DoubleCheck Monthly Newsletter-Oct ’13: “Does GRC stand for “Government Rejects Compromise”?

“Does GRC stand for “Government Rejects Compromise”?

If so, does it offer lessons for the rest of us?

The current impasse in the US Government regarding our budget and priorities seems to be an excellent learning point for us in the business world as well.  GRC is an acronym we use in the business world frequently now, with both vendors, analysts, pundits and end users discussing, arguing and disagreeing over what it stands for and what it ultimately means.  Even the early proponents and evangelists of “GRC” are writing now that an all-encompassing, holistic single solution is not realistic.  Some stats indicate upwards of 85% of so-called GRC Implementations are in fact impacting a relatively small number of functions or departments within a company (eg. Audit, SOX, Risk, Contract Mgmt, Policy Mgmt., etc.).

However, one original premise of GRC I believe still holds merit is that there must be a breakdown of silos within an organization for the best solution to be found from a COMPANY standpoint, not just an individual department’s standpoint.  Compromise is almost always necessary. To me, this is the biggest shift in thinking from an earlier time when each end user could select whatever “best in class” solution they wanted, without regard to the needs of others in the organization.  Now, most people are at least being asked “is it scalable” before they can gain approval to buy software.

I have personally been involved in a number of engagements where failure to compromise among the various constituents within the same company led to a failure to gain funding and management approval.  I have also had department heads tell me specifically to not contact other departments, because they didn’t want them to “complicate” the project.  Ultimately, someone in the approval chain above them is going to ask the scalability question, so this territorial approach is eventually going to backfire in most cases.

As our government leaders are discovering now, intransigence leads to stalemate.  No different in business.  The functional heads of the various components of GRC who decide to hold their cards close to their vest often find themselves holding the losing hand.  Implementing a successful GRC program, in whole or in part, requires communication, prioritization and compromise.  You also need a roadmap, so that your automation plan doesn’t hit a roadblock.  For example, if only Audit Testing is automated, how does the Business Owner manage the Issue Remediation process within the timeline Audit assigns?

I would suggest an approach that does not get hung up on acronyms, but rather addresses the key issues of:

  1.  What is the Need? (Pain level; department AND organization impact)
  2.  Who has that Need? (Primary “owner”)
  3.  Who else is impacted by the Need or its’ Resolution? (Breadth of impact in the organization)
  4.  What are the consequences of addressing (or not addressing) this Need? (Cost of acting/not acting)

These points all have one thing in common; they require communication, prioritization and compromise.  How you accomplish this will vary based on company culture, personalities and “command and control” structure within the organization.  I would submit that the headlines of today’s newspaper provides a birds-eye view into what could happen if you fail to consider this collaborative approach to “GRC”.


Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC

DoubleCheck Monthly Newsletter-Sept ’13: “Is there a cost-efficient method to collect information from large groups of people (A GRC Imperative)?”

There are legitimate reasons that auditors, risk or compliance professionals may need to collect information from large groups of respondents.  For example, it is important to engage a broad base of your company in a GRC program for it to be effective. Examples include hundreds of Control certifications from business control owners (SOX), Risk scoring assessments from Risk Owners or SMEs (ERM or Audit) or broad scale attestations of compliance from an entire employee universe (Corporate Code of Ethics Compliance).

The challenge faced by the person charged with attempting to notify, remind, track responses, aggregate information and report on the status of this data collection is it is oftentimes a time-consuming, laborious manual process.  Even if all your data sets reside in a single spreadsheet, associating the correct data and correct questionnaire with the correct respondent can prove to be a long and potentially error-prone task.  It can also be expensive based on staff man-hours, or even if using an automated survey tool (if all respondents need licenses).

For example, if you send the same spreadsheet to all Control Owners with instructions to find THEIR control on the sheet and answer an attached set of questions, you are violating common-sense Segregation of Duties/Information security protocols.  If you manually copy and paste the correct Control information into individual emails to be sent to each Control Owner separately, you not only have taken on a lengthy project, but you expose the process to manual error (incorrect matching of Control to Owner).

Once you have disseminated your request for information successfully (eg. Survey, assessment, questionnaire, attestation, certification, etc.), you have still only dealt with the tip of the iceberg.  Now you have to encourage and track the compliance to your request.  Do you send reminder emails to everyone after a certain period of time, or do you have a means of tracking who has sent in their response and only remind the laggards?  Do you have a process to schedule multiple reminders on a scheduled basis?  Can you even escalate the request for information to the original respondent’s boss automatically?

Assuming you have been successful in achieving a sufficient level of response from your audience, do you have a process and capability to aggregate the data into useful business information?  Can you roll up the data from an entity level to BU level to Enterprise level automatically?  Can you identify and break out certain groups of respondents based upon a particular set of responses?  Were you able to configure your request for information so that if a respondent answered Question 3 “yes”, they were taken to Question 5, but if they answered Question 3 “No”, they were taken to Question 4 (ie. Branching Assessment)?

Once you have gathered your information from this large body of respondents and aggregated it into useful business information, how do you generate reports and disseminate them to the appropriate audience?  Once again, a manual approach is time-consuming.  An automated report feature with the option of various formats (eg. Dashboard, Excel, PDF, etc.) offers both flexibility and targeting based on the specific audience.

In summary, there are many legitimate business reasons you may need/want to collect information from a large audience.  The goal is to do so in a manner, process and format that maximizes your return (useable business information) and minimizes your investment (staff allocation, time and cost).  A manual approach with desktop tools would appear to be at one end of that continuum; you will need to decide what is best for you at the other end.

Paul Fine
Director of Marketing & Business Development
Atlanta, GA  USA
Phone:  770-565-8616

DoubleCheck Monthly Newsletter-Aug ’13: “Is your company really engaged in GRC?”

GRC programs (eg. Governance, Risk, Compliance and Audit) sometimes face an unfortunate challenge – they can be viewed as a burden, something the company “has to do” and takes away productive time from the “real” business.


Practitioners know that a well-designed and implemented GRC program is exactly the opposite – by understanding and managing risks and compliance requirements, by assuring policies and procedures are well defined and effectively operating, the company has minimized the probability of strategic, financial, operational or reputational problems and has assured the company has the maximum ability to invest resources in business opportunities vs. paying to solve problems.


To have a really effective GRC program, all associates in the firm must have a clear role and responsibilities. Some may be as simple as being aware of and following policies; others are more substantive and include managing policies, assuring processes are well defined and functioning as designed (often to assure compliance with GAAP, SOX or a host of other regulations and standards), that issues are identified and resolved and management and the board are appropriately engaged.


Traditional audit is a key part of engagement. By gathering data and formally testing key and higher risk activities, auditors provide a highly reliable means of assuring compliance with standards and practices. Inevitably however, given the realities of cost and time, in any given year an audit program will cover a relatively small subset of the risks and/or controls important to a business.

Our view? In addition to traditional formal testing, it is very important to have line management involved in the GRC program, reviewing and attesting that processes are defined and control procedures are in place and functioning relative to a defined set of requirements. This kind of engagement assures broader awareness, personal accountability, faster identification of issues and makes tangible the “tone from the top”.


However, from a practical point of view, it can be challenging to interact with the potentially thousands of people who have important roles in the operation of the business and assure they are aware of and performing their responsibilities. Communicating with and gathering data from hundreds (or even thousands) of Control certifications from business control owners (common in SOX, for example), risk scoring assessments from Risk Owners or SMEs (common in ERM or Audit planning) or even attestations of compliance from a myriad of suppliers (Vendor Management) can be an administrative nightmare unless supported by user-friendly intuitive tools with appropriate workflow management and reporting capabilities.

I’ll be discussing key tool capabilities in future newsletters. But, in the meantime, is your company really engaged in GRC?

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
Atlanta, GA  USA
Phone:  770-565-8616

DoubleCheck Monthly Newsletter: July ’13- “When selecting a GRC or Audit software solution, how important is after-sale customer support to you?”

How important is after-sale customer support to you when selecting a GRC or Audit software solution? Your decision process for acquiring a new GRC and/or Audit software solution is likely filled with a rigorous review of comparative features and functionality, but how much time do you spend investigating what will happen after the contract is signed and the invoice paid?

Regardless of whether you are automating SOX Compliance, Risk Management, Audit or some other element of “GRC”, the software framework and content needs to be configured to meet your organization’s specific needs.  Otherwise, you risk a lower staff acceptance rate of the tool and less than maximum benefits of the software.

Is that what you are being promised, or are you going to get a “generally accepted industry standard” platform that will require you to modify your processes to work within the software’s pre-set framework?  If needed, can you configure multiple frameworks depending upon specific sub-organizational needs (e.g., COSO for Financial, CobIT for IT, etc.)?

How will your new software be implemented?  Does your vendor offer the software in both a client-hosted and SaaS delivery model?  If you prefer a SaaS delivery, will the hosting be multi-tenant (all upgrades/patches occur at the same time for all clients) or a single instance of the software and data that can be timed to fit within your schedule (eg. no updates during Qtr. Close)?   When you ask the vendor “how much time will you invest in our implementation” is their answer going to be “until you are completely satisfied”?

As intuitive and user-friendly as we believe the DoubleCheck™ software to be, we know your Team still needs to be trained on it.  Same is true for anyone else’s software.  So, how is that training done?  Are you given 4 hours of online training, do you have to pay to send your Team to a vendor’s “university” for training, etc?  Or, does a trained employee (not an outside consultant) come onsite to your headquarters for 3-5 days to make sure your Team is fully familiar with the Platform and its’ capabilities?

Once you are up and running, what type of Customer Support will you get?  What is the turnaround time when you phone in; 24 hours or less?  How are issues escalated, if necessary?

If you want to perform Control Self-Assessments, Risk Assessments, etc., can you do this yourself on a scheduled or ad hoc basis, or does the vendor require a 2 week turnaround time to do it for you?  If you are having trouble configuring a particular new report you need, will the vendor do it for you without a “Professional Services” fee?

Are all future upgrades and enhancements included in the subscription agreement, or will you have to pay extra for upgrades?  If you decide to expand the use of the Platform into other departments, is the initial solution scalable?

Have you ever been asked to be a featured Speaker at an industry or trade show event?  If so, would it have been advantageous to be able to ask your software vendor for help in developing the presentation without it becoming a “sales ad” for the vendor?  Would it have been even more helpful to have the software vendor OFFER to assist with the presentation before you even asked (without a “professional services” fee)?

These are the types of questions you should be asking your potential software vendors, as well as their reference clients.  You are making a long-term commitment for this software and you want to know they will be there to support you for the long-term as well.  Before you make a final purchase decision for a new software platform, make sure you are partnering with a vendor who is committed to making you a “Raving Fan”.

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
Atlanta, GA  USA
Phone:  770-565-8616

DoubleCheck Monthly Newsletter-June ’13: The Role of Internal Audit in Validating SOX Compliance

First off, some of you in IA will challenge my headline by stating it isn’t IA’s job to “validate” SOX compliance, or any other type of compliance for that matter.  Rather, IA is responsible for testing or auditing Controls or Processes to confirm or refute they are performing to a pre-set standard (be it regulatory, internal or industry-specific “best practices”).  The overarching purpose of this activity is to monitor/measure/report on the enterprise’s risk profile and exposure.

This is a very broad mandate for Internal Audit, so I have chosen to focus on a specific element of it:  SOX Compliance.  From a SOX standpoint, you are helping to confirm there is sufficient “Internal Controls over Financial Reporting”.

As a starting point, the role of Internal Audit relative to SOX Compliance is influenced by the organizational structure of the enterprise.  This may not conform to some audit industry organization guidelines, but it is a fact.  If SOX testing is performed by the auditors in the IA department, and especially if SOX actually reports into the IA department, the role and responsibilities are more tightly intertwined than if the departments/personnel are segregated.

Where the concept of “validation” can come into play is when the preliminary SOX testing is done by the Business Owners, and then a sampling of those findings are re-tested by Internal Audit.  The most common method of this approach is the Control Self-Assessment.  In this method, an Assessment is sent to a select group of Control Owners (or sometimes Process Owners), which they use to assess the performance of their own Controls.  Once those results are submitted, IA will then select some of them for a more in-depth direct test to validate or confirm those self-assessments.  A variance on this approach is what is sometimes referred to as “Self-Testing” or “Peer-to-Peer Testing”.  In this version, Business Owners are testing someone else’s Control, not their own.

However, an important commonality under any of these scenarios is that Internal Audit is NOT responsible for correcting or mitigating any adverse findings or test results.  That responsibility reverts back to the Business Owner.  That doesn’t mean Internal Audit is done at this point.

Internal Audit will likely be held responsible for tracking and reporting on the progress of the mitigation/resolution of the issue/finding.  This process typically includes steps such as notifying the appropriate Business Owner (ie. Issue Owner), requesting their action plan, following up to ensure the plan is being implemented and confirming completion of the tasks.  This process can prove both laborious (akin to herding cats) and error-prone (if reminders are not sent out, deadlines are sometimes missed).

If Internal Audit has an automated software system to manage the Issue Tracking/Remediation process, it simplifies their task while enhancing their ability to monitor and report on the status of the SOX Compliance remediation work.  It also allows for the automatic escalation of an Issue to appropriate management if due dates are missed, severity/materiality triggers are exceeded, etc.

In summary, Internal Audit can play a pivotal role in validating an enterprise’s compliance with SOX regulations, but they are not responsible for the compliance itself.  Even if Auditors from the IA department are performing the testing on the SOX Controls, maintaining their conformity to the appropriate standards and guidelines falls to the Business Owners.

I welcome any comments or divergent points of view on this; just call or send me an email.

Best regards,

Paul Fine
Director of Marketing & Business Development
Atlanta, GA USA
Phone: 770-565-8616


DoubleCheck Monthly Newsletter: May ’13…SOX Controls Assurance: Direct Testing vs. Self-Assessment…Pros & Cons?

This question arises frequently in my conversations with senior Audit and Compliance executives. The answer for each organization depends upon a myriad of factors, including organizational structure, geographic disbursement, staffing levels and management philosophy (centralized vs. decentralized). For now, I intend to address the pros/cons of each approach, recognizing that success is defined as identifying and fixing issues and, ultimately, providing appropriate assurance that the firm is in compliance while minimizing time and money spent

Direct Testing:

In its simplest form, testing is done to confirm that Controls are functioning properly. As Ronald Reagan once said “trust, but verify”. This is at the heart of SOX Compliance; ensuring and certifying that the organization has sufficient “Internal Controls over Financial Reporting”.

However, the SOX regulations don’t dictate how to meet that standard. Direct testing of key controls by independent parties is generally the most reliable (and usually the most expensive) way to confirm a control is performing properly. And while other organizations provide frameworks and guidance (COSO, COBIT, etc.), there is great latitude in the actual way to test.
Companies implement testing programs in different ways.

For example, some large firms have a separate Internal Controls staff, removed from Internal Audit. Others have Internal Auditors do the SOX testing, with the actual responsibility for SOX compliance remaining with the Business Owners (generally within the Controller’s group). I’m sure there are other combinations and permutations of these options, but they all still end up doing “testing”.

Geographically dispersed organizations (global footprint) will often times use the concept of “Peer testing” to augment lower staffing levels and reduce travel costs. Here, trained staff will conduct tests of Controls outside their area of responsibility (and outside their normal work duties). This might be Controller A testing controls in Controller B’s business unit, B’s testing C’s, etc. Or, the actual testing may be delegated to a trained tester within each Controller’s dept.

Another approach, with additional costs, is to co-source the international testing to a 3rd party accounting/advisory firm with a local presence overseas. This method is also employed by some firms for non-financial controls testing (e.g., IT Controls, PCI, etc.), regardless of the location.

For any of these methods of testing, you want a system (like that offered by DoubleCheck™) that provides the capability for designing, scheduling and managing the tests. It should also include the ability to execute specific test plans, collect and archive appropriate evidence, and sharing the findings, as appropriate, with management for review. The chosen system should also enhance your capability to follow up, post audits and to confirm agreed-to management actions have been executed.


Self-Assessments are the other means many firms use to confirm that Controls are performing to expectations. This method requires that the organization trusts the Control Owners to police themselves, principally by responding to a set of specific questions designed to determine compliance based on the subject matter knowledge of the control owners.

By their very nature, self-assessments can carry more potential risk than direct testing. You are asking the person to potentially report a deficiency that they might be blamed for. It also requires an organizational culture that pushes tasks down the chain of command and encourages delegation and personal responsibility.

That said, some of that risk can be mitigated by requesting documentation support for the responses or doing random testing of some of the Controls after the self-assessment response is received. Once again, “trust but verify”.

The key advantage of self-assessments vs. direct testing is savings in cost and time. If you have a system like the DoubleCheck™ GRC & Audit Platform, you have unlimited FREE licenses for self-assessment respondents. This can add up to a substantial savings in staff, lost productivity (when Peer testing diverts time from normal duties), travel costs and User license fees. Self-assessments can also be very costly in man-hours if you try to do it just with Word/Excel, using manually-generated email notifications and manual response integration and analysis processes.

One key feature that DoubleCheck™ offers when doing assessments is the ability to perform what is called “Branching Assessments”. Often when executing a self-assessment, depending on the answer, you may want to ask follow up questions. For example, if (and only if) a respondent answers a question “No” for which the preferred answer is “Yes” (e.g., “Is this Control still working?”), the system can ask any number of follow up questions to help the assessment manager understand that “No” answer. It can even require an answer in the “Comment” field of the Assessment before the system will allow the response to be submitted.

Many organizations use Self-Assessments to supplement direct testing or help determine what the direct testing plan should be. Others use it for virtually all their SOX Compliance work. For either approach, you benefit from relying on a platform that provides the capability for designing, scheduling, managing and scoring individual assessments.

Assessments can also be integrated with other risk and compliance data. Issues or concerns can be forwarded immediately, as needed, or as scheduled, to appropriate individuals for awareness or action. The DoubleCheck™ Assessment Center also ensures that all respondents do in fact respond, or the system will follow up automatically and escalate as appropriate.

So, what is the correct balance between direct testing and self-assessments of SOX Controls? That answer will vary company by company, but now you have some of the factors to consider when making that decision.

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
Atlanta, GA USA
Phone: 770-565-8616

DoubleCheck™ Monthly Newsletter: April ‘13…“Are you still depending upon Spreadsheets for your SOX Controls Testing?”

Would you be surprised to learn how many Fortune 1000 companies (or even Fortune 100 companies for that matter), are still using spreadsheets for their SOX Controls testing and documentation activities?  I find examples of that environment every day.  Now, I know Excel can be a multi-faceted tool in properly trained hands, but who has time to go through a 1,000 page training manual (yes, I saw an Excel 2013 book that size at Barnes & Noble last weekend)?  I believe there is a more efficient and productive way to perform those SOX tasks.

Case in point…We have all probably faced working with a spreadsheet that had literally hundreds (or a thousand?) rows and dozens or more columns.  The lack of ease in identifying the key data cells and ensuring they were updated correctly and linked to appropriate sub-forms and workpapers was both time-consuming and had an inherently high level of risk for data corruption associated with it.  And if the spreadsheet was created by someone else, the maintenance of the formulas was a mistake waiting to happen.

Similarly, an inordinate amount of time/man hours can be spent trying to export data from multiple spreadsheets into a template report format to be delivered to the Audit Committee or Board.  Do you find spreadsheets to be the most efficient tool to use for the collection and dissemination of important information to Senior Management on a regular basis?  I would suggest “maybe not”.

I sometimes hear from the executives in charge of SOX (eg. VP-IA, VP-IC, Controller, etc.) that they already have an automated solution to “share” documents between testers, reviewers, approvers, issue owners, etc.  This is not the same as having a single electronic repository of DATA.  DATA is not the same thing as DOCUMENTS.  If the data is available in its simplest form (data points), and is housed in an architecture that allows for relational linkage and reporting, then you can truly share INFORMATION.

Importantly, you can then re-configure the various data elements to create a report that is specific to the needs of each individual user (eg. Tester), or user group (eg. Process Owners), rather than just sharing a general spreadsheet that then has to be interpreted or re-formatted by the user.  And if you can do this without requiring IT to help you, it becomes even more convenient.

Understand, I have nothing against the use of spreadsheets per se.  I use them myself on a daily basis.  But they are just one tool, like many others in your toolbox.  If the task is relatively simple and doesn’t require multiple human touchpoints (remember the need for Version Control), then spreadsheets might be sufficient.

But if your objective is to make all key data available to the appropriate people (with varying levels of security access), keep a complete audit trail of any changes to the data, view previous versions of the document, manage the data and tasks/issues via an automated workflow (with notifications to appropriate parties) and have the ability to run and share reports on both a scheduled and ad hoc basis without requiring IT support, then you may want to consider a more robust automation solution.  You should find that a more efficient SOX Controls process conducted within an automated platform will free up your staff to take on more value-added responsibilities, thereby increasing YOUR overall productivity and value to the organization.


Best regards,

Paul Fine
Director of Marketing & Business Development
Atlanta, GA  USA
Phone:  770-565-8616


DoubleCheck Monthly Newsletter: March ’13–“GRC & Audit Software…Do you get it prix fixe or ala carte?”

As GRC & Audit software developers, we often are braced with an initial screening question from Buyers before we even learn what their key requirements are… “what does your software cost?”.  At that stage of the process, I am often tempted to respond “it depends…you want fries with that?”.  However, flippancy seldom results in a sale, so let’s address this inevitable question within a common framework we are all familiar with… ordering at a restaurant.

There are two main schools of thought when acquiring new software, GRC & Audit or most other types for that matter.  Do you want to select an all-inclusive Platform at a set price (prix fixe) or pick and choose what features you want from a “menu” (ala carte)? 

For example, when you order at McDonald’s, you might tend to buy a selection from the Value Meal menu (prix fixe).  In fact, McDonald’s and other fast food companies went to this approach to avoid putting cashiers in the position of “cross-selling” the customer (the famous “you want fries with that” line).  This approach tends to work best when the purchased item is relatively low in price and there is minimal risk of making a bad decision (because you are familiar with the choices).

On the other hand, if you are dining at a fine Steak House (eg. Mortons, etc.) you are going to be presented a menu where EVERYTHING is priced separately.  You want a potato with that steak, that’s extra.  You want creamed spinach, that’s extra.  This pricing model tends to work better when the purchased item is higher in cost, the buyer is less familiar with the product (how often do you eat at a place like this?) and there is the potential for more “blowback” if your add-ons put you over your approved budget (eg. someone questions your expense report).

Coming back to the software acquisition scenario, the increasingly prevailing preference, based on our experience, is Buyers seek to purchase those features needed immediately, but want to acquire a Platform that is scalable into other areas later as need and acceptance of the new product grows.

Thus, a CAE can acquire a solution to manage traditional audit activities (eg. Planning, Scheduling, EWP, Issue Tracking & Notifications, Risk Assessments, etc.) and later scale into Controls Testing for SOX Compliance or ERM.  Under this pricing model, you are only paying for what you need when you need it.  Seems like a pretty reasonable model and one most Buyers are seeking.

A corollary menu analogy is a little less clear however.  Specifically, what are the non-licensing costs of acquiring and implementing the GRC & Audit software?  Some vendors will quote a price and say it includes “implementation and training”.  Others, like DoubleCheck™, break out the Implementation and Training costs ala carte, so the Buyer knows what they are getting and what they are paying for it.  The inherent uncertainty of the “prix fixe” model of pricing the ancillary services is not knowing what is actually included in the generic term “implementation and training”. 

Questions you should ask the vendors before signing that contract include:

1.  What services are included in your Implementation? 

            a.  Configuration to Client’s RACM vs. importation of the vendor’s template?

            b.  Importation of data to populate the system (or does the Client do that?)

            c.  Creation/importation of Client’s audit, test and assessment templates?

            d.  Creation/importation of Client’s key reports?

2.  What type of training is included in this quote? 

            a.  On site or WebEx?

            b.  How many days/hours of training?  Cost of extra time?

            c.  Remedial training after implementation?

3.  What Post-Implementation Customer Support is provided in this quote?

            a.  Configuration of additional reports?

            b.  Modified workflows?

            c.  Configuration of additional assessments or tests?

You should only pay for what you need, but you should also make sure to get what you need for that price.  Add-ons, upsells, extra professional services fees, etc. can quickly make what appears to be an inexpensive prix fixe “Value Meal” into a very expensive ala carte Steak Dinner.  Ask questions; be sure of the answers.  Don’t get surprised after the meal is bought and the check arrives; all you’ll get then is indigestion.

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
Atlanta, GA  USA

DoubleCheck™ Monthly Newsletter: Feb ‘13: “Are you managing your Issues or just tracking them?”

Here at DoubleCheck™, we have been seeing an increased interest from a variety of organizations in an automated solution to help “track” a myriad of Issues.  These issues can be generated by SOX Control Test failures, Audit findings, RAC Audits, IT Security Incidents, Risk Events, etc.  The common theme expressed during initial discussions is a desire/need to be able to track the progress of the resolution or mitigation of these Issues.

However, once we begin drilling into the specific workflow and outcome these organizations are seeking, it becomes apparent that mere “tracking” of the Issues is insufficient.  They must be able to document, assign responsibility, track progress, report on, scope the potential impact; a full management process.  They have learned (or will quickly learn) that a manual approach to this workflow-oriented Issue Management process is both difficult, time-consuming and error-prone.

Common capabilities these organizations are seeking, regardless of their industry, include being able to:

  • Create and describe issues
  • Score issues based on impact, urgency or other criteria
  • Store and access documents and evidence associated with the Issue
  • Optionally have issues reviewed before formally accepted
  • Assign issues to appropriate responsible parties
  • Capture ongoing status, response and remediation actions, losses or related information
  • System-based follow up until the resolution is completed, reviewed and accepted
  • Visibility of information: Role-based reports and notifications delivered on schedule or ad-hoc based on urgency

A key impetus in this increasing interest in managing the Issue process is that various government regulations are increasingly coming into play if certain types of Issues are not identified, reported and remediated in a timely fashion.  Failure to meet specified due dates can result in heavy fines, censure, negative publicity, etc. for the firm. 

Examples include PCI breaches (anyone doing business with credit cards), RAC Audit claims (any provider submitting claims to Medicare), Customer Data breaches (anyone with customer data on their computer system), Code of Conduct violations (Internal impact or external; eg. FCPA), etc.

There are also the seemingly mundane Incidents that can be scoped as Issues that might leave a firm open to civil lawsuits if not properly addressed in a timely manner at the appropriate level of the organization.  A key to avoiding or mitigating the cost of such issues is to be able to prove that there are Policies in place, and properly disseminated to the appropriate staff (and confirmed “read” by the recipients), to demonstrate that “reasonable measures” were taken to mitigate the likelihood of the negative event occurring.

Examples include accidents occurring on company property (eg. slip and fall on a spill in a hospital lobby, hazardous materials stored improperly contributing to the impact of a seemingly small fire, insufficient security at a hotel leading to an attack on a guest, etc.).  We live in a litigious society and the key (as any Insurance Company can tell you) to reducing the financial and reputational impact of a negative event (ie. Issue) is a quick response, with follow up assigned to the appropriate person until the matter has been properly resolved to the satisfaction of all constituencies.

This goal is made simpler and more foolproof if you have a robust software platform ensuring the proper steps are being taken in the necessary timeframe.  The cost of missing the deadlines, regulatory or otherwise, can far outweigh the initial investment in a support system.

Best regards,

Paul Fine
Director of Marketing & Business Development
DoubleCheck LLC
Atlanta, GA  USA

DoubleCheck Jan. ’13 Monthly Newsletter: “Do you consider the recent Fiscal Cliff deal a Risk Event for your Company?”

There tends to be two divergent schools of thought on the subject of Compromise, including this recent Fiscal Cliff deal last week: 

1.  Any deal is better than no deal

2.  A bad deal is worse than no deal

As we all learn more about the details of the last-minute deal brokered between the Senate, House and President a week ago, it behooves us as business people to consider the impact not just on our personal lives but our corporate lives as well.

If you were to look at the deal in its totality through the prism of a traditional Risk/Control framework, would you consider the passing of the Bill as a “Risk Event”?

If so, what is your opinion on the Root Cause?  Was there a lack of Controls in place, or did they fail?  On paper, I submit we had ample Prevent Controls in place (eg. 3 branches of government) and Mitigating Controls as well (two political parties with very different philosophies and agendas).  That would suggest that the Controls failed, allowing a Risk Event to occur. 

Now, we have to score the Event.  What is the Residual Risk Impact your company will incur as a result of this Control failure?  For example, will there be a short-term transactional impact (eg. temporary reduction in purchases of your goods as consumers adjust to a reduction in take-home pay due to re-instatement of the previous level of Payroll tax rate), or a longer-term impact on your market capitalization as your dividend-paying stock is no longer as attractive to investors due to the increased tax rate on dividends (yes, I understand the capital gains tax rate also increased, but this impact can be deferred until you sell the stock; dividends are taxable the year they are awarded)?

Is there a Mitigation Plan that you can put into effect that will further reduce the severity of the Event impact?  For example, can you reduce employee turnover driven by a desire/need to avoid a drop in take-home pay (eg. finding another higher paying job) by offering a special one-time 2% bonus (similar to the old COLA payments back in the Carter era) to offset the FICA tax increase for the first year?  Most HR experts will tell you it costs less to retain an employee than to hire a new one.

A key point, in my opinion, is to decide if this is an Operational Risk event, or something better scoped under “ERM”, with the corresponding C-Suite and Board focus.  I submit this “Fiscal Cliff deal” is not only a Risk Event in and of itself, but a KRI for the next potential Event coming in a few months; the “Debt Ceiling” battle (too soon to assume it will result in a “deal”).

What will your company do now to mitigate the impact of another Risk Event occurring as a result of that battle?  If you believe that whatever comes from that “event” will impact the country’s debt rating (something Moody is hinting at), should you borrow/issue bonds beforehand to avoid higher rates later?  Are there other more complicated strategies you Risk Managers out there would recommend to your Boards to minimize the impact of one of the possible outcomes of this next “event”?

One thing is certain given our recent experiences regarding the so-called Fiscal Cliff.  Doing nothing to mitigate your own potential Risk Impact, on the assumption that the political controls we supposedly have in place will function properly, will leave you with the illusion of control, not working Controls.

Personally, I hope that I can write on a different theme in my March Newsletter.

Best regards and Happy New Year,

Paul Fine

Director of Marketing & Business Development
DoubleCheck LLC
Atlanta, GA  USA

Next Page »

Custom Website Design NJ
Reinhart Marketing Group