incident the organization should have the ability to assign a lead investigator and support staff, and notify personnel when incidents enter their case-management queues.
  • Task management: An investigation management system delivers the ability to track a variety of activities at different stages of execution. Tasks are assigned and communicated based upon roles, responsibilities and incident category, providing a collective overview of each individual’s task list of outstanding work items and due dates, and prompting individuals with reminders of upcoming activities.
  • Content management: An investigations platform requires a breadth of content management functionality, including content repository, version control, access management, and records and retention management. This is typically the portion of the application that will provide collection and management of evidence, as well as details about how the investigation was conducted.
  • Audit trails: Every assignment, person, piece of information collected, developed, changed, distributed, archived, surveyed, notified, and read should be accompanied by an audit trail to document every who, what, where, and when. The level of audit trail needed for investigation management cannot be maintained with manual processes and ad hoc systems spread across an organization.
  • Interaction with other GRC applications: When incidents or investigations occur, it is important to identify not only what went wrong, but to make changes that can prevent similar occurrences. Policy, risk, control, and compliance applications must be cross-referenced to investigations and share information.
  • Enterprise loss analysis: The solution should have capability to categorize, measure, allocate, record, and report on losses across the organization. This includes analytic capabilities to model and report on loss trends — such as root-cause and trend analysis, ability to report on loss and event data to the control environment, as well as the ability to provide for loss distributions and calculations.
  • Remediation management: The solution should have ability to track and manage the remediation process. Specifically, organizations must look for the ability to track and monitor the status of remediation such as recognized control gaps, audit findings, safety violations, and regulatory interactions and reporting.
  • Hotline integration and reporting: An important feature is the ability of the system to integrate with the organization’s anonymous hotline/whistleblower system used to report incidents and events. The system should be able to communicate with reporters (whether known or anonymous) to convey investigation status as well as to ask further questions needed for the investigation.
  • Security architecture: Investigations management platforms are effective only if the organization can tightly control access to sensitive information. Security is a critical element of consideration in an investigations platform — an inherent weakness in spreadsheets and homegrown databases. Organizations must select a solution with a proven security architecture, with features such as role-based administration of privileges, integration with directory services, access control on incident data down to the individual field level, protection of the identity of the individuals involved, and assurance of the integrity of the organization’s confidential information.
  • Reporting and dashboarding: An investigations management platform provides an easy-to-use interface for reporting and managing investigations. Specific features to consider include the ability to monitor investigation status, measure and report on impact, production of reports to track incidents by type, date, person, location, financial impact and other attributes. Dashboards provide management with real-time access to current incidents, resolution status, key metrics, and the relationship of incidents or events, to identify trends and relationships.
  • Configuration flexibility: The strongest solutions support flexible configuration without code customization — configurability refers to the ability to manage structures, rules, data elements, workflow, fields, interface layout, and user-interface characteristics without customization.
  • Usability: Investigation personnel should be able to use the system without being technically savvy. Organizations should select a solution that has an intuitive look-and-feel with navigation, and presentation of information that minimizes the need for user training, particularly when some investigations and participants may use the system infrequently.
  • Scalability: Platforms must be able to handle multiple people accessing the systems from across a distributed enterprise that may span the globe, with many investigations occurring simultaneously and at different stages of the process.
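As an added illustration of the security-architecture and audit-trail requirements above (example code written for this page, not code from the page or from any vendor's product), the following models role-based, field-level access to an incident record, redacts the reporter's identity for roles not cleared to see it, and records every read, write and refused access as a who/what/where/when audit event. The role names, field names and sample incident are constructed assumptions.

```python
"""Constructed example: field-level access control and an audit trail for an
investigation record. Role and field names and the sample incident are assumed."""
from datetime import datetime, timezone

# Fields each hypothetical role may read, and may change.
READ = {
    "lead_investigator": {"case_id", "summary", "status", "reporter_identity"},
    "support_staff": {"case_id", "summary", "status"},
    "auditor": {"case_id", "status"},
}
WRITE = {"lead_investigator": {"summary", "status"}, "support_staff": {"summary"}}
SENSITIVE = {"reporter_identity"}  # the reporter's protected identity


class IncidentRecord:
    def __init__(self, data):
        self.data = dict(data)
        self.audit_trail = []  # append-only list of who/what/where/when events

    def _log(self, who, role, action, what, where):
        self.audit_trail.append({"who": who, "role": role, "action": action, "what": what,
                                 "where": where, "when": datetime.now(timezone.utc).isoformat()})

    def view(self, who, role, where):
        """Return the record with fields the role may not read redacted; every read,
        and every denied read of a sensitive field, is written to the audit trail."""
        allowed = READ.get(role, set())
        shown = {}
        for name, value in self.data.items():
            if name in allowed:
                shown[name] = value
                self._log(who, role, "read", name, where)
            elif name in SENSITIVE:
                shown[name] = "[REDACTED]"
                self._log(who, role, "denied", name, where)
        return shown

    def update(self, who, role, where, name, value):
        """Change a field if the role may write it; refused writes are logged too."""
        if name not in WRITE.get(role, set()):
            self._log(who, role, "denied", f"write {name}", where)
            raise PermissionError(f"{role} may not change {name}")
        old = self.data[name]
        self.data[name] = value
        self._log(who, role, "write", f"{name}: {old!r} -> {value!r}", where)


def sample_record():
    # Constructed incident used for the demonstration.
    return IncidentRecord({"case_id": "INC-0001", "summary": "Expense irregularity",
                           "status": "open", "reporter_identity": "hotline-anon-17"})


def denied_events(record):
    """Audit entries showing attempted access beyond a role's clearance."""
    return [e for e in record.audit_trail if e["action"] == "denied"]
```

Reviewing `denied_events` on a real platform is the detective control that pairs with the preventive role checks: a support-staff account repeatedly hitting the reporter-identity field is a signal worth following up.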

I would love to hear your experiences and thoughts on what to look for in investigation management platforms; please follow the link to comment on my blog.