Tag Archives: governance

2013-11-04 by: James Bone Categories: Risk Management
TheGRCBlueBook launches new GRC Vendor comparison tool!



Lincoln, Rhode Island; November 4, 2013 – TheGRCBlueBook.com, the largest online directory of GRC vendors on the web, will launch its newest tool in the GRC Tools & Reviews database on November 10th. The GRC Tools & Reviews will allow users to compare thousands of GRC solutions with the click of a keystroke!

Research firms such as Gartner and Forrester sell information and promote a small percentage of GRC vendors for thousands of dollars! TheGRCBlueBook provides a complete listing of GRC vendors absolutely FREE of charge with no conflicts of interest.

More recently the Open Compliance & Ethics Group (“OCEG.org”), in collaboration with Michael Rasmussen, has jumped into the “pay to play” game for GRC tools!

“TheGRCBlueBook is the only web portal with thousands of GRC vendors offered for FREE to its membership!” said James Bone, Executive Director. Others may try to copy TheGRCBlueBook, but why pay for information that is FREE! TheGRCBlueBook members receive discounts and benefits for events and conferences for risk professionals, and for new services and products.


2013-08-29 by: James Bone Categories: Risk Management
Your Risk Program is Failing and You Don’t Even Know It

You may be asking how anyone can make such a bold statement without knowing the details of your specific risk program. Actually, I know more about your risk program than you realize, and that’s why I know it’s failing. I also know that as much as 55% of the cost of all risk programs is wasted! And more importantly, I can prove it.

Let me demonstrate:  Your risk program (audit, risk management, compliance, ethics, IT and governance) is risk-based.  You have assessed your risks and mapped your controls accordingly.  You have policies and procedures tied to risks and associated internal controls and you monitor the effectiveness of controls on a periodic basis and provide some form of risk reporting using key risk indicators and metrics.  You can effectively articulate the three lines of defense of your risk program.

Independently, internal and external auditors test your controls, and you have created some form of management certification to demonstrate that management has signed off on the attestation of the operating effectiveness of these controls. In some cases, you use a combination of off-line and online systems to track the operation of your various risk program activities. You use one or more risk frameworks as a model for the operation of your risk program.

Some firms have augmented their program with Six Sigma and other quality control measures. Depending on the level of detail in your organization, you have documented hundreds, no, thousands of controls and created heat maps, workflows and graphs to justify the millions of dollars spent on staff and other resources to monitor compliance of your controls.

Where required by regulatory mandate in your industry (Basel, FINRA, SEC, HIPAA, or some other governmental or quasi self-regulatory agency), you may be required to measure or quantify risk capital in the event of losses in your operations or to protect against financial fraud. You may even have advanced governance programs in place with risk committees, detailed reports to the board of trustees, and various board level committees focused on risk management. You have satisfactorily passed regulatory review and internal and external audit examinations.

These practices are confirmed in industry conferences and training programs and are included in a variety of skills certification courses. Risk professionals across all highly regulated industries globally say this is what they do, with some variation in sophistication noted, yet something is missing.

The vast majority of these programs are failing!

This is a troubling development given the increase in global competition and rapid advancements in technology. The cost of failure is significant and rising! So what is the problem?

Before I tell you why your program is failing please answer the following questions about your program: 

1. Do you use Probability or Likelihood versus Impact (or a similar variation) to assess and/or measure risks?

2. Do you use Risk and Control Self Assessments or operational self-assessments to measure risks?

3. Do you use surveys, interviews, or some other questionnaire to assess or measure risks?

4. Does your risk assessment program or processes frequently tell you something you didn’t ask it to tell you?

5. When you evaluate risks, does it include a range of outcomes for each risk event with probabilities and confidence levels assigned to each outcome?

6. Do you maintain a dynamically updated stochastic library or database of risk incidents that can be used to run scenarios of statistical inference of risk?

If you answered yes to the first three and no to the next three questions, your risk program may be failing to detect risks that are buried out of sight!

Here is why! If your risk program fits the descriptions above, it has been designed to assess and measure uncertainty, not risks. The vast majority of risk programs are designed to assess the likelihood of an event that might occur!

There is a fine distinction to be made between a Risk and an Uncertainty. We know a Risk because it has been made tangible. The impact of a risk is recognizable by others even if one has not personally experienced it. Each of us may perceive the same risk differently, yet there is a shared understanding of the need to address it.

Uncertainties are harder to pin down. Hurricanes are a frequent occurrence and we know the risks, BUT we don’t know what the actual impact will be or where the most severe damage will occur, and there is little you can do but prepare the best you can. Fortunately, because of the risk of hurricanes we have learned to model their behavior to reduce the loss of life.

The tools used in risk programs to evaluate uncertainty are subjective, educated guesses with low statistical value, because uncertainty is arbitrary and random by definition. In other words, uncertainty is nearly impossible to measure with accuracy.

On the other hand, risks are measurable. An operational loss or business disruption can be quantified. The frequency of a risk can be calculated and modeled with some degree of confidence, if historical patterns remain intact. Risks can be reduced to more acceptable levels, which provides opportunities to save the firm money and improve operations. Risks cannot be eliminated entirely, yet the choices a firm makes for dealing with risks determine the success or failure of a risk program.

So why do nearly all firms spend 55% or more of their time assessing uncertainty? Wouldn’t the millions of dollars lost attempting to measure what might happen be better spent reducing real risks? Of course it would, but there is an insidious reason that risk professionals and business leaders avoid making the necessary changes to dramatically improve the odds of success in their risk programs. FEAR!

Plain and simple, we are afraid of uncertainty and the factor of surprise it entails. Uncertainty is hard to explain to management, and it is even harder to justify why it happened on your watch. We have learned from behavioral scientists that losses loom larger than gains, which means that we are willing to spend $0.55 of every dollar to try to avoid uncertainty, rather than keep these savings and reduce risks.

It seems irrational to spend so much money assessing an immeasurable outcome, but it is part of a phenomenon called intertemporal choice. Intertemporal choice is the process each of us uses to make decisions across time. It explains why we spend more time planning our vacation activities than saving for retirement, or why we are willing to take $100 today rather than $125 one year from now.

Intertemporal choice also explains why our risk programs are failing. It is safer, we assume, to do what everyone else is doing and take comfort in the fact that it is called a best practice.

What’s needed?  Robust diagnostic tools and education!

Medical doctors would be liable for malpractice if one common prescription were used to remedy all health risks. Likewise, risk professionals must develop a robust set of diagnostic tools to learn more about the real risks that exist in their business. The patient is the organization, and it “presents” symptoms that send signals about the underlying risks.

Advancements in diagnostic tools and processes have accelerated in recent years, and risk professionals must become more familiar with how they work and how they can be used in their business. This is where education plays a significant role. Data science is still evolving but is critical to building sustainable and robust risk programs. As risk professionals become more comfortable with a range of diagnostic tools, these processes can be operationalized and incorporated into business processes.

Until these tools and processes are in place, risk professionals should begin to discuss the practical steps a business can take to better understand what is known and not known about risks. This is a journey, not a one-shot process!

Uncertainty can also be modeled, but not with precision. We must admit with humility that risk professionals are human and cannot see around corners. At least not clearly! When we reach the boundary of our understanding of risk and uncertainty, caution is required. The proper use of data, diagnostic tools and education is enhanced where corporate culture is supportive of the learning process.

No one has solved uncertainty, but you can benefit from it if you take measures to understand what you don’t know. Take Jeff Bezos’ purchase of the Washington Post.


Bezos has confounded his competitors since the launch of Amazon.com. There is a great deal of speculation about what Bezos plans to do with the Post. Only Jeff knows for sure, but he has taken the strategic use of uncertainty to an art form and created one of the truly great organizations in America.

Special thanks to Jerry D. Norton, Partner with Candela Solutions, a CPA firm targeting Governance

TheGRCBlueBook mission is to become a global risk and compliance community site and resource portal for sharing best practice across all highly regulated industries.  A one stop source for all things risk and compliance related.


2013-07-10 by: James Bone Categories: Risk Management
GRC Mergers & Acquisitions heat up with economic recovery



Berkery Noyes, Investment Bankers, has tracked the GRC market for two decades and reported 156 M&A deals in 2011 and 2012 alone. GRC solutions providers are now considered strategic to managing business processes and represented a 17% year over year increase during this period.


2013-05-25 by: James Bone Categories: Risk Management
Standard & Poor’s grades Corporate Governance: Only 6% get an A


As of May 2013, Standard & Poor’s has completed its evaluation of management and governance factors for 2,190 publicly and privately rated non-financial North American companies, and the results are dismal. S&P has also assigned a global score to 3,868 firms, with only 8% receiving its highest rating.

“Standard & Poor’s uses the management and governance scores to modify its evaluation of an enterprise business risk profile, a key component of its credit rating.” S&P’s methodology uses 15 criteria for evaluating corporate governance across five categories.

The categories include:

  • Management, which includes:
      • Strategic positioning,
      • Risk management/financial management, and
      • Organizational effectiveness; and
  • Governance

“The Management and Governance criteria for nonfinancial companies consist of eight management subfactors and seven governance subfactors. Depending on how an entity scores along these subfactor dimensions, S&P issues one of four scores: strong, satisfactory, fair, and weak.”

6% of firms scored “Strong”

26% of firms scored “Satisfactory”

65% of firms scored “Fair”

3% of firms scored “Weak”

In its May 13, 2013 press release, S&P disclosed the names of the companies that received a “Strong” or “Weak” designation; see the list in that press release.


2013-04-22 by: James Bone Categories: Risk Management
Value Proposition – TheGRCBlueBook


What is the value proposition of TheGRCBlueBook? The answer may be best explained by what it is not. We are not LinkedIn, where groups are siloed by risk specialty, industry or self-declared standards. TGBB does not promote a framework or espouse a preference for one tool over another.

TGBB is organized around the tools all risk, audit, and compliance professionals use.

TGBB understands that silos prevent open and robust conversations about risk. We endeavor to share what’s working and learn from others without competing. Risks are not one dimensional, nor are they so unique that one industry’s approach to solving problems cannot lead to new awareness for a risk professional in another industry.

TGBB is grounded in its database of GRC tools and solutions providers; however, as each organization implements these solutions, your unique lessons learned add color to the benefits and opportunities for improving these tools.

The challenge: How do I share these lessons without exposing myself and my firm to reputation risk? The answer is that no proprietary information is requested. Lessons learned, product reviews and product ratings can and should be shared as opportunities to learn from others. What you give can be returned in full measure from the lessons of others. In the coming months we will lead by example with personal interviews of GRC users and, hopefully, informative testimonials as well.

What’s in it for you? That depends. If you participate, others will begin to share their stories and we all may learn more as a result. If you have considered a GRC vendor solution and others provide reviews or ratings of these products, you will learn from their experience. We have chosen not to write or pay for reviews, to prevent inherent conflicts of interest, but more importantly this concept is founded on the belief that users are the best source of information about these solutions.

What we have learned is that the current sources of information about GRC tools and solutions are not sufficient for making informed buying decisions. Even more critical to the buying decision is a more fundamental question: What is the most effective approach to integrating these solutions into my organization so that they add the most value to managing risks and addressing my problems?

It’s a bold experiment in trust! Information provided on this site is for the benefit of the members of TheGRCBlueBook. It’s free and will remain so.

So what is the value proposition? YOU! Your experience, your feedback, your lessons! You may be surprised that you get more than you imagined by participating.
