<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GRC reports - DoubleCheck Software</title>
	<atom:link href="https://www.doublechecksoftware.com/tag/grc-reports/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.doublechecksoftware.com</link>
	<description>Engage Your Enterprise</description>
	<lastBuildDate>Tue, 17 Oct 2023 20:19:33 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.5</generator>

<image>
	<url>https://www.doublechecksoftware.com/wp-content/uploads/2018/09/cropped-doublecheck-icon--32x32.png</url>
	<title>GRC reports - DoubleCheck Software</title>
	<link>https://www.doublechecksoftware.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program</title>
		<link>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/</link>
					<comments>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Fri, 13 Oct 2023 19:44:51 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[GRC reports]]></category>
		<category><![CDATA[risk register]]></category>
		<category><![CDATA[Third Party Risk Management]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3699</guid>

					<description><![CDATA[<p>A World-Class Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) program offers numerous benefits to organizations of all sizes and across various industries. Here are 20 key elements needed for the creation of an efficient, effective, and successful program: 1. Mission Statement Purposeful connection of strategy and tactics 2. Framework – Part A<a href="https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/">Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>A World-Class Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) program offers numerous benefits to organizations of all sizes and across various industries. Here are 20 key elements needed for the creation of an efficient, effective, and successful program:</p>
<p>1. Mission Statement</p>
<ul>
<li>Purposeful connection of strategy and tactics</li>
</ul>
<p>2. Framework – Part A</p>
<ul>
<li>Strategic context (“Who are you and what are you trying to achieve?”)</li>
<li>Without this, there is no reason for ERM or GRC</li>
</ul>
<p>3. Framework – Part B</p>
<ul>
<li>Foundational underpinning (Culture and Governance)</li>
<li>Connective tissue existing between strategy and tactics</li>
<li>Underlying essence; these foundations are in place at all times</li>
</ul>
<p>4. Framework – Part C</p>
<ul>
<li>Tactical Execution (4-Step iterative process: identify, assess, mitigate and monitor)</li>
</ul>
<p>5. Governance Structure</p>
<ul>
<li>Clear-cut roles and responsibilities</li>
<li>Best portrayal: Three lines of defense</li>
</ul>
<p>6. Universe</p>
<ul>
<li>4 categories – 3 common (&#8220;Finance&#8221;, &#8220;Operational&#8221; and &#8220;Strategic&#8221;) and 1 unique (“Core Business”)</li>
<li>Dynamic; encompasses emerging risks</li>
<li>Aligns with always-changing nature of risks themselves</li>
</ul>
<p>7. Rating Scales</p>
<ul>
<li>Understandable</li>
<li>Severity, likelihood, direction and velocity</li>
<li>Inherent and residual</li>
</ul>
<p>8. Policies</p>
<ul>
<li>Major risks (dozen or so)</li>
<li>Each comprised of: definition; goal; roles and responsibilities (1st/2nd/3rd lines); appetite; tolerances</li>
</ul>
<p>9. Language</p>
<ul>
<li>Succinct; simpler is better</li>
<li>Don’t throw in unnecessary phrases (“I was able to…”)</li>
<li>Precise; exact</li>
<li>Iterative; over and over</li>
<li>Powerful</li>
<li>One shot; on the mark; needs to resonate</li>
<li>Use present tense whenever possible (alive, here and now)</li>
<li>Pragmatic (understands dynamics, keeps big picture in mind)</li>
<li>Embedded and actionable</li>
<li>Positive (figure out a way, convince)</li>
<li>Purposeful and insistent</li>
<li>Rigorous and disciplined</li>
<li>Not merely esoteric, hypothetical or academic</li>
<li>Put away the pom-poms; self-praise is no praise</li>
</ul>
<p>10. Reporting</p>
<ul>
<li>Risk arrow heat map</li>
<li>Risk owner report</li>
</ul>
<p>11. Overall Cultural Model</p>
<ul>
<li>Code of ethics</li>
<li>What do your people do when no one is watching?</li>
<li>Behaviors you expect and tolerate</li>
</ul>
<p>12. Risk Culture</p>
<ul>
<li>Shared understanding towards risk</li>
</ul>
<p>13. Deputized Risk Owners</p>
<ul>
<li>Subject matter experts</li>
<li>Hold them accountable</li>
<li>Don’t be afraid to critique or challenge</li>
<li>Ensure that people are not just going through the motions (e.g. no changes year-to-year)</li>
<li>Educate them; understand this is not their day job</li>
<li>Depend upon them, and their perceptions, heavily</li>
<li>You are only as good as what they provide</li>
<li>Be respectful of their time</li>
</ul>
<p>14. Risk Owner Surveys</p>
<ul>
<li>Take the opportunity to ask special, “hot-button” questions each year</li>
<li>Don’t overdo it</li>
</ul>
<p>15. Risk Appetite</p>
<ul>
<li>High, medium, low</li>
<li>Tolerances – exact point at which appetite exceeded</li>
</ul>
<p>16. Configurability</p>
<ul>
<li>Collaborate with a vendor having a matching mindset</li>
</ul>
<p>17. The Fuel of Passion</p>
<ul>
<li>Get excited and stay excited</li>
<li>How many people have this opportunity?</li>
<li>Keep turning insights into actions</li>
<li>Don’t be dragged down by leanness of resources, staggering workload, sometimes-mundane nature of work or undervalued role by others</li>
</ul>
<p>18. The Importance of Pride</p>
<ul>
<li>No slouching</li>
<li>Do not accept a back seat</li>
<li>No sloppiness or mistakes should be tolerated; prompts the question &#8211; what else is wrong? How can I have confidence in anything?</li>
<li>It’s a huge job; don’t ever forget that</li>
<li>Keep the mission statement in mind</li>
<li>Cognizant of the overall framework that melds together strategic context and tactical execution</li>
</ul>
<p>19. Transferability to Other Risk-Related Areas</p>
<ul>
<li>Every single risk-related area could benefit by adhering to these 20 elements</li>
</ul>
<p>20. Risk Register</p>
<ul>
<li>Organizational (&#8220;tree&#8221;) view as well as workbench view</li>
<li>workbench for risk owners</li>
<li>doesn’t need to be an exorbitant expense</li>
<li>seemingly fashionable these days to downplay or disparage importance of the risk register</li>
<li><strong><a href="https://www.doublechecksoftware.com/products/risk/enterprise-risk-management-erm-one/">ERM One</a></strong> – a viable alternative to:
<ul>
<li>doing without an automated tool or</li>
<li>tolerating someone else’s system</li>
</ul>
</li>
</ul>
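<p>To make elements 7 (rating scales), 10 (reporting), 13 (risk owners going through the motions), 15 (appetite and tolerances) and 20 (risk register) concrete, here is a small risk register in Python. It is an added illustration, not code from this post or from DoubleCheck’s ERM One product, and its conventions are assumptions: 1-to-5 ordinal scales for severity and likelihood, a score equal to severity times likelihood, residual ratings recorded separately from inherent ones, and each appetite level (low, medium, high) mapped to a numeric score ceiling that serves as its tolerance. The sample risks and prior-year ratings are constructed for the example.</p>

```python
"""Risk register sketch: inherent/residual scoring, appetite tolerances,
heat map, tree view and risk-owner workbench. Added example; all scales,
ceilings and sample risks below are assumptions, not ERM One conventions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: a tolerance is the highest residual score an appetite level accepts.
APPETITE_CEILING = {"low": 6, "medium": 12, "high": 20}
# Arrow used in the "risk arrow" heat map and owner report.
ARROW = {"improving": "↓", "stable": "→", "worsening": "↑"}


@dataclass
class Risk:
    name: str
    category: str   # universe: Finance, Operational, Strategic, Core Business
    owner: str      # deputized risk owner (subject matter expert)
    inherent: tuple  # (severity, likelihood), each 1..5, before controls
    residual: tuple  # (severity, likelihood) after mitigation
    direction: str  # improving / stable / worsening
    velocity: str   # slow / moderate / fast
    appetite: str   # low / medium / high


def score(rating):
    """Severity x likelihood on the assumed 1..5 scales; rejects bad input."""
    sev, lik = rating
    if not (1 <= sev <= 5 and 1 <= lik <= 5):
        raise ValueError(f"rating out of range: {rating}")
    return sev * lik


def exceeds_tolerance(risk):
    """True when the residual score sits above the ceiling for the stated appetite."""
    return score(risk.residual) > APPETITE_CEILING[risk.appetite]


def tolerance_breaches(register):
    """Names of risks whose residual rating exceeds their appetite (element 15)."""
    return [r.name for r in register if exceeds_tolerance(r)]


def heat_map(register, view="residual"):
    """5x5 count matrix, rows = severity, columns = likelihood (1-based ratings)."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        sev, lik = getattr(r, view)
        score((sev, lik))  # validates the rating before indexing
        grid[sev - 1][lik - 1] += 1
    return grid


def tree_view(register):
    """Organizational view: risk names grouped by universe category."""
    tree = defaultdict(list)
    for r in register:
        tree[r.category].append(r.name)
    return dict(tree)


def owner_report(register):
    """Workbench view: per owner, (name, inherent, residual, arrow, velocity, status)."""
    report = defaultdict(list)
    for r in register:
        status = "BREACH" if exceeds_tolerance(r) else "within appetite"
        report[r.owner].append(
            (r.name, score(r.inherent), score(r.residual),
             ARROW[r.direction], r.velocity, status)
        )
    return dict(report)


def stale_assessments(previous, register):
    """Risks whose inherent and residual ratings match last year's exactly,
    a cue that the owner may be going through the motions (element 13)."""
    return [r.name for r in register
            if previous.get(r.name) == (r.inherent, r.residual)]


# Constructed sample register (not real data).
REGISTER = [
    Risk("Ransomware disrupts order fulfilment", "Operational", "CISO",
         (5, 4), (4, 2), "improving", "fast", "low"),
    Risk("Key supplier insolvency", "Core Business", "Head of Procurement",
         (4, 3), (3, 3), "worsening", "moderate", "medium"),
    Risk("FX exposure on EUR receivables", "Finance", "Treasurer",
         (3, 4), (2, 2), "stable", "slow", "medium"),
    Risk("Regulatory fine for privacy breach", "Strategic", "General Counsel",
         (5, 2), (4, 2), "stable", "slow", "low"),
]

# Constructed prior-year ratings keyed by risk name: (inherent, residual).
PREVIOUS_YEAR = {
    "Ransomware disrupts order fulfilment": ((5, 5), (4, 3)),
    "Key supplier insolvency": ((4, 3), (3, 3)),
    "FX exposure on EUR receivables": ((3, 4), (2, 2)),
    "Regulatory fine for privacy breach": ((5, 2), (4, 2)),
}

if __name__ == "__main__":
    for owner, rows in owner_report(REGISTER).items():
        print(owner)
        for row in rows:
            print("   ", *row)
    print("Tolerance breaches:", tolerance_breaches(REGISTER))
    print("Unchanged since last year:", stale_assessments(PREVIOUS_YEAR, REGISTER))
```

<p>Two design points worth noting. A numeric ceiling per appetite level is only one way to express the post’s “exact point at which appetite is exceeded”; a register can also carry a tolerance per risk, in which case <code>exceeds_tolerance</code> compares against that field instead. And the year-over-year comparison is deliberately strict: identical ratings are not wrong, but they are the signal to ask the owner whether anything was actually reassessed.</p>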
<p>Closing Thoughts:</p>
<ul>
<li>Get ready for the elevator speech</li>
<li>Trapped in the elevator with the CEO and asked to give him/her your impressions of GRC/ERM priorities in 30 seconds</li>
<li>No excuses – take the time to do the dirty work beforehand</li>
<li>Connect the dots, dot by dot</li>
<li>Build the program, brick by brick</li>
<li>Bold, presumptuous goal (“World-Class”)?</li>
<li>Shoot for the moon; even if you miss, you’ll land among the stars</li>
<li>Common denominators</li>
<li>Better every day; better than yesterday</li>
<li>Incremental improvements</li>
<li>Keep attacking</li>
<li>Heed the children’s book classic &#8211; “The Little Engine That Could”</li>
<li>Mission: reach the boys and girls on the other side of the mountain</li>
<li>When it found itself in trouble, neither a shiny new passenger engine, with all sorts of compartments, nor a big strong engine was necessary</li>
<li>All that was needed was a little blue engine who “tugged and pulled”, “pulled and tugged”</li>
<li>“I think I can” was converted into “I thought I could”</li>
</ul>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>


]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/why-settle-for-less-twenty-20-elements-in-a-world-class-erm-or-grc-program/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3699</post-id>	</item>
		<item>
		<title>Governance, Risk and Compliance (GRC) &#8211; Pursuing the “Ideal” Frame of Reference</title>
		<link>https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/</link>
					<comments>https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 31 Jul 2023 18:21:16 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[erm software]]></category>
		<category><![CDATA[GRC reports]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=3634</guid>

					<description><![CDATA[<p>When it comes to any discussion involving the acronym GRC (Governance, Risk and Compliance), understanding the speaker’s frame of reference is paramount. From a vendor’s perspective, GRC refers to an automated suite of capabilities designed to address a broad range of challenges associated with critical disciplines managed by the client (e.g. compliance, risk management, audit,<a href="https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/">Governance, Risk and Compliance (GRC) – Pursuing the “Ideal” Frame of Reference</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>When it comes to any discussion involving the acronym GRC (Governance, Risk and Compliance), understanding the speaker’s frame of reference is paramount.</p>
<p>From a vendor’s perspective, GRC refers to an automated suite of capabilities designed to address a broad range of challenges associated with critical disciplines managed by the client (e.g. compliance, risk management, audit, corporate governance etc.), allowing that same company to reduce uncertainty, achieve the entity’s key strategic objectives and meet its stakeholder obligations.</p>
<p>Again, that perspective on GRC, which sounds straightforward enough, is being viewed through the eyes of the vendor.</p>
<p>Probably the same for every vendor, right?</p>
<p>Not so fast.</p>
<p>More holistically, would it be identical to how the client defines GRC?</p>
<p>Another no.</p>
<p>Let’s look at the delineating factors.</p>
<p>From a vendor perspective, what comprises each individual GRC system is totally dependent upon each vendor.</p>
<p>Simply put, not all systems are created with identical features.</p>
<p>The rationale is straightforward and understandable.</p>
<p>Look no further than the broad construct of the GRC umbrella – consisting of risk, compliance and a final element of governance that, drilling down to more specific risks, can be incredibly broad and wide-ranging (e.g. audit, corporate governance oversight, policy management, fraud, model, ESG, AI etc.).</p>
<p>It’s not hard to understand how the inevitable differences in system emphasis and packaging could (and do) result.</p>
<p>As a consequence, the GRC marketplace has found itself flooded with competing vendor-centric solutions, each seemingly in search of the next, new GRC challenge.</p>
<p>A skeptic could argue that each successive GRC solution becomes more inflexible, costly, complex and/or esoteric than the prior one.</p>
<p>With all these drivers, the “ask” of the GRC client often becomes to:</p>
<ul>
<li>Accept a system that is unwieldy and inflexible</li>
<li>Tolerate system features that you don’t need</li>
<li>Sacrifice other elements that you (or your Board of Directors) really want</li>
<li>Endure a bevy of reports, scorecards etc. that are neither pertinent nor understandable</li>
<li>Tolerate service standards that seem average, at best</li>
</ul>
<p>Needless to say, this is not really music to the client’s ears.</p>
<p>From a client’s perspective, therefore, the pursuit of a GRC solution all too often narrows to a choice that is best termed as “one-size-fits-all” or “take-it-or-leave-it”.</p>
<p>That’s not the way it’s supposed to be, if you roll back the tape and try to comprehend what GRC means at the 40,000-foot level. Maybe it’s time to take all this in and perform a sanity check of your GRC system.</p>
<p>After all, system capabilities and design should be all about the client.</p>
<p>With that in mind, how does a client think about GRC and, as a result, how should the vendor “ideally” design the system to meet those client needs?</p>
<p style="font-weight: 400;">First, the basic governing premise for GRC needs to be established, as follows:</p>
<p style="font-weight: 400;"><strong><em>The profound, pervasive and vitally important challenges that drive GRC emanate from the company, not from the vendor.</em></strong></p>
<p style="font-weight: 400;">This principle, which always has been, and always will be, true, cannot be overstated.</p>
<p>It’s not about forcing the client to perform contortions – and sacrifice functionality – to align with an inflexible, rigid tool.</p>
<p><em>As a 35-year real-life practitioner in the GRC space (25 years as a corporate risk manager and 10 years in the ERM Governance and Disclosure world), <strong>I know whereof I speak</strong>.</em></p>
<p>While the concept of GRC is said to have been created over 20 years ago (2002), the underlying challenges actually constituting those GRC exposures <strong>have been around forever</strong>.</p>
<p>They were certainly there in front of me on my first day as a risk manager in 1985, well before that “umbrella” concept of GRC was “created” and/or the first automated tool was developed.</p>
<p>Having said that, and mindful that there is no one “best” prescribed system or solution, it can be stated with certainty that a GRC automated tool should possess the following attributes:</p>
<ul>
<li>Capable of evolving and growing over time</li>
<li>Potential upgrades should be straightforward</li>
<li>Solution must be dynamic, nimble and agile</li>
<li>As such, it should be configurable</li>
<li>Can be either modular or holistic</li>
<li>Data must be able to be shared across modules</li>
<li>There needs to be cross-functional coordination</li>
<li>The system must be unified and linkable</li>
<li>There should be rich, robust functionality</li>
<li>The system needs to understand the business context of the company (what it does) as well as its culture and stakeholders</li>
<li>GRC strategy must be aligned with the overall business objectives</li>
<li>The tactical execution for each of the constituent parts of the GRC automated application must be part of the tool</li>
<li>Monitoring of GRC system performance must involve a robust, fully-embedded business intelligence platform</li>
</ul>
<p>With all these features in hand, a unified approach to GRC capabilities within the overall solution should allow a company to leverage GRC information across the enterprise.</p>
<p>By linking key elements across risk, compliance, audit and corporate governance (as well as related disciplines), the solution should be able to streamline processes and maximize utilization of information dashboards and analytics that cross boundaries.</p>
<p>Similarly, linked solutions reduce overlap, share overall insight, reuse work and tackle siloed GRC responses while securing what’s private.</p>
<p>A representative listing of GRC system activities might be, as follows:</p>
<p>Compliance</p>
<ul>
<li>Document controls, assess performance, manage exceptions</li>
<li>Tools to manage regulatory change and document compliance framework</li>
<li>Test or assess performance, manage remediation and share status results with stakeholders</li>
<li>Financial (SOX, PCI); Industry (NERC, HIPAA); Departmental (HR, IT)</li>
<li>Approvals, Attestations, and Certifications</li>
</ul>
<p>Risk</p>
<ul>
<li>Systematic approach to identify, assess, mitigate and monitor risks</li>
<li>Centers on risk register</li>
<li>Empower Risk Owners to manage and assess their own topic risk set</li>
<li>Goal is to collaborate with risk owners and other internal and external associates in a clear and transparent manner</li>
<li>Board-level reports and scorecards should be available to be generated in order to assess performance and establish risk priorities</li>
</ul>
<p>Audit</p>
<ul>
<li>Program definition based on client-specific reporting</li>
<li>Management insight into audit execution and planning</li>
<li>Management review, overrides to final plan</li>
<li>Engagement planning</li>
<li>Electronic workpaper management</li>
<li>Issue and remediation management</li>
</ul>
<p>Governance</p>
<ul>
<li>Policy definition</li>
<li>Policy review and renewal</li>
<li>Demonstrable performance</li>
</ul>
<p>Other GRC-Related Activities</p>
<ul>
<li>Model risk surveys, including reliance on Artificial Intelligence (AI)</li>
<li>Fraud-risk studies</li>
<li>Cyber risk (information security)</li>
</ul>
<p>Summary</p>
<p>An “ideal” GRC solution revolves around specific customer needs. Enterprise GRC software that supports compliance, risk, audit or governance needs should be a highly configurable solution that can be tailored to a company’s users, data and processes. Embedded business intelligence features should generate the dashboards and reports needed for internal and external purposes. GRC solutions should support business processes, not the other way around. Each component of GRC is integrally linked to the achievement of a company’s corporate objectives.</p>
<p>About the Author:<br />Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.</p>


]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/governance-risk-and-compliance-grc-pursuing-the-ideal-frame-of-reference/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3634</post-id>	</item>
		<item>
		<title>Shopping For a GRC Platform</title>
		<link>https://www.doublechecksoftware.com/shopping-for-a-grc-platform/</link>
					<comments>https://www.doublechecksoftware.com/shopping-for-a-grc-platform/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 01 Jun 2022 13:36:16 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[GRC reports]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2894</guid>

					<description><![CDATA[<p>Almost every blog entry listed here makes some reference to a Governance, Risk, and Compliance (GRC) software tool and how it can help you manage cyber risk. But what if you don’t have one of these? What about spreadsheets? Or home grown database tools you made yourself and are certain are “good enough”? And suppose<a href="https://www.doublechecksoftware.com/shopping-for-a-grc-platform/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/shopping-for-a-grc-platform/">Shopping For a GRC Platform</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>Almost every blog entry listed here makes some reference to a Governance, Risk, and Compliance (GRC) software tool and how it can help you manage cyber risk. But what if you don’t have one of these? What about spreadsheets? Or home grown database tools you made yourself and are certain are “good enough”? And suppose you have a very limited budget for risk management, are part of a small organization (or a small part of a highly decentralized large organization), and just don’t have bundles of cash to spend on software. What about those folks too?</p>
<p>While there are no absolute, easy answers, there are some strategies we’ll explore here. Also, there are some basic best practices to apply to any shopping effort for a GRC software solution that can limit your financial exposure and save you a lot of money—often enough to make the whole exploration and evaluation worth your while when you think it’s out of reach. We’ll look at some of those too so you are fully “ready” to make the best choices for your business regardless of how your risks and resources measure up today.</p>
<p><strong><span style="color: #3366ff;">Making The Impossible Possible</span></strong><br>Sometimes you are faced with a seemingly impossible situation, where you cannot do without but cannot make do either. I’ve been there. It’s where the spreadsheet approach grew up. It’s where lists and manual processes thrive. It’s not ideal. Even those folks who can script in “Excel-eze” cannot provide all the detail and robust data capture, analysis, and organization needed today. In other articles I’ve noted the value of leveraging data from other processes, particularly ones associated with audits, regulatory and compliance reviews, and even incident management. Those areas may have some software you can somehow borrow services from to configure risk assessments and share data. Such arrangements may not give you ideal flexibility or control, but, in an impossible situation, there needs to be elasticity in solutions. This approach might create something of a sneaker-net scenario where you are running from one platform to another to launch a risk assessment, manage progress, extract data, transfer to an analysis platform elsewhere, take the result to publish and distribute through another borrowed internal service, and so on. It won’t be easy, but any amount of automation you can offer for your stakeholders will likely be received well, even if you’re “spinning a lot of plates behind the curtain” so to speak. There is a potential gem buried here, if you survive this—you know what everyone else has, needs, and already counts upon for similar automated services. Hold onto that information; it will become most valuable later on in this story.</p>
<p><strong><span style="color: #3366ff;">Know What You Need</span></strong><br>The beginning to any journey or task is knowing where you want to go. In this case, knowing which features of a GRC platform are most critical to the operation of your risk management program is key. Like shopping for anything laden with features and unique approaches to perceived needs (ever shop for a new car?), it could be easy to get sidetracked by the glistening marketing messages and materials crafted to attract your attention. If managing risk assessments and sharing the results in a manner that your senior business leadership can understand is critical, focus upon that before other features. Also, pay attention to what it may take to enable what you want. Some attractive features in some products require robust database management and query skills. Others require scripting or programming through application programming interfaces (APIs). If you don’t have those resources readily available to your risk program at this point, something more out-of-the-box or configurable rather than customizable might be in order. So, build a list of truly “must-haves”, and one of “desirables”. Make certain you hit as many musts as you can. Don’t trade them off for desirables, no matter how many are offered. Be patient, and diligent.</p>
<p><strong><span style="color: #3366ff;">Become An Informed Shopper</span></strong><br>There’s no way I know of to acquire GRC software by the pound. But there are strategies to gradually acquire functionality over time as your risk program’s needs mature and become more sophisticated or complex. I have a long-standing rule about avoiding redundant or “throw away” efforts wherever they can possibly be eliminated. Repeating an effort because you “didn’t have time” to do it thoroughly the first time wastes time, money, and many other participating or supporting resources. So, if you need to start small, seek solutions that can grow with you at your pace. Many software solutions will present themselves as meeting this requirement. Don’t take a “yes we can” at face value. It’s important to ask “how”! The specifics and details offered will tell you whether the solution you’re exploring truly can gradually grow, or requires a complete reinstall from scratch or something else. What do I mean by growing? Adding capacity for data, support for an increased number of users, revealing or enabling new features or capabilities without having to reinstall or redeploy the software demonstrates a product designed for incremental growth. This growth may also include the ability to integrate other data sources from external systems. Be careful here. Again, ask how. Understand what requirements beyond configuration and setup might be required to make such integration work.</p>
<p>There’s another aspect to being an informed shopper—seeking input from your stakeholders. In addition to being a good partner, there may be useful information to help shape your list of much needed features. You may also discover details about other systems already part of your company infrastructure that can be leveraged now and could feed your new GRC later to help establish it as the system of record for all risk related information. Stakeholder preferences for disseminating risk data analysis and reporting might also reveal features to value and take note of in your search.</p>
<p><strong><span style="color: #3366ff;">Consider Your Vertical</span></strong><br>Every business has its own unique risk portfolio. And it changes with time and circumstances as does the business itself. Some industries have specific legal, compliance, and regulatory obligations that demand rigorous, detailed attention to particular sets of controls and practices. Two of these that often are cited as particular examples are financial services and healthcare. Both are heavily regulated. Both have Federal regulations and agencies (FFIEC, NCUA, FINRA, FinCEN, to name just a few) serving as oversight vehicles. Compliance is a big part of their competitive, legal, reputational, financial, and operational risk portfolios. They are also diverse verticals. Financial services take many forms: banks, credit unions, investment firms, stock and bond trading services form a commonly perceived bulk. But there’s also the whole payments industry, credit cards, check cashing services, small lenders, and of course insurance of all different forms. Even the automotive industry blurs the lines with auto lease and purchase financing, often initiated at retail dealerships and “car stores”. There are also all the surrounding advisory professionals operating as financial investment and management consultants. And, for international organizations, there are expanded sets of obligatory controls set by host countries. Each has its own unique flavor of obligatory standards and guidelines that must be followed.</p>
<p>Likewise for healthcare services, there are many regulations, Federal ones well known, like HIPAA and somewhat less known HITECH (Health Information Technology for Economic and Clinical Health Act), but also the Medicare Access &amp; Children’s Health Insurance Program Reauthorization Act of 2015, or MACRA, to name some more, that require compliance. Some healthcare providing organizations operate through multiple third party relationships and those entwine and complicate compliance efforts too. Medicare and Medicaid themselves have regulations and requirements that CMS (Centers for Medicare &amp; Medicaid Services) imposes upon providers and other supporting healthcare services billing those programs. So there may be a significant third party risk management (TPRM) component to compliance and risk management here.</p>
<p>And of course, online retailers of all sizes have their own bits of compliance. Online wine sales are subject to stringent state regulation, licensing and more. Other retailers are subject to state tax laws, permits, licensing, and of course PCI for those credit card payments. A partial list for sure.</p>
<p>Assessing risk, compliance with controls, organizing and documenting evidence, and supporting regulatory compliance reviews can be a time consuming, tedious process that becomes very costly without support of the automation and administrative control offered by a GRC platform. This regulatory environment thwarts many, creating a significant barrier to entry for some startups and small business ventures, and a barrier to growth for others. If only there was a simple, cost effective entry point into managing this complex governance, risk, and compliance arena that could grow with a company in size and capability as those services were necessary…</p>
<p><strong><span style="color: #3366ff;">Out-Of-The-Box GRC</span></strong><br>Out-Of-The-Box GRC, or OOB-GRC is neither a unicorn, nor the offering of a case of snake oil elixir by an alley way “expert”. There are vendors that offer simple GRC solutions, based upon pre-configured instances of their software. They cover a wide array of OOB readiness and can be ready to put to use and begin delivering value in very short timeframes. Most often they are based upon the platform that’s capable of providing the full array of services available in a quality full featured GRC. It’s just that only the basics are “turned on”. Those are usually the ability to conduct and manage a risk assessment, report basic findings, maybe manage some workflow, or include a control standard, and manage the process. They may include access to well known control sets incumbent to standards such as NIST’s Cyber Risk Standard, or HIPAA and/or HITECH’s control sets, or others generally required by one vertical or another. There are several immediate values to such OOB solutions:</p>
<ul>
<li>support rapid deployment with minimal client effort</li>
<li>are cost effective and affordable</li>
<li>allow you to work as you learn, (helping you determine what’s most needed next, why and when)</li>
<li>are simplified versions, so training users is streamlined</li>
<li>may be hosted, reducing reliance upon internal IT resources, while providing security</li>
<li>incorporate maintenance support</li>
<li>are capable of expanding in scale, feature richness and scope (without encountering “throw-away” re-work)</li>
</ul>
<p>This is a representative example of the gains and opportunities afforded by OOB GRC offerings, but not an exhaustive one. Some firms may include more of their features in a pre-configured OOB offering. Ones that favor configuration over customization have a clear advantage here. Also, security is a significant concern. A great deal of your risk related data is likely highly confidential. A GRC solution will offer much more detailed and granular security than a collection of local databases and spreadsheets. This is a feature often overlooked that is really important to consider. And if you have done your own homework and know what you essentially need to get started, your ability to pinpoint which solution offerings OOB may be best for you will be more straightforward and precise. Remember what I noted you might have learned while “making the impossible possible” in that section above? Here’s where it offers to pay you back for all you gleaned. You know what you need right away. You also know where the value trade-offs might exist while comparing solution offerings.</p>
<p>There is, of course, a buyer’s caveat here. Some vendors say they offer an OOB solution, but in reality, they only offer a pre-configured reduced feature set, or one so minimal it’s inoperative without customization and development. And, they may not readily reveal that to perform one function, you need to purchase one or more additional modules holding dependent code. These are not true OOB solutions. A genuine OOB solution should be able to be launched, configured, and ready for you to begin using, training users, and performing useful work in 30-45 days or less, assuming you have clarity on what you need and how you operate. Remember, an OOB solution may not do things exactly as you have in the past, using makeshift tools and tons of sweat equity. One purpose of bringing a software solution to bear is to introduce new practices through automation, streamline processes and practices, and enable your company to do more, get more, while making the effort more flexible and elastic to growth in scope, size, and complexity over time. The OOB solution delivers that promise in an affordable package, one you can enrich and expand in the future.</p>
<p>The OOB GRC solution is a great way to introduce positive change, improve the overall cost effectiveness and quality of managing risk, while enhancing your ability to manage compliance and provide the best possible alternative to the plate spinning, spreadsheet gathering, manual processes in the past. The OOB GRC is also a great way for companies of all sizes to grow past those interim efforts to enhance the professionalism of risk management, compliance, and the overall operating performance of their companies now and into their tomorrows.</p>
<p>About the Author:<br>Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>


<p>The post <a href="https://www.doublechecksoftware.com/shopping-for-a-grc-platform/">Shopping For a GRC Platform</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/shopping-for-a-grc-platform/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2894</post-id>	</item>
		<item>
		<title>Holistic Third Party Risk Management</title>
		<link>https://www.doublechecksoftware.com/holistic-third-party-risk-management/</link>
					<comments>https://www.doublechecksoftware.com/holistic-third-party-risk-management/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 02 May 2022 14:36:27 +0000</pubDate>
				<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[#tprm]]></category>
		<category><![CDATA[cybersecurity software]]></category>
		<category><![CDATA[GRC reports]]></category>
		<category><![CDATA[Third Party Risk Management]]></category>
		<category><![CDATA[Vendor Risk Management]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2860</guid>

					<description><![CDATA[<p>Third Party Risk Management (TPRM) is more than just management of a group or category of business relationships. It is a program unto itself with its own unique characteristics and methods. Too often, TPRM is viewed and undertaken as a procurement process subset. That can lead to a collection of discrete transactions managed on a<a href="https://www.doublechecksoftware.com/holistic-third-party-risk-management/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/holistic-third-party-risk-management/">Holistic Third Party Risk Management</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>Third Party Risk Management (TPRM) is more than just management of a group or category of business relationships. It is a program unto itself with its own unique characteristics and methods. Too often, TPRM is viewed and undertaken as a procurement process subset. That can lead to a collection of discrete transactions managed on a demand basis. This approach may lead to the impression of governance, but it misses the mark for understanding your program as a larger business process. So, let’s take a look at TPRM from this perspective and see what opportunities and insights may be revealed.</p>
<p><strong><span style="color: #3366ff;">Evaluating Your Current State</span></strong><br />In past blogs we’ve talked about specific vendors operating within a risk management process. Looking at third parties as a category of resources, a different understanding is needed. Imagine a heat map for your TPRM participating companies. How many partners would represent high risks? What does your risk distribution look like? Which suppliers provide critical services? Are there any for which you have no alternative due to their unique capabilities? Are any of those ranked as high risk cases? Ranking and arraying your third party resources will give you a clear snapshot of your third party risk position from a portfolio perspective. This snapshot gives you a clear picture <img decoding="async" class=" wp-image-2863 alignleft" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Heat-map.png" alt="" width="184" height="168" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Heat-map.png 225w, https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Heat-map-150x137.png 150w" sizes="(max-width: 184px) 100vw, 184px" />that’s useful to communicate a position, or the change in position of overall TPRM for business leaders concerned with business continuity, planning, and yes, procurement, of course. You can see that many, perhaps most in this case, are high ranking vendors that are also high risk. You could achieve this through a comprehensive listing as well, but I’ve found that the visual presentation of status or “state” data often leads to greater and faster communication and comprehension by recipients across all management levels and fields of expertise. You may find a combination of the two works equally well or even better within your own business culture.</p>
<p><strong><span style="color: #3366ff;">Evaluating Third Party Assessment Processing</span></strong><br />Knowing the relative distribution of risk across your portfolio of third party providers is an important step. Exploring the details of their current participation in your risk process helps you evaluate where you are in addressing these risks. There’s a calendar (or should be) noting the schedule for initiating assessments for each of your providers. Some representing high risk for your business may be at least annual, or semi-annual, while low risk providers may be on less frequent schedules. Current contract provisions or other regulatory obligations may reflect these requirements. Are your assessments beginning on time? Which, if any, have been deferred? For how long? Are the reasons documented? Does the revised timing violate agreements in force? Are there mitigating steps you need to take in the interim? Compare these answers to your risk distribution to see if you have significant issues where risk to your firm, or in the nature of your partner’s engagement with you, offer significant exposure. Also, check to see if your calendar has created seasonal high volume periods followed by gaps of minimal activity. Where possible, check to see if some start dates might be flexible and can help you balance out the distribution of work to reduce or avoid “peak assessment periods”.</p>
<p>Next, take a look at where providers are within the workflow of your assessment process. Take note of several factors, specifically process step, staffing for expert review of submissions, and apparent delays not addressed. Are there bottlenecks in your workflow? If there are, they may be due to dependence upon subject matter expert (SME) review where there are too few SMEs for the workload entering that part of the risk evaluation workflow. There’s a tendency to over-estimate the capacity of these experts to take on these tasks, particularly if these reviews are subordinate to other daily responsibilities. Just as the demand for SME review can require flexibility of scheduling, there also needs to be a capability to provide equally elastic capability to evaluate content from your providers in a timely fashion. Also, if you are using some of the automated workflow services a GRC platform often provides, review your workflow automation configurations and assignments. It’s often useful to establish escalation triggers that automatically advance assignments to alternate or higher level resources after a set period of inactivity. This alerts others to a delay in the workflow, and also points attention to a possible imbalance between SME service demand and capacity. Stepping back, look at the current state of all your assessments, to gain an understanding of where such imbalances might occur before they happen, taking the opportunity to manage your resources to the most effective use you can.</p>
<p><strong><span style="color: #3366ff;">Contract Review</span></strong><br />Not all third party risks are cyber in nature. One of the most challenging for some organizations is managing the portfolio of contract provisions resulting from all the different third party providers a firm may employ. There are a number of moving parts to track: expiration dates, performance obligations, agreement and regulatory compliance obligations, triggers for discounts, interim payments, or any other terms that may be costly or lead to missed opportunities. Not every term or condition in a contract will tie to an annual event calendar. Some may be quarterly, semi-annual, or on other schedules unique to its terms. The risks surrounding contracts aren’t necessarily cyber in nature, but they may be financial and often can incorporate compliance matters. These can have a cascading impact upon other areas, and are equally important to a holistic approach to managing third party risk.</p>
<p><strong><span style="color: #3366ff;">Where Are Your Vendors?</span></strong><br />This isn’t a rhetorical question. Are they all located in close proximity to you geographically? If they are, then all your location based risks may have equal or more application to your suppliers and partners. Ideally some primary and secondary partners would be located outside your proximity so that weather or event-driven happenings would not automatically compound third party outages with any of your own. One of the benefits of cloud offerings is the opportunity to disperse content across significant geographies to mitigate or prevent disruptions due to an event in one location. It’s important to review your portfolio of third parties and their geographies, both local and extended (if they have services spread across or among a wide geographic range) to identify any clusters of partners or providers set into one geography. If you do, note where. They may not be proximate to your locations, but may reside in places with a very different risk profile you’ll want to factor into the overall assessment of risks related to any specific vendor.</p>
<p><strong><span style="color: #3366ff;">Frameworks, TPRM, and C-SCRM</span></strong><br />Certainly, with regard to cyber risk and TPRM it is worth a look at <a href="https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8276.pdf"><strong>NIST’s Key Practices in Cyber Supply Chain Risk Management.</strong></a> Managing your vendors is a critical component of Cyber Supply Chain Risk Management, or C-SCRM. Having a comprehensive C-SCRM also means extending the scope of your TPRM practices to include:</p>
<ul>
<li>Engaging Key Suppliers in Resilience and Improvement Activities</li>
<li>Assessment and Monitoring Throughout the Supplier’s Relationship</li>
<li>Incorporating Third Parties in Plans for Full Life Cycle Review</li>
<li>Where Appropriate, Assessing Suppliers’ Cyber capabilities</li>
</ul>
<p>Using a framework such as NIST’s C-SCRM guidance in NISTIR 8276 provides you with guidance on the range and scope of activities and practices to employ to build out a program to address and understand your cyber exposure across the full extent of your supply chain practices.</p>
<ul>
<li>If you are already applying the <a href="https://csrc.nist.gov/Projects/cybersecurity-framework/nist-cybersecurity-framework-a-quick-start-guide"><strong>NIST Cyber Security Framework</strong></a>, these practices are largely represented within the details of the standard.</li>
<li>Also, <a href="https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/draft"><strong>SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</strong></a> (2nd Draft), offers more guidance.</li>
</ul>
<p>This is essential to your overall risk management program at an enterprise level, and should encompass operational, financial and logistical as well as cyber risks and mitigation strategies. It’s likely you will impact internal policies, contract management, supplier procurement, on-boarding, and compliance along the way. Frameworks will also help you position your supply chain risk issues so it’s clear where the risk resides in processes in addition to suppliers or other actors. This is useful context for expressing cyber and other risk category issues, findings, and recommendations to leadership in a business rather than technical content. Frameworks are useful tools for bridging the distance between technical and business perspectives of your enterprise. They help you organize content and represent it in ways meaningful to senior leadership and other stakeholders.</p>
<p><strong><span style="color: #3366ff;">GRC As A Holistic Platform</span></strong><br />I often discuss how a governance, risk, and compliance software platform (GRC) can help address the issues discussed in an article. GRC platforms often afford the ability to aggregate data from many practices and processes to assemble a more complete picture of a subject area’s current risk state. Data from regulatory reviews, audits, risk assessments, incidents, project tracking, financial reports, and operating metrics, to highlight some, may all be incorporated into a GRC to create a more complete and comprehensive understanding of risk state and current dynamics within a subject area of your organization. On an enterprise level, this data resource can be used to fuel a useful and realistic assessment of your supply chain practices, including key third party services and materials providers. Often, inclusion of content from areas such as Audit is restricted to specific controls compliance with respect to cyber activities or best practices. That’s a short-sighted approach and a missed opportunity. Including content from reviews of bills of materials, or other procurement related supply chain process artifacts may reveal some surprising but important knowledge of critical vulnerabilities in your supply chain methods from a holistic view of risk for your enterprise. Likewise, data generated by operating performance metrics, or other data sources, aligned in the presence of data from these other areas may also yield new understanding and insight.</p>
<p>GRC’s may sometimes be like the well known detective’s magnifying glass, focusing upon and offering useful, but concealed insight, by careful inspection or alignment of seemingly incidental or unrelated data. Multiple data sources create context and alternative perspectives. The ability to gather and refocus data into information, through the use of a GRC’s analytical and data presentation tools, represents a clear advantage to your understanding of risk across your enterprise, and a fundamental, holistic awareness of risk for your TPRM practices, and supply chain overall.</p>
<p>About the Author:<br />Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>
<p><em><strong><span style="color: #3366ff;">Some observations from DoubleCheck Software on Third Party Risk Management Platforms and Reporting</span></strong></em></p>
<p>It is critical to have a holistic viewpoint on your Third Party Risk Management program. Sound, real-time reports and dashboards keep management informed at each step of the TPRM process. Reports 1 &amp; 2 below are examples of TPRM reports generated from the DoubleCheck TPRM system. These reports are all part of an embedded Business Intelligence platform available in every DoubleCheck GRC module.</p>
<p>Report 1 <strong>(Third Party Status Report)</strong> demonstrates a collective view and status of all Third Party vendors. Report 2 <strong>(Third Party Scorecard)</strong> dives deeper into a specific vendor and details Contact Information, Evaluation Criteria and Documentation, Recommendations, and Action Items.</p>
<p><strong><span style="color: #3366ff;">Third Party Status Report:</span></strong></p>
<p><img fetchpriority="high" decoding="async" class="alignnone  wp-image-2878" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Status-report-300x209.png" alt="" width="527" height="367" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Status-report-300x209.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Status-report-150x105.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Status-report.png 663w" sizes="(max-width: 527px) 100vw, 527px" /></p>
<p><strong><span style="color: #3366ff;">Third Party Scorecard:</span></strong></p>
<p><img decoding="async" class="alignnone  wp-image-2880" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Scorecard-1-300x201.png" alt="" width="522" height="350" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Scorecard-1-300x201.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Scorecard-1-150x100.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Scorecard-1-272x182.png 272w, https://www.doublechecksoftware.com/wp-content/uploads/2022/04/TPRM-Scorecard-1.png 722w" sizes="(max-width: 522px) 100vw, 522px" /></p>
<p><strong>Click for more on DoubleCheck&#8217;s <a href="https://www.doublechecksoftware.com/products/risk/tprm/">Third Party Risk Management</a> or <a href="https://www.doublechecksoftware.com/products/risk/cybersecurity-risk-management/">Cyber Security Risk Management</a> programs. </strong></p>


<p>The post <a href="https://www.doublechecksoftware.com/holistic-third-party-risk-management/">Holistic Third Party Risk Management</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/holistic-third-party-risk-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2860</post-id>	</item>
		<item>
		<title>Harvesting Information From GRC Data—The Promise of Business Intelligence Tools</title>
		<link>https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/</link>
					<comments>https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 01 Mar 2022 15:05:44 +0000</pubDate>
				<category><![CDATA[Audit Management]]></category>
		<category><![CDATA[Cyber Security Risk Management]]></category>
		<category><![CDATA[Enterprise Risk Management]]></category>
		<category><![CDATA[GRC Implementation Success]]></category>
		<category><![CDATA[TPRM]]></category>
		<category><![CDATA[embedded business intelligence]]></category>
		<category><![CDATA[GRC reports]]></category>
		<category><![CDATA[TPRM Software]]></category>
		<guid isPermaLink="false">https://www.doublechecksoftware.com/?p=2794</guid>

					<description><![CDATA[<p>Thirty-five years ago, my first article was published in a professional journal. It was the outgrowth of a talk I gave at a business conference on the use of computer generated graphical information reporting. In 1987 those technologies were in their infancy. Computerized business graphics, pie, line, and bar charts, generated using desktop systems and<a href="https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/">[...]</a></p>
<p>The post <a href="https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/">Harvesting Information From GRC Data—The Promise of Business Intelligence Tools</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></description>
										<content:encoded><![CDATA[<p>Thirty-five years ago, my first article was published in a professional journal. It was the outgrowth of a talk I gave at a business conference on the use of computer generated graphical information reporting. In 1987 those technologies were in their infancy. Computerized business graphics, pie, line, and bar charts, generated using desktop systems and output to paper, overheads, or slides were a big deal then. More sophisticated Gantt, Pert, and process flow charts sometimes required the power of mini computers and dedicated graphic terminals to produce reasonably professional looking results, for their time.</p>
<p>Today’s tools are dramatically more powerful, as are the portable systems on which they run. Beyond power, the diversity of data manipulation tools, visual display options, formats, presentation options of color, perspective, and style all capable of publication and distribution through multiple electronic means create limitless opportunity to create and present compelling representations of structured and unstructured data to managers and executives eager for reports on performance, profit, customer preferences, brand value, opportunity, and risk. And that brings us to a significant problem facing contemporary business leadership in the 21st century.</p>
<p>A triad of questions defines the problem:</p>
<p><strong><em>“Do you know what you need to know to effectively run your business?”</em></strong></p>
<p>coupled with</p>
<p><strong><em>“As a result of knowing _____, what action would you take?”</em></strong></p>
<p>The third question is one rarely asked by senior leadership, in my experience…</p>
<p><strong><em>“If you had answers to the first two questions, would your management team know what to do with the information?”</em></strong></p>
<p><span style="color: #3366ff;"><strong>A Data Feast Amidst Information Hunger</strong></span><br />We have plenty of facts and details about all sorts of macro and micro measures. The proliferation and transformation of business processes into digital methods has given rise to volumes of raw data businesses in the late 20th century could only dream of capturing, storing, and exploring. Risk data was far more subjective, unstructured and lacked the precision available today. The same was generally true for many other data categories covering operating, financial, customer, partner, regulatory and compliance data. Facts alone are often incomplete communicators. And while associations possible through data manipulation tools may be novel and “interesting”, they may not be actionable. For example, relating new customer location data with lunar phase data might create something interesting. But, “As a result of knowing this what action would you take?” We cannot manage the phase of the moon. Also, data presented in charts and graphs doesn’t always tell you something useful. Let’s look at a very simple instance and see how a small alteration can lead data down the road toward useful information.</p>
<p><img loading="lazy" decoding="async" class="size-medium wp-image-2806 alignleft" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3-159x300.png" alt="" width="159" height="300" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3-159x300.png 159w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3-544x1024.png 544w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3-80x150.png 80w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figures-1-2-3.png 624w" sizes="(max-width: 159px) 100vw, 159px" />Here’s a simple bar chart in figure 1. By itself it really doesn’t provide much more than a representation of a distribution of values. Perhaps that’s useful, but the measure of actionable information is nearly zero. Now, let’s add a “goal line” to figures 2 and 3, where values above the line represent clear success and those below represent opportunities and challenges that should be explored and addressed. Your results, areas for attention, and likely next steps vary greatly even between figures 2 and 3. These are very simplistic examples. Today’s graphical arrays are visually more sophisticated, and analytically often more complicated. The point is, the tool alone is not where the “intelligence” is expressed in Business Intelligence software. The intelligence comes from the interpretation and useful combination of data, which requires prerequisite understanding of what the data is, where it came from, how it was created, and when. While these examples are oversimplified, figures 2 &amp; 3 begin to offer some useful and actionable information by pointing out performance against a standard of expectation, leading to follow-up on what is working well, what is not, and what performance drivers may be adjusted to help marginal performance cases improve. Those answers may lead to changes in a variety of operating, policy, or process directions to correct performance concerns.</p>
<p>This is an example about one very simple metric, using a very simple graphical representation. Today’s business intelligence (BI) tools can do much more with much more complicated data. If you tracked every possible metric you could measure, and presented results this way, you’d overwhelm even the most knowledgeable stakeholder or leader. Knowing and applying context and conditional relationships helps narrow focus, support drill down detail where beneficial, and bring the real power of business intelligence tools to bear.</p>
<p><strong><span style="color: #3366ff;">What Do You Need To Know?</span></strong><br />The oft-cited, but very wrong, answer is “everything”! It’s just not functional, and you’d be buried in data points that told you nothing useful. Do you drive a car? Examine your dashboard. Where is the indicator for each cylinder’s compression ratio? Where is your brake pad temperature monitor? What?! You don’t know the precise volume of fuel remaining in milliliters and ounces? How are you possibly functioning? But you are. You have all the key performance and status indicators needed to operate and direct your car safely to your intended destination. You have transportation. If there were a problem, and your mechanic were to seek out some of these answers as part of a diagnostic exercise, that more concise and focused context brings in the need for different, and more specific, detail. You need to know when something is and isn’t working as intended and designed. When you learn of a problem, you need to inform your specialists with the information needed to diagnose the root cause, prescribe solutions, and test remediated functions. Go back to the questions at the start of this article to test the utility of the metrics you wish to gather. See how many pass successfully through questions 2 &amp; 3. Start with that subset.</p>
<p>You also need to know the key driving chains that influence the metrics you do monitor. This is a kind of technical perspective upon context. For each of your key performance indicators (KPIs) and key risk indicators (KRIs) you need to map out what business processes influence those measures, where the source data used to calculate each indicator is gathered, how often, where it’s stored, and how it’s validated. This is vital context that can provide actionable direction should an indicator’s value suddenly shift from expected norms.</p>
<p><span style="color: #3366ff;"><strong>So, Where Does BI Fit?</strong></span><br />Business Intelligence software is a tool. And, like any other tool, its value is in the thoughtful, careful application by its handler. BI software is really good at helping you explore data relationships. It works best when applied in conjunction with your own knowledge of how your business works. Often the relationships between data values and different metrics may be obvious, and some may offer new insights to how seemingly unrelated processes impact one another. Use these features to explore these unique key driving chains. They may reveal important metrics to incorporate onto your standard “dashboard” of key operating metrics.</p>
<p>There’s an implicit benefit here that may not be obvious. Data silos, created by and supporting dedicated systems for a specific discipline or purpose, may be present across your enterprise. One of the key features of a BI tool is its ability to aggregate, interpret, and represent data from a consolidated variety of sources. This is significant. Without this capability the potential to identify useful key driving chains, letting you identify and represent the most insightful KRIs and KPIs, would be seriously hampered. Embedding BI functionality within a platform that can collect and store data from a variety of disciplines or functions, such as an Enterprise Resource Planning (ERP) or an enterprise Integrated Risk Management (IRM) solution, can deliver significant value through its ability to provide a single, authoritative resource for decision data. Value is created in part through streamlined processes, enhanced efficiency, and simplified system management. Additionally, the ability to manage access, protect confidential data, provide vetted information, and efficiently publish business information through a consistent, reliable portal cannot be overestimated.</p>
<p>BI tools can offer insight into how clients and customers engage your business, help inventory managers fine-tune reorder horizons to minimize overstocks and stock-outs, and inform you of sales trends, client preferences, and campaign reactions far sooner than trailing periodic reporting. Having data and BI tools proximate helps polish efficiency in getting actionable information into managers’ and leadership’s hands sooner, so that your business runs with clear vision of the road before you.</p>
<p><strong><span style="color: #3366ff;">Visual Tools, Actionable Information</span></strong><br />Visual representation of data is a valuable characteristic of BI tools. We are a visual society. While there are some of us who relate best to columns and arrays of numbers or symbols, for the most part people relate to visual representations of data. Pictures over words. It’s a very powerful method for effectively communicating fact, concept, and relationships. Pictures often traverse the boundaries and nuances of words and speech. Pictograms and charts form an almost universal language of their own. Whether you are working with simple heat maps representing significant risk areas, or double-axis charts depicting client attributes and revenues, or more complex and sophisticated arrays, data visualization helps you highlight and pinpoint key messages and information. They are able to take large amounts of relatively complex data and create images that simplify and communicate actionable information messages your leadership can employ to manage your business and maximize its potential to achieve stated goals. Great visualizations are clear pictures of declarative statements. <img loading="lazy" decoding="async" class=" wp-image-2808 alignleft" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figure-4-300x294.png" alt="" width="176" height="172" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figure-4-300x294.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figure-4-150x147.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Figure-4.png 624w" sizes="(max-width: 176px) 100vw, 176px" />As a best practice, I recommend visuals be titled by a declarative remark stating exactly what the visual is illustrating. Figure 4 reuses our example from earlier in this article, but note the clarity the title now adds to the image from figure 3. There can be no doubt about the message, and it immediately leads to a discussion of what’s working so well so often, and why not in the one location with disappointing results. More sophisticated visuals can convey other relationships, changes over time, year-over-year comparisons, the driving chain influences implicit in your KPIs and KRIs, and more.</p>
<p><strong><span style="color: #3366ff;">BI Tools and Your GRC</span></strong><br />Your GRC is an integration platform that can host data about many different risk categories, including operational, financial, third party and cyber, to name a few. It’s also a place where regulatory and contractual obligations, compliance, and audit processes may be managed, and remediation specified, tracked and reported. This single-point repository for overall governance, risk, and compliance is a great place to house BI tools to explore the consolidated data, across these disciplines and actions, to help you identify, explore, analyze, and communicate current performance, key relationships, and potential opportunities to protect and enhance your overall performance. BI tools help you realize and maximize the value inherent within your consolidated data. Product and service performance, both current and predictive, are within its grasp. Likewise, critical risks, vulnerabilities and opportunities for leveraged remediation become clear. Potential third party issues, whether supply chain related or implicit in vulnerabilities they impose on your infrastructure, become visible. And so much more.</p>
<p>The investment in a GRC tool is enhanced and brought to maximum value in large part through the business questions it answers, the proactive vision it affords, and the informative support it provides leadership. Your BI tools are the glasses that clarify this world and sharpen your vision of your current state, with enhanced acuity to look towards the horizon and anticipate tomorrow.</p>
<p>About the Author:<br />Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.</p>
<p>&#8212;</p>
<p><span style="color: #3366ff;">Some observations from DoubleCheck Software on Business Intelligence tools:</span></p>
<p>It is critical to have flexibility and simple tools for extracting BI data from your GRC system into comprehensive, visually informative documents and slideware. Reports 1 &amp; 2 below demonstrate different ways to render information to Management, Board of Directors, and team members. Report 1 (Risk Dashboard) provides a snapshot of the entire Risk Register, including overall Risk Status, Risk Distribution via a Heat Map with drillable values, Risk Distribution over Time, and monetary Risk Impact over Time. Report 2 (Enterprise Risks) goes deeper and provides more specific Risk Details.</p>
<p>Report 1</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-2801" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-300x199.png" alt="" width="573" height="380" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-300x199.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-1024x678.png 1024w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-150x99.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-768x509.png 768w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-1536x1018.png 1536w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Dashboard-2048x1357.png 2048w" sizes="(max-width: 573px) 100vw, 573px" /></p>
<p>Report 2</p>
<p><img loading="lazy" decoding="async" class="alignnone  wp-image-2802" src="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-300x206.png" alt="" width="572" height="393" srcset="https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-300x206.png 300w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-1024x703.png 1024w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-150x103.png 150w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-768x528.png 768w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-1536x1055.png 1536w, https://www.doublechecksoftware.com/wp-content/uploads/2022/02/Risk-Heatmap-v2-2048x1407.png 2048w" sizes="(max-width: 572px) 100vw, 572px" /></p>


<p>The post <a href="https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/">Harvesting Information From GRC Data—The Promise of Business Intelligence Tools</a> first appeared on <a href="https://www.doublechecksoftware.com">DoubleCheck Software</a>.</p>]]></content:encoded>
					
					<wfw:commentRss>https://www.doublechecksoftware.com/harvesting-information-from-grc-data-the-promise-of-business-intelligence-tools/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2794</post-id>	</item>
	</channel>
</rss>
