Current Topics:

  • Risk Management and the Proliferation of ALL THINGS

    I’ve been hearing a lot about the Internet of Things (IoT) lately. In a modest definition, IoT is “a long term technology and market development based on the connection of everyday objects to the Internet.” This makes it sound relatively simple and unremarkable, but the transformative power and the potential benefits of this development cannot be overstated. Take this brief summary from a McKinsey report: “Pill-shaped microcameras already traverse the human digestive tract and send back thousands of images to pinpoint sources of illness. Precision farming equipment with wireless links to data collected from remote satellites and ground sensors can take into account crop conditions and adjust the way each individual part of a field is farmed—for instance, by spreading extra fertilizer on areas that need more nutrients. Billboards in Japan peer back at passersby, assessing how they fit consumer profiles, and instantly change

    Posted on: | Comments
    Submit a Comment
    RSS Feed
  • Compensation Incentives for Risk Management? Maybe

    In a recent FierceComplianceIT article, Editor-in-Chief Jim Kim suggests tying executive compensation to risk management progress. The idea caught my attention. As Jim notes, a significant challenge is tying compensation to clear objectives, which can be a somewhat subjective - or as he calls it - fuzzy process. By the same token, it’s probably not practical for boards and executive management to be overly prescriptive on the exact ways that risk management processes are conducted. For one, business line directors and managers often have a better understanding of the specific risks they face, and two, different types of risk are often measured differently. For example, a bank’s credit and market risk are measured very differently - typically in quantitative terms - than a bank’s operational risk, which may be measure

  • Webinar on The Eight Essential Elements of a Third-Party Anti-Corruption Program Sparks Interesting Discussions

    On June 19, 2013, Protiviti hosted “The Eight Essential Elements of a Third-Party Anti-Corruption Program,” a webinar featuring Chris McClean, Forrester Research principal analyst and research director, and Scott Moritz, Protiviti managing director and a former FBI special agent. The webinar was extremely well attended, which reflects growing concern over the increased enforcement of anti-corruption statutes, as well as the significant challenges companies face in building a successful third-party anti-corruption program that ensures compliance with the Foreign Corrupt Practices Act (FCPA).

    After reviewing the current trends and recent issues regarding third-party anti-corruption, Chris and Scott explored the “10 Hallmarks of an Effective Compliance Program” as described in “A Resour

  • Risk Assessment: Make It Faster and Easier (Part 2)

    In Part 1 of this post, I discussed the benefits of using an eGRC application to help you design your risk assessment procedures. In Part 2, I provide some key methodology considerations when using an eGRC platform such as the Protiviti Governance Portal.

    Define the areas to be assessed. Before creating or updating your risk assessment process, you must first define your universe or scope. The most common items to be assessed are IT applications, business processes and enterprise risks. As Scott Laliberte, a Protiviti managing director, mentions in a Dark Reading article, be careful not to take on more than your team can evaluate comfortably.

    Define who is involved in the

  • Protiviti Webinar, Featuring Guest Speaker Chris McClean of Forrester, to Detail the Essential Elements of Third-Party Anti-Corruption Programs

    On Wednesday, June 19, 2013, at 9:30 a.m. PDT/12:30 p.m. EDT, guest speaker Chris McClean, Forrester Research, Inc., principal analyst and research director; Scott Moritz, Protiviti managing director and a former FBI special agent; and I will deliver a free live webinar, “The Eight Essential Elements of a Third-Party Anti-Corruption Program.”

    In November of 2012, the Criminal Division of the U.S. Department of Justice, along with the Securities and Exchange Commission, jointly released “A Resource Guide to the Foreign Corrupt Practices Act.” The guide outlines 10 “Hallmarks of an Effective Compliance

  • Risk Assessment: Make It Faster and Easier (Part 1)

    While working with clients recently to enable their GRC initiatives, I have witnessed a positive trend. New technology is creating great opportunities to improve the GRC process, and more clients are benefitting from new eGRC tools like the Protiviti Governance Portal. Unfortunately, however, existing GRC processes and procedures sometimes limit the value of the enabling technology. Although risk assessment strategies necessarily vary based on industry, scope, and other factors, it is still possible for any organization to conduct an effective risk assessment by instituting some simple procedures and utilizing a quality eGRC application.

    First, embrace the basics.

    Typically a risk assessment methodology has four main components to help with the decision making process:

    1. Interviews with key personnel (e.g. site-level management or risk owners)
    2. Surveys (e.g. your risk assessment evaluation)

  • International Internal Audit Awareness Month

    Yes, May is International Internal Audit Awareness Month, and we encourage everyone to check out The Institute of Internal Auditors (IIA) website for information on the importance of the internal audit profession to audit customers, executive management and boards of directors.

    As the Protiviti 2013 Internal Audit Capabilities and Needs Survey reveals, while technology is a highly prized business enabler and catalyst, it often isn’t used as fully and effectively by internal audit departments. The goal of the internal audit function, according to an IIA whitepaper, is to help organizations achieve their goals

  • Couldn’t Have Said It Better – The Titanic as a GRC Lesson
    In “Titanic Held Up As a Study in Risk Management,” Ben DiPietro of the Wall Street Journal writes of Michael Rasmussen’s suggestion that risk and compliance executives who don’t fully understand their companies’ risks should take a lesson from the Titanic. Wow, what a perfect metaphor!
     
    Writes DiPietro: “Before making its first–and last–voyage, the builders of the Titanic failed to correct their design problems (use of poor-quality iron ore, rudders and an engine that was too small, not enough life boats for the passengers) and refused to heed warnings about the iceberg once it was at sea.” And Rasmussen comments: “There was an overconfidence in their strategy.”
     
  • Regulatory Compliance: It’s Time for Smarter Implementation
    Most companies we work with have accepted that the Dodd-Frank Act is here to stay and they must therefore make their compliance projects repeatable. As Ben Protess wrote in a DealBook article published in December 2012, “…last-ditch lobbying will not erase the unpleasant reality for Wall Street firms. Dodd-Frank is bearing down on them.”
     
    The article also quoted Gary Gensler, chairman of the Commodity Futures Trading Commission, which is writing derivatives trading rules under Dodd-Frank: “We’ve gone from a general law to the specific rules to the super-specific rollout.”
     
    But consider also that according to the March 2013 Dodd-Frank Progress Report, of the total of 398 required Dodd-Frank Act rulemakings, nearly one-third (129 rulemaking requirements) have not even been proposed. Further, 279 Dodd-Frank Act rulemaking requirement deadlines have passed, but 176 of these d
  • 2013 - Predictions!
    Yes, I know it’s only February, but when I think about this year, I’m as excited as I’ve ever been about our plans at Protiviti and the evolution of the GRC industry. We’re getting very positive feedback on the recent release of Protiviti Governance Portal 4.0, and of course we’re already hard at work on the next version, which is based on how we predict the market will evolve over the next year. Some of these predictions, which we’ve shared on Corporate Compliance Insights, include:
     
    • With new and complex regulations related to Dodd-Frank taking effect in 2013, many organizations must adopt new technologies in order to sustain their compliance efforts
    • More organizations will seek to integrate risk management with their business planning and corporate strategy efforts
    • Today’s risk management projects are creating corporate synergies that will eventually lead to the true convergence
  • Protiviti Governance Portal 4.0
    Great news: Protiviti Governance Portal 4.0 is out! You can read our press release here, but I’d like to provide some additional details about what we believe is a major milestone for Protiviti (and the GRC marketplace) that has been 10 years in the making. Our goal with the 4.0 release was to focus on helping businesses take the leap from simply deploying a database for risk and controls to successfully executing on their GRC strategy across the organization. This has always been the promise of GRC, and Protiviti Governance Portal Version 4.0 delivers on this promise in several ways.
     
    Your GRC
    Of the many enhancements in version 4.0, the most significant is what we’re calling “Your GRC,” which is based on an extensive set of options that enable business users to work in their own domains, such as enterprise performance and risk management, co
  • 2012 Governance Portal User Forum – Another Success!
    We recently wrapped up our 4th annual user conference in Chicago, IL. It was great to see so many clients together in one room. This forum was designed to provide our client community with the opportunity to:
     
    • Network with other users and learn how they use the Governance Portal
    • Meet the Protiviti Governance team and hear client case studies and specific best practices
    • Learn how to use the latest features of the Governance Portal
     
    While we continue to gather feedback, everyone we have spoken to so far has expressed satisfaction and interest in joining us again at next year’s event. We are extremely pleased by these responses.
     
    If you weren’t able to join us, here is a summary of the activities at the conference:
     
    Networking
    From the moment participants arrived, networking was encouraged. Breakfast was provided in a
  • Protiviti Positioned as “Challenger” in Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms
    I’m pleased to report that Protiviti has been named a “Challenger” by Gartner, Inc. in the “Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms” (French Caldwell and John Wheeler, October 4, 2012). This is an important step forward for the Protiviti Governance Portal, and we believe it confirms what our customers tell us about the steady maturation of our solution, especially in the areas of ease of implementation and use, and the ability to scale to new GRC domains as their programs evolve.
     
    We will build on this momentum by continuing to take a client-centric approach driven by their feedback and guided by our experts’ experience. While there are common threads that run through our clients’ implementations, they use it for many different GRC disciplines and even within a given dis
  • Governance Portal User Forum 2012

    It’s hard to believe it’s already time for our 2012 Governance Portal User Forum, which is taking place October 24 and 25 in Chicago. Last year’s successful event generated very consistent feedback: the Governance Portal User Forum provides attendees with a terrific opportunity to meet other Portal users, understand their various use cases and implementations, participate in a variety of training sessions, hear our strategic vision for the solution, learn about new functionality, and receive an introduction to — and provide feedback on — the upcoming Governance Portal Version 4.0. (And, you can even earn CPE credit by attending!)

     This
  • Software at Your Service

    Whether or not you work in the IT domain, by now you are probably familiar with the term ‘Software as a Service’ or SaaS for short. Software as a Service is generally defined as a software delivery model in which software and associated data are centrally hosted in the cloud. Many SaaS offerings deliver a product in a way that is similar to the type of service that you would get from a utility company like water or electricity rather than the type of service that you would receive from a nice restaurant or hotel. Sure, some aspects of a utility are desirable like the consistency and dependability that people take for granted because it’s ‘always on,’ and while that is a very important part of an effective SaaS offering, it’s not everything. In my experience the ‘service’ required in the GRC domain needs to be tailored to a compa

  • Tracking Changes that Impact Policies | Webinar Revisited
    I recently had the pleasure of participating alongside industry luminary Michael Rasmussen, Mason Karrer, and Joe LeBas in an OCEG-sponsored webinar titled “Tracking Changes that Impact Policies.” (Registration required)
  • Building Employee Awareness

    Over the years, especially since the passage of the Sarbanes-Oxley Act, it has struck me how basically honest people are. If they are aware of what they’re supposed to be doing, and especially if they certify that they are doing it, for the most part, you can trust they are doing it. It has also struck me, however, that large enterprises often lack effective communications, in large part due to over-reliance on email and loosely organized intranets filled with policies no one ever reads or updates. How many emails do you get per day? Are you able to read all of them? Do you find yourself just scanning those with a lot of meat to them because you just can’t get through it all? So is it really practical to think that just because you notify someone about an issue via email you can be sure

  • Dodd-Frank Act – Year Two

    A year ago, on the one-year anniversary of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“DFA”), I wrote about the uncertainty surrounding the law and the need for organizations to develop the flexibility and adaptability to implement and enforce whatever form the evolving law takes on. A year later, while there’s still plenty of uncertainty, regulated companies must now accept the reality that key portions of the law remain in effect and key compliance dates are fast approaching. In the meantime, Protiviti has been busy positioning its solutions to help companies deal with this reality as rapidly and effectively as possible.

  • Can SOX Provide Us With Insights Into Other Areas of GRC?

    Protiviti recently published its 2012 Sarbanes-Oxley Compliance Survey – Where U.S.-Listed Companies Stand: Reviewing Cost, Time, Effort and Processes. It’s our annual in-depth look at the many Sarbanes-Oxley (SOX) issues companies address, from costs and resources to achieving a stronger internal control environment and improved efficiency and effectiveness in operations. This year’s survey was designed to look back on lessons learned and ascertain the effects, both positive and negative, of the legislation.

    Survey respondents included chief audit executives, chief financial officer
  • Governance Risk and Compliance (GRC) 101: The Basic Building Blocks

    Working in the compliance software space, I see the term “GRC” used a lot.  Almost every client I work with uses the term, and almost every client I work with has a slightly different interpretation and application of what it means. This got me thinking, “What are the common elements of most GRC exercises?”

    Trying to break GRC down to its basic building blocks is akin to the old adage, “Ask 10 auditors a question and you’ll get 20 answers.” Interpretation and application of GRC varies across companies, industries, and even within a single organization.

     
  • Is Evolving Technology Making GRC Easier or Harder? Yes
    GRC is hard. It’s like shooting at a moving target but trickier really, because you can’t track how fast the target is moving and the capabilities of the gun keep changing. But even as we look to technology to make GRC easier, which it does, it also makes it harder.
     
    For example, social media and the consumerization of IT (e.g. relying on online back-up and archiving services) have made GRC activities more difficult by introducing new and difficult-to-track ways for information to leave the company and by creating potentially insecure information sto
  • Regulatory Updates: Are You Really Keeping Up?

    Companies in regulated industries face an uphill battle. In financial services, for example, Thomson Reuters reports that companies must account for an average of 60 regulatory updates per day. How can any company be expected to keep pace with that? 

     The overall challenges are extraordinary. First, a company must ensure that it has accounted for every type of regulation that applies to the business based on industry, products, countries of operation, regional and local requirements, etc.

  • Client Reflections and Complimentary Roadmap to Compliance Webinar – May 8th, 12:00 p.m. EDT

    As we prepare for tomorrow’s webinar, A Roadmap to Compliance, I’ve been reflecting upon our client experiences and lessons learned.

     All of these clients present unique challenges. Each has its own needs, requirements and approach to managing these complex activities. Yet, we find a common link across each. They find success in manageable increments. They find what works and adjust as they learn.
     
  • A Roadmap to Dodd Frank Compliance: Complimentary Webinar – May 8th, 12:00 p.m. EDT

    On May 8, 2012, from 12:00 to 1:00 p.m. EDT, Protiviti will present “A Roadmap to Compliance,” a complimentary webinar on the critical questions organizations ask on their journey toward compliance with the Dodd Frank Act.

     
    I will be co-presenting with my colleague and Protiviti Associate Director James Ensminger.
     
  • GRC: It’s Better to be Good than Lucky

    There is a saying that “it’s better to be lucky than good.” It seems, though, that those who are consistently lucky are probably good as well. They’re probably doing something inherently, even if subconsciously, that produces the desired result repeatedly. How does this apply to GRC? GRC isn’t something that companies do or don’t do. It is a discipline that is performed at varying levels of maturity across the organization. For many companies, sound governance, discipline and principles are infused throughout their enterprise based on organizational culture and tone.

    It strikes me that our industry often speak

  • Evolution of audit departments & technology

     As the Protiviti 2012 Internal Audit Capabilities and Needs Survey reveals, technology is a key business enabler and catalyst, offering tremendous opportunities and introducing new challenges. The value of an automated work paper application, for example, evolves over time, delivering moderate value during the initial small steps of getting started, then taking giant leaps in value as it becomes a fully integrated solution.

     
    Over the past dec
  • Protiviti’s IT Security and Privacy Policy Report at a Glance

    Protiviti recently released a report, The Current State of IT Security and Privacy Policies and Practices, about how organizations today are classifying and managing data on a daily basis.

     
    The report outlines varied percentages of data classification, preparation, planning, communication and training associated with data security policies and practices across organizations. Most of these variations across companies are likely
  • A Simpler Plan: An Extensible Entity Hierarchy

    While the main focus of version 3.12 of the Governance Portal was on simplifying existing functionality, we have also added some great new features.
     
    One that I’m particularly proud of is an extensible entity hierarchy that allows companies to manage multiple aspects of GRC from a central registry. The driving force behind the development of this feature is that larger enterprises have multiple objectives they are trying to achieve, often requiring unique structures and naming conventions. Our team has done a great job extending the entity hierarchy with a flexible, unlimited-depth framework that supports almost any GRC need. At the same time, we have consolidated the management of entities i
  • More Contributors, More Expertise, a Broader Discussion

    It’s only the end of February, but it’s already been an exciting year at Protiviti. We’ve released v3.13 of the Governance Portal, which will help our clients more seamlessly manage documentation, conduct confidential audits and analyze their data through more dynamic search interfaces. We’ve also kicked off our campaign to assist financial organizations with regulatory reform by initiating implementations of the Governance Portal with two systemically important financial institutions. We’re now heads down preparing for our mid-year 4.0 release. It’s going to significantly improve our clients’ IT organizations’ ability to offer GRC software as a solution to multiple risk, compliance and assurance related programs.  Another important development is the expansion of the GRC Tech Portal Blog.

  • Protiviti Named a “Strong Performer”

    Noting that Protiviti "offers a unique perspective in the enterprise GRC market with its strong consulting background, delivering especially impressive technical capabilities in risk and control management and audit management," Forrester Research named Protiviti a Strong Performer in "The Forrester Wave™: Enterprise Governance, Risk, and Compliance Platforms, Q4 2011" (November 30, 2011). You can view the full report on our website and read our press release here.

    We're particularly pleased that our surveyed client

  • Driving Strategy to Execution with ERM

    On Tuesday, December 7, Chris McClean of Forrester Research and I, along with my Protiviti colleague Michael McGarry, delivered Drive Strategy to Execution with Enterprise Risk Management, a webinar that provided a concrete roadmap for how ERM can help companies eliminate the disconnect between their strategy and their execution. I’d like to thank Chris for sharing his client experiences and providing insight into how technology tools can support ERM.

    During the webinar, we focused on ERM's role in strategy articulation and examined three tools (risk assessment, policy and risk tolerances) that can be used to drive strategy to execution. Over the course of the next few weeks, I'll provide some additional insight about each of these topics and respond to the many questions we receiv

  • Key Characteristics of an Integrated GRC Program

    Integrating GRC is about bringing people together to work towards common business goals. The biggest obstacles to integration are not the technical components but rather the organizational and cultural changes that need to take place. The end result? A concerted effort among process, knowledge, frameworks, content, and technology that enables businesses to become more agile and benefit from improved business performance over the longer term. Below are some of the key characteristics of a successfully integrated GRC program:

    • Adoption of Common Risk Language:
      In a previous blog post, I highlighted the importance of having a GRC culture in which the entire company, including legal, IT and business users embrace a single GRC vision that supports business goals. Adoption of a common risk language help
  • Enterprise Risk Management Complimentary Webinar– December 7th, 2:00 p.m. EST

    On December 7, 2011 Protiviti will present a complimentary webinar: "Drive Strategy to Execution with Enterprise Risk Management," that will discuss how the effective use of Enterprise Risk Management (ERM) can assist in developing the tools businesses need to define, challenge and execute overall strategy. Joining us as special guest speaker will be Forrester Research Senior Analyst Chris McClean.

    After a decade of high-profile business failures and a subsequent financial recession, companies are now placing higher importance on ERM, noting that effective implementation can better equip management with the tools to effectively execute on a broader business strategy. Webinar attendees will have the opportunity to hear Protiviti Director Michael McGarry and yours truly, along with Forrester’s Chris Mc

  • IT Risk Spending

    We've had a lot of discussions recently about how a variety of trends, such as an increasingly complex regulatory environment, big data, and financial loss from fraud, as well as highly publicized governance disasters, such as unauthorized trading, are driving an increased focus on risk management. Now we have some solid numbers to back this up. According to an ...[Read More]

  • Tips for A Successful Implementation

    Through the selection and implementation phases of the Governance Portal, clients often ask me “what are the risk factors” or “what should I be worried about.” Looking back at more than 400 implementations, our team has certainly learned some lessons and developed techniques for managing this process. Considering the continued interest in this topic, I thought I’d share some of our experiences through this forum, cataloged across the following categories:

    Allocate resources to a core project team:
    While we typically manage Governance Portal implementations on behalf of our clients, I cannot stress enough how
  • Fraud Awareness Week – November 6-12
    International Fraud Awareness Week, sponsored by the Association of Certified Fraud Examiners (ACFE), encourages businesses and employees to promote anti-fraud awareness and education. According to the ACFE, organizations lose an estimated five percent of their annual revenues to fraud. But even more important than this loss of revenue is the possibility that a successful fraud scheme can put your organization’s entire financial, operational and brand stability at risk.
  • Multiple Sources of Assurance
    Our team has just completed our second annual U.S. Governance Portal User Forum, held in Chicago last week. As in Europe, we had a great event with a lot of sharing, learning and discussions among the attendees. The participants were a diverse group – spanning multiple industries and varying in organization size. I found it interesting to see professionals mostly focused on a single GRC domain (e.g. financial controls management or internal audit) interacting with professionals tackling multi-domain GRC. Many of the professionals using our Governance Portal for only one purpose were pleasantly surprised to see how what they do for one set of risks can be applied relatively simply to another set of business challenges. On the other hand, teams tackling multi-domain GRC benefited from the experience of our clients that have
  • A GRC Culture

    In too many companies, there’s a major disconnect—sometimes even a subtle antagonism—between those charged with risk management and those working to reach top-line business goals. Both groups are working for the bottom-line good of the company, but it often seems they’re working at cross purposes, impeding each other’s progress.

     
    It doesn’t have to be this way. In fact, the more efficiently and consistently that risk management and compliance processes are integrated into the business, the better for both the top line and the bottom line.
     
    Writes Ben Cole, associate editor at SearchCompliance.com, in ...[Read More]
  • Assessment of Assessments…

    Having just hosted the European Governance Portal User Forum this week, I would like to share some excitement that occurred towards the end of the session when we discussed our 2012 roadmap. I was pleasantly surprised by the response to our upcoming refresh of the Governance Portal’s assessment engine. Don’t get me wrong, it’s going to be a great update, but assessments and surveys have always been part of our software, so the excitement expressed by a large percentage of the attendees prompted me to think about why. My assessment of the assessment response is that because they allow us to solve multiple GRC objectives, we have grown to rely on assessments for many reasons. Surveys, assessments and their wide application in GRC implementations help make us and our colleagues successful within multiple domains. They can help us set a tone, communic

  • GRC – From Strategy to Execution
    In our industry, we’ve seen all too often, the repercussions of what can happen if companies don’t execute an optimized enterprise-wide GRC strategy. Recently, the UBS unauthorized trading case garnered widespread attention, highlighting and reminding us of the importance of not only having an enterprise-wide risk and compliance program that looks and sounds good on paper, but also having the technology tools in place for enforcement. In his InformationWeek article, author Mathew J. Schwartz cites how the financial services industry still has more work to do with GRC, noting, “But too many businesses may not be taking a crucial next step, from not just having policies, but also the correct tools in place to automate and enforce them.” While people talk a lot more about GRC these days, the integration of GRC into daily business p
  • GRC and the Theory of Everything
    I was speaking with a prospective buyer of GRC technology the other day. She had heard of the term “GRC,” and given its rather broad acronym, thought it might be a good fit for the problem she was looking to solve. Of course, being a GRC vendor, my first inclination was an emphatic, “OF COURSE IT’S A GOOD FIT!” However, there was one of those conscientious angels hovering around my left ear whispering, “This is not really a good fit. She needs something else.”
     
    The issue she was looking to resolve in her company related specifically to the analysis of contract terms acr
  • ERM Gains Strategy Chops

    ERM hasn’t always been seen as a strategic cornerstone of business success, but I believe that perception is changing in a fundamental way. We have witnessed companies underperform vis-à-vis the promise of their business strategies because they don’t fully understand the inherent risks in a strategy, or they lack the ability to effectively track the execution of that strategy. In either case, ERM can help.

     

    When it comes to understanding the risks in a strategy, ERM can create a framework that helps management articulate, agree on, and communicate the company’s “risk appetite,” that is, the limits of what a company is willing to do in pursuit of its strategies. Doing this

  • Integrated Remediation and Audit Management

    Remediation and audit activities in GRC systems have emerged as central components that align work effort across all GRC stakeholders. [FYI: Protiviti’s recent edition of Internal Auditing Around the World, Vol. VII, looks at strategies for critical integration of internal audit and risk management and addresses some of the elements in this blog post.]

     

    After the first round of silo financial control management and risk management implementations, most GRC system clients are now looking t

  • ERM: From Strategy to Execution

    Compliance Week magazine has just released an eBook that contains various articles about the hot topic of ERM, titled ERM: Expanding Your Compliance and Risk Management Efforts Into Successful, Enterprise-Wide Programs. The eBook includes several compelling articles, including “ERM: From Strategy to Execution” written by yours truly (Scott Wisniewski) and my colleague Michael McGarry, a director within Protiviti’s Risk and Compliance practice and the firm’s Early Mover Center of Excellence. The eBook is complimentary; you just need to register to download it. (In the spirit of full disclosure, Protiviti is a pro

  • Breaking Down Your Risk and Compliance Silos for a More Effective Program

    Forrester defines GRC generally as “a coordinated set of functions that support strategic decisions and actions to maximize business performance within acceptable risk thresholds and increased control.” It’s a mouthful, but clear after careful reading: it’s the policies and procedures a business sets up to try to ensure it can perform optimally given its appetite for risk.


    Because the “coordinated set of functions” for GRC must be coordinated among the varied risk and compliance silos—strategic, financial, operational, regulatory, IT, legal— organizations are adopting “integrated GRC” as the means to increase transparency into all these areas of risk and thereby create a unified program that allows resources and knowledge to be shared efficiently in order to m
  • GRC for Data Governance & Management
    It’s evident that data is growing exponentially in volume and complexity. In fact, as Benjamin Woo, IDC U.S. vice-president of storage and Big Data analyst, notes, “In 10 years we are going to grow that data amount 44 times to 35 zettabytes by 2020 and almost 50 per cent of new data generated will be in the Cloud within 10 years, which means someone else is going to be touching your information along the way.” While I wasn’t able to attend Woo’s presentation at the Implementing Information Infrastructure Symposium (IIIS) in Sydney earlier in the month, journalist Hamish Barwick captured some interesting highlights in his story posted on Computerworld.com.
     
    So how does GRC fit in this amorphous mass
  • Policy Management – Living Documents or Collecting Dust?

    ​Analysts from Gartner and Forrester have incorporated the concept of policy (or broader content) management into their reviews of GRC platforms, and industry pundits have recently blogged about policy management. In particular, Michael Rasmussen has written insightful commentary on many of the issues organizations face with policies as well as the requirements of a good policy management system. 


    With an increased focus on this topic, and a fair amount of writing related to the associated problems with policy management, it is reasonable to ask why policies are important in the first place. It may seem intuitive that a company should have good policy management, but if it’s a big costly hassle, then why bother to do it? Management of external regulations is an obvious
  • Dodd-Frank Act – One Year Later

    The uncertainty around the Dodd-Frank Wall Street Reform and Consumer Protection Act (“DFA”) leads to an ironic certainty for enterprises: they must have the flexibility and adaptability to implement and enforce whatever comes out of the evolution of DFA.

     

    This uncertainty has several causes. The first is that regulators have missed deadlines associated with the implementation of DFA, which is the result of the scope and complexity of legislation that includes more than 1,000 pages of text and, according to the U.S. Chamber of Commerce, requires regulatory agencies to enact 350 rules, conduct 47 studies, and issue 74 reports. As of the

  • Welcome to the GRC Tech Portal Blog!

    We're kicking off our new GRC technology-focused blog to provide industry insiders who deal with governance issues on a daily basis with insights gleaned from our GRC experience. Technology is often where concept meets reality. Our goal is to introduce perspectives that distill market-relevant topics and ideas into practical applications. GRC encompasses a broad set of business activities, so keeping things simple may be a challenge, but we're going to try. For larger organizations, GRC management involves multiple departments with multiple areas of expertise trying to balance the execution of business strategy and improving operational performance against managing risk. GRC management should also increase transparency and control within organizations even as they strive for greater agility in the face of mounting pressures—pressures from financial instability, globaliza


  About the GRC Tech Portal Blog

The GRC Tech Portal Blog – a window into all things related to using technology to manage governance, risk and compliance.
 

  Have a Suggestion for a Topic?

If you have a topic that you would like to add to the conversation or feedback on the topics under consideration, please share it with us.
