<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-3599796016545407150</atom:id><lastBuildDate>Sat, 11 Apr 2026 07:31:57 +0000</lastBuildDate><category>compliance</category><category>GRC</category><category>Risk Management</category><category>Governance</category><category>7 elements</category><category>Organization</category><category>Supply chain</category><category>enterprise</category><category>procedures</category><category>standards</category><category>BCP</category><category>Benchmark</category><category>Best practice</category><category>Business Continuity</category><category>CCO</category><category>CFO</category><category>CIO</category><category>Communication</category><category>Compliance Officer</category><category>Confusion</category><category>Corporate Integrity</category><category>Draft Policies</category><category>ERM</category><category>Engage</category><category>Ethics</category><category>Extended Enteprise</category><category>Extension</category><category>General Counsel</category><category>Incident Management</category><category>OCEG</category><category>Organizations</category><category>Planning</category><category>Principle-based</category><category>Records Retention</category><category>Risk</category><category>Risk Assessments</category><category>Risk and Compliance Executive</category><category>SOX</category><category>Senior Governance</category><category>Small Companies</category><category>Spending</category><category>Third-party</category><category>Third-party 
risk</category><category>Training</category><category>Trends</category><category>Vendor</category><category>assessment</category><category>audits</category><category>business performance</category><category>compliance office</category><category>ecosystem</category><category>exams</category><category>grid</category><category>implement</category><category>policies</category><category>principles</category><category>regulations</category><category>regulators</category><category>risk-driven</category><category>rules</category><category>seven elements</category><category>standard</category><category>technology</category><title>Compliance On Demand</title><description>This blog features comments from governance, risk and compliance experts at Axentis. Their posts will discuss the latest hot topics in GRC, as well as best practices from our customers and leading standards groups such as OCEG and the IBM Data Governance Council.</description><link>http://complianceondemand.blogspot.com/</link><managingEditor>noreply@blogger.com (Brett Curran)</managingEditor><generator>Blogger</generator><openSearch:totalResults>24</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-8226005728003105707</guid><pubDate>Mon, 22 Feb 2010 15:10:00 +0000</pubDate><atom:updated>2010-02-22T09:12:46.571-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Risk and Compliance Executive</category><category domain="http://www.blogger.com/atom/ns#">Senior Governance</category><title>Sorry, no more post from me on this Blog</title><description>&lt;div&gt;Those of you that have followed me on this blog, realize that my posts have substantive content on GRC topics. 
I shared my thoughts, ideas and personal experiences as a former Chief Compliance Officer and IT executive on topics and techniques with the hope that my readers could leverage them to help improve their own company practices. &lt;br /&gt;
&lt;br /&gt;
As a result of AXENTIS’ acquisition by Wolters Kluwer/CCH last year, my position was eliminated as of December 2009. This last post is simply intended to inform you, my readers, that I am no longer submitting posts for this blog.&lt;br /&gt;
&lt;br /&gt;
I am now a guest lecturer for the University of Dallas School of Management, graduate course on GRC – what a great thing to see being introduced to young business professionals.&lt;br /&gt;
&lt;br /&gt;
I have also taken on some engagements, solely spawned by people who know me within the GRC industry, to help companies move forward in marketing, selling and improving their GRC programs and processes.&lt;br /&gt;
&lt;br /&gt;
Ideally however, I would like to continue helping businesses grow and improve in the risk, compliance and ethics field in a full-time capacity which could either mean taking on a Compliance Officer type of role, a marketing and development role with a GRC solution vendor or a management consulting role with a respected provider of consulting services. &lt;br /&gt;
&lt;br /&gt;
I want to thank you for reading and sometimes commenting on my posts and hope that your passion and insights have been fueled by my sharing of experiences.&lt;br /&gt;
&lt;br /&gt;
Please feel free to reach out to me if you need my help and look for me to resurface in the not too distant future.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Thanks again and God Bless.&lt;br /&gt;
&lt;br /&gt;
Brett Curran&lt;/div&gt;</description><link>http://complianceondemand.blogspot.com/2010/02/sorry-no-more-post-from-me-on-this-blog.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-5790399810500092791</guid><pubDate>Fri, 09 Oct 2009 16:06:00 +0000</pubDate><atom:updated>2009-10-09T11:15:03.178-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Draft Policies</category><category domain="http://www.blogger.com/atom/ns#">Records Retention</category><category domain="http://www.blogger.com/atom/ns#">Risk Assessments</category><title>Risk Assessments and Records Retention</title><description>At a recent Compliance and Ethics conference, I asked another attendee what they hoped to gain while they were there. Keep in mind that the audience has hundreds of experts in their own right, who come both to share their own experiences and to learn from others.&lt;br /&gt;&lt;br /&gt;I was quickly reminded as I listened to the reply that records retention programs and schedules need constant vigilance – why, you wonder?&lt;br /&gt;&lt;br /&gt;The response to my question brought back one of the key concerns that I encountered nearly 10 years ago when I was a new CCO. The company was beginning to establish risk management practices and was in the midst of performing enterprise-wide risk assessments.&lt;br /&gt;&lt;br /&gt;This attendee was in the early stages of developing an ERM program and, while discussing the status of the effort with the General Counsel, she was informed that all the responses to the risk assessment questionnaires should be destroyed – fear of the double-edged sword.&lt;br /&gt;&lt;br /&gt;On one hand, you are doing the right thing by finding your problem areas so that they can be addressed in a timely manner. 
On the other hand, you are documenting issues that may be held against you.&lt;br /&gt;&lt;br /&gt;In my mind, it is a matter of ethics and doing the right thing. If the tone of the company is one of the highest ethical standards, the decision is not quite so difficult. Search for risks, prioritize them, address them – you should be rewarded for your efforts.&lt;br /&gt;&lt;br /&gt;A similar situation arises when drafting company policies. The working versions may have all sorts of statements that are changed or omitted from the final version. However, companies often worry that if they get in trouble, these working versions will be discovered and used against them: someone obviously knew about the issue, yet the company decided to do something other than what could have prevented the problem.&lt;br /&gt;&lt;br /&gt;These are both valid concerns that must be researched and decided upon.&lt;br /&gt;&lt;br /&gt;In both of these scenarios, consider the risk of having the information versus not having the information.&lt;br /&gt;&lt;br /&gt;1) No company can go error free&lt;br /&gt;2) People (even judges and prosecutors) recognize real effort&lt;br /&gt;3) You must be able to demonstrate reasonable due diligence&lt;br /&gt;4) Doing the right thing will pay long-term dividends&lt;br /&gt;5) Regulations wouldn’t require risk assessments if companies didn’t have risks that needed to be identified and addressed.&lt;br /&gt;&lt;br /&gt;The other thing I remembered was to make sure that these record types are included in your records retention schedules. Superseded policies, prior versions of risk assessments, supporting documentation, etc. should all be accounted for in your records retention program.&lt;br /&gt;&lt;br /&gt;So ask yourself, how can you show evidence of good risk and compliance practices if you throw away all your report cards that don’t have gold stars? 
You should be proud of your efforts if you are truly doing the right things and only hope that you get the chance to let it protect you when something goes wrong.&lt;br /&gt;&lt;br /&gt;I&#39;d be interested to hear how your company is managing these types of records so, please send me your comments.</description><link>http://complianceondemand.blogspot.com/2009/10/risk-assessments-and-records-retention.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-7844609238672699706</guid><pubDate>Mon, 08 Jun 2009 15:22:00 +0000</pubDate><atom:updated>2009-06-08T12:03:57.472-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">CCO</category><category domain="http://www.blogger.com/atom/ns#">CFO</category><category domain="http://www.blogger.com/atom/ns#">CIO</category><category domain="http://www.blogger.com/atom/ns#">Compliance Officer</category><category domain="http://www.blogger.com/atom/ns#">General Counsel</category><title>GRC: Whose Job Is It Anyway?</title><description>There is so much insight and expertise being discussed and written about these days regarding GRC, its advantages and tactical approaches that anyone even remotely close to risk or compliance management understands the concepts and value.&lt;br /&gt;&lt;br /&gt;Most everyone also understands the pressures put on the CEO and other company executives when regulators don’t see that company business practices are what they should be.&lt;br /&gt;&lt;br /&gt;So, whose job is it to build and execute an effective and efficient GRC program anyway?&lt;br /&gt;&lt;br /&gt;The answer is usually, it depends. 
And it depends on a number of data points, such as:&lt;br /&gt;&lt;br /&gt;1) Who has the attitude and personality to drive change&lt;br /&gt;2) Who has the organization, planning and communications skills&lt;br /&gt;3) Who normally gets assigned and is successful in leading significant change&lt;br /&gt;&lt;br /&gt;From this short list of possibilities, it might be the CFO, CCO or CIO, as each has likely championed a successful enterprise change. While we all recognize that the essence of a GRC approach involves everyone in the organization having clear roles and responsibilities in sustaining GRC, designing and redesigning enterprise change is an entirely different task.&lt;br /&gt;&lt;br /&gt;For this, I would give the edge to the CIO, as they are honed day-in and day-out to manage change and enhance sustainable processes. However, the CFO is well versed in managing cost and risk and has probably sponsored some large projects to replace a financial system or two. The CCO, on the other hand, is somewhat like the CIO in that changes come in daily and they must communicate and manage frequent changes across the organization as a process.&lt;br /&gt;&lt;br /&gt;Because GRC is a business matter and requires various levels of participation from everyone in the organization, deciding which individual or committee will lead the execution and oversight efforts depends on who will be responsible for reporting on the effectiveness of the overall program to the board or its sub-committee.&lt;br /&gt;&lt;br /&gt;Finance is the primary function of the CFO and providing technology services is the primary function of the CIO; the primary function of the CCO, therefore, is overseeing and executing risk-driven compliance. 
However, and as I already mentioned, the CCO needs the CIO and CFO by their side every step of the way, as well as other members of the organization.&lt;br /&gt;&lt;br /&gt;Oftentimes, the CCO will enlist the services of a seasoned project or program manager from IT, because those skills are essential in driving the execution activities designed under the direction of the CCO with support and input from other members of the team.&lt;br /&gt;&lt;br /&gt;IT has a particularly significant and challenging role in the business, as GRC involves IT both as a business department and as the provider of the technology needed to support the overall program. Because the program can succeed or fail merely on the appropriate application of technology, the system needed by the CCO and other stakeholders to manage the GRC processes is as critical as the system the CFO uses to manage finances.&lt;br /&gt;&lt;br /&gt;The term IT GRC has crept into our midst over the last year or two but, to me, it alludes to the special needs of IT stakeholders within the larger enterprise GRC spectrum rather than to the need for an entirely different solution.&lt;br /&gt;&lt;br /&gt;You probably noticed that I omitted the Chief General Counsel from the list of possible candidates, and for good reason. While company lawyers have a significant role in supporting the risk and compliance efforts of the company, you want them to provide legal advice independent of the building of the program’s processes. 
Additionally, their training and mindset aren’t generally conducive to or aligned with the particular skill sets needed to plan, develop and manage sustainable and often complex processes across the enterprise.&lt;br /&gt;&lt;br /&gt;Whatever the title of the person appointed by the board to oversee the day-to-day execution of GRC activities, they all need to work together to evolve from the current way of doing things to a more effective and cost-efficient way.&lt;br /&gt;&lt;br /&gt;There is always room for improvement, and you need a process to build and support the GRC process, but having someone in charge to coordinate and report on the progress and effectiveness of the overall GRC program is the job of the CEO and the board. It’s largely about defining, managing and executing based upon clearly defined roles and responsibilities.&lt;br /&gt;&lt;br /&gt;So do this part right, and the rest will evolve to the appropriate levels of maturity over time – taking a risk-driven approach to take care of first things first and keeping it that way.&lt;br /&gt;&lt;br /&gt;Ann Oglanian, President and CEO of ReGroup LLC, has put together a terrific slide deck defining the Compliance Officer that should help you in finding the right person for this role; it can be found at: &lt;a href=&quot;http://www.p2f2.org/08_%20conference/Presentations/Ann%20Oglanian%20-%20Compliance%20Officer%20Toolkit.pdf&quot;&gt;Compliance Officer Toolkit&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Do you have a GRC czar and, if so, what is their title?</description><link>http://complianceondemand.blogspot.com/2009/06/grc-whose-job-is-it-anyway.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-2712676209533383505</guid><pubDate>Tue, 14 Apr 2009 15:34:00 +0000</pubDate><atom:updated>2009-04-14T10:38:48.421-05:00</atom:updated><category 
domain="http://www.blogger.com/atom/ns#">Benchmark</category><category domain="http://www.blogger.com/atom/ns#">Best practice</category><category domain="http://www.blogger.com/atom/ns#">GRC</category><category domain="http://www.blogger.com/atom/ns#">standard</category><title>Best Practices: What do they mean to you?</title><description>&lt;p&gt;Besides ERM and GRC, one of the other buzzwords referred to is “Best Practices”. Benchmark is another interesting term, but I’ll save that discussion for another time.&lt;br /&gt;&lt;br /&gt;Being in the Enterprise GRC application vendor business for a couple of years and as a former IT guy who made the transition to Chief Compliance Officer, I’ve heard this term for more years than I care to share.&lt;br /&gt;&lt;br /&gt;In IT, using the term best practices usually meant adopting some well-known industry standards, and in the IT space it was things like ISO 17799 (the information security management code of practice, since renumbered ISO/IEC 27002), ITIL (IT service delivery standards), COBIT (IT GRC) or something similar. When you begin learning about these types of standards, or in this case best practices, you quickly realize that it is about the processes, procedures and the carrying out of a company-defined rendition of the standards. 
The adoption and adaptation of the standards can be equated with best practices to provide the confidence and assurance that the company is operating accordingly.&lt;br /&gt;&lt;br /&gt;As a result, the IT world often equates industry- and discipline-focused standards with best practices.&lt;br /&gt;&lt;br /&gt;Now let’s talk about how compliance professionals might interpret the term.&lt;br /&gt;&lt;br /&gt;While compliance professionals largely hold a similar view to their IT counterparts, there are some very subtle, or perhaps not-so-subtle, differences.&lt;br /&gt;&lt;br /&gt;Take for example this list of typical compliance activities:&lt;br /&gt;&lt;br /&gt;    * Identifying and evaluating legal and regulatory changes&lt;br /&gt;    * Collaborating on the development and modification of policies and procedures&lt;br /&gt;    * Developing and revising training plans&lt;br /&gt;    * Scheduling and delivery of training&lt;br /&gt;    * Delivering and managing surveys and responses&lt;br /&gt;    * Performing assessments – distributing, collecting, evaluating&lt;br /&gt;    * Monitoring and reporting on issues and the effectiveness of the compliance programs&lt;br /&gt;&lt;br /&gt;Certainly there are standards or best practices that would apply to effective training programs, or to how long to keep obsolete policies or procedures, and the like, but best practices around these activities should focus first on the processes. 
I say this because if you can’t sustain the processes, you certainly can’t follow standards.&lt;br /&gt;&lt;br /&gt;As an example, the process for evaluating the impact of regulatory changes might involve communicating with and engaging different stakeholders, but a best practice would involve maintaining the right list of stakeholders; a consistent mechanism for tracking the laws and regulations and soliciting input from various business areas; organizing and collecting responses and action plans; the ability to identify and follow up on activities that are getting done; the ability to track the associations between the regulations, policy changes, actions taken and responsible parties; as well as a number of other process activities that would be considered “best practices” in compliance management.&lt;br /&gt;&lt;br /&gt;My point is that “best practices” may mean different things to different constituents across your organization. If you are striving to adopt and adapt best practices, you should clarify your team’s understanding so you will know them when you see them and give them the right measure of priority and focus. Don’t get sidetracked searching for content and standards that you aren’t prepared to support with best practices.&lt;br /&gt;&lt;br /&gt;For GRC, I would give the first order of importance to the strategic approach relative to organization and oversight; second, the processes to manage the activities; and last but not least, industry standards. 
&lt;/p&gt;&lt;p&gt;&lt;br /&gt;I would be interested to hear how other companies are going about the adoption of best practices and what you consider “best practices”.&lt;/p&gt;</description><link>http://complianceondemand.blogspot.com/2009/04/best-practices-what-do-they-mean-to-you.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-1888307136076146937</guid><pubDate>Thu, 05 Mar 2009 22:47:00 +0000</pubDate><atom:updated>2009-03-05T16:56:02.596-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">7 elements</category><category domain="http://www.blogger.com/atom/ns#">audits</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">exams</category><category domain="http://www.blogger.com/atom/ns#">Principle-based</category><category domain="http://www.blogger.com/atom/ns#">regulators</category><title>What Do Regulators Really Want?</title><description>No surprise that legal and compliance professionals need to get out and interact with their peers in the industry occasionally, it’s like AA for compliance junkies. Like half-time for players of a sporting event, they need to head off to the locker room and evaluate what just happened, adjust their plan of attack or defense in some cases – and head back to the game with renewed vigor and enthusiasm.&lt;br /&gt;&lt;br /&gt;It was no different when I attended a recent &lt;a href=&quot;http://www.hcca-info.org/&quot;&gt;HCCA&lt;/a&gt; conference in Scottsdale, AZ a week ago. 
Compliance Officers escaped the confines and calamities of their normal routines to share lessons learned and stir new ideas that could improve and enhance their GRC programs.&lt;br /&gt;&lt;br /&gt;There were numerous topics discussed; however, one ingredient that was quite obvious was the attention being given to the Federal Sentencing Guidelines’ seven elements of an &lt;a href=&quot;http://www.ussc.gov/2008guid/8b2_1.htm&quot;&gt;Effective Compliance and Ethics Program&lt;/a&gt; (§8B2.1). Whether the speaker was from industry or a regulatory body, the seven elements were part of the presentation.&lt;br /&gt;&lt;br /&gt;I presented a pre-conference workshop on Training and the Use of Technology, and what did I use to help establish the requirements – you guessed it.&lt;br /&gt;&lt;br /&gt;I found it particularly validating when subsequent conference sessions all mentioned the same elements regardless of the topic. If you are not familiar with them – &lt;strong&gt;THEY ARE IMPORTANT!&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;The other key takeaway for me was related to the regulators’ remarks during their sessions and where the rubber meets the road for companies. 
So, what do regulators and examiners really want to find during an audit or exam?&lt;br /&gt;&lt;br /&gt;1) Evidence of a seven-element compliance and ethics program&lt;br /&gt;2) Programs that produce desired outcomes based on their design and execution&lt;br /&gt;3) Legal and regulatory requirements being met&lt;br /&gt;&lt;br /&gt;If you periodically evaluate your program and find that you can demonstrate satisfying these expectations, you rock!&lt;br /&gt;&lt;br /&gt;If you can’t, but have built a plan that is making good progress according to sound risk evaluations, you are definitely on the right track.&lt;br /&gt;&lt;br /&gt;If you are not in either of these categories, maybe you need to call half-time, regroup, re-plan and get back in the game.&lt;br /&gt;&lt;br /&gt;By the way, whether or not more regulations begin taking the principle-based approach, where outcomes are increasingly the focus, the three items I listed above already are outcome-focused.</description><link>http://complianceondemand.blogspot.com/2009/03/what-do-regulators-really-want.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-8268617986075183341</guid><pubDate>Thu, 19 Feb 2009 20:09:00 +0000</pubDate><atom:updated>2009-02-19T14:15:43.606-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">Risk Management</category><category domain="http://www.blogger.com/atom/ns#">Supply chain</category><category domain="http://www.blogger.com/atom/ns#">Third-party risk</category><title>Extended Enterprise Risk and Compliance: Managing the Approach</title><description>&lt;p&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt;I wrote a blog post last summer on the topic of &lt;/span&gt;&lt;a 
href=&quot;http://complianceondemand.blogspot.com/2008/07/extended-enterprise-risk-managemeent.html&quot;&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt;Extended Enterprise Risk Management&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt; and it is still a top-of-mind initiative for most companies.  The highly regarded GRC visionary Michael Rasmussen, CEO at &lt;/span&gt;&lt;a href=&quot;http://www.corp-integrity.com/&quot;&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt;Corporate Integrity&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt; recently posted the &lt;/span&gt;&lt;a href=&quot;http://corp-integrity.blogspot.com/2009/02/ultimate-3rd-partysupply-chain-risk.html&quot;&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt;Ultimate 3rd Party/Supply-Chain Risk &amp;amp; Compliance Management Platform&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt; article to his blog and makes some great points that I wanted to expand upon.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href=&quot;http://www.axentis.com/offerings/solutions/vendorsupplier&quot;&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt;Axentis&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt; has worked with a number of customers on developing a practical approach using its single GRC application to manage risk and compliance across thousands of third-parties relative to the exposures present within those relationships.&lt;br /&gt;&lt;br /&gt;Can the ultimate risk and compliance management platform be an enabler for improved efficiency and effectiveness? absolutely. Can lessons be learned and applied from others who have created an effective and efficient process? 
Absolutely.&lt;br /&gt;&lt;br /&gt;Some of the key elements of successful approaches that I would add to the list for managing these third-party risk and compliance challenges are:&lt;br /&gt;&lt;br /&gt;* A process of applying risk ratings to vendors, suppliers, etc. based on various criteria, like dollars paid, criticality to production, regulations the supplier is subject to, etc.&lt;br /&gt;&lt;br /&gt;* Associating various risk-oriented processes, policies and procedures with them based on their risk ratings&lt;br /&gt;&lt;br /&gt;* Integrating compliance and risk management assessment functions with the contracting processes&lt;br /&gt;&lt;br /&gt;* Integrating third-party user provisioning with compliance training&lt;br /&gt;&lt;br /&gt; I produced a white paper last year: &lt;/span&gt;&lt;a href=&quot;http://gw.vtrenz.net/?LTTM99H4CZ=clicksrc:blog&quot;&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt;Managing Risk in the Extended Enterprise&lt;/span&gt;&lt;/a&gt;&lt;span style=&quot;font-family:verdana;&quot;&gt; that more clearly articulates the elements needed to effectively manage extended enterprise risk, and it is still relevant today.&lt;br /&gt;&lt;br /&gt;If you’d like to explore this solution further, take a look at the white paper I have prepared and, if you like, contact me directly to discuss in more detail.&lt;br /&gt;&lt;br /&gt;I’d be interested to hear about similar approaches that you have taken or other effective ways you have constructed to manage and oversee your extended enterprise risk.&lt;/span&gt;&lt;/p&gt;</description><link>http://complianceondemand.blogspot.com/2009/02/extended-enterprise-risk-and-compliance.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-7351736990985953277</guid><pubDate>Tue, 13 Jan 2009 17:20:00 +0000</pubDate><atom:updated>2009-02-19T07:34:38.226-06:00</atom:updated><category 
domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">Confusion</category><category domain="http://www.blogger.com/atom/ns#">enterprise</category><category domain="http://www.blogger.com/atom/ns#">GRC</category><category domain="http://www.blogger.com/atom/ns#">Risk Management</category><title>Will the Real GRC Please Stand Up?</title><description>Just eight years ago, no one had heard of the term “GRC”, yet today there are more experts with analyst firms, consulting companies and software vendors than I could have ever dreamed of. When I began planning and organizing my “Integrated/Federated GRC Environment” in 2001, the only vendor that came even close was Axentis. Remember, I had been in IT for almost 25 years to that point and knew something about technology. GRC was not a commonly understood acronym, and there weren’t any vendors, consultants or analysts providing guidance, let alone technology solutions, to help manage the administrative aspects of the myriad people, processes and information.&lt;br /&gt;&lt;br /&gt;So how have all these providers of GRC services and solutions become experts so fast? In many cases they have just expanded the marketing of their already-in-place point solutions, now referring to themselves as a GRC solution rather than being burdened with the stigma of a pure point solution and presumably missing the GRC revolution. Without a clearly defined benchmark to be measured against, and GRC being a new term, they have created their own visions and definitions of what GRC means and hence how it should be solved – adding to the confusion.&lt;br /&gt;&lt;br /&gt;The reason for this is obvious; however, solving the problem is a much more difficult task.&lt;br /&gt;&lt;br /&gt;I think it’s about time those of us in the business of GRC start to confront the confusion we have all created around what G, R and C mean. 
I won’t name names, but I can tell you that as I get around and talk to various experts on GRC, they may agree on concepts, but in practice the solutions are from completely different books, not just different pages.&lt;br /&gt;&lt;br /&gt;In addition to the GRC practice guidance that OCEG is helping to create, they and their members are working on the whole concept of a GRC technology ecosystem. This will eventually help categorize solutions in a more accurate position within the ecosystem of “GRC solutions”. With guidance from OCEG and the community of contributors from industry Chief Compliance and Risk Officers, Chief Ethics Officers, General Counsels, leading consulting firms and GRC application vendors, we will have really useful information and benchmarks to define the real GRC.&lt;br /&gt;&lt;br /&gt;Analyst firms don’t all see GRC the same way either. Their understanding, by and large, is led by the types of inquiries they receive from their customer base. If their customers are primarily IT focused, the technology requirements for GRC reflect the needs of IT. If they are auditors, they tend to reflect the technology needs of auditors, and so forth with other roles across the GRC spectrum. What this promotes is an unbalanced view of what GRC is, what solutions are needed and how solutions compare. It stands to reason that the guidance and research done by analysts as to the key elements of GRC often target the view from a specific discipline rather than the broad spectrum of stakeholder needs – Enterprise GRC. That is not always the case, but how does a buyer or solution vendor really know without the experience of working with a variety of stakeholders or having industry benchmarks from which to measure?&lt;br /&gt;&lt;br /&gt;If the company approach to risk and compliance management is unbalanced towards risk or compliance, they are likely overspending and/or underachieving. 
The application solutions to support these processes need some degree of balance or, at least, need to work well within the over-arching technology ecosystem and should make clear where they stand.&lt;br /&gt;&lt;br /&gt;I think we have to get real, especially with what “R” means and what “C” means. I am not focusing on G because in some ways R(C) = G (I know this is not exactly true), but let’s focus on R and C for now.&lt;br /&gt;&lt;br /&gt;“C” stands for compliance, which for many means obeying laws and regulations. That is true but not the whole story. It also means following internal directives, departmental policies and procedures and other requirements based upon management decisions. In other words, compliance is adhering to whatever the process rules are and getting people to follow these rules on a daily basis.&lt;br /&gt;&lt;br /&gt;Everyone should recognize that C is a subset of R, which is a subset of G. That’s why it’s called GRC, not RCG or CGR or RCG. But one can’t have G without R, and it follows one can’t have R without C, and that’s my point.&lt;br /&gt;&lt;br /&gt;One cannot properly manage risk without managing compliance. If one is simply creating a control framework and assessing or auditing whether procedures and processes are being followed, I guess this is someone’s definition of managing compliance, but in order to assess if something is being done according to the rules you have to tell people what the rules are in the first place. And in order to tell them you have to write it down (we can call that a policy). So in order to really manage risk, sooner or later there are people involved, and those people have to be told what they are supposed to do, and if they aren’t doing it then someone needs to do something about it, and THEY need to know they are supposed to do that. 
So first comes a requirement and control, then comes a bunch of compliance policy definitions and communications, then comes audit, then comes compliance exception remediation, which auditors don’t do; they are the internal cops. The process owner in the authority hierarchy needs to be monitoring on their own and also do the remediating; that might be a functional person or someone in the legal department, who knows.&lt;br /&gt;&lt;br /&gt;My point is, running C isn’t easy, and you can’t run R without it. Now I will bet you are really confused.&lt;br /&gt;&lt;br /&gt;I’d like to hear your perspectives on the state of GRC confusion from the solutions and approach perspectives.</description><link>http://complianceondemand.blogspot.com/2009/01/will-real-grc-please-stand-up.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-4495298263282935399</guid><pubDate>Wed, 19 Nov 2008 02:53:00 +0000</pubDate><atom:updated>2008-11-18T21:04:26.411-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">7 elements</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">compliance office</category><category domain="http://www.blogger.com/atom/ns#">Risk Management</category><category domain="http://www.blogger.com/atom/ns#">risk-driven</category><category domain="http://www.blogger.com/atom/ns#">seven elements</category><title>Risk-driven Compliance Management</title><description>Like everything in life, managing the risks surrounding regulatory compliance at any good-size enterprise is as much about setting priorities as it is about risk or compliance management. 
We’ve worked with some of the biggest, most highly regulated companies on the planet for years and we’ve seen a lot of approaches to managing compliance risk and priorities.&lt;br /&gt;&lt;br /&gt;Those who get truly organized around managing compliance risk do it because it lowers the cost of compliance and it provides clarity and consistency around the risk and the business response.&lt;br /&gt;&lt;br /&gt;With the focus lately on risk management, many are forgetting one simple fact. It is usually human beings that expose these risk and compliance failures, not mega trends in the markets. And it is usually not that these risks weren’t considered but how they were managed day to day among the employees or partners. So the act of risk identification and measurement on the front end and audit on the back end are key GRC components, but in the middle must reside a thorough compliance management system that addresses the behavioral aspects of risk response.&lt;br /&gt;&lt;br /&gt;In other words, with such an intense focus on risk management, I wanted to make sure we are keeping this in perspective.&lt;br /&gt;&lt;br /&gt;1) A risk management program alone will not produce a compliance program aligned with the US Sentencing Commission’s Federal Sentencing Guidelines – the 7 elements of an effective compliance program standard.&lt;br /&gt;2) The practices, disciplines and objectives of risk management are considerably different from those of compliance management.&lt;br /&gt;3) A robust internal audit function is not the same as a robust risk management function. 
These too are significantly different disciplines.&lt;br /&gt;4) Risk Management and Compliance Management must be connected for either of them to provide optimal benefit to the enterprise.&lt;br /&gt;&lt;br /&gt;So, how does a company cost-effectively deal with these realities given such a dynamically changing environment and the mounting regulatory, financial and societal pressures?&lt;br /&gt;&lt;br /&gt;The answer is quite simple: Risk-driven Compliance Management™&lt;br /&gt;&lt;br /&gt;The leading companies we work with have a process, primarily led by the General Counsel and the Chief Compliance Officer, working with other senior management and the board, whereby they leverage risk management practices to prioritize their compliance risks. Once they are prioritized, those that are viewed as the most material can be addressed within an enterprise framework of a seven-element compliance management process, aligned with the business.&lt;br /&gt;&lt;br /&gt;As a provider of a value-added service to their management peers, the corporate compliance office can provide and manage this capability without unduly interfering in how other functional areas run what they do, and in fact is viewed as a value-added partner in assisting the business to develop practices that both address the risk and support the operational needs of the business. Furthermore, this process and structure creates risk and compliance experts embedded within the business to support the risk and compliance values, goals and business objectives. 
We have seen this work and work well.&lt;br /&gt;&lt;br /&gt;These compliance risks, as they are prioritized and addressed, then allow the business to work down the list in a more efficient and formalized manner, creating a scalable, repeatable process that can start in a single area and be expanded as the maturity of the process and organization grows.&lt;br /&gt;&lt;br /&gt;Just as the CFO designs an effective budgeting process and then involves other functional managers in that process, in effect as a service, it is up to those that oversee compliance risk to perform the same service-oriented role in organizing and executing a best-in-class risk-driven compliance management system.&lt;br /&gt;&lt;br /&gt;We have clearly entered an era where risk management and compliance management should be combined into a modern GRC program, where the roles in GRC are understood and distributed across the business but the oversight and management is driven by focused experts equipped to run a risk-driven compliance program.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.axentis.com/publications.aspx&quot;&gt;Axentis, Inc&lt;/a&gt; will be publishing a white paper entitled “Risk-driven Compliance Management” as well as a related survey analysis document in the coming days that dives much deeper into the Risk-driven approach. 
I encourage you to continue checking the website and let me know what you think.</description><link>http://complianceondemand.blogspot.com/2008/11/risk-driven-compliance-management.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-7777017697691273465</guid><pubDate>Fri, 18 Jul 2008 17:30:00 +0000</pubDate><atom:updated>2009-02-19T09:11:00.110-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">ERM</category><category domain="http://www.blogger.com/atom/ns#">Extended Enteprise</category><category domain="http://www.blogger.com/atom/ns#">Risk Management</category><category domain="http://www.blogger.com/atom/ns#">Supply chain</category><category domain="http://www.blogger.com/atom/ns#">Third-party</category><category domain="http://www.blogger.com/atom/ns#">Vendor</category><title>Extended Enterprise Risk Management</title><description>&lt;p&gt;As you’ve probably noticed, the focus on vendor and supply chain risk management has increased lately. Beyond SOX (Sarbanes-Oxley), the BSA/Patriot Anti-Money Laundering Act, and quite a number of other laws and regulations, rating agencies are augmenting their evaluation of companies’ Enterprise Risk Management (ERM) maturity, which is helping to make ERM a household acronym.&lt;br /&gt;&lt;br /&gt;So what is Extended ERM? If the enterprise consists of everything within your company walls, then the extended enterprise includes suppliers, service providers, business process outsourcers, consultants, external auditors and any other third parties with which you have a relationship to help you run your business.&lt;br /&gt;&lt;br /&gt;Since an extended enterprise increases the vulnerability of your business, your risk management practices should include the vendors within this space. 
I recently produced a white paper, &lt;a href=&quot;http://gw.vtrenz.net/?LTTM99H4CZ=clicksrc:blog&quot;&gt;Managing Risk in the Extended Enterprise&lt;/a&gt;, that more clearly articulates the elements needed to effectively manage extended enterprise risk.&lt;br /&gt;&lt;br /&gt;This approach is fairly simple in concept yet has proven to be a very effective and efficient solution for companies, even those with limited resources and thousands of third parties. The essential components of this approach include:&lt;br /&gt;&lt;br /&gt;1) Understand your contracting process so that you can maintain a single list of vendors, suppliers, contractors, etc.;&lt;br /&gt;2) Organize the list by the type of products, services, geographies, etc.;&lt;br /&gt;3) Identify the types of risks by category or risk profiles;&lt;br /&gt;4) Develop risk assessment templates for each category/risk profile;&lt;br /&gt;5) Prioritize and/or schedule your assessments based upon the profiles;&lt;br /&gt;6) Analyze the assessment results and plan your audits according to the responses and risk ratings;&lt;br /&gt;7) Follow up on the remediation items resulting from the assessments and audit findings.&lt;br /&gt;&lt;br /&gt;If you’d like to explore this solution further, take a look at the white paper I have prepared and, if you like, contact me directly to discuss in more detail.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I’d be interested to hear about similar approaches that you have taken or other effective ways you have constructed to manage and oversee your extended enterprise risk.&lt;/p&gt;</description><link>http://complianceondemand.blogspot.com/2008/07/extended-enterprise-risk-managemeent.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-5815895880269882086</guid><pubDate>Wed, 11 Jun 2008 01:11:00 
+0000</pubDate><atom:updated>2008-06-10T20:18:27.488-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">business performance</category><category domain="http://www.blogger.com/atom/ns#">GRC</category><title>GRC – Finally Coming of Age!</title><description>Yes, finally GRC is coming of age. Looking back, I believe that 2008 will be the year when we recognized that integrated GRC was finally embraced by the “C” level executives.&lt;br /&gt;&lt;br /&gt;This claim is evidenced by the number of companies that have created new board committees, cross-functional risk and compliance committees, GRC-targeted RFIs and RFPs, and have increased spending on GRC solutions and services. Add to this the number of groups and associations that help bring risk, compliance and audit professionals together in one place to share experiences and lessons learned, and you have critical mass working to operationalize GRC in a more transformational way.&lt;br /&gt;&lt;br /&gt;Some companies began this journey a number of years ago through the often surreptitious efforts of visionary risk and compliance professionals working outside the corporate process norms to solve obvious problems, with the idea that they would be able to leverage the same model for not-so-obvious future problems. They were essentially operationalizing GRC under the radar because it was the smart thing to do.&lt;br /&gt;&lt;br /&gt;What is ironic is that those who have been unsupported champions in any given company for a more transformational approach to GRC are now the ones being challenged to go faster, and to find a way to leverage their good work across other areas that have yet to gain the advantages of an integrated approach. Also ironic, as the focus moves to making GRC a transformational activity and less mundane, it is the mundane tasks that are often still not well executed across the enterprise to allow for GRC to graduate to being a driver of business performance. 
These basic building blocks must be in place, in my view, for the more expansive effort to attain the desired goals.&lt;br /&gt;&lt;br /&gt;So what are the essentials?&lt;br /&gt;&lt;br /&gt;1. Management of Organization roles and responsibilities&lt;br /&gt;2. Policy and Procedure management&lt;br /&gt;3. Training and awareness&lt;br /&gt;4. Management of risks&lt;br /&gt;5. Monitoring and oversight&lt;br /&gt;6. Management of issues and incident resolution&lt;br /&gt;7. Testing, evaluation and corrective action&lt;br /&gt;&lt;br /&gt;While companies plan and execute the myriad of GRC-related initiatives, they should know how they will sustain these processes in a unified and consistent manner. Details within certain risk areas, and procedures within and across various departments and business units, could be considered non-essentials as long as they don’t expose other parts of the enterprise to unexpected risks.&lt;br /&gt;&lt;br /&gt;Many of these essential elements, however, still aren’t happening very well. Keeping in mind that all of these elements must be inextricably linked to provide consistency, accuracy and availability of critical information, let’s use Policy and Procedure management as an example of where not recognizing the essentials is still impeding GRC maturation and enhanced business performance.&lt;br /&gt;&lt;br /&gt;Few would argue that companies shouldn’t have a formal process for developing and approving policies and procedures. 
If different parts of the business are accomplishing this in different ways, how can the company as a whole have clear visibility and understanding of the stated practices of the enterprise?&lt;br /&gt;&lt;br /&gt;Taking this one step further – Training and Awareness comes through a link between the organizational roles, responsibilities and the practices prescribed within the policies and procedures.&lt;br /&gt;&lt;br /&gt;One can easily continue this line of thinking with risk management, incident management (linked to risks, policies, organization, etc.) to get my point. These concepts and approaches should be at the foundation of your GRC program, not simply taking a bite at the next set of rules and regulations in an ad-hoc fashion.&lt;br /&gt;&lt;br /&gt;GRC transformation requires a change in mindset through vision and inspiration. By applying and incorporating these more mundane elements in combination with this vision, you will be able to evaluate and process the next set of rules and regulations into the clearly identified point in the process and address them through normal course of GRC business.&lt;br /&gt;&lt;br /&gt;Yes, GRC has come of age. 
It may still be walking like a newborn giraffe, but it clearly has tremendous potential to help you outrun the competition and give you the visibility you need.</description><link>http://complianceondemand.blogspot.com/2008/06/grc-finally-coming-of-age.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-4856012944206770867</guid><pubDate>Thu, 03 Apr 2008 14:57:00 +0000</pubDate><atom:updated>2008-04-03T10:03:26.248-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">Corporate Integrity</category><category domain="http://www.blogger.com/atom/ns#">Governance</category><category domain="http://www.blogger.com/atom/ns#">GRC</category><category domain="http://www.blogger.com/atom/ns#">OCEG</category><category domain="http://www.blogger.com/atom/ns#">Risk Management</category><category domain="http://www.blogger.com/atom/ns#">Spending</category><title>GRC Spending Forecast: 2008</title><description>You may have read the recent news release from &lt;a href=&quot;http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&amp;amp;STORY=/www/story/03-25-2008/0004779692&amp;amp;EDATE&quot;&gt;AMR Research&lt;/a&gt; on their study showing that companies will spend more than $32B on governance, risk management and compliance (GRC) in 2008.&lt;br /&gt;&lt;br /&gt;Besides the prediction of the 7.4% increase this year, there seems to be an increasing inclination to move from point-solution approaches, such as those applied for SOX and other compliance mandates, to more of an enterprise approach.&lt;br /&gt;&lt;br /&gt;While this is good news for service and solution providers in this market, it has been my experience that an enterprise approach didn’t cost more; it actually cost less, produced better results, was easier to maintain and provided much greater value to the 
business.&lt;br /&gt;&lt;br /&gt;Sure, the transformation takes time and effort and maybe even some outside help, but the biggest and most critical investment is in the mindset shift of the board, management and the workforce, who, by the way, take their lead from the leaders. Once you’ve decided it’s time, start like a number of our customers, by creating a risk and compliance council to bring multiple organizational and domain views together to drive the planning and execution and provide enterprise guidance.&lt;br /&gt;&lt;br /&gt;Also, you do not have to start all at once, but as I’ve said in several webcasts, “think big and implement small”, building credibility, creating momentum and establishing processes and technology approaches that can be leveraged into a consistent (but not necessarily homogeneous) enterprise implementation. My GRC colleague Michael Rasmussen at &lt;a href=&quot;http://www.corp-integrity.com/&quot;&gt;Corporate Integrity, LLC&lt;/a&gt; likes to use the term “federated” to further describe this approach.&lt;br /&gt;&lt;br /&gt;The Open Compliance and Ethics Group (&lt;a href=&quot;http://www.oceg.org/&quot;&gt;OCEG&lt;/a&gt;) also has a wealth of experience and resources that they continue to gather and organize to help companies move to the next level of GRC maturity. OCEG, &lt;a href=&quot;http://www.axentis.com/&quot;&gt;Axentis&lt;/a&gt; and others continue evangelizing GRC because we see the good it has brought to companies as a long-term strategy that can bring quick results and improved performance.&lt;br /&gt;&lt;br /&gt;Do you know what your company is investing in GRC this year? 
How much of the investment is contributing towards an enterprise approach?</description><link>http://complianceondemand.blogspot.com/2008/04/grc-spending-forecast-2008.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-6473504850234027902</guid><pubDate>Tue, 18 Mar 2008 16:21:00 +0000</pubDate><atom:updated>2008-03-18T11:25:16.084-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">BCP</category><category domain="http://www.blogger.com/atom/ns#">Business Continuity</category><category domain="http://www.blogger.com/atom/ns#">GRC</category><title>Business Continuity Planning (BCP), meet GRC</title><description>&lt;p&gt;I have spoken frequently on how organizations can address Business Continuity Planning (BCP) more effectively using the principles and processes of GRC. At a speaking engagement with the Business Continuity Planners Association last year, I facilitated an exploration of the concepts and characteristics of GRC, allowing the attendees an opportunity to simulate and acknowledge how a GRC approach could be applied to managing the BCP process. I more recently read with interest a statistic from Stephanie Balaouras at Forrester Research that, of the companies actually having formal BCP processes, only 50 percent use applications of some kind to manage their plans while 50 percent use general software such as Excel spreadsheets.&lt;br /&gt;&lt;br /&gt;It’s maybe a little ironic but understandable that the processes and tools to do BCP are often less than resilient themselves. 
As companies struggle to develop and maintain working plans with limited budgets and resources, it’s easy to see how a “making the best of it” approach could be applied.&lt;br /&gt;&lt;br /&gt;With boards, investors and regulatory bodies wanting more visibility into the kinds of governance processes, infrastructures and supply chain risks that are low probability but high impact, such as the recent Internet outages for major parts of India and the Middle East, I propose that it is a good time to review what we have learned from SOX and other GRC practices and apply good principles and processes, and yes software, to BCP.&lt;br /&gt;&lt;br /&gt;If you are currently using, or planning to use, a GRC platform, take a look at what you do for your current approach to BCP, and see if it doesn’t fit well into your GRC processes.&lt;br /&gt;&lt;br /&gt;What are some of the things you do in a BCP?&lt;br /&gt;1. Utilize targeted assessments to identify critical assets and priorities&lt;br /&gt;2. Define and communicate policies and procedures&lt;br /&gt;3. Manage roles and responsibilities&lt;br /&gt;4. Manage program change control activities&lt;br /&gt;5. Manage the periodic testing and remediation activities&lt;br /&gt;6. Maintain auditable evidence of a sound program&lt;br /&gt;&lt;br /&gt;Sound familiar? Mature GRC management applications like Axentis support these activities quite well. 
If you’d like to explore how GRC practices and the United States Sentencing Guidelines can be applied to your BCP processes, send me an email at &lt;a href=&quot;mailto:bcurran@axentis.com&quot;&gt;bcurran@axentis.com&lt;/a&gt;. Maybe it’s time to apply a little GRC to BCP.&lt;/p&gt;</description><link>http://complianceondemand.blogspot.com/2008/03/business-continuity-planning-bcp-meet.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-3643011041624658223</guid><pubDate>Wed, 12 Dec 2007 17:13:00 +0000</pubDate><atom:updated>2007-12-12T11:16:35.088-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Extension</category><category domain="http://www.blogger.com/atom/ns#">Small Companies</category><category domain="http://www.blogger.com/atom/ns#">SOX</category><title>SOX and Small Companies - Happy Holidays!</title><description>With bated breath and clenched fists, small/exempt public companies (generally those with market capitalizations of less than $75 million) expect to hear today that a reprieve has come from the Securities and Exchange Commission.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;S.E.C. 
Planning to Delay Accounting Rules for Small Companies&lt;/strong&gt; – &lt;em&gt;New York Times,&lt;/em&gt; &lt;a href=&quot;http://www.nytimes.com/2007/12/12/business/12audit.html?_r=1&amp;amp;ref=business&amp;amp;oref=slogin&quot;&gt;http://www.nytimes.com/2007/12/12/business/12audit.html?_r=1&amp;amp;ref=business&amp;amp;oref=slogin&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Some of these smaller companies have been heeding advice to continue preparing their SOX programs, taking advantage of Auditing Standard 5, but many have not, preferring perhaps to wait for a holiday gift.&lt;br /&gt;&lt;br /&gt;Having the additional time to learn from the larger companies, as well as being able to leverage the top-down risk-based approach of A.S. 5, you shouldn’t miss this chance for a great deal. This should be your wake-up call to rally the troops.&lt;br /&gt;&lt;br /&gt;If you didn’t start your holiday shopping for your approach, your team and technology to help your company build an effective and efficient program, now is the time to start. 
Your shopping list should include a federated GRC approach so the rest of your wardrobe works for any event - don’t think just having nice SOX will complete your shopping list.&lt;br /&gt;&lt;br /&gt;Happy Holidays!</description><link>http://complianceondemand.blogspot.com/2007/12/sox-and-small-companies-happy-holidays.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-1077235131302107242</guid><pubDate>Fri, 07 Dec 2007 16:34:00 +0000</pubDate><atom:updated>2007-12-07T10:39:34.635-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">principles</category><category domain="http://www.blogger.com/atom/ns#">regulations</category><category domain="http://www.blogger.com/atom/ns#">rules</category><title>Principles Based or Rules Based Regulations?</title><description>As I mentioned in my last post, there is growing interest in the U.S. to explore a more principled approach to laws and regulations. In a letter dated November 28, 2007 from the NAIC (National Association of Insurance Commissioners) to the Department of Treasury, the NAIC conveys a clear message that “caution” should be the word of the day: &lt;a href=&quot;http://www.naic.org/documents/index_treasresponse_112807.pdf&quot;&gt;TREAS-DO-2007-0018; Written Comments of the National Associations of Insurance Commissioners&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Some key points to ponder:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;“The goal of financial services regulation in general and specifically insurance regulation should be to provide comprehensive consumer protection and a robust and efficient market.”&lt;/li&gt;&lt;li&gt;There is no single U.S. insurance market; any regulatory structure must be cognizant of and able to adapt to the differences between the multiple U.S. 
insurance markets.&lt;/li&gt;&lt;li&gt;The NAIC is clearly in favor of improving the communications and coordination between and across jurisdictions but is confident the existing structure should be left largely intact.&lt;/li&gt;&lt;li&gt;The NAIC cites the ambiguities of a principles-based system of regulations as putting the consumer at a disadvantage without explicit rules.&lt;/li&gt;&lt;li&gt;The NAIC cites that U.S. regulation was originally principles-based but that problems affecting consumers resulted in the need for more rules-based regulations.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;While the NAIC presented some impressive budget numbers for themselves, I would be interested in your comments regarding the budget expense for the industry to work within this largely rules-based functional structure. Do you agree with the NAIC perspective or have a different view? &lt;/p&gt;</description><link>http://complianceondemand.blogspot.com/2007/12/principles-based-or-rules-based.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-6160374165723954321</guid><pubDate>Wed, 26 Sep 2007 20:45:00 +0000</pubDate><atom:updated>2007-09-26T15:53:06.293-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Engage</category><category domain="http://www.blogger.com/atom/ns#">Trends</category><title>Key Compliance Topics Raised at Engage 2007! User Conference</title><description>&lt;p&gt;I just got back from Axentis’s annual user conference, Engage!, which took place September 18-20 at Amelia Island, Florida, and left with a few things to pass along. This, of course, should not overshadow the progress and the motivation of the terrifically talented GRC professionals in attendance. One of the biggest key messages, which I have been advocating for quite some time now, is the concept of an enterprise-wide GRC approach. According to many Engage! 
attendees I spoke with, this idea is starting to become a reality in many of their organizations.&lt;br /&gt;&lt;br /&gt;Engage! attendees brought up many great topics, but I thought these were worthy of special notice in addition to their progress on enterprise GRC.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#000066;&quot;&gt;The branding of compliance:&lt;/span&gt;&lt;/strong&gt; Organizations are now carefully communicating the company’s position on ethics and compliance from the top down. What is distributed from the compliance office is taken very seriously – can anyone say “respect?”&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#000066;&quot;&gt;Principles-based compliance:&lt;/span&gt;&lt;/strong&gt; There is a growing trend in legislation both locally and abroad towards desired performance or outcomes as opposed to more specific check-lists of legal requirements. As a result, coordination of efforts and practices across the enterprise is gaining even more momentum.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#000066;&quot;&gt;Business relationship risks:&lt;/span&gt;&lt;/strong&gt; Many companies have thousands of vendors and business partners, and thus inherit many risks affecting those entities. Companies should be more proactive in identifying, tracking and managing the risks posed from these relationships – ongoing.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;In the coming weeks, I will be addressing each of these issues in more detail. 
Feel free to suggest additional challenges, concerns or topics that you believe will soon become influential issues in GRC.&lt;/p&gt;</description><link>http://complianceondemand.blogspot.com/2007/09/key-compliance-topics-raised-at-engage.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-3342724722546169922</guid><pubDate>Wed, 12 Sep 2007 20:26:00 +0000</pubDate><atom:updated>2007-09-12T15:33:21.085-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Communication</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">Organization</category><category domain="http://www.blogger.com/atom/ns#">Planning</category><title>Compliance Confusion or Organized Chaos</title><description>&lt;p&gt;While reading the recent blog post “&lt;a href=&quot;http://www.soxfirst.com/50226711/compliance_confusion.php&quot;&gt;Compliance Confusion&lt;/a&gt;” on SOX First, I couldn’t help but think about a frequently used phrase in this industry: compliance can be a double-edged sword. On one hand, organizations need to create awareness and educate the business on the compliance topic at hand. On the other hand, a little education without clear focus and direction can be dangerous.&lt;br /&gt;&lt;br /&gt;At a past workplace, our corporate compliance office was delivering awareness training to the business to help move the enterprise privacy program along – precipitated by HIPAA. There was a very organized cross-enterprise team that had developed an execution plan that included legal assistance, a technology evaluation, selection processes and an enterprise view to address the requirements. 
As the training and awareness efforts progressed, it created a certain element of fear throughout the organization.&lt;br /&gt;&lt;br /&gt;Through no fault of their own, dangerously informed individuals across the business began to act apart from the team and the process, largely because they didn’t know any better. They did what they believed was important in the name of HIPAA, very little of which was appropriate or helpful. This all began happening so fast that it just led to unnecessary expenditures, misconceptions, distractions and chaos. Rapidly, the compliance team had to refocus its awareness training on the bigger vision, the organization and the plan to rein in the harmful actions outside the plan.&lt;br /&gt;&lt;br /&gt;This very real issue brings up several points:&lt;br /&gt;1) Know your business and your stakeholders.&lt;br /&gt;2) Make your education and awareness focus broad; everyone wants to jump on the opportunity, so stay alert.&lt;br /&gt;3) Don’t underestimate the marketing and communications needs.&lt;br /&gt;&lt;/p&gt;&lt;p align=&quot;left&quot;&gt;&lt;br /&gt;Your catalyst may have been HIPAA, SOX or some other large regulatory obstacle, but the issue is clear. It is not so much about working harder or spending more money; it is actually about organization, vision, planning, execution, communication, communication and communication. Your thoughts and lessons are always welcomed. 
&lt;/p&gt;</description><link>http://complianceondemand.blogspot.com/2007/09/compliance-confusion-or-organized-chaos.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-1354986328404195087</guid><pubDate>Fri, 24 Aug 2007 19:23:00 +0000</pubDate><atom:updated>2007-08-24T16:15:23.306-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">ecosystem</category><category domain="http://www.blogger.com/atom/ns#">enterprise</category><category domain="http://www.blogger.com/atom/ns#">GRC</category><category domain="http://www.blogger.com/atom/ns#">technology</category><title>GRC Technology Ecosystem</title><description>When I was a Chief Compliance Officer, I spoke frequently with our CIO about technology needs, probably because prior to my compliance career I spent many years in information technology. During those years in IT, I had seen technologies come and go, some adding great value and others, well, never going much further than the software filing cabinet.&lt;br /&gt;&lt;br /&gt;I am a firm believer in keeping things simple for many reasons – people come and go, cost of maintenance, ease of use, consistency, adaptability to changing business needs, training demands and several others.&lt;br /&gt;&lt;br /&gt;The discussions I mentioned with our CIO went something like this:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;CIO:&lt;/em&gt;&lt;/strong&gt; I need you to help me understand the technology needs for compliance. It seems like we have a lot of different technologies being used for similar things but we still don’t have many capabilities that are being requested of IT.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;ME:&lt;/em&gt;&lt;/strong&gt; Sure, I totally agree. 
It’s like, how many systems does it take to track incidents, log and assess risks, manage policies and procedures, etc?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;CIO:&lt;/em&gt;&lt;/strong&gt; I want to define a GRC technology platform that supports the different user needs in a consistent manner. This would greatly reduce the user change requests to the various duplicated systems and provide the missing functionality we need. It seems like we just keep adding more point solutions and I don’t have the resources to keep them all going.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;ME:&lt;/em&gt;&lt;/strong&gt; I agree. We should be able to define and implement a GRC technology platform to support the standard GRC process requirements. Then as specific needs arise, we can address them collectively with targeted shared solutions.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;CIO:&lt;/em&gt;&lt;/strong&gt; Yes, that is exactly the environment I am looking for.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;color:#330099;&quot;&gt;&lt;strong&gt;Organize your Ecosystem&lt;br /&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;If you can relate to the GRC technology discussion above, you might want to keep tabs on the work of the &lt;a href=&quot;http://www.oceg.org/&quot;&gt;Open Compliance and Ethics Group&lt;/a&gt; (OCEG) and Michael Rasmussen - Vice President, Governance, Risk, and Compliance Research, Forrester.&lt;br /&gt;&lt;br /&gt;Michael provides insightful information on GRC topics as well as some new work he is doing on &lt;a href=&quot;http://blogs.forrester.com/grc_intelligentsia/&quot;&gt;Defining the GRC Technology Ecosystem&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;font-size:130%;color:#330099;&quot;&gt;Taking the next step&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a href=&quot;http://www.axentis.com/&quot;&gt;Axentis&lt;/a&gt; provides the GRC technology ecosystem for federated 
GRC, and an ideal starting place is to include GRC in your strategic planning and budgeting. However, an alternative is to start with a focus on a specific area with an eye towards the broader GRC program. Take a look at the recent Axentis paper mentioned in my previous post, &lt;a href=&quot;http://www.blogger.com/Local%20Settings/Temporary%20Internet%20Files/OLK10/eds/ownerassets/544/AXENTIS_Win%20As%20You%20Go...Implementing%20Enterprise%20GRC%20White%20Paper_0807.pdf&quot;&gt;Win As You Go&lt;/a&gt;: A Phased Approach to Implementing Enterprise GRC, to see how this approach could provide the help you need, and share your thoughts.</description><link>http://complianceondemand.blogspot.com/2007/08/grc-technology-ecosystem.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-8950041378477057825</guid><pubDate>Wed, 08 Aug 2007 16:27:00 +0000</pubDate><atom:updated>2008-12-09T04:48:43.607-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">assessment</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">Governance</category><category domain="http://www.blogger.com/atom/ns#">grid</category><category domain="http://www.blogger.com/atom/ns#">implement</category><category domain="http://www.blogger.com/atom/ns#">Risk</category><title>Win As You Go: A Phased Approach to Implementing Enterprise GRC</title><description>&lt;div&gt;In the past, I have &lt;a href=&quot;http://complianceondemand.blogspot.com/2007/07/governance-organizations.html&quot;&gt;blogged&lt;/a&gt; about implementing an enterprise-wide governance, risk and compliance (GRC) program. 
To follow up, here’s a link to a new Axentis whitepaper, “&lt;a href=&quot;https://www.vtrenz.net/imaeds/ownerassets/544/AXENTIS_Win%20As%20You%20Go...Implementing%20Enterprise%20GRC%20White%20Paper_0807.pdf&quot;&gt;Win As You Go: A Phased Approach to Implementing Enterprise GRC&lt;/a&gt;,” that offers information on the benefits of, and valuable insights for, establishing an enterprise-wide governance, risk and compliance program. The paper should help you find your starting place – establish a working conceptual model of all GRC activities in your organization. This information can easily be organized in a grid, with one axis defined by the specific GRC domains the company must address and the second axis defined by the specific processes that must be implemented to meet the requirements of any GRC domain (see below). This grid approach helps the compliance officer assess the GRC challenges and prioritize them so they can be addressed accordingly. Moreover, this approach can routinely be used to address future GRC problems as they emerge and then extend best practices learned tackling those immediate issues to all other areas of the enterprise GRC map.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#000066;&quot;&gt;Enterprise GRC Assessment Grid:&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzeUI0LJHLpQTsxTlB1vOG3Jd9dKnt8iyUekrbEgrz1oQjl_X5nZZtMr0hL07I5xL9_a-BNJjKsTdEktwkdUPEOv2BkWcdYGJdpX69aMMT1xLUkgYvm1rnQXHm-eFREHuhIeQxNBn90EIX/s1600-h/GRC+Assessment+Grid.JPG&quot;&gt;&lt;/a&gt;&lt;img id=&quot;BLOGGER_PHOTO_ID_5096376223563572642&quot; style=&quot;DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center&quot; alt=&quot;&quot; 
src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilAxY3h-u_a_ietkomu6R0mKp-XGdy-pIDN-tT8MyxAK-oIjc8IoPnaxhZkMBfJPy20cMM64m1N7VmNYE-m8vFk8HJpt_M7qxewXqt9ScwMfQ2rC4roIDlBEsnl9alnmLedieusC-0nd64/s400/GRC+Assessment+Grid.JPG&quot; border=&quot;0&quot; /&gt;&lt;br /&gt;&lt;div&gt;&lt;div&gt;I encourage you to share lessons learned. &lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description><link>http://complianceondemand.blogspot.com/2007/08/win-as-you-go-phased-approach-to.html</link><author>noreply@blogger.com (Brett Curran)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilAxY3h-u_a_ietkomu6R0mKp-XGdy-pIDN-tT8MyxAK-oIjc8IoPnaxhZkMBfJPy20cMM64m1N7VmNYE-m8vFk8HJpt_M7qxewXqt9ScwMfQ2rC4roIDlBEsnl9alnmLedieusC-0nd64/s72-c/GRC+Assessment+Grid.JPG" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-7672478122275433556</guid><pubDate>Mon, 30 Jul 2007 18:05:00 +0000</pubDate><atom:updated>2007-07-31T06:52:07.368-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Governance</category><category domain="http://www.blogger.com/atom/ns#">Organization</category><title>Top-Down Governance</title><description>&lt;span style=&quot;font-size:130%;color:#000066;&quot;&gt;&lt;strong&gt;Governance&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Why does governance get top billing when it comes to Governance, Risk and Compliance (GRC)? 
It may be because the Federal Sentencing Guidelines and federal and state agencies have made a point of exhorting companies to take responsibility, to know what is expected of them and to take an active part in their company’s actions.&lt;br /&gt;&lt;br /&gt;SOX requires management certifications, AML requires the appointment of an AML Officer and HIPAA requires a Privacy Officer and a Security Officer - just to name a few instances where this expectation is further clarified. Most companies take these legal requirements to heart and appoint someone in their organization to these roles to formalize the governance of these programs. They form steering committees and work groups and appoint project or program managers to handle the construction of sustainable programs.&lt;br /&gt;&lt;br /&gt;They may further solidify the governance organization by board resolution and document, as a desired outcome, a charter that includes scope, objectives, roles and responsibilities, guiding principles and other elements to establish good governance.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;color:#000066;&quot;&gt;&lt;strong&gt;Top-Down Collaboration&lt;br /&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;Throughout my compliance officer career, I was afforded opportunities to show that my company’s management was clearly in the driver’s seat. Our matrixed GRC organization was more than the appointment of disconnected compliance officers; our organization worked as an enterprise team - efficiently and effectively with limited resources - and consistently met the expectations of our customers, agents, employees, and regulators. 
Governance is not each color within the kaleidoscope, but it is the bigger picture you can see when looking through the spectacle.&lt;br /&gt;&lt;br /&gt;If you’ve not yet taken this top-down approach, I would recommend that you give some thought to how a top-down collaborative model might improve your GRC governance and tie the loose ends together.&lt;br /&gt;&lt;br /&gt;Besides the enterprise model that I helped establish over 6 years ago, I have seen several others that look very similar. If you have a model that ties different governance risk areas together, sharing your lessons learned could help others as well. I look forward to reading your thoughts.</description><link>http://complianceondemand.blogspot.com/2007/07/top-down-governance.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-873244220373593354</guid><pubDate>Tue, 03 Jul 2007 17:17:00 +0000</pubDate><atom:updated>2007-07-03T12:25:30.140-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">Governance</category><category domain="http://www.blogger.com/atom/ns#">Organizations</category><title>Governance Organizations</title><description>I am a member of IBM’s Data Governance Council, formed to bring thought leaders together to develop best-practice models in data governance. At a recent council meeting, one member said her company already had several formal governance organizations for various programs, but needed help bringing it all together. 
This made me wonder if, in many respects, most companies were still looking at governance as separate pieces of a puzzle rather than a puzzle with many pieces.&lt;br /&gt;&lt;br /&gt;In my former role as Chief Compliance Officer, I had established a governance organization brought together with one senior-level compliance official from each business unit. These individuals collectively formed the Enterprise GRC Committee and provided the much-needed centralized high-level oversight.&lt;br /&gt;&lt;br /&gt;The beauty of this organization was that it created experts on the requirements within each business unit, and the group had an enterprise view of all things related to governance, risk management and compliance. It had the ability to repeat a consistent process, define consistent use of supporting technology and evolve as new demands were placed on the company at any level.&lt;br /&gt;&lt;br /&gt;With this time-tested approach under my belt, the thought of distinctly separate governance organizations doesn’t make sense to me. You don’t need a separate governance organization; you just need a consistent organization and process that can continue to evolve as your enterprise program scope expands.&lt;br /&gt;&lt;br /&gt;I would be interested to read your thoughts and comments, especially if you have a successful Enterprise Governance organization in place. 
It would be particularly helpful to understand how your governance organization is structured and how broad a scope is being served.</description><link>http://complianceondemand.blogspot.com/2007/07/governance-organizations.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-2046373696798986500</guid><pubDate>Thu, 24 May 2007 18:01:00 +0000</pubDate><atom:updated>2007-05-24T13:02:43.220-05:00</atom:updated><title>How&#39;s Your Ethics?</title><description>&lt;strong&gt;&lt;span style=&quot;font-size:130%;color:#000099;&quot;&gt;Former Coke secretary sentenced to 8 years&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;color:#000099;&quot;&gt;Williams convicted of plotting to steal trade secrets from drinks firm&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;AP Associated Press&lt;br /&gt;&lt;strong&gt;Wednesday, May 23, 2007&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;ATLANTA - A federal judge ignored a former Coca-Cola secretary’s tearful plea for mercy Wednesday and sentenced her to eight years in prison for conspiring to steal trade secrets from the world’s largest beverage maker.&lt;br /&gt;&lt;br /&gt;U.S. District Judge J. 
Owen Forrester told Joya Williams, 42, that he was giving her a longer sentence than recommended by federal prosecutors and sentencing guidelines because, “This is the kind of offense that cannot be tolerated in our society.”&lt;br /&gt;&lt;br /&gt;For the whole story: &lt;a href=&quot;http://www.msnbc.msn.com/id/18822771/?GT1=9951#storyContinued&quot;&gt;http://www.msnbc.msn.com/id/18822771/?GT1=9951#storyContinued&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;color:#000099;&quot;&gt;Ethics – Everyone has their own!&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;The problem with ethics is that each person has their own. Companies can send out an annual policy and collect attestations that it was read, understood and will be followed, but what happens when ethics go bad? This is a good case in point.&lt;br /&gt;&lt;br /&gt;The details of this case point out that ethics are a people problem, no surprise. If the people with the problem work in your company, the outcomes are not always this good – good for the company anyway. 
As I read the article, I couldn’t wait to discover what happened to Pepsi-Cola.&lt;br /&gt;Coca-Cola may have done everything right in this case, but as a story it brings up several questions:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Would the sentence have gone beyond the Federal Sentencing Guidelines if the secret ingredients of nearly anything else had been at stake?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Did the ethics program at Coca-Cola include multiple training and awareness touch points (frequent awareness campaigns in addition to the assumed annual policy)?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Did Coca-Cola have a Document and Records Retention Program that included information classifications (was there a technical security breach)?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Was there a physical security breach that gave Williams access to product samples?&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Specific technology controls are important to help “lock down” important information and identify more quickly when there are problems, but they are not the only answer. It is important to have a top-down, risk-based approach to identify and adapt to risks, particularly when it comes to areas such as information privacy and security. On top of that, it is critical to establish a culture of compliance through effective program oversight, monitoring and auditing. This gives people that have trouble minding their own ethical dilemmas a fighting chance. 
&lt;/p&gt;It’s like the old adage that &quot;locked doors won’t always keep thieves out but they sure help keep honest people honest&quot;.</description><link>http://complianceondemand.blogspot.com/2007/05/hows-your-ethics.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-6954094988416272212</guid><pubDate>Mon, 14 May 2007 22:45:00 +0000</pubDate><atom:updated>2007-05-14T17:46:09.628-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Ethics</category><category domain="http://www.blogger.com/atom/ns#">Incident Management</category><category domain="http://www.blogger.com/atom/ns#">Training</category><title>Tone at the Top - Lessons Learned</title><description>&lt;strong&gt;&lt;span style=&quot;font-size:130%;color:#000099;&quot;&gt;What does your company do when bad decisions are made?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Wall Street&lt;/strong&gt; &lt;strong&gt;Journal - May 14, 2007&lt;br /&gt;&lt;/strong&gt;&lt;em&gt;&lt;strong&gt;At the Pentagon, An &#39;Encyclopedia Of Ethical Failure&#39;&lt;br /&gt;By Jonathan Karp&lt;br /&gt;Word Count: 1,295&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;WASHINGTON&lt;/strong&gt; -- Government workers who are caught misbehaving often are suspended, fired or prosecuted for their misdeeds. Then, when all that is done, they face one last humiliation -- a virtual dressing down at the hands of Pentagon lawyer Stephen Epstein.&lt;br /&gt;&lt;br /&gt;Mr. Epstein, the director of the Pentagon&#39;s Standards of Conduct Office, is mounting an ethical cleansing offensive from inside the corridors of power. 
His weapon of choice is the &quot;Encyclopedia of Ethical Failure,&quot; a hit parade he publishes on the Internet to regale bureaucrats with tales of shenanigans and shockingly bad judgment that have shot down the careers of ...&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;font-size:130%;color:#000099;&quot;&gt;Do your Incident Management practices improve your future?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Companies have strong opinions regarding the internal, let alone the external, disclosure of employee wrongdoings. Some see it as a valuable learning tool to build training materials around. Others would rather see it quietly slip away in the dark of night. In today’s age of self-reporting and full disclosure, perhaps reconsideration of keeping these situations under wraps is in order, so you can benefit from these valuable lessons learned.&lt;br /&gt;&lt;br /&gt;If a company continues to keep these dirty little secrets, what does this say about the tone at the top and a culture of compliance? 
Obviously, there needs to be good judgment and thought used in handling these issues, but just pulling down the shades is probably not taking it as far as you should.&lt;br /&gt;&lt;br /&gt;I’m not suggesting that companies take the same actions as the Pentagon, but examining these problems and identifying what went wrong and what could be done to prevent or detect similar problems in the future includes communicating with your workforce.&lt;br /&gt;&lt;br /&gt;What better training could you come up with than real-life, in-your-own-backyard lessons to help your workforce, your company and your public image?</description><link>http://complianceondemand.blogspot.com/2007/05/tone-at-top-lessons-learned.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-6877050296555419158</guid><pubDate>Wed, 02 May 2007 19:42:00 +0000</pubDate><atom:updated>2007-05-03T16:35:03.519-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">procedures</category><category domain="http://www.blogger.com/atom/ns#">standards</category><title>Procedures and Standards Management</title><description>&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;em&gt;&lt;strong&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;Everyone Uses Procedures and Standards, don’t they?&lt;/span&gt;&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;If you’ve been to the grocery store, you know the checkout procedure. If you are paying at the pump, you know the procedure. If you have electrical appliances, you know that there&#39;s a standard that makes one of the prongs on the plug bigger than the other and safe to plug in.&lt;br /&gt;&lt;br /&gt;These are everyday applications of procedures and standards -- and you know what happens when the procedures or standards are not followed. 
Things go wrong: missed appointments, conflicts, embarrassment, unusable equipment -- you name it.&lt;br /&gt;&lt;br /&gt;Since everyone can so readily recognize this law of nature, why is it that so many companies have such trouble managing their own procedures and standards? There are laws that require them, there are people that know about them, but too often, they just miss the mark.&lt;br /&gt;&lt;br /&gt;Well, for one thing, not everyone knows &lt;span style=&quot;FONT-WEIGHT: bold; FONT-STYLE: italic&quot;&gt;how&lt;/span&gt; to write policies, procedures and standards. Most IT departments have been doing some of this writing for many years, but for many business folks, it&#39;s not the type of writing that we normally do.&lt;br /&gt;&lt;br /&gt;If you want to do your customers, employees and investors a favor -- not to mention pleasing your auditors and regulators -- take a closer look at my &lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;a href=&quot;http://complianceondemand.blogspot.com/2007/05/policy-management.html&quot;&gt;Policy Management&lt;/a&gt; &lt;/span&gt;post, and then take a look at your procedures and standards. In there, I shared my expectations for policies:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Version Control&lt;/li&gt;&lt;li&gt;Available&lt;/li&gt;&lt;li&gt;Consistent format&lt;/li&gt;&lt;li&gt;Consistent terminology&lt;/li&gt;&lt;li&gt;Concise&lt;/li&gt;&lt;li&gt;Simple&lt;/li&gt;&lt;li&gt;Policy Development&lt;/li&gt;&lt;li&gt;Policy Approval&lt;/li&gt;&lt;li&gt;Security&lt;/li&gt;&lt;/ul&gt;These same elements exist for standards and procedures. If you are fulfilling these expectations efficiently and effectively, then stick with it. 
If you are on the other end of the spectrum, you may be coming up short due to missing some of these key ingredients.&lt;br /&gt;&lt;br /&gt;If you need to improve your organization&#39;s ability to develop effective procedures and standards, talk to your current resource pool or consult with technical writers experienced in developing these types of documents: check their work, get references and have them come in for a few weeks to help get you started. It will be time and money well spent -- policies, procedures and standards will be around longer than you and I, and the model you establish early on will set the stage for all that is to come.</description><link>http://complianceondemand.blogspot.com/2007/05/procedures-and-standards-management.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-3599796016545407150.post-8313456580455600079</guid><pubDate>Wed, 02 May 2007 19:20:00 +0000</pubDate><atom:updated>2007-05-02T14:45:26.295-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">policies</category><category domain="http://www.blogger.com/atom/ns#">procedures</category><category domain="http://www.blogger.com/atom/ns#">standards</category><title>Policy Management</title><description>&lt;p&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(51,0,153);font-size:130%;&quot; &gt;What can you expect from your Policies?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;All companies have rules and principles – some are written and some are general knowledge, handed down through the ages. These rules and principles are, in today’s terms, &lt;span style=&quot;FONT-WEIGHT: bold&quot;&gt;policies&lt;/span&gt;. 
These policies are intended to make everyone aware of what is expected of them so that, within the scope of the policy, certain behaviors or results can be expected when relevant circumstances arise.&lt;br /&gt;&lt;br /&gt;So it is for this basic purpose of communicating expected behaviors and principles that we have policies.&lt;br /&gt;&lt;br /&gt;With the rise in demand, both internally and externally, for an increasing number of policies, many laws now require much more than just a written policy.&lt;br /&gt;&lt;br /&gt;My personal experience of having participated in countless internal and external audits, market conduct exams and litigation made it quite clear that you should expect much more from your policies than just having them.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;&lt;span style=&quot;COLOR: rgb(51,0,153);font-size:130%;&quot; &gt;Here are some of my key policy expectations:&lt;br /&gt;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;Version Control –&lt;/span&gt;&lt;/strong&gt; You must have version control on policies to know what practices were in place at any given time.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;Available –&lt;/span&gt;&lt;/strong&gt; Policies must be readily available and accessible by the workforce; also think about disaster recovery, when you may have different resources temporarily performing new duties or your normal systems are not available.&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;strong&gt;Consistent format –&lt;/strong&gt;&lt;/span&gt; With so many policies and procedures being read by so many people, a consistent look and feel will aid the reader in finding what they need to know – use a company policy template.&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;strong&gt;Consistent terminology –&lt;/strong&gt;&lt;/span&gt; Maintain a company standard or 
definitions policy that explains questionable, company-specific, industry-specific and legal terms that are used in your policies to improve individuals’ interpretation and use of the policies – use company speak, not legalese.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;Concise –&lt;/span&gt;&lt;/strong&gt; Don’t go on tangents; stick to the point.&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;strong&gt;Simple –&lt;/strong&gt;&lt;/span&gt; Keep the number of requirements being addressed to a minimum and combine similar requirements within the same policy. &lt;/p&gt;&lt;p&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;strong&gt;Policy Development –&lt;/strong&gt;&lt;/span&gt; Push requirements to a consistent group or development committee for finalizing the draft policies. They should take into consideration all the elements above as well as existing policies. They will also be representing the company&#39;s various business units/departments, so you want input and feedback from their staff during the development process - to be sure that their local expertise and perspective, as well as a sense of ownership and support, get built in. &lt;/p&gt;&lt;p&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;strong&gt;Policy Approval –&lt;/strong&gt;&lt;/span&gt; The final draft policies that have already been through business unit review during development need to be approved by the executive management of the company. This should be your Enterprise Compliance Committee or equivalent, which would also approve the definitions, standards/formats, etc.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;strong&gt;Security –&lt;/strong&gt;&lt;/span&gt; Your company policies are costly to develop and maintain and in some sense may be considered intellectual property. 
Take reasonable and appropriate steps to protect them as you would other documents in a like classification.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;em&gt;The difference between policies and procedures&lt;/em&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Here&#39;s how I think of it: Your policies are the “what” and “why” of your practices. Your procedures are the “how,” “when” and “who” of your practices.&lt;br /&gt;&lt;br /&gt;There are several key advantages to separating the content of policies and procedures into two separate documents and relating them together. First, this allows you to apply the same policies enterprise-wide with assured consistency.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Secondly, it allows different parts of the company in different situations to have different procedures.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The third advantage is that you will be well positioned to distribute training according to individuals’ roles across the enterprise.&lt;br /&gt;&lt;br /&gt;By first developing and approving the policy, the business units now know what they must comply with. As the business units work to develop and approve their procedures, they tend to leverage (a nice word for &quot;copy&quot;) the work done by other business units. This further promotes consistency across the enterprise, not to mention efficiencies. 
It also makes it very easy to know which areas have not addressed relevant compliance requirements.&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size:130%;&quot;&gt;&lt;strong&gt;&lt;span style=&quot;COLOR: rgb(51,0,153)&quot;&gt;&lt;em&gt;Recap&lt;/em&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Here is a recap of what it takes to better align your expectations with external expectations and get the most out of your policy management process.&lt;br /&gt;&lt;br /&gt;1. See how well you can apply my list of expectations.&lt;/p&gt;&lt;p&gt;2. Use the same document management tool for all of your policies, procedures, forms and standards, and make sure it has the ability to relate documents.&lt;/p&gt;&lt;p&gt;3. Use the same repository of documents to push your role-based training. For security reasons, it should be aligned with both security access and your organization, so this should become simple and very effective once you lay the foundation. You will have documented evidence of who was trained on what and when. &lt;/p&gt;&lt;p&gt;These concepts and this approach have worked very well for me in practice, and I hope that they provide some practical guidance that you can apply in your organization.&lt;br /&gt;&lt;/p&gt;</description><link>http://complianceondemand.blogspot.com/2007/05/policy-management.html</link><author>noreply@blogger.com (Brett Curran)</author><thr:total>0</thr:total></item></channel></rss>