Posts tagged "compliance"

Why is GRC an Important Topic?

In May, I wrote about the fact that there is no commonly accepted definition of GRC. While it is understood that the acronym stands for Governance, Risk Management and Compliance, each consultant and vendor — to the consternation of practitioners — seems to use a different definition to explain the meaning of GRC. As important as defining GRC is the question, "why talk about it at all?"

Defining GRC

I suggested the definition developed by the Open Compliance and Ethics Group (OCEG). In its GRC Capability Model, Red Book 2.0 (April 2009), OCEG defines GRC as a “system of people, processes, and technology that enables an organization to:

  • Understand and prioritize stakeholder expectations.
  • Set business objectives that are congruent with values and risks.
  • Achieve objectives while optimizing risk profile, and protecting value.
  • Operate within legal, contractual, internal, social, and ethical boundaries.
  • Provide relevant, reliable, and timely information to appropriate stakeholders.
  • Enable the measurement of the performance and effectiveness of the system.”

Putting it even more simply and focusing on the essence of GRC, it's how you run the organization to optimize results. To do this on a sustainable basis, you must manage risks and ensure compliance.
I prefer this definition for a couple of reasons:

  1. It has credibility, as it is independent from any single vendor or service provider. It was developed by a team with representatives from practitioners working within organizations as well as software vendors and business consultants. (Full disclosure requires that I tell you SAP is a charter member of OCEG, and I am an OCEG Fellow).
  2. GRC is not about technology. It is about certain business issues common to organizations of all forms (public and private, for-profit and not-for-profit), in all industries and all geographies. This definition takes that business perspective.

(Editor's Note: You can read more on the topic of GRC from Norman Marks, starting with What is GRC?)

Why Talk About GRC?

There are two primary reasons why a discussion around GRC has value.

1. The Inter-relationship of Governance, Risk Management and Compliance

Leadership at OCEG talks about something they call “Principled Performance”.

Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.

They have linked the drive towards optimized performance to the management of risk, while emphasizing the importance of remaining in compliance with laws, regulations and society’s expectations for conduct. Who can deny that an unbridled focus on rewards, without consideration of risks and obligations, is unacceptable and unsustainable in the long term?

The need to relate performance, risk and strategy is further illustrated by several problems that became evident during the financial collapse and economic crisis:

  • The failure to link strategy and risk. While companies may have had risk management processes, they didn’t always adjust strategies when new risks emerged or risk levels changed. In addition, not every company included the consideration of risks, and how they would be managed, in setting strategies and operating plans.
  • The failure of board and executive oversight of risk management. This has been well-documented. Boards have not been focused on risk management, and in some cases the level of risk was not effectively communicated to either top management or the board.
  • A failure to embrace risk management, making it instead “something you do on Fridays”. Too many organizations have implemented periodic risk assessments, but have not made the consideration and management of risk part of their daily business life. Risks change far too quickly for quarterly attention.

2. The Problem of Fragmentation and the Need for ‘GRC Convergence’

Too often, organizations have multiple groups responsible for the various functions and processes involved in GRC. The groups operate in silos, don’t share information and have a multiplicity of frameworks and systems.

The result is not only inefficiency (including redundancy) and likely gaps in coverage, but also a failure to get a clear view of organizational risk levels. This holistic view of risks is necessary if management and the board are to steer the organization and make appropriate decisions based on complete, accurate and timely information.

GRC convergence is about eliminating the silos and fostering coordination. Some talk about ‘federated GRC’, describing how the various groups responsible for different aspects of GRC work in a collaborative fashion — for example, using the same risk language and measures — to optimize overall processes and results.

A GRC Mindset

Technology can help address each of these business issues. For example, risk management software can be integrated with software solutions for strategy management. The same risk management solution can be used by IT, Finance, Supply Chain, Legal and others.

But, before technology can be an enabler, there has to be what I would call a ‘GRC mindset’: the acknowledgement that there is a need to optimize performance through managing risks, while staying in compliance. Performance needs to be principled if it is to be optimized and sustainable.

That’s the value of talking about GRC: it involves looking at how the organization is directed and managed, and recognizing and then resolving the issues of inter-relationship and fragmentation.

linkedFA Offers Social Networking for Financial Advisors, Investors

A Partner, Not a Threat

While the financial industry struggles to figure out how social media can be successfully integrated, linkedFA went ahead and built a model that meets FINRA regulations, while enhancing the professionalism of financial advisors and broadening investors' access to their advisors.

But Byrne wants linkedFA to be seen as a partner, not as a threat to the financial industry. He and the other founding members of linkedFA understood not only the challenges being faced by financial advisors, but also that there was a great need for CRM at the broker/dealer level. Naturally, social media was the solution.

Released only recently, linkedFA has been positively received. For now, mostly independent advisors are among its users, but large broker houses are on board, just waiting to finalize details and decisions before joining.

Five Key Differentials

While Byrne says that most financial investors acknowledge the merits of social media, linkedFA focuses on five key differentials, designed to maximize communication and compliance.

First, linkedFA may be a social networking site but it’s all business. Its business-centric model allows advisors and investors to talk shop, while keeping the professional separated from the personal.

Figure 1. Investor dashboard

With its compliance controls, linkedFA automatically records and stores all communications and content for at least six years, supporting the retention requirements that regulatory bodies impose on financial professionals. Financial industry professionals can request a custom export of their communications under the compliance feature at any time.

“Your personal life is your business, but it’s not good for business,” says Byrne. linkedFA provides a degree of reputation management, requiring advisors to approve any comment posted and offering three different profile templates from which to customize appropriately for the audience intended: advisors, marketers and investors.

Advisors needn’t worry about having their clients poached by the competition. With its privacy protection, other advisors can’t see your investors, unless there is a shared connection.

Figure 2. Message & Notification Settings

Finally, linkedFA believes that social networking is about referrals. When investors invite others to join linkedFA, the new users are automatically linked to the advisor’s network.

Moving Forward

As feedback from beta users trickles in, linkedFA is prepared to launch updates as needed. Additionally, as more broker houses come aboard, new features may emerge.

Ultimately, linkedFA aims to bring advisors and investors together while maintaining compliance and transparency.

GRC Roll-up: The Impact of Social Media and Governance

Companies have been contemplating compliance and governance issues for decades. But it’s only recently that they’ve been tackling the challenge that social media brings to corporate governance, risk and compliance. This week we examine a few of the elements impacting the industry.

Social Media Governance

According to Irwin Lazar, vice president of communications and collaboration research at Nemertes Research, enforcing social media governance isn’t just a project for human resources. Lazar says that the responsibility also belongs to message compliance specialists, who need to monitor employees to make sure they aren’t intentionally or inadvertently breaking policy with their posts and tweets.

Breaking policy, however inadvertently, is an issue. According to the fifth annual Usage Trends, End User Attitudes and IT Impact survey by FaceTime Communications, about 14% of IT managers surveyed in December 2009 reported having data leaked through social networks. Another 18% said they had taken disciplinary action over incidents that occurred through employee use of social media.

Couple that with research recently published by Cisco Systems, which found a significant lack of policies and procedures for enterprise social media use, even though 95% of users said they use social media at work for business or personal reasons. Bottom line? Social media governance is in trouble.

Is Social Media the Answer?

Which may be why Keith Kochberg says that social media “can be more trouble and expense than it's worth, and it can even do more harm than good.” Considering the results reported above, such statements may not be much of an overreaction.

Social media, Kochberg says, takes time and lots of oversight to achieve the return on investment that many companies are searching for. Yet, social media can offer lots of interaction and engagement, which can result in elevated customer retention when done correctly.

Social Media Solutions for the Enterprise

If your company is undeterred by the challenges that social media presents to the enterprise, then you might want to check out the new social networking site designed specifically for financial advisers to communicate with their investors. It lets advisers maximize their communication and engagement with investors while also helping them meet FINRA compliance requirements.

While there isn’t a magic solution for managing social media compliance, all companies are strongly encouraged to create policies that can make governance more manageable. What social media governance strategies is your company initiating?

GRC Roll-up: Google Buzz, HITECH and Protecting High Value Data

This week, GRC chases social media, hospitals find themselves unprepared for new changes in records management and corporations risk losing valuable data.

Privacy v. Google Buzz

It’s not often that the worlds of social media and GRC overlap, but such is the case with Google Buzz. As you probably know, Buzz is Google’s social networking and messaging tool designed to integrate into Gmail.

As the rest of the world tries to figure out how exactly to embrace Buzz, financial advisers are also trying to figure out the compliance and regulatory ramifications. Google automatically enrolled Gmail users in the Buzz service and revealed the identities of the people they email most frequently (users' full names, not their nicknames) to every one of their contacts.

Additionally, financial advisory professionals must archive their social media content, and at present Buzz doesn’t offer an easy solution. Concerns over privacy are at the heart of the matter, of course. Just another way that social media is shifting the line between private and public that is sure to keep the financial industry up at night.

HITECH Leaves Many Unprepared

New privacy and security requirements for health information technology contained in the economic stimulus law have gone into effect. Already providers are reporting difficulties in complying with the new rules.

The Health Information Technology for Economic and Clinical Health (HITECH) Act is intended to increase the use of Electronic Health Records (EHR) by physicians and hospitals. According to a recent survey of 200 hospitals, nearly a third said they are not ready to meet all of the law’s privacy and security requirements by the deadlines.

Much of the uncertainty stems from the significant resources required for implementation, coupled with little guidance on how to do it.

Protecting High Value Data from Spammers

It’s becoming easier and easier to execute successful spamming strategies online. According to a NetWitness report, 68,000 account logins were stolen from 75,000 bot-infected PCs on corporate networks, and corporations are having a difficult time keeping ahead of it.

Organizations without continuous, real-time monitoring in place will be unable to detect this type of activity. Rather than focusing only on defending the network perimeter or on meeting compliance checklists, corporations will be better prepared if they focus on protecting their high-value data.

HP TRIM 7 Provides Records Management for SharePoint

When HP bought Tower in 2008, the reason it gave was to extend its reach in the information management market. The recent upgrade of the TRIM document management software to TRIM 7 fulfills that ambition by offering an integrated, full suite of solutions for eDiscovery, compliance, records management and archiving.

In fact, with TRIM 7 HP has specifically focused on upgrading the records and archiving elements. In this respect, it has created software that enables organizations to transparently manage all of their Microsoft SharePoint Server records in a single environment, regardless of the source of those records.

What this means is that it can now capture Microsoft SharePoint files and even entire SharePoint workspaces. It also comes with full DoD 5015.2 v3 certification, making it particularly attractive across the eDiscovery and compliance markets.

TRIM And SharePoint

That TRIM 7 focuses specifically on integrating its records and archiving abilities with SharePoint is not a surprise.

For those unfamiliar with it, TRIM software is an enterprise document and records management system with the ability to scale across large, distributed environments. It enables users to capture, manage and secure enterprise information, from electronic to physical records and from creation to eventual disposal.

When HP bought Tower and its Total Records Information Management (TRIM) product in 2008, one of the features it was buying was TRIM’s SharePoint integration capabilities. Tower’s software was built on Microsoft technologies, and Tower was a Microsoft Gold Partner for SharePoint before the takeover.

This integration enabled HP to enter the SharePoint eDiscovery and compliance world, as so many organizations running SharePoint now find themselves having to look carefully at compliance issues.

TRIM 7 Modules

With the two new modules, HP TRIM 7 enables users to capture, search and manage all types of physical and electronic business information across Microsoft Office SharePoint Server 2007 and the upcoming SharePoint Server 2010.

The two new modules are:

  • TRIM Records Management: Provides transparent access to all SharePoint Server content from the SharePoint Server workspace
  • TRIM Archiving: Archives specific list objects in SharePoint Server, or entire SharePoint Server sites, to HP TRIM.

While TRIM’s ability to capture SharePoint records and archive them is not new, until now the information it could manage was restricted to documents and limited to manual entry.

However, now capture policies can be defined by administrators and can include information that is contained in wikis, blog entries, blog comments, calendar entries and workflow events.

There are other advantages too. They include:

  • Increased compliance and better preparation for eDiscovery
  • Applying compliance policy management across the enterprise
  • Managing the complete information lifecycle of corporate records
  • Proving the authenticity of information with version control, access control and audit trails
  • Supporting long-term information access in appropriate formats
  • Supporting FOI requests by easily finding, redacting and rendering information for secure release
  • Enforcing a security structure that governs how information is used
  • Easy-to-apply text‑based search capabilities and metadata
  • Applying lifecycle policies seamlessly and managing all SharePoint

Given the number of organizations that are now using SharePoint and are considering SharePoint 2010, the new HP TRIM modules are quite timely, and they are probably not the last modules we will see for TRIM.

Considering that SharePoint does not have DoD 5015 certification for its built-in records management capabilities — in either SharePoint 2007 or SharePoint 2010 — many organizations using the platform will be looking for an integrated solution such as this one from HP.