Of all the client inquiries and advisories we get related to risk management, one of the most frequent topics of discussion continues to be the role of risk management. Who should be involved? How? What should our objectives be? How should we measure success?
In an upcoming Security & Risk Council member meeting in London, I plan to take members through each of the five steps of ISO 31000 in an interactive workshop. We will discuss how to build repeatable and consistent processes, demonstrate that process to stakeholders, improve strategy and planning, and show support for relevant corporate functions and business units. If you’re interested in discussing this idea with me and other members of the Security & Risk Council, please consider joining us on March 16 in London. In order to qualify to attend, you must be a senior-level security and/or risk management executive in a $1B+ organization. Please click here for more details on the S&R Council or on the member meeting itself.
Details have been elusive thus far, but reports indicate that multiple breaches occurred, resulting in “suspicious files” on the company’s servers. A statement released by Nasdaq assures us that its trading systems and customer data were not compromised, and those in the know tend to agree that infiltrating the trading systems would be substantially more difficult than breaking into the web environment and leaving a few files behind. As the investigation continues, hopefully we'll learn more, but what can we take away from this story so far?
The list of attractive hacker targets continues to grow. Whoever perpetrated this breach chose not to go after traditionally lucrative targets like customer/employee data or a more difficult and devastating attempt to dismantle one of the world’s biggest exchanges. Instead the target was a more accessible set of extremely sensitive corporate data – details about mergers, acquisitions, dividends, and earnings. Without much sophistication, criminals could use this information to execute rather impressive “insider trading” transactions or simply find an outlet like WikiLeaks for some of the more embarrassing tidbits.
This week we published the first in a series of reports I'll be writing to help clients calculate the return on investment of GRC technologies. This report, How To Measure The ROI Of A GRC Platform, outlines the key factors and suggested metrics to show what GRC can do for your organization.
Of course, my first recommendation is to exhaust your arsenal of arguments before falling back into ROI terrain. GRC is about improving oversight, strengthening controls, and finding ways for the business to succeed within the boundaries of risk tolerance. But these board-level issues can quickly give way to questions of costs and savings... so it's good to be prepared.
The considerations for costs (software, hardware, maintenance, implementation, etc.) are not much different than other large IT projects, nor are the associated risks (requirements, scope, adoption, integration, etc.). What's tough is articulating the benefits. The report offers much more detail, but generally the success factors of a GRC implementation fall into three categories. These are:
Efficiency, which includes product and process consolidation as well as facilitation of processes such as policy development and distribution, risk and control assessments, incident/issue management, data/report aggregation.
Risk reduction, which includes decreases in audit and examination findings, reduction in regulatory fines, faster remediation of issues, and the secondary benefits of these improvements, such as deceased cost of capital and lower insurance costs.
On the heels of Forrester's GRC Market Overview last month, this week we published my Governance, Risk, And Compliance Predictions: 2011 And Beyond report. Based on our research with GRC vendors, buyers, and users, this paper highlights the aggressive regulatory environment and greater attention to risk management as drivers for change. Specifically, here is a brief summary of the top five trends we will see next year:
Increasing vendor competition will continue to bring more choices and more confusion. Strong market growth will encourage more technology and service vendors to get into the market, which means the fragmentation (which I've discussed previously) and confusion will continue.
It will come as little surprise to most of you that the overall GRC market is still saturated with relatively small vendors, many of which continue to struggle to maintain their market niches. At the same time, a handful of market leaders (notably BWise, IBM/OpenPages, MetricStream, RSA/Archer, and Thomson Reuters/Paisley) continue to distance themselves from the rest of the pack, while several large competitors (including Oracle, SAP, SAS, Software AG, and Wolters Kluwer) put more and more pressure on the market all the time.
It's been interesting to watch these vendors that competed head-to-head regularly for SOX compliance deals now drifting further apart . . . some focusing more on risk management and analytics, some strengthening their compliance and content offerings, some building deeper integration with IT systems, and others building bridges into audit departments. The current environment of increased government oversight and regulation — and in some cases, reform of whole industries — worldwide promises to bring a strong resurgence to the GRC platform market overall, which means increased competition both from veteran vendors and newcomers alike.
Rarely does vendor consolidation reflect such fragmentation of a market.
Picking up on the recent acquisition trend of independent market leaders, IBM today announced plans to acquire long-time GRC heavyweight OpenPages to strengthen its business analytics offerings, including Cognos and SPSS. It's a good fit for both companies and certainly won't surprise anyone who has been following the space... the OpenPages platform leans on Cognos for its reporting capabilities, so they already have a head start on product integration. The two have also proven successful in the past by combining forces on large risk management implementations, so there are already established use cases to reference.
This deal is most interesting, however, when you consider the other acquisitions of top GRC vendors. Less than two years ago, Paisley was acquired by Thomson Reuters to strengthen its tax and accounting business and content delivery, while EMC acquired Archer Technologies earlier this year as a dashboard (at least initially) to pull together IT risk data and processes as part of its RSA security offerings. While OpenPages has historically competed with Paisley in financial controls management and has recently been moving more into Archer's core IT risk and compliance domain, this acquisition will likely turn the company more toward higher-level corporate performance and enterprise risk management. The GRC vendors will still compete regularly, but their unique selling propositions are starting to look more and more unique all the time.
There has been an interesting PR battle in Washington over the last few weeks about the number of massive regulations still on the administration's agenda. House Minority Leader John Boehner wrote a memo to President Obama citing a list of 191 proposed rules expected to have a more than $100 million impact on the economy (each!) and asking for clarification on the number of these pending rules that would surpass the $1 billion mark. The acting head of the Office of Management and Budget responded, saying that the number of "economically significant bills" passed last year actually represented a downward trend, and the current number on the agenda is more like 13.
For those of you wanting a little more clarification, you can search through the OMB's Unified Agenda and Regulatory Plan by economic significance, key terms, entities affected, and other criteria. Making sense of all of these proposed rules will take time, but it will help you get an idea of issues that your organization may have to face in the near future.
Coincidentally, my latest report, The Regulatory Intelligence Battlefield Heats Up, went live yesterday. In this paper, I offer an overview of different available resources to keep up with new and changing regulations as well as relevant legal guidance.
After an in-depth survey of IT security and risk professionals, as well as our ongoing work with leaders in this field, Forrester recognized the need for a detailed, practical way to measure the maturity of security organizations. You asked, and we responded. I'm happy to announce today we published the Forrester Information Security Maturity Model, detailing 123 components that comprise a successful security organization, grouped in 25 functions, and 4 high level domains. In addition to the People, Process, and Technology functions you may be familiar with, we added Oversight, a domain that addresses the strategy and decision making needed to coordinate functions in the other three domains.
Our Maturity Model report explains the research and methodology behind this new framework, which is designed to help security and risk professionals articulate the breadth of security’s role in the organization, identify and fix gaps in their programs, and demonstrate improvement over time.
What makes the Forrester Information Security Maturity Model work?
My colleague Boris Evelson, who covers business intelligence for Forrester and serves business process professionals, recently wrote a great post about the use of spreadsheets for business intelligence. He explains that while many BI vendors initially sought to replace spreadsheets in the corporate environment, it's now clear that they are not going anywhere any time soon.
Sound familiar? While many governance, risk, and compliance professionals and GRC vendors continue to work toward helping customers consolidate data and move away from spreadsheets, they are still basically ubiquitous. In fact, several of the top GRC vendors are now working to improve the way their tools interface with Excel... Not just for exporting reports, but for data input and analysis as well.
I recommend reading Boris' post, where he details three best practices regarding the use of spreadsheets for BI:
Create spreadsheet governance policies.
Monitor and enforce compliance with those policies.
Give preference to vendors that work well with spreadsheets.
Creating clear policies for what information will and will not be managed on spreadsheets is critical here, and extremely important for the GRC universe. Unless you have specially-built controls, spreadsheets do not give you the level of security, access control, change control, or audit trail you should have for data related to compliance or risk management. Knowing Office tools are going to be handling substantial amounts of important information for the foreseeable future, so it's worthwhile to review and update your policies and make sure they are being appropriately enforced.
The Court found that the method by which Public Company Accounting Oversight Board (PCAOB) members are appointed does not grant the Executive branch sufficient oversight because of the restrictions on when members can be removed from their position. According to Chief Justice Roberts' opinion, "The consequence is that the Board may continue as before, but its members may be removed at will by the (Securities and Exchange) Commission." And for those arguing that SOX doesn't have a severability clause that maintains the act's legality even when a portion of it is overruled, Roberts clarifies that "the unconstitutional tenure provisions are severable from the remainder of the statute."