http://www.polivec.com/index.php/blog The GRC Journal is the company blog for Polivec.com en contact@polivec.com Copyright 2008 2008-01-21T23:44:01-08:00 http://www.polivec.com/index.php/blog/post/reasons_why_good_governance_is_hard_to_implement_and_how_to_overcome_them_2/ http://www.polivec.com/index.php/blog/post/reasons_why_good_governance_is_hard_to_implement_and_how_to_overcome_them_2/#When:23:44:01Z Our VP of Pro Services, Robert Freedman, offers the next and final three reasons why good governance is hard to implement and how to overcome them.  You can read the first part of this blog entry by clicking here. Here's Robert starting with Reason number 3: 3)      Make governance data a corporate asset: there’s a lot of conversation about reducing redundant work between different compliance teams supporting different initiatives, but it rarely happens.  Why?  Because when a new regulation or corporate objective pops up, it’s often easier for the owner of that initiative to operate in a silo and just get the job done.  We’ve all been there.  But, see point 2 – if you build the index the right way, there’s at least a foundation for the owner of a new initiative to start with.  And that subsequent initiative owner should be incented to use that foundation and add to it – whether that’s through a bonus for not creating new data and content or a penalty for redundancy.  The situation is really not that different from where things were in the 70s and 80s with regard to financial data: it took weeks to close the financials in a large corporation because all of the subledgers came in on a combination of spreadsheets and incompatible system outputs.  Clearly, no company would stand for that today, yet the situation is being repeated in the realm of corporate governance, arguably one of the most difficult reporting areas facing companies today.  4)      Decentralize the effort: so you’ve got one owner, a foundation to start with and the right plan for leveraging what you’ve already done – by all means DO involve others throughout the organization, but don’t waste their time.  Good governance is a corporate-wide initiative and 99.99% of people in organizations want to behave in the right way.  There’s the argument that even with SOX, ERM and other frameworks, an Enron could still happen.  Absolutely true, but more true is that while most people don’t love their jobs, they like what their jobs provide (paycheck, fulfillment, etc.) and don’t want to see that go away.  So they’ll participate willingly if you involve them in the right way.  Make it easy for them to respond to surveys or provide testing evidence or report incidents.  Make it easy for them to get information they need to show compliance at their level.  Some organizations have put in place compliance goals, objectives and measurements similar to quality control metrics.  These help individuals at all levels to stay focused on what’s critical to the organization and participate in the process.  5)      Don’t do too much: finally, I can’t recall the number of times I’ve heard an auditor say that a company did too much, but contrary to what you might think, it’s been a lot.  Not only that, but the too much in some ways can actually put the company at risk by highlighting problems that don’t actually exist.  Most companies are pretty well run.  Sure, people will cut corners, but they generally want to do their jobs the right way.  So spending extra hours over-documenting that people are doing what they are supposed to be doing is counterproductive and leaves a bad taste in everyone’s mouth.  Sure, auditors are enjoying a heyday right now, but the most effective auditors are not interested in padding their bills by reviewing reams of irrelevant evidence supporting a conclusion that could have been gotten to with 10% of the evidence provided.  Essentially, companies throw up their hands and say, “we don’t know what the heck we need to provide for this regulation, so here are a hundred boxes of data Mr. and Ms. Auditor: you figure it out.”  Or you get the well-meaning department head who makes good governance a crusade, and, again, you wind up with a hundred boxes to sift through instead of ten.  And some hefty bills.  And a disgruntled, over-documented staff who can’t keep track of this week’s policy and procedure updates and whether or not they’ve filled out their TPS reports correctly.  Governance is not easy, but the effort can be simplified and leveraged to build a much more effective organization.  So, while I don’t want to over-emphasize the approach that VP of Audit took a few years back, since a binder and some spreadsheets probably won’t work these days, I do want to remind you that common sense does prevail in governance as in anything, and companies that do a few key things to organize their governance effort are going to have a much easier time adjusting to—and taking advantage of—this new well-governed world as it continues to evolve. - Robert Freedman General 2008-01-21T23:44:01-08:00 http://www.polivec.com/index.php/blog/post/reasons_why_good_governance_is_hard_to_implement_and_how_to_overcome_them_1/ http://www.polivec.com/index.php/blog/post/reasons_why_good_governance_is_hard_to_implement_and_how_to_overcome_them_1/#When:05:23:00Z I'm back (it's me, Tom Grubb—keeper of this blog) after a long break, ready to start anew for the new year. Well, not exactly. Our VP of Pro Services, Robert Freedman, is stepping up to the plate for our first blog entry for 2008. Take it away Robert... As Polivec continues to evolve our methodology around helping companies to “simplify GRC,” I’ve been thinking a lot lately about what it really takes to put in place a good governance program, and I keep thinking back to a VP of Internal Audit at a $1B company I met a few years ago.  He owned regulatory compliance, including SOX, and he shared with me how he was managing the effort.  He had a single binder, and in that binder was a tab for every section of SOX – the big sections that mattered and the smaller sections that needed to be acknowledged but not much else needed to be done.  Within each section, he had all of the appropriate work paper templates, references to findings, etc., that he needed to present to show adherence to and sign-off on that section.  It was a big binder, and since it was SOX Year 1, I suspect that if were still using a binder, it’s grown to a bunch of binders (he’s not using a binder anymore).  But what struck me the most was the simplicity with which he approached the process and how right-on he was.    Today, in a multi-billion dollar corporation, with thousands of individuals whose efforts touch on and are touched by governance activities, and thousands of regulatory and corporate requirements to be aware of and adhere to, a big binder obviously won’t work, but there are some take-aways that do apply to any governance program in any size organization and I wanted to share those: 1)      One neck to choke: someone needs to own this thing—and it can’t be an external consultant.  It must be someone inside the organization.  He or she can and should have advisors from both inside and outside, but one person needs to feel that he or she understands the requirements and implications of each and every governance initiative under their purview.  If one person can’t do it, then the task needs to be split into “ownable” component parts.  Maybe that split is by regulation or by set of regulations.  Maybe that split is by task – e.g. corporate-wide compliance testing falls under one person’s purview while corporate-wide policy distribution and awareness, or self-assessment falls under another.  But make sure that if you’ve componentized the effort, all sub-leaders roll up to one leader.  It may be a dotted line relationship, but that one leader needs the authority to enforce timelines, resource commitments, disciplinary action, etc. – all the responsibilities and capabilities a manager should have.  2)      Be the index not the author: with one guy and a binder, that VP Audit wasn’t going to reinvent the wheel and single-handedly document all of SOX in the timeframe that he was working under (this was back in the uncertainty of the early days).  Instead, he understood that the information he needed was spread throughout the organization and might need to be tuned up a little, but if he indexed it in the right way, he would be fine.  Essentially, his binder was full of pointers to sources throughout the organization for the regulatory paperwork, risk matrices, policy and procedure documents, testing evidence, back-office system data logs, spreadsheets, flow charts, etc. that supported his conclusions.  He in effect became the quality control person for the organization’s content and data related to governance.  I'll have more to say about this in Part 2 of this blog entry—stay tuned.- Robert Freedman  Compliance 2008-01-17T05:23:00-08:00 http://www.polivec.com/index.php/blog/post/survey_says_better_technology_tools_would_help/ http://www.polivec.com/index.php/blog/post/survey_says_better_technology_tools_would_help/#When:22:31:01Z I just finished tabulating the results from an informal survey we did at our booth at last week's ECOA (Ethics and Compliance Officer Association) annual conference in LA. The survey respondants said:Top Priority: operate within the prescribed rulesThe compliance function takes the lead in finding ways to streamline compliance-related activities, and the function usually enjoys a high place in the organizationBetter technology and reporting tools would help get the compliance and ethics job done but working relationships with the IT departments still have a way to go.You can download the whole story, executive summary and results here:http://www.polivec.com/index.php/whitepapers/post/ecoa_polivec_survey/  IT 2007-10-05T22:31:01-08:00 http://www.polivec.com/index.php/blog/post/the_connected_ceco/ http://www.polivec.com/index.php/blog/post/the_connected_ceco/#When:03:59:01Z On my flight down to Los Angeles for the ECOA 2007 Annual Business Ethics & Compliance Conference I read the brand new paper from the Ethics Resource Center titled “Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer (CECO).” This worthwhile paper was developed in conjunction with the ECOA, OCEG, Business Roundtable Institute for Corporate Ethics, and the Society of Corporate Compliance and Ethics.The paper gave me plenty to think about – and talk about with conference attendees. According to the paper, "...the CECO should be connected to company operations in order to build an ethical culture that advances the overall objectives of the business.” How, then, can a CECO get connected to the company operations? I believe automation must play a key role here. Look at what some of what the paper says the CECO must do to manage the entire ethics and compliance program throughout the company:Creating, revision, distribution and enforcement of the codeAuditing and monitoringTraining of the board, employees, and vendors on organization standards, risks, compliance, and resources.Who initiates the search for process improvement within the compliance and ethics function? Check back here in a couple of weeks to learn what the ECOA conference attendees have to say on this question and more when I publish the results of our conference survey. Compliance 2007-09-26T03:59:01-08:00 http://www.polivec.com/index.php/blog/post/the_biggest_challenge_to_operational_risk_management/ http://www.polivec.com/index.php/blog/post/the_biggest_challenge_to_operational_risk_management/#When:20:26:00Z While at the recent Institute of Internal Auditors (IIA) Risk and Control Conference in San Diego I remembered what Ken Wooten, our Director of Product Management had to say about operational risk management last month. Here it is:The Global Association of Risk Professionals (GARP) completed a survey of risk professionals in the area of Operational Risk.  The survey asked risk professionals a series of questions around their current initiatives and challenges, and I thought some of the findings were very interesting.The first question was “What is the largest challenge tied to operational risk?”.  The top two responses were “Risk Measurement” and “Data Integration”.  Together they accounted for almost 70% of the responses.Now I would argue that these are two sides to the same challenge.  Effective risk management can only occur when all of the systems containing relevant data are integrated.   Once a consolidated view of the environment exists, only then can operational risk be identified and measured.   Before the existence of ERP and other integrated business applications, the same challenge existed in the realm of financial risk.    For most organizations the data exists for meaningful quantitative financial risk measurement, but so far this is not the case for operational risk.Further supporting this notion is another question from the survey.  It asks “In terms of measuring and managing risk, my firm uses:”.   Fifty-two percent of the respondents indicated that they use “disparate systems”.The good news is that organizations have come to the realization that this is important and are beginning to address the problem.   A major first step for most companies is just understanding what they need to measure.  Once they get past that, they face two major challenges.  The first is the integration itself.   The second is that fact that much of the information needed to quantify operational risk does not exist in any system with which to integrate.  There is a myriad of manual tasks, piles of paper, scattered spreadsheets and documents that all must be considered. So the fact is that this is not just an integration challenge, but that additional systems will likely be needed to consolidate this data before effective Operational Risk Measurement is possible.Ken's thoughts here echo what I heard from IIA conference delegates in San Diego.    Risk Management 2007-09-05T20:26:00-08:00 http://www.polivec.com/index.php/blog/post/is_grc_an_all_or_nothing_proposition/ http://www.polivec.com/index.php/blog/post/is_grc_an_all_or_nothing_proposition/#When:20:07:01Z Senior research analyst Peter Williams with Bloor Research had a lot to say in his recent article posted at IT Analysis titled “Can unified governance deliver for the emerging GRC market?” I recently spoke with Peter about the current state of GRC. His article reflects some of the same ideas that we discussed. I think that we’re still in the very early stages GRC where most companies are looking at GRC projects rather than embarking on enterprise-wide solutions right out of the gate.This is where GRC platforms that solve an immediate compliance problem at a departmental level or for a specific regulatory initiative are ideal. You can solve a problem relatively quickly without taxing your budget or your resources and use the same approach for more initiatives when you’re ready.Here are some of Peter’s comments from his article I think are worth considering:“…be wary of very large consultancies anxious to work with enterprises on GRC and claiming multi-million dollar open-ended contracts are needed. Try asking them what they are offering to achieve ‘unified GRC' or unified governance.”“…even to get your (or my) head round everything involved in this is difficult—and different for each enterprise—so it is an even bigger ask to turn the theory into practice.”“A unified approach involves bringing together the often separate corporate functions of risk and compliance management, security, business continuity (BC) and general business functions—and applying IT to it. To achieve it also involves a considerable internal culture shift.” “…every business beyond the very smallest needs to be looking in the round at GRC / security / standards / policies and their implementation—unified governance—and its potential benefits.”Peter concludes with the statement “nobody yet has a total answer—but watch the market grow” From the Polivec perspective, as a GRC solution vendor of course I want to see the market grow – and it is – but out where the rubber meets the road it all starts with solving one compliance initiative and another, and another until they fall like dominos. Regulations 2007-08-17T20:07:01-08:00 http://www.polivec.com/index.php/blog/post/compliance_at_any_cost/ http://www.polivec.com/index.php/blog/post/compliance_at_any_cost/#When:22:50:00Z Want to put a number to your cost of compliance? The American Bankers Association can help.Last week while I was doing research to prepare for a presentation I gave on compliance to a group of banking and finance executives, I stumbled across a compliance cost calculator spreadsheet available for download on the ABA website. Before you start plugging your own data into the spreadsheet, here’s some data to help put the overall cost of compliance into perspective: "Over the past few years...budgets that were dedicated to dealing with regulations were rising at a rate that was twice as fast as the IT budgets." —      Jorge Lopez, Managing VP, Gartner Research “AMR Research released a study that predicts the cost of compliance over the next five years will reach the $80 billion mark.” “Extrapolating from an assessment of the federal regulatory enterprise by economist Mark Crain, regulatory costs hit an estimated $1.13 trillion in 2005” You can only control the cost of compliance to your business when you can monitor and measure the cost. Can you really measure the cost of manual compliance tasks all the time? Yes. As they say: everything can (and should) be measured – especially compliance activities.  I’ve seen first-hand the shock when a customer sees the actual cost calculated from our software compared with what they thought it would cost – shock and awe. But the ability to measure compliance costs has given them the ability to reduce costs – and reduce them they have. The ABA spreadsheet model isn’t the same as actually collecting the real costs, but it will get you in the ballpark. A final word of caution before you use the ABA spreadsheet: the website quotes one CEO who after seeing the total cost numbers groaned  --  "That's a scary sum…"  Compliance 2007-06-29T22:50:00-08:00 http://www.polivec.com/index.php/blog/post/who_is_driving_effective_and_efficient_compliance/ http://www.polivec.com/index.php/blog/post/who_is_driving_effective_and_efficient_compliance/#When:04:45:00Z If I had just two words to describe this week's annual Compliance Week conference at the Mayflower Hotel in Washington D.C. they would be "efficient" and "effective."  How do you introduce efficiencies into compliance activities thereby lowering the cost without sacrificing their effectiveness? Is one more important than the other? Your answer depends on how you factor risk into your compliance initiatives and requirements (risk was a hot topic at this year’s conference). Whether it’s efficiency or effectiveness, automation provides the means to achieve both.Who’s responsible for driving efficiency and effectiveness into compliance activities: business owner or IT?  I posed this question to a panel called “Aligning IT & Business Requirements: An Ongoing GRC Strategy” moderated by Lee Dittmar from Deloitte Consulting. The panel emphatically stated they believe the drive for process improvement should come from the business owner – not IT. Who are the business owners? Consider the possibilities: AML Compliance Director, the SOX team, CFO, internal audit committee, Chief compliance officer, Chief Risk officer, VP of HR, VP of Ethics and Compliance, Chief Counsel, and so on and so forth.  Under the business-owner-drives model, they’re all supposed to be initiating and driving improvements by partnering with their IT department.That sounds good, but the people in the trenches are looking for ways to get their job done under increasing pressure with less time and resources. A lot of Excel spreadsheets and Microsoft Access applications are born of this frustration – I heard it more than a few times during the conference. The home grown approach makes compliance activities less efficient, less effective, and more prone to risk. Who’s driving efficiency and effectiveness into your compliance initiatives? Risk Management 2007-06-11T04:45:00-08:00 http://www.polivec.com/index.php/blog/post/what_if_every_day_was_pci_audit_day/ http://www.polivec.com/index.php/blog/post/what_if_every_day_was_pci_audit_day/#When:05:12:00Z  Mike Dahn, an expert on the Payment Card Industry Data Security Standard (PCI DSS) kicked off an interesting blog entry on the PCI Answers website about continuous compliance. Check it out.  Compliance 2007-05-24T05:12:00-08:00 http://www.polivec.com/index.php/blog/post/the_relationship_between_compliance_corporate_culture_and_brand/ http://www.polivec.com/index.php/blog/post/the_relationship_between_compliance_corporate_culture_and_brand/#When:20:30:00Z   The Chief Counsel in charge of compliance at a large food and beverage company gave me some food for thought recently on the relationship between compliance, consumer confidence, and brand. We had a wide ranging discussion on compliance and his company’s culture. He said, “as a consumer product company, if consumers ever lose confidence in our products we are out of business.” Because employees at his company inherently understand that food safety and product quality are critical to their jobs and their business, they are more receptive to compliance training because they understand that inadvertently breaking a rule can have severe consequences on the business – and their job. He says colleagues in other corporations say it’s “a fight” to get everyone to listen at a meeting that involved compliance, where everyone “has to be dragged kicking and screaming” because they see compliance purely as a cost issue. “We all know that human nature is human nature; there will always be people who think they’re smarter than you are, and can get away with breaking the law or stealing. Most will know to do the right thing to play by the rules, but with tens of thousands of employees and contractors around the globe, no matter how good your training program is, some will do the wrong thing on purpose or by accident and put your company and brand at risk.” On policy acceptance, he says “as a lawyer, I want to make an edict but I always look at things from their point of view. If somebody forces something on you, you won’t be too happy about it." He says that the compliance team conducts focus group tests and surveys on their compliance programs to find out what people thought in order to make improvements. "If we do not get the objective acceptance of a program then the effectiveness is undermined.”  How well does your culture embrace policies? How do you know? And what's the risk to your brand?   Risk Management 2007-05-23T20:30:00-08:00