<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; governance</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/governance/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Are self-assessments the right way to go?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/#comments</comments>
		<pubDate>Fri, 21 Sep 2012 15:44:11 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance officer]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[disaster]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<category><![CDATA[DR]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=975</guid>
		<description><![CDATA[About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels, [...]]]></description>
				<content:encoded><![CDATA[<p>About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels, connections and filters without having to pay someone else to do it.  On one hand she had a valid point; it sure didn’t sound very difficult.  On the other hand I immediately wondered how I would get to the drain plug in order to open it, where I would collect the old oil and how I would dispose of it once I did.  And what the heck would I do if something went wrong?  Plus I would need to remember to buy the new oil, perhaps a filter or two, and then figure out how to check a myriad of items to make sure the car was running right.  Or I could keep going to my mechanic and pay him the $39 to take care of it for me.  I’ve always had a way of considering things via the risk vs. reward formula and that was an easy one – have the professional do it.  It would take me more than an hour not including shopping for the needed supplies, and there was an increased risk that I would miss checking something, forget to tighten something or simply do a bad job.  I’ve been earning more than $39 per hour for a long time and so I decided that I should just work an extra hour and use the proceeds to let the professionals do their job.</p>
<p>Which is why I don’t much care for any manner of compliance-based assessments that are self-administered.</p>
<p>Companies have had this crazy notion for more than a decade now that the best way to identify and address risks inherent within the infrastructure is to ask key stakeholders a somewhat generic set of questions and use their responses to figure out what’s what.  Most of the time the people driving these initiatives are either information security professionals or corporate compliance people who either believe they already know where the problems are or are looking for the simplest and easiest way to satisfy some requirement.  But what they often fail to grasp is that it’s almost impossible to draft a common set of questions that either apply to the vast majority or, worse, will be interpreted consistently across the stakeholder population.  Plus the perceived benefit of using a self-assessment approach to reduce effort and required support resources is almost always an illusion.  Most of the time saved in not having someone ask the questions and record the answers is instead consumed by needing to explain the format, explain the questions or trying to clarify and clean up the responses.  While supporting one such program recently each assessment required a kick-off meeting, a follow-up meeting to review the status of the assessment, a third meeting to review the initial draft of the questionnaire, a fourth meeting to review the resulting report(s) and a largely untracked number of hours to help generate all of the related support documentation.  Regardless of the size of the entity being assessed each one consumed somewhere close to eight hours.  While that might seem like a scary large number, the really scary part was that based on which risk analyst was responsible for the assessment and the personality/mindset of the stakeholder completing it the results looked very different from one another.  It was almost impossible to generate meaningful metrics across the assessment population because a “Yes” answer for one question might mean the same as an “N/A” in another; there was no way to know that.</p>
<p>Another issue I’ve always had with the self-assessment approach is that while some stakeholders take it seriously and do a remarkably thorough job, others race through it with little hesitation just to fill in the blanks and get it off their desk.  Sometimes you can detect which is which, sometimes you can’t.  Plus the approach fails to capture much of the rich and relevant information related to each question and the underlying risk behind it.  I recall conducting a team-driven risk assessment years ago where one stakeholder after the next, covering a very broad sampling of the infrastructure, kept lamenting the lack of a proper disaster recovery plan.  They had something to show auditors/examiners but to a person no one believed it was a truly viable plan.  All but the CIO brought it up as a concern and when pressed a bit about why that was they all shared a common concern: if their main office was closed unexpectedly for twenty-four hours, regardless of the reason, they were likely out of business.  A related self-assessment question would ask “Do you have a current and recently tested DR plan?” – most respondents on that engagement would simply have selected “Yes” and moved on to the next question without ever being challenged to share their concerns.  Where’s the value in having a repository of questions and answers when it fails to capture the true essence or dimension of risk?</p>
<p>And the biggest issue I’ve always had with self-assessment questionnaires and their related templates is that they’re so often poorly designed.  I can guarantee you that each of them has at least one question which makes zero sense to anyone who reads it.  They either answer it based on what they think it’s asking, answer with an “N/A” or require follow-up with the people managing the process to have it explained.  And you’d be amazed how many times even the author is challenged to provide a meaningful answer (including this guy).  One thing’s for certain, a self-anything needs to be designed and written so that everyone understands what they need to do without having their hand held.  Plus it’s rare that questionnaires are customized so that each stakeholder is only asked those questions that truly make sense.  An application owner should never be asked if their anti-virus solution is current and up-to-date.  A business process owner should never be asked about software change management.  Yet seldom have I encountered a self-assessment process which does anything like this and so the audience is burdened with time consuming yet unnecessary questions.</p>
<p>Really though, in the end my overriding problem with the self-assessment approach is that it fails to capture the expertise and guiding hand of true risk and assurance people.  The process is often supported by analysts who don’t really have a feel for conducting assessments and are satisfied that all of the blanks are filled in.  I have a nose for when there’s something beyond a simple answer and know when to scratch at the surface to bring it to light.  By not allowing expert hands to guide the process, potentially huge amounts of valuable and possibly critical details are being missed, thus undermining any perceived value of the process.  When you consider that, all told and tallied, the self-assessment approach versus the guided assessment approach doesn’t really save you much time (if any) and that it results in a weaker finished product, why would you elect to use it?  One answer is that regulators push for it because perhaps it’s better than nothing (I can’t get any of those I know to comment).  Another is that the people sponsoring these initiatives lack the fundamental comprehension to understand their options and choose what they perceive as the less complicated approach (again, I don’t know for sure; it’s just a theory).  What I do know is that when done right a risk assessment is management’s best friend, a fundamental belief behind the recent spike in ERM activity.</p>
<p>While recently having my car serviced the mechanic discovered a nest of some sort in the engine block; he thinks it was probably squirrels.  Because of this discovery he went searching for all the wired connections to make sure they weren’t chewed up and destroyed, and quite a few were, as it turns out (the car had been idle for several months).  The bill only added the cost of the replacement wires but nothing significant for the time it took to first find which were affected and then replace them.  Had I attempted the repair myself I might have noticed the nest and likely would’ve cleared it, but I know for certain I never would’ve thought to check the wires, where to look for them or what to look for.  I was smart enough to rely on a professional with a nose for that sort of thing and it saved me time, money and best of all the aggravation of having the car break down somewhere unexpectedly.  Good thing I didn’t go the self-repair route.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Metrics Reporting: Are pretty colors always pretty accurate?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/metrics-and-regulatory-reporting-are-pretty-colors-always-pretty-accurate/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/metrics-and-regulatory-reporting-are-pretty-colors-always-pretty-accurate/#comments</comments>
		<pubDate>Wed, 08 Aug 2012 18:21:42 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[auditor]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[Board]]></category>
		<category><![CDATA[Board of Directors]]></category>
		<category><![CDATA[BoD]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[controls]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=952</guid>
		<description><![CDATA[I have an odd relationship with management reporting.  I know it&#8217;s a necessity and quite often see clear value in what&#8217;s packaged for senior management and board review.  But a significant piece of the reporting content comes in the form of metrics and, well, whenever I hear the term it conjures up this ghastly image of [...]]]></description>
				<content:encoded><![CDATA[<p>I have an odd relationship with management reporting.  I know it&#8217;s a necessity and quite often see clear value in what&#8217;s packaged for senior management and board review.  But a significant piece of the reporting content comes in the form of metrics and, well, whenever I hear the term it conjures up this ghastly image of good and decent people sinking slowly to their deaths in the quicksand that such efforts often become.</p>
<p>Now I&#8217;ve designed and supported more than my fair share of related content.  I understand that sometimes the best way to tell a story is to paint it in the form of a picture; I get that part.  But way too many times I&#8217;ve witnessed such initiatives spiral out of control to the point where it takes an army of people working ridiculous hours to pull together a deck of metrics that either fails to answer anyone&#8217;s questions or, even worse, generates requests for more metrics to provide clarity.  And once a metric becomes a standard part of any reporting package it often stays there until management changes, and sometimes even beyond.</p>
<p>But I think there&#8217;s a bigger issue with metrics that exceeds my simply not thinking they&#8217;re &#8220;all that and a bag of chips&#8221;.  Where are the controls around generating them?</p>
<p>Seriously, we have this vastly complex framework wrapped around financial reporting (SOX) to provide reasonable assurances that what management is reporting to its investors is accurate.  We have industry, federal and state legislation requiring all manner of controls around sensitive information.  There are auditors (internal and external) and regulators from all over the place that go over everything with a fine-tooth comb (or at least claim to) to make sure everything being done is done right &#8211; but in my nearly fifteen years in the audit/assurance industry I have never heard of a finding or issue regarding the veracity of metrics.  Which is only a problem if the people running an institution or company rely on them to make decisions.</p>
<p>The reason why it&#8217;s a problem is because so many of the metrics out in circulation are pulled together from disparate sources, cobbled together in spreadsheets or non-production databases and manually generated.  There&#8217;s no easy way to verify the source data, or know that it&#8217;s unaltered in any way, or even know if it&#8217;s the right information.  And even if the data source used is from a secured production-like environment, still there&#8217;s no real auditing conducted to ensure the information is accurate or, better yet, is even the right information.</p>
<p>I once took over a change management process and assumed responsibility for a series of reports that were generated for the Managing Director, who in turn used them as part of his reporting package shared with the CIO.  One of the key metrics being reported on was scheduled releases and the IT department&#8217;s on-time implementation percentage.  The numbers looked great, showing that they were on-time more than ninety-five percent of the time over a two year period.  The only problem I could see with the metric was that it was misleading to the point where it was almost a lie.  The scheduled release date was being pulled from the system used to migrate changes into production, and that date was only determined once the development team had completed all of their work.  So the scheduled implementation date was chosen once they knew they were ready to move into production.  Of course the on-time numbers looked great; they always knew they were ready before committing to it.  The Managing Director incorrectly assumed that there was a legitimate release schedule with forecasted dates and that the on-time numbers reflected a well-run process; wrong.  No one ever questioned the numbers or their source and had I not inserted myself into what was described as a well honed, efficient process the problem might never have been identified; and there were a few more just like it.  My trust in metrics was permanently altered after that.</p>
<p>Metrics represent an excellent way for decision makers to quickly understand status and identify problems.  I&#8217;ve quoted here before how someone I respect quite a bit was fond of asking her team &#8220;If you can&#8217;t measure it, how can you manage it?&#8221; and she&#8217;s absolutely right.  Metrics are the ultimate means for management to measure key activities and issues within their world.  But how far do you go and how much effort do you expend pulling the related reports together?  And even if you&#8217;re able to automate the process and shorten the time necessary to generate the reports, how do you know that you&#8217;re either measuring the right things or that the underlying data is unaltered?  Ultimately I think that senior managers should be provided with something akin to a cost-benefit analysis for each metric they&#8217;re given.  Have them understand the degree of complexity and the amount of effort required to generate a number before deciding whether or not it&#8217;s worth it.  Perhaps I&#8217;m being naive but I&#8217;d like to think that most C-level executives would eliminate a significant amount of their reporting if they could see how much it was really costing them.</p>
<p>Here&#8217;s the part that should really concern you the most though: metrics are a key component of Board reporting, and Boards make all sorts of decisions based on what these reports tell them.  How can that be allowed unless the process used to generate them is locked down and audited?  Where are the regulators in all of this?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/metrics-and-regulatory-reporting-are-pretty-colors-always-pretty-accurate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk: The core issue behind regulatory requirements</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/#comments</comments>
		<pubDate>Fri, 06 Jul 2012 03:18:40 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[Risk IT]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk rating]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=923</guid>
		<description><![CDATA[There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family [...]]]></description>
				<content:encoded><![CDATA[<p>There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family and they&#8217;ll tell you that I work with computers.  Ask my extended circle and they&#8217;ll tell you that I do a lot of work with banks and credit unions.  For those who aren&#8217;t in the banking business it&#8217;s difficult to understand exactly what it is that I do and so they find it easier to keep it simple; I do a lot of work with computers for places where people deposit their money.</p>
<p>Of course the truth is much more complicated.  I don&#8217;t just focus on computers; my scope expands to include anything that involves sensitive information.  While that always includes a variety of devices it also includes paper-based and people processes as well.  I frequently share stories about the enormous amount of printed content that&#8217;s to be found throughout an institution&#8217;s physical locations.  I occasionally tell stories about how careless people can be when on the phone or in conversation and sharing all manner of sensitive information.  It&#8217;s never just about computers; it is however always about information and how it needs to be protected.</p>
<p>Truthfully though, what I really do is search for controls that protect information, identify those that I find and try to measure their effectiveness and, more importantly, identify where controls are missing and work with my clients to remedy that.  At the heart of the regulatory requirements I focus on, it&#8217;s all about the risk introduced by the presence of information, from personally identifiable information (PII) to non-public personally identifiable information (NPPI).  Risk: it&#8217;s what drives every single project I work on, it&#8217;s what drives every product and process I help develop.  And really, if you take the time to read through the literature, it&#8217;s what&#8217;s behind just about every piece of regulation known to the banking world.  Risk, risk, risk and risk.</p>
<p>One of the reasons I&#8217;ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it&#8217;s a simple enough argument to make with fewer people to convince: everything you do to comply with the regulations should be risk-based.  It doesn&#8217;t really make a difference if it&#8217;s complicated to do or time consuming; you prioritize based on where the risks are found and make decisions accordingly.  But that gets much more difficult to do as the institutions grow in size and complexity.  Over the fifteen years I&#8217;ve been building and supporting compliance initiatives I&#8217;ve worked with Fortune 50s, 100s and 500s and a whole lot of financial institutions that merely read Fortune magazine.  But while their overall size varies widely, risk is still risk and that never changes.</p>
<p>I wish more practitioners embraced this simple concept.  While some do, many still don&#8217;t.  There&#8217;s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors.  Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess or what to look for when conducting any type of assessment, my first line of logic is to try to figure out where the greatest possible exposures are to be found.  Assessing a low risk application yields little value no matter how complete it may be.  And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.</p>
<p>Beware the practitioner who wields a hammer for they only know to look for nails.</p>
<p>Your regulator doesn&#8217;t want you to blindly implement compliance programs; they want you to identify and manage risks, real risks.  They want to be able to understand the logic and approach being used and find credible evidence that you&#8217;re focusing your efforts on the right things.  Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and about using approaches which are appropriate for the size and complexity of your institution.  Then scan through your related program inventory and figure out if you&#8217;ve designed things accordingly.  Are they actually protecting your institution from credible threats and risks or are they just filling binders on your compliance officer&#8217;s shelves?</p>
<p>For me, professionally I&#8217;d prefer to always only do meaningful work and in the audit and assurance world meaningful is code for risk-based.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Governance, risk and compliance &#8211; related but not the same.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/governance-risk-and-compliance-related-but-not-the-same/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/governance-risk-and-compliance-related-but-not-the-same/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 17:58:28 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[auditor]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[controls]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[FFICE]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[internal controls]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=863</guid>
		<description><![CDATA[And an unnecessary GRC activity continues because no one typically cares if you're doing too much, only too little.  It's almost like people just want to stuff everything remotely related to the discipline into the GRC closet and then make sure guests never open that door.]]></description>
				<content:encoded><![CDATA[<p>I was sitting in a meeting this week listening to a group of very bright people talking about an initiative centered on installing a software solution and I realized something rather disturbing; somewhere along the way in our industry governance, risk and compliance have started melting together and becoming known simply as GRC.  I say &#8220;disturbing&#8221; for a very simple reason: they&#8217;re related but not one and the same.  And so it started me thinking about a wide range of recent conversations I&#8217;ve been having lately between services work, software sales and solutions development and there it was right in front of me &#8211; most of the people who throw around the term GRC just think of it as a massive catch-all for everything even remotely related to any of the three disciplines and not as a rallying point for coordinating their points of intersection.  Uh oh!</p>
<p>Is it possible that this incredibly important and still developing concept known as GRC can be hijacked and used instead to almost marginalize the sum total of all its related parts?  Until this week I would never have even thought of something like this as possible but there it was, right in front of me and a bit of a shock.</p>
<p>There are likely two main drivers behind this disturbing trend: GRC software and the overwhelming volume of compliance-based activities.  So many of the GRC solutions currently on the market tend to be rather broad in their scope.  While most of them are oriented towards one particular point within the GRC spectrum they have all expanded to try and touch on as much as they can justify.  So whereas you have a product that may have been designed to manage policy content it now also offers risk assessment, audit and overarching governance features.  But still what it does best is manage policy content.  The license for the product isn&#8217;t cheap and senior management has been sold to some degree on the promise of automating much of the required work via this new and costly solution.  Thus we have the first driver behind the blurring of GRC lines: &#8220;We paid a lot for it so we better use the heck out of it&#8221;.  And so there&#8217;s a slow but steady march through the organization looking for things that can be brought into the fold.  However not everything belongs in every GRC solution because as noted previously, each offering no matter how effective tends to favor one specific location within the GRC spectrum.</p>
<p>But even when you have a solution that&#8217;s broad enough to accommodate most of what you need to accomplish there&#8217;s the other driver coming into play, massive compliance requirements.  I&#8217;ve had clients who don&#8217;t even care so much about whether what they need to do to comply makes sense for them but will do anything to pass an exam.  And so there&#8217;s this mad, lemming-like dash in a single direction to shoehorn everything and anything into this thing called GRC that might even be remotely related.  There&#8217;s little thought put into how best to get the work done with the primary concern being &#8220;we have to have something to show the examiner&#8221;.  The result is a hodgepodge of seemingly related activities being coordinated under a single function or initiative but with almost zero effort made to try and normalize the workload and gain the efficiencies that GRC promises.  How thoroughly depressing for us practitioners.</p>
<p>And it&#8217;s fantasy to think that once things are set up to be done a certain way they&#8217;ll ever change.  Unless an examiner or auditor tells you something needs to change everything stays the same.  So a poorly designed GRC function remains poorly designed forever.  And an unnecessary GRC activity continues because no one typically cares if you&#8217;re doing too much, only too little.  It&#8217;s almost like people just want to stuff everything remotely related to the discipline into the GRC closet and then make sure guests never open that door.</p>
<p>I know we&#8217;re still early in the GRC life cycle (Michael Rasmussen recently noted in an article that it&#8217;s been ten years since he first conceived of the acronym and concept) but what if this trend isn&#8217;t derailed sometime soon?  What if because of the weak economy (I&#8217;m being polite, I should swap &#8220;weak&#8221; for &#8220;horrible&#8221;) companies continue to just sweep everything under the GRC rug and don&#8217;t exploit the benefits of the concept?</p>
<p>I&#8217;m reminded of the old joke about the immigrant who decides he&#8217;s going to use his lumberjack skills in the U.S.A. to make a living and invests his life savings in a chainsaw.  After repeatedly failing to achieve any appreciable gains in his productivity he finally returns to the store to find out what&#8217;s wrong with the machine.  Once they pull the ripcord and fire it up he jumps back in surprise asking &#8220;what&#8217;s that noise&#8221;.  I have this image in my head of some internal controls manager managing his/her company&#8217;s GRC program ten years from now stumbling across an OCEG document, reading it and jumping back in surprise and exclaiming &#8220;what a great idea, why aren&#8217;t we doing this sort of thing&#8221;.  Don&#8217;t laugh, I can all but guarantee it&#8217;s going to happen at this rate.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/governance-risk-and-compliance-related-but-not-the-same/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The trouble with GRC.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-grc/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-grc/#comments</comments>
		<pubDate>Mon, 05 Dec 2011 23:54:13 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessments]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=844</guid>
		<description><![CDATA[There's no real shortcut to identifying where to begin laying down your most fundamental steps for a GRC program.  Only you and others in your institution can identify both the pain points and also the most obvious opportunities. ]]></description>
				<content:encoded><![CDATA[<p>I love GRC, at least the concept.  I&#8217;ve gotten way more than my fair share of print time expounding on its many virtues and how it continues to make inroads into so many organizations.  It&#8217;s the next and necessary step in the evolution of audit and compliance, a fact (yes, fact) of which I&#8217;m certain.</p>
<p>But why is it that no one can ever truly and honestly agree on what exactly GRC is?  I first wrote about this very issue in 2008, then again in 2009 and 2010 and once again earlier this year.  Beyond the too few thought leaders on the topic there&#8217;s very little clarity.  And most of the credible GRC sources seldom extend from the theoretical to the practical (my opinion but let&#8217;s remember, this is my blog).  For those in the trenches who have a vested interest in trying to apply the most basic elements of the discipline there&#8217;s very little out there available to help them figure out where to begin and what to do.  When you throw into the hodgepodge of concepts the dozens of vendor-spawned interpretations it becomes nearly impossible for any two people to ever agree on something close to a common definition.</p>
<p>What a shame.</p>
<p>It&#8217;s a shame because conceptually GRC is too important of an evolutionary step within the audit and compliance space to be botched.  The huge pile of industry and government requirements seems to grow almost daily, the amount of resources available to manage the work only seems to shrink daily and these trends show no sign of slowing down.  The blueprint for a better and more efficient approach is right there before us practitioners and yet we can&#8217;t quite see the forest for the trees.  I&#8217;m not sure what the primary reasons are or if they can even be boiled down to just a few but I&#8217;m gonna give it a try just the same.</p>
<p>First, stop listening to the software vendors explain what GRC is or isn&#8217;t.  They have solutions to sell and while some of them are truly impressive they&#8217;re going to align their GRC definition with the capabilities of their product.  Second, stop reading white papers and frameworks.  There is some very important content available in the industry published by some very, very bright people but in the abstract much of it is at best daunting to internalize or understand and at worst suffocating to the point where you&#8217;ll just get frustrated and put it away for another time.  Third, don&#8217;t think you can simply bring in an advisory firm to either define or develop a related program.  My experience in working on GRC-inspired projects is that both the corporate culture and its capabilities are way too important of an element to either overlook or underestimate.  An external perspective often can&#8217;t detect these nuances and so what they design is doomed for failure because it can&#8217;t be sustained in the real world.</p>
<p>What can you do to overcome these all too common pitfalls?  Your homework.</p>
<p>There&#8217;s no real shortcut to identifying where to begin laying down your most fundamental steps for a GRC program.  Only you and others in your institution can identify both the pain points and also the most obvious opportunities.  All too often the first step involves forming a committee which is usually a recipe for delay (someone I worked with years ago once advised that if you want to make sure a project never happens bury it under a committee).  But what you can do is seek out and enlist the support of partners that share a like mind or a common goal.  I don&#8217;t usually recommend engaging internal audit at the onset but you might want to include a trusted member of its team.  You might even consider reaching out to your examiner for suggestions on where to begin.  Perhaps you have control owners within your infrastructure who spend way too much time generating content to satisfy compliance requirements and are willing to lend a hand if it means easing their burden at some future point.  But whatever you do to start forming a team and outlining ideas you need to think it through with your expert knowledge and understanding of your institution&#8217;s capabilities.</p>
<p>Once you begin forming that plan with some deliverables and goals you can consider augmenting your efforts with an expert GRC hand to guide you.  Once you firm up what you think your organization is capable of and have had the chance to vet that plan with key stakeholders you can research GRC products that are closely aligned with what you&#8217;re looking to accomplish (the right vendor will want to learn about what you&#8217;re trying to do rather than tell you how to do it, trust me.  And yes, I&#8217;m biased).  And once you have a stronger sense of what you&#8217;re looking to accomplish you can engage the structured approach of a framework.</p>
<p>Oh and as for a single definition of GRC I&#8217;m clinging to the one I&#8217;ve been using since first reading about it several years ago.  GRC harmonizes efforts across previously detached disciplines that existed in their own silos within an organization (this is my fancy version).  In simpler layman&#8217;s terms it&#8217;s the point of integration between related functions, reducing redundant activities and allowing the left and right hand to work together.  And the only wrong way to try and implement some of its elements is to not even try.</p>
<p>No matter its size your institution is neither too small nor too complex to benefit from GRC.  No matter how many times you may have tried to build something unsuccessfully it&#8217;s entirely possible to accomplish.  No matter how overwhelming or confusing you&#8217;ve found the concept to be at the point where you tried to get the rubber to meet the road there&#8217;s a simpler more viable approach.</p>
<p>Make it your corporate New Year&#8217;s resolution for 2012, I implore you.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-grc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is compliance moving too fast?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-compliance-moving-too-fast/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-compliance-moving-too-fast/#comments</comments>
		<pubDate>Tue, 26 Apr 2011 06:00:53 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=707</guid>
		<description><![CDATA[What that means to you is that it's no longer enough to present the various program artifacts upon request to the examiner, you now have to demonstrate how you track each of those elements and determine their status.  It also means that you have to demonstrate an awareness of new and/or changing requirements and maintain some measure of program change management.  Gone are the days of pulling a new program together in the days leading up to the exam just so you have something to show for it.  Gone too are the days of scrambling to bring everything up-to-date via herculean efforts by logging long nights and weekends in the weeks leading up to the kick-off meeting.]]></description>
				<content:encoded><![CDATA[<p>I joined a new group last week on LinkedIn focusing on compliance within the banking space and during my first visit answered a forum question that started with &#8220;How do you manage the flow of compliance information&#8221;?  It was a relevant question and I was happy enough to offer my two cents (never a problem for me I assure you).</p>
<p>Here&#8217;s my reply:</p>
<p><em>&#8220;<span class="comment-body">It&#8217;s no longer even a matter of whether or not your institution has time to track the various activities and statuses, it&#8217;s quickly becoming a measurable practice of its own within the oversight circles. We&#8217;ve recently encountered several exam comments addressing the concept of compliance management which focuses on how an institution demonstrates a working knowledge of and compliance with the broad spectrum of requirements.</span></em></p>
<p><span class="comment-body"><em>I think the days of last minute program (policy and procedure) updates and testing in the days leading up to an exam are near an end; the examiners are quickly losing their appetite to allow such flexibility and are expecting management to clearly establish that they&#8217;re taking compliance seriously.&#8221;</em></span></p>
<p>I&#8217;m sharing this exchange with you for a couple of reasons.  First, my reply was one of four and quite literally each answer seemed to be addressing a separate question, which I found both curious and concerning.  One person interpreted the question to be about keeping up with newly emerging and changing laws, one person replied as though it was about keeping track of what needs to be done internally and one person thought it was more about governance and engaging stakeholders.  And while I&#8217;m not sure which, if any, of us answered the question correctly I am certain that all four brought out into the open the bigger issue, which is how does anyone keep up with the speed at which compliance is evolving?</p>
<p>Which brings me to my second reason for bringing up the exchange.  Are you prepared to demonstrate to an examiner how you manage all of your compliance initiatives?  If not you&#8217;d better get busy because it&#8217;s something you&#8217;re likely going to need to do in the near future.  There have been at least two clients my practice works with that have recently shared with us that their examiners have been slicing off time reviewing what&#8217;s being called &#8220;compliance management&#8221;.  Simply put it&#8217;s the overall approach an institution takes to tracking the various regulations and ensuring that it&#8217;s complying where applicable.</p>
<p>What that means to you is that it&#8217;s no longer enough to present the various program artifacts upon request to the examiner, you now have to demonstrate how you track each of those elements and determine their status.  It also means that you have to demonstrate an awareness of new and/or changing requirements and maintain some measure of program change management.  Gone are the days of pulling a new program together in the days leading up to the exam just so you have something to show for it.  Gone too are the days of scrambling to bring everything up-to-date via herculean efforts by logging long nights and weekends in the weeks leading up to the kick-off meeting.</p>
<p>I remember how when Red Flags was about to go live back in 2008 I asked an audience I was presenting to how many had their programs board approved and in-place with only a few hands going up.  I asked how many expected to have their program at least finalized by the go-live date and again only a few hands went up.  But when I asked how many planned to wait until two weeks before their next exam to get around to designing something almost the entire room laughed and then sadly raised their hand.  But those days are about to come to an end.</p>
<p>Ultimately what I&#8217;m thinking is going to happen is that this important shift in oversight strategy is going to accelerate the adoption of the principles of GRC.  I&#8217;ve been beating that drum quite a bit lately (even more than usual) and am all the more confident that my thinking is right.  An important element of GRC is the ongoing monitoring (<strong>g</strong>overnance) of the various <strong>r</strong>isk and <strong>c</strong>ompliance activities and that&#8217;s what your examiners are going to be looking for.  My best guess is that we&#8217;re about a decade away from widespread acceptance and that GRC will follow a growth curve similar to that recently charted by ERM.  Right now GRC seems a bit exotic to senior management and more theoretical than practical but that will continue to change.  As more practitioners incorporate elements of the methodology into how they meet the various challenges it will become increasingly commonplace.  And when the economy finally starts to rebound and funding isn&#8217;t as hard to come by institutions will accelerate the pace and GRC will become part of the everyday vernacular for compliance professionals and their management.</p>
<p>For now though practitioners like me will simply have to keep introducing elements of GRC into the solutions we develop for our clients without identifying it as such.  For those of us fortunate enough to know there&#8217;s a better way there&#8217;s no reason to wait and it&#8217;s a win-win for the institutions we work with.  As I recently advised a client in regards to an upcoming exam, have a plan, collect evidence that the plan is being followed and prove that there&#8217;s a process to periodically assess the plan for accuracy, viability and relevance.  That they liked but had I introduced it as a component of GRC I wonder if it would have appealed to them as much.</p>
<p>How else can you keep pace with compliance?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-compliance-moving-too-fast/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GRC is about to see its future.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-is-about-to-see-its-future/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-is-about-to-see-its-future/#comments</comments>
		<pubDate>Fri, 08 Apr 2011 10:45:49 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[UCF]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=685</guid>
		<description><![CDATA[Almost all of GRC-related activity now is driven by regulatory and/or industry compliance requirements.  While most companies would publicly reject that statement and insist that their approach is based on risks that they identify and manage, the truth is most of those risks are already being targeted by one of the many compliance requirements they operate under and need to comply with. ]]></description>
				<content:encoded><![CDATA[<div><p><span>After nearly a quarter century of working in and around the corporate IT domain I have a grand total of four bold predictions I&#8217;ve made that stand out.  Three of them I had nailed dead on and the fourth never panned out, a fact that confounds me still to this day.</span></p>
<p><span>The very first prediction was that the Iomega Zip Drive was going to accelerate the push into portable mass storage devices.  For about two years it blazed the trail soon followed by others but I knew the first time I laid eyes on the device I was looking at the future.</span></p>
<p><span>The second prediction was that Borland was going to be bought by either Microsoft or IBM.  They had launched their new Delphi development software and it was blindingly fast and easy to use and clearly set them apart from the competition in the client-server domain.  For reasons still unknown it never happened and so while I was wrong I still think I read things correctly (it&#8217;s my ego, it won&#8217;t let me be wrong for too long).</span></p>
<p><span>The third prediction changed my career direction.  As Y2K was nearing I outlined a concept where companies could leverage all the repositories they developed and maintained to ensure a smooth transition into the new millennium and convert it into an ongoing management tool.  It was a discipline that eventually matured into what we now call portfolio management.  While I wasn&#8217;t in a position to pursue my theory I knew I was onto something and as it turned out I was right.  Why this prediction changed my career is because it gave me the confidence to both trust my instincts and pursue new ideas even when no one else thought it would work.</span></p>
<p><span>Which leads me to my fourth prediction.  Back in 2002 while with Metlife I was put in charge of a bizarre project that came to be referred to as &#8220;Server Consolidation&#8221;.  After working with a vendor not of my choosing for six months and with nothing to show for my time I discovered VMware about ten minutes after they went public and knew this was what the company needed.  I immediately brought it to my boss&#8217;s attention and instead of trusting me to make us all look brilliant I was instead admonished for not doing what I was told and VMware had to wait another five years before the company embraced the technology.  But while it indirectly cost me my job (I was laid off six months later) I knew I was right and still believe it was worth taking the risk.</span></p>
<p><span>My instincts are screaming at me again and so allow me to share my fifth bold prediction.</span></p>
<p><span>My readers know that I&#8217;m a huge believer in GRC as a concept.  I write about it almost monthly and at least quarterly and track its progress closely.  I&#8217;ve participated in several related projects and constantly try and insinuate myself into newly emerging GRC-based initiatives.  The idea that each of the three core disciplines break out of their silos and work together is just flat out the right approach.  But that&#8217;s not the prediction.</span></p>
<p><span>Almost all of GRC-related activity now is driven by regulatory and/or industry compliance requirements.  While most companies would publicly reject that statement and insist that their approach is based on risks that they identify and manage, the truth is most of those risks are already being targeted by one of the many compliance requirements they operate under and need to comply with.  And after nearly a decade of dealing with one new set of requirements after another quite literally every company I&#8217;ve encountered has multiple frameworks and related initiatives to ensure compliance.  It&#8217;s resulted in massive duplication of effort and wasted time, money and bandwidth.  And because those same companies can barely keep up with supporting these activities there&#8217;s little chance they&#8217;ll ever find a way to reorganize and consolidate their efforts so that they can reuse steps to satisfy multiple requirements.</span></p>
<p><span>And so here comes the prediction.  Network Frontiers&#8217; <a href="http://www.unifiedcompliance.com/" target="_blank">Unified Compliance Framework</a> will become to GRC what COBIT became to SOX. </span></p>
<p><span>For those of you who aren&#8217;t familiar with the UCF it&#8217;s a series of documents that basically maps every single regulation, requirement and framework known to man (including coincidentally COBIT) and reveals the many points of intersection that exist but are almost impossible to identify while on the ground.  While there&#8217;s more to their library than just the mapping it&#8217;s really where their bread gets buttered.  I first discovered UCF in 2009 while working on a governance project and have been a fan ever since, continuing to follow their progress and trying to spread the word about what they&#8217;re doing.</span></p>
<p><span>Here&#8217;s what they&#8217;re doing: They examine every regulation and requirement and map them to a set of generic control activities so that they identify where one activity satisfies multiple requirements.  They follow a fairly extensive process in doing so and all of their work is vetted through legal review to ensure they&#8217;re not overreaching during the process.  And they&#8217;re constantly updating the framework to make sure that as existing regulations change and newer ones emerge the UCF captures it.  Considering the accelerated pace at which regulations are being enacted these days that&#8217;s no small task.  The way the framework is leveraged is by finding the appropriate control activity that matches what you&#8217;re working on and reading across the line (it&#8217;s delivered in spreadsheet format) to find out which regulations or requirements it satisfies.  So if you&#8217;re reviewing application access in support of SOX it&#8217;s possible that same test would also satisfy GLBA requirements.  Imagine how much time and effort can be reclaimed if your GRC program was whittled down to testing a control only once and using it many times?  Also imagine how that might look to senior management.</span></p>
<p><span>So why am I making my bold prediction now?  Last week I learned that Network Frontiers is making their content more readily available in an online format and for free.  This will allow a broader audience to begin accessing their impressive content without first having to get someone in their management food chain to approve its purchase.  I&#8217;ve tinkered with it a bit and while I still prefer the spreadsheet format (I&#8217;m a geeky kind of guy) I love knowing that someone can read this blog post and immediately sign up at their website and begin exploring.  By making it easier for the masses to access their content it will likely accelerate broader acceptance throughout the corporate world &#8211; once that happens, once program offices start relying on the content provided there will be no turning back.</span></p>
<p><span>I realize that GRC is way more than testing controls but consider that the UCF will also allow a company to identify where risk assessments, policies, procedures and programs hit multiple targets as well.  It truly allows for economies of scale to be realized in ways that were just never as easy to pursue in the past.  While the framework doesn&#8217;t tell you how to build or manage a GRC initiative it will become one of its primary tools, I&#8217;m certain of it.  I&#8217;ve pointed several people in the direction of the UCF over these past two years and almost to a person their initial reaction is &#8220;wow&#8221;.  They all immediately saw its value and started considering how best to exploit its offerings.  And until I meet someone who upon viewing the framework shrugs their shoulders and says something along the lines of &#8220;I don&#8217;t get it&#8221; you&#8217;ll find me standing behind my prediction.</span></p></div>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-is-about-to-see-its-future/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does GRC scale to size?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-grc-scale-to-size/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-grc-scale-to-size/#comments</comments>
		<pubDate>Tue, 08 Mar 2011 16:58:56 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=643</guid>
		<description><![CDATA[GRC doesn't necessarily mean less work (though that's likely) but it always results in an institution working smarter, not harder.  And in those GRC projects in which I've participated there was clearly an improvement in the value the company derived from its audit and compliance work.  Regardless of the size and complexity of an organization that has to hold appeal to its management.]]></description>
				<content:encoded><![CDATA[<p>We were having an internal conversation this past week about governance, risk, and compliance (GRC) and I was asked about <a href="http://searchitchannel.techtarget.com/feature/Cloud-compliance-management-solutions-in-use-at-small-banks-credit-unions" target="_blank">its role in the small and mid-sized community banking space</a>. The question, to be more specific, was did I think that GRC would work for smaller institutions whose business infrastructure wasn&#8217;t nearly as complex as the larger ones that typically are at the forefront of such initiatives.</p>
<p>I couldn&#8217;t spit out my &#8220;yes&#8221; answer fast enough. Not only did I think it would work for scaled down institutions, in some ways I thought its impact would be more dramatic.</p>
<p>GRC at its core is really just about coordinating the related disciplines so that economies of scale are realized where applicable and ensuring that all three work with and not against one another. While some of my fellow practitioners are all too happy to bury that simplified interpretation under a deluge of formulas and/or related methodologies, I prefer to keep things simple. I do so because the only way GRC works at an institution is if it receives the full support of the C-level community (tone-at-the-top is a must), and if you make the message difficult to understand, well, no one understands it.</p>
<p>So the question begs to be asked: why wouldn&#8217;t a CEO/CFO/COO be interested in applying a methodology that would allow their institution to address compliance in a way that encourages efficiencies and reduced effort? The answer of course is that they would be interested, likely very interested. The problem is that for the small and mid-sized banking space no one is offering or marketing GRC in any measurable way, and so business continues as usual.</p>
<p>As it stands right now, most conduct the related GRC work in a one-off fashion. They schedule audits to occur based on when they were last conducted and independent of a recent risk assessment. They schedule Board review and approval of the various policies at the same time each fiscal year regardless of whether the related audit and compliance activities have occurred to validate their effectiveness. As for risk assessments, those typically only occur if they&#8217;re required and almost never happen as part of an overall strategy. Then there&#8217;s almost always a mad scramble before each of the exams trying to pull everything together.</p>
<p>But think about how applying the principles of GRC would benefit a smaller institution. Imagine if all of the work required over the balance of a year were organized so that the activities work together and are timed so that one feeds into the next. Imagine if they kick off the compliance cycle by conducting the various risk assessments that are either required or recommended and use the output to adjust their audit plan so that they&#8217;re testing what needs to be tested. Consider how effective their efforts would be if at various points along the way they assessed these activities against what&#8217;s required to ensure that where applicable they&#8217;re tied together. How much stronger would a financial institution&#8217;s risk posture be if, when senior management and the board of directors signed off on the various elements, it conveyed more than a tacit approval of the work; what if their acceptance was more than a required step to appease the examiners and actually allowed them to make informed decisions?</p>
<p>GRC solves a different set of problems for scaled down institutions than those encountered in the larger ones. It requires that a true plan be developed to coordinate the related activities, something that&#8217;s often missing in smaller banks and credit unions. It allows for a review of these activities to both understand their interdependencies and identify reusable artifacts and test steps, which just about never happens because no one has time to spare to do such things. It also allows management to achieve a holistic view into these activities, thus affording them a chance to make corrections when or where necessary and before they become a bigger issue waiting to be discovered by an examiner. Perhaps the best byproduct of applying GRC &#8211; it allows your institution to avoid the all-too-common mad scramble leading up to an exam. If you can demonstrate to an examiner that a required activity isn&#8217;t scheduled to occur until later in the year, show them the plan and provide evidence that it&#8217;s being adhered to, they typically consider that a valid response. So instead of pulling the late nights and long weekends trying to update documentation or conducting assessments, you can wait to do the work when it&#8217;s scheduled to happen.</p>
<p>GRC doesn&#8217;t necessarily mean less work (though that&#8217;s likely) but it always results in an institution working smarter, not harder. In those GRC projects in which I&#8217;ve participated, there was clearly an improvement in the value the company derived from its audit and compliance work. Regardless of the size and complexity of an organization, that has to hold appeal to its management.</p>
<p>GRC is not a one-size-fits-all solution; it&#8217;s a one-size-fits-all concept. Regardless of whether you&#8217;re a single-branch CU or a global bank, it&#8217;s a concept that will work if only you give it a chance.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-grc-scale-to-size/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An update on governance, risk and compliance</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-an-overview-and-update/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-an-overview-and-update/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 06:57:17 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=388</guid>
		<description><![CDATA[GRC is going to continue to grow and become huge in corporate America about thirty seconds after the economy bounces back.  If you're not already doing so, start keeping an eye on how things are developing around it; trust me on this.]]></description>
				<content:encoded><![CDATA[<p>I just had an article published in <em>Information Security</em> magazine on GRC titled &#8220;<span class="homeSplashTitle"><span class="text0"><a title="Information Security Magazine" href="http://tinyurl.com/2vzfrcr" target="_blank">Demystifying governance, risk and compliance.</a>&#8221;  It&#8217;s a piece I&#8217;ve sort of had kicking around in my head for a while now and was glad for the opportunity to put my thoughts down on paper.  For anyone who has been following my blog posts over the years, you know that GRC is something I&#8217;ve had what can best be described as a mild obsession with; it just makes sense to me.</span></span></p>
<p><span class="homeSplashTitle"><span class="text0">I don&#8217;t need to recite the article&#8217;s contents, you can click on the link above and read it for yourself.  I mention it here because there were a few things that didn&#8217;t make it to the final version that I wanted to share with you.</span></span></p>
<p><span class="homeSplashTitle"><span class="text0">I had asked two associates of mine to be interviewed for the article; they agreed but were traveling out of the country for several weeks and we could never get together.   I selected them because they were instrumental in applying some of the key concepts of GRC to ease the suffocating burden compliance work had placed upon their IT organization.  Not only were they successful, but they also proved that GRC works.  And the best part was that they didn&#8217;t rely upon complex theories or expensive software solutions but rather good old-fashioned common sense.  Although their stories didn&#8217;t make it to print, I&#8217;ve asked them to honor their commitment to me and be interviewed for a GRC follow-up article right here in a future Regulatory Reality post; stay tuned.</span></span></p>
<p><span class="homeSplashTitle"><span class="text0">I had also invited Michael Rasmussen from Corporate Integrity to participate.  It&#8217;s sort of difficult to separate Mr. Rasmussen from any conversation about the GRC movement because while he may not be its official leader, there&#8217;s certainly no greater advocate of its myriad benefits.  Plus, his perspective is broader than what I typically cover as he targets the entire organization and not just information security and the underlying technology architecture.  I plan to loop back to him in the near future for an interview; once I do, you&#8217;ll hear about it right here.</span></span></p>
<p>Lastly I wanted to shine just a little bit more spotlight on the folks at Network Frontiers who bring us the <a title="UCF Home Page" href="http://www.unifiedcompliance.com/index.html" target="_blank">Unified Compliance Framework</a>.  It was shortly after I first discovered the UCF collection of mappings that the idea for an article about GRC started forming.  GRC is all about gaining efficiencies and reducing effort and there&#8217;s no more significant tool available to consolidate the number of controls and related tests than the UCF.  Every practitioner I&#8217;ve shared this product with has become an instant fan.</p>
<p>Oh, one more thing.  I have a bit of a track record in spotting trends or technologies that are about to hit the mainstream.  I don&#8217;t pick many, but those that I have all panned out.  GRC is going to continue to grow and become huge in corporate America about 30 seconds after the economy bounces back.  If you&#8217;re not already doing so, start keeping an eye on how things are developing around it. Trust me on this.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-an-overview-and-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FDIC bank closure hits close to home</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/fdic-bank-closing-hits-close-to-home/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/fdic-bank-closing-hits-close-to-home/#comments</comments>
		<pubDate>Mon, 10 May 2010 04:59:15 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=351</guid>
		<description><![CDATA[Now that the banking crisis has a face (or two) I can associate with it I'm pretty much certain I won't have any clever quips to make when the next round of FDIC bank closing announcements lands in my inbox.]]></description>
				<content:encoded><![CDATA[<p>In the past, I&#8217;ve made sometimes flip and irreverent comments about the weekly FDIC announcements that land in my inbox regarding bank closings.  Despite the mind-numbing number of institutions that have been closed over the past year or so and the somewhat extensive list of institutions I&#8217;ve done work for, I&#8217;ve somehow managed to avoid any direct connection to any that have been shut down.  On Friday, that changed and I&#8217;m not happy about it.</p>
<p>I&#8217;m not sure if I can legally mention the institution&#8217;s name and so I won&#8217;t, but I wish I could.  I wish I could because from working there just over two years ago, I know it was not an institution being mismanaged or poorly run.  Quite to the contrary.  I met with roughly half of the firm&#8217;s management team while conducting an information security risk assessment and what I recall is an institution that was well managed and took regulatory compliance seriously.  The people responsible for the infrastructure were on top of things, smart and capable.  As a matter of fact, I developed a new technique to frame risk-related information for them so that they could continue to use the information to guide their compliance activities after the engagement concluded.  They didn&#8217;t want only a point-in-time assessment but also the ability to track related activities to ensure ongoing compliance.  Does that sound like an institution that would be ripe for closure?</p>
<p>I don&#8217;t understand enough of what goes into the balance sheet to assess their overall management and business strategy.  These are tough times and previously viable institutions are being caught in the still tightening grip of the real estate crisis all the time.  But I&#8217;ve come across financial institutions that were not nearly as organized, where the people I interviewed didn&#8217;t present nearly as well. If I was asked to pick five banks I&#8217;ve work with that might be closed I&#8217;m not sure the one shut down Friday would have even crossed my mind.</p>
<p>Now that the banking crisis has a face (or two) I can associate with it, I&#8217;m pretty much certain I won&#8217;t have any clever quips to make when the next round of FDIC bank closing announcements lands in my inbox.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/fdic-bank-closing-hits-close-to-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
