Governance, Risk Management & Compliance Insight. Engaging Employees in the Context of GRC 3.0. Bringing GRC to the Coal-Face of Your Organization


Executive Summary

Governance, risk management and compliance (GRC) are a part of everyone's job. For the average employee of the organization, GRC has been confusing and disconnected from what she does. GRC is only as good as your frontline understanding, participation and alignment with GRC. It is no longer enough to have the right GRC documentation; you have to show it is operationally effective. This involves bringing GRC to the coal-face (the frontlines) of the organization through employee engagement in GRC with systems that are simple, relevant, mobile and easy to use.

GRC 3.0 is about delivering GRC technology that minimizes the perception of GRC getting in the way of business. GRC 3.0 delivers engaging GRC user experiences that align with the needs of employees, integrate with organization architecture and systems, and deliver relevant content when and wherever it is needed.

To address GRC engagement, organizations need to utilize GRC solutions that not only meet the needs of back-office oversight and day-to-day management of GRC, but also look toward the front office and the engagement of GRC at all levels of the organization.

September 2013
Michael Rasmussen, Chief GRC Pundit

Table of Contents

The Exposure of GRC at the Frontlines of the Organization
GRC in Distributed, Dynamic and Disrupted Business
Operationalizing GRC Means Employee Engagement
Maturing Perspectives of GRC
GRC 3.0: Broader Paradigms of GRC Participation and Engagement
GRC: Back-Office or Front-Office?
Characteristics of GRC 3.0
Engaging GRC at the Frontline of the Organization
The Value of GRC Engagement
Removing Complexity and Utilizing Simplicity to Engage the Enterprise
How GRC 3.0 Delivers Employee Engagement
GRC Socialization and Collaboration
GRC Mobility
GRC Interactive and Relevant Content
GRC Gamification
GRC Analytics
The Final Analysis: GRC Engagement in GRC
SOLUTION SPOTLIGHT: Convercent
About GRC 20/20, LLC
Michael Rasmussen, Chief GRC Pundit
Research Methodology

The Exposure of GRC at the Frontlines of the Organization

Governance, risk management and compliance (GRC) are a part of everyone's job. Employees and stakeholders at all levels of the organization raise their hands in frustration: "GRC, stop bothering me and let me get my job done." They have no idea how or why they should be involved in GRC. Too often we shovel GRC into the bowels of the organization, thinking it is the responsibility of obscure, behind-the-scenes individuals in the back office. This misperception is a critical issue organizations must address.

The most significant exposures to risk and compliance issues are not in the bowels of the organization; they are at the frontlines. They are at all levels of management and business operations. They cross partner, vendor and supplier relationships throughout the extended enterprise. The exposure of risk and compliance issues at the frontlines of the organization includes:

- Harassment: Inappropriate interaction between a manager and an office employee opens the door to legal issues and litigation.
- Sales: The pharmaceutical sales person who just told a doctor what a drug could do, when the drug has not been approved by the FDA to do it, brings down the next billion-dollar corporate integrity agreement.
- Bribery: Operations just paid a government official to prioritize their contracts in building facilities in a remote country.
- Fraud: The teller at the bank handles transactions all day but fails to understand the basics needed to identify fraud and money laundering.
- Intellectual property: A critical business partner has employees who are not aware of policies, or are not trained on how to handle sensitive information and intellectual property.
- Privacy: The hospital cafeteria worker just overheard a conversation in the lunch line about a celebrity with a terminal illness and is quick to tweet what he just heard.

The scenarios of GRC exposure across business operations and frontline employees are unlimited. Some involve malicious employees, others could be inadvertent mistakes, while some scenarios involve activity that employees should catch and report. However, GRC is part of everyone's job. From the receptionist at the front desk, to the sales person in the field, to the janitorial staff: all have a role in GRC. The organization has to effectively engage employees and educate them about GRC in the context of their role in the organization. The challenge is that organizations need to find a way to get everyone involved in and owning GRC to build integrity across the whole organization and the extended enterprise.

The user experience for GRC has typically been poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality and a lack of centrally coordinated GRC communications. Organizations have ended up with multiple sources of policy, training, surveys, assessments and issue-reporting hotlines. Interaction with these systems has consumed human and financial capital. Interactions are often inconsistently logged in documents and spreadsheets, if they are logged at all. There is no coordination of GRC communication and no way to prioritize messages and employee tasks. The result is e-mails and documents that fly about, slip through cracks, are never responded to, or are simply forgotten.

GRC in Distributed, Dynamic and Disrupted Business

Getting all levels of the organization involved in GRC is complex. Gone are the days of the brick-and-mortar organization where employees start and end their careers. Those days were simple. Organizations could train employees and build on that training over years and decades. Employees became fine-tuned to the organization, its operations and, as a result, its controls, policies, risks and compliance obligations. Employees, relying on years of experience within the same organization, understood processes and knew who could answer questions when they arose. Today, the organization is not only complex but also chaotic, as it is in a constant state of metamorphosis. The organization of the present is:

- Distributed: Business is not done within the traditional brick-and-mortar walls of the organization. Operations are distributed around the world. Even the smallest organization has global clients, suppliers and partners.
Employees are scattered geographically, with many who do not come into any office regularly, often working at home. It has become impossible to determine who an insider or stakeholder is; it certainly is not just employees. Business today is a complex and distributed web of relationships across agents, suppliers, vendors, contractors, consultants, temporary workers, outsourcers, service providers and more. It is not uncommon that more than half of the organization's insiders are not traditional employees, but they still have the same level of risk exposure for their conduct and interactions.

- Dynamic: Business is constantly shifting. The dynamic business of the 21st century has to deal with constant change in:

  - Business: Mergers and acquisitions, divestitures, new operations in remote geographies, new lines of business and products. Organizations must constantly adapt and change to remain competitive and contribute to bottom-line growth in the present and the future. This brings challenges in keeping policies, controls, assessments and training current, while trying to avoid the redundancy that change brings and to avoid overwhelming employees with the training, assessments, policies and controls that result from change.
  - Employees: Employees change at a rapid pace. They enter the organization, change roles and responsibilities, and leave the organization. In some organizations, such as retail, GRC 20/20 finds turnover can be as high as 90 percent or more annually. How does an organization train employees in such a complex and changing environment? When employees change roles there are GRC implications. The organization must screen employees to ensure the employee is the right person for that role and does not bring liability and exposure to the organization, and that they are properly trained and have the necessary experience.
  - Relationships: Suppliers and vendors bring exposure to operations, agents under contract introduce bribery and corruption risk, and temporary workers who may not have been screened are given access to personal financial or health information. The challenge with dynamic business relationships is that change is exponential. Not only is the organization dealing with constant change in its business relationships; each individual relationship is dealing with change in its own employees and downstream relationships. All of this brings risk exposure back to the organization, which sits in the shoes of its extended enterprise relationships.
  - Processes and technology: The organization must also deal with changes to business processes and the technology that supports the organization at all levels. Sometimes controls fail as a system is reconfigured or a process changed, or no one put a control in place at a critical point.
Policies and procedures are not updated to address new or modified processes. New technology brings new risks, as social media and bring-your-own-device trends have illustrated over the past few years. Existing systems may have been secure, but new vulnerabilities are discovered that open the doors of exposure to risk and compliance.

- Disrupted: The intersection of distributed and dynamic business with GRC brings disruption. Change (dynamic business) combined with complexity (distributed operations and relationships) means the organization is easily disrupted in the context of risk and compliance. It is entirely possible that while the organization was fully compliant at noon today, by 12:15 p.m. it is out of compliance. An employee was not trained, a business relationship was entered into without being properly screened or vetted, a transaction occurred that should have been flagged as a bribe or other fraud, or a new vulnerability was found in an IT system, resulting in exposure of personal information.

Operationalizing GRC Means Employee Engagement

GRC is not just for back-office risk experts. For GRC to be successful, organizations must engage employees. It is no longer good enough just to have well-documented policies and controls. Organizations must demonstrate that GRC is active and operational across the organization.

Morgan Stanley in 2012 is a case in point. Morgan Stanley had an individual, Mr. Peterson, in its Asian real-estate business who was involved in corruption. The Department of Justice (DoJ) and Securities and Exchange Commission (SEC) investigated, and for the first time in more than 35 years of the Foreign Corrupt Practices Act (FCPA) they let the organization off the hook and went after only the individual. They praised Morgan Stanley in a memo that stated Morgan Stanley had the right policies to address corruption, and that the policies were maintained in the context of changing risks, regulations and the business. Further, Morgan Stanley could demonstrate the frequency of its interaction with Mr. Peterson on policies and training. Morgan Stanley also monitored transactions. In this case, Morgan Stanley had more than just good policies: it had good processes and systems that showed how employees, like Mr. Peterson, were engaged on policies and training, with the evidence trail to show the SEC and DoJ.

Morgan Stanley: Case Study in Effective GRC Engagement

"Morgan Stanley maintained a system of internal controls meant to ensure accountability for its assets and to prevent employees from offering, promising or paying anything of value to foreign government officials. Morgan Stanley's internal policies, which were updated regularly to reflect regulatory developments and specific risks, prohibited bribery and addressed corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment. Morgan Stanley frequently trained its employees on its internal policies, the FCPA and other anti-corruption laws. Between 2002 and 2008, Morgan Stanley trained various groups of Asia-based personnel on anti-corruption policies 54 times. During the same period, Morgan Stanley trained Peterson on the FCPA seven times and reminded him to comply with the FCPA at least 35 times. Morgan Stanley's compliance personnel regularly monitored transactions, randomly audited particular employees, transactions and business units, and tested to identify illicit payments. Moreover, Morgan Stanley conducted extensive due diligence on all new business partners and imposed stringent controls on payments made to business partners."

Emphasis added to illustrate elements of effective GRC management and engagement. Source of this statement is at: opa/pr/2012/april/12-crm-534.html.

In a report in November 2012, the DOJ and SEC stated they have "often encountered companies with compliance programs that are strong on paper but that nevertheless have significant... violations because management has failed to effectively implement the program even in the face of obvious signs of corruption." [1] Regulators are tired of paper-based compliance programs that look good on paper but fail in operations and employee engagement.

The bottom line: GRC is only as good as your frontline understanding, participation and alignment with GRC. It is no longer enough to have the right GRC documentation; you have to show it is operationally effective. This requires employee engagement in GRC.

Maturing Perspectives of GRC

GRC is not only an integration but also an engagement of governance, risk management and compliance in the context of business. The official definition of GRC is: "A capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance]." [2]

The reliable achievement of objectives is governance; understanding and addressing uncertainty in the context of the business achieving its objectives is risk management; and acting with integrity is compliance. All three provide a natural flow. Governance provides the strategy and objectives that deliver the context for risk management. Risk management, in turn, aims to comprehend and predict uncertainty and to set boundaries and expectations so the organization can reliably achieve those objectives. Compliance ensures the organization stays within the boundaries set by risk management as it aims to reliably achieve objectives.

Organizations have done GRC since the dawn of business. Every organization has one or more approaches to GRC, from the ad hoc and disorganized to the mature and agile.
GRC is part of every business, whether it is called GRC, something else like ERM, or has no name at all. The question to consider is: how mature is the organization's approach to, and employee engagement in, GRC?

[1] This statement was made by the DOJ and SEC on page 57 of their FCPA Resource Guide, found at pdf
[2] This is the only definition for GRC found in a publicly vetted and available standard, the OCEG GRC Capability Model.

While GRC has preexisted its acronym, there have been phases in how organizations have approached GRC as an integrated strategy since the acronym was first used. [3] These are:

- GRC 1.0 (2002 through 2007), the birth of GRC platforms: In this phase organizations focused on documenting internal controls to address regulatory and reporting requirements established by the Sarbanes-Oxley Act (SOX) in the wake of major financial and accounting scandals. GRC 1.0 addressed the challenge of internal controls over financial reporting and SOX compliance, as well as related IT controls. GRC platforms came into existence to help bring a cohesive view to documenting GRC in this context.
- GRC 2.0 (2008 through 2012), the growth of GRC platforms: In this period, GRC took an expanded view to encompass audit, risk management, corporate compliance and IT security. GRC addressed a broader cross-department integration of back-office GRC functions. Most GRC strategies and activities were department-focused, with some top-down enterprise GRC strategies done in organizations. GRC solution providers claimed to have it all and to be the single answer to all GRC challenges. The truth was that the GRC platform is not a silver bullet. The GRC platform, as represented in major analyst reports, was focused on workflow, task management, surveys and content management, with some dashboarding and reporting across the areas of risk, policy, compliance, incident and audit management. GRC 2.0 focused on the back-office functions of documenting and managing GRC but failed to engage employees.
- GRC 3.0 (2013 and beyond), the evolution to GRC architecture and employee engagement: Organizations discovered GRC platforms are not enough. The growing awareness of the distributed nature of GRC and business data, processes and systems, combined with risk and regulatory requirements, created a fundamental shift in GRC approach. GRC is NOT what a single solution provider offers in a GRC platform; instead, GRC is an architecture that brings together strategy, process, information and technology across a range of business systems, activities and data. The organization strives for the integration and engagement of GRC throughout the enterprise to provide complete situational awareness of how risk is pervasive and interconnected with business strategy and operations.

GRC History in a Nutshell

Before GRC 1.0, GRC was scattered and reactive. With GRC 1.0 there was a focus on a few key risk areas involving select silos and transactions, particularly internal control over financial reporting (e.g., SOX). GRC 2.0 took a broader view, bringing more functions into perspective while focusing on an integrated perspective of risk and compliance. GRC 3.0 is about aligning strategy, process, information and technology into a GRC architecture to deliver a holistic understanding of risk in the context of strategy amidst organizational velocity and change. This requires employee engagement and participation in GRC at all levels of the organization.

[3] The author of this report, Michael Rasmussen, was first noted to define and model an integrated approach to GRC using technology, process and information, and to use the acronym in February

GRC 3.0: Broader Paradigms of GRC Participation and Engagement

The core of GRC 3.0 is operationalizing GRC across the fabric of business. This involves bringing GRC to the coal-face of the organization through employee engagement in GRC with systems that are simple, mobile and easy to use at the frontline of the business. "Coal-face" is a term the British use for the frontline operations of an organization. It comes from miners deep in mineshafts at the coal-face harvesting coal. Every organization has a coal-face: the frontline employees engaged in business operations. To maintain integrity and execute on strategy, the organization must be able to engage GRC in the context of its coal-face.

GRC: Back-Office or Front-Office?

In GRC 1.0 and 2.0 the focus was on the back office: risk management, finance, security, compliance and audit. This was, and still is, critical to GRC, but it is no longer enough. GRC needs to move to engage all levels of employees in the organization, as each plays a critical role in GRC in the context of distributed roles and responsibilities. The teller in a bank, the salesperson in life sciences, the field agent in insurance, the contractor in the call center of a hospital, the receptionist at the front desk, the factory worker in manufacturing, or the procurement personnel onboarding the supply chain: all have a part in GRC. GRC extends in all directions throughout the organization: up to executives and the board, down to the frontlines of employees, and across the extended enterprise.
Characteristics of GRC 3.0

GRC 3.0 is about delivering value, integration and alignment of strategy, process, information and technology throughout the organization in the context of GRC. It is an integration of GRC information, processes and systems to engage employees and agents at all levels of the organization. Characteristics of GRC 3.0 include:

- Bringing GRC to the coal-face: Organizations are recognizing that effective GRC includes those on the frontlines of the business, the coal-face of the organization. GRC 3.0 delivers an exceptional end-user experience, getting employees involved by providing intuitive interfaces into GRC that are interactive, engaging and social. GRC solutions need to instruct, inform and be easy to use at all levels. GRC 3.0 engages employees in GRC without leaving them overwhelmed and confused. Employee engagement happens through intuitive interfaces, socialization, collaboration, mobility and gamification.
- GRC intuitive interface design: GRC is using leading concepts in interface design to make the user experience of GRC applications simpler, easy to navigate and aesthetically appealing, and to minimize complexity.
- GRC socialization and collaboration: GRC collaboration and socialization are used to conduct risk workshops, understand compliance in the context of business and get individuals involved in GRC at all levels of the organization.
- GRC gamification: GRC gamification is used, where appropriate, through interactive content and incentives to drive the culture of GRC into decision-making.
- GRC mobility: GRC is embracing mobile technology on tablets and other devices to engage employees in their preferred languages and bring GRC to all levels of business operations.
- Dynamic integration of actionable content: The integration of content and technology is core to GRC 3.0. This involves the delivery of content from knowledge/content providers through GRC solutions to rapidly assess changing regulations, risks, and industry and geopolitical events. Content is tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis. Standardized formats for measuring business impact and reviewing existing processes, policies and controls can then be applied. This integration of actionable content with GRC technology delivers GRC maturity in 3.0 through the achievement of risk and regulatory intelligence.
- 360 GRC contextual awareness: GRC 3.0 brings GRC architecture, operationalization and integrated content together so the organization has a complete view of what is happening, where risk and compliance are monitored and understood in the course of business operations, changing risks and regulations, and interactions. Delivery of GRC contextual awareness requires that GRC be a central nervous system to capture signals found in processes, data and transactions, as well as changing risks and regulations, for interpretation, analysis and holistic awareness of risk in the context of business.
- GRC architecture: The foundation of GRC 3.0 is to understand and approach GRC as an architecture involving strategy, process, information and technology working together across the business and its operations. GRC architecture operates in the context of enterprise/business architecture and requires integration of applications and data to achieve efficiency, effectiveness and agility in a dynamic and distributed business environment. This necessitates that organizations understand the business and how it operates. GRC 3.0 is about integration of applications, processes and data.
- Operationalizing GRC: Achieving a mature GRC architecture involves operationalizing GRC by integrating business applications, processes and data. It is about enabling GRC within business systems such as business intelligence, performance and ERP environments. This provides real-time insight into business decisions, operational intelligence and monitoring in the context of risk and compliance. This is best done as noninvasively as possible. GRC needs to integrate with a range of applications and share data between them to provide holistic awareness of risk in the context of business. GRC 3.0 is a way to connect and leverage existing investments.

Engaging GRC at the Frontline of the Organization

GRC 1.0 and 2.0 were successful in coordinating the back end of GRC: the ability to manage workflow and tasks, conduct assessments, maintain policies, manage incidents, document controls, and report on and analyze risk. GRC systems were used to communicate policies and conduct surveys and assessments. However, the experience for the frontlines of the organization has been fair to poor. Most implementations were overly technical and often confused average employees instead of helping them get questions answered and understand what is expected of them. The result: GRC for the average employee of the organization has been confusing and disconnected from what they do. Too often they see GRC activities as a burdensome task that gets in the way of real work, with no real value provided.
GRC 3.0 expands the focus of GRC to employees and stakeholders at all levels of the organization. Back-end management and oversight of risk and compliance is still needed; however, the front-end user experience is dramatically improved to engage employees and stakeholders and to ensure they are connected to GRC in the context of their roles and responsibilities. In GRC 3.0 employee engagement is critical, not optional.

The Value of GRC Engagement

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

- Effective: At the end of the day it is about effectiveness. How does the organization ensure risk and compliance are effectively understood, monitored and managed at all levels of the organization? That policies are not only read but understood, that employees are trained properly, that they know how to ask questions when in doubt and how to report issues, and that they know how to be intelligent about risk in their specific context.
- Efficient: GRC engagement provides efficiency and savings in both human and financial capital. GRC should reduce operational costs by providing access to the right information at the right time for employees, and reduce the time spent searching for answers (or just giving up). GRC efficiency is achieved when there is a measurable reduction in the human and financial capital resources needed to address GRC in the context of business operations.
- Agile: GRC engagement delivers business agility when organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate the GRC context of these changes to employees. GRC engagement is measured in responsiveness to events and issues, so organizations can identify and react quickly to incidents because they are reported in a timely manner.

Removing Complexity and Utilizing Simplicity to Engage the Enterprise

Employee engagement in GRC 3.0 requires GRC technologies to extend across the organization, even to extended third-party relationships such as vendors, suppliers, agents, contractors, outsourcers, service providers, consultants and temporary workers. Engaging stakeholders at all levels of the organization requires GRC technologies that are relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a world permeated by social technology. GRC needs to engage employees, not frustrate or bore them. It has to be easy to use and interact with.
Delivering on the vision of GRC 3.0 and employee engagement requires that employees have an interface into GRC. This includes the components of GRC such as policies, training, issue reporting, assessments, metrics and reporting. The challenge most organizations must consider in employee engagement is how the organization does the following:

- Get everyone involved: Organizations must deploy systems that are contextually relevant to employees, without them having to wade through a lot of information, tabs, screens or reports to get to what they need. The employee experience needs to be interactive and appealing. GRC should provide the information needed in the employee's language, along with links to related information the employee needs but may not be aware of.

- Align messages with values: GRC engagement must communicate GRC in the context of the organization's objectives, strategy, culture and values. It is critically important that employees understand the "why" of GRC. Employees and stakeholders need to understand that GRC is more than regulatory bureaucracy and troublesome risk reporting; it is something relevant in the context of their role in the organization. GRC is about the achievement of objectives in the context of uncertainty and acting with integrity.
- Use technology to engage: GRC engagement requires alignment of technology to the needs of employees. GRC, in the past, has been focused on technology for risk and compliance professionals and not on engaging and interactive experiences for all levels of the organization. This requires interfaces to be engaging, social, mobile and relevant to the broader employees and stakeholders of the organization.
- Deliver the right content to get the message across: Engaging employees requires that GRC deliver interactive experiences that provide the right context for the employee. This means integrating content and technology into a cohesive GRC user experience that connects everything together with one thought in mind: the employee experience.

It has been stated that: "Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction." [4] A primary directive of GRC 3.0 is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The GRC 3.0 goal is simple; it is itself simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just the absence of clutter or the removal of embellishment. It is about offering up the right GRC information, in the right place, when the individual needs it.
It s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive. GRC 3.0 can be contrasted with the past experience of employees to the present needs that build the future of GRC: Past GRC approaches offered disconnected systems where an employee gets an about a new policy, clicks on a link to go to the policy and reads it in a text-heavy interface, then has to click on a link to take training on another system, and then has to link to a survey to test their 4 This quote has been attributed both to Einstein and E.F. Schumacher. 13

14 understanding, and in all of this there are no places provided to ask questions or find other relevant resources. Present into the future of GRC is about integrating technologies and content to deliver an engaging experience that is interactive and connected. Where an employee clicks on the new policy and the training is delivered right in the same interface with the policy actually embedded into the same page as the policy flows around it. Other interactive content is delivered such as games that illustrate the policy. How GRC 3.0 Delivers Employee Engagement GRC Socialization and Collaboration GRC 3.0 provides a social experience. This is an era of social networking at both a personal and professional level. GRC engagement is accomplished through socialization of GRC within the organization. This involves: Getting questions answered: Employees need to be able to ask questions and get them answered. This means that GRC solutions should provide contextually relevant information as well as pathways to get questions answered. This may involve an FAQ section for policies and assessments, or a place to comment and interact with other employees and see if a question has been answered before. GRC 20/20 is seeing organizations that want chat features in GRC solutions: if the GRC subject matter expert is at their desk, employees can engage them through the GRC interface to ask questions on a policy, training, issue or assessment. Provide two-way communication: Employees not only need to be able to ask questions and get them answered, they also come up with ideas and ways to improve GRC. Perhaps it is an idea on a new initiative related to corporate values, to report a new risk, or make a control more efficient. GRC needs mechanisms to provide interaction on values, code of conduct, policies, 14

trainings, risks or incidents. It is more than just getting employees to take training or read a policy; it is about getting employees engaged through interaction and becoming part of GRC.

Sharing information: Getting employees engaged is about sharing information, such as the ability to "like" a training initiative and share it with others in the organization. This allows the organization to see what works and keeps employees engaged. It gives employees a way to share information they find relevant and interesting, and it provides feedback on what does not work.

Connecting the dots through collaboration: Often elements of GRC, such as risk workshops, are done in ways that are not ultimately effective. A common problem is that individuals modify their responses based on what they think people want to hear. This cognitive and behavioral bias in a workshop has an impact on the accuracy of the results. When a group of stakeholders collaborates on risk, there can be one or two strong voices and everyone follows suit. When an employee's manager is in the same room and the employee knows the manager strongly disagrees with an opinion, how likely is she to express it? GRC 3.0 bypasses stakeholder interests by using technology to engage individuals in an environment in which they can express their true opinion, without fear of consequences. Social and collaborative technologies provide a way for individuals in a workshop to anonymously enter thoughts and opinions, capturing unbiased information that builds toward stronger discussions and deeper analysis. GRC 3.0 allows for collaboration on GRC across broad geographic boundaries without the need for everyone to be in the same physical location.

GRC Mobility

GRC 3.0 involves GRC engagement through the use of mobile technologies to make GRC accessible and efficient. This involves developing mobile apps (such as tablet apps) for GRC that deliver:

Policies and training: A lot of employees do not have computers, and some that did are now being issued tablets. GRC engagement includes delivery of policies and training on mobile devices. This works particularly well in manufacturing and retail environments, where a tablet could be deployed as the policy and training kiosk for employees.

Surveys and assessments: Employees often have to answer surveys and assessments and can now use mobile devices to get the job done. Consider assessments that require not only answers to questions but also pictures: integrated cameras can capture information related to the assessment without the need for digital cameras and moving files.

Issue reporting: Mobility is an excellent way to capture and report incidents. Employees can

quickly pull up an app on their phone and report an issue. This could be a coworker committing theft, harassment, or even a health and safety situation. Mobility allows for quick reporting without drawing attention to oneself. It also allows integrated cameras to capture a visual of the issue at the moment.

Investigations: Mobility is an excellent platform for managing investigations and cases. Assessments can be done, evidence photos attached, barcodes on evidence bags scanned and even interviews captured with integrated audio and video.

Reporting: Mobility provides an engaging experience to get reports and drill into them wherever and whenever needed. If risk is trending in a certain direction and alerts are going off, risk owners can be alerted and dive into details even while away from their desk.

GRC Interactive and Relevant Content

GRC 3.0 delivers interactive and relevant content in the context of the user. The user could be a risk manager, but also could be an employee on the frontlines of the business or an employee at a business partner such as a supplier. GRC 3.0 brings together the scattered pieces of information into a cohesive system, such as:

Policies and training: Policies and training come together into a unified employee experience. Policies are displayed along with training. Training is more than just playing a video; it is interactive, showing that employees are at their desk engaged in the activity and not off getting a coffee. Relevant resources are easily accessible and provided in the same interface without hopping between disconnected systems.

Issue reporting: Employees can easily report issues and, in doing so, are provided with relevant policies, procedures and controls for the areas they are reporting incidents and issues around. This gives them contextual information to see whether what they are reporting is an issue or not and helps educate them as they engage in GRC.

Surveys and assessments: Employees have to answer surveys and assessments. In the past these have been static; with GRC 3.0 it is about interactive content. As employees answer questions they can look up relevant policies and other information in the context of the assessment, so that their answers are informed and relevant.

GRC Gamification

GRC 3.0 is about employee engagement through interactive experiences, recognition and rewards. It

is not about trivializing GRC, but about using content and technology to engage, communicate and allow for broader participation when and where it makes sense. GRC gamification includes:

Interactive content: Getting employees involved through video, comedy and games to educate on risk, policy and compliance. It could be an interactive adventure where employees choose their path when presented with different ethical options in the context of business. Games, puzzles and illustrations help answer questions, develop skills and communicate a point.

Recognition and awards: Employees can engage with GRC to gain points, accomplish levels, earn badges and gain recognition of skills achieved. Perhaps an employee has gone through all the health and safety training, has read and attested to policies and has taken a quiz to validate understanding. As a result they get a health and safety badge on their corporate profile/avatar. Recognition can be given when people complete assessments, discover and report issues, educate others and champion GRC in different ways. This is all linked back to GRC technology to track and promote this activity, as well as to broader corporate HR and collaboration technologies.

GRC Analytics

GRC 3.0 delivers deeper metrics and analytics through stronger employee engagement. This involves integrating data from various business systems (HR, finance, other GRC solutions, etc.) to create dashboards on the health of an organization in the context of GRC. This analysis helps a company create not just better policies and training, but also more engaged employees around risk boundaries, ethics and values, resulting in a greater understanding of corporate integrity and an improved corporate culture. Consider the following:

Alignment: Employee engagement feeds into analytics to ensure the culture of the organization, its values and risk boundaries are understood and supported.

Reception: It allows employees to rate various policies and training programs to determine what was well received and what was not. Did they understand the policy (on a scale of one to five, or a thumbs up or down on a policy)? Was the training interesting, appropriate and informative? Are there things around policies or training they still don't understand?

Relationship: Engaged employees help show the connection between elements of GRC. Can we show a reduction in issues because of a training program? Are fewer questions asked because of an improved policy? Is there a relationship between risk scores going down and an improved ability of employees to recognize and report on risk?

The Final Analysis: GRC Engagement in GRC 3.0

In the end, GRC 3.0 is about delivering GRC technology that minimizes the perception of GRC getting in the way of business. Instead, through GRC 3.0 and engagement, GRC becomes a part of business and the culture of the organization. There is an element of risk and compliance that will always be inhibitive; GRC 3.0 overcomes this by delivering engaging GRC user experiences that align with the needs of employees, integrate with organization architecture and systems, and deliver relevant content when needed, wherever it is needed. To address GRC engagement, organizations need to utilize GRC solutions that not only meet the needs of back-office oversight and day-to-day management of GRC, but also look toward the front office and the engagement of GRC at all levels of the organization.

SOLUTION SPOTLIGHT: Convercent
Bringing Employee Engagement to the Frontlines

Convercent is a vendor in the GRC market that GRC 20/20 has researched and evaluated. The Convercent solution delivers on providing employee and stakeholder engagement on GRC at all levels of the organization. The Convercent approach leverages intuitive interface design, interactive and relevant content, mobility and collaboration to provide greater operational and contextual awareness of GRC across the enterprise. This comes together in dashboards, reporting and analytics that enable management to immediately identify risk at an individual, group or corporate level. Specific capabilities Convercent delivers that GRC 20/20 has identified as valuable to organizations looking for a strategic approach to GRC engagement across stakeholders and employees are:

Integration: Convercent offers an integrated solution that allows the organization to manage policies, track employee education and streamline issue reporting and case management in one platform. The integration of policy, training and case management with the organization's mission and values results in predictive intelligence that lets the organization mitigate risk by staying ahead of problems.

Visibility: Through this integration, Convercent solutions provide visibility at all levels of the organization so it can identify risks before they become problems. This provides the contextual awareness of GRC that organizations need.

Streamlined communication: Integration of policies and training gives organizations the ability to send focused communications to identified individuals, groups or the whole organization, including the extended enterprise, and to track participation.

Mobility: Core to Convercent's architecture is mobility. They understand that technology is more than workstations and laptops and that the organization needs multiple pathways into GRC through tablet and other mobile device platforms.

Issue reporting and case management: Capabilities, particularly in issue intake and case management, make it simple and easy for the organization to identify and respond to issues. This includes multiplatform intake (computer, calling, mobile, etc.) with intuitive case management.

Analytics: The Convercent solution allows organizations to provide deeper analytics through integration, achieving a complete view of GRC through dashboards and reporting that are easy to use, understand and drill into.

Internationalization: Convercent solutions are built for the global enterprise, with international language support in the architecture of the platform. The solution supports approximately 50 languages, including double-byte languages, for greater GRC engagement and collaboration.

Intuitive and interactive: The solution is designed to be intuitively interactive through two-way communication with employees and stakeholders, providing integrated abilities for them not only to be informed, but also to ask questions and get responses.

September 2013, Analyst: Michael Rasmussen

Ease of deployment: Using cloud and mobile technologies, GRC 20/20 finds that the Convercent solution is quick to get up and running even in complex environments. This includes integration points with primary business, HR and ERP applications where necessary. Clients report the ability to get engaged with Convercent solutions in days to weeks, not months.

GRC health monitoring: Convercent aligns individual behaviors with corporate values and obligations. Their integrated solution provides instant visibility into the organization so it can identify risk at the individual, department, location or enterprise level, and monitor and score the overall GRC health of the organization. This includes measuring the progress of various campaigns and initiatives.

About GRC 20/20, LLC

GRC 20/20 provides independent and objective research and analysis on topics related to governance, risk management and compliance (GRC). Our analysts bring real-world expertise, independence, creativity and objectivity to help organizations understand and apply strategies and technology to meet their GRC challenges. Whether the focus is a specific issue or an enterprise-wide GRC strategy, clients seek GRC 20/20 analyst advice in achieving sustainable and pragmatic innovation. GRC 20/20 advises the entire ecosystem of GRC solution buyers, solution providers and vendor clients. We serve the needs of organizations that seek insight, guidance and advice in dealing with a dizzying array of disruptive business models and technologies.

Michael Rasmussen, Chief GRC Pundit

Michael Rasmussen is an internationally recognized pundit on governance, risk management and compliance (GRC) with specific expertise on the topics of corporate compliance, business ethics, policy management and corporate culture. With 18+ years of experience, Michael helps organizations improve GRC processes and choose technologies that are effective, efficient and agile. He is a sought-after keynote speaker, author and advisor, and is noted as the "Father of GRC", being the first to define and model the GRC market in

Research Methodology

In this report, GRC 20/20 Research, LLC conducted qualitative research and analysis through interviews with GRC professionals in Fortune 1000 organizations along with briefings from GRC solution providers. The focus of these interviews and briefings was to identify drivers and trends influencing GRC processes and technology in the market, with a particular focus on GRC engagement across the enterprise.

All GRC 20/20 research is based on quantitative and/or qualitative research. The foundation for GRC 20/20 comes through interactions with organizations across industries and the GRC professional roles within those organizations. The GRC roles within these organizations span the context of audit, corporate compliance, corporate social responsibility, ethics, finance, health and safety, human resources, information technology, legal, quality, risk management, security, and vendor and supply-chain professionals. These interactions provide the foundation GRC 20/20 uses to interact with GRC solution providers through briefings to understand their products and strategy for addressing the immediate and forthcoming needs of GRC professionals within organizations. GRC 20/20 collects and gathers data through phone interviews, interactions, in-person advisory and surveys. As part of this process, GRC 20/20 collects market information and data on the solution providers and their offerings to size, forecast and trend the GRC market as a whole along with its various segments. All of this is supported by analyst professional experience and years of insight analyzing GRC processes and the role of GRC technology and solutions in making them more effective, efficient and agile to the needs of organizations today.

GRC 20/20 Research, LLC and/or its affiliates. All rights reserved. This publication may not be reproduced or distributed in any form without GRC 20/20's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of GRC 20/20's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although GRC 20/20 research may include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research should not be construed or used as such.

Bayfield Drive, Waterford, WI, USA
info@grc2020.com


More information

Predictive Insight, Automation and Expertise Drive Added Value for Managed Services

Predictive Insight, Automation and Expertise Drive Added Value for Managed Services Sponsored by: Cisco Services Author: Leslie Rosenberg December 2017 Predictive Insight, Automation and Expertise Drive Added Value for Managed Services IDC OPINION Competitive business leaders are challenging

More information

White Paper. How to Write an MSSP RFP

White Paper. How to Write an MSSP RFP White Paper How to Write an MSSP RFP https://www.solutionary.com (866) 333-2133 Contents 3 Introduction 3 Why a Managed Security Services Provider? 5 Major Items to Consider Before Writing an RFP 5 Current

More information

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification A CLOSER LOOK Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company

More information

GET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS.

GET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS. GET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS. Cloud computing is as much a paradigm shift in data center and IT management as it is a culmination of IT s capacity to drive business

More information

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan Ready, Willing & Able Michael Cover, Manager, Blue Cross Blue Shield of Michigan Agenda 1. Organization Overview 2. GRC Journey Story 3. GRC Program Roadmap 4. Program Objectives and Guiding Principals

More information

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats SELLING YOUR ORGANIZATION ON APPLICATION SECURITY Navigating a new era of cyberthreats Selling Your Organization on Application Security 01 It's no secret that cyberattacks place organizations large and

More information

Best Practices in Securing a Multicloud World

Best Practices in Securing a Multicloud World Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers

More information

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

Symantec Data Center Transformation

Symantec Data Center Transformation Symantec Data Center Transformation A holistic framework for IT evolution As enterprises become increasingly dependent on information technology, the complexity, cost, and performance of IT environments

More information

THE JOURNEY OVERVIEW THREE PHASES TO A SUCCESSFUL MIGRATION ADOPTION ACCENTURE IS 80% IN THE CLOUD

THE JOURNEY OVERVIEW THREE PHASES TO A SUCCESSFUL MIGRATION ADOPTION ACCENTURE IS 80% IN THE CLOUD OVERVIEW Accenture is in the process of transforming itself into a digital-first enterprise. Today, Accenture is 80 percent in a public cloud. As the journey continues, Accenture shares its key learnings

More information

Cybersecurity. Securely enabling transformation and change

Cybersecurity. Securely enabling transformation and change Cybersecurity Securely enabling transformation and change Contents... Cybersecurity overview Business drivers Cybersecurity strategy and roadmap Cybersecurity in practice CGI s cybersecurity offering Why

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL

Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL Shifting budgets and responsibilities require IT and physical security teams to consider fundamental change in day-to-day

More information

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas

More information

Big data privacy in Australia

Big data privacy in Australia Five-article series Big data privacy in Australia Three actions you can take towards compliance Article 5 Big data and privacy Three actions you can take towards compliance There are three actions that

More information

Fifteen Best Practices for a Successful Data Center Migration

Fifteen Best Practices for a Successful Data Center Migration Fifteen Best Practices for a Successful Data Center Migration Published: 6 March 2017 ID: G00324187 Analyst(s): Henrique Cecci Data center migrations are often complex and risky. These best practices will

More information

Data Management and Security in the GDPR Era

Data Management and Security in the GDPR Era Data Management and Security in the GDPR Era Franck Hourdin; Vice President, EMEA Security Russ Lowenthal; Director, Database Security Product Management Mike Turner; Chief Operating Officer, Capgemini

More information

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance

More information

NEXT-GENERATION DATACENTER MANAGEMENT

NEXT-GENERATION DATACENTER MANAGEMENT NEXT-GENERATION DATACENTER MANAGEMENT From DCIM to DCSO Sometimes described as the operating or ERP system for the datacenter, datacenter infrastructure management (DCIM) is a technology that helps operators

More information

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief RSA Solution Brief Managing Risk Within Advanced Security Operations RSA Solution Brief How do you advance your security operations function? Increasingly sophisticated security threats and the growing

More information

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE Overview all ICT Profile changes in title, summary, mission and from version 1 to version 2 Versions Version 1 Version 2 Role Profile

More information

Making hybrid IT simple with Capgemini and Microsoft Azure Stack

Making hybrid IT simple with Capgemini and Microsoft Azure Stack Making hybrid IT simple with Capgemini and Microsoft Azure Stack The significant evolution of cloud computing in the last few years has encouraged IT leaders to rethink their enterprise cloud strategy.

More information

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services Building YOUR Privacy Program: One Size Does Not Fit All Justine Gottshall Partner, InfoLawGroup, LLP Chief Privacy Officer, Signal Jgottshall@infolawgroup.com Adam Nelson Executive Consultant Global Data

More information

KuppingerCole Whitepaper. by Dave Kearns February 2013

KuppingerCole Whitepaper. by Dave Kearns February 2013 KuppingerCole Whitepaper by Dave Kearns February 2013 KuppingerCole Whitepaper Using Information Stewardship within by Dave Kearns dk@kuppingercole.com February 2013 Content 1. Summary... 3 2. Good information

More information

Recommendations on How to Tackle the D in GDPR. White Paper

Recommendations on How to Tackle the D in GDPR. White Paper Recommendations on How to Tackle the D in GDPR White Paper ABOUT INFORMATICA Digital transformation changes expectations: better service, faster delivery, with less cost. Businesses must transform to stay

More information

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,

More information

Cybersecurity and the Board of Directors

Cybersecurity and the Board of Directors Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education

More information

What is ISO/IEC 20000?

What is ISO/IEC 20000? An Introduction to the International Service Management Standard By President INTERPROM July 2015 Copyright 2015 by InterProm USA. All Rights Reserved www.interpromusa.com Contents INTRODUCTION... 3 SERVICE

More information

McAfee Total Protection for Data Loss Prevention

McAfee Total Protection for Data Loss Prevention McAfee Total Protection for Data Loss Prevention Protect data leaks. Stay ahead of threats. Manage with ease. Key Advantages As regulations and corporate standards place increasing demands on IT to ensure

More information

Cisco Smart+Connected Communities

Cisco Smart+Connected Communities Brochure Cisco Smart+Connected Communities Helping Cities on Their Digital Journey Cities worldwide are becoming digital or are evaluating strategies for doing so in order to make use of the unprecedented

More information

The University of Queensland

The University of Queensland UQ Cyber Security Strategy 2017-2020 NAME: UQ Cyber Security Strategy DATE: 21/07/2017 RELEASE:0.2 Final AUTHOR: OWNER: CLIENT: Marc Blum Chief Information Officer Strategic Information Technology Council

More information

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model How to Optimize Cyber Defenses through Risk-Based Governance Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model The Goal: Risk-Based Operationalization Incident Management IT/IS

More information

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Charting the Course... Certified Information Systems Auditor (CISA) Course Summary Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business

More information

Hybrid IT for SMBs. HPE addressing SMB and channel partner Hybrid IT demands ANALYST ANURAG AGRAWAL REPORT : HPE. October 2018

Hybrid IT for SMBs. HPE addressing SMB and channel partner Hybrid IT demands ANALYST ANURAG AGRAWAL REPORT : HPE. October 2018 V REPORT : HPE Hybrid IT for SMBs HPE addressing SMB and channel partner Hybrid IT demands October 2018 ANALYST ANURAG AGRAWAL Data You Can Rely On Analysis You Can Act Upon HPE addressing SMB and partner

More information

PPR TOKENS SALE PRIVACY POLICY. Last updated:

PPR TOKENS SALE PRIVACY POLICY. Last updated: PPR TOKENS SALE PRIVACY POLICY Last updated: 05.03.2018 STATUS AND ACCEPTANCE OF PRIVACY POLICY 1. This Privacy Policy (hereinafter referred to as the Policy ) sets forth the general rules of Participant

More information

SAP: Speeding GRC Control Testing by 90% with SAP Solutions for GRC

SAP: Speeding GRC Control Testing by 90% with SAP Solutions for GRC 2015 SAP SE or an SAP affiliate company. All rights reserved. SAP: Speeding GRC Control Testing by 90% with SAP Solutions for GRC By implementing its solutions for governance, risk, and compliance (GRC),

More information

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP Six Weeks to Security Operations The AMP Story Mike Byrne Cyber Security AMP 1 Agenda Introductions The AMP Security Operations Story Lessons Learned 2 Speaker Introduction NAME: Mike Byrne TITLE: Consultant

More information

Modern slavery and human trafficking statement 2017

Modern slavery and human trafficking statement 2017 Modern slavery and human trafficking statement 2017 Ericsson.com Statement for financial year 2017 Introduction Conducting business responsibly is the foundation of Ericsson s commitment to sustainability

More information

POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS

POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS Prepared by: Approved by: Chief Procurement Officer John Baskerville Chief Executive File number: D2015/65737 June 2015 MANAGEMENT

More information

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b) AGENDA ADDENDU TE REGULAR EETING OF TE AUDIT COITTEE COITTEE PUBLIC SESSION Tuesday, June 6, 2017 6:30 P.. Pages 13. Staff Reports 13.f Toronto Catholic District School Board's IT Strategic Review - Draft

More information

Implementing ITIL v3 Service Lifecycle

Implementing ITIL v3 Service Lifecycle Implementing ITIL v3 Lifecycle WHITE PAPER introduction GSS INFOTECH IT services have become an integral means for conducting business for all sizes of businesses, private and public organizations, educational

More information

Driving Global Resilience

Driving Global Resilience Driving Global Resilience Steve Mellish FBCI Chairman, The Business Continuity Institute Monday December 2nd, 2013 Business & IT Resilience Summit New Delhi, India Chairman of the Business Continuity Institute

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 37001 Lead Auditor www.pecb.com The objective of the Certified ISO 37001 Lead Auditor examination is to ensure that the candidate possesses

More information

Run the business. Not the risks.

Run the business. Not the risks. Run the business. Not the risks. RISK-RESILIENCE FOR THE DIGITAL BUSINESS Cyber-attacks are a known risk to business. Today, with enterprises becoming pervasively digital, these risks have grown multifold.

More information

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com Better together KPMG LLP s GRC Advisory Services for IBM OpenPages implementations kpmg.com KPMG A leader in GRC services KPMG LLP (KPMG) is the U.S. member firm of the KPMG global network of professional

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

Why Enterprises Need to Optimize Their Data Centers

Why Enterprises Need to Optimize Their Data Centers White Paper Why Enterprises Need to Optimize Their Data Centers Introduction IT executives have always faced challenges when it comes to delivering the IT services needed to support changing business goals

More information

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES Introductions Agenda Overall data risk and benefit landscape / shifting risk and opportunity landscape and market expectations Looking at data

More information