GRC 20/20 is providing a specific focus on 3rd Party Governance, Risk Management & Compliance (GRC) in the month of December. This is the fastest growing part of the GRC market as organizations struggle with issues of conflict minerals, anti-bribery & corruption, social accountability, privacy, security, and more . . .
No company is an island unto itself: Organizations are a complex and diverse system of processes and business relationships. Risk and compliance challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern extended business relationships as they stand in the shoes of their agents, vendors, partners, suppliers, and other relationships. Business partner problems and issues are the organization’s problems, and they directly impact the organization’s brand and reputation. When questions of business practices, compliance, and controls arise, the organization is held accountable, and it must ensure that business partners behave appropriately.
Businesses must understand business relationships in the context of the governance, risk and compliance (GRC) issues that impact business operations and brand. The challenge before organizations is: “Can you attest that risk and compliance is managed across extended business relationships?” The head of procurement, for example, is often left with managing supplier risk across these business relationships but has inadequate processes and information to effectively monitor them.
This is challenging enough given the distributed and extended nature of business, but it becomes particularly challenging in the current dynamic, ever-changing business environment. Risk, regulatory, and business environments are in a constant state of change. The business needs to be current in its governance, risk management, and compliance processes across business relationships. Manual email, spreadsheet, and document-centric processes are prone to failure, as they bury procurement and other areas of 3rd party risk/compliance in mountains of documents that are difficult to maintain, aggregate, and report on, consuming valuable resources in data management instead of managing 3rd party risk and compliance. Organizations need an integrated solution to manage 3rd party risk and compliance that brings together frameworks, content, and technology to deliver not only efficiency and effectiveness but also agility.
Extended business relationships — supply chain, value chain, vendors, service providers, outsourcers, and contractors — cannot be left to themselves. Risk across these relationships must be monitored and managed. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits and controls, and other business practices. Organizations need to actively demonstrate an in-compliance and in-control status throughout the extended business environment. Anything that impacts business relationships can taint the organization’s brand — such as child labor, quality issues, fraud, privacy violations, or other misconduct.
Procurement, and other parts of the business, tend to look at the formation of a business relationship and fail to foresee issues that can cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship itself.
The list of exposure areas impacting business relationships can be categorized as . . .
Organizations tend to look at the formation of a business relationship and fail to foresee how these issues cascade and cause severe damage to reputation, and exposure to legal and operational risk, throughout the ongoing relationship. There is a common failure to manage risk across the lifecycle of business relationships for the following reasons:
Organizations are complex entities that extend to hundreds or thousands of business relationships around the world. Organizations must actively manage and monitor risk and compliance across the lifecycle of a business relationship. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak and unmonitored oversight.
In the past, risk in extended business relationships was predominantly focused on the on-boarding process. After that point, individual business areas may conduct routine audits and assessments or require attestation to a code of conduct, but it is not a coordinated or collaborative function and often lacks accountability.
Document-centric processes bury the organization with mountains of out-of-sync data that takes time to reconcile and report. The organization ends up spending more time on data management and reconciliation than on active risk monitoring of extended business relationships. The business needs defined processes, information, frameworks, and solutions to effectively and efficiently manage 3rd party extended business relationships. The goal is to enable business agility by providing defined and integrated accountability processes that can manage risk and compliance in the context of performance and change across business relationships. A clearly defined approach to managing GRC across extended business relationships requires a consistent lifecycle and program supported by a common information and technology architecture.
Upcoming Research Briefings on this topic are . . .
In my previous article I made the argument that GRC (Governance, Risk Management & Compliance) is as relevant to the front office as it is to the back office, and that the front lines of the business use GRC systems and need engaging user experiences.
It is not just the front lines though. All levels of the organization interact with and use GRC technologies: taking assessments, reading policies, going through training, reporting incidents, evaluating reports, diving through dashboards, and more.
Employee engagement in GRC 3.0 requires GRC technologies to extend across the organization, even to extended third party relationships such as vendors, suppliers, agents, contractors, outsourcers, service providers, consultants and temporary workers. Engaging stakeholders at all levels of the organization requires that GRC technologies be relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a world permeated by social technology. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.
It has been stated that:
Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.
A primary directive of GRC 3.0 is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The GRC 3.0 goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.
I have been evaluating GRC technologies for twelve years now and find that many have average to poor user experiences. Even some of those who are recognized as GRC leaders, who would have you believe that their platform could solve the world’s problems, have interfaces that are overly complex, non-intuitive, confusing, and at times downright confounding.
What I am doing today is drawing attention to some examples of Engaging GRC - solutions that I think are delivering cutting edge interface design focused on intuitiveness, aesthetics, and engaging employees at all levels. However, this is not a blanket endorsement of these products. Some are very strong in what they do; others are early on the journey of building out breadth and depth. Please do not see this as a blanket endorsement - it is not. I am happy to answer questions on any of these vendors listed and anyone else being considered by buyers in the GRC ecosystem of technologies.
Examples of the latest in GRC Engagement delivering intuitive and easy to use interfaces are as follows (in alphabetical order; there are other vendors that I think excel in GRC Engagement - these were selected because they had publicly accessible video, in these links, that at some point gives a view into their product I could comment on):
Governance, risk management and compliance (GRC) are a part of everyone’s job. Too often we shovel GRC into the bowels of the organization thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back office of the organization. This misperception is a critical issue organizations must address. The most significant exposures to risk and compliance issues are not in the bowels of the organization, they are at the front lines. They are at all levels of management and business operations. They cross partner, vendor and supplier relationships throughout the extended enterprise.
The user experience for GRC has typically been poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality and a lack of centrally coordinated efforts for GRC communications. Organizations have ended up with multiple sources of policy, training, surveys, assessments and issue reporting hotlines. Interaction with these systems has consumed human and financial capital. Interaction is often inconsistently logged in documents and spreadsheets, if it is logged at all. There is no coordination of GRC communication and no way to prioritize messages and employee tasks. The result is emails and documents that fly about, slip through cracks, are never responded to, or are simply forgotten.
GRC is not just for back-office risk experts. For GRC to be successful, organizations must engage employees. It is no longer good enough to just have well documented policies and controls. Organizations must demonstrate GRC is active and operational across the organization.
GRC processes and technology can be contrasted with the past experience of employees to the present needs that build the future of GRC:
The bottom line: GRC is only as good as your front-line understanding, participation and alignment with GRC. It is no longer enough to have the right GRC documentation; you have to show it is operationally effective. This requires employee engagement in GRC. This involves bringing GRC to the coal-face. Coal-face is a term the British use for the frontline operations of the organization. It comes from miners deep in mineshafts at the coal-face harvesting coal. Every organization has a coal-face — the front line employees engaged in business operations. To maintain integrity and execute on strategy, the organization must be able to engage GRC in the context of its coal-face.
GRC solutions in the enterprise should deliver an exceptional end-user experience: getting employees involved by providing intuitive interfaces into GRC that are interactive, engaging and social. GRC solutions need to instruct, inform and be easy to use at all levels. They should engage employees in GRC without leaving them overwhelmed and confused. Employee engagement happens through:
The result: Backend management and oversight of risk and compliance is still needed; however, the front-end user experience is dramatically improved to engage employees and stakeholders and ensure they are connected to GRC in the context of their role and responsibilities. For GRC to provide value, employee engagement is critical, not optional.
It has been stated that:
Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.
A primary directive of GRC is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.
Note: This blog is an excerpt from GRC 20/20's latest Strategy Perspective:
This quote has been attributed both to Einstein and E.F. Schumacher.
Tossing and turning, anxiety is stirring me. I am trapped in a labyrinth of quadrants with flying dots that do not make any sense coming at me from all directions. One appears in front of me; I am startled. I remark, “you do not belong here, that does not make any sense, you should really be over in that quadrant.” All around me I eerily hear the ’80s group The Cars singing “Uh Oh, It’s Magic, Gartner’s Got a Hold On You . . .” I tremble. I am overwhelmed . . . I wake up screaming, covered in sweat. My wife once again, as she has done so many times this past month, looks over at me and offers me a Xanax, yet again.
OK, it is not quite that extreme – but it is bad. I have lain awake in bed until two in the morning many nights over the past four weeks pondering the black magical depth of the Gartner GRC Magic Quadrant. Perhaps depth is not the right word – more like the mysterious shallows. Actually, I cannot tell you how deep or shallow it is, as Gartner gives me no indication of the depth of their analysis. We are left to assume Gartner has depth and objective criteria and detail to their analysis. Where is it? I am unable to reconcile how Gartner came to this place yet again. It is like Gartner is playing mind games with me – intentional infliction of emotional distress.
GRC. I take it seriously. The GRC market is something I have been tending and caring for since February of 2002 in my early days at Forrester. I have watched the market for GRC solutions, services, and content grow and mature. I watched it grow in GRC 1.0 (2002-2006) as it grappled with SOX and internal controls, yet I knew it was going to do much more than that. The breadth was apparent in the Forrester GRC Wave that I wrote, and it grew rapidly into GRC 2.0 (2007-2012). In the second Forrester Wave it had advanced so much that there were four separate Wave graphics, as it could not be contained and represented in just one two-dimensional graphic any longer.
Then it happened – the separation. Forrester and I parted ways six years back. The GRC market (which is technology, services, and content that supports GRC strategy and processes) became a joint custody arrangement between Forrester, Gartner, and myself. I continued to see that GRC is a broad market with a lot of segments and sectors within those segments. The proper way to understand the GRC market is as an ecosystem of offerings and as a GRC architecture within a specific organization, not as a single platform. However, the other custodians put GRC back into one two-dimensional graphic. Where I used four graphics before leaving Forrester, Forrester went back to a single graphic. Gartner did the same, but worse. While Forrester objectively tries to model GRC in a way that is transparent and publishes the criteria and scores used, Gartner simply states “here is the grade I think you should have” and gives us no transparency into how GRC solutions are objectively measured. There is a lot of truth to the Magic Quadrant being Magic - it is beyond our comprehension.
This is my third rant against Gartner on the GRC Magic Quadrant. For the past four weeks I have been pursued by many to respond to the new version released in September 2013. I guess I have a loyal following of GRC groupies that are crying foul: down with injustice to GRC! I struggled with responding yet again. I do not want a reputation as an aggressor – it does not interest me. However, I am an idealist to the core and have a soft heart for the mistreated and maligned . . . so I lay awake late into the night fretting over Gartner and their 2013 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms.
For those interested in the historical back and forth, my previous rants are:
In all fairness, I do really like French Caldwell. He is a very gracious nemesis and we have some great discussions. While we debate, and at times collaborate, he is always very engaging and polite. I tell myself it is not French it is Gartner and their confounded approach and process to the Magic Quadrant. That allows me to continue to be cordial and attempt to be half as gracious as French is toward me when my hackles are raised and I am screaming at the injustice done to the GRC market.
There is a lot I would like to say about vendor positioning in the Magic Quadrant, but most of it I will not. Perhaps if you take me out for a pint in a nice British pub (going to London next week) you will get the depth of my thoughts with the dirt and praise on specific vendors. I hold back particularly because I accuse Gartner of not showing objective criteria and scores that map vendors on their graphic, and I would be doing the same if I told you where vendors should be positioned without giving you specific criteria and scores. While I provide my commentary below, I will be agnostic when it comes to specific vendor names.
My grievances with the 2013 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms are:
Honestly, the Gartner GRC Magic Quadrant really does not provide what is needed to make business decisions on GRC solutions. It is not complete, is not consistent, and has issues. The best use for it I have found is to start a fire in my fireplace on this cool autumn day. Sorry French, I know it is a lot of work. The whole process seems like a reality show for GRC . . . The Gartner Bachelor with a bunch of GRC solution providers in a beauty contest trying to pull off the slickest short demo (remember, just a few hours) to woo the Gartner Bachelor. I say roll up the sleeves and get involved in the solutions, build relationships, be easy to approach and engage, interact on a detailed basis. Go deep.
Let's now see if I can get some sleep tonight . . .
Compliance and ethics is not the same today as it was a few years ago. The forces shaping compliance are likely to continue to influence the trajectory of compliance and ethics for years to come. In the past, compliance was distributed and disconnected. The relationship of ethics to compliance was inconsistent. Organizations may have had a centralized compliance function to manage critical compliance issues bearing down on the business, but compliance in reality was fragmented and distributed, with highly redundant approaches taxing the business. This resulted in a maze of processes, reporting, and information. Each department relied on document-centric and manual approaches that did not integrate, and compliance professionals spent more time managing the volume of documents than they did actually managing compliance. There were inconsistent formats for policies and procedures, issue/incident reporting, and assessments.
Like battling the multi-headed hydra in mythology, these redundant, manual, and document-centric approaches were ineffective. As the hydra grew more heads of regulation, ethical challenges, and obligations, the scattered compliance approaches became overwhelmed and exhausted and were losing the battle. These problems led to a reactive approach to compliance, with silos of compliance failing to coordinate and work together. This increased inefficiencies and the risk that serious matters could fall through the cracks. Redundant and inefficient processes led to overwhelming complexity that slowed the business, even as the business environment required more agility.
Compliance and ethics today is in the midst of transformation. The pressure on organizations is requiring us to rethink our approach to compliance. This new approach is focused on what OCEG calls Principled Performance: “The reliable achievement of objectives, while addressing uncertainty and acting with integrity.”
Compliance is evolving to focus on the integrity of the organization. Compliance and integrity is becoming how we do business as opposed to being an obstacle to business. Compliance operations become federated to overcome inefficiencies of the decentralized approaches of the past. This requires a centralized coordinating role for compliance while working with federated compliance functions throughout the business. Organizations are looking to monitor and measure integrity of the organization through information, activities and processes coordinated across the organization.
These trends point in one clear direction: a compliance architecture that is dynamic, proactive, and information-based. That is, a new model for ethics and compliance that:
The result is an approach to ethics and compliance that not only delivers demonstrable proof of compliance effectiveness, but at the same time shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.
Through an integrated compliance architecture the organization will have an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.