LogicGate Named a “Leader” in the Forrester Wave™
Turn up the volume! LogicGate named a Leader in The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q4 2023.
Gartner’s® 5 Ways to Apply Data & Analytics to Your Risk Management Process
Leverage quantitative and qualitative data for proactive risk management
As new technologies and data sources become available, risk management leaders must develop more data-driven risk management processes. Gartner’s report outlines 5 ways to adopt data and analytics into your risk management program to avoid falling behind early adopter peers. Download the Guide to: Unlock the power of unstructured data to identify emerging risks faster Quantify risks with real financial impact to support smarter decisions Streamline risk reporting by integrating data lakes and using real-time analytics Disclaimer: Gartner, 5 Ways to Apply Data & Analytics to Your Risk Management Process, Joel Backaler, Devanshu Mehrotra, 13 January 2025 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.LogicGate's 2025 Culture & Inclusion Report
At LogicGate, we believe that the strongest teams are made up of individuals who bring their different identities,…
We remain committed to fostering an inclusive work environment where all employee differences are celebrated, their ideas matter, and everyone feels safe to bring their authentic selves to work. We believe doing this is essential to our success both internally and externally. We’re excited to share our 2025 Culture & Inclusion Report, which reflects the work done in 2024 and ways we will continue to invest in our culture and employee experience through our 2025 focus areas; Champion Diversity within Our Workforce, Foster and Maintain an Inclusive and Equitable Culture, and Deliver an Empowering Experience for Our Customers.Gartner® Market Guide for Regulatory Intelligence Solutions
Key Trends and Insights for Navigating Compliance Challenges
As regulatory activity continues to evolve and grow in complexity, leaders must adapt. The 2024 Gartner® Market Guide for Regulatory Intelligence Solutions report recognizes vendors, including LogicGate. The report also mentions that legal, risk and compliance teams face increased challenges in maintaining the effectiveness of their regulatory intelligence programs. Download the Market Guide to: Understand general Regulatory Intelligence market trends Gain insights into Regulatory Intelligence best practices Analyze the core capabilities of Regulatory Intelligence solutions Gartner, Market Guide for Regulatory Intelligence Solutions, Lauren Kornutick, Lexi VerVelde, 15 October 2024 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.Navigating Regulatory Challenges: A Comprehensive Guide for Financial Institutions
With LogicGate’s Risk Cloud, financial institutions can anticipate, adapt, and manage risk, while ensuring compliance and safeguarding customer…
The current regulatory landscape demands that financial institutions not only comply with evolving rules but also defend against complex cybersecurity threats and manage risks across internal and external ecosystems. This whitepaper explores how adopting a robust Governance, Risk, and Compliance (GRC) program helps institutions mitigate these challenges by centralizing, automating, and streamlining their risk and compliance processes. With LogicGate’s Risk Cloud, financial institutions can anticipate, adapt, and manage risk, while ensuring compliance and safeguarding customer trust.Risk Cloud for Financial Institutions
Designed to scale as you grow, Risk Cloud offers a comprehensive bundle of optional workflows, integrations, and advanced…
Based on insights from numerous real-world financial institutions, LogicGate's purpose-built solutions and expertly-curated content directly address the evolving challenges financial institutions face in today's rapidly changing regulatory and risk environment. Designed to scale as you grow, Risk Cloud offers a comprehensive bundle of optional workflows, integrations, and advanced features to expand and maximize opportunities across multiple stakeholder groups.Future-Proofing Enterprise GRC: Your Roadmap for Migrating to Risk Cloud
Whether you are a Fortune 50 retailer or a up-and-coming enterprise, this guide will provide the insights and…
Move Fast, Stay Safe Are you struggling with outdated GRC systems or cumbersome spreadsheets that no longer meet your growing enterprise needs? Transitioning to LogicGate Risk Cloud is t he solution you've been searching for. In this guide, you’ll learn: LogicGate’s collaborative and security-focused migration methodology. Detailed steps in the data migration process, emphasizing data confidentiality, integrity, and availability. Identification and mitigation of potential migration risks. A successful migration for large-scale enterprises. Whether you are a Fortune 50 retailer or a up-and-coming enterprise, this guide will provide the insights and confidence needed to make the leap to LogicGate Risk Cloud, ensuring your organization is well-equipped for future challenges.How BCU is Operationalizing Their GRC Vision with LogicGate
Learn how BCU is preparing for $10B in assets through a cohesive and scalable GRC program supported by…
NIS2 Compliance: The 5 Key Steps to Secure Your Business
Businesses must now align with these rigorous regulations to safeguard their critical infrastructure, data, and supply chains. To…
The Network and Information Security Directive (NIS2) is ushering in new standards for cybersecurity across the European Union. Businesses must now align with these rigorous regulations to safeguard their critical infrastructure, data, and supply chains. To help organizations take the necessary steps toward compliance, we’ve outlined the five critical actions needed to enhance security and ensure regulatory alignment. Before diving into these key steps, it's crucial to recognize that NIS2 brings broader expectations for businesses. Organizations must develop robust governance structures, maintain incident reporting protocols, and continuously monitor their cybersecurity landscape. These broader responsibilities form the backdrop to the five essential steps we'll explore.DORA Regulation Explained: What You Need to Know
With the increasing reliance on digital infrastructure, regulatory bodies are stepping up to ensure these institutions are not…
What you need to know In today's digital world, financial institutions are under constant threat from cyberattacks, system failures, and other operational disruptions. With the increasing reliance on digital infrastructure, regulatory bodies are stepping up to ensure these institutions are not only secure but also resilient in the face of such challenges. What is DORA? The Digital Operational Resilience Act (DORA) is a groundbreaking regulation aimed at ensuring that financial institutions across the European Union (EU) can withstand, respond to, and recover from all types of digital disruptions and operational risks. Whether it's a cyber-attack, system failure, or third-party service outage, DORA sets the standards to build a robust defense against operational breakdowns.The Strategic Role of KPIs in Governance, Risk, and Compliance
Download this eBook to explore the critical role KPIs play in GRC, and how organizations can harness their…
Organizations face increasing demands for transparency, accountability, and resilience in today's dynamic business environment. At the heart of these efforts lies governance, risk, and compliance (GRC), a crucial mechanism for ensuring that companies meet their objectives while adhering to regulations and managing risks effectively. How can these efforts be measured and optimized to ensure they truly drive business performance? This is where Key Performance Indicators (KPIs) come into play. Download this eBook to explore the critical role KPIs play in GRC, and how organizations can harness their power to strengthen governance oversight, improve risk management, and ensure compliance.From Factory to Store: Scaling GRC in Retail and Manufacturing
Watch this on-demand webinar from LogicGate and OCEG to learn how to turn GRC challenges in the Retail…
In today’s fast-paced world, the retail and manufacturing industries are transforming like never before, with globalization and digital innovation reshaping every corner of the business. But with this transformation comes a new wave of risks that can’t be ignored. Check out our on-demand webinar with OCEG to hear us dive into the critical GRC challenges facing these industries. Whether protecting consumer data in retail or ensuring smooth global supply chains in manufacturing, you’ll learn how to safeguard your business, scale your GRC programs, and prepare for the future. Highlights include: Uncovering the unique GRC challenges in retail and manufacturing Unlocking the power of AI, IoT, and automation to supercharge your GRC programs Mastering third-party risk management by building strong, compliant partnerships Staying one step ahead of tomorrow's challenges by crafting a forward-thinking GRC strategyNavigating the New Era of AI Regulations
A comprehensive whitepaper outlining a pathway to AI governance in light of emerging global standards in AI regulations, specifically the EU…
A comprehensive whitepaper outlining a pathway to AI governance in light of emerging global standards in AI regulations, specifically the EU AI Act. This guide delves into essential strategies for compliance, including AI system risk classification, sandbox testing, and the designation of enforcement authorities. Explore how your organization can employ AI governance tools to streamline risk management, automate policy attestations, and centralize AI model approval processes. Stay ahead of regulatory demands by leveraging holistic approaches to AI governance and proactive measures to ensure AI safety, trustworthiness, and compliance.The Acronyms that Changed the Finance Industry: from AML and BSA to KYC and BaaS
Watch this on-demand webinar from LogicGate and Compliance Week to learn about the acronyms that have revolutionized the…
Governance, risk, and compliance (GRC) have emerged as critical pillars that underpin the stability and growth of financial institutions. As regulatory requirements intensify and risks become more complex, the ability to seamlessly integrate GRC frameworks has become a key differentiator for success. This session with Compliance Week delves into the acronyms that have revolutionized the finance industry–from the Bank Secrecy Act (BSA) and anti-money laundering (AML) to know your customer (KYC) and the Federal Deposit Insurance Corporation (FDIC). Join us to: • Understand the role of AML, BSA, KYC, and the FDIC • Explore the integration of GRC frameworks • Identify best practices for implementing AML, BSA, and KYC in finance • Assess the impact of these regulationsCyber Breach Inevitable: Mastering Operational Resilience for Banks
Proactively managing banking breaches for before and after they occur.
In the banking industry, cyber breaches are not a question of if, but when. Integrating robust Operational Resilience and Risk Management frameworks can build a resilient posture that not only prepares banks for potential threats but also ensures effective response and recovery when breaches occur. These measures are crucial as they will not only protect the bank's infrastructure and data but also preserve customer trust and the institution's reputation. This Guide addresses necessary Operational Resilience and Risk Management program best practices to fortify your bank against the inevitable cyber breaches.The Compliance Programs Guide for Banks Crossing $500M and $1B in AUM
A Regulatory Roadmap and Best Practices for Efficient Banking Compliance
Assets Under Management (AUM) plays a pivotal role in financial regulation, especially within the banking and financial services sectors. Regulatory thresholds linked to AUM dictate the specific compliance requirements that banks must adhere to as they scale. Navigating FDICIA regulatory requirements is paramount for growing financial institutions. Crossing $500 million and $1 billion in AUM triggers specific requirements, including robust audits, detailed reporting, and formal Enterprise Risk Management (ERM) frameworks. These requirements are essential for ensuring financial integrity, transparency, and compliance with ever-evolving regulatory standards. This Compliance Programs Guide is designed to assist banks and credit unions in meeting these regulatory requirements and developing an efficient compliance program when crossing the asset thresholds of $500 million and $1 billion in assets under management (AUM). Leverage this roadmap to adopt key compliance program best practices to ensure regulatory compliance and peak operational efficiency.Proactive AI Compliance: 4 Essential Steps to Minimize Exposure
Watch this on-demand webinar from LogicGate and Compliance Week to learn how compliance teams can proactively identify, assess,…
As artificial intelligence (AI) continues to advance rapidly and organizations expand their usage to optimize efficiency and productivity, implementing internal AI policies to ensure regulatory compliance and minimize exposure remains a hot topic. Hear from LogicGate’s Senior Director of Solutions Engineering & Enablement, Annmarie Rombalski, GRC Content & Strategy Manager, Elli Sullivan, and Senior Manager of Enterprise Security, Anthony Matar, as they explore emerging AI rules, like NIST AI RMF, and how compliance teams can implement effective processes and controls to proactively identify, assess, and mitigate the largest AI risks, ensuring compliance with internal policies and external regulations. Steps will include how to: Gain clarity around AI governance policies and procedures Implement controls for AI risk mitigation Thoughtfully integrating AI governance into cybersecurity Assess AI risk from third-party vendorUnleashing the Potential of AI in Risk Management & Compliance
Watch this on-demand webinar from LogicGate and ITGRC to learn how to integrate AI technologies to optimize risk…
Artificial intelligence (AI) is emerging as a powerful tool that enables a more efficient approach to risk management and compliance. By unleashing the potential of AI, your organization can transform challenges into opportunities, driving growth, resilience, and strategic decision-making. Join LogicGate's Pat Ryan and a panel of experts for valuable insights and best practices on integrating AI technologies to optimize risk management processes and streamline compliance efforts, including: How AI-infused risk assessment tools can identify, assess, and mitigate risks more effectively The various applications of AI for compliance purposes The benefits of collaborative intelligence and AI-enhanced internal reporting systems The strategic use of cutting-edge risk analytics and machine learning solutionsYour Enterprise Cyber Risk Assessment
Learn how to realistically assess your company’s vulnerabilities, including how to prioritize them.
If your company is to survive a growing number of relentless attacks, you had better have eyes everywhere. But no one has that many eyes. The better strategy is to know your weak points and guard those closely. This webinar offers insights on how to realistically assess your company’s vulnerabilities, including how to prioritize them so that you put the most resources into protecting the vulnerabilities that will likely cost the most if exploited. This webinar is all about developing a custom-fitted strategy. You'll learn: How to realistically assess your company's vulnerabilities How to identify and prioritize risks to information and systems How to select controls to mitigate and treat identified risks Methods to improve overall resiliency and cyber posture Why documenting, reviewing, and regularly updating findings is critical22 Quarters at the Top: Risk Cloud Named a Leader on G2 for Winter 2025
Check Out the Winter 2025 Report
For the 22nd quarter in a row, LogicGate Risk Cloud has been named a Leader by G2! Risk Cloud is a no-code risk and compliance platform that scales and adapts to your changing business needs and regulatory requirements. With solutions for every risk and compliance use case in one integrated platform, you’ll have everything you need to build, evolve, and communicate a market-leading risk strategy. Here are some highlights from the report: 99% of users rated LogicGate Risk Cloud 4 or 5 stars 92% of users said they’d recommend LogicGate Risk Cloud to a peer. 96% of users said they think LogicGate Risk Cloud is headed in the right direction. 98% of users were satisfied with LogicGate’s quality of support. 98% said it was easy to do business with LogicGate.The CIO's Guide to Enhancing GRC in 2024
Learn how to make GRC easier and more automated to push your company to the next level.
When structured correctly, Governance, Risk, and Compliance (GRC) can enable enterprises to align IT and business goals, while mitigating risks and abiding by industry and government requirements. Effectively manage your resources and unify your enterprise by utilizing emerging technology that drives data-driven decision making. In this webinar, LogicGate CISO, Nick Kathmann, and Dr. Pape Cissé, Chief Information Officer at AmeriCorps, reveal ways to make GRC easier and more automated to push your company to the next level. Watch now to learn: How GRC safeguards your business from penalties while increasing customer trust How data privacy can impact disaster recovery and risk management Several benefits of GRC implementation for organizations Why GRC requires a unified and collaborative approach from different departments How the future of AI governance will impact GRCOptimizing Risk Classification in Nth Party Relationships
Watch this on-demand webinar from LogicGate and ITGRC to learn the concept of nth party relationships, the inherent…
Understanding the intricacies of nth party relationships is paramount for effective risk management. Optimizing risk classification in nth party relationships entails a multifaceted approach geared towards enhancing visibility, comprehending dependencies, and implementing proactive risk management strategies. Join LogicGate's Sean McGovern and a panel of experts to learn the concept of nth party relationships, the inherent risks involved, and strategies for optimizing risk classification in these relationships, including insights on: Advanced machine learning methodologies and how they can enhance risk scoring and classification systems Strategies to integrate risk scoring and classification systems with diverse data sources The benefits of implementing ongoing monitoring processes and increasing automation in forensic analytics processes How social media and text analytics can help augment risk scoring and classification systems2024 GRC Strategies, Teams, and Outcomes Report
Good GRC practices are simply good business practices. Learn more about how a holistic GRC program can help…
Every industry has specific security, risk, and compliance needs they must comply with to succeed in their dynamic regulatory landscape. But each organization needs a single, comprehensive GRC solution to support its core business goals and desired outcomes. To understand the holistic approach required to better mitigate risk and amplify business value, we partnered with Osterman Research to survey 350 risk, cybersecurity, and compliance leaders from around the world and across industries. Together, these respondents provided insights into their program objectives, team structures, processes, and technology investments - and helped us gauge their GRC program maturity and success. To learn more about how a holistic GRC program can help your organization manage risk and compliance processes, read our 2024 GRC Strategies, Teams & Outcomes Report.4 Gaps in Your AI Governance Strategy: AI Governance Checklist
Leaders now more than ever need guidelines to protect their organizations from the ever-evolving risks that come with…
As artificial intelligence (AI) capabilities rapidly advance, governing the responsible development and use of AI technology has become critical for organizations. Governments and regulatory bodies worldwide are introducing new rules and enforcement actions to ensure AI is deployed safely, ethically, and responsibly. From the U.S. AI Bill of Rights Blueprint to the EU AI Act, a strong focus on AI governance highlighting requirements around security, transparency, and accountability is emerging. AI governance represents a fundamental shift in how businesses must approach AI. It involves implementing robust processes and controls to proactively identify, assess, and mitigate the unique risks AI can introduce across its entire lifecycle. Effective AI governance allows organizations to harness AI’s power while ensuring compliance with internal policies and external regulations. According to OCEG, a global nonprofit think tank that provides standards, guidelines, and online resources to help organizations achieve Principled Performance: 82% of business leaders agree that companies must adopt generative AI or risk being left behind. Even with the majority in agreement, they also state that only 12% of organizations have an AI Governance program in place. This Al Governance Checklist identifies four critical gaps that directly undermine the core objectives of any Al governance program: efficiency (speed to adoption) and effectiveness (holistic risk coverage enterprise-wide). Without addressing these strategic gaps, your Al Governance strategy will hinder competitiveness and leave your organization vulnerable to risks like cybersecurity threats and regulatory non-compliance. Bridging these gaps will drive innovation with accountability.Third-Party Risk Management (TPRM) for M&A Activities
Minimize Risks, Ensure Compliance, and Streamline Integration Efforts With LogicGate's TPRM Application.
Managing third-party risks is critical for the success and longevity of any M&A transaction. LogicGate’s TPRM application empowers organizations to conduct comprehensive due diligence on existing and prospective third-party relationships, assessing various risk factors such as financial stability, regulatory compliance, cybersecurity posture, and reputational concerns.Fortifying Your Attack Surface: How to Defend Against Third-Party Risks
Watch this on-demand webinar from LogicGate and ITGRC for actionable strategies on reducing your attack surface and defending…
Today, most security and IT teams are dealing with an attack surface that is exponentially larger than it used to be, and many organizations lack full visibility into their entire asset landscape. Join LogicGate's Rachael Olsen and a panel of experts for actionable strategies on reducing your attack surface and defending against third-party risks, and for insights on: The different types of attack surfaces Common attack vectors utilized by threat actors Innovative approaches to attack surface reduction Effective strategies to combat threats and mitigate third-party risksPreparing for PCI DSS 4.0: What You Need to Know
Watch this on-demand webinar from LogicGate and ITGRC to learn how to best prepare your organization for the…
The transition to PCI DSS v4.0 is essential for organizations involved in payment data security. Join LogicGate's Patti Struble and a panel of experts to gain valuable insights, practical tips, and expert guidance to ensure your organization's successful transition to PCI DSS v4.0, including: The importance of starting the transition process now to ensure a smooth and efficient shift The significance of maintaining existing security controls How to navigate the changes in PCI DSS v4.0 Customized approaches for PCI DSS v4.0 validationResearch Report: Use of AI for GRC
Find out the top questions GRC leaders should be asking to successfully integrate AI into their risk strategies.
Curious how organizations are planning to integrate AI into governance, risk, and compliance (GRC)? Look no further. LogicGate and OCEG teamed up to develop a comprehensive report focused on how organizations are using, or are planning to use, AI across a variety of risk management activities. Composed of 378 responses from risk professionals from around the world, this report ascertained five key findings: Recognition of the value of AI for GRC is overwhelmingly positive, but actual implementation is still nascent. The most widely used applications of AI for GRC are reported to be Cyber Risk Management and Enterprise Risk Management. Access the full report to discover the other three key findings and supporting data.LogicGate Named a “Strong Performer” in the Forrester Wave™
Pump it up! We’re thrilled to announce that LogicGate has been ranked as a Strong Performer in The…
LogicGate is proud to announce we’ve been ranked as a Strong Performer on the Forrester Wave™: Third-Party Risk Management Platforms, Q1 2024. According to the Forrester report, “LogicGate’s vision centers on the urgency to automate, scale, and mature TPRM programs with a well-funded innovation strategy focused on solving fewer, but bigger, problems for customers.” But, it doesn’t stop there! LogicGate received the highest possible scores in the Interoperability, Workflow, Configurability, Usability, Community, and Innovation criteria. Download the full report to view Risk Cloud’s grid placement and full evaluation scores.LogicGate's 2024 DEIB Report
We are proud of the accomplishments and progress we’ve made in continuing creating an inclusive culture and know…
At LogicGate, our values are at the heart of everything we do. Our efforts on creating an inclusive culture are directly linked to our values, the employee experience, and driving business outcomes. We’re excited to share our 2024 DEIB Report, which reflects the work done in 2023 to foster an inclusive work environment and ways we will continue to invest in and prioritize DEIB. This report highlights our 2024 workforce demographics, and provides a holistic look at our three focus areas moving forward into 2024; Increase and Expand Diversity in Our Workforce, Foster and Maintain an Inclusive and Equitable Culture, and Integrate Our DEIB Mission into the External LogicGate Experience.Attack Prevention Priorities for 2024: Single Point Failure, AI, Supply Chain
Join LogicGate’s CISO, Nicholas Kathmann, and Director of Implementation Services, Chris Clarke, as they discuss critical risk management…
With continued budget cuts, growing third-party relationships, and disruptive technology (hint. hint. AI), security teams must structure their 2024 roadmaps to focus on the most significant and costly impacts to the business, while also preparing for unexpected changes along the way. Join LogicGate’s CISO, Nicholas Kathmann, and Director of Implementation Services, Chris Clarke, as they discuss critical risk management priorities for 2024 and how to pivot when they inevitably evolve.Boosting ROI in Third Party Risk and Compliance with AI
Watch this on-demand webinar from LogicGate and ITGRC to explore how AI technologies are revolutionizing the way organizations…
The use of AI is a game-changer, as it empowers businesses to streamline third-party compliance and mitigation processes, enhancing decision-making and resource allocation. Join LogicGate's Luke Ortegel and a panel of experts to explore how AI technologies are revolutionizing the way organizations manage third-party risk and compliance. You'll learn how to: Convert business requirements into workflows with AI Use AI to dramatically simplify the supplier onboarding process Empower users to kick-start processesLogicGate Named a “Leader” in the Forrester Wave™
Turn up the volume! LogicGate named a Leader in The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q4…
We’re thrilled to announce that LogicGate has been recognized as a “Leader” in The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q4 2023. According to the report, “LogicGate Risk Cloud’s user experience is second to none — reference customers consistently gave it their highest rating compared with other vendors” and “LogicGate is a good fit for lean GRC teams, particularly IT GRC teams, that need a flexible yet balanced capability suite to centralize their risk and compliance work.” Download the report to get an unbiased view of LogicGate’s position in the Governance, Risk, and Compliance technology marketplace.Hot Topic: How Are GRC Leaders Using AI?
Watch this on-demand webinar from LogicGate and OCEG to learn how your GRC peers and leaders are strategically…
As advances in artificial intelligence grow at an exponential rate, we are seeing an increase in the use of AI to enhance efficiency and speed, gather vast amounts of data, and provide insights from data analysis at a deeper and more relevant level. Watch this on-demand webinar from LogicGate and OCEG to: Gain insight from the findings of OCEG's survey on the use of AI for GRC Review the critical AI for GRC questions that you should be discussing with your leadership team Learn how your GRC peers and leaders are strategically vetting, integrating, and planning for AI in risk management25 Questions Leaders Should Ask About The Use Of AI For GRC
Find out the top questions GRC leaders should be asking to successfully integrate AI into their risk strategies.
The use of artificial intelligence in GRC activities and processes is on the rise, enhancing efficiency and speed and providing insights from data analysis that simply cannot be done without the support of Al. However, the associated risks of AI must be taken into consideration so that your organization can develop a strategy that supports long-term success and scalability. Download our eBook, "25 Questions Leaders Should Ask About The Use Of AI For GRC," to access questions GRC leaders should have top of mind, as well as summaries of what the answers might demonstrate about the scope of evaluation and consideration of Al capabilities that could serve the stated need or purpose.Adopting the New SEC Cybersecurity Disclosure Rules for Compliance Resilience
Explore best practices with industry experts for aligning cybersecurity policies and practices with regulatory requirements to ensure compliance.
Cybersecurity and compliance go hand in hand. In this webinar, we will delve into the latest cybersecurity disclosure rules mandated by the U.S. Securities and Exchange Commission (SEC) and explore how organizations can effectively navigate and comply with these regulations. Watch this sponsored webinar on-demand to learn about: The recently enacted SEC cybersecurity disclosure rules and their implications for publicly traded companies. Best practices for aligning cybersecurity policies and practices with regulatory requirements to ensure compliance. The core cybersecurity practices necessary to establish a resilient compliance posture. Actionable takeaways and a roadmap for implementing robust cybersecurity disclosure practices within their organization.Automate to Accelerate: Overcoming Staffing and Compliance Challenges in Cyber Risk Management
Learn how security and compliance teams can improve talent retention, department reputation, time and resource ROI, and more…
In today's cybersecurity landscape, teams dedicate countless hours each year collecting evidence to prove compliance with regulatory and standards mandates. As we face a future with even more regulatory demands, an ever-expanding cyber threat landscape, and a growing number of vulnerable connection points, this burden is set to intensify. This implies that cybersecurity teams will be tasked with more responsibilities, fewer resources, and limited time to guide businesses on harnessing cyber risk for strategic growth. When you watch this on-demand webinar, you'll learn to: Elevate regulatory compliance from a mere checklist item to a catalyst for business growth through automation. Transform cybersecurity and regulatory compliance teams into strategic advisors rather than just cost centers. Improve talent retention, department reputation, time and resource ROI, and more with Automated Evidence Collection.Automate to Accelerate: Overcoming Staffing and Compliance Challenges in Cyber Risk Management
Build a stronger business case for obtaining the people and technology you need to better mitigate cyber risk…
Eliminating unnecessary, time-consuming regulatory tasks not only frees up security departments, but also elevates them as strategic advisors to the business. The most effective path out of the mire of manual evidence collection? Automation. Download this white paper to learn how to: Elevate regulatory compliance from a mere checklist item to a catalyst for business growth through automation. Transform cybersecurity and regulatory compliance teams into strategic advisors rather than just cost centers. Improve talent retention, department reputation, time and resource ROI, and more with automated evidence collection.How to Measure the ROI of Your Risk Management Program
Explore practical strategies, methodologies, and key performance indicators (KPIs) to help you quantify the value your risk management…
In today's dynamic business landscape, effective risk management is essential for organizations to safeguard their assets, reputation, and long-term success. During this webinar, an expert panel will delve into the intricacies of measuring the return on investment (ROI) of your risk management program. We will explore practical strategies, methodologies, and key performance indicators (KPIs) to help you quantify the value your risk management initiatives bring to your organization. You'll learn how to: Define and align measurable objectives for your risk management program. Identify relevant KPIs to assess the effectiveness of your risk management efforts. Techniques for collecting and analyzing data to measure ROI accurately. Evaluate the financial and non-financial impact of risk management activities. Communicate ROI findings to stakeholders for enhanced decision-making.GRC Platform Buyer's Guide
Consistently and efficiently evaluate your vendor shortlist across five categories and dozens of weightable features and capabilities with…
Navigating the crowded GRC vendor market is complicated and time consuming - there are lots of requirements to meet and lots of vendors to sort through. Consistently and efficiently evaluate your vendor shortlist across five categories and dozens of weightable features and capabilities with our free Buyer's Guide. You have full control over every element of our vendor scorecard, so you can align evaluation criteria to your greatest needs.SEC Cyber Compliance Readiness: 4 Steps Every Leader Should Take Now
Organizations, both public and private, have to take quick action to either establish or transform their cybersecurity programs…
Organizations, both public and private, have to take quick action to either establish or transform their cybersecurity programs to come into compliance with new SEC cybersecurity rules and prevent financial, legal, and reputational consequences. Watch LogicGate's Andrew Steioff and Pauline Blatt along with SC Media to learn: How you can ready your organization in 4 steps What SEC regulations mean for both private and publicly traded companies Tips for elevating your overall governance and risk management practicesHow Dignity Used Risk Cloud® to Adapt to an Evolving Regulatory Environment | LogicGate
Dignity Funeral Services launched an entire risk and compliance program from scratch to adapt to new regulations. Find…
LogicGate Risk Cloud®: A Next-Generation GRC Management Platform
The modern risk and compliance environments that our businesses and organizations operate in have become far more complex…
Increasingly sophisticated cyber threats are emerging every day, global uncertainty continues to rise, and regulators are constantly broadening their oversight in an effort to keep things under control. Today’s enterprises need modern governance, risk management, and compliance (GRC) software that is adaptive, integrated, and intuitive enough to meet these challenges head-on. For GRC 20/20’s Michael Rasmussen, the “Godfather of GRC”, LogicGate Risk Cloud is a top contender among those solutions. Explore Rasmussen’s report, “LogicGate Risk Cloud®: A Next-Generation GRC Management Platform,” to learn why Risk Cloud’s no-code interface, low cost of ownership, flexibility, and robust customer support services have earned it top marks in the eyes of one of GRC’s leading minds.11 Ways to Streamline SEC Cybersecurity Compliance with Risk Cloud
Ensure a smooth transition to new SEC cyber rules.
Explore a variety of different methods for bolstering your cyber risk program and keeping up with the new cybersecurity rules from the Securities and Exchange Commission. In this eBook, you’ll learn how to: Centralize risk assessment and incident data to improve disclosure timelines. Determine materiality and business impact of incidents through cyber risk quantification. Improve incident identification, response, and recovery. Enhance cyber risk governance and communication. And more!How to Communicate Cybersecurity Concerns to Executives and Employees
Find out how to enhance your cybersecurity communication skills and effectively convey cybersecurity concerns to executives and employees.
Watch LogicGate's Customer Success Manager, JD Bonnette, and a panel of experts discuss how to enhance your cybersecurity communication skills and effectively convey cybersecurity concerns to executives and employees, including: How to translate technical cybersecurity jargon into business-oriented language that resonates with executives Innovative methods for designing and implementing employee awareness programs that effectively communicate cybersecurity concerns Strategies for fostering a security-conscious culture throughout the organization Techniques for fostering collaborative relationships between cybersecurity teams, IT departments, and executivesAI & GRC: From Risky Business to Business Advantage
Hear from risk and cyber leaders with decades of combined experience leading teams at GEICO, Hewlett Packard Enterprise,…
The promise and potential of AI-powered enterprise technology – particularly in risk management – is high, but there are plenty of places where implementing this cutting-edge technology can go wrong. Hear from risk and cyber leaders with decades of combined experience leading teams at GEICO, Hewlett Packard Enterprise, and Legacy.com on how you can balance speed and safety as you integrate AI into your GRC program. You'll learn how to: Automate and inform manual tasks with generative AI Effectively and quickly analyze large datasets Move from reactive to proactive risk management with predictive analytics and deeper risk insightsBuilding the Business Case for Quantifying Cyber Risk
Cyber attacks are up 38% in the last year, and they’re getting more costly. Do you know how…
It's the cybersecurity question every executive, investor, and board member wants — and needs — to have answered: How much will it cost us if a particular cybersecurity risk materializes and causes a major breach, or worse, and how catastrophic could that loss be for our organization? How do you address that burning question when it’s your turn before the board? Learn to answer confidently using cyber risk quantification techniques in “Building the Business Case for Quantifying Cyber Risk.”Digital Operational Resilience Act
Empower teams to make preparing for and attaining DORA compliance a seamless, frustration-free process with automated controls and…
Empower teams to make preparing for and attaining DORA compliance a seamless, frustration-free process with automated controls and requirements mapping.Reactive to Proactive: TPRM Strategies From The Experts
Join us as experts from Vital4, Black Kite, and LogicGate discuss how risk, compliance, and security teams can…
Let’s face it. It’s time to raise the bar in terms of third-party risk management. As our networks grow at a rapid pace, our risk exposure grows at a rapid pace. It doesn’t have to be this way. Take a proactive approach, and ensure your program matures at a rate that always keeps you ahead. Listen as Tom Cecola, Director of Business Development at Vital4, Jeffrey Wheatman, SVP, Cyber Risk Evangelist at Black Kite, and Mack Sterr, Account Executive at LogicGate discuss how risk, compliance, and security teams can take the necessary steps to: Streamline and automate vendor onboarding Break down department silos for improved reporting and increased agility Identify, quantify, and take action on TPRM risk trends proactivelyBuilding a Roadmap for GRC Maturity at United Community Bank
United Community Bank wanted to take their risk program from under-developed to integrated. Here's how they're using LogicGate's…
Keeping Pace with Changing Regulations
Find out how automation will help you optimize your regulatory compliance program and keep up with changing regulatory…
Is trying to keep up with constantly changing banking regulations causing you a major headache? What if you didn’t have to worry about monitoring, or worse, missing every little change regulators make? That can become a reality with end-to-end automation of your regulatory compliance processes. Join us to hear experts from LogicGate, CUBE, United Community Bank, and JG Wentworth share tips for getting this critical job done. You’ll learn how to: Keep up with changing regulatory requirements with limited people resources and a growing workload. Improve internal compliance systems and processes to power growth and efficiency. Work through implementation anxiety to get the regtech system you need in place quickly and easily.A Deep-Dive into TPRM & NIST Framework Integration
Find out how to align your risk management processes against NIST requirements for Third-Party Risk Management.
Watch LogicGate's Senior Implementation Services Manager, Vince Dour, and a panel of experts discuss the specific security controls for third-party information security management and explain how to align risk management processes against these requirements, including how to: Prioritize and assess third-parties using a cyber supply chain risk assessment process Develop processes for continuously monitoring third-party security postures, and determining control effectiveness Identify security gaps and conduct response action plans with suppliers and third-party providers Track the progress of implementing the NIST framework through a 4-tier maturity scaleManaging Risk in Turbulent Times: Fireside Chat with SAP
Hear from LogicGate’s President of Product and Technology, Jay Jamison, and two risk leaders from SAP as they…
The highest inflation in 40 years? Rogue cybercrime groups crippling organizations’ entire operations? We could go on, but we’ll stop there and just face the facts: We’ve been facing some major global turbulence over the last few years. As risk leaders, it’s our job to make sure our businesses are resilient enough to withstand all of this, and whatever the future throws at us. Larn from LogicGate’s President of Product and Technology, Jay Jamison and SAP’s Keith McCarson and Kenur Talsania as they discuss proven strategies for ensuring risk teams are managing vulnerabilities effectively and remaining compliant, especially during times of such uncertainty and change.Shattering the Silicon Ceiling: Celebrating Women in Cyber Risk
Join us as we celebrate Women’s History Month with five women working at the pinnacle of the risk…
Join us as we celebrate Women’s History Month as LogicGate’s VP of Customer Success and Services brings together four women working at the pinnacle of the risk management and cybersecurity industry for a discussion on their journeys in cyber risk management, tips for navigating the ever-changing space, and advice for growing your own career. Join to hear from: Szuyin Leow, VP of Customer Success and Services, LogicGate Maryam Hamidirad, Head of Risk, Compliance, and Cybersecurity, FISPAN Rebecca Scalchas, Senior Analyst (Cyber Risk Operations), Hyatt Andrea Sherwood, Director, Cyber Security GRC Strategy, NBC Universal Praj Prayag, Director, Information Risk & Internal Controls, Horizon MediaKRIs for ERM: Developing Metrics for Managing Enterprise Risk
Anticipate risk events, make better risk decisions faster, and provide context for your decisions to key stakeholders with…
Not sure which risks need to be prioritized first? Having trouble getting leadership on board to support your risk management initiatives? Stuck in a reactive ERM stance, responding to risks as they emerge? Here’s the solution: Building effective key risk indicators. KRIs help you anticipate risk events, make better risk decisions faster, and provide context for your decisions to key stakeholders. Our new guide, “KRIs for ERM: Developing Metrics for Managing Enterprise Risk”, will teach you how to spin up your own KRIs, from the most basic dashboards all the way up to advanced automation techniques.Fireside Chat: Risk Surface Management Strategies for 2023
Join us to hear about important shifts in risk surface management and navigating vulnerabilities in the year ahead.
Join LogicGate’s CEO, Matt Kunkel, GRC Expert, Chris Patteson, and Black Kite’s CSO, Bob Maley, at an invite-only fireside discussion. We'll explore important shifts in risk surface management and navigating various vulnerabilities in the year ahead. Grab lunch, jump online, and get the rare chance to: Hear from three execs on 2023 risk surface protection trends Explore how resource-strapped teams can “do more with less” Discuss hot topics with industry peers and decision makersRisk Cloud® Platform Overview
Risk Cloud is a no-code governance, risk, and compliance platform that scales and adapts to your changing business…
Streamline and automate your governance, risk, and compliance (GRC) program with a no-code platform that scales with your changing business needs. With Risk Cloud, you can ditch the spreadsheets, avoid the complexities of old-school GRC solutions, and execute your risk strategy without compromise.The Root of the Compliance vs Security Paradox
Join us for a friendly debate on why compliance is so misunderstood and the critical role it plays…
We’ve all heard the argument that compliance doesn’t equate to security. It’s rooted in the fact that security leaders must go beyond “checking the compliance box” by broadly examining the risk surface and the various bad actors and threats we encounter. Regulations and frameworks just cannot keep up. So, no, just being compliant does not make a company secure. But here is where the paradox sets in, without compliance you also cannot be secure. This paradox is created because in discussions peers, pundits and others in the community do not discuss which type of compliance they are referring to when they discuss this topic. In compliance there are actually 3 types! Two little “c” and the BIG C. Here are the 3: Regulatory Compliance - really is just another risk as it relates to the potential of being fined for being non compliance Framework Compliance - This is part of the Big C compliance. Organizations select frameworks that help guide their compliance programs And finally the BIG C. The C in GRC, the organization’s entire compliance program Chris (Cpat) Patteson, GRC Expert, and Praj Prayag-Deb, Director, Information Risk & Internal Controls at Horizon Media, debated and discussed this “paradox” of compliance vs security, the importance of the BIG C, and why without Compliance you also cannot truly be secure. Tune in for tips on finding the right balance between compliance and security in your organization.Straight From a CISO: 4 Cyber Risk Priorities in 2023
Learn how to manage cyber risk during times of economic uncertainty.
Eliminate cyber risk blind spots in the new year. GRC Expert and Risk Wrangler, Chris Patteson, and Former CISO at Malwarebytes and DLL Group, Laura Whitt-Winyard, shared guidance for staying focused on managing cyber risk during times of economic uncertainty. You'll Learn How To: Do more with less across risk management teams Identify and prioritize risks with the largest impact Start translating cyber risk impact into financial terms Brace your team for inevitable change in 2023Horizon Media: Spinning Up a Cyber Risk Program from Square One
As a company grows, so does its responsibility for keeping its customers’ data and assets safe and secure.…
Connect, Optimize, and Scale Your Cyber Risk Management Program
Build a Centralized View of Assets, Risks & Cyber Controls
Cyber risk management is a team sport. Everyone, from the frontline employees to the CISO, has a responsibility to protect your organization’s data and assets. So, start doing more – with less – by building a centralized and connected cyber risk management program that streamlines, automates, and provides maximum visibility across the entire organization. Get a glimpse into the power of connected cyber risk management.Streamlining GRC Controls to Optimize Cybersecurity
Find out how to take a proactive, connected approach to your cybersecurity risk management processes.
Looking to level up your cybersecurity program? LogicGate’s GRC Content & Strategy Senior Associate, Elli Sullivan, and a panel of industry experts sat down to discuss how optimizing cybersecurity risk management processes enables leaders to determine what investments best reduce risk. Check out the recording to learn how to: Simplify GRC and security operations by reducing the number of controls your organization has to deal with Develop a set of controls baselined to the internal and external requirements that your organization needs to meet And more!Enriching Third-Party Risk Processes with Targeted Risk Intelligence
Find out how to incorporate targeted risk intelligence and enrich your Third-Party Risk Management program.
Looking to level up your TPRM program? LogicGate Relationship Manager, Ashley Reece, and a panel of industry experts sat down to discuss how targeted risk intelligence and automated data feeds can enable you to recognize and respond to risk sooner, and increase operational resilience. Check out the recording to learn how to: Identify and prioritize the gaps in your security posture Link data feeds to your TPRM platform and enable real-time visibility Automatically validate information provided in risk assessments And more!Risk Cloud® Platform Accessibility
Building a culture of risk starts with platform accessibility.
It is important to LogicGate that any user of Risk Cloud can use the platform comfortably and contribute equally to their GRC program goals. That's why we are currently working towards compliance (Section 508 and ADA Act regulations) for our end-user experience within Risk Cloud. Learn more about our accessibility efforts by downloading this brochure.How Risk Cloud®️ Unites Privacy and Security Teams Using One Collaborative Platform
Security and privacy management is a team sport. Download our ebook to learn how the right strategy and…
Security and privacy management is a team sport. Download our ebook to learn how the right strategy and tools can help you unify security and privacy teams and build an integrated risk and compliance program.Cyber Risk & Controls Compliance Solution
Prioritize cyber risk mitigation and response with Risk Cloud’s® Cyber Risk & Controls Compliance Solution.
Prioritize cyber risk mitigation and response with Risk Cloud’s® Cyber Risk & Controls Compliance Solution. Risk Cloud helps you link cyber risk to business impact, so you can add context to any risk decision by reporting what matters most to your stakeholders.How Risk Cloud's Intuitive Interface Simplifies The Change Management Experience
During a fireside chat, Edwin Ng, Associate Vice President of Cyber Security at Hyatt, talks about his team's…
During a fireside chat, Edwin Ng, Associate Vice President of Cyber Security at Hyatt, talks about his team's experience of implementing Risk Cloud. Do you want to see this "intuitive interface" for yourself? Request a demo today!Panel Discussion: GRC Trends in Banking
Learn how to navigate the regulated landscape of banking through first-hand advice and stories from senior governance, risk,…
The risk and compliance landscape for banks is complicated. Learn how to navigate the regulated landscape of banking through first-hand advice and stories from senior governance, risk, and compliance (GRC) leaders at three banks. Panelists: Laura Buckley, SVP Tech Risk & Compliance at Cadence Bank Ron Fox, Chief Compliance Officer at United Community Bank Jake VanDaalwyk, SVP, Director of ERM and Corporate Risk Strategy at Associated Bank Moderated by Patti Struble, Customer Success Manager at LogicGate, the panelists share methodologies and tactics for maturing, scaling, and automating your bank’s governance, risk, and compliance (GRC) program. Watch now to learn about: Solving for new regulatory requirements resulting from growth and expansion Risk & compliance trends in banking How they plan to integrate, automate, and mature their banks’ GRC programsHow Texas Mutual Improved Their Third-Party Risk Management Experience
In this excerpt from the GRC & Me podcast, Stephen Crouch, Senior Financial Risk Analyst at Texas Mutual…
Preparing For The Unknown: How Hyatt’s Cybersecurity Team (successfully) Navigated COVID-19
Enjoy a casual discussion between LogicGate’s CEO, Matt Kunkel, and Hyatt’s Associate Vice President of Cybersecurity, Edwin Ng,…
Enjoy a casual discussion between LogicGate’s CEO, Matt Kunkel, and Hyatt’s Associate Vice President of Cybersecurity, Edwin Ng, about successfully navigating turbulent times with the help of a holistic risk management program. Watch now to learn: How Edwin’s team at Hyatt has modernized their approach to risk management How the Cybersecurity and GRC teams at Hyatt pivoted during the rise of COVID-19 implementing new precautions and strategies How their risk management programs helped them operate quickly and effectively during a time of unprecedented change How Hyatt’s GRC strategy prepares them for future changes and obstaclesEquiniti's Journey to a Connected Risk Program
Learn more about their story and how they use Risk Cloud to grow and scale as changes arise,…
[Webinar] Optimizing Controls to Mitigate Cybersecurity Risks
In this webinar with LogicGate and ITGRC you will learn how to optimize your cybersecurity program using personnel…
Speakers: Colin Whittaker & Andrew Egoroff, ProcessUnity; Dirk Schrader, Netwrix; Henry Jiang, Diligent; and Ashley Arkfeld, LogicGate. No matter how mature a cybersecurity program is, there always remains room for improvement. Digital transformation continually expands the scope of IT processes, and organizations continue to grapple with resource, staffing, and skill challenges. On this webinar, we’ll address how to augment staff expertise and resources with automation and continuous control assessments, enabling IT auditors and risk managers to work smarter and: Enhance security architecture to improve how segmentation is structured or controls are designed Use technology to automate, reduce human error, and focus your team on more strategic areas Reduce the time you need to keep up with risk assessments and meet compliance goals Optimize SOC processes and simplify risk initiatives View WebinarTeaming Up to Solve Third-Party Risk: How to Plan When You Don’t Know What You Don’t Know
Vendor risks aren’t slowing down. You shouldn’t either. Learn how to manage your third parties better.
69% of Enterprise Risk Decision-Makers Reveal that Their Third-Party Risk Program is Manual. You know that third-party relationships play a crucial role in your business’s success. Every third-party relationship you have represents increased exposure for data and privacy risks. Managing this important information manually is not a risk worth taking. This eBook will help you discover a better, more efficient way to manage third-party relationships without exposing your organization to reputational and/or operational risks. Also… Tips on how to build a robust third-party risk management (TPRM) program that connects all the dots Advice on how to make risk a team sport within your organization Insight into what an interconnected risk program looks like and how to make that your realityRisk Cloud Documents™
Automate your documentation and reporting processes.
Tired of wasting time formatting reports? Generate custom-branded templates and reports in PDF, Word, Powerpoint, or Excel format in just a couple of clicks with Risk Cloud Documents.How to Make Your Work Life Exponentially Easier With a Holistic GRC Program
If you want your GRC engine to run smoothly, you need to look at systems holistically. Create a…
You're probably here because "GRC as usual" isn't really working for you and you're hoping there's a better way. We get it. And you've come to the right place. When we say holistic GRC we're talking about finding a program that helps your business operate at optimum speed and efficiency. Sounds pretty nice, right? Download our holistic GRC eBook to: Discover what holistic GRC looks like in action (with real-life examples) Learn how making risk management a “team sport” is better for everyone in the company Break down silos and streamline audits by incorporating them into your GRC program Don't have time to read the eBook? Don't worry, we created an audiobook version (included in the download), too! Download NowInternal Audit: Finding Efficiencies through Analytics
Learn how the internal audit team strengthened their data analytics capabilities and automated their internal audit process to…
Fine-Tune Your Audit Process. Cancel Audit Stress.
With the Right Platform, You’ll Love Conducting Audits. (Or at Least Dread Them a Little Less.)
We’re just gonna say it. Audits get a bad rap. Yes, they can be tedious, time-consuming, and may cause you to pull out your hair and grind your teeth. But that might be because your audit platform isn’t carrying its weight. Risk Cloud® helps you automate and streamline your audit processes, breaking down silos so you have all the documents, processes, and compliance regulations you need in one place. With this holistic GRC tool, you can customize processes, generate reports in one click, and perform due diligence with precision and speed. So relax your jaw, stop yanking out your hair, and check out our infographic to see audits in a whole new light.2021: A (WILD) Year In Review
You liked it. Watched it. Or tried it out. Take a look at our year-end roundup!
2021 was another wild ride. But together, we transformed the twists and turns into some exciting headways. Catch up on the can’t-miss products, hot resources, and customer wins in our year-in-review infographic. Get a snapshot of the big moments — plus, preview what’s in store for 2022.LogicGate Recognized in the Gartner® Market Guide for the Second Consecutive Year
LogicGate is one of 13 vendors to to be named a Representative Vendor in the November 2021 Gartner®…
We're sorry, this resource is no longer available. Check out the following resources instead: How to Make Your Work Life Exponentially Easier With a Holistic GRC Program What is Third-Party Risk? The Definitive Guide to Risk Quantification We’re thrilled to share that for the second consecutive year, we have been named a Representative Vendor in the November 2021 Gartner® Market Guide for Third-Party Risk Management Solutions for Compliance! We think this is pretty cool! The report found that, “The marketplace for compliance third party risk management (TPRM) solutions remains highly fragmented, leaving companies with as many options as compromises in their search for a best-fit foundational solution.” Which we interpret as: it’s hard to find a dependable TPRM solution that’s meeting the full needs of users. As one of 13 Representative Vendors included in the Market Guide, we believe we are recognized for achieving marketing visibility and traction and representing the collaborative work management market as a whole. DISCLAIMER: Gartner, Market Guide for Third-Party Risk Management Solutions for Compliance, 13 December 2021, Nicholas Sworek, Zack Hutto GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.Risk Quantification 101: Communicate Risk in Dollars and Cents
In this webinar, LogicGate and Protiviti will explore the fundamentals of risk quantification and highlight how the practice…
Speakers: Mark Tattersall, LogicGate, George Quinlan, Protiviti View Webinar You need a way to effectively communicate risk with key stakeholders. By converting risk into a common language that everyone in the organization can speak, dollars and cents, quantification puts risk into perspective and ensures it’s taken into account from the top down. Access the webinar and watch as Mark Tattersall, VP of Product Management at LogicGate, and George Quinlan, Risk Quantification expert from Protiviti, dive into the foundation of risk quantification and its ability to transform your risk program. On this webinar, you'll explore: - The shortcomings of past risk communication practices - How risk quantification works - Tips for introducing risk at your organizationRisk Cloud Quantify®
Translate risk into financial values.
Quantify and communicate risk in the language every stakeholder understands — money. Risk Cloud Quantify® enhances traditional quantification techniques with Monte Carlo simulations and supports the Open FAIR™ Model. From cyber risk to enterprise risk, we’ll help you communicate risk with clarity and confidence.Risk Cloud Exchange™
All the Applications, integrations, and guidance you need to scale and mature your governance, risk, and compliance program.
Explore how you can level-up your risk management program with Risk Cloud Exchange.The Definitive Guide to Risk Quantification
Validate decisions, see into the future, and start presenting risk in a language your organization understands—money.
Risk can be a confusing topic, summarized in heatmaps with low, medium, and high as the most accurate indicators. While valuable to GRC pros, it’s only a small piece of the puzzle. And, more importantly, it’s decidedly not speaking the same language as the rest of the organization. Risk professionals can now claim their seat at the table with risk quantification. Learn the fundamentals of risk quantification, what to look for in a solution, and how you can set your organization apart. Download Now[Webinar] Strategies to Turn Risk Into an Opportunity for Business Growth
On this panel discussion webinar we will address some of the key steps your organization can take to…
Speakers from: LogicGate, ThreatConnect, Proofpoint, MetricStream A strong proactive risk management culture enables an organization to be more nimble, adaptable, and change-ready. On this panel discussion webinar we will address some of the key steps your organization can take to strengthen your risk management culture now and fuel business growth, including how to: Ask the right questions to accurately assess the risks and put plans and controls in place to mitigate them. Drive enterprise-wide accountability to break down silos. Give your employees appropriate training to enable them to take ownership of risks and identify and manage them more effectively. Develop communications plans for when events negatively affect perception of your organization. Leverage the opportunities that align to your strategic goals. View WebinarLogicGate® Receives Honorable Mention in 2021 Gartner® Magic Quadrant™ for IT Vendor Risk Management Tools
Get an unbiased overview of the IT Vendor Risk Management market in 2021 Gartner® Magic Quadrant™ for IT…
Read the full Gartner® Magic Quadrant™ report to learn: A third-party, unbiased evaluation of each vendor A uniform set of evaluation criteria — so you can easily compare IT Vendor Risk Management Tools Insight into the significant movements in this growing and dynamic market Gartner®, Magic Quadrant™ for IT Vendor Risk Management Tools, Joanne Spencer, Edward Weinstein, Luke Ellery 30 August 2021 We are thrilled to receive honorable mention in this report. Risk Cloud® is a cloud-based platform with a suite of risk management Applications that transforms the way businesses approach their governance, risk, and compliance programs. By combining expansive GRC content and expertise with a progressive and flexible platform, anyone can create a holistic and evolving market leading risk program. The Gartner® document is available upon request from LogicGate®. Gartner® does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner® research publications consist of the opinions of Gartner®’s research organization and should not be construed as statements of fact. Gartner® disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner® and Magic Quadrant™ are registered trademarks of Gartner®, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.Automate Your GRC Document Generation with Risk Cloud Documents
Are you spending hours manually creating your audit reports, policy documents, or incident management memos? With Risk Cloud…
Are you spending hours manually creating your audit reports, policy documents, or incident management memos? With Risk Cloud Documents, this process can be totally automated! Use our out-of-the-box document templates or build your own fully customized templates that match your organization's brand guidelines. Risk Cloud takes your selected data from multiple workflows and instantly merges it with your template, generating a customized report in seconds! This report can be exported in file formats like PDF, Word, PowerPoint, and Excel! No more copy-and-pasting information across systems to manually create documents. Spend time doing the work and let Risk Cloud create the reports. Save time, reduce risk, and create beautiful reports with Risk Cloud Documents.Roadblocks on the Path to Operational Resilience
Use this guide to help you navigate your path to operational resilience.
The path to operational resilience is not always easy, there may be roadblocks that present themselves, but according to the 190 respondents from LogicGate’s 2021 Risk Management Survey, risk leaders agree—achieving operational resilience is a must. Download our infographic to help you navigate your path to operational resilience: Download Now6 Steps to Find the Right GRC Solution for Your Organization
Use these 6 steps to help you select the right GRC solution for your organization that fits in…
There's a lot that goes into finding the right GRC solution for your organization especially when you want to make sure it works well with your existing tech stack. Download our infographic and see our six steps to help you evaluate potential solutions and determine if they are the right fit for your organization: Download NowGRC Today: Risk Renaissance
Matt Kunkel, CEO & Co-founder of LogicGate, chats with Principal GRC Architect, Dustin Owens, about the recent Risk…
GRC & Me Podcast: Exploring Risk Cloud Exchange
After a short break, GRC Today is back with a special episode highlighting the Season 3 premiere of…
Listen to the full episode at podcast.logicgate.com[Live Demo]: The Power of Reporting Insight & Data Visualization in LogicGate’s Risk Cloud
Whether it’s staying on top of a staff analyst’s upcoming deadline or displaying concise cost-saving metrics to an…
In this webinar, we’ll provide an overview of the reporting capabilities within LogicGate’s Risk Cloud. The objective of this session is twofold. First, we will showcase the intuitive report builder which empowers teams to build their own metrics and key performance indicators from the information captured in Risk Cloud. Then, we will highlight valuable reports and dashboards that are frequently used by LogicGate customers in quarterly board meetings. Learn how to glean reporting insights through connected applications. For example, let’s say two separate teams are managing Assets and Controls in the Risk Cloud platform. By establishing a connection between Assets & Controls, this allows for consolidated reports whereby control gaps or remediation plans can be prioritized by asset criticality. Control owners can efficiently coordinate a mitigation plan with the corresponding asset owner. View WebinarLife With a Modern GRC Solution
Risk leaders know their risk management solution is vital to their organizations, but many (almost 50%) say their…
We’re not here to tell you how important risk management is to your organization. You already know that. But if your GRC solution is unreliable and requires a lot of manual work, it can hold your organization back from being proactive and agile when assessing and navigating emerging risks. Fortunately, it’s possible to revitalize your risk management processes and see new opportunities open up around you. With a modern GRC approach and a trusted risk strategy partner, your organization can become nimble in the face of new challenges. Download our infographic to see what life can be like with and without a modern GRC solution: View The InforgraphicOperational Resilience: The New Paradigm for Risk
We asked 190 risk professionals what they’re concerned about, what they’re focusing on in 2021, and how they’re…
No matter the industry, no matter the company size, no matter the location—risk leaders were forced to quickly adjust to a massively evolving landscape in 2020. Did they adapt and keep up with the new challenges being thrown at them? How did they do it? And what are they doing differently now? We asked and 190 risk professionals answered. They shared with us what they’re concerned about, what they’re focusing on in 2021, and how they’re feeling about their risk programs. Download NowGRC Today Episode 4: "Health Days" vs "Sick Days"
On this episode of GRC Today, Matt talks about "Health Days" and why the LogicGate team added them…
On this episode of GRC Today, Matt talks about "Health Days" and why the LogicGate team added them to the employee benefits package. Matt also shares a personal story about how a recent Health Day helped him come back to work more focused. Do you want to join the LogicGate team? See what positions are open right now: https://www.logicgate.com/about-us/join-the-team/GRC Today Episode 2: How Core Values Shape Company Culture
In this episode of GRC Today, Matt Kunkel discusses the importance of core values, how they influence the…
When you talk about a company's "culture," you're really talking about their core values. In this episode of GRC Today, Matt discusses the importance of core values, how they influence the day-to-day operations at LogicGate, and shares some tips on how you can use core values to empower your employees. This web series, hosted by LogicGate co-founder and CEO Matt Kunkel, will discuss all things related to governance, risk, and compliance, as well as feature tips and takeaways from Matt on a variety of topics including leadership, company culture, and values.2020 Year in Review
Check out LogicGate's most popular resources from 2020!
Join LogicGate in revisiting your favorite podcast, blog, success story, and more from this year, and see how Risk Cloud users transformed their risk management programs with the 2020 LogicGate Risk Cloud Year in Review Infographic. Download NowLogicGate and Ziff Davis: From Legacy System to Intuitive Internal Audit
Find out why the LogicGate Risk Cloud was the right choice for Ziff Davis' Internal Audit initiatives
LogicGate Named in 2020 Gartner Magic Quadrant for IT Vendor Risk Management Tools
Get an unbiased overview of the IT Vendor Risk Management market in Gartner’s 2020 Magic Quadrant for IT…
Read the full Gartner Magic Quadrant report to learn: A third-party, unbiased evaluation of each vendor A uniform set of evaluation criteria – so you can easily compare IT Vendor Risk Management Tools Insight into the significant movements in this growing and dynamic market Gartner, Magic Quadrant for IT Vendor Risk Management Tools, Joanne Spencer, Edward Weinstein, 24 August 2020 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from LogicGate. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.Proactive Risk Management: Transform Your Risk Strategy
In this infographic we share the benefits of transforming your risk strategy from reactive to proactive, and what…
Click here to download the PDF version.Top 4 Takeaways from Agility 2020
Whether you attended every session or didn’t attend, we wanted to share the top 4 biggest takeaways that…
Click here to download the PDF version.GRC & Me Podcast: How LogicGate Uses The LogicGate Risk Cloud
A simple question — “why?” — jumpstarted Heath Anderson’s journey with governance, risk, and compliance (GRC). Today, he’s…
LogicGate's Origin Story
Hear from our three co-founders (Matt Kunkel, Jon Siegler and Dan Campbell) talk about LogicGate's humble beginnings, what…
Hear from our three co-founders (Matt Kunkel, Jon Siegler and Dan Campbell) talk about LogicGate's humble beginnings, what sparked the idea of a flexible, easy-to-use GRC platform and the company's rapid growth.A Rock 'N' Roll Company Culture
LogicGate's Chief Revenue Officer, Karry Kleeman, speaks candidly about why he starts a rock band at every company…
Watch the video above to learn more about LogicGate's Chief Revenue Officer, Karry Kleeman, and the LogicGate culture as a whole![Video] Incident Management with Risk Cloud
LogicGate offers one central entry point for all reported incidents. Incidents across the organization and across geographies have…
The Risk Cloud™️ offers one central entry point for all reported incidents. Incidents across the organization and across geographies have a solitary, automated process to manage reported incidents and related activities. Video Transcript: At many companies, incidents just cause confusion. When they occur, managers are left asking: Who owns it? Was it closed? What should we prioritize? What’s even going on? It’s easy to see why. Usually it’s because the incident was submitted through e-mail or some other unsystematic way, leaving managers with no easy way to view all reported incidents in one spot—let alone the assets and controls they’re linked to. All of the tracking, linking, and resolution activities simply can’t be properly captured without a solid system. Imagine these issues at scale! If managing one incident is hard, managing incidents across divisions and geographies is a nightmare. Here’s a typical scenario. A data breach gets logged The dev team just closes it out, not giving it much thought. Little did they know, the breach is tied to data privacy regulations and reporting needs. If these aren’t followed up upon, they can cause problems such as major fines down the road—all because they didn’t communicate the incident to the right people, at the right time. Don’t let this happen to your company. Before your incidents lead to more...incidents...look to LogicGate. LogicGate offers one central entry point for all reported incidents. Incidents across the organization and across geographies have a solitary process to manage reported incidents and related activities, including the ability to prioritize them by severity rating. Incidents get automatically routed to different groups for action based on what is being reported. From the platform, incidents can be linked to other processes such as regulatory reviews, policies and procedures, vendors, and audits. In one report, you can see how all your incidents are tied to all of your compliance programs. You’ll also be able to put the right process in place so your incidents are resolved according to your company’s service level agreements. Use the conditional workflow builder to route incidents to the appropriate parties, set up notifications, and meet those SLAs. Incidents can be escalated to different roles and groups. Required fields in the LogicGate form builder ensures you capture the information you need. With your process configured, resolution activities and responsible parties can be easily reported on. Productivity reporting helps you identify bottlenecks within your process, so you can allocate time, training, and resources effectively. With standardized incident metrics at your fingertips, you’ll have the vision and understanding to make the right decisions at a large scale. Stop tracking incidents in different places, with different methods, and through different people. Put an incident plan in place. Make better decisions. Look to LogicGate.Risk Cloud® Integrations
Integrate and optimize your risk and compliance program with 100s of integration capabilities insides Risk Cloud
Unlock the full power of your tech stack and gain better visibility into business risk with native and custom integrations from LogicGate Risk Cloud. We’ll help you bring all of your governance, risk, and compliance processes into one, connected ecosystem so you can save time and maximize value from your tech investments.[Video] Compliance Management with Risk Cloud
With LogicGate's Compliance Management solution, you'll keep your team in sync, on top of tasks, and ahead of…
With The Risk Cloud™️ Compliance Management solution, you'll keep your team in sync, on top of tasks, and ahead of deadlines. Video Transcript: Compliance tasks have a funny habit of slipping through the cracks. Do the following sound like your company? Compliance duties are spread throughout your business, and come due at different times of the year Employees don’t have a central place where they can keep track of all their requirements, status updates, and owners—if they know who is responsible for them in the first place. You fear missing a compliance deadline because it will impact the business and your job Deadlines become fire drills: owners chase people through email, phone, smoke signal—whatever it takes to get their sign-off. With LogicGate, you can escape the compliance confusion spiral and your fear of missing a deadline. The platform pulls all compliance tasks into one central system. Task owners can set automatic email reminders and task notifications based on predetermined frequencies, so assigned stakeholders are kept in the loop and held accountable. All parties understand task statuses, from the time they’re generated to the time they’re completed. Within the LogicGate Reporting Suite, managers can take a step back and check on the overall status of the compliance program. Here, they’ll get the big-picture snapshot of tasks, organized by status, owner, and when they are due. From automated notifications to monthly reports, LogicGate puts you in the cockpit of your compliance program. Request a demo today.Assessing the Costs and Benefits of ERM: An Inquisition
Every project must be analyzed from both cost and benefit perspectives, and building a technology-enabled ERM program is…
This eBook offers clarity by prescribing not a precise method for calculations, but rather the right questions executives need to ask before embarking on the project. Download the eBook and learn how to: Articulate a strategy for your ERM program Bring the right stakeholders to the table Understand the non-monetary costs and benefits of an ERM program Sell the program to board members and executives Understand how The Risk Cloud™️ can power your long-term strategy Much more[Video] Questions to Ask Your GRC Software Provider
Are you asking the right questions of your GRC vendor? You should be demanding the features and benefits…
Are you asking the right questions of your GRC vendor? You should demand the features and benefits that will make your program and people as effective as they can be—today, and well into the future. Video Transcript: Are you asking the right questions of your GRC vendor? You should be demanding the features and benefits that will make your program and people as effective as they can be. Let’s look at some examples. With LogicGate, you can start with our industry-standard best practice templates. You can then configure them with our visual workflow builder to align with your company’s unique process, complete with custom fields and assigned user roles. But the power of LogicGate doesn’t end there. Say you start with your control audit process against SOC2 and ISO 27002 requirements. With LogicGate, these automatically map together through the Secure Controls Framework. No manual mapping required. Now let’s fast forward a few months. Let’s say you’re getting close to signing a large contract with the government. Your organization needs to meet NIST 800-53 requirements to demonstrate FISMA compliance in order to move forward with the contract. Now what? You’ll want to link that framework to SOC2 and ISO 27002 to accelerate this process. With LogicGate, you can easily add these frameworks to your program and report on your compliance coverage. It’s also no sweat to change and adjust your existing data structure over time. This means you can start with the data structure you have, and look to the future with confidence knowing you’ll be able to add to and customize your program as it evolves. The same goes every time your team needs to add in a new application. What happens when you need to find the different activities associated with each framework, such as a control evaluation, risk, exception, or policy? With most GRC vendors, you might need to work backward through ISO, SOC2, and the Secure Controls Framework just to find an item. That’s a lot of extra clicking. Why not go straight to it? With LogicGate, you can. In the LogicGate platform, you can start anywhere within your data structure and find the information that it’s linked to. For example, you can go directly to a SOC2 or ISO requirement and see every activity or asset that’s associated with it, such as a policy, exception, risk, system, internal control, or evidence you have gathered. No more endless clicking through various record hierarchies just to get to the information you need. Are you asking whether your GRC vendor can do these things? If so, are you asking how much it will cost? What about how long it will take? How easy is it to actually perform them? With LogicGate, you get a flexible platform that’s ready to grow and adapt with your program—whatever the future holds.Team Select and LogicGate: Managing Change
Find out why LogicGate was just the tool Team Select Home Care needed to achieve its Compliance goals.
[Video] Controls Management with Risk Cloud
LogicGate’s software provides full visibility of your controls in one responsive toolkit.
The Risk Cloud™️ platform provides full visibility of your controls in one responsive toolkit. Video Transcript: Do your company’s risks, controls, and control assessments live in one place? Or do you have to search for them every time you need them? Does it vacuum up valuable time and energy that could be better spent elsewhere? LogicGate’s Controls Management Solution gives your Risk and Control Owners a break from the disorganized mess of spreadsheets, email, and documents. With LogicGate, they’ll be working from one central hub, where they’ll work from industry standard control frameworks or your internally developed control sets. They won’t have to leave LogicGate to manage control activities. Your team will monitor controls assessments, gather evidence, and much more, right in the platform. They’ll seamlessly collaborate and share information, such as tracking findings or triggering automatic emails when an assessment is kicked off. When the right people are notified of updates in the moment, they’ll always be working with the correct, most current information. No more emailing back-and-forth or duplicating work. Since the entire program lives in one place, owners can easily monitor assessment performance over time. They’ll be able to measure control effectiveness and find deficiencies in order to make sure the right work is being done on schedule. If control gaps are found, they can initiate corrective action workflows to ensure steps are taken to address the deficiencies. Your tasks, questionnaires, and reminder notifications, all customized to match your unique process and keep owners accountable. It’s time to take control over your controls. Request a demo today.Controls Compliance Solution
Automate and Scale Your Controls Compliance Program
Avoid control redundancy, automate tedious workflows, and improve program efficiency by dynamically linking risks, controls, evaluations, and evidence in one platform. Risk Cloud® includes dozens of industry-standard frameworks to help you build a connected and automated control management program that scales.[Video] Policy & Procedure Management with Risk Cloud
LogicGate's Policy Management Software gives you the power to automate routine compliance activities. It's like having a personal…
The Risk Cloud™️ for Policy Management gives you the power to automate routine compliance activities. It's like having a personal assistant to help manage your mission-critical risks. Video Transcript: Every company has standard Policies and Procedures, but often they cause something else: PROBLEMS. Policies are important, of course. They keep the company on the right track—but managing these rules is usually easier said than done. Why is this? For one, employees may not all be working from the same policy information. Second, the policy drafting, review, and approval steps may not be standardized across functions—creating a patchwork of inconsistent guidelines. Then once policies are established, they’re scattered in difficult-to-find places, leaving employees in the lurch when they need them the most. It doesn’t have to be this way. LogicGate’s Policy and Procedure management platform pulls your company’s polici into one central platform. Employees only access the most current policy versions that will be used across all business units and processes. When policies are updated, they’re updated everywhere—so your Regulatory, Controls, Compliance, and Risk teams all have their eyes on the right information. Creating new policies begins with a standard, streamlined workflow, from initial drafting to final approvals. Quickly add employee attestation steps to make sure the right people are in-the-know. Create custom tags and unique field captures using our drag-and-drop form builder, so your end users can quickly access and complete their work. You can set also automatic reminders to ensure policies get reviewed on a periodic basis. That’s LogicGate’s Policy and Procedure Management Platform. Request a demo today.GRC & Me Podcast: Terri Sands - Risk and Compliance in Finance
In this episode, Kelley talks with Terri Sands, founder of Secura Risk Management. Terri shares her thoughts on…
EPISODE NOTES Top 3 Takeaways It's tough to keep up without good technology Transparency between parties is difficult in the financial industry A single point of failure can also be a single point of fraud Show Highlights: [02:50] Risk management challenges for smaller financial institutions [07:13] The significant irony in financial institutions [09:01] What Terri brings to the table [10:50] Creating a culture of risk awareness [12:24] Reactive planning versus strategy planning [14:25] The shift Terri has seen [15:32] The unfortunate indicator [16:45] Terri's opinion on banks reducing their operational costs [19:43] One challenging area in heavily-regulated organizations [21:37] What works and what doesn't for acquired financial institutions [25:03] More tips for acquiring financial institutions [26:49] Guilty by association [27:59] Wrapping up with the most shocking fraud story Resources: Secura Risk Management Website Connect with Terri on LinkedIn Connect with Terri on Twitter Ozark Show Episode Transcript HOST KELLEY SPAKOWSKI: I'm going to get us started with a quick tip. Today is actually around data privacy, it's actually two tips to get you started. First, learn about your data sources. Find out where and how long it is being stored and how it's being used. Then, develop a consent policy to process personal data and acquire consent from customers. TERRI SANDS: It's calm water if your strategizing, and you're doing different things like that to plan, rather than to be reactive and wait for an external auditor or even worse, a regulator, tell you that you are inefficient, or you have this reputational risk because you did not know that you were dealing in a world of spreadsheets, and because you were so busy there, you missed the big thing that caused a data breach, or reputational damage. KS: Hi, I'm Kelley Spakowski, and this is GRC and Me. A podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry specific challenges, trends, and more, to learn about their methods, solutions, and outlook in the space. Here with me today, to discuss risk and compliance in finance is Terri Sands, founder of Secure Risk Management. Secure is a boutique consulting firm, and membership organization that works closely with financial institutions, many of them small banks and credit unions to safely change with growing technology and regulatory requirements. So, thank you for joining me, Terri. I really appreciate you being here. TS: Thank you for having me. KS: We actually met at one of your membership forums. It was awesome. You hosted it in Lake Oconee, am I saying that right? TS: Absolutely. KS: Lake Oconee, Georgia. It was awesome, at a really nice Ritz on a lake there, very quiet. I can't wait to go back. While I was there, I just, I instantly knew I wanted to have you join me on GRC and Me, because you have such a great pulse on the day-to-day challenges in community banking, as well as, the big picture priorities, so you're really able to build a solution approach that is both top-down and bottom-up that drives meaningful change. So, I'm really excited to chat with you about some of your insights in banking. TS: Thank you. KS: So, Terri, you are training many regulatory agencies on payments risk, anti-money laundering practices, enterprise risk and fraud mitigation. What challenges do smaller financial institutions have in their risk management programs? TS: Well, there's a few. The transparency between parties is tough with financial institutions. You have the first, second, and third lines of defense, and because of old habits, there might be a siloed area here, and a siloed area here. Senior management or executive management may not have the transparency that they think they have, so you may have different lines of businesses doing duplicate processes, duplicate workflows, or doing things that do not make sense, but because they're so siloed it's tough. And certainly technology, and what you guys offer, kind of bring that together. The other thing is, it's difficult to keep up with all the regulatory requirements with few people. I work with a lot of smaller financial institutions, but I also see this in good sized financial institutions, where you have like, one person. One person is the BSA Officer, they're also the IT Security Officer, and then they head up Deposit Operations, and Electronic Banking. And so, you have that dynamic where one person is trying to do everything without technology. A lot of times without good technology. And then they're over the first line of defense employees that are trying to keep up with all the regulatory requirements. And so, if you think about some of these regulatory requirements, whether it's regulation E, or whatever regulatory requirement it is, you've got all these deadlines. You've got 10 days, 45 days. If you're trying to keep up with policies or procedures, you update them annually, who owns it, where your risk assessment here. So, it's really tough, and so, without good technology it's really hard, and especially in the world in which we live today with all the fraud that happens. The fraudsters are trying to get to the financial institutions, because they hold the assets. They're holding the money. Then you have that dynamic. So, it's tough to keep up with everything without good technology. And the struggles that we see are data. The inability, or unwillingness to use data to predict future strategies. So, data is another one, and probably the last thing that we see most of, and probably the number one challenge is the usage of spreadsheets, and other inefficiencies. It's kind of using a spreadsheet to enter information, which is tedious. So, financial institutions, they find themselves in these precarious situations with understanding how they have so much risk, "Where did all this risk come from?" Because it's basically, they're spending more time on preparing the data than monitoring and evaluating, and really managing the risks. It's this habit forming spreadsheet world, Kelley, that's when I actually approached LogicGate. I did the demo because I was a big fan of it, because it's simple, it's not overwhelming, and it truly is user-friendly. And the ability for risk management to be better managed through rules based technology is a plus, because it's really hard with all the things that you have to do to also have to prepare to monitor, prepare to do these things. So, technology adds that layer of support. It's like having a virtual employee. So, I like LogicGate, is truly a great resource for smaller financial institutions. KS: Yeah, I appreciate that. One of the things that I thought was really interesting is, a lot of the folks I met at your forum who are performing these functions at these banks and credit unions, this is just one element of their job. They're wearing so many different hats. So, I can't imagine, if I had to go to a spreadsheet to aggregate or manipulate this data, or gather it, that would be totally on the bottom of my list of things to do. TS: Right, exactly. KS: At the end of the day, because that's just not the fun work. It's really tedious, so I hear you, and I agree. In your opinion, is it difficult for these financial institutions to become efficient when there are so many fintech companies to choose from now? TS: Here's the thing, and I talk to so many financial institutions about this, it's overwhelming. I put myself in their shoes, and you've got to think about all the technology companies that are approaching financial institutions, "We can do this for this, and we can do this for this." So, you've got that coupled with the fact that, kind of going back to one of the challenges is, that's not my only job. Sometimes, I've seen with financial institutions, that they're so busy with inefficiencies, they don't have time to be efficient. So, the irony here is significant. Unfortunately, some financial institutions learn of significant inefficiencies through regulatory scrutiny. Sometimes it's the reactive piece of them. They wait, because they think everything is fine, until a regulator comes along, and whether it's a consent order, or almost a consent order, or a super bad audit, they're basically finding themselves having to deficient staffing models. Or, they have good people who simply leave because the environment is so overwhelmingly inefficient that they can't continue in that type of environment. Truly, the problem solver is education, things like this. And also, it's calm water if you're strategizing, and you're doing different things like that to plan, rather than to be reactive and wait for an external auditor, or even worse, a regulator, tell you that you are inefficient, or you have this reputational risk because you did not know that you were dealing a world of spreadsheets, and because you were so busy there you missed the big thing that caused a data breach, or other reputational damage. It's really bringing fintech companies, and that's what we love doing, is bringing fintech companies that make sense, to financial institutions. And especially with us, we deal with a lot of smaller financial institutions, but bringing that good technology to a financial institution to say, "This will solve your problem," and that's what I love doing so much. And then when you put really good technology into a financial institution, and they start working it, it's just like, "Why didn't we do this sooner?" Because then, that's when you learn the regulation. When you have the technology helping you keep up and do the enterprise risk management, and do all that, that's when people learn the content. So, it's always really interesting with this, but again, that's the challenge, and quite frankly, the other thing is asking the question, who at the financial institution is going to ask the question, "What takes you the longest to do? What is the most difficult part about managing risk today, and how can I help you do that job better?" Senior management, and I'm seeing a lot of this over the past year, where senior management is really taking a deeper dive into that first line of defense. The people who are doing the work every day and saying, "Okay, what can we do to help you out?" Unless you have that environment, then you're going to be dealing with spreadsheets, and you're forcing yourself into a reactive mode. But the challenges, in terms of fintech companies, is trying to fit what you need with what's out there. And so, that's a big challenge. KS: Yeah. This is across the board. I see this really not just in finance, but in a lot of different industries, that environment that you spoke of. What we're calling it is, creating a culture of risk awareness. You can't do that if you don't have visibility into these areas, and I don't know if this is something that you are noticing in finance as well, but in other industries these different areas, or workstreams if you will, the data is siloed. So, you've got a group of people that are managing compliance related things, another group managing policy and procedure, maybe another team that is responsible for risk management and mitigation, and then you've IT, and there could be different departments that have their own way of measuring and mitigating risk. So, everything is managed separately, and the data is siloed in spreadsheets. So to actually get accountability and visibility across those data points that really tree up into an overall risk strategy for the organization, they just can't do it. We're seeing a shift in other industries to get that more proactive approach, and actually, realize that, "Hey, we can use risk data as a strategy for the organization," to create new business opportunities. Things like identifying a merger acquisition strategy, or gaining a certification, or rolling out privacy as a part of their service level to customers, and actually using these as new business opportunities, and a strategy for a competitive edge. Is this something that you're seeing banks and financial institutions moving towards? TS: It's interesting, in the past year and a half, probably, I have seen a shift in more strategy. I'm happily seeing the steady increase really focusing on strategy planning with financial institutions and companies, rather than reactive planning. Because reactive planning is just not as fun. Reactive planning, it's all about time. You're already in trouble at that point, whether you've had a big fraud event, or regulatory consent, or something even more significant. So, just talking to CEOs and CFOs, and really all types of employees within those financial institutions, it does seem like financial institutions are taking more of a proactive approach to their risk management strategy, and listening to the people who are in the best position to tell them what they need. And so, they're really using risk management as a strategy. The thing that I think, which is great is that, financial institutions, used to, you started with risk management, and then you worked down, so a lot of financial institutions would say, "No, we can't bank that client. No, we can't have that product," but if you have a true blue, enterprise risk management program, where you have technology, like obviously LogicGate, helping you out, you can start with the customer first and say, "We want to bank that customer," Or, "We want to offer that product or service," and then you can work from the customer. Not start with risk management, because the customer is going to be the point from which you're going to say, "What do you need, and what do we need to do?" And so, if you have the technology and the transparency, and every level knows what's going on, you have such a competitive advantage over other financial institutions and companies, because everything is transparent. And then you've got everybody working together. I've also seen a shift, and again, I think this goes hand-in-hand with the technology is, if you have the technology to be able to open all the doors, it's like go into a financial institution and opening all the doors to all of these departments and saying, "Everybody, come into the lobby, and let's all talk." To me, that is truly enterprise risk management, where everybody is collectively agreeing on something, risk management can be managed a lot easier, and you can talk about strategies and technology efficiencies, enterprise risk management. And it's always been my experience that if you do this as a team with good technology, and you listen to everyone's thoughts, it is truly a success. Unfortunately, I see financial institutions still today, work on spreadsheets. To your point, Kelley, you've got somebody working in compliance on their stuff, and you've got the sales folks over here selling it, and fighting back and forth with risk management and compliance people. That is, to me, it's always been the indicator that you do not have an enterprise risk management program with good technology to be able to help you. I've been into financial institutions that they say they have this enterprise risk management program, but it really isn't. They're dealing with spreadsheets, and it's really siloed risk management. So, you really need good technology, and the ability to see, you've got to see the blue sky, because if you're surrounding yourself with spreadsheets, you're trying to manage policies, and vendor management, and risk assessments with spreadsheets, you are truly, and it doesn't matter what size you are, you are truly, in today's environment, with all of the external threats, you're setting yourself up for failure. It's not a sustainable risk management program. KS: Yeah. I think at it's best, you're just behind. You're lacking. But at it's worse, it could be really catastrophic. It could result in something that cripples the business. TS: Right. KS: Yeah, I think that's a great point. You mentioned efficiency. Something we see, financial institutions are wanting to reduce operating costs. In your opinion, what do you see, in terms of banks reducing their operational costs more effectively, competing in the financial industry? TS: This is kind of a hot potato topic these days. It's interesting. You might hear, financial institutions really talking about, "Hey, we want to reduce those operating costs," but then you walk into a room, into the same, you may walk into the operations center, and you're surrounded by stacks of paper. People around you looking like they're about to cry because they don't know what to do with these stacks of paper. But I am happy to say that, like I said, over the past year and a half, there does seem like a lot of financial institutions, and the smaller ones too, we work with financial institutions that are 50 million in assets, but they operate so efficiently and effectively, we've got some financial institutions who have virtual employees. And basically, there is technology that is really running manual reports, doing different things, helping the operational folks. And while the operational folks are really focusing on things like fraud prevention, risk management, compliance management. So, you're seeing a shift in the doers, like I'm sitting there, and I am either typing out something, a spreadsheet, an Excel spreadsheet, I'm dying in the world of Excel, or I am writing all of these things. Instead of that, you're seeing an uptick of people really focusing on risk management. In risk management, you don't have to be typing on a spreadsheet to say that you're doing risk management. Risk management is about monitoring, evaluation data, keeping up with things, understanding things, communicating out to the business line so that they can go sell and do those things. The last thing you want to do is make risk management this dreadful thing that takes way too long to do. Then you've lost your competitive edge to be able to go sell. So, I do think people are looking at operating costs simply because, it is negatively impacting that front line to be able to go sell, and bring in deposits. If I am a sales person, and I'm spending half of my time doing operational risk management functions, half of the time I'm not selling, I'm not bring in deposits. So, that is where that becomes a crippling process. So I think reducing operational costs has a lot to do with the inefficiencies on the front line and on the sales side, because they're doing all of this stuff that they should not have to do. KS: 100%. You know, I'm going to go off on a brief tangent here, but your statement about the stacks of paper making people cry just reminded me of something. I'm speaking with a bank currently, and they are looking at incident management solutions. They are doing the right thing. They are being proactive. They want to streamline this, and one of the things that she asked me, and I think this is also one of the areas of challenge for these types of heavily regulated organizations is, it's like, they're chasing their tale constantly. One of the things she asked me is, "Can we import all of our historical incident cases into your technology?" My answer was yes, but then I was like, "Well, let's dig into this. How much history are we talking? How many cases?" "Hundreds of thousands. We've got a regulatory requirement that, for one of the departments, it requires us to keep the entire history, the lifetime of incidents. So, it's like, more than 10 years of incidents." And I thought, "Oh my God. When are you ever going to reference an incident that happened more than a decade ago?" TS: Right. KS: They are just like, in a sea of non-useful data at that point. TS: Exactly. KS: It's not that we can't meet that need, but I just [inaudible 00:20:42] in that moment, because there is this kind of, I don't know if it's a chicken and egg analogy, but how can we move forward if we are held back by historical data that we can't efficiently manage? TS: Agree. KS: So I thought that was interesting. TS: Yes. KS: So my task to her was, "Hey, go back and challenge your legal team, and find out what you really need to keep, and let me know if it's seven years, five years, three ideal," because less is more in an instance like that. TS: That's exactly right. KS: Do you see anything significant in the risk management space through financial institution merger and acquisitions? We're seeing that this is a trend. It's been a trend for a bit now, but it's definitely going to increase through 2019 and 2020. Specifically, what do you think works, and what do you think doesn't work when financial institutions merge, or get acquired? TS: There's a couple of things. The first thing that I see, financial institutions, if you sit on the sidelines and you watch financial institutions, the acquirer and the one being acquired. I see sometimes it's, the acquirer comes in and just swoops it up and they're not listening. It's who's got the best in show technology? Sometimes it's on both sides. The advice that I would give to an acquiring financial institution is pay attention to all, do an inventory of technology, and see what works best with what the smaller financial institution has, because maybe they have a best in show thing on their side, and maybe you have a best in show technology on your side. So one is, listen to each other, because I think that's important. The other thing I think, if you were an acquiring financial institution, you don't just wake up and become an acquiring financial institution. Most of the time, you're in business to do that. So, a lot of the audits that I've done over the past several years in financial institutions who are acquiring other, they're in the business. They do that. Historically, they do that. They find themselves in an incredibly risky position because their program may not be sustainable for where they are in the moment. And so, when they take over another financial institution, it only gets worse. I talked to several financial institutions. They're either hitting the billion dollar mark, or they go to the three billion dollar mark, or even more significantly, the 10 billion dollar mark, and I will say, "You're dealing in spreadsheets. This monitoring system that you have here was not even made to monitor what you're monitoring." Or, "Your technology is antiquated." Or more so than anything, "There's way too many manual processes." And then you've got layers of people trying to manage to those spreadsheets. So, for financial institutions who are in that business, who are acquiring, they have got to get an enterprise risk management program, because they will find themselves, as you get bigger in asset size, regulatory audits get worse. They just do. They get more intense. And so, the regulators, which they should, because you're responsible for more consumers. You've got more commercial clients, you've got more opportunity for fraud. There's more opportunity for AML risk, regulatory consent risk, it's important that these acquirers get with the program, and make sure that they have a sustainable program for years to come. They need to plan on not just today, because if you acquire a financial institution that's even 200 million in assets, and you're 10 billion in assets, it's still a 200 million dollar organization that you're going to pull in, and 200 million even, pulling into a financial institution that is managing risk to spreadsheets and inefficiencies, is not good. And so, that's unsustainable for even today. So, I think that what I see is, financial institutions acquiring financial institutions, and I've talked to many, and especially over the past six months, is really, what do we need to do to get into a new program that we're growing in. Acquiring financial institutions know their strategic plan. It's not a secret to them. They know what they want to do. So, if you know what that plan is, you're going to work to a three or five year plan. Your enterprise risk management needs to be with a three or five year plan, whatever. But if you're just dealing in the moment, every day is going to be a new day to you, you're just playing with time. And it's just a matter of time before something happens again. And like I have on my website, it takes one regulatory consent order, one thing that can cause you reputational damage, that you would never, ever be able to acquire a financial institution again. So, it's basically being in a sustainable enterprise risk management environment, surrounding yourself with good people, and technology that really works for you. Not that you have this technology in the middle of you that doesn't work. Sometimes I see financial institutions who have enterprise risk management technology, and they don't use it because it's bad, so they do all these workarounds around it, and they let it sit there, and pay for it. The technology is sitting there not being used, so you're working three times as hard for technology, which is completely ironic. So, I think the sustainability of risk management programs, especially for acquiring banks, is significant, and it's something that is on the regulatory radar. When I do training for regulators we, all the time, talk about acquisitions and mergers, because those financial institutions are at risk more than other financial institutions. KS: Yeah. Absolutely. It's funny, too, we have such a crazy environment right now, just in business, but personally, with guilt by association. Just in this whole M&A between financial institutions, just got me thinking, too. My mom always used to say, growing up, "Treat others how you would like to be treated." If you have a good business practice, and process in place for these procedures, you're going to attract other organizations that have those good practices and strategies in place, too. And you want to be doing business with somebody who is doing business that way, because if they've got something hiding in the closet, you are going to be guilty by association. TS: Right, exactly. I think that this is kind of a thing that financial institutions who acquire other financial institutions need to be paying close attention to. KS: 100%. Well, to round out our episode, I know you have rolled up your sleeves, and dealt with a lot of fraud cases. I'm just curious, what is the most shocking fraud story? TS: Several years ago I was doing an audit of a bank, and I came across something that didn't make sense, and I went to the person and asked her, "Can you help explain?" And she was babbling on. Whatever she said did not make sense, and she kept babbling on, babbling on, babbling on. Interesting enough, during that audit, it was the first time that I'd ever caught fraud actually performing an audit. And so, she was responsible for everything. And talk about spreadsheets, kind of bringing this around, she had a stack of papers and spreadsheets, and all of this other stuff, and she was the go-to person for the president of the bank. She was the go-to person for everyone. It was difficult because they fired her. They went through the whole thing. It was pretty significant. The interesting thing, it's like, you have to pay attention to your surround. The interesting thing is that, here's a person who made like, 30 thousand dollars a year. She was responsible for everything, making 30 thousand dollars a year, and she was driving like, a brand new Jaguar. It was some crazy expensive car. So, every single day, they came into work, she pulls in the front with her brand new Jaguar. She goes on vacations. She did all this extravagant stuff, and even when she was not there, she had her backup do the fraud. So, the backup was doing the fraud, so she had organized fraud within the financial institution, and because they were so inefficient, she made things so layered and inefficient, she was able to get by with the fraud. And because everything was so siloed, she was able to get by with that. And I think that was probably the wildest thing, because every day was a new day. No one put things together. No one. So, it was kind of like, all the things we talk about, data, working in silos, one person trying to do everything. That was the point in time when I thought, "You know what?" It was my first opening, grand opening, to fraud mitigation, because it was a lesson to me, and I was just doing the audit. This happens even today, and this was 15 years ago. So, think about the significance of fraud today, and think about your surrounding yourself, so if you're working in silos, and doing all that, you are opening yourself up even more today, than like, 15 years ago. So, this stuff still happens. She was working her own organization in the bank. That was wild. It was just wild. KS: That is wild. So, a single point of failure can also be a single point of fraud, is what you're saying. TS: A single point of fraud, exactly. KS: I'm a big fan of the Ozark show, and it reminds me of that, all the paper shuffling- TS: Absolutely. Exactly. KS: That's crazy. Well, thank you so much for joining me on GRC and Me. I hope you'll come back for another episode. We just scratched the surface today on hot topics in this industry, and we'd love to have you back, and maybe we can feature a key study, something that we've done together. TS: Perfect. Thank you so much for having me.Risk Cloud® Onboarding
Launch your program quickly with step-by-step guidance from our expert Implementation team.
Risk Cloud® Differentiators
Learn why leaders like you choose Risk Cloud.
With so many governance, risk, and compliance solutions out there, choosing the best platform for your needs can feel overwhelming. Learn how Risk Cloud's flexibility, scalability, and ease of use separates us from the rest of the pack.Enterprise Risk Management Solution
Learn More About Enterprise Risk Management With Risk Cloud®
Get complete visibility into your organization’s assets, risks, and controls with Risk Cloud’s Enterprise Risk Management Solution. It centralizes and automates every aspect of your Enterprise Risk Management program, so you can get a holistic view of your risk environment, identify areas for improvement, and unlock insights into your future risk landscape.Automating Your Third-Party Risk Management Program
Register to get up-to-date on successfully implementing an automated third-party risk management program.
Many corporations haven’t adopted automation in their third-party risk management programs. The lack of automation can be traced to a few core reasons. Disparate systems, out-of-date data, and inconsistent policies can all stifle a company’s ability to modernize its third-party risk management program—and companies often suffer from more than one of these. When applied effectively, automation can not only help prevent these roadblocks, it can also drive the efficiencies procurement and compliance leaders are looking for. Join this CPE-accredited panel webinar as our expert panel address some key steps to automating third-party risk management, including how to: Manage an up-to-date vendor master to create one source of truth across the entire corporation Leverage automation and machine learning to standardize data governance Drive efficiencies and reduces costs, while ensuring the highest accuracy in your third-party risk management program[Video] Third-Party Risk Management Solution
Learn More About Third-Party Risk Management With Risk Cloud®
Risk Cloud makes it easy to assess and report third-party risks from one automated platform. It centralizes and connects all your vendor information, controls, audits, and documentation – so you can efficiently assess third-party risks and implement strategies to improve your risk posture.GRC & Me Podcast: Michael Rasmussen, the Father of GRC
In today's episode, GRC2020.com founder Michael Rasmussen joins us to discuss agile solutions and all things GRC. He…
EPISODE NOTES Top 3 Takeaways It’s important to first establish what your company is trying to accomplish with its GRC program. Frameworks are like the human body; you've got multiple systems involved. All those come together to help form a GRC program. In light of data breaches, consumers are picking up on privacy. They're demanding better practices with their personal data. Resources: Connect with Michael on LinkedIn Connect with Michael on Twitter GRC 20/20 GDPR California Consumer Privacy Act Ten Thousand Commandments The Competitive Enterprise Institute Episode Transcript Michael Rasmussen: At the end of the day, GRC is something organizations do, it's not something they buy. I get frustrated when an organization comes in and tells me; We just bought GRC, now come and tell us how to do GRC. That's putting the cart before the horse. What are you trying to accomplish? And from there, can we establish what technology's going to help us accomplish that? Kelley Spakowski: Hi. I'm Kelley Spakowski, and this is GRC And Me, a podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends, and more to learn about their methods, solutions, and outlook in this phase. Today we have Michael Rasmussen with us to talk about all things GRC in general. Really excited to have him here. He is known as the father of GRC. Michael, welcome. MR: It's a pleasure to be here. KS: I'm super excited to have you on because you are the father of GRC. Can you give me a little bit more about how that came to be, and how you got involved in this industry? MR: Well, I... there's a dichotomy because there's a what GRC is, but then, there's also how I came to formulate GRC, because GRC is much broader than technology. But, as far as the GRC acronym, back in February 2002, I was working at Forester Research, and it's been seven years at Forester now, 12 years on my own. But, in 2002 on a cold snowy day in the Chicago office of Forester, I just got done with a briefing on a solution that can map risk and controls, and policies, and I; Wow! This is great. MR: When I was an IT Security Consultant in the Chicago [inaudible 00:01:43] markets, I was looking for something just like this. And so then, there's a whole market for this. And so, what do we call it? And at that point, you know, I thought; Well, it has a governance aspect, of, you know, understanding what our objectives are, and the risks to those objectives, and compliance obligations, and so, labeled it GRC, thus creating the GRC market. MR: Now, what's important to understand is, GRC's more than technology. In fact, every organization does GRC today, whether they call it GRC, ERM, IRM, XYZ, ABC. Everybody's got some approach to GRC, whether they use the acronym or not. You're not going to find an organization that says; We don't govern the organization, we can care less about risk or compliance. Every organization has, you know, some approach to Governance, Risk Management, and Compliance. MR: And so, to me, what's important to understand is that, while there's a market for GRC technology, at the end of the day, GRC is something the organization's do, it's not something they buy. I get frustrated all the time when, you know, like an insurance company called me in and said; We just bought GRC, now come and tell us how to do GRC. That's like putting the cart before the horse. KS: Right. MR: It's like, you're doing GRC already today, in some aspect. What are you trying to achieve? What are you trying to improve? How do you want to make things more efficient, effective, and agile? And then, let's talk about how to improve that, because there's some foundation of Governance, Risk Management, and Compliance, whether it's reactive firefighting through more structured and integrated, every organization's doing it in some way right now. KS: Yeah. That's interesting. So, when they say, help me do GRC, do think they're actually referring to; How do I operationalize this? Because, traditionally, we've just had, you know, Becky or one, you know, one person that actually own GRC for the organization. MR: Well, the challenge is, we've had multiple owners of GRC. And, it reminds me of the Winchester Mystery House in San Jose, California, the sprawling mansion that was built in the 1800s. It cost 5.5 million dollars to build in the 1800s. That's one expensive house today when you're calculate inflation. It had, it was built over 38 years, and had about 140 different builders. At the end of the day, it doesn't make a lot of sense. MR: It's got 10 thousand windows. It's got doors that open to walls, 20 foot drops of staircases that go up and down to nowhere. Skylights are in floors instead of ceilings. That's most organizations' GRC programs today. Over the last 38 years, they had to have 140 different builders of GRC in different departments doing their own little thing and manual processes or point solutions, without thinking big picture of how this should be designed. MR: The Winchester Mystery House had no design, no blueprint, no architect, but had 147 different builders. You know, that's exactly where organizations are at with GRC in a lot of cases, is they've had all these different builders without stepping back and saying; How can we design this? KS: I love that analogy. I like that return on investment too. I think I'll run with that. That's a good Segway to, you know, talking about how GRC is really moving from a nice to have, into a priority for a lot of organizations. What do you see going on there? Why do you think that's happening? MR: A lot of it is coming from multi-faceted environments. There's a lot of regulatory change, changing laws, rules, regulations, enforcement actions. It's not just the regulation itself, but, it can be the enforcement of that regulation. You know, global financial services firms are doing a 216 regulatory change events every business day, coming from 905 regulators around the world. That's just one aspect. We're not even talking healthcare and all these other industries. So, lots of regulatory change. There's lots of risk change, changing geopolitical risks all around us. Changing economic risks. Changing technology risks, and society, industry demands. But, at the same time, the business itself is changing. You have changing strategy and processes, changing employees, people moving from one department to another. And people that enter and exit the organization. Third-party risks of changing vendors and suppliers, and outsourcers, and service providers, and contractors, and consultants, and temporary workers where half of our insiders are no longer employees, but they're third parties. MR: And then, the whole area of mergers and acquisitions, and how that impacts and organization. The challenge there, in answering your question, is, you have to keep all that change in sync. Now, I can devote a ton of experts to be knowledgeable about regulatory change, but that doesn't make me compliant. As the business changes, I'm out of compliance. I've got to keep the business change in sync with the risk change, in sync with the regulatory change. And, that's the challenge. KS: Mm-hmm (affirmative). Yeah, great point. So, what we've found is, a lot of organizations, who are looking, or maybe are kicking the tires with solutions to support GRC, and a change, really, in GRC. They, up until this point, have been essentially keeping the lights on. Why is that not a fit anymore? And, I think you've kind of just said it, because all of these moving pieces are not in sync. But, can you elaborate more on why an organization should really ditch the spreadsheets, and email, and have a strategy around GRC? MR: Partly, to answer that, first off, it's because organizations are distributed, dynamic, and disrupted. You know, we've distributed operations across third-party relationships, around the world, and all these different interactions and transactions. And, it's very dynamic and distributed. And, it's dynamic in constantly changing, and it's just referencing on regulatory change, risk change, and business change, which leads constant disruption as well. In that context where you're trying to manage things, the lot of manual processes things slip through the cracks. Things get missed and overlooked. And then, we get into hot waters. I was talking to one bank, in which, you know, they went to more of a technology approach for defensible GRC. Because, the Federal Reserve had come in and said; You're not going to pass your next regulatory exam if you continue to manage GRC in documents, and spreadsheets, and emails. We want to see a complete record, auto trail, a system of record. What was assessed? What day and time? Who assessed it? Then somebody came back a week later, or two weeks later to try to paint the rosy picture to get the organization out of trouble, or, you know, bypass the regulator. They want to see that day and timestamp of that complete auto trail and history of all those different interactions on the assessments, and controls, and policies. Documents, spreadsheets, and emails don't get you that system of record and auto trail that the regulators and auditors are starting to look for. On top of that, you know, it's around efficiency, effectiveness, and agility. How can I make my processes for related to GRC more efficient? Time saved. Dollar saved. More effective being accurate, complete, thorough, as well as agile and responsive to a dynamic business environment. You know, one organization I was talking to is spending 200 FTE hours building an interview report for the Board of Directors and Compliance. Now it takes them less than a minute. But, if it takes you 200 FTE hours to build a report, you're certainly not agile. KS: Yeah. MR: And, if you're trying to find transient patterns and see that where things are going wrong, and if you're doing that once a year, and it takes you 200 hours to build that report, things are slipping through the cracks, and big issues are going unnoticed, if you don't have that at your fingertips. That's an issue. That's a challenge in organizations. We need that visibility. And, documents, spreadsheets, and emails don't get us there. They don't allow us for that ongoing monitoring, and instant understanding of what's going on in the environment, and being able to identify key risk indicators and trends that can be monitored on a minute by minute, second by second basis. KS: Great point. So, for the organizations who are now realizing; Okay, we're ready to take on GRC, they're past this point. And, they're looking at how they can be more strategic in a GRC strategy. There's a lot of different frameworks out there. How do they decide what framework is the best fit? And then, how do they actually take a technology, operationalize it, and then build a strategy around that? MR: Great question. There are a lot of frameworks. And, frameworks are like the human body. You look at the human body, you got multiple systems involved. You've got the skeletal system, the muscular system, the nervous system, the respiratory system, the digestive system. You know, that's like frameworks. There's frameworks that can model the different parts of, like, the body of different components of it. You know, you got risk frameworks. You got compliance frameworks, and audit frameworks. And so, all those come together to help our former GRC program. There's no one framework or standard out there that is a perfect fit for every organization. And so, it's about taking these frameworks, and applying them to your organization, modifying them, so that it makes sense for your organization. And, like the human body has different systems, we might bring together different frameworks to build and compose that. Now, the sort of uber framework to sort of manage all this, that I like is, the OCEG GRC Capability Model. Now, I helped contribute to that, so, I've got an interest in that. But, you know, when we built version one around version three of the GRC Capability Model, now, we've looked over a hundred different, you know, frameworks and things out there from Australia, New Zealand, 4360 was the management standard, which became ISO 31000. MR: Did the ISO 27000 standard, ISO 9000. COSO ERM, COSO Internal Control, COBIT. You name it, we looked at a lot of different frameworks and standards. So, what if some of the common Governance, Risk, and Compliance processes and activities across all these frameworks? And from there, we came up with all these components and elements, and each component to be able to manage that. The existing version three includes the learn, where we understand the environment. The internal and external context, stakeholders and culture of the organization from the align, where we identify risk, we... and compliance, and obligations. And, we assess that. And, we define activities. And, from there, we move into perform, and where we document controls. We have new policies, communication and training programs, and hotlines, and incentives for reporting issues. And to be able to manage that process. And then, we monitor where we provide audited insurance and validation of the program. But, it... to me, the GRC capability models are the good uber framework to encompass all of them. But, really, it provides integration. But, I describe the juice and capability models being really a Rosetta Stone of frameworks that sort of provides some of the common 80% commonality between different frameworks. But, the other frameworks are still needed. It's just sort of more of a translation stone. KS: That makes total sense. So, do the decisions need to be made on the framework and the methodology before the technology? What do you recommend there? Because, I think a lot of organizations really struggle. They say; Well, we haven't quite decided how we want to run our program. We don't know what methodology is a best fit. We haven't decided on a framework. So, we're just not ready for technology. Do you agree with that? And, what's your advice there? MR: It depends. KS: Okay. MR: There's always, you know, little factors and things that can influence that. KS: Yeah. MR: To me, I mean, we can talk about an enterprise GRC type strategy, or multiple departments are coming together to cohesively look in how we approach this. Or, we could talk about, you know, very specific department needs, which are easier to get our hands around. If we don't have that enterprise GRC strategy in place, how can I solve department problems? And, what type of solution can I pick out there from a technology perspective that can, not only solve my department problems, but could eventually be leveraged for other needs across other departments as well? Because, if all I'm looking at is my department, I might pick something that couldn't be leveraged with other departments, and might limit me in the future. And so, looking at what could possibly happens is important. Now, obviously, the best point of reference is, being able to understand, and will be able to build that collaboration across departments so that you can select the right framework and technology to fit that. Ultimately, it's good to understand what framework you're going to have, so the technology can be adapted to it. As I mentioned earlier, I get frustrated when an organization comes in and tells me; We just bought GRC, now come and tell us how to do GRC. That's putting the cart before the horse. What are you trying to accomplish? And, from there, can we establish what technology's going to help us accomplish that? And, what frameworks? KS: Great advice. What trends are you seeing, and what do you think those trends indicate? That's a pretty broad question, but, I'm ready for the broad answer! MR: Well, there's growing regulatory concerns across industries. And, changes in enforcement actions, and increased enforcement on that. A lot of geopolitical unrest, and understanding, you know; What's happening in the world right now with different, you know, political regimes, and changes, and shifts, and different trajectories of different countries and things like that? And, what does that mean to a dynamic and distributed business environment that goes around the world? You talk about Brexit and United Kingdom and things. Or, import and exports, and sanctions, or whatever it might be that, there's a lot of things influencing that. There's a lot of shifts and things internally on greater responsibilities and oversight. Compliance is a function that's maturing rapidly in organizations where it used to buried in the legal department. Now, corporate compliance, more and more is reporting outside of legal, in its own entity in the organization. We're seeing trends there. Internal audits being challenged to be able to do more than just traditional internal controls, or financial reporting-type audits, where we see more and more IT audits over years, but now, operational audits, out in business operations, and even third-party audits. There's a lot of different parts of the organization that are very dynamic in shifting and changing right now. KS: Awesome. What success metric should be priorities for GRC teams? When they're implementing GRC technology, what recommendations do you have for achieving those outcomes? MR: I break it down to those three areas of value; efficiency, effectiveness, and agility. The efficiency metric is; time saved, money saved. You know, before, you know, it was taking me this much time and effort, and cost me this much money to do things related to GRC. Now, I've reduced it to this figure. Effectiveness, you know, how more accurate, complete, thorough, reliable is our GRC related information? How timely is it? That also ties into the third element, the agility. How can we keep up with the changing and dynamic regulatory and risk environment, and business environment, and stay current with the changing business? On top of that, agility is also the ability to be responsive. How can we quickly identify issues and resolve them before they become bigger issues? KS: I love that. The effectiveness piece, do you think that's hardest one for people to get their finger on, because maybe they don't have those data points, even, you know, if they're starting a GRC program from scratch? MR: Effectiveness can be challenging. But, I find that a lot of organizations is the efficiency piece. That, they just haven't measured the actual human capital cost of GRC in their organization. As I mentioned the one organization that was spending 200 FTE hours, after they really dug into it to build one report for the Board of Directors. There's multiple reports. That was just one report on an annual basis for the Board of Directors and Compliance. 200 FTE hours, and it now takes them less than a minute. You can build out a value proposition from there. You know, a firm I was just talking to is spending, you know, their competitor spends six FTEs managing their third-party relationships and suppliers. What they spend, this organization, was one FTE, you know, because they have an automated process. You know, six employees, and you calculate full-time equivalent benefits and salaries, and things out there against one employee with the technology that can enable that. Same amount of suppliers, two different companies. Different contrasts. KS: That's huge. So, those are huge numbers. It comes full circle back to that Winchester House analogy and all the time and resources spent on that. You have people that own little bits of it. And so, the work is really spread around and kind of lost in the scenes. That's interesting. So, in a recent GRC 20/20 piece, you contrasted agile GRC solutions with legacy players. How do you define agile, and what do you think is behind the emergence? MR: Great question. The emergence is, technology that's evolved. I've been monitoring this GRC market since 2002. So, we're in 2019, that's, you know, 17 years now. Technology is not the same today as it was in 2002. KS: No way! MR: We have a lot of different technology. And so, some of these legacy [inaudible 00:17:35], they cost a lot of money to implement. I was doing an analysis of the different ROPs I've interacted on, and found that, those that Gardner enforced are put up in the upper right, in the leader's quadrant of the wave and magic quadrant. They typically have a ratio of every dollar you spend on software license, like subscription license, you're spending three to five dollars in implementation and build out. That's expensive. And, those that are outside that, is more of a ratio of .5 to 1.5. And so, I'm not talking management consulting. I'm just talking about configuration and build out of the platform. You know, technology's changed significantly, and the more established, you know, legacy of being with players are very costly to implement and own in the organization. And, organizations are starting to catch up on that, and understand that there's more agile technology available in the market. The way I define agile GRC technologies, one is the user-interface. How intuitive is it to use? How willing and engaging is it, not only for the second lane of defense, the risk and compliance and security officers and managers? As well as the third line and the auto professionals. But, also the frontline employees, the first line of defense. How easy is it for them to use and read policies, go through training, take assessments, report issues and things? You know, so, when an element of agile as a usability intuitiveness. Another piece of agility is the ability of the solution to be easily configured and adapt to the organization without custom coding that breaks on upgrades, or takes six months to make a change with, you know, a certified expert that costs 130 thousand dollars a year to make that change. You know, how agile is the solution itself to be adapted to the organization rapidly? And then, scalability of it too, is important. You know, can the solution scale with me and help me through mergers and acquisitions as the business evolves and changes? That becomes important. KS: Yeah. The adoption to the business, I think, is huge, which I think gets lost in conversation a little bit. The ability to bring the business users who are actually close to the needs and the requirements, regulatory business and otherwise, bringing them closer to the technology, and actually giving them control over how that's configured, I think is huge, rather than passing it off to an IT resource who might not necessarily know the nuisances of the needs of the business. It reduces a lot of friction there. What are the differentiating factors among GRC solutions that will establish industry leadership positions versus ones that won't? MR: First and foremost, to me, today in this agile market that we need, is the total cost of ownership. What is the cost, not only to acquire the solution, but to actually implement, and own, and maintain the solution? There is a LinkedIn post out there from last August that compared, you know, the implementation. I'm not going to name names here. But, of one of the major GRC BMS platforms that Gardner loves a lot, to the lyrics to the song, Hotel California. That, basically, you're trapped and can't get out. You know, they said, after spending 500 thousand dollars in software licensing, and two million dollars in implementation, three years later, they're just getting some basic functionality working. That's not agile. I mean, today's technology for GRC needs to be rapidly implemented and molded to the organization to be able to bring value and return to the organization. To me, that's critical. KS: Yeah, the evolving piece, I think is, you hit it on the nose. I hear that very commonly. People are very committing to a piece of a technology because they feel as though they're locked in to that, you know, initial configuration at that point, which agile solutions are now really unlocking that for people, so, really great point. Do you foresee massive data breaches to continue? And, if so, how will they shape the future of GRC? MR: Data breaches are definitely going to continue. It's just the complexity of the world that we live in. I mean, you go back a couple years ago to the Target breach, one of the largest credit card breaches in history. The doorway into that was an HVAC vendor. The heating and air conditioning had a connection with the Target Network and Environmental Monitoring. And, a hacker broke in. The heating and air conditioning vendor was able to compromise point-of-sales systems across Targets. That's the interconnectedness. Now, the heating and air conditioning vendor is not a traditionally team vendor. But, they're being connected to the network, and were given access. It could be anybody, a supplier, vendor, outsourcer, service provider. Our risks are multiplying with a lot of these third-party relationships. And, over half of data breaches are not with traditional employees, but they're with third-party relationships now. And now, we have a concern with the Internet of things that the next major breach can come from the microwave in the break room that's connected to the Internet. KS: Right. Exactly! Medical devices, multi-function devices often get overlooked. These are all new things that are being folded into the risk profiles. MR: Yep. KS: So, yes. That's fascinating. And, I agree with you. I don't think it's going to slow down. I think it will just increase. How do you expect the regulatory landscape in the U.S. to evolve in the coming years, and especially in light of GDPR and key California Privacy Consumer Act? MR: That's a loaded question! That can get into political ideology and things too, and... KS: We don't need to go into politics, but, yeah! MR: Yeah! But, one thing that happens year over year with whatever administration it is, is regulations and things grow. I mean, one of my favorite annual reads is the 10000 Commandments that comes out of the Competitive Enterprise Institute from Kolkata Institute on that, you know, just that the actual impacting cost of regulation at the U.S. Federal Government, not even talking about State and Local governments. There's a lot that happens in changes. Now, California tends to be a trendsetter. So, what happens in California, other states pick up upon, and then eventually, it might get implemented in Federal regulation, because organizations say; Oh, but I they didn't want regulation before. So, you... now you got to do something, because now we have, you know, 48 of the 50 states doing something here in different ways. We need consistency. And so, you know, when you look at mandatory disclosure laws that came out, you know, a decade ago. California started that. And then, within two years, it was like 48 states had similar laws. You know, now, with California's Consumer Protection Act, which, you know, is very GDPR-like, from the EUGDPR-type regulation, you're going to see other states pick up on that too. And, at some point, organizations are going to say; This is a mess. Because, the government's got to step up and have over sweeping regulation on this so it's consistent. KS: Yeah. Absolutely. And, I think consumers are really picking up on privacy, and they're starting to dial into that, and you know, start to question some of the companies that they do business with. They want to know about their data. They want to know, is it being protected? They want to know how it's being used, because of all the, you know, the exposure that have happened through breaches like Target, and you know, what's going on with Facebook and other social media platforms. Privacy is top of mind. So, whether it's coming via regulation, it's certainly coming from consumers that are demanding better practices with their personal data. MR: Yeah. KS: Thank you so much for joining me on GRC And Me. It's been a great podcast. Your expertise in this phase because of the complexity is just really, really great to have on, and I know my audience will really appreciate it. So, thank you so much for joining me, and I hope you'll join me again. MR: Certainly will. Thank you.Third-Party Risk: Driving Cross-Functional Alignment Across the Vendor Lifecycle
Catch up on modern frameworks and methodologies for managing your network of third-party vendors and suppliers.
In recent years, companies have increasingly come to rely on networks of third-party vendors to help them compete. These vendor relationships are not only more numerous, but more sensitive information is being shared across them as well—bringing a host of oversight concerns including lack of control, cybersecurity threats, and risks to reputation. In this eBook we'll introduce some methods for managing the relevant parties and keeping third-party risks in check. Topics include: Tools and technologies Methodologies and frameworks Risk assessments Security by Design principles Much moreLogicGate and Intradiem: Promoting Trust
Intradiem needed help with a number of its GRC processes, from ISO and SOC2 controls to Business Continuity…
A Guide to Enabling and Protecting Your Business with Smarter Infosec Strategies in 2020 and Beyond
Learn the four pillars of a sound IT Security program—and why they're so important to your company's mission.
In many companies, Information Security is thought of as something like asset protection—hardly related to the core business activities that contribute to the company's bottom line. In this eBook, we'll explain why this way of thinking is incorrect. Today IT Security is a critical piece of every company's revenue-driving activities—and those that don't recognize it as such could be putting their futures in jeopardy. Download our free eBook and learn how to: Transform compliance into a business driver Shorten the IT audit process Implement a robust Risk Acceptance program Build out an Incident Response plan Perform actionable gap analyses Much moreRegulatory Compliance Solution
Comply With Constantly Changing Regulatory Requirements and Pass Your Next Exam or Audit
Stay compliant with relevant regulations, automate tedious workflows, and avoid fines with Risk Cloud®’s Regulatory Compliance Solution. Risk Cloud dynamically links regulations, obligations, assessments, exams, and findings in one platform and integrates with regulatory content providers to uncover compliance gaps.Internal Audit Solution
Shorten Time to Audit With a Connected View of Controls, Risks, and Evidence
Identify issues and correct compliance gaps before they are discovered by external auditors. With Risk Cloud®, you can perform due diligence with precision and speed, efficiently collect evidence, and report what matters most to your stakeholders.Environmental, Social, and Governance (ESG) Solution
Use Risk Cloud to measure, track, and report on your company’s ESG goals and initiatives — all in…
Measure, track, and report on Environmental, Social, and Governance (ESG) initiatives to show stakeholders progress and results. Risk Cloud’s ESG Solution improves visibility of ESG-related risks, assesses the impact of your ESG initiatives, and tracks performance across the seven key areas outlined in ISO 26000 to evaluate your program’s effectiveness over time.Operational Resiliency Solution
Build Operational Resilience and Recover From Business Disruption
Plan for and recover from disruptive events faster by centralizing business continuity and response planning in a single, easy-to-use platform. With out-of-the-box workflows and checklists, Risk Cloud® helps you identify and track critical functions, systems, and disruptions from one location.Policy Management Solution
Learn how the LogicGate platform can improve your policy management program.
From drafting, reviewing, and approving policies to tracking employee attestations, Risk Cloud® helps you streamline and automate every aspect of your policy management program. Quickly identify and correct compliance gaps as they emerge and remediate policy violations year-round.How to Build Organizational Support for ERM
Gain support from your entire organization for an enterprise-wide ERM program that can change your risk culture.
The demands placed on risk managers have significantly increased over the past five years. One new responsibility involves becoming the champion for risk-management processes within the organization—not always an easy sell. Download our free ebook and learn how to: Build a business case for ERM technology Create a culture of risk in your organization Use technology to facilitate buy-in for your ERM program[Video] LogicGate: Building the Future of GRC Automation
LogicGate can help your organization reduce risk and ultimately improve operational efficiencies.
The Risk Cloud™️: Building the Future of GRC Automation In this video, you will learn how The Risk Cloud™️ can help your organization reduce risk and ultimately improve operational efficiencies. Leave the spreadsheets, emails, and file shares behind by moving to a robust enterprise-grade solution without the costs or implementation time of legacy GRC software.GDPR Compliance
Learn how GDPR could affect your company—as well as how to manage its many compliance requirements—by reading LogicGate's…
GDPR changed the way all multinational companies deal with EU personal data. In this eBook you will receive an introduction to the eight articles of GDPR and how they affect the storage, protection, and usage of personal data. You will also learn the importance of GDPR Compliance and how it can impact organizations across many industries, as well as how to implement and automate GDPR compliance processes.Third-Party Risk Management Solution
Identify, Assess, and Quantify Third-Party Risks With Risk Cloud
Efficiently assess third-party risks, implement strategies to improve your risk posture, and onboard vendors faster. Risk Cloud’s Third-Party Risk Management Solution centralizes and connects all your vendor controls, audits, and due diligence in one secure, collaborative platform.Enterprise Risk Management Solution
Risk Cloud puts you at the center of all Enterprise Risk Management processes so you can identify, assess,…
Quickly assess and take action on the biggest risks facing your organization with a connected view of risks and controls. From automations and integrations to dashboards and analytics, Risk Cloud®’s Enterprise Risk Management Solution includes everything you need to assess, communicate, and strategically mitigate enterprise risk.Data Privacy Solution
Streamline and automate data privacy tasks without hassles — all in one place.
Mitigate compliance gaps and quickly implement process changes by streamlining and automating your data privacy program. From data subject access and consumer rights requests to data processing activity management and impact assessments, Risk Cloud® has you covered.Sorry, no results found.
