Tag Archives: GRC

2013-04-20 by: James Bone Categories: Risk Management Beyond GRC

A bold new experiment is taking place in the Federal government across a number of agencies to identify and address systemic risk before the next financial collapse occurs.  You may be familiar with the Securities and Exchange Commission’s Division of Risk, Strategy, and Financial Innovation. 

Over the last 3 years, the S.E.C. has revamped this Office into a “think tank” with a multidisciplinary team of professionals from a variety of academic disciplines.  This is not your father’s SEC; the team is made up of 35 PhD financial economists, financial engineers, programmers, MBA’s and other experts. 

Likewise, the Treasury Department has set up a new Office of Financial Research, which was created under the Dodd-Frank bill in 2010 to support the Financial Stability Oversight Council – the group responsible for coordinating the efforts of the top financial regulators. 

Richard Berner, the newly appointed head of the OFR, is tasked with finding threats to financial markets BEFORE they occur.  Berner, a trained economist, has some experience looking around corners: as chief economist for Morgan Stanley, he and a colleague revised their forecast of economic growth in 2007 to predict the coming recession before many on Wall Street saw the signs of economic trouble. 

There is an arms race of data analytics unfolding amongst economists and researchers to create tools to recognize and hopefully avoid the next crisis.  Berner is leading this charge and is now building a new forecasting model with the help of academics and financial engineers.  Many market watchers give Berner kudos for these efforts; however, some question whether a financial model is capable of capturing the complexity of global financial markets.

Berner faces the same challenge as the providers of Big Data solutions.  How do you standardize all sorts of records into a common data set that everyone agrees with, so that the numbers are comparable?  There is no common taxonomy for data across different firms!

The Office of Financial Research may not be able to see the future and avoid all risk events to financial markets but it does mark a new era in how risk management will be conducted going forward. 

What role does GRC play in a world dominated by predictive analytics?  What new skills are needed by risk practitioners in the future?  Berner didn’t see or understand the systemic risks inherent in a correlated global market and missed how risks in US markets might impact our European counterparts overseas.  “There are still pretty big gaps in our knowledge”, Berner said during his interview for the article. 

What is becoming clear is that, regardless of your business, the expectation to understand data and to develop a governance model for it is increasingly apparent.  Attempting to tackle this effort alone in isolated silos would be self-defeating.  The best course of action is to begin to socialize the need for data management with key stakeholders in your firm.  Agreeing on a common set of definitions and a taxonomy helps create a framework for defining important data and understanding where the gaps exist.

Resist the temptation to discuss risks at this stage of discovery.  Trust the process to reveal new information and potential risks as you learn more about how data is used and managed across your firm.  Rushing to define risks may predetermine outcomes and prevent you from learning of gaps you would not have anticipated beforehand. 

You may not be able to “see around” corners when you complete this exercise, but you may begin to ask new questions and have a better understanding of the data bottlenecks that prevent you from achieving higher levels of performance.  Early success is the key to how far you decide to push the envelope in your data analysis. 

Regulators are building a formidable store of information on organizations that will grow and become more sophisticated.  Risk professionals should be prepared with an equally robust set of data to demonstrate that they are building the same level of proficiency in understanding their own business.


Original story written by jim.tankersley@washpost.com

2013-04-15 by: James Bone Categories: Risk Management How to Implement and Align Technology within Your GRC Framework

by James Bone, Executive Director TheGRCBlueBook

GRC Summit – Michael Rasmussen (GRC 20/20), Norman Marks (SAP), Lance J. Freedman (Lockheed Martin Corporation)

Norman Marks’s introduction of the Day Two keynote speaker, Michael Rasmussen, demonstrated the dichotomy of the divergent views evolving in GRC.  Norman set up the introduction with an overview of the State of the Industry address.  Marks’s view is informed by developments in predictive analytics and the promise of big data. 

“GRC stands for Governance, Risk and Confusion”, half joked Marks.  “The GRC solution remains elusive as does agreement on definitions and a common taxonomy for implementing an effective framework.”  So how does one align GRC with technology? 

According to Marks, “there is no informed approach that has proved effective in deciding how to purchase a GRC solution.”  The available analyst reports from leading consulting firms were deemed to be insufficient in providing prospective users with the tools needed to make an informed choice between respective risk solutions.  “[Analyst’s] reports are based on a generic set of business outcomes intended to address the preconceived needs of risk managers”, according to Marks.  Even Michael Rasmussen admits that risk managers need more than three client references from GRC vendors.  “Do you expect to receive a bad reference from a GRC vendor?” questioned Michael.

Rasmussen has broadened his view of GRC beyond a strict definition of the features embedded in the platform to now include a focus on GRC architecture.  In Michael’s view, “GRC is about organizing the manual processes, data and accountability to solve for the complexity inherent in today’s business environment”.

This is what Rasmussen calls “GRC3.0, Enterprise Architecture.”  Rasmussen has adopted the OCEG Red Book framework as his operating model which advocates aligning business objectives and performance with GRC.  “Effective enterprise architecture will require half a dozen or more GRC solutions in order to address the full complement of risks outlined in Michael’s framework.” 

What both evangelists agree on is that the end solutions must have a positive impact on the performance of business objectives.  One of the best lines came from Norman Marks as he described the cause of diluted successes in GRC to date.  “These random acts of improvement lead to uncoordinated progress”, according to Marks.  “The key is aligning GRC for business value from strategy to operations.”

Each of the panelists provided a comprehensive set of examples for why risk tools are needed to manage increasingly challenging regulatory and business objectives while leaving the audience with no more clarity on a prescription for moving forward.  The missing piece to the puzzle remains elusive.  How does one determine which solution is appropriate for their needs given the unique risk challenges each firm faces?

Will there be a convergence of approaches after a critical mass of firms adopts a systemic solution to manual processes and begins to see the benefit of Big Data analytics?  Will predictive analytics make today’s subjective risk assessment irrelevant?  Will a disparate set of solutions be needed, as Rasmussen suggests, once a clear data management program has been implemented with the requisite ability to query data for the business answers one is seeking?

The panel debate prompted more questions than answers.  What is clear is that a prospective buyer of these tools has very few reliable options for choosing the appropriate risk solution.  Given the number of available GRC solution providers, finding the tool that fits your needs is a daunting task.  This task is made less clear by a lack of transparency into the market, generic standards for defining GRC implementation, and no professional consultative services independent of the solutions provider to develop a strategic plan before choosing the solution that addresses one’s needs.

2013-03-16 by: James Bone Categories: GRC Articles OCEG Red Book

OCEG, the Open Compliance & Ethics Group, has developed standards for the structure of GRC (Governance, Risk & Compliance).  Although initially focused on GRC as a risk practice, OCEG has shifted focus to a new concept called Principled Performance.  OCEG has modified Enterprise Risk into a Principled Performance model that is inclusive of the COSO Enterprise Risk framework.  This shift in focus appears to imply that risk management is responsible for firm performance.

by: James Bone Categories: Risk Management GRC Tools & Reviews News

2013-03-07 by: James Bone Categories: Risk Management A new renaissance in risk management
