Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  compliance enterprise egrc iii management grc solvency software audit selection openpages risk tooling governance ii basel and | 0 Comments | 3,000 Visits
Governance, Risk and Compliance software selection process
A client of mine recently asked me about what I have seen as the most effective way to run a selection process. Now I know this may seem a conflict of interest, a GRC solution vendor writing on the GRC software selection process and the need for a GRC platform. Still I think I can give you some dos and don'ts on a GRC software selection process since I have been there many times.
Let’s start with the need for a GRC software platform. Why do you need such?
Of course investing in a solution needs a compelling event. Either the cost for risk management and compliance becomes very high, or the process takes too long to be responsive to stakeholders or the 'in control' statement cannot be guaranteed any longer. Also external regulators can advise you to implement software.
Before you start thinking about a GRC platform carefully review the risk and compliance maturity level of your organization and the scope of the problem. This will help you make the judgment between 2 approaches. First approach is what we call 'point solution', second approach is 'enterprise solution'.
The first approach, Point Solution, is best when the compelling event is there but the scope is limited to one area. On a single point of your GRC activities you have a pain that must be resolved in a fairly short term. In this case you can search for specific capabilities with specific knowledge. You can make a selection of vendors that operate in the area where you have the pain and select the partner that understands your area. Of course you might want to consider your ambition on the long term. If your long term ambition is Enterprise wide GRC integration you might still look at enterprise vendors and use the specific area as a 'pilot' for further extension.
The second approach, Enterprise Solution, is best when the compelling event is on the integration of Governance, Risk and Compliance. The term risk and control convergence often comes up here. This approach requires a lot more work than the point solution and may have cultural impact. You might consider a second party to help you go through this project. A second party (consulting firm) can help you in making critical decisions and in reviewing your current (silo based) approach to GRC. They can keep the holistic view for you. Every silo needs to be reviewed and mapped to the enterprise approach. This will not come without discussions and sacrifices!
So the need is there, now how to make your selection?
In the first point solution approach there are just two considerations, short term or long term? In case of the short term do NOT select an enterprise vendor and go for the right point solution. Advantages are lower cost and shorter implementation time. Second consideration, long term, means a selection between enterprise GRC software vendors and consider the first phase as a pilot for the enterprise approach. Still you might want to involve a consulting firm with specific knowledge.
In the second enterprise approach you will go for an enterprise vendor. This is where you want to be careful in setting up your selection. I personally have seen many of these selection processes since I have been in such selections. And this is where I want to give you some guidance to save you a lot of time and money.
First do NOT expect the enterprise vendors to differentiate on functionality. The GRC software market has gone through an evolution in the last 10 years that has resulted in a fairly mature software market. So a 'beauty contest' is a waste of money and resources. Outcome will be equal for all vendors and you will be stuck between your user community and the vendors in the process. You might get questions from your management team why you spend so much time and resources without any outcome.
Secondly involve your end users in the selection process early, but do not expect 20 people working in silos to come to one single conclusion. Again you will end up in a long discussion with no outcome. Have a small group of people (3 preferably) to make the selection.
Thirdly make your selection criteria known upfront and make them measurable. Also involve the vendors in the process and be open to them. If you are open and honest you will get transparent, open and honest answers. If you hide, vendors will hide! Criteria should be based on experience in your market, understanding of your organization, size and financial stability, ability to deliver in time and within budget, alignment of implementation approach to your implementation methodology and the cultural fit.
Again this may look like preaching to the choir but I hope I just saved you time and money that you can invest in your implementation.
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  openpages erm itg risk it-risk coso risk-management | 0 Comments | 2,854 Visits
If you haven't already seen it, it's worth a look – The Committee of Sponsoring Organizations of the Treadway Commission just published a thought paper dealing with risks related to cloud computing. It leverages off COSO's enterprise risk management framework, speaking specifically to issues surrounding hosted services delivered over the internet. The paper is geared not to the techie, but rather to management level personnel who need to understand not only the benefits, but also the associated risks. The paper briefly outlines the many benefits of cloud computing, including greater technology value at lower cost, faster speed of deployment, common technology platforms, reduced need for support personnel and related expenditures, and environmental benefits.
Naturally, most of the focus is on the risks. These include the strategic – with lower barriers of entry for new competitors and related challenge to current business models – and dependency on cloud service providers which in turn drives legal and related risks. Others include lack of transparency, reliability and performance issues, security and compliance concerns, and elevated risk of cyber attack or data leakage. The paper also deals with issues inherent in moving to the cloud, such as the extent to which management considers the impact on the company's organization and IT and other personnel resources, noting "In many cloud scenarios, the organization no longer has complete or direct control over technology and technology-related management processes. Management must determine if it has the risk appetite for the entire universe of potential events associated with a given cloud solution as some of these events extend beyond the organization's traditional borders and include some events that have an impact on the [cloud service provider(s)] supporting the organization."
The paper also discusses cloud issues in the context of COSO's ERM Framework's eight components, outlining how each can be addressed and used in evaluating cloud computing alternatives. It provides suggestions for dealing effectively with the more significant risks, and highlights key decisions to be made by senior management – as well as responsibilities of C-suite executives – and areas on which the board of directors needs to focus its attention. If your company is already in the cloud or considering going there, the paper is worth the read.
John Kelly 270004J7VQ email@example.com | | Tags:  grc enterprise operational risk | 0 Comments | 2,835 Visits
This week I had the pleasure (aside from the Sunday morning flight) of attending the RMA Annual Risk Management Conference in Washington, DC. Based on the standing room only crowd (even in the second repeat session), I’d have to say one of the most popular topics was “Developing a Risk Appetite” delivered by Bill Perotti of Frost Bank and Bob Rose of Brookline Bank. The duo defined Risk Appetite as “the amount of risk you will take in pursuit of a desired financial return”, which makes sense, but an effective risk appetite exercise, the presenters emphasized, really needs to be taken to the next level to reflect risk tolerance in all key areas of enterprise risk management (operational risk, credit risk, reputation risk, compliance risk, liquidity risk, sustainability, etc.).
Several examples were provided for how to develop a risk appetite statement for each of these key areas. One example included Operational risk and provided an example of how to create a risk appetite statement:
Operational Risk Appetite example:
We are committed to implementing practices and controls that will minimize financial losses from failures of systems, people and processes.
Quantitative measure examples:
Most importantly, risk appetite statements should reflect your company’s mission statement and values. Benefits outlined in the session included:
Of course the direction and communication on risk appetite needs to start at the top with the board of directors and CEO and be communicated and demonstrated throughout the organization. Looking forward to more informative sessions.
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  openpages compliance sec fcpa | 0 Comments | 2,773 Visits
We know the Justice Department and SEC in recent years revved up enforcement of the Foreign Corrupt Practices Act, which certainly has gotten the close and widespread attention of the business community. With the vast majority of U.S. companies large and small operating globally, general counsels, compliance officers, boards of directors, and other business executives are focusing on related risks and controls. And now the U.S. Chamber of Commerce’s Institute for Legal Reform, noting that companies want to comply with provisions of the FCPA but unclear enforcement makes it challenging, thinks "it is common sense that the rules of the road are clarified." As such, the Chamber has put forth five recommendations: Adding a compliance defense, limiting liability for the prior actions of an acquired company, adding a “willfulness” requirement for corporate criminal liability, limiting liability for acts of a subsidiary, and defining what constitutes a "foreign official."
It appeared these proposals might gain some traction, and then along came Wal-Mart. The charges of bribery in Mexico and subsequent cover-up seem to have dampened interest in modifying, or some would say softening, the FCPA and related enforcement. Certainly Wal-Mart has put tremendous effort into successfully lobbying legislators in both parties – and supporting the President’s initiatives in health coverage and pollution control, and the First Lady’s on healthy foods to combat childhood obesity – all of which may serve the company in good stead in containing political fallout. But we can also expect notoriety around the Wal-Mart case to signal the continued relevance of the Act and deflect efforts to weaken it.
It seems there’s an interesting analogy here, where the Wal-Mart bribery case might be to the FCPA what WorldCom was to Sarbanes-Oxley. After Enron imploded, there was stirring inside the Beltway about the need for legislation, but nothing much was expected to happen – until a few months later when the WorldCom fiasco hit the headlines, thereby generating momentum that turned into a rush to get a law passed. In this instance, it may well be the converse – a law that might have been weakened is more likely to stay as is, with continued strong enforcement by regulators. We’ll stay tuned to see what transpires.
Richard Steinberg 270004HRBG email@example.com | | Tags:  openpages education risk-analytics compliance risk-management risk | 0 Comments | 2,744 Visits
You may remember hearing about problems with the College Board, which owns the SAT, and the Educational Testing Service (ETS), which administers the tests. In the recent SAT cheating scandal the College Board and ETS were accused of having lax security and a system that failed to punish cheats. But problems go back further, when a couple of years ago the SAT had serious issues with incorrect scoring of tests. And media reports speak to extensive incorrect scoring and losing test results in England in 2008, with the UK Parliament calling their operation a "shambles." And as far back as 1983 cheating was suspected in California. For details you may want to refer to my blog posting of November 2011, which includes analysis of what the accused organizations did, or rather didn’t do, to right the wrongs.
Well, we now find another player in this industry accused of wrongdoing. Princeton Review, which provides help to students in preparing for college entrance exams and sells study guides, finds itself accused of defrauding the federal government. An arm of the company that provides after-school tutoring to students at troubled schools is said to have falsified records – including forging student signatures, falsifying sign-in sheets, and making false certifications – in order to boost payments due the company. Relevant is that the company was informed of these allegations back in 2006, but prosecutors, who are now suing, say the fraud continued as nothing was done to fix the system. For what it’s worth, Princeton Review reportedly closed its tutoring division and says most of its current management joined the company after the alleged fraudulent activity took place.
But what’s striking is how the few players comprising this industry have had serious problems – not only in allowing fraud to occur, but also in failing to act in the face of wrongdoing. And this is an industry supposedly driving high academic standards! Yes, we know academic institutions are not immune to misconduct, but we can wonder how these industry players each went so very wrong. And food for thought – do we see other industries with an inordinate number of companies experiencing widespread instances of non-compliance, fraud or other misconduct? And what does that say about the culture not only of the individual organizations, but the industry as a whole? Hmmmm.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  grc research openpages enterprise algorithmics ibm management risk | 1 Comments | 2,709 Visits
In the last 2 months three independent researchers have given their opinion on IBM’s approach to risk management. All 3 are very positive towards the areas of Innovation, Market Presence, Functionality and Enterprise GRC capabilities.
Forrester in the Forresterwave EGRC 2011: "The OpenPages platform remains one of the most consistently strong enterprise GRC platforms on the market today. The company’s vision is to enable senior management to make strategic risk and reward decisions to improve business performance and reduce exposure to risks and loss on investments. The OpenPages platform’s GRC management and analytics features are just one example of where this mission will play out."
Gartner in its September update: “The OpenPages platform has solid capabilities in all the core functions, has above-average support for ERM and ORM, and is rated very high on financial reporting integrity compliance. It continues to execute consistently on a well-planned road map.”
Chartis published its Risk Top 100 last November with IBM ranked the No.1 vendor in the area of Risk Management. With special rewards for Functionality, Market Presence, Innovation, Fund & Asset Management, Market Risk, Operational Risk and Enterprise GRC.
In the Chartis RiskTech 100 IBM was measured for the first time along the qualitative and quantitative risk capabilities (read the acquisitions of OpenPages and Algorithmics). In the Gartner and Forrester publications the latest Algorithmics acquisition was not taken into account.
Interestingly enough, researchers praise IBM for immediately adding value to its acquisitions. One year ago IBM was ranked number 7 in the RiskTech 100 and now IBM is on top of the list. Not because the individual products are that good but because the minimal overlap and immediate integrations create added value for customers.
Adding Risk to the area of Business Analytics (Business Analytics is one of the 4 key initiatives of IBM towards 2015, driven by our new CEO Ginni Rometty) is a great step into Smarter Risk. Capabilities like predictive intelligence, driver based planning, regulatory reporting, scenario testing, forecasting, dashboarding, scorecarding, reporting and analysis will give a great boost if you apply this to risk. This is where the convergence of performance management and risk management creates great value for our customers.
Blog post from Erwin Boeren, Governance Risk & Compliance Leader IBM Europe
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  risk-management dodd-frank compliance openpages | 0 Comments | 2,517 Visits
As a compliance officer, you’re dealing with increased regulation and expectations, while related resources are subject to budgetary constraints. Yes, senior managements read the headlines and recognize the reputational and related risks associated with legal and regulatory compliance. But what I and others see are compliance functions having to do more, often without a commensurate increase in resources.
These observations are consistent with a recent Thomson Reuters survey of financial services companies’ compliance professionals. The survey shows that compliance officers are struggling to keep up with increasing demands of global regulation – where rapidly growing regulations and increasing responsibilities, together with limited resources and constrained budgets, are causing compliance personnel to reach a “saturation point.” A whopping 84 percent of respondents say they expect to deal with more information from regulators and exchanges this year, with almost half expecting the level to be "significantly higher." The increase is expected to come from such events as splitting of the U.K. Financial Services Authority, added regulatory power of the European Supervisory Authorities, expansion of new and existing U.S. regulatory agencies resulting from Dodd-Frank, and expanded enforcement of such regulations as the U.K. Bribery Act and the U.S. Foreign Account Tax Compliance Act.
The survey results show that compliance responsibilities and expectations are diverging from realistic capabilities. For instance, with a key objective being to coordinate with other company professionals involved with regulatory risk, over half of compliance professionals say they spend less than one hour weekly with internal audit colleagues, and one third spend less than one hour per week with legal and risk professionals. And while 70 percent of respondents expect the cost of senior compliance staff to increase this year, only 11 percent of companies expect a significant increase in budgets.
Also interesting is the statement that: “While keeping executive management informed of regulatory issues is a key part of the compliance role, more than a quarter of respondents say they spend less than one hour a week reporting to their boards. In the U.S., more than half of the companies surveyed spend less than one hour a week reporting to their boards. This raises concerns about whether executive management is being kept sufficiently informed on compliance issues.” Well, it’s not entirely clear from this as to the extent of interaction between compliance officers and senior management – one hour a week with the board may be just fine, as long as there’s significant interaction directly with executive management.
In any event, what we see is compliance departments already working at a fast pace with high efficiency, but they face risks going forward if responsibilities and resources aren’t recalibrated to be in sync.
Osvaldo Jose Oliveira Menezes Rellegus TI 270004D4A7 email@example.com | | Tags:  grc isaca governança ojomenezes | 0 Comments | 2,491 Visits
Let us use this space to discuss the role of IT professionals in GRC work.
We can say that GRC is recent (2005), and as such there is still a large gap between business strategists and the IT area.
One thing is clear: with GRC, IT investments and the returns on those investments can be managed much better.
The work of customizing CobiT alongside Strategic Planning is extensive.
Dear contributors, let's post
Liz Andrews 2700041WEU firstname.lastname@example.org | | Tags:  risk-management risk_management risk risk-analytics financial-risk | 0 Comments | 2,248 Visits
Many of our GRC members may not be familiar with TH!NK, Algorithmics, an IBM Company’s semi-annual magazine exploring the world of financial risk management. However, the June 2012 issue has something for everyone - and is centered on the perspective that to successfully identify and respond to the economic challenges of our times, we must seek a balance between learning from the past and developing the solutions of the future.
You will find in this issue articles that seek to explore this balance between past wisdoms and new possibilities, like our cover story “Back to the Future,” which revisits capital and its role in the bank of tomorrow. In our latest “In Conversation” piece, IBM’s Brenda Dietrich serves as our first IBM contributor to TH!NK, discussing how research and new data systems are changing the way we think about information. Other articles explore some of the most pressing topics in financial services, such as the interconnectivity of risk on the Buy Side or the very real trading benefits to a bank in establishing a CVA desk. As always, TH!NK seeks to build insight and linkages across seemingly disparate realms – such as social media and financial risk management, which as you will read, may not be so disconnected after all.
I encourage you to "flip through" this valuable resource - and please visit our Discussion Forum if anything in particular piques your inte
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  watson erwin risk governance grc compliance management ii business analytics solvency ibm boeren basel | 0 Comments | 2,103 Visits
IBM Watson found a job as a risk expert!
IBM Watson goes to work in financial services as a risk expert. One of the largest Financial Services institutes and IBM now partner to enhance and simplify the consumer banking experience with faster, more accurate decisions, better risk assessment, and more targeted customer offers.
IBM Watson is transforming expectations for how technology can help individuals live and work in better ways. Its ability to make sense of vast quantities of unstructured information, communicate in natural human language, learn from experience, and offer confidence weighted responses is already a game changer in healthcare. Focusing these capabilities on financial services brings new possibilities for higher service levels to an expanded set of users.
For those who do not know IBM Watson, Watson is an artificial intelligence computer system capable of answering questions posed in natural language, developed in IBM's DeepQA project. As a test of its abilities, Watson competed on the quiz show Jeopardy!, in the show's only huma
Now what will that bring to our Financial Service clients? Potentially as an assistant to client service professionals to help deliver evidence-based recommendations across multiple areas of the bank, including: credit card; private banking; wealth management; and call centers. Since IBM Watson can think faster than any human being it is able to make cross checks, prevent fraud, determine risk, etc. It is able to analyze data such as client information, online news reports, blogs, Twitter feeds, analyst reports, regulations, credit ratings, and government securities filings which can help to suggest options targeted to a consumer's individual circumstances.
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM