Settling the Risk Quantification Debate
Different analysis methods are better suited at each phase, with the greatest concentration of quantification tools needed during…
Top 3 Takeaways
Michael Rasmussen: At the end of the day, GRC is something organizations do, it's not something they buy. I get frustrated when an organization comes in and tells me; We just bought GRC, now come and tell us how to do GRC. That's putting the cart before the horse. What are you trying to accomplish? And from there, can we establish what technology's going to help us accomplish that?
Kelley Spakowski: Hi. I'm Kelley Spakowski, and this is GRC And Me, a podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends, and more to learn about their methods, solutions, and outlook in this phase. Today we have Michael Rasmussen with us to talk about all things GRC in general. Really excited to have him here. He is known as the father of GRC. Michael, welcome.
MR: It's a pleasure to be here.
KS: I'm super excited to have you on because you are the father of GRC. Can you give me a little bit more about how that came to be, and how you got involved in this industry?
MR: Well, I... there's a dichotomy because there's a what GRC is, but then, there's also how I came to formulate GRC, because GRC is much broader than technology. But, as far as the GRC acronym, back in February 2002, I was working at Forester Research, and it's been seven years at Forester now, 12 years on my own. But, in 2002 on a cold snowy day in the Chicago office of Forester, I just got done with a briefing on a solution that can map risk and controls, and policies, and I; Wow! This is great.
MR: When I was an IT Security Consultant in the Chicago [inaudible 00:01:43] markets, I was looking for something just like this. And so then, there's a whole market for this. And so, what do we call it? And at that point, you know, I thought; Well, it has a governance aspect, of, you know, understanding what our objectives are, and the risks to those objectives, and compliance obligations, and so, labeled it GRC, thus creating the GRC market.
MR: Now, what's important to understand is, GRC's more than technology. In fact, every organization does GRC today, whether they call it GRC, ERM, IRM, XYZ, ABC. Everybody's got some approach to GRC, whether they use the acronym or not. You're not going to find an organization that says; We don't govern the organization, we can care less about risk or compliance. Every organization has, you know, some approach to Governance, Risk Management, and Compliance.
MR: And so, to me, what's important to understand is that, while there's a market for GRC technology, at the end of the day, GRC is something the organization's do, it's not something they buy. I get frustrated all the time when, you know, like an insurance company called me in and said; We just bought GRC, now come and tell us how to do GRC. That's like putting the cart before the horse.
MR: It's like, you're doing GRC already today, in some aspect. What are you trying to achieve? What are you trying to improve? How do you want to make things more efficient, effective, and agile? And then, let's talk about how to improve that, because there's some foundation of Governance, Risk Management, and Compliance, whether it's reactive firefighting through more structured and integrated, every organization's doing it in some way right now.
KS: Yeah. That's interesting. So, when they say, help me do GRC, do think they're actually referring to; How do I operationalize this? Because, traditionally, we've just had, you know, Becky or one, you know, one person that actually own GRC for the organization.
MR: Well, the challenge is, we've had multiple owners of GRC. And, it reminds me of the Winchester Mystery House in San Jose, California, the sprawling mansion that was built in the 1800s. It cost 5.5 million dollars to build in the 1800s. That's one expensive house today when you're calculate inflation. It had, it was built over 38 years, and had about 140 different builders. At the end of the day, it doesn't make a lot of sense.
MR: It's got 10 thousand windows. It's got doors that open to walls, 20 foot drops of staircases that go up and down to nowhere. Skylights are in floors instead of ceilings. That's most organizations' GRC programs today. Over the last 38 years, they had to have 140 different builders of GRC in different departments doing their own little thing and manual processes or point solutions, without thinking big picture of how this should be designed.
MR: The Winchester Mystery House had no design, no blueprint, no architect, but had 147 different builders. You know, that's exactly where organizations are at with GRC in a lot of cases, is they've had all these different builders without stepping back and saying; How can we design this?
KS: I love that analogy. I like that return on investment too. I think I'll run with that. That's a good Segway to, you know, talking about how GRC is really moving from a nice to have, into a priority for a lot of organizations. What do you see going on there? Why do you think that's happening?
MR: A lot of it is coming from multi-faceted environments. There's a lot of regulatory change, changing laws, rules, regulations, enforcement actions. It's not just the regulation itself, but, it can be the enforcement of that regulation. You know, global financial services firms are doing a 216 regulatory change events every business day, coming from 905 regulators around the world. That's just one aspect. We're not even talking healthcare and all these other industries.
So, lots of regulatory change. There's lots of risk change, changing geopolitical risks all around us. Changing economic risks. Changing technology risks, and society, industry demands. But, at the same time, the business itself is changing. You have changing strategy and processes, changing employees, people moving from one department to another. And people that enter and exit the organization. Third-party risks of changing vendors and suppliers, and outsourcers, and service providers, and contractors, and consultants, and temporary workers where half of our insiders are no longer employees, but they're third parties.
MR: And then, the whole area of mergers and acquisitions, and how that impacts and organization. The challenge there, in answering your question, is, you have to keep all that change in sync. Now, I can devote a ton of experts to be knowledgeable about regulatory change, but that doesn't make me compliant. As the business changes, I'm out of compliance. I've got to keep the business change in sync with the risk change, in sync with the regulatory change. And, that's the challenge.
KS: Mm-hmm (affirmative). Yeah, great point. So, what we've found is, a lot of organizations, who are looking, or maybe are kicking the tires with solutions to support GRC, and a change, really, in GRC. They, up until this point, have been essentially keeping the lights on. Why is that not a fit anymore? And, I think you've kind of just said it, because all of these moving pieces are not in sync. But, can you elaborate more on why an organization should really ditch the spreadsheets, and email, and have a strategy around GRC?
MR: Partly, to answer that, first off, it's because organizations are distributed, dynamic, and disrupted. You know, we've distributed operations across third-party relationships, around the world, and all these different interactions and transactions. And, it's very dynamic and distributed. And, it's dynamic in constantly changing, and it's just referencing on regulatory change, risk change, and business change, which leads constant disruption as well.
In that context where you're trying to manage things, the lot of manual processes things slip through the cracks. Things get missed and overlooked. And then, we get into hot waters. I was talking to one bank, in which, you know, they went to more of a technology approach for defensible GRC. Because, the Federal Reserve had come in and said; You're not going to pass your next regulatory exam if you continue to manage GRC in documents, and spreadsheets, and emails.
We want to see a complete record, auto trail, a system of record. What was assessed? What day and time? Who assessed it? Then somebody came back a week later, or two weeks later to try to paint the rosy picture to get the organization out of trouble, or, you know, bypass the regulator. They want to see that day and timestamp of that complete auto trail and history of all those different interactions on the assessments, and controls, and policies.
Documents, spreadsheets, and emails don't get you that system of record and auto trail that the regulators and auditors are starting to look for. On top of that, you know, it's around efficiency, effectiveness, and agility. How can I make my processes for related to GRC more efficient? Time saved. Dollar saved. More effective being accurate, complete, thorough, as well as agile and responsive to a dynamic business environment.
You know, one organization I was talking to is spending 200 FTE hours building an interview report for the Board of Directors and Compliance. Now it takes them less than a minute. But, if it takes you 200 FTE hours to build a report, you're certainly not agile.
MR: And, if you're trying to find transient patterns and see that where things are going wrong, and if you're doing that once a year, and it takes you 200 hours to build that report, things are slipping through the cracks, and big issues are going unnoticed, if you don't have that at your fingertips. That's an issue. That's a challenge in organizations. We need that visibility. And, documents, spreadsheets, and emails don't get us there. They don't allow us for that ongoing monitoring, and instant understanding of what's going on in the environment, and being able to identify key risk indicators and trends that can be monitored on a minute by minute, second by second basis.
KS: Great point. So, for the organizations who are now realizing; Okay, we're ready to take on GRC, they're past this point. And, they're looking at how they can be more strategic in a GRC strategy. There's a lot of different frameworks out there. How do they decide what framework is the best fit? And then, how do they actually take a technology, operationalize it, and then build a strategy around that?
MR: Great question. There are a lot of frameworks. And, frameworks are like the human body. You look at the human body, you got multiple systems involved. You've got the skeletal system, the muscular system, the nervous system, the respiratory system, the digestive system. You know, that's like frameworks. There's frameworks that can model the different parts of, like, the body of different components of it.
You know, you got risk frameworks. You got compliance frameworks, and audit frameworks. And so, all those come together to help our former GRC program. There's no one framework or standard out there that is a perfect fit for every organization. And so, it's about taking these frameworks, and applying them to your organization, modifying them, so that it makes sense for your organization. And, like the human body has different systems, we might bring together different frameworks to build and compose that.
Now, the sort of uber framework to sort of manage all this, that I like is, the OCEG GRC Capability Model. Now, I helped contribute to that, so, I've got an interest in that. But, you know, when we built version one around version three of the GRC Capability Model, now, we've looked over a hundred different, you know, frameworks and things out there from Australia, New Zealand, 4360 was the management standard, which became ISO 31000.
MR: Did the ISO 27000 standard, ISO 9000. COSO ERM, COSO Internal Control, COBIT. You name it, we looked at a lot of different frameworks and standards. So, what if some of the common Governance, Risk, and Compliance processes and activities across all these frameworks? And from there, we came up with all these components and elements, and each component to be able to manage that. The existing version three includes the learn, where we understand the environment.
The internal and external context, stakeholders and culture of the organization from the align, where we identify risk, we... and compliance, and obligations. And, we assess that. And, we define activities. And, from there, we move into perform, and where we document controls. We have new policies, communication and training programs, and hotlines, and incentives for reporting issues. And to be able to manage that process. And then, we monitor where we provide audited insurance and validation of the program.
But, it... to me, the GRC capability models are the good uber framework to encompass all of them. But, really, it provides integration. But, I describe the juice and capability models being really a Rosetta Stone of frameworks that sort of provides some of the common 80% commonality between different frameworks. But, the other frameworks are still needed. It's just sort of more of a translation stone.
KS: That makes total sense. So, do the decisions need to be made on the framework and the methodology before the technology? What do you recommend there? Because, I think a lot of organizations really struggle. They say; Well, we haven't quite decided how we want to run our program. We don't know what methodology is a best fit. We haven't decided on a framework. So, we're just not ready for technology. Do you agree with that? And, what's your advice there?
MR: It depends.
MR: There's always, you know, little factors and things that can influence that.
MR: To me, I mean, we can talk about an enterprise GRC type strategy, or multiple departments are coming together to cohesively look in how we approach this. Or, we could talk about, you know, very specific department needs, which are easier to get our hands around. If we don't have that enterprise GRC strategy in place, how can I solve department problems? And, what type of solution can I pick out there from a technology perspective that can, not only solve my department problems, but could eventually be leveraged for other needs across other departments as well?
Because, if all I'm looking at is my department, I might pick something that couldn't be leveraged with other departments, and might limit me in the future. And so, looking at what could possibly happens is important. Now, obviously, the best point of reference is, being able to understand, and will be able to build that collaboration across departments so that you can select the right framework and technology to fit that.
Ultimately, it's good to understand what framework you're going to have, so the technology can be adapted to it. As I mentioned earlier, I get frustrated when an organization comes in and tells me; We just bought GRC, now come and tell us how to do GRC. That's putting the cart before the horse. What are you trying to accomplish? And, from there, can we establish what technology's going to help us accomplish that? And, what frameworks?
KS: Great advice. What trends are you seeing, and what do you think those trends indicate? That's a pretty broad question, but, I'm ready for the broad answer!
MR: Well, there's growing regulatory concerns across industries. And, changes in enforcement actions, and increased enforcement on that. A lot of geopolitical unrest, and understanding, you know; What's happening in the world right now with different, you know, political regimes, and changes, and shifts, and different trajectories of different countries and things like that? And, what does that mean to a dynamic and distributed business environment that goes around the world?
You talk about Brexit and United Kingdom and things. Or, import and exports, and sanctions, or whatever it might be that, there's a lot of things influencing that. There's a lot of shifts and things internally on greater responsibilities and oversight. Compliance is a function that's maturing rapidly in organizations where it used to buried in the legal department. Now, corporate compliance, more and more is reporting outside of legal, in its own entity in the organization. We're seeing trends there.
Internal audits being challenged to be able to do more than just traditional internal controls, or financial reporting-type audits, where we see more and more IT audits over years, but now, operational audits, out in business operations, and even third-party audits. There's a lot of different parts of the organization that are very dynamic in shifting and changing right now.
KS: Awesome. What success metric should be priorities for GRC teams? When they're implementing GRC technology, what recommendations do you have for achieving those outcomes?
MR: I break it down to those three areas of value; efficiency, effectiveness, and agility. The efficiency metric is; time saved, money saved. You know, before, you know, it was taking me this much time and effort, and cost me this much money to do things related to GRC. Now, I've reduced it to this figure. Effectiveness, you know, how more accurate, complete, thorough, reliable is our GRC related information? How timely is it?
That also ties into the third element, the agility. How can we keep up with the changing and dynamic regulatory and risk environment, and business environment, and stay current with the changing business? On top of that, agility is also the ability to be responsive. How can we quickly identify issues and resolve them before they become bigger issues?
KS: I love that. The effectiveness piece, do you think that's hardest one for people to get their finger on, because maybe they don't have those data points, even, you know, if they're starting a GRC program from scratch?
MR: Effectiveness can be challenging. But, I find that a lot of organizations is the efficiency piece. That, they just haven't measured the actual human capital cost of GRC in their organization. As I mentioned the one organization that was spending 200 FTE hours, after they really dug into it to build one report for the Board of Directors. There's multiple reports. That was just one report on an annual basis for the Board of Directors and Compliance.
200 FTE hours, and it now takes them less than a minute. You can build out a value proposition from there. You know, a firm I was just talking to is spending, you know, their competitor spends six FTEs managing their third-party relationships and suppliers. What they spend, this organization, was one FTE, you know, because they have an automated process. You know, six employees, and you calculate full-time equivalent benefits and salaries, and things out there against one employee with the technology that can enable that. Same amount of suppliers, two different companies. Different contrasts.
KS: That's huge. So, those are huge numbers. It comes full circle back to that Winchester House analogy and all the time and resources spent on that. You have people that own little bits of it. And so, the work is really spread around and kind of lost in the scenes. That's interesting. So, in a recent GRC 20/20 piece, you contrasted agile GRC solutions with legacy players. How do you define agile, and what do you think is behind the emergence?
MR: Great question. The emergence is, technology that's evolved. I've been monitoring this GRC market since 2002. So, we're in 2019, that's, you know, 17 years now. Technology is not the same today as it was in 2002.
KS: No way!
MR: We have a lot of different technology. And so, some of these legacy [inaudible 00:17:35], they cost a lot of money to implement. I was doing an analysis of the different ROPs I've interacted on, and found that, those that Gardner enforced are put up in the upper right, in the leader's quadrant of the wave and magic quadrant. They typically have a ratio of every dollar you spend on software license, like subscription license, you're spending three to five dollars in implementation and build out. That's expensive.
And, those that are outside that, is more of a ratio of .5 to 1.5. And so, I'm not talking management consulting. I'm just talking about configuration and build out of the platform. You know, technology's changed significantly, and the more established, you know, legacy of being with players are very costly to implement and own in the organization. And, organizations are starting to catch up on that, and understand that there's more agile technology available in the market.
The way I define agile GRC technologies, one is the user-interface. How intuitive is it to use? How willing and engaging is it, not only for the second lane of defense, the risk and compliance and security officers and managers? As well as the third line and the auto professionals. But, also the frontline employees, the first line of defense. How easy is it for them to use and read policies, go through training, take assessments, report issues and things? You know, so, when an element of agile as a usability intuitiveness.
Another piece of agility is the ability of the solution to be easily configured and adapt to the organization without custom coding that breaks on upgrades, or takes six months to make a change with, you know, a certified expert that costs 130 thousand dollars a year to make that change. You know, how agile is the solution itself to be adapted to the organization rapidly? And then, scalability of it too, is important. You know, can the solution scale with me and help me through mergers and acquisitions as the business evolves and changes? That becomes important.
KS: Yeah. The adoption to the business, I think, is huge, which I think gets lost in conversation a little bit. The ability to bring the business users who are actually close to the needs and the requirements, regulatory business and otherwise, bringing them closer to the technology, and actually giving them control over how that's configured, I think is huge, rather than passing it off to an IT resource who might not necessarily know the nuisances of the needs of the business. It reduces a lot of friction there. What are the differentiating factors among GRC solutions that will establish industry leadership positions versus ones that won't?
MR: First and foremost, to me, today in this agile market that we need, is the total cost of ownership. What is the cost, not only to acquire the solution, but to actually implement, and own, and maintain the solution? There is a LinkedIn post out there from last August that compared, you know, the implementation. I'm not going to name names here. But, of one of the major GRC BMS platforms that Gardner loves a lot, to the lyrics to the song, Hotel California.
That, basically, you're trapped and can't get out. You know, they said, after spending 500 thousand dollars in software licensing, and two million dollars in implementation, three years later, they're just getting some basic functionality working. That's not agile. I mean, today's technology for GRC needs to be rapidly implemented and molded to the organization to be able to bring value and return to the organization. To me, that's critical.
KS: Yeah, the evolving piece, I think is, you hit it on the nose. I hear that very commonly. People are very committing to a piece of a technology because they feel as though they're locked in to that, you know, initial configuration at that point, which agile solutions are now really unlocking that for people, so, really great point. Do you foresee massive data breaches to continue? And, if so, how will they shape the future of GRC?
MR: Data breaches are definitely going to continue. It's just the complexity of the world that we live in. I mean, you go back a couple years ago to the Target breach, one of the largest credit card breaches in history. The doorway into that was an HVAC vendor. The heating and air conditioning had a connection with the Target Network and Environmental Monitoring. And, a hacker broke in. The heating and air conditioning vendor was able to compromise point-of-sales systems across Targets.
That's the interconnectedness. Now, the heating and air conditioning vendor is not a traditionally team vendor. But, they're being connected to the network, and were given access. It could be anybody, a supplier, vendor, outsourcer, service provider. Our risks are multiplying with a lot of these third-party relationships. And, over half of data breaches are not with traditional employees, but they're with third-party relationships now. And now, we have a concern with the Internet of things that the next major breach can come from the microwave in the break room that's connected to the Internet.
KS: Right. Exactly! Medical devices, multi-function devices often get overlooked. These are all new things that are being folded into the risk profiles.
KS: So, yes. That's fascinating. And, I agree with you. I don't think it's going to slow down. I think it will just increase. How do you expect the regulatory landscape in the U.S. to evolve in the coming years, and especially in light of GDPR and key California Privacy Consumer Act?
MR: That's a loaded question! That can get into political ideology and things too, and...
KS: We don't need to go into politics, but, yeah!
MR: Yeah! But, one thing that happens year over year with whatever administration it is, is regulations and things grow. I mean, one of my favorite annual reads is the 10000 Commandments that comes out of the Competitive Enterprise Institute from Kolkata Institute on that, you know, just that the actual impacting cost of regulation at the U.S. Federal Government, not even talking about State and Local governments. There's a lot that happens in changes.
Now, California tends to be a trendsetter. So, what happens in California, other states pick up upon, and then eventually, it might get implemented in Federal regulation, because organizations say; Oh, but I they didn't want regulation before. So, you... now you got to do something, because now we have, you know, 48 of the 50 states doing something here in different ways. We need consistency.
And so, you know, when you look at mandatory disclosure laws that came out, you know, a decade ago. California started that. And then, within two years, it was like 48 states had similar laws. You know, now, with California's Consumer Protection Act, which, you know, is very GDPR-like, from the EUGDPR-type regulation, you're going to see other states pick up on that too. And, at some point, organizations are going to say; This is a mess. Because, the government's got to step up and have over sweeping regulation on this so it's consistent.
KS: Yeah. Absolutely. And, I think consumers are really picking up on privacy, and they're starting to dial into that, and you know, start to question some of the companies that they do business with. They want to know about their data. They want to know, is it being protected? They want to know how it's being used, because of all the, you know, the exposure that have happened through breaches like Target, and you know, what's going on with Facebook and other social media platforms. Privacy is top of mind. So, whether it's coming via regulation, it's certainly coming from consumers that are demanding better practices with their personal data.
KS: Thank you so much for joining me on GRC And Me. It's been a great podcast. Your expertise in this phase because of the complexity is just really, really great to have on, and I know my audience will really appreciate it. So, thank you so much for joining me, and I hope you'll join me again.
MR: Certainly will. Thank you.
Different analysis methods are better suited at each phase, with the greatest concentration of quantification tools needed during…
We sat down with Shannon Harrison, LogicGate’s Senior Director of User Experience, to learn why we’re making accessibility…
On this episode of GRC & Me, we explore business resilience and the differences between proactive, reactive, and…
Build a Centralized View of Assets, Risks & Cyber Controls
Find out how to take a proactive, connected approach to your cybersecurity risk management processes.