Topics of Interest Archives: GRC

Rightsizing GRC (2 of 2): Selecting a Solution

As we discussed yesterday, governance, risk, and compliance (GRC) is a large and fragmented industry. Unlike other areas of enterprise technology, where organizations struggle to understand differences between vendors, the challenge is often to understand what any given “GRC vendor” actually does. We recommended that organizations should begin to assess GRC vendors for their fit according to three dimensions: (1) functional scope, (2) operational scope, and (3) industry scope.

GRC solutions vary widely in their ability to reach across these categories (breadth) as well as the sophistication of their offerings in any one category (depth). From the vendor’s perspective, this is often a question of market and product strategy. There are two common options.

Focus on Breadth

A vendor can maximize its addressable market by seeking to expand the breadth of its exposure across functional capabilities, use cases, and industries. While this strategy opens the door to a great many organizations, it often limits a vendor’s ability to develop much sophistication within any one area. This is the classic “mile wide / inch deep” challenge. Even vendors that focus on the common needs of “highly regulated” industries can face challenges going much deeper than the lowest common denominators of data and process management. As a result, these solutions may be able to do 80% of the job “out of the box,” but getting to the final 20% requires work to fit the solution to a particular organization’s needs. An important distinction is whether a solution is configurable or customizable, which can have a tremendous impact on the cost and time required to deploy.

MetricStream represents a classic example of this approach. The company focuses on the scope of its software capabilities and is (rightfully) well-regarded for the breadth of its GRC capabilities. It has demonstrated rapid growth and a strategy that focuses on expanding the reach of enterprise GRC within an organization. MetricStream’s strategy creates a lot of opportunity. Its portfolio of capabilities ensures that the company can address a wide array of companies and use cases. Often the company’s solutions are good enough to ensure customers see value at its price point. However, MetricStream (like any organization) has limited resources to put into development and can face challenges when called to support highly specialized needs.

Vendors in this category often include the other “enterprise GRC” players, such as EMC’s RSA Archer, IBM OpenPages, BWise, Thomson Reuters’ Accelus, or SAP GRC. However, smaller providers such as ACL and AdaptiveGRC also take this approach. As a group, these providers tend to focus on platforms that reach across risk and compliance roles to eliminate information silos. Of course, individual providers focus on and stand out in particular areas. For example, SAP (which just launched a new audit management and analytics solution) has historically demonstrated a focus on finance, supply chain, and IT operations.

A breadth strategy does not imply that a solution is shallow. Nor is there anything wrong with this approach. It does mean that an organization has a responsibility to evaluate whether the solution matches its particular risk and compliance portfolio. Organizations with more specialized needs may find that a niche GRC application is a better fit. At the same time, offerings that focus on the breadth of capabilities are often best suited to organizations planning to build true, unified GRC environments.

Focus on Depth

In the second scenario, the vendor focuses on a particular need or audience. The most extreme examples of this phenomenon are the niche solutions that only address one need. This often takes the form of an operational focus (e.g. financial GRC or IT GRC), an industry-tailored focus, or an even more niche application, such as social media risk.

These solutions face smaller addressable markets but are able to dedicate resources in an extremely targeted manner. Given that GRC implementations often address a single “point” need, rather than an enterprise vision, depth-orientated solutions can often offer easier deployment and greater impact within the scope of the investment. The tradeoff is that organizations may end up with solutions that can’t be scaled into an integrated, enterprise environment. This tradeoff depends on the vendor’s focus, with industry-orientated providers often best positioned to balance breadth and depth in their offerings.

Vendors that focus on a “use case” range across a spectrum from providers like The Network and NAVEX Global, who both target compliance management, to even more security-orientated applications, such as Modulo (which, despite its recent march towards “enterprise GRC,” is still best suited to IT risk) or Actiance, which targets social media risk and compliance. Wolters Kluwer’s ARC Logics and Summix provide examples of an industry-focused platform. The two solutions solely target the financial and insurance industries. Between the solutions, the company offers a comprehensive set of governance, risk, and compliance functions that are adaptable and closely tailored to industry-specific needs. The company also draws on a library of content and best practices as well as consulting services. QUMAS is another example of this approach, focusing on enterprise platform capabilities within the healthcare and bio-science industries.

Generally, depth-orientated vendors are less likely to appear in a wave or a quadrant, but the solutions are often the strongest offering within their area of focus. Still, when considering these solutions, companies should also consider the potential to scale the solution to future needs before making the investment. An industry-orientated solution may possess the breadth of capabilities needed to support an enterprise deployment, but solutions focused on a particular operational need or niche use case will usually mean that the organization must turn to another vendor if it hopes to grow its platform.

Selection

Selecting the right GRC vendor is, in part, a function of determining which sort of solution best fits an organization’s needs and constraints. A focused, niche provider may help respond to a very specific need at an appropriate cost, but close the door to future expansions. By contrast, a solution that focuses on breadth may involve more upfront costs and less depth of support for a particular use case, but provide greater enterprise value in the long run.

The success of a GRC investment depends on tradeoffs between the solution’s investment cost, fit for the immediate need, fit for industry needs, ease of implementation, and potential for future expansion. As such, organizations will want to understand their goals before exploring solutions, both for the deployment and for their plans for future use. This should generate at least an initial understanding of what sort of solution best fits. However, the processes that fall under the purview of GRC involve too many variables, and the solution landscape is too fragmented, to offer easy answers.

Posted in Blog, General Function, General Industry, Policy and Compliance Management, Research

Rightsizing GRC (1 of 2): Making Sense of the GRC Landscape

I wouldn’t be the first to say that the governance, risk, and compliance (GRC) space is fragmented or that enterprise GRC is a hopelessly broad term. A lot of ships sail under GRC flags, but they vary by type, crew, and how they are outfitted. All of these providers share a core set of software functions related to risk assessment, controls, monitoring and alerting, and reporting. However, such an inclusive categorization is only useful as a market shorthand or to set the outlines of a pundit’s bucket. It’s not useful for organizations attempting to understand which solution fits the organization’s needs. In fact, it often makes the process a whole lot harder.

In reality, there are many factors organizations have to consider to understand if a vendor offers the GRC solution that they need. We can draw three rough dimensions that help understand whether a particular GRC platform fits an organization’s needs:

Functional Scope: The software features and functions that the solution includes. This is the definition we started with above.

Operational Scope: The activities that the solution supports. This captures all the applications of GRC across legal, IT, financial, operational, and enterprise use cases. Generally, we can think of this as the specific use case for the solution.

Industry Scope: The types of industries or organization profiles that the solution supports. While most GRC vendors focus on a collection of “highly regulated” industries (usually with some attention to utility, financial, and health science sectors), different providers focus on different areas.

We can (and should) measure each dimension by two factors: breadth (how much) and depth (how sophisticated). For example, a provider might support a large number of capabilities or industries, but offer just enough to be able to say they do it. Other providers focus on a more narrow audience or set of functionality, but ensure that what they offer addresses that need very well.

In depicting a cube, the image above offers us a representation of a fully realized GRC platform. That is to say: a solution that offers maximum breadth and depth in all three dimensions. This is an idealization. Any GRC solution you could care to map against these vectors would fill that space in dramatically different ways.

The trick is finding the solution that has the right combination of these factors to meet your organization’s needs. If your organization has particular industry-specific needs (perhaps a complex regulation or unique business needs), it is probably going to care a lot more about the vendor’s understanding of that industry than the full scope of capabilities available in its enterprise suite. However valuable a true enterprise GRC platform connecting all of an organization’s use cases within a unified environment might be, most deployments involve a targeted selection of software capabilities to a particular use case (ideally driven by a risk analysis).

This is essentially a process of narrowing to find the solution that falls within the perfect set of coordinates for your organization. Tomorrow, we’ll discuss how to begin to evaluate the providers in the space.

Posted in Blog, General Function, General Industry, Legal, Policy and Compliance Management, Research

Transforming Fear into ROI in Compliance & GRC Investments

More than a few governance, risk, and compliance (GRC) implementations were launched by pain or fear. That’s not always the case, of course, but we hear it often enough. An organization gets hit by a penalty (probably related to something it wasn’t paying attention to), or a story appears in the Wall Street Journal about regulators’ interest in a competitor, and, after some phone calls from directors asking “how do we keep this from happening (again)?”, a mandate is born.

These scenarios are gold mines for GRC vendors, but they are minefields for organizations. That’s not to say that those situations aren’t great opportunities to implement GRC. They are. In fact, for the risk and compliance teams that have been pushing for a GRC platform, the moment is probably never better than when corporate leadership has a clear view of what poor safeguards might cost them. Pain and fear are tremendous motivators. The problem is that they don’t make for great strategic planning.

Some readers are already nodding along. For others, look at that question again: “how do we keep this from happening again?” As much as crisis events motivate improvements, they also tend to narrow the scope of addressable change. In other words, that penalty might prompt a new GRC investment, but the implementation will probably be focused on whatever regulation and vulnerability gave rise to the problem. The result will be a solution that prevents “that” from ever happening again, but leaves the organization’s larger compliance challenges unaddressed. This is how organizations end up with multiple, redundant, and siloed GRC solutions. The IT security sector has the exact same problem. Or, as I recall from my own childhood: it is easy to learn not to put your hand on the stove again. It is harder to translate that experience into a comprehensive policy regarding fire.

The outcome is a Catch-22: when organizational demand for GRC is highest, attention to the scope of its value is often the lowest. The solutions are there. GRC vendors have been steadily growing platforms that offer true cross-functional, enterprise visibility, proactive management of compliance risks, and reduction of siloed and redundant compliance functions. In fact, a GRC implementation is most valuable when it addresses these needs to enhance an organization’s compliance limbic system. The deeper paradox is that these deployments present clearer ROI opportunities than any instance of compliance terror.

Massive regulatory penalties get headlines, but most organizations will never encounter these situations (some will encounter them repeatedly). Not only do most firms’ interactions with regulators never see the light of day, they are often based on political winds as much as continuity. This makes for a tough business case. Investments solely addressing these immediate risk anxieties are not just weak, they beg for review once fear fades and executive scrutiny turns to compliance overhead. Compare this to an investment based on (1) improved efficiency by compliance staff, (2) reduced time demands on line-of-business stakeholders, and (3) reduced risk of future compliance penalties. I know which bet I’d rather make.

The challenge is translating the anxiety of the moment into a long-term business plan. This is easier said than done, even if, in the normal course of business, the “overhead impact” of GRC should be more attractive. I don’t have any particular recommendations for this challenge, except to observe that if the threat of harm has risen to such a point as to motivate change, your audience should be receptive to the more mundane business opportunities GRC presents. It might take some additional explanation and exploration, but the long-term value to the enterprise will be significantly greater. Of course, many GRC providers are attuned to this process, but they face their own Catch-22 in that organizations begin to mistrust them once they begin to suggest options outside of the organization’s immediate “red zone.” Again, this is an opportunity for compliance officers to shine, provided that the larger business case is there.

Posted in Blog, Enterprise Risk Management, General, General Function, Legal, Research

Is the Enterprise Legal Management and GRC Gap Worth Bridging?

Last October, Gartner released its first ever Magic Quadrant for “enterprise legal management” (ELM – also known as practice management for corporate legal departments). Largely speaking, I was pleased to see the company begin to cover legal technology. One thing that has stuck with me from Gartner’s analysis is the notion that ELM is a subset of enterprise governance, risk, and compliance (GRC) platforms. The report refers to ELM as “part of a growing category” of GRC solutions focused on supporting interactions between general counsel and other executive leadership. While I don’t disagree with the positioning conceptually, I find Gartner’s read to be a bit optimistic.

The idea that ELM is a subset of GRC puts too much faith in the success of the “enterprise vision” of GRC. By and large, I believe in the vision of enterprise GRC, but I am skeptical about the reality. I do not believe most organizations are prepared for true cross-department management of issues from internal incidents to legal matters. In fact, generally speaking, ELM and GRC represent distinct value propositions that address different audiences. ELM generally supports two concerns of general counsel: (1) the management of internal matter workflows, and (2) the management of vendor work and costs when matters are shared outside the organization. The most immediate value gain provided by ELM tends to come in reduced legal spend. That’s discounting the larger “ecosystem” of solutions related to ELM (contract management, ediscovery, IP portfolio management, etc.), which have a number of related value propositions. By contrast, GRC implementations are usually justified in terms of compliance function efficiency and reduced risk portfolios. While these functions overlap, as often as not they represent different “owners” within the organization… as well as different budgets.

That said: there is a strong case to be made for the integration of ELM and GRC. The two solutions exist on a continuum. Ideally, GRC addresses the management of legal matters as business operations before they become legal matters. ELM addresses these same issues once they require legal analysis or advocacy in a dispute. There are clear business benefits to be had by creating a common information management environment and collaboration platform that connects strategic legal work to practical application within the organization. Even this only reflects a “linear” approach to compliance and risk, rather than the opportunities available through a continuous feedback loop between litigated matter and compliance management. While I question how many organizations are really ready to consider these to be common processes, it is foolish to reject the potential of combining these solutions.

From a technology perspective, integration between GRC and ELM is not as difficult as creating the enterprise recognition that these represent common processes. Generally, organizations possess a single ELM deployment, as the solution is intended to manage legal processes as a single enterprise function. By contrast, GRC deployments often address disparate enterprise needs, often related to individual compliance functions or regulatory demands. However much vendors focus on the “enterprise vision” of GRC, the reality is trailing the vision. Most organizations are still managing siloed compliance functions and point deployments of compliance and risk management tools. This creates a general technology maturity obstacle that must be addressed before organizations should consider a GRC and ELM integration. Additionally, given the state of both sectors, the idea of a single, one-size-fits-all solution is optimistic. I expect that the best opportunities will be found in a connected GRC/ELM platform that integrates core compliance and matter management capabilities with connectors to related functions.

While I believe that there is a strong value proposition for an integrated GRC/ELM environment, I don’t think most organizations are ready to make the investment. While many organizations still possess multiple GRC deployments, few are mature enough to realistically consider a combined GRC/ELM platform. The first step is one of recognition: organizations need to recognize how the two solutions support a single, coherent business process. Even if few organizations are “there” today, organizations should consider the potential as they approach future investments.

At the same time, few providers today have the ability to support a combined GRC/ELM environment. In fact, Blue Hill has only identified four vendors that currently offer GRC and ELM capabilities. Only two of these providers currently offer integrated GRC and ELM solutions, while the remaining vendors offer strong, but distinct, solutions that present major opportunities for integrated ELM and GRC environments. Nonetheless, they represent Blue Hill’s “best guess” for vendors who will be able to provide combined ELM and GRC environments as their solutions mature:

Datacert – has gone the farthest to integrate GRC and ELM solutions. Their Passport solution offers a scalable GRC and ELM solution set. This makes the provider one of the few companies to offer a uniform, integrated platform that combines GRC operation, legal matter, and legal spend management. While the company often sells these two solutions as standalone products, it nonetheless has the capability to support a unified GRC and ELM environment. While few organizations are prepared to consider the relationship between these two functions, the potential to support both functions in a single solution as a future vision state should represent a key differentiator for organizations investigating either GRC or ELM solutions. To this end, Datacert’s platform supports modular deployments, allowing organizations to address specific functional needs while leaving the door open for future expansion. While other providers possess the potential to bring these solutions together, organizations currently looking for unified GRC and ELM environments will find that Datacert is currently best positioned to support their needs.

MetricStream – offers a comprehensive and scalable enterprise GRC platform. The provider includes case and matter management as modules of its “legal GRC” solution. This approach recognizes the potential interrelationships of GRC and ELM and offers support for basic matter and billing management tied to the larger GRC platform. While this represents an attention to legal process that is uncommon in GRC platforms, the solution is nonetheless limited as a legal management solution. The technical capabilities are there (and may be sufficient for many organizations), but MetricStream demonstrates a lack of the deep understanding of legal practices and workflows needed to create a meaningful legal management solution. Organizations looking for an integrated GRC / ELM environment will want to consider MetricStream but will want to emphasize the actual potential impact for legal in their investigation. In particular, despite the hype that the company attracts, questions remain about its ability to support very large enterprise operations.

Thomson Reuters – is a well-established provider of GRC (in its Accelus product line) and ELM (in its Serengeti solution) tools. Between the two solutions, Thomson Reuters covers the full array of compliance, risk, and legal matter management. However, siloed business units currently prevent the provider from combining these toolsets. Accelus resides in the company’s Financial & Risk unit, while Serengeti falls within its Legal solutions department. That said, the organization is aware of the cross-pollination available between the solutions. While it does not report any specific integration plans, it does recognize the opportunity. Current customers interested in drawing lines between compliance and legal functions should inquire with the organization. While it currently lacks the capability, the company is well positioned to create the integration as market demand increases. It is worth noting that the company has a track record of integrating based on customer demand. For example, its FATCA solution integrates Financial & Risk and Tax & Accounting offerings.

Wolters Kluwer – provides a powerful and comprehensive GRC platform for the financial industry in its ARC Logics solution. The company also provides a leading legal management solution in its TyMetrix product line. However, as with Thomson Reuters, the two solutions represent distinct business operations for the company. As a result, ARC Logics users will not see any additional benefit by also leveraging TyMetrix in connection with ARC Logics. Nonetheless, the company possesses the opportunity to create a unified platform. I expect to see Wolters Kluwer integrate its offerings as the markets for GRC and ELM continue to mature and demand for a unified platform grows.

As these examples show, the number of vendors currently offering unified ELM / GRC environments is limited. The four I’ve identified represent my “best bets” as both solution sets mature and expand into one another. However, this is largely my projection. Currently, only Datacert offers a mature unified offering. However, MetricStream, Wolters Kluwer, and Thomson Reuters are all well positioned to follow suit. In addition, a number of other vendors, for example LexisNexis, provide many related GRC and ELM capabilities, but have yet to bridge these tools into integrated suites.

As deployments mature, demand for exactly those kinds of connections will as well. I believe that the value is there, but I question how long it will take organizations to progress in their own maturity to be prepared to realistically consider unified environments. While the opportunity is strongest as a fresh investment, few organizations can reach this point without making preliminary investments in both GRC and ELM.

Posted in Blog, Enterprise Risk Management, General Function, Legal, Policy and Compliance Management, Research

Ethics and Compliance as a Business Investment

I have been having a lot of conversations lately with compliance officers about increasing corporate focus on compliance risk. As the topic has gained more attention at board meetings, compliance officers are spending more time with corporate leadership to explain current risks as well as to identify methods for improvement. Some of the compliance officers I’ve spoken with lately have reported better experiences than others. I have noticed a theme.

The compliance officers that de-emphasize the requirements and the potential threat of regulatory penalties in favor of the broader context of understanding business impact tend to be a bit less stressed out. They also tend to be the ones that get approval for their initiatives. I don’t think there is much magic to this. Few executives tend to think in terms of what is allowed or not allowed. Rather, they are trained to assess impacts and develop courses of action that improve business performance. Compliance officers that learn to stop being “the person who says no” and to start putting compliance in terms of business context tend to be more successful.

To some extent, we recognize this, particularly in terms of reputational risk. However, the problem with “reputational risk” is that it’s a fuzzy factor and hard to measure. It is better to take the extra step to discuss potential changes in share price or revenue. Last week, a chief compliance officer at a software company told me that whenever he needs to get a budget increase approved, he brings up the customer feedback he receives on their ethics program. How many companies even collect customer feedback on ethics?

That kind of business context goes a long way, but it’s not always enough. Rather, organizations need to approach compliance projects as business investments. I like to see compliance officers that can put on a CFO hat to consider the tangible return on investment of an initiative. The question I ask is: “if you only had $100 to spend on compliance: how would you get $1,000 in impact?” This is a question that I find is often overlooked. However, understanding where and how to make compliance investments plays a critical role in an organization’s ability to adapt to new demands in a way that presents minimal disruption to its operations and overhead. For example, we’ve been hearing about the boom in compliance hiring for some time. Now, I am all for people getting jobs (especially in a traditionally understaffed function), but simply throwing more bodies at a problem is rarely the most efficient road to a solution.

The successful organizations I speak with take the time to understand what aspects of compliance management will have the greatest impact on organizational exposure and overhead. There’s a shorthand for this. Translating regulatory requirements into compliant operations involves six activities:

- Identify regulatory changes affecting the organization and new requirements imposed;
- Develop new policies incorporating the new requirements;
- Educate employees regarding changes in standards and incentivize compliance;
- Monitor employee activities to identify compliance risks and violations;
- Remediate violations or issues as they emerge;
- Revise and refocus efforts based on identified risks in the organization.

Depending on an organization’s processes or maturity, it might be better or worse at one area or another. The impact of these investments can differ, however, depending on where an organization focuses resources. The first three phases represent the front end of compliance management. Investments here represent preventative steps that help to minimize the risk that issues will emerge which create regulatory violations. The remaining three areas tend to help minimize the impact of violations after they have occurred. These categories are not perfectly distinct, of course (the sixth activity, in particular, can help to both prevent and minimize). The impact will also depend on the maturity of an organization’s processes in any area. Nonetheless, thinking of investments in these terms can help the organization to identify how to get the greatest impact from its investment.

Even this might not be enough to justify an investment. It’s one thing to be able to describe how an investment should impact performance. Securing corporate buy-in often requires evidence. That puts one more requirement on compliance officers: measurement. This is an area where I tend to see even the best companies fall short. Compliance professionals often do a good job of tracking which employees have completed training, attestation rates, and how long it took to get there. That’s helpful, but it doesn’t help anyone understand the impact of training. That’s often not easily measured, but I’d at least like to see compliance officers track changes in issues identified (which often go up initially as programs improve), violations found, time required to remediate, and similar measures. The more of these factors that can be measured in the context of business performance, the easier it should be to secure executive buy-in.

Learn more about this topic in Blue Hill’s report Policy and Training Investment: The Front End of Compliance or by joining me on February 11th for a webinar I am giving with The Network.

Posted in Blog, Enterprise Risk Management, General Function, General Industry, Policy and Compliance Management, Research

Johnson & Johnson’s Compliance Rosetta Stone

This past autumn, Johnson & Johnson made the news for entering a settlement with the United States Department of Justice and several states. The company agreed to pay damages of over $2.2 billion; the settlement also involved a criminal guilty plea as well as the imposition of a Corporate Integrity Agreement requiring ongoing oversight and reduced control over its compliance operations. The matters involved stemmed from events occurring between 2001 and 2003.

I think this is unfair. Not the settlement itself; I leave it to J&J and the DOJ to reach an appropriate agreement that addresses whatever misconduct may have occurred. What bothers me is that the bad press that J&J received today obscures the strides they’ve made in improving their compliance programs over the last ten years. In fact, the company should be applauded for its efforts to transform its fragmented compliance landscape into a comprehensive enterprise governance, risk, and compliance (GRC) strategy.

An enterprise GRC strategy is not an overnight project. This is particularly true for J&J, which possesses over 250 operating companies and over 110,000 employees operating in highly regulated sectors such as medical devices, consumer goods, and pharmaceuticals. Historically, each unit operated independently and was responsible for its own compliance codes and policies.

In that kind of scenario, getting to an enterprise view required a great deal of cross-functional planning at the highest levels.

To my understanding: J&J has done and continues to work on that. Still, what stands out to me in their story is a more modest (although no less difficult) undertaking. J&J recognized that it had a compliance communication problem. Not only were its business units working on compliance independently, but specialization by legal and compliance officers made for a wide range of conflicting compliance priorities. When it comes to compliance requirements and standards, this sort of general compliance communication challenge breeds redundancy and confusion. For J&J, it meant different units employed different risk-assessment philosophies, approaches, and supporting software solutions. The inefficiencies that result don’t just affect compliance management, they impact business functions in the form of unclear requirements, burdensome reporting requests, and redundant audits.

To combat this problem, J&J undertook creating a uniform understanding of compliance requirements. After a review of business processes and various compliance demands, J&J was able to identify similar requirements imposed by different regulations. Once it identified these common areas, J&J was able to create a common set of standards consolidating and simplifying requirements from various sources and silos. They began by creating a single, centralized database for the management of these compliance standards. The key feature of the database was the ability to tailor information by user context. In other words, compliance professionals could see and debate the correspondences between their functions. Line of business managers saw a clear, consolidated list of requirements to implement.

This is a powerful starting point. Without even getting to the operational gains that come with widespread monitoring and audit management support, J&J was able to reduce its compliance costs in a number of ways. A fragmented understanding of compliance requirements inserts costs through:

- Redundancy and overhead in compliance functions

- Loss of value generating activities among business units

- Multiple GRC solutions and databases

- Demands on IT related to administration and management of solutions

- Legal costs and penalties resulting from lack of clarity in compliance requirements

In fact, we started with the last point. While a common understanding of compliance requirements will not prevent employees from taking actions that they know they shouldn’t, it nonetheless helps reduce the risk of inadvertent violations. This isn’t even the strongest benefit (how often do most companies face $2.2 billion penalties?). The real value comes from the reduced burden on the line of business, where increased clarity doesn’t just reduce risk. It buys back time that can be dedicated to value-added tasks.

Learn more about Johnson and Johnson’s efforts to create cross-enterprise compliance standards in Blue Hill’s report Johnson & Johnson and MetricStream: The Value of a Consolidated View of Compliance.


Compliance Training and GRC: Six Vendors to Watch

Yesterday, I discussed how organizations should approach training as a proactive step in their compliance management strategies. I mentioned how effective training can minimize the risk of noncompliance and related issues by promoting employee internalization of standards. However, organizations often face difficulties making this connection because they lack an understanding of how training relates to larger enterprise compliance needs.

A number of vendors within the enterprise governance, risk, and compliance (GRC) space have begun to respond to these needs by bringing training capabilities into the GRC platform. In some cases, this means no more than offering a learning management system (LMS) as a module. The deepest integrations between GRC and learning emphasize the ability to collect training information and make meaningful connections to an organization’s compliance performance. These include:

- Management of training participation, attestation, and certification
- Cross-references between training content, policies, and compliance requirements
- Automatic alerting identifying relevant training content as issues emerge
- Compliance risk analytics based on training performance

By and large, these capabilities generate enterprise value by improving insight into the satisfaction of compliance requirements and by creating a foundation ensuring that training impacts compliance performance. The result is not necessarily improved operational efficiency, but the ability to preempt penalties and other liabilities. This is accomplished by strategically improving employee internalization of codes of conduct and compliance requirements.

A number of enterprise GRC and compliance management providers offer LMS as an integrated component of GRC. Blue Hill Research has identified six vendors that offer compelling packages combining GRC integrations with content libraries and flexible, engaging delivery models. These six vendors (360factors, MetricStream, NAVEX Global, The Network, SAI Global, and True Office) include leading enterprise GRC companies as well as start-ups and point ethics and compliance providers. They do not all possess the same capabilities or solution maturity, but each has proven to be a vendor to watch for its strategic approach to training and compliance performance.

360factors: a compliance change management solution provider focused on the utility and financial verticals with its cloud GRC suite, Predict360. Through a partnership with parent 360training, the company offers learning capabilities drawing from 360training’s LMS and pool of content and domain experts. Users are able to connect these training resources to specific need points through Predict360’s alerting capabilities. For example, when the need for corrective action is detected, the system also alerts compliance officers to the training content that aligns to the related requirement. As a result, organizations are able to identify who needs additional training as well as what content to use.

MetricStream: offers training management as a module of its “pervasive” GRC suite. The solution manages training processes, including course details, scheduling, and feedback. Monitoring capabilities provide ‘real-time’ oversight of training initiative progress. Finally, integration with the wider GRC suite provides analytics based on training records and requirements to assess regulatory compliance and impact. MetricStream does not provide content options, but partners with a wide range of content providers to support these needs as well.

NAVEX Global: provides a broad range of training content and delivery options within a suite of policy and case management. While not the comprehensive enterprise GRC platform of other vendors, the company’s integration of LMS within policy management supports reporting and analytics, attestation, and information cross-referencing. Content can be customized by users and delivered via live or online, mobile-enabled channels. NAVEX Global also stands out in its Awareness Program and Burst Learning. The Awareness Program leverages physical artifacts, such as posters and reference cards to create ongoing compliance awareness. Burst Learning uses short, topic-based content to enable organizations to develop modular training programs and increase viewer engagement. Related offerings, such as third party risk management and reporting hotline services are additional differentiators.

The Network: positioning itself as the ‘Apple’ of GRC, The Network delivers ethics and compliance training through configurable, interactive branching scenarios with assessments, role-playing, and games to maintain interest and provide appropriate context. The Network’s content is mobile-ready, permitting users to view it on-demand. The company makes an effort to offer contemporary content that is relatable to end-users. To support training program management, the company offers real-time tracking capabilities to support content evaluation and user experience monitoring. Integration with The Network’s GRC suite permits comparisons against program metrics and supporting analyses, including incidents, surveys and policy attestations.

SAI Global: cloud-based SAI Global provides a learning management system with integrations into its larger platform. The company’s content competencies include regulatory matters as well as a larger array of standards and ethics best practices. The company offers a great deal of breadth in its delivery options, including public courses, on-site learning, elearning and other digital delivery methods. SAI Global uses a “story-based” training that emphasizes in-context scenarios tailored for specific job roles or functional needs. Dynamic linking provides access to relevant corporate policies, certifications, and other needs.

True Office: True Office is unique on this list for its lack of a full GRC suite as well as its approach to experiential compliance learning. True Office provides online games incorporating training content into interactive, scenario-based learning environments. True Office offers content developed by partner organizations, including Thomson Reuters, but will also incorporate customers’ materials into game environments. True Office also provides the ability to conduct analytics derived from employee performance to identify likely compliance risks and take action accordingly. Its innovative approach and risk assessment capabilities make True Office a good fit for organizations that are not prepared for large-scale investments in enterprise GRC.

To learn more about how to approach compliance learning as a component of GRC and compliance strategy, see Blue Hill’s Compliance Learning as a GRC Fundamental.

The Emerging Legal Cloud: Why Firms Need Secure, Flexible Collaboration

While cloud and mobility solutions are not new to the legal technology market, 2013 saw a number of expansions into the space, particularly supporting practice management.

Thomson Reuters started the year off by rolling out Firm Central, a secure hosted practice management offering. In May, LexisNexis announced a partnership with WatchDox to bring secure file sharing capabilities to its cloud practice management solution, Firm Manager. LexisNexis also launched its TextMap iPad transcript annotation tool. Silicon Valley start-up Velawsity entered the market, offering cloud-based “lawyer-designed” client communication and matter management tools. Secure cloud storage provider Box increased its focus on the legal industry in announcements emphasizing mobile and cloud collaboration as well as strategic partnerships with a wide range of existing players.

Cloud practice management veterans were busy as well. Themis Solutions’s Clio, MyCase, and Rocket Matter all expanded their mobile capabilities. All three companies launched apps making their practice management capabilities available on the iPhone. MyCase also offers a mobile client portal app, while Rocket Matter puts its practice management capabilities on Android as well.

Most of these solutions are aimed at small and midsize firms, and with good reason. Cloud providers manage the solution administration and infrastructure, making them well suited to small firms, which frequently lack the resources to make on-premises investments. Cloud solutions are generally available on a subscription basis, which also helps small firms distribute the cost of investment. However, the expansion of cloud and mobile practice tools is about much more than positioning for small firms. Rather, cloud and mobility represent important collaboration and engagement opportunities for attorneys.

Whatever the area of practice might be, matters involve two things: stakeholders and documents. These are diverse categories. Stakeholders can include clients, co-counsel, investigators, paralegals, and other supporting staff as well as opposing parties and counsel. Documents can include filings, contracts, depositions, certificates, and memos, to name only a few examples. Successfully advising and advocating on a matter requires attorneys to manage all of these related components and to ensure that they can access what they need when they need it. The expansion of cloud and mobile solutions largely extends the ability of attorneys to access what they need, wherever they might be. These solutions also make it easier for attorneys to collaborate with stakeholders by making documents centrally available while selectively limiting what is exposed.

This is what the promise of the maturing legal cloud space really provides: secure, collaborative document management that is available anywhere. This is why you have seen providers like LexisNexis, Thomson Reuters, and Box all focus on secure sharing and mobile access. It is also why MyCase stands out among its peers with its mobile client portal tools. These solutions offer a lot of promise in how they can make lawyers more efficient, but also better advocates. Compare the efficacy of an attorney who wheels into court with a cart of bankers’ boxes with one who is able to selectively pull up documents from an iPad, annotated with context provided by the client and relevant case law.

This is a tremendous benefit for any attorney. That said, it is particularly compelling to see how the relatively low cost of many of these options can put sophisticated matter management tools, more familiar to Big Law, into the hands of a wider range of practitioners. Of course, there are concerns to address. Attorneys have been using cloud document management options, but often at the lowest end of solution maturity and security. I know too many attorneys who use free consumer versions of Dropbox, despite the emergence of professional conduct guidance requiring attorneys to ensure security and confidentiality in cloud solutions.

The solution providers that will best capitalize on this potential will be the ones that are able to:

(1) Provide easy-to-use, adaptable, and secure sharing options

(2) Offer the flexibility to permit users to work with their preferred vendors for things like practice management, billing, client management, and litigation support

(3) Extend document management to the full range of mobile devices for online and offline support

(4) Integrate with ediscovery platform vendors

At present, no one vendor should be considered a master of all these areas. By virtue of its experience outside of the legal industry and growing partnership network, Box probably comes closest. However, Box does not yet have partnerships with the largest players in the space. Similarly, LexisNexis and Thomson Reuters tend to have a preference for their own wider solution sets over other providers. By contrast, providers like Clio have demonstrated a willingness to work with a wide range of partners, but have yet to expand mobile options beyond the iPhone.

At the end of the day, the best option for a firm will not be the vendor that can be everything to everyone. Rather, it will be the provider best positioned to support the firm’s specific needs. For this reason, firms exploring cloud options will do well to consider how a vendor’s reach into these four categories aligns to their own needs as well as local requirements.

Kroll Ontrack's Ediscovery.com Pushes the Ball Forward

Back in October, ediscovery and data recovery solutions provider Kroll Ontrack launched ediscovery.com, a cloud-based platform for its full suite of ediscovery capabilities. As a cloud option, ediscovery.com comes with the advantages of central availability and mobile accessibility. Kroll Ontrack has added to these advantages by building out the project management and collaboration capabilities of the suite.

A number of ediscovery.com’s features deserve attention, particularly its incorporation of Salesforce Chatter into Kroll Ontrack’s Project Wall collaboration hub. While Blue Hill reviews how those capabilities interact in our recent report, possibly the most compelling aspect of the announcement is Kroll Ontrack’s vision of ediscovery as a standardized, yet flexible, process.

No one enjoys litigation. Discovery, particularly where it involves massive troves of emails, documents, and other electronic information, is often the most painful part of the process. Despite (or because of) this, organizations often fail to take the time to think about how to develop systematic ways to address the demands that ediscovery creates for them.

Ediscovery is expensive. One estimate puts the typical ediscovery project at 350 gigabytes, or roughly 1,925,000 documents. Estimates of the cost of review vary. Inside Counsel provides a range of $5,000 to $30,000 per gigabyte. RAND puts the average at $18,000 per gigabyte. Predicting these costs is very difficult. While project-based pricing is on the rise, most attorneys still charge by the hour. Ediscovery vendors typically charge by the amount of data. As such, the costs of ediscovery depend on the length and complexity of litigation and the data involved. These issues can be estimated at the start of litigation, but not always with the greatest accuracy. Information needs also change in the course of discovery, as attorneys come up with new theories or discover new roads of inquiry. These twists and turns can expand the scope of discovery tremendously, pulling in new data sources and potentially rendering previous reviews immaterial.

While not all of this can be controlled, when organizations remain reactive and approach ediscovery on a project-by-project basis, they often add needless costs to the process. When projects involve changes in attorneys, custodians, processes, and technologies used, organizations forego the economies of scale of a reliable and repeatable process. Kroll Ontrack is taking the lead by trying to find ways to help its customers take steps to improve their processes. In some ways, this involves new capabilities (such as the inclusion of project analytics). In others, it involves guidance on how to better use existing tools, such as the use of predictive coding to screen information before it’s loaded into the ediscovery.com platform.

Ultimately, this effort is the most compelling aspect of the ediscovery.com launch. While there are some new capabilities, the core TAR technology and web-based delivery are familiar within the market. Rather, in its commitment to helping companies undertake ediscovery in a better way, Kroll Ontrack is poised to push the provider landscape into a more mature “solutions orientated” approach. Of course, it is easy to overstate the issue. Competitors such as kCura, FTI Technology, Guidance Software, and Recommind offer much the same solution portfolio, and each has its own story. Still, Kroll Ontrack’s vision advances the ball enough that it will likely drive some response from the rest of the landscape.

Learn more about Kroll Ontrack’s strategy for ediscovery.com and how your organization should consider the solution for its needs. Read Blue Hill Research’s Kroll Ontrack Offers Collaboration and Control in Ediscovery.com.


Creating Compliance Incentives: Lessons from Traffic in Boston and Bogotá

As compliance becomes a top risk facing corporate leadership, organizations will expand policies and struggle to articulate new requirements to their workforce. This will also likely drive investments in compliance management, monitoring, and remediation solutions, either under the banner of enterprise governance, risk, and compliance (GRC) or as point tools.

While GRC can help reduce operational costs and exposures, the compliance risks currently facing organizations demand more than the reporting and monitoring capabilities involved in basic deployments. For example, last week, I described how Dodd-Frank drives broad GRC use cases within the financial industry. But the problem is far from localized within one sector or regulatory scheme. Nor is it simply a matter of technology.

It is also a problem of culture. Even where organizations face heavy penalties and top-level executive prioritization of compliance, the urgency can be lost on a workforce that is largely insulated from organizational liability. Too often, organizations take a monitor-and-punish approach and only take action once an employee’s behavior escalates to an addressable issue. This encourages employees to avoid detection as much as it motivates meaningful changes in behavior. Rather, encouraging deeper change requires organizations to identify and build programs that respond to the factors that affect employee behavior.

To understand what this means, let’s explore how two cities have dealt with traffic problems.

I’ll use Boston as an example of a monitor-and-punish approach. The city traffic code contains over 90 sections, on top of state and federal driving requirements. Bostonians must demonstrate knowledge of these requirements and their ability to conform before receiving a driver’s license. Nonetheless, Boston is widely regarded as one of the worst cities in the United States for both driving and traffic law compliance. Nor is the problem enforcement: Massachusetts is ranked 30th among the states for the likelihood of ticket issuance, putting it in the middle of the curve in enforcement. While the city itself has seen lagging enforcement in recent years, its culture of nonconformance long predates that trend. In other words: education, oversight, and enforcement have done little to change Boston drivers’ essential attitudes to traffic law.

Compare Boston to Bogotá, Colombia at the start of the millennium. Like Boston, Bogotá is a city of complex and over-congested streets. Historically, it has had similar problems with congestion and reckless driving, albeit on a different order of magnitude (Bogotá has a population of over 8 million, Boston of little more than 600,000). Nonetheless, under programs initiated by then-mayor Antanas Mockus, Bogotá transformed to a city of relatively serene traffic flows.

Mockus is unusual in politics. An academic as well as a politician, he is known for outlandish stunts and unconventional approaches to urban problems. However, his programs are responsible for dramatic changes in Bogotá’s development in the late 90s and early 2000s. Under Mockus, homicide fell 70%, potable drinking water reached every home, and public sewage systems reached 95% of the populace (up from 71%). Traffic fatalities also declined by over 50% (from an average of 1,300 to about 600 per year) as citizens became more responsible drivers.

This change had little to do with tickets or police enforcement. Rather, Mockus installed over 400 mimes at city intersections. These mimes publicly mocked inconsiderate and reckless drivers and aggressive pedestrians. The program was based on Mockus’s hunch that citizens would fear public embarrassment more than a fine. He was correct, and the result was a vast change in how citizens conducted themselves on the road. When the mimes were removed, the populace largely persisted in their reformed behavior. One critical aspect of this program is that it did not require the additional costs that come with writing a ticket, such as administration, judicial challenges, and processing. However, as Mockus’s programs have drifted deeper into the history books, a rapidly growing population and an outdated infrastructure have created renewed challenges.

Mockus demonstrated how an understanding of incentives can yield more meaningful change than traditional monitoring and oversight. While organizations should not engage in public humiliation of their employees, they will benefit by developing similar levers that encourage employees to self-correct. As one example, Jim Kim at Fierce CFO recently recommended linking executive compensation to improved risk management. That might be a good start, although Bogotá’s experience suggests that community-based incentives may be stronger than financial ones.

I’d like to hear other examples. What has your organization done to change its compliance culture? Has it made an impact? Do you think a program like this could work for your organization?
