Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  compliance enterprise egrc iii management grc solvency software audit selection openpages risk tooling governance ii basel and | 0 Comments | 2,727 Visits
Governance, Risk and Compliance software selection process
A client of mine recently asked me about what I have seen as the most effective way to run a selection process. Now I know this may seems a conflict of interest, a GRC solution vendor writing on the GRC software selection process and the need for a GRC platform. Still I think I can give you some dos and donts on a GRC software selection process since I have been there many times.
Let’s start with the need for a GRC software platform. Why do you need such?
Of course investing in a solution needs a compelling event. Either the cost for risk management and compliance becomes very high, or the process takes too long to be responsive to stakeholders or the 'in control' statement cannot be guaranteed any longer. Also external regulators can advise you to implement software.
Before you start thinking about a GRC platform carefully review the risk and compliance maturity level of your organization and the scope of the problem. This will help you make the judgment between 2 approaches. First approach is what we call 'point solution', second approach is 'enterprise solution'.
The first approach, Point Solution, is best when the compelling event is there but the scope is limited to one area. On a single point of your GRC activities you have a pain that must be resolved in a fairly short term. In this case you can search for specific capabilities with specific knowledge. You can make a selection of vendors that operate in the area where you have the pain and select the partner that understands your area. Of course you might want to consider your ambition on the long term. If your long term ambition is Enterprise wide GRC integration you might still look at enterprise vendors and use the specific area as a 'pilot' for further extension.
The second approach, Enterprise Solution, is best when the compelling event is on the integration of Governance, Risk and Compliance. The term risk and control convergence often comes up here. This approach requires a lot more work than the point solution and may have cultural impact. You might consider a second party to help you go through this project. A second party (consulting firm) can help you in making critical decisions and in reviewing your current (silo based) approach to GRC. They can keep the holistic view for you. Every silo needs to be reviewed and mapped to the enterprise approach. This will not come without discussions and sacrifices!
So the need is there, now how to make your selection?
In the first point solution approach there are just two considerations, short term or long term? In case of the short term do NOT select an enterprise vendor and go for the right point solution. Advantages are lower cost and shorter implementation time. Second consideration, long term, means a selection between enterprise GRC software vendors and consider the first phase as a pilot for the enterprise approach. Still you might want to involve a consulting firm with specific knowledge.
In the second enterprise approach you will go for an enterprise vendor. This is where you want to be careful in setting up your selection. I personally have seen many of these selection processes since I have been in such selections. And this is where I want to give you some guidance to save you a lot of time and money.
First do NOT expect the enterprise vendors to differentiate on functionality. The GRC software market has made an evolution in the last 10 years that have resulted in a fairly high mature software market. So a 'beauty contest' is a waste of money and resources. Outcome will be equal for all vendors and you will be stuck between your user community and the vendors in the process. You might get questions from your management team why you spend so much time and resources without any outcome.
Secondly involve your end users in the selection process early, but do not expect 20 people working in silos to come to one single conclusion. Again you will end up in a long discussion with no outcome. Have a small group of people (3 preferably) to make the selection.
Thirdly make your selection criteria known upfront and make them measurable. Also involve the vendors in the process and be open to them. If you are open and honest you will get transparent, open and honest answers. If you hide, vendors will hide! Criteria should be based on experience in your market, understanding of your organization, size and financial stability, ability to deliver in time and within budget, alignment of implementation approach to your implementation methodology and the cultural fit.
Again this may look preaching to the choir but I hope I just saved you time and money that you can invest in your implementation.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  compliance grc governance manufacturing smarter energy&utilities openpages risk enterprise deloitte project | 0 Comments | 1,831 Visits
Smarter Project Risk
Last week I came across project risk, and not for the first time! So, time to spend some words on this topic.
Especially organizations in Energy&Utilities and Manufacturing have huge risks in their assets and in their projects. You think you have all risks identified through the standard risk identification process and you just missed that elephant?! This might impact your yearly financial result or worse!
This is why more and more clients start to look at Project Risk methodologies. My client happened to use the PMBOK methodology. In this methodology you consider standard project phases including standard risks and controls. This is great, since you have most of the standard risks covered. But what about that risk that is just not standard? This is where gate reviews will help you. These gate reviews are held after every project phase. Each gate review contains questions used to identify risks, holds monitoring methodologies to check status and behavior and contains audit like activities. Key element here is that all findings roll up to top level so no significant risk can be missed.
all works for what we call manageable risks, but what about risks that you
cannot manage? How will you anticipate on this? Well these risks can be covered
by sensitivity analysis, simulations and business continuity management.
Especially sensitivity analysis and business continuity analysis will help you.
For simulations you will need data, and a significant amount of data. Only in
case you have many similar projects running in a regular cycle you will be able
to generate enough risk identifications and losses to be able to make a sensible
Now the system is in place, and now we are in control? Wrong! This is where the real work starts. How do I get my organization to adopt risk in her daily business? How do I get input with the right quality? How do I make everyone a risk manager? This takes time and effort. Guide your people in how to make the assessments and make them part of it. Give them back where they contributed to, and make their life easier. That is what we call Smarter Risk.
IBM OpenPages and Deloitte have put together a Risk Methodology for project risk where all these technologic and organizational aspects come together and can be integrated in your enterprise risk platform.
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM
Twitter : http
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  global cro mf risk | 0 Comments | 1,040 Visits
A recent Congressional hearing on MF Global has shed more light on how well the company did, or didn’t, handle its risk management responsibilities. A couple of weeks ago the House Financial Service Committee’s oversight panel heard testimony from the firm’s chief risk officers. As CRO, Michael Roseman in 2010 raised concerns about the firm’s European Sovereign debt positions, reportedly clashing with top executives but in any event seeing to it that the board of directors was informed of what was going on. (For more on this, you can look back to my December 15 posting.) Then in early 2011 MF Global hired a new chief risk officer, Michael Stockman, who like CEO Jon Corzine was a former Goldman guy. One Congressman reportedly said it appeared “Stockman was hired to tell Mr. Corzine what he wanted to hear,” and another called him a “yes man.” Whether that’s fair or not is debatable, though one wonders why the change of CROs was made in the first place. In defense, Stockman said that for the first several months of his tenure he believed the firm’s “risk profile associated with the company’s European sovereign debt position was acceptable in light of then-prevailing market conditions,” but “as credit markets deteriorated in the summer of 2011, I came to the view that it would be prudent for the company to mitigate the increased risks.” Whether his initial assessment was justified and whether he pushed hard and timely enough with management and the board certainly is questionable.
Fascinating here is what was said by the Congressmen doing the questioning, reportedly saying to Stockman that it was up to the chief risk officer to “rein in their bosses risk taking.” If that indeed was said, then it shows a sad lack of understanding of what a chief risk officer’s role truly is. In highly summarized form, if the role is structured well, the CRO is responsible for establishing a process within the organization where managers timely identify, analyze, and manage risk, with communications systems in place to ensure appropriate upstream reporting. The reporting element is critical, not only within the organizational infrastructure but also going to the very top. The CRO needs to be sure top management and ultimately the board of directors are fully apprised of significant risks. And if management refuses to inform the board, then the CRO has to do it him/herself. CRO Roseman seems to have made sure the board was apprised.
A CRO’s job is not easy, especially when a company takes on what can only be deemed unusually high risk positions. The CRO needs to be sure the risks are identified, analyzed and reported, which seems to be the case here. The board was apprised of the risks when Roseman was CRO, and we’re told the directors considered the risks and acquiesced. A board of course should probe deeply enough to truly understand the risks and surrounding circumstances. If those actions occurred, and the CRO was convinced the board had sufficient understanding and insight, then he has done his job – which does not, as the Congressmen asserted, include the CRO himself reining in the risks.
No doubt more insights will emerge and the picture of what happened will become clearer. Investigators might even find out what happened to the more than $1 billion (one estimate is as high as $1.6 billion) of “missing” customer money, and whether internal controls were faulty or overridden as the firm was about to go under. In any event, it’s important that the different roles of a CEO, CRO and board be fully understood. The CRO does not and cannot be responsible for the ultimate actions of a CEO and board of directors. The CRO’s role includes seeing that top management and the board understand the risks and make well-informed judgments. And yes, those judgments may ultimately prove to be bad, or even fatal as was the case with MF Global.