Guest post from Researcher Nick Hayes.

Take a second to think back to the year 2009. The US was in the thick of the financial crisis; companies were slashing budgets, and the unemployment rate was in double-digits. And do you remember a little thing called the “swine flu”? The World Health Organization (WHO) deemed the H1N1 strain of the swine flu influenza a global pandemic in June 2009. These were just some of the events top of mind for much of the nation and the broader global community three years ago.

2009 was also the year that the annual Forrester And Disaster Recovery Journal (DRJ) Survey focused on the role of risk management in business technology (BT) resiliency and crisis communications programs. Needless to say, the survey was fairly timely. Forrester found risk management was becoming a more common practice for business continuity teams, but that there was still more room for further collaboration with their risk management counterparts.

Fast forward three years, and the 2012 Forrester/DRJ survey is again focusing on the role of risk management in BT resiliency and crisis communications (you can take the 2012 survey by clicking here). A lot has changed since 2009 with a number of new events, technologies, and organizational challenges currently plaguing business continuity and risk management professionals.

Last week saw news that yet another top GRC software vendor has been acquired, following in the footsteps of Paisley, Archer, OpenPages, among others. BWise has always been an impressive vendor in the GRC space, so first off I think congratulations are in order for both parties.

That said, if you didn’t foresee NASDAQ getting into the GRC software space coming, don’t beat yourself up… after seeing the large technology vendors and content providers enter the space over the past 3 years, this wasn’t an obvious move. But looking a little deeper, NASDAQ’s move makes sense for a couple reasons:

-          NASDAQ’s target market cares about GRC. NASDAQ lists its target roles as marketing/corporate communications, board and corporate secretary, investor relations, and corporate finance. All of these roles have a vested interest in better controls, stronger risk management practices, and improved corporate governance.

-          BWise has always focused on the “G” of GRC. More than any other of the top GRC software vendors, BWise targeted governance professionals with capabilities such as entity management.

-          There are immediate integration possibilities. Among NASDAQ’s corporate solutions are products for board management, whistleblower reporting, and XBRL filing. BWise has a host of capabilities (issue management, process management, policy management, reporting, etc.) that could quickly add value to implementations of those products.

But, as always with a deal like this, both parties will have to show the market how they will address some key questions:

In my new report, The Risk Manager's Handbook: How To Measure And Understand Risks, I present industry best practices and guidance on ways to articulate the extent or size of a risk. More than the interpersonal, political, and leadership skills required of a risk management professional, defining how risks are measured and communicated is where I believe they prove their worth. If risk measurement techniques are too complicated, they may discourage crucial input from colleagues and subject matter experts... but if they are too simple, they won't yield enough relevant information to guide important business decisions. Great communication skills can only hide irrelevant information for so long.

This report includes factors to use in the risk measurement process, ways to present risk measurement data in meaningful ways, and criteria to use when deciding which of these methods are most appropriate. As always, your feedback is welcome and appreciated.

In addition, I will be covering a related topic with our Security and Risk Council in a session called Creating A High-Impact Executive Report along with my colleague Ed Ferrara at Forrester's upcoming IT Forum: Accelerate At The Intersection Of Business And Technology, May 25-27, in Las Vegas. Please join us if you can make it. Later in the week, I will be available for 1-on-1 meetings with attendees, and I'll also present sessions on linking goverannce and risk and establishing good vendor risk management practices. I hope to see you there. 

By Boris Evelson

We all know that the war of fighting the proliferation of spreadsheets (as BI or as any other applications) in enterprises has been fought and lost. Gone are the days when BI and performance management vendors web sites had “let us come in and help you get rid of your spreadsheets” message in big bold letters on front pages. In my personal experience – implementing hundreds of BI platforms and solutions – the more BI apps you deliver, the more spreadsheets you end up with. Rolling out a BI application often just means an easier way for someone to access and export data to a spreadsheet. Even though some of the in memory analytics tools are beginning to chip away at the main reasons why spreadsheets in BI are so ubiquitous  (self service BI with no modeling or analysis constraints, and little to no reliance on IT), the spreadsheets for BI are here to stay for a long, long, long time.

With that in mind, let me offer a few best practices for controlling and managing (not getting rid of !) spreadsheets as a BI tool:

1. Create a spreadsheet governance policy. Make it flexible – if it’s not, people will fight it. Here are a few examples of such policies:
   • - Spreadsheets can be used for reporting and analysis that support processes that do not go beyond individuals or small work groups vs. cross functional, cross enterprise processes  
   • - Spreadsheets can be used for reporting and analysis that are not part of mission critical processes