Monthly Archives: April 2013

Archived Posts

2013-04-22 by: James Bone Categories: Risk Management Value Proposition – TheGRCBlueBook


What is the value proposition of TheGRCBlueBook?  The answer may be best explained by what it is not.  We are not LinkedIn, where groups are siloed by risk specialty, industry or self-declared standards.  TGBB does not promote a framework or espouse a preference for one tool over another.

 TGBB is organized around the tools all risk, audit, and compliance professionals use. 

TGBB understands that silos prevent open and robust conversations about risk.  We endeavor to share what’s working and learn from others without competing.  Risks are not one-dimensional, nor are they so unique that one industry’s approach to solving problems cannot lead to new awareness not yet considered by a risk professional in another industry. 

TGBB is grounded in its database of GRC tools and solutions providers; however, as each organization implements these solutions, your unique lessons learned add color to the benefits and opportunities for improving these tools. 

The challenge: How do I share these lessons while not exposing myself and my firm to reputation risk?  The answer is that no proprietary information is requested.  Lessons learned, product reviews and product ratings can and should be shared as opportunities to learn from others.  What you give can be returned in full measure from the lessons of others.  In the coming months we will lead by example with personal interviews of GRC users and, hopefully, informative testimonials as well.

What’s in it for you?  That depends.  If you participate, others will begin to share their stories and we all may learn more as a result.  If you have considered a GRC vendor solution and others provide reviews or ratings of these products, you will learn from the experience of others.  We have chosen not to write or pay for reviews to prevent inherent conflicts of interest, but more importantly this concept is founded on the belief that users are the best source of information about these solutions. 

What we have learned is that the current sources of information about GRC tools and solutions are not sufficient for making informed buying decisions.  Even more critical to the buying decision is a more fundamental question: What is the most effective approach to integrate these solutions in my organization that adds the most value to managing risks and addressing my problems? 

It’s a bold experiment in trust!  Information provided on this site is for the benefit of the members of TheGRCBlueBook.  It’s free and will remain so. 

So what is the value proposition?  YOU!  Your experience, your feedback, your lessons!  You may be surprised that you get more than you imagined by participating. 

TheGRCBlueBook’s mission is to become a global risk and compliance community site and resource portal for sharing best practice across all highly regulated industries: a one-stop source for all things risk and compliance related.

by: James Bone Categories: Risk Management Risk in Transition


The bombing of the 117th Boston Marathon is but one example of how complex new risks can occur when we least expect them.  As more details emerge about the alleged perpetrators, we learn that even with the beefed-up security presence at public events, traditional controls are still ineffective at preventing horrific attacks. 

Thankfully, through the vigilance of the general public, law enforcement, and new technology such as surveillance cameras and social media, our ability to respond to such events has accelerated in real time, allowing the capture of these suspects, though not without additional tragic loss of life.

Law enforcement’s ability to sort through surveillance footage, cell phone and video footage from the public, and other sources at the speed with which it was done to identify the assailants would not have been possible 5 – 10 years ago.  Security spokespersons also credit improved coordination of Federal, State, and Government resources, along with new analytical skills, for the speed and agility in zeroing in on the suspects. 

Much will be learned from these events to improve security in the future.  As tragic as these events are, there are valuable lessons for senior managers and risk professionals in dealing with less lethal but no less important risks facing all organizations today.

PricewaterhouseCoopers’ April 2013 whitepaper entitled “Risk in Review, Global risk in the transformation age” goes further and explores the global threats facing organizations and risk officers responsible for dealing with a host of asymmetrical risks impacting each of us simultaneously and over consecutive time periods.  PwC uses the term “transformation”; however, Michael Monahan, CRO for Pitney Bowes, succinctly states, “Transformation is a bit of an overused term.  It is part of how you do business every day now.” 

PwC’s survey and the emerging themes discussed in this report are a reasonable first step in starting a discussion about strategic risks and plans to address a world in transition. 

The themes:

  • Building a Risk Resilient firm;
  • Addressing the talent gap and building a risk aware culture;
  • Understanding social media and developing reputation risk responses; and,
  • Implementing new generation risk analytical capability

According to John Sabatini, Partner Advanced Risk & Compliance Analytics Services at PwC, “the challenge that many organizations face is that they must aggregate disparate and complex data from hundreds of source systems”.  “One in four risk executives expressed dissatisfaction with their ability to identify and forecast emerging risk.”

PwC’s survey poses more questions than answers; however, the events that unfolded in Boston illustrate that risk is in transition.  The challenges facing healthcare (massive regulatory reform), financial services (anemic economic growth and the protection of personally identifiable information) and general industry (supply chain disruptions from natural or man-made disasters) require risk solutions that fit each organization.  Traditional GRC solutions are not sufficient to respond with the speed and agility required. 

The lessons from Boston are very clear.  First, teamwork and collaboration are most effective when one person is in charge of coordinating events, assets and people to address risk events.  Leadership matters!  The inevitable finger-pointing may not be prevented, but it can be delayed until the events are resolved. 

Second, technology enabled faster discovery of the facts but does not create the ability to “see around corners”.  The over-promise of pattern recognition and resolving risk events before they happen may eventually become a reality, but it is near impossible today no matter how sophisticated the technology. 

Lastly, effective training and preparation through scenario planning and rapid response times help to mitigate the damage.

I hope these events do not happen in your town or organization, but if they do, I hope that you are better prepared by planning accordingly.

2013-04-20 by: James Bone Categories: Risk Management Beyond GRC


A bold new experiment is taking place in the Federal government across a number of agencies to identify and address systemic risk before the next financial collapse occurs.  You may be familiar with the Securities and Exchange Commission’s Division of Risk, Strategy, and Financial Innovation. 

Over the last 3 years, the S.E.C. has revamped this Office into a “think tank” with a multidisciplinary team of professionals from a variety of academic disciplines.  This is not your father’s SEC; the team is made up of 35 PhD financial economists, financial engineers, programmers, MBAs and other experts. 

Likewise, the Treasury Department has set up a new Office of Financial Research, which was created under the Dodd-Frank bill in 2010 to support the Financial Stability Oversight Council – the group responsible for coordinating the efforts of the top financial regulators. 

Richard Berner, the newly appointed head of the OFR, is tasked with finding threats to financial markets BEFORE they occur.  Berner, a trained economist, has some experience looking around corners: as chief economist for Morgan Stanley, he and a colleague revised their forecast of economic growth in 2007 to predict the coming recession before many on Wall Street saw the signs of economic trouble. 

There is an arms race of data analytics unfolding amongst economists and researchers to create tools to recognize and hopefully avoid the next crisis.  Berner is leading this charge and is now building a new forecasting model with the help of academics and financial engineers.  Many market watchers give Berner kudos for these efforts; however, there are some who question whether a financial model is capable of capturing the complexity of global financial markets. 

Berner faces the same challenge as the providers of Big Data solutions.  How do you standardize all sorts of records to a common data set that everyone agrees with, so that the numbers are comparable?  There is no common taxonomy for data across different firms!

The Office of Financial Research may not be able to see the future and avoid all risk events to financial markets, but it does mark a new era in how risk management will be conducted going forward. 

What role does GRC play in a world dominated by predictive analytics?  What new skills are needed by risk practitioners in the future?  Berner didn’t see or understand the systemic risks inherent in a correlated global market and missed how risks in US markets might impact our European counterparts overseas.  “There are still pretty big gaps in our knowledge”, Berner said during his interview for the article. 

What is becoming clear is that, regardless of your business, the expectation to understand data and develop a governance model for data is increasingly apparent.  Attempting to tackle this effort alone in isolated silos would be self-defeating.  The best course of action is to begin to socialize the need for data management with key stakeholders in your firm.  Agreeing on a common set of definitions and a taxonomy helps create a framework for defining important data and understanding where the gaps exist.

Resist the temptation to discuss risks at this stage of discovery.  Trust the process to reveal new information and potential risks as you learn more about how data is used and managed across your firm.  Rushing to define risks may predetermine outcomes and prevent you from learning gaps you would not have anticipated beforehand. 

You may not be able to “see around corners” when you complete this exercise, but you may begin to ask new questions and have a better understanding of the data bottlenecks that prevent you from achieving higher levels of performance.  Early success is the key to how far you decide to push the envelope in your data analysis. 

Regulators are building a formidable store of information on organizations that will grow and become more sophisticated.  Risk professionals should be prepared with an equally robust set of data to demonstrate that they are building the same level of proficiency in understanding their business.

Original story written by

2013-04-15 by: James Bone Categories: Risk Management OCEG’s 2012 GRC Maturity Survey

OCEG is a nonprofit think tank dedicated to helping organizations reliably achieve their objectives while addressing uncertainty and acting with integrity. This is what OCEG calls Principled Performance, and it is a goal that every organization can achieve by integrating and aligning their approaches to the governance, assurance and management of performance, risk and compliance.

The survey was sponsored by SAP and sent to OCEG’s 38,000+ membership.  Approximately 500 respondents participated in the survey.  At the start of the survey, GRC was described for participants as follows:

• GRC is an acronym describing an integrated approach to the governance, assurance and management of performance, risk and compliance.

• GRC enables an organization to achieve principled performance, which OCEG defines as the reliable achievement of objectives while addressing uncertainty and acting with integrity.

• In each of the questions that follow, we use the term “integration” to mean using the same or similar approaches across silos of interest, in a way that allows for a unified view of the information.

• Some people refer to this as a “harmonized” or “consistent” approach. Integrated does not necessarily mean managed under one director or by one unified team.

This description is applied in all questions using the term GRC.

Highlights from the survey:

  • Respondents were fairly balanced across oversight functional responsibility: Risk, Audit, Compliance, Governance (a fairly new role designation), Ethics, and all others (51.6%)
  • 72% of responses stated some integration: [Are performance management activities in your organization integrated to provide a clear view of enterprise-wide performance?]
  • 73.1% reported integrated compliance: [Are compliance activities in your organization integrated to provide a consistent approach and clear view of compliance effectiveness and performance?]
  • 87.7% of responses reported integrated GRC: [What best describes the current level of integration between your processes for governing, assuring and managing performance, risk and compliance (commonly called GRC)?]
  • 78.3% of responses reported improved GRC in the last 3 years: [Is there greater GRC integration in your organization today than there was three years ago?]
  • 85.6% of respondents see value in integrating GRC using technology: [Would your organization benefit from integrating and streamlining use of technology for GRC activities enterprise-wide?]
  • 70.8% of respondents have considered GRC tools for future use: [Does your organization have plans to better integrate existing technologies used to support GRC processes or acquire new technologies?]

The results of the survey imply that progress on integration has been achieved without a robust technology solution, with respondents suggesting that additional benefit might come from an integrated platform. 

by: James Bone Categories: Risk Management How to Implement and Align Technology within Your GRC Framework

by James Bone, Executive Director TheGRCBlueBook

GRC Summit – Michael Rasmussen (GRC 20/20), Norman Marks (SAP), Lance J. Freedman (Lockheed Martin Corporation)

Norman Marks’s introduction of the Day Two keynote speaker, Michael Rasmussen, demonstrated the divergent views evolving in GRC.  Norman set up the introduction with an overview of his State of the Industry address.  Marks’s view is informed by developments in predictive analytics and the promise of big data. 

“GRC stands for Governance, Risk and Confusion”, half joked Marks.  “The GRC solution remains elusive as does agreement on definitions and a common taxonomy for implementing an effective framework.”  So how does one align GRC with technology? 

According to Marks, “there is no informed approach that has proved effective in deciding how to purchase a GRC solution.”  The available analyst reports from leading consulting firms were deemed insufficient in providing prospective users with the tools needed to make an informed choice between competing risk solutions.  “[Analysts’] reports are based on a generic set of business outcomes intended to address the preconceived needs of risk managers”, according to Marks.  Even Michael Rasmussen admits that risk managers need more than three client references from GRC vendors.  “Do you expect to receive a bad reference from a GRC vendor?” questioned Michael.

Rasmussen has broadened his view of GRC beyond a strict definition of the features embedded in the platform to now include a focus on GRC architecture.  In Michael’s view, “GRC is about organizing the manual processes, data and accountability to solve for the complexity inherent in today’s business environment”.  

This is what Rasmussen calls “GRC 3.0, Enterprise Architecture.”  Rasmussen has adopted the OCEG Red Book framework as his operating model, which advocates aligning business objectives and performance with GRC.  “Effective enterprise architecture will require half a dozen or more GRC solutions in order to address the full complement of risks outlined in Michael’s framework.” 

What both evangelists agree on is that the end solutions must have a positive impact on the performance of business objectives.  One of the best lines came from Norman Marks as he described the cause of diluted successes in GRC to date.  “These random acts of improvement lead to uncoordinated progress”, according to Marks.  “The key is aligning GRC for business value from strategy to operations.”

Each of the panelists provided a comprehensive set of examples of why risk tools are needed to manage increasingly challenging regulatory and business objectives, while leaving the audience with no more clarity on a prescription for moving forward.  The missing piece of the puzzle remains elusive.  How does one determine which solution is appropriate for one’s needs given the unique risk challenges each firm faces?

Will there be a convergence of approaches after a critical mass of firms adopts a systemic solution to manual processes and begins to see the benefit of Big Data analytics?  Will predictive analytics make today’s subjective risk assessment irrelevant?  Will a disparate set of solutions be needed, as Rasmussen suggests, once a clear data management program has been implemented with the requisite ability to query data for the business answers one is seeking?

The panelist debate prompted more questions than answers.  What is clear is that a prospective buyer of these tools has very few reliable options for choosing the appropriate risk solution.  Given the number of available GRC solutions providers, finding the tool that fits your needs is a daunting task.  This task is made harder by a lack of transparency into the market, generic standards for defining GRC implementation, and no professional consultative services independent of the solutions provider to develop a strategic plan before choosing the solution that addresses one’s needs.

2013-04-05 by: James Bone Categories: Risk Management Science vs the Art of Risk Management

Jesse Eisinger, a reporter for Times partner ProPublica, recently sat down with John Breit, former head of market risk insight for Merrill Lynch, to discuss whether the human factor is being lost in risk management.  Data analytics and the hype around Big Data have become the central focus for finding value and improving risk management.  John Breit, a physicist by training, was part of the early wave of “quants” to leave academia, government and the military to work on Wall Street.

Breit soon became disillusioned with his role when he realized the limits of building financial risk models and his focus shifted to being a glorified hall monitor for the trading desk. John now believes that risk managers should “develop what spies call humint — human intelligence from flesh and blood sources. They need to build networks of people who will trust them enough to report when things seem off, before they become spectacular problems. Mr. Breit, who attributes this approach to his mentor, Daniel Napoli, the former head of risk at Merrill Lynch, took people out drinking to get them to open up. He cultivated junior accountants.”

A focus on data alone may be misleading.  Cars are designed with windshields for seeing the road and the risks that jump out in front of you as you drive.  The dashboard serves only as an indicator of other variables that may affect the condition of the vehicle, such as fuel level, driving speed, and outside temperature.

Breit’s lesson is that risk managers have been squeezed into a box.  “Regulators have reduced risk managers to box checkers, making sure they take every measure of risk and report it dutifully on extensive forms. It just consumes more and more staff, turning them into accountants and rotting brains.”

The promise of data analytics is still evolving, and risk managers have an opportunity to lead by creating context for data analysis; however, there is a real possibility that risk management may be further marginalized as a result of a purely data-driven mindset.

Jesse Eisinger is a reporter for ProPublica, an independent, nonprofit newsroom that produces investigative journalism in the public interest. Email: Twitter: @Eisingerj

by: James Bone Categories: Risk Management Spending on risk management software expected to slow

Spending on risk IT software is expected to slow, according to IDC Financial Insights; such spending has experienced a 5.45% compound annual growth rate.  Corporate budgets are expected to shrink due to current economic challenges and the expectation that most of the IT projects are completed or close to completion.

Risk IT spending is still expected to exceed $80 billion by 2017, with an emphasis on credit analytics, enterprise risk management, compliance, and information security.  Michael Versace, IDC Financial Insights global research director, said: “At the same time, executives continue to look for risk technology investment value over the long term by establishing a standard for building risk management into all strategic, business IT, and operation IT initiatives, versus being reactive or bolting on initiatives after the fact.”

2013-04-02 by: James Bone Categories: Risk Management Interview with Vilen Abramov, Vice President, Model Risk Control at KeyBank

Vilen Abramov