Latest Pontifications & Thoughts . . .

  • Managing Risk & Compliance Across Extended Business Relationships

    Businesses are engaged in a continuous struggle to grasp the intricacies of risk management in an interconnected environment. The focus during the past few years has been on operational risk management — managing risk to business operations and processes. However, the standard definition used for operational risk management is flawed: Operational Risk Management: “.……

  • SAI Global Acquires Integrity Interactive

    There has been a lot of consolidation and restructuring in the GRC space already in 2010 – SAI Global takes the next step by acquiring Integrity Interactive. This is particularly intriguing as SAI Global continues to position itself as a dominant player focused on the C in GRC, that being compliance. Integrity Interactive expands……

  • SAP and CA Deliver on Comprehensive Vision of Integration of GRC

    As an industry pundit and analyst it is always fun to play matchmaker. For some time I have been pontificating that SAP and CA are very complementary in their approach to the GRC market. While one focuses on business processes and applications (SAP), the other (CA) focuses on IT management and security. I was……

  • Achieve GRC Value: Efficient Business Process and Application Monitoring

    Business today requires agility and efficiency to stay competitive. Organizations must respond rapidly to changing conditions, while managing financial and human capital costs. Compliance processes often work against business agility and efficiency. Requirements and initiatives bear down on the business, and become burdensome and inflexible. When managed manually and/or across numerous siloed business units,……

  • GRC Reference Architecture: Making Sense of the GRC Technology Landscape

    While GRC is ultimately about collaboration and communication between business roles and processes, technology provides the backbone that enables GRC. To describe this technology, Corporate Integrity has defined the GRC Reference Architecture (this is closely aligned to the second version of the Open Compliance & Ethics Group (OCEG) GRC Technology Blueprint). This model is……

  • Stakeholder Reputation Risk

  • Enterprise Risk Management Policy Structure

    I am amazed at the number of risk management programs I encounter that lack an organized structure and approach. So often what we know as ERM (enterprise risk management) is a hodge-podge of processes and assessments that somebody tagged the ERM label on without much thought for what they were doing. In fact, most……

  • ERM vs GRC? Response to Steven Minsky's Blog

    My response to Steven Minsky’s blog on: ERM vs GRC? SEC Says No to Myopic Approach: Costly Example from Goldman Sachs. Steve, You are struggling with understanding GRC. Everything you describe about ERM represents the R in GRC. ERM is the R in GRC if GRC processes (and supporting technologies) are done right. That……

  • GRC Professional Certification: Call to Action

    Whether you use the term or not – the fact is organizations do GRC. You will not get one organization to stand up and state they lack governance, do not manage risk, and can care less about compliance to mandated (e.g., regulatory) and voluntary (e.g., social responsibility) boundaries. The question is: are your organization’s……

  • 2010 Compliance Trends & Directions – A Corporate Integrity Research Survey

    Good research and information are the core of a successful strategy. As organizations seek to understand how their corporate compliance program stacks up against others it is necessary to get good data. Good data allows you to compare the direction of your current corporate compliance initiatives to others. For compliance officers/managers to understand how their programs……

  • Providing Consistent Policies Through a Style and Language Guide

    I have stated it before and I will state it again: the typical organization is a mess when it comes to managing policies and procedures. Organization size does not matter – I have seen small to large organizations that have horrible policy management practices. Policies are scattered across the business, reside in a variety……

  • GRC Achievement Awards & Compliance Week 2010

    There are good conferences and bad conferences. Having spent seventeen professional years attending various GRC, risk, compliance, and security conferences – most are categorized in my poor to bad category with only a handful making the good. There are a few conferences that I deeply respect – some put on by vendors, others by……