Couldn’t Have Said It Better – The Titanic as a GRC Lesson
Writes DiPietro: “Before making its first–and last–voyage, the builders of the Titanic failed to correct their design problems (use of poor-quality iron ore, rudders and an engine that was too small, not enough life boats for the passengers) and refused to heed warnings about the iceberg once it was at sea.” And Rasmussen comments: “There was an overconfidence in their strategy.”
Posted on: 4/25/2013

Regulatory Compliance: It’s Time for Smarter Implementation
Most companies we work with have accepted that the Dodd-Frank Act is here to stay and they must therefore make their compliance projects repeatable. As Ben Protess wrote in a DealBook article published in December 2012, “…last-ditch lobbying will not erase the unpleasant reality for Wall Street firms. Dodd-Frank is bearing down on them.”
The article also quoted Gary Gensler, chairman of the Commodity Futures Trading Commission, which is writing derivatives trading rules under Dodd-Frank: “We’ve gone from a general law to the specific rules to the super-specific rollout.”
But consider also that according to the March 2013 Dodd-Frank Progress Report, of the total of 398 required Dodd-Frank Act rulemakings, nearly one-third (129 rulemaking requirements) have not even been proposed. Further, 279 Dodd-Frank Act rulemaking requirement deadlines have passed, but 176 of these d
Posted on: 4/18/2013

2013 - Predictions!
Yes, I know it’s only February, but when I think about this year, I’m as excited as I’ve ever been about our plans at Protiviti and the evolution of the GRC industry. We’re getting very positive feedback on the recent release of Protiviti Governance Portal 4.0, and of course we’re already hard at work on the next version, which is based on how we predict the market will evolve over the next year. Some of these predictions, which we’ve shared on Corporate Compliance Insights, include:
• With new and complex regulations related to Dodd-Frank taking effect in 2013, many organizations must adopt new technologies in order to sustain their compliance efforts
• More organizations will seek to integrate risk management with their business planning and corporate strategy efforts
• Today’s risk management projects are creating corporate synergies that will eventually lead to the true convergence
Posted on: 2/19/2013

Protiviti Governance Portal 4.0
Great news: Protiviti Governance Portal 4.0 is out! You can read our press release here, but I’d like to provide some additional details about what we believe is a major milestone for Protiviti (and the GRC marketplace) that has been 10 years in the making. Our goal with the 4.0 release was to focus on helping businesses take the leap from simply deploying a database for risk and controls to successfully executing on their GRC strategy across the organization. This has always been the promise of GRC, and Protiviti Governance Portal Version 4.0 delivers on this promise in several ways.
Your GRC
Of the many enhancements in version 4.0, the most significant is what we’re calling “Your GRC,” which is based on an extensive set of options that enable business users to work in their own domains, such as enterprise performance and risk management, co
Posted on: 12/13/2012

2012 Governance Portal User Forum – Another Success!
We recently wrapped up our 4th annual user conference in Chicago, IL. It was great to see so many clients together in one room. This forum was designed to provide our client community with the opportunity to:
• Network with other users and learn how they use the Governance Portal
• Meet the Protiviti Governance team and hear client case studies and specific best practices
• Learn how to use the latest features of the Governance Portal
While we continue to gather feedback, everyone we have spoken to so far has expressed satisfaction and interest in joining us again at next year’s event. We are extremely pleased by these responses.
If you weren’t able to join us, here is a summary of the activities at the conference:
Networking
From the moment participants arrived, networking was encouraged. Breakfast was provided in a
Posted on: 11/19/2012

Governance Portal User Forum 2012
It’s hard to believe it’s already time for our 2012 Governance Portal User Forum, which is taking place October 24 and 25 in Chicago. Last year’s successful event generated very consistent feedback: the Governance Portal User Forum provides attendees with a terrific opportunity to meet other Portal users, understand their various use cases and implementations, participate in a variety of training sessions, hear our strategic vision for the solution, learn about new functionality, and receive an introduction to — and provide feedback on — the upcoming Governance Portal Version 4.0. (And, you can even earn CPE credit by attending!)
This
Posted on: 10/24/2012

Software at Your Service
Whether or not you work in the IT domain, by now you are probably familiar with the term ‘Software as a Service’ or SaaS for short. Software as a Service is generally defined as a software delivery model in which software and associated data are centrally hosted in the cloud. Many SaaS offerings deliver a product in a way that is similar to the type of service that you would get from a utility company like water or electricity rather than the type of service that you would receive from a nice restaurant or hotel. Sure, some aspects of a utility are desirable like the consistency and dependability that people take for granted because it’s ‘always on,’ and while that is a very important part of an effective SaaS offering, it’s not everything. In my experience the ‘service’ required in the GRC domain needs to be tailored to a compa
Posted on: 9/24/2012

Building Employee Awareness
Over the years, especially since the passage of the Sarbanes-Oxley Act, it has struck me how basically honest people are. If they are aware of what they’re supposed to be doing, and especially if they certify that they are doing it, for the most part, you can trust they are doing it. It has also struck me, however, that large enterprises often lack effective communications, in large part due to over-reliance on email and loosely organized intranets filled with policies no one ever reads or updates. How many emails do you get per day? Are you able to read all of them? Do you find yourself just scanning those with a lot of meat to them because you just can’t get through it all? So is it really practical to think that just because you notify someone about an issue via email you can be sure
Posted on: 8/16/2012

Dodd-Frank Act – Year Two
A year ago, on the one-year anniversary of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“DFA”), I wrote about the uncertainty surrounding the law and the need for organizations to develop the flexibility and adaptability to implement and enforce whatever form the evolving law takes on. A year later, while there’s still plenty of uncertainty, regulated companies must now accept the reality that key portions of the law remain in effect and key compliance dates are fast approaching. In the meantime, Protiviti has been busy positioning its solutions to help companies deal with this reality as rapidly and effectively as possible.
Posted on: 7/23/2012

Governance Risk and Compliance (GRC) 101: The Basic Building Blocks
Working in the compliance software space, I see the term “GRC” used a lot. Almost every client I work with uses the term, and almost every client I work with has a slightly different interpretation and application of what it means. This got me thinking, “What are the common elements of most GRC exercises?”
Trying to break GRC down to its basic building blocks is akin to the old adage, “Ask 10 auditors a question and you’ll get 20 answers.” Interpretation and application of GRC varies across companies, industries, and even within a single organization.
Posted on: 6/12/2012

Is Evolving Technology Making GRC Easier or Harder? Yes
GRC is hard. It’s like shooting at a moving target but trickier really, because you can’t track how fast the target is moving and the capabilities of the gun keep changing. But even as we look to technology to make GRC easier, which it does, it also makes it harder.
For example, social media and the consumerization of IT (e.g. relying on online back-up and archiving services) have made GRC activities more difficult by introducing new and difficult-to-track ways for information to leave the company and by creating potentially insecure information sto
Posted on: 5/31/2012

Regulatory Updates: Are You Really Keeping Up?
Companies in regulated industries face an uphill battle. In financial services, for example, Thomson Reuters reports that companies must account for an average of 60 regulatory updates per day. How can any company be expected to keep pace with that?
The overall challenges are extraordinary. First, a company must ensure that it has accounted for every type of regulation that applies to the business based on industry, products, countries of operation, regional and local requirements, etc.
Posted on: 5/17/2012

GRC: It’s Better to be Good than Lucky
There is a saying that “it’s better to be lucky than good.” It seems, though, that those who are consistently lucky are probably good as well. They’re probably doing something inherently, even if subconsciously, that produces the desired result repeatedly. How does this apply to GRC? GRC isn’t something that companies do or don’t do. It is a discipline that is performed at varying levels of maturity across the organization. For many companies, sound governance, discipline and principles are infused throughout their enterprise based on organizational culture and tone.
It strikes me that our industry often speak
Posted on: 4/20/2012

A Simpler Plan: An Extensible Entity Hierarchy
While the main focus of version 3.12 of the Governance Portal was on simplifying existing functionality, we have also added some great new features.
One that I’m particularly proud of is an extensible entity hierarchy that allows companies to manage multiple aspects of GRC from a central registry. The driving force behind the development of this feature is that larger enterprises have multiple objectives they are trying to achieve, often requiring unique structures and naming conventions. Our team has done a great job extending the entity hierarchy with a flexible, unlimited-depth framework that supports almost any GRC need. At the same time, we have consolidated the management of entities i
Posted on: 3/8/2012

More Contributors, More Expertise, a Broader Discussion
It’s only the end of February, but it’s already been an exciting year at Protiviti. We’ve released v3.13 of the Governance Portal, which will help our clients more seamlessly manage documentation, conduct confidential audits and analyze their data through more dynamic search interfaces. We’ve also kicked off our campaign to assist financial organizations with regulatory reform by initiating implementations of the Governance Portal with two systemically important financial institutions. We’re now heads down preparing for our mid-year 4.0 release. It’s going to significantly improve our clients’ IT organizations’ ability to offer GRC software as a solution to multiple risk, compliance and assurance related programs. Another important development is the expansion of the GRC Tech Portal Blog.
Posted on: 2/29/2012

Driving Strategy to Execution with ERM
On Tuesday, December 7, Chris McClean of Forrester Research and I, along with my Protiviti colleague Michael McGarry, delivered Drive Strategy to Execution with Enterprise Risk Management, a webinar that provided a concrete roadmap for how ERM can help companies eliminate the disconnect between their strategy and their execution. I’d like to thank Chris for sharing his client experiences and providing insight into how technology tools can support ERM.
During the webinar, we focused on ERM's role in strategy articulation and examined three tools (risk assessment, policy and risk tolerances) that can be used to drive strategy to execution. Over the course of the next few weeks, I'll provide some additional insight about each of these topics and respond to the many questions we receiv
Posted on: 12/22/2011

Key Characteristics of an Integrated GRC Program
Integrating GRC is about bringing people together to work towards common business goals. The biggest obstacles to integration are not the technical components but rather the organizational and cultural changes that need to take place. The end result? A concerted effort among process, knowledge, frameworks, content, and technology that enables businesses to become more agile and benefit from improved business performance over the longer term. Below are some of the key characteristics of a successfully integrated GRC program:
- Adoption of Common Risk Language:
In a previous blog post, I highlighted the importance of having a GRC culture in which the entire company, including legal, IT and business users embrace a single GRC vision that supports business goals. Adoption of a common risk language help
Posted on: 12/7/2011

Tips for A Successful Implementation
Through the selection and implementation phases of the Governance Portal, clients often ask me “what are the risk factors” or “what should I be worried about.” Looking back at more than 400 implementations, our team has certainly learned some lessons and developed techniques for managing this process. Considering the continued interest in this topic, I thought I’d share some of our experiences through this forum, cataloged across the following categories:
Allocate resources to a core project team: While we typically manage Governance Portal implementations on behalf of our clients, I cannot stress enough how
Posted on: 11/17/2011

Multiple Sources of Assurance
Our team has just completed our second annual U.S. Governance Portal User Forum, held in Chicago last week. As in Europe, we had a great event with a lot of sharing, learning and discussions among the attendees. The participants were a diverse group – spanning multiple industries and varying in organization size. I found it interesting to see professionals mostly focused on a single GRC domain (e.g. financial controls management or internal audit) interacting with professionals tackling multi-domain GRC. Many of the professionals using our Governance Portal for only one purpose were pleasantly surprised to see how what they do for one set of risks can be applied relatively simply to another set of business challenges. On the other hand, teams tackling multi-domain GRC benefited from the experience of our clients that have
Posted on: 11/4/2011

A GRC Culture
In too many companies, there’s a major disconnect—sometimes even a subtle antagonism—between those charged with risk management and those working to reach top-line business goals. Both groups are working for the bottom-line good of the company, but it often seems they’re working at cross purposes, impeding each other’s progress.
It doesn’t have to be this way. In fact, the more efficiently and consistently that risk management and compliance processes are integrated into the business, the better for both the top line and the bottom line.
Writes Ben Cole, associate editor at SearchCompliance.com, in
Posted on: 10/18/2011

Assessment of Assessments…
Having just hosted the European Governance Portal User Forum this week, I would like to share some excitement that occurred towards the end of the session when we discussed our 2012 roadmap. I was pleasantly surprised by the response to our upcoming refresh of the Governance Portal’s assessment engine. Don’t get me wrong, it’s going to be a great update, but assessments and surveys have always been part of our software, so the excitement expressed by a large percentage of the attendees prompted me to think about why. My assessment of the assessment response is that because they allow us to solve multiple GRC objectives, we have grown to rely on assessments for many reasons. Surveys, assessments and their wide application in GRC implementations help make us and our colleagues successful within multiple domains. They can help us set a tone, communic
Posted on: 10/7/2011

GRC – From Strategy to Execution
In our industry, we’ve seen all too often the repercussions of what can happen if companies don’t execute an optimized enterprise-wide GRC strategy. Recently, the UBS unauthorized trading case garnered widespread attention, highlighting and reminding us of the importance of not only having an enterprise-wide risk and compliance program that looks and sounds good on paper, but also having the technology tools in place for enforcement. In his InformationWeek article, author Mathew J. Schwartz cites how the financial services industry still has more work to do with GRC, noting, “But too many businesses may not be taking a crucial next step, from not just having policies, but also the correct tools in place to automate and enforce them.” While people talk a lot more about GRC these days, the integration of GRC into daily business p
Posted on: 9/30/2011

GRC and the Theory of Everything
I was speaking with a prospective buyer of GRC technology the other day. She had heard of the term “GRC,” and given its rather broad acronym, thought it might be a good fit for the problem she was looking to solve. Of course, being a GRC vendor, my first inclination was an emphatic, “OF COURSE IT’S A GOOD FIT!” However, there was one of those conscientious angels hovering around my left ear whispering, “This is not really a good fit. She needs something else.”
The issue she was looking to resolve in her company related specifically to the analysis of contract terms acr
Posted on: 9/25/2011

ERM Gains Strategy Chops
ERM hasn’t always been seen as a strategic cornerstone of business success, but I believe that perception is changing in a fundamental way. We have witnessed companies underperform vis-à-vis the promise of their business strategies because they don’t fully understand the inherent risks in a strategy, or they lack the ability to effectively track the execution of that strategy. In either case, ERM can help.
When it comes to understanding the risks in a strategy, ERM can create a framework that helps management articulate, agree on, and communicate the company’s “risk appetite,” that is, the limits of what a company is willing to do in pursuit of its strategies. Doing this
Posted on: 9/16/2011

Breaking Down Your Risk and Compliance Silos for a More Effective Program
Forrester defines GRC generally as “a coordinated set of functions that support strategic decisions and actions to maximize business performance within acceptable risk thresholds and increased control.” It’s a mouthful but clear after careful reading. It’s the policies and procedures a business sets up to try to ensure it can perform optimally given its appetite for risk.
Because the “coordinated set of functions” for GRC must be coordinated among the varied risk and compliance silos—strategic, financial, operational, regulatory, IT, legal— organizations are adopting “integrated GRC” as the means to increase transparency into all these areas of risk and thereby create a unified program that allows resources and knowledge to be shared efficiently in order to m
Posted on: 8/30/2011

GRC for Data Governance & Management
It’s evident that data is growing exponentially in volume and complexity; in fact, as IDC U.S. vice-president of storage and Big Data analyst, Benjamin Woo notes, “In 10 years we are going to grow that data amount 44 times to 35 zettabytes by 2020 and almost 50 per cent of new data generated will be in the Cloud within 10 years, which means someone else is going to be touching your information along the way.” While I wasn’t able to attend Woo’s presentation at the Implementing Information Infrastructure Symposium (IIIS) in Sydney earlier in the month, journalist Harnish Barwick captured some interesting highlights in his story posted on Computerworld.com.
So how does GRC fit in this amorphous mass
Posted on: 8/15/2011

Policy Management – Living Documents or Collecting Dust?
Analysts from Gartner and Forrester have incorporated the concept of policy (or broader content) management into their reviews of GRC platforms, and industry pundits have recently blogged about policy management. In particular, Michael Rasmussen has written insightful commentary on many of the issues organizations face with policies as well as the requirements of a good policy management system.
With an increased focus on this topic, and a fair amount of writing related to the associated problems with policy management, it is reasonable to ask why policies are important in the first place. It may seem intuitive that a company should have good policy management, but if it’s a big costly hassle, then why bother to do it? Management of external regulations is an obvious
Posted on: 8/5/2011

Dodd-Frank Act – One Year Later
The uncertainty around the Dodd-Frank Wall Street Reform and Consumer Protection Act (“DFA”) leads to an ironic certainty for enterprises: they must have the flexibility and adaptability to implement and enforce whatever comes out of the evolution of DFA.
This uncertainty has several causes. The first is that regulators have missed deadlines associated with the implementation of DFA, which is the result of the scope and complexity of legislation that includes more than 1,000 pages of text and, according to the U.S. Chamber of Commerce, requires regulatory agencies to enact 350 rules, conduct 47 studies, and issue 74 reports. As of the
Posted on: 7/28/2011

Welcome to the GRC Tech Portal Blog!
We're kicking off our new GRC technology-focused blog to provide industry insiders who deal with governance issues on a daily basis with insights gleaned from our GRC experience. Technology is often where concept meets reality. Our goal is to introduce perspectives that distill market-relevant topics and ideas into practical applications. GRC encompasses a broad set of business activities, so keeping things simple may be a challenge, but we're going to try. For larger organizations, GRC management involves multiple departments with multiple areas of expertise trying to balance the execution of business strategy and improving operational performance against managing risk. GRC management should also increase transparency and control within organizations even as they strive for greater agility in the face of mounting pressures—pressures from financial instability, globaliza
Posted on: 7/22/2011

About the GRC Tech Portal Blog
The GRC Tech Portal Blog – a window into all things related to using technology to manage governance, risk and compliance.

Blog topics: Fraud, GRC, Internal Audit, Risk Management, Dodd-Frank Act, Regulatory Reform, Regulatory Intelligence, Financial Services, Policy Management, Enterprise Risk Management, Governance Portal, Compliance, Security, Audit, Sarbanes-Oxley, Regulatory Compliance, Big Data, Gartner Magic Quadrant, EGRC, User Forum, Your GRC