GRC is Transforming - BELIEVING with emperical, granular evidence

This is the 3^rd post in the series Seeing, Understanding and Believing  GRC as it transforms from ad-hoc to optimized as Dynamic GRC.   See the earlier post on Seeing, Understanding and Believing as concepts that usher in this new era. This post is about Believing.  We discussed how Seeing and Understanding gives us the ability to see risks through analytics and in context,  but unless we base our risk assessments and metrics on largely empirical or solid evidence, our management will have a hard time believing that is it necessary to take action. We can have all the fancy visualization of control tests and threat-vulnerability scenarios we like, but if we can’t defend the rationale and the evidence, all is for not.  We need confidence in our measurements, risk calculations, test results and analysis.

There are five ways we can think about Believing being different in Dynamic GRC:  evidence, granularity, measurement type, semantics and integration.  Let’s take them one by one.  And, if you can think of more – or new ways to look at this – do post a comment! I’ve been getting a lot of direct emails on these concepts; it would be great for you to share them on the blog.

Evidence is more empirical. Today, much evidence is based on conjecture, gathered through interviews and surveys. In Dynamic GRC, as much as possible, evidence is collected or ‘harvested’ through existing monitoring and management systems.

Granularity is finer. Today, evidence is based on a block of information; a summary of transactions, a control state that is more static; in dynamic GRC the granularity can be at the transaction level if required.

Measurement type is also fine grained; rather than a PDF or spreadsheet, we can look at the individual indicator level. This is important when we start rolling up evidence and aligning metrics to Key Performance Indicators (KPIs).

Semantic models provide a backdrop in Dynamic GRC; a normalized abstract model that provides uniformity and facilitates classification, master data management and information governance, so critical to both Seeing and Understanding. 

Integration is scalable. Dynamic GRC evolves past point-point integrations which are tend to be brittle and proprietary to more leveragable solutions based on service oriented architectures (SOA), which are more open and sustainable.

So, Dynamic GRC, when viewed this way – is really very different from a static, ‘along-side’ model. Instead, Dynamic GRC leverages what we have today in our information and infrastructure metering, monitoring and management systems to provide the right kind of measurement at the right level of granularity, empirically, from embedded controls that act as ‘prosumers’ (consumers and producers) of GRC information throughout the enterprise.

There are lots of examples of where this happens today in the infrastructure.  It just makes good technical architecture and business sense to use what we already have. Do you have an example to share where you are doing this today – in your storage, security, content management or resource management systems?  We’d like hear from you….

GRC is Transforming - UNDERSTANDING with Contextual Relevance and Traceability

Continuing our discussion about how GRC is transforming from an adhoc, rationalized stage to a more mature, optimized stage leveraging real-time information that gives us dynamic GRC – this post is about Understanding.  See the earlier post on Seeing, Understanding and Believing as concepts that usher in this new era.  Why do we need a new way of Understanding? The key ways in which Understanding is different in the new era of Dynamic GRC are: contextual relevance, traceability and the way we map the ecosystem. Let’s take them one by one.

Contextual Relevance is richer.  The bottom line is that we need context. Too much information and we will get lost. What are we seeing and how important is it, really? What is the contextual relevance? If it isn’t tied somehow to a  key risk indicator (KRI), why get distracted? What regulatory of business requirement is this in scope for; what policies and assets are relevant; what business processes is a risk? That is why we GRC people are so obsessed with mappings.

Traceability is unbroken. As our environments become more complex and dynamic, human beings can’t keep up with manual mappings.  We need  to be able to traverse the contextual connections- again I quote a CRO I know who told me ‘I need to pull the thread – whether it is PCI or SOX or the latest risk exposure – and know – very quickly where the problem truly is...’ .  GRC 2.0 systems have a sort of ‘segmented’ traceability – you can only go so far – perhaps a regulation is mapped to a policy and control - then you need to search to pick up the thread again. How is this control failure associated with a business process, and through the stack to an asset – ultimately to a measurement – such as the vulnerabilities in the application or on the servers, virtualized or not, that support that business process?

Mapping the eco-system is inference-based. So, ok - we know that understanding absolutely depends on being able to traverse the web in many directions, through requirements, policies, processes, controls, inventories, measurements and metrics in a meaningful way – and we can depend more and more on classifications and mapping to give us that context.  But how do we keep our models dynamically updated to reflect what if often daily or even, hourly significant change?  Well, we need technologies based on inference engines, where many associations are made dynamically, based on rules and transitivity (A is connected to B and B is connected to C so A is also a connected to C….) to do this.  Embedded and harvesting from the systems that we use every day.

That’s two out of three critical concepts in Dynamic GRC: Seeing (providing great visualization and analytics) and Understanding (providing contextual relevance through traceability of the eco-system). There are many great GRC applications and technologies out there today doing exactly this for a small targeted part of the GRC world – let’s hear from you!  Isn’t it time to pull this together across the entire spectrum?

Next time we’ll talk about the third critical concept in dynamic GRC: Believing.

GRC is transforming…. SEEING with Visualization and Analytics

Last week we talked about how GRC is transforming from an adhoc, rationalized stage to a more mature, optimized stage leveraging real-time information that gives us dynamic GRC. But what does that really mean? Earlier in the What’s the Hoo Ha about GRC we talked about Seeing, Understanding and Believing as concepts that usher in this new era. So, let’s take it apart. What’s the deal with Seeing? Quick review:

Seeing.  As many commenters on this blog point out, we need visibility and  transparency  to see our current exposure and give us the confidence to not only manage risks within our appetite but to exploit new opportunities with quantified risk.  The line of sight from a business or regulatory requirement deep into embedded controls has to be relatively unbroken and unobstructed.  It’s complex – and difficult – but not impossible - to see through the web of our hyper-extended, deeply-stacked, dynamic and increasingly virtual organizations.  Simple pie charts sitting on a single repository simply aren’t going to be enough.  Dynamic GRC needs really good navigation, visualization, data management and analytics, where we can literally see a model, heat map or trend line and use the combined power of our intuition and analysis to gain the insights we need to construct better decisions. Here we take a lesson from business intelligence and apply it to GRC.  We need to be able to see the key risk indicator (KRI) on the say, supplier management system approaching a service level agreement (SLA) threshold, then  drill down, slicing and dicing through the stack from the application layer to the network and server technology assets and controls to the root cause.  Let’s look at the key differentiators – navigation, visualization, data management and analytics:

Navigation is different. Today, many GRC apps use a simple web browser with hierarchal tree to drill down from say, an organizational unit, to business processes or assets with the unit, to perhaps some key risks and then, to controls that may be failing related to those risks. But really, that isn’t enough in a world where control states and other measurements are harvested real-time from IT management systems.  Think: Multi-dimensional traversal, and mash-ups from many sources.

Visualization is different. Not just pie charts and reports. Visualization is better because the underlying GRC intelligence is better. Think: Maps with overlays that show you where your greatest risks are geographically or by business process, with drill down to near-real time data.

Data management is different.  Not just a central, hierarchal data repository.  Dynamic GRC needs federated data sources – meta-data pointers to where the information lives, real-time. This requires Master Data Management so that different versions of the truth are reconciled. Think: Web of information and smooth, direct traversal.

Analytics are different. Not just database queries and simple risk calculations. Dynamic GRC relies on rich, granular data that can be sliced and diced as business intelligence. Think: What-if scenario modeling and sensitivity analysis, where you can see the effect on risk of tightening or loosening a control before there is an impact.

Why is dynamic GRC important? Because we can’t afford to have glacial reports that are frozen time - we need near real -time ‘seeing’.  In today’s economy where new investments need to show ROI within quarters we need to use what we already have. This is not rocket science – performance management systems for the business and resource management systems for IT have this information and are increasingly leveraging this kind of ‘seeing’.  Why should GRC be starved?  It’s part of the natural convergence between performance management and GRC.  And don’t you think it’s part of our responsibility as GRC stakeholders to drive awareness and make these kinds of major improvements that truly add value to our organizations?

Next time let’s talk about the next critical concept in dynamic GRC: Understanding.

GRC is maturing from adhoc, rationalized to optimized.....

Late post this week – I spent the weekend on the 3 Day Breast Cancer Walk – yes my legs are sore, but I am proud to have raised $ for the cause.

I want to throw this out: that GRC itself is going through a maturing process. Let’s call the first ‘ad-hoc’ stage GRC 1.0, and the second, more ‘rationalized’ stage GRC 2.0 and the ‘optimized’ stage we are entering now, GRC 3.0.

When GRC first emerged as a concept in 2002, programs and technologies were quite basic: GRC 1.0. Manual processes supported risk and compliance analysis and reporting. Organizations had mostly weak governance and accountability models and there was minimal adoption of automated monitoring and analysis technology for business of IT.

By about 2008, GRC had matured to a point where many processes were rationalized and partially automated: GRC 2.0. Compliance programs for key regulatory imperatives (SOX, PCI, GLBA) were in place. Basic ‘common systems of record’ and a ‘single version of the truth’ based on surveys had been implemented in many organizations. However, assessments based mostly based on snapshot, conjecture-based surveys are not highly reliable. Risk management is still operating in silos; and for the most part not tied directly to business or regulatory requirement. As a result, minimal reduction of GRC program expenditures have been realized due to programs operating inefficiently in silos.

In 2009, a new era has begun, driven by virtualization and maturing of controls monitoring in both the business processes and the IT infrastructure. It is finally possible to begin the integration of discrete GRC capabilities to provide the synergies GRC promises. This is GRC 3.0 where governance, risk and compliance programs are managed holistically for the extended, virtual enterprise and infrastructure. In this era we will see greater business and IT alignment of policy, compliance and risk appetite. All IT Management processes will be supported: Business Assurance, Policy, Information Lifecycle Management, Backup, Recovery and Archiving, Resource Management, Storage, Change and Configuration and Security Management. GRC analysis will be based on near-real time empirical information, which is highly reliable. Risks will be able to be managed to acceptable levels and organizations are able to capitalize on new opportunities with agility, because risks will be more visible.

I think we are entering this dynamic GRC 3.0 stage now. What's your take? I beleive it is all about the Seeing, Understanding and Believing concepts I covered a few weeks ago. In the upcoming weeks, we can dive more deeply into what the difference really is between GRC 2.0 and GRC 3.0 – this will help us all prepare for the transforming and ride the wave as is comes…..unless of course, you aren't convinced..in whihc case let's hear your thoughts :-)

GRC: Managing the Pursuit of Shareholder Wealth at the Margins

I’ve been thinking more lately about what GRC really is, in its purist, simplest form. How do we explain the real motivation behind combining these three basic elements? I had one of those thoughts that makes you smile during dinner last week with a few of my EMC colleagues.

It’s this: Enterprise is all about creating shareholder wealth. Creating shareholder wealth, however you define it, depends on exploiting the right opportunities: no risk, no reward. GRC then is, very simply, managing the pursuit of shareholder wealth, at the margins. Are we inside or outside of the boundaries of our mission, strategic intent, and performance measures?

It’s that simple. Of course, it is never that simple. J  So, here’s a little more meat. Let’s think of managing risk vs. reward as a cycle of four challenges, questions we must constantly ask ourselves if we are truly creating shareholder wealth.

1.    Translating Strategy into Appetite

What is the appetite for risks given our business strategy and intent? Here we drive that understanding into the day to day cultural fabric of the enterprise by managing to business and regulatory requirements, and rationalizing against policies and control sets. This may mean taking the tone at the top and collaborating, communicating and acknowledging when and how that risk appetite is being comprehended and acted upon.

2.    Managing Information within Appetites

How do we manage our appetite within tolerances while meeting our requirements, and supporting the hyper-extended enterprise with fluid, elastic infrastructures? Here we manage the boundaries while information is exploding and our organizations are becoming more complex, virtual and extended. This may mean building new models of business and technology information and infrastructure management that allow us to 'see around corners'.

3.    Measuring Meaningfully

What are realistic and acceptable thresholds and how do we measure at the appropriate level of granularity? Here we measure precisely what we must, plus a little more to gain the context we need to truly understand when we are close to, or crossing the boundary – staying in the margins. This may mean adopting new technologies that measure continuously, automatically – providing analytics and visualizations at the right level of granularity, when are where it counts.

4.    Evolving and Adapting

What is the appropriate level of agility for a certain stage on the maturity curve? Here we manage to best practices, weighing where our peers are, identifying and exploiting opportunities for competitive advantage while lowering costs and becoming more streamline and efficient. This may mean embracing new approaches like business process analysis across the silos, and technologies like the private cloud.

Each of us, no matter where we are in the enterprise, meets these four challenges, every day, in every way, consciously or unconsciously. Next time you are faced with a dilemma on whether to take a risk, or not, would it help to ask yourself these four questions?  Is it within the enterprise’s risk appetite? Can we manage within the boundaries? Can we measure meaningfully to stay at the margin? Can we evolve and adapt to where we need to be by taking this risk? And now that I have you thinking...are there other GRC-based questions we should be asking, of ourselves, our management, peers, partners and customers in order to manage the pursuit of shareholder wealth at the margins?

GRC – A Simplified GRC Eco-System Model Even Your Mother Can Understand

 

As people try to understand the scope of something and their place in it, eco-system definitions are often the best place to start. GRC analysts have been defining them for years, as have organizations such as OCEG (Open Ethics and Compliance Group). The problem has been that most eco-system definitions are either so abstract or so complex that it is hard to really get your arms around what they mean.  And to further frustrate those on a mission to explain this sprawling space to others, including their management, analysts’ eco-system definitions invariably don’t line up.

Here’s a start at a simple model that you should be able to use to explain to – yes, other members of your family that are not in GRC. And, yes, you CAN try this at home. J

Ok, think about GRC as five layers of increasingly larger circles, which incidentally tend to reflect the size of their markets. Nice diagram here to guide you. Let’s go through these circles one by one.

Layer 1: Core GRC Management

The first layer we call GRC core functions- what the user directly interacts with for policy life cycle management, risk and compliance assessment, remediation and incident management, as well as visualization and analytics. Example companies in this space are bwise, Open Pages and Archer.  In the smaller IT GRC space, examples are Agiliance, CA and Relational Security.

Layer 2: Content

The second layer is comprised of content that GRC vendors typically license or include in their products if it is freely available. Content ranges from regulations such as Sarbanes Oxley or the Payment Card Industry Data Security Standard, to best practice standards like Cobit or the ISO 27000 series, through to risk and control catalogs and training materials. Business rating firms like Moody’s, Standard and Poor’s and Dun and Bradstreet are important to measuring risk of customers and suppliers; regulations are available through sources such as the Federal Register, best practice guidance is available through many sources: the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the IT Governance Institute and ISACA (Cobit), the US Government (NIST),the  Information Security Forum (ISF), and the Open Compliance and Ethics Group (GRC Red Book) to name a few. Industry specific content is available as well - such as Lexus/Nexus for Legal and Complinet for Financial Services. Risk Catalogs can be procured through vendors ranging from SAS to Algorithmics, ORX, Moody’s, the Economist and idefense. Threat and vulnerability information on standards such as CVS and OVAL is available through Mitre,  BITS for Financial Services, and National Institute of Standards and technology ( NIST for a wide range of helpful standards. Elearning for GRC Awareness, Quality, Security or Business Ethics courseware example vendors are Certpoint, Saba, Geolearning, Plateau Systems, SAP, Oracle and LRN.

Layer 3: GRC Supporting Technologies

 The third layer is comprised of GRC supporting technologies such as ediscovery, content management, workflow and business intelligence, which increasingly provide GRC controls embedded directly in the technology itself. For example, many content management vendors now offer add-on modules for policy and records management which allow companies to manage the creation, retention and destruction of records in compliance with policy and regulatory requirements, as information moves through the its life cycle.  In addition, new virtualization technologies are becoming increasingly GRC aware, ensuring that as applications, information and storage elements are virtualized, they are able to retain the attributes that keep them compliant. Examples in this space are many also I will mention a few to give you a flavor. (e)discovery (EMC’s Source One, EMC Ionix, Clearwell, Access Data), Data Loss Prevention/Content Filtering (EMC’s RSA DLP, Verdasys, Reconnex, Websense, Vericept) Content Management/Search (EMC Documentum, Autonomy) Collaboration (Sharepoint, Wikis), Workflow and BPMS (EMC, IBM, Pegasystems) Data Warehouse/Business Intelligence (Microsoft, SAP Business Objects, Cognos)  Dashboards and Visualizations (all the BI vendors and other niche players such as Cordys for Mashups) and Service oriented architectures (EMC, IBM, Layer 7, Progress).

Layer 4: Business and IT Functions internal to organizations

The fourth layer describes business and IT functions that support GRC. The main business functions include Enterprise Risk Management, Performance Management, Quality Management, Audit Management, Legal and Compliance Management, Vendor Management, Project Portfolio Management Incident Management but depending on your organization there could be more, or less! IT functions include Business Continuity/Disaster Recovery, Application level controls, Change Management, Configuration Management, CMDB/Asset Management, Information Management/Governance, Records and Retention Management and of course, Information and Physical Security Management.

Layer 5: Professional Services Advisory Firms  

The fifth layer describes the professional services firms that assist organizations in understanding their regulatory requirements and advise on policies, and governance and implementation of programs, controls and information technology to optimize GRC for the enterprise. These practices vary from firm to firm (PwC, E&Y, KPMG, Deloitte, Protiviti) but include Corporate Governance (Ethics, M&A), Organizational Change Management, Legal  and Compliance, Audit (Internal, External), Corporate Responsibility, Sustainability, Enterprise Risk Management,(Strategic, Financial/Treasury, Geo-Political), Operational Risk Management (IT, HR, Business Continuity, Supply Chain) IT Management, IT Governance and Security Risk Management.

So, you can this GRC space is BROAD. And you probably can find yourself in there, right? It’s big. I read a report last week from 2000 claiming 8% of the US GDP was attributed to compliance activities. My bet it is more now and you are affected by this. Time to start learning a bit more about GRC….

Let us know what you think of this model – what’s missing and why it works/or doesn’t. Post a comment!

Five Forcing Functions Transforming GRC – What’s Your Take?

When we start to see real shifts in the world, whether it is a real change in human perception, say, the universe is expanding/or not, or something a little more close to home like the adoption of new mobile computing technologies, as human beings we naturally seek to understand underlying drivers.  What is forcing this shift? Is it one or two things, or a ‘perfect storm’ of many factors coming together? How is this going to affect/benefit me, my career, and my organization?

Here I am going to outline five ‘forcing functions’ that seem to be the ‘biggies’ underlying the Big Shift in GRC from a static, point in time set of ill-aligned processes to a unified, near-real-time set of processes EMBEDDED in our business, information and infrastructure management systems. I’m very interested in your reaction to this – what other forcing functions are you seeing, and how would you prioritize these?

Forcing Function #1  Information Explosion.  What is taking place in the world of information today and the impact this is having not only on the way we manage information but also on the way we think about scaling GRC, is probably the biggest driver, IMHO.

Study after study (see this great study on the Digital Universe) has said that if we look at this digital world, even with a slowdown, we're going to create 40X more information this year than last year and that as the economy rebounds, that percentage will further increase. 

By 2011, the digital universe will be 10x the size it was in 2006.  70% of information is created by individuals, 95% of what they are creating is unstructured, and 85% of that will end up managed and secured and accessible through big large entities, whether it would be an external cloud, or internal cloud, or the hybrid of that, which EMC is calling the Private Cloud. à Your “digital shadow” is larger than the digital information you actively create about yourself.

All this information needs to be scrutinized and classified for its ‘GRC profile’ and then treated appropriately to ensure compliance with business and regulatory requirements. This process has to be automated; it’s just too big a challenge to attempt manually.

Forcing Function #2  Regulatory Avalanche. It’s hard to get really good numbers on this but all the evidence points to more and more regulation, on more and more aspects of what we do – from business practices, to information management to the delivery of IT products and services. Not only in the US, but globally. Managing the intricacies, dependencies and conflicts is a horrendous challenge for a large, globally entity. àYour organization’s “regulatory shadow” grows larger as the business expands into new markets.

Forcing Function #3 Demand for Near-real time Transparency. This is an interesting and maybe more subtle driver. Most organizations are relying more on more on key-whatever’s to manage their business.  With the evolution of business intelligence, business activity and technology infrastructure monitoring systems, management is getting this transparency, even though in many ways it is still Swiss cheese. The basic point though is: Key Performance Indicators (KPI), which are used to answer the question: “Are we achieving our desired levels of performance?”, Key Risk Indicators (KRI) which are used to answer the question: “How is our risk profile changing and is it within our desired tolerance levels?” and Key Control Indicators (KCI) which are used to answer the question:”Are our organization’s internal controls effective? Are we ‘in control’?” are management’s first stop on the transparency quest. Key Risk Indicators (KRIs) are tightly related to Key Performance Indicators (KPIs).  Instead of thinking of KPI measuring performance, think of a KPI as really just an indicator that the objective is at risk.  They are really the same thing. See previous post on Dreaming Nirvana: Beyond Compliance into Risk Analysis.
à Your organization’s “Performance Scorecard” is converging with your GRC profile.

Forcing Function #4  Adoption of the Hyper-extended, Virtual Enterprise.  This is a huge driver, fueled by the global economy and technologies where suppliers, partners and customers have deep and intimate ‘electronic reach’ into each other’s eco-systems. Not to mention 2.0 social media impacts. This adoption accelerates the scope and complexity of GRC. à Your organization’s potential for digital reach is exponentially expanding.

Forcing Function #5 Cloudburst of Virtualization.  

Cloud infrastructures, which support elastic scalability and leverage virtualized resources, are increasingly provided as a service. (Here’s a good short interview on Cloud as a Service – CaaS). The good news is that cloud users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. The bad news is that we need to ensure that cloud providers are focused concretely on GRC in the Cloud. Early indications are that cloud services potentially provide even greater opportunities for better governance, lower risk and better compliance (more about that in future posts). In the meantime, if you want to follow very interesting discussions on Private Clouds, check out EMC’s Chuck Hollis blog here. à By 2011, 50% of companies will be have their production environments virtualized.

So, what do YOU think? How are these forcing functions affecting you, even if you aren’t in a GRC-related role? And if you are, whether it is program management, information governance, risk, security, audit, compliance, performance management, human resources or legal - what else is driving you to stretch the boundaries of your world? How can you better leverage and prepare for the impacts of these shifts?  Remember, the better educated you become, the better can respond as these shifts occur, and the better you can add critical value to your organization.

 

Why the big Hoo-ha? What makes G+R+C any better than G,R,C?

One of the biggest debates over the last few years among many technology, security and auditing professionals concerned with what is turning out to be a rabid focus on Risk management is,  ‘Why should we integrate processes supporting Governance, Risk and Compliance?’   Let’s break it down and take a look.

Governance by itself is one thing. It’s all about aligning policy with business intent, and driving that accountability into the day to day fabric of the organization.  Which, of course, can be a real challenge.

And Risk is another – it’s all about managing exposure within your organization’s appetite, if you are blessed enough to know what that is.  Many don’t because there are mini-universes of processes, assets and requirements.   

And well, Compliance, is something else again – it is all about internal controls, and testing for design and effectiveness, (it either works or it doesn’t) whether they are in place to satisfy business or regulatory requirements.  They Pass or Fail, which is much easier.

The question I am often asked is, so why the big hoo-ha on putting them together? Why G+R+C?

The stock answer is synergy, of course. ‘There are overlapping processes underlying G, R and C and we can lower costs and improve our business if we manage them holistically’. Yes, yes, yes, but seriously, Why?

Seeing, Understanding and Believing

So begins the debate. And a good debate it is – because as it turns out, this is a problem that really does need to be solved. (People who really understand these topics will be at a premium in the industry before too long).  A few years later we are emerging from our probing and are starting to connect the dots. The basic answers to why are starting to become clear and I think we can now name them in a very clear and simple way. The first is…

Seeing.  We need visibility and transparency. In order to have this, the line of sight from business or regulatory requirement deep into embedded controls has to be relatively unbroken and unobstructed. That doesn’t mean we have to conduct business inside straight lines, but we do need the technology to ‘see around corners’ – more to the point, into and through the web of our hyper-extended, deeply-stacked, dynamic, complex and increasingly virtual organizations.  That doesn’t mean we have to conduct business inside straight lines, but we do need the technology to ‘see around corners’ – more to the point, into and through the web of our hyper-extended, deeply-stacked, dynamic, complex and increasingly virtual organizations.  Simple pie charts aren’t enough. More often than not, that technology will be visualization and analytics, where we can literally see a model, heat map or trend line and use the combined power of our intuition and analysis to gain the insights we need to construct better decisions. Here we take a lesson from business intelligence and apply it to GRC.  We see the key risk indicator (KRI) on the order management process or system approaching a service level agreement (SLA) threshold, and we drill down, slicing and dicing through the stack from the application layer to the network and server technology assets and controls to the root cause. But that drive to the right decision is not possible without….

Understanding.  We need context. Too much information and we will get lost. What are we seeing and how important is it, really? What is the contextual relevance? If it isn’t tied somehow to the key risk indicator (KRI), why get distracted? Or, if I can’t drive change with this view – why look at it? What’s the real impact? That is why we GRC people are so obsessed with mappings. We need it to provide contextual relevance. We know that seeing absolutely depends on being able to traverse the web in many directions, through requirements, policies, processes, controls, inventories, measurements and metrics in a meaningful way – we depend on classifications and mapping to give us that context. Mappings today are mostly explicitly made – take a regulation like the Payment Card Industry Data Security Standard (PCI), and use a wizard to associate it with the correct policies that support the control, say, for monitoring the network. Explicit mappings are fine in relatively stable world. But as our environments become more complex, and more dynamic, human beings can’t keep up with manual mappings. Increasingly the technology will be inference engines, where many associations are made dynamically, based on rules and transitivity (A is connected to B and B is connected to C so A is also a connected to C….).  Here, we will take our lessons from inference and modeling systems.  I know of a CRO that told me ‘I need to pull the thread – whether it is PCI or SOX or the latest risk exposure – and know – very quickly where the problem truly is..’ and of course, not come back with a ball of knotted yarn.  And that is not possible without ….

Believing. We need to know that what we are seeing is not only in context, but that it is based on fact. That it is true. We can’t make a call to block traffic, take down a service for an urgent change or to protect critical assets against a breach unless we are pretty darn sure of the potential impact if we do not.  So we need empirical evidence that is fresh enough to make the call. Not survey results from six months ago on a control that has gone through a partial overhaul and has not been retested.  We need to be able to drill down from the regulation, the KRI or business requirement, through the web into the real information. Increasingly the technology will be our real-time monitoring and management systems: We will take our lessons from network resource management, storage management, document management and virtualization management systems, to harvest that critically ‘true’ information for GRC. 

All of this, so we can believe what we see and understand what we need to do to make it better, before we act.  When we have all three – seeing, understanding and believing - it is possible to create the cultural impacts needed to have to make GRC a living, breathing entity.  Like it or not, just like the human system, these three fundamentals are interconnected and interdependent and needed to articulate and manage the whole picture.  And that, bottom line, IMHO, is why we have the +’s in G+R+C.

Dreaming Nirvana – Beyond Compliance into Risk Analysis

The Basic Frustration – Why Can’t We Reuse Controls Tests for Risk Analysis?

I’ve spent most of the last 6 years focusing on Governance, Risk management and Compliance issues – as a practitioner, analyst and marketing gal.  From the outset I have been bothered by a fundamental  limitation in the assessment process that hamstrings us all: we have a very hard time leveraging controls evidence we collect for risk analysis, because, well, it’s trapped  in an spreadsheet, or log file, or worse, a screen shot.  We work so hard to test controls, but the value those tests could bring us gets lost, unable to be reused.

The Typical Scenario

Here’s the typical scenario. You are responsible for risk and compliance for your unit. You have to test a number of internal controls (usually A LOT) for the upcoming audit on Regulation X. The compliance procedure is pretty clear –check the control state and give it a pass or fail. You take a peek and document the evidence in a spreadsheet or some other artifact. You are vaguely aware that the control we just tested actually applies to over 5 other regulations that our organization is also required to meet. But alas, it is a different Risk and Control group that will coming by to test that control again, next quarter. And another group the quarter after that.  And, no surprise, they use a different spreadsheet.

So even if we wanted to take that test result and use it in a risk equation: Risk = Likelihood x Impact, where likelihood is the probability that some threat-vulnerability pair will come crashing through the control (or absence of a control) to impact a critical asset - we’d have to dig around in spreadsheet or screen shots or do back flips to get at it.

And in this time of people and dollar constraints, we just want to get the test result in the sheet, and be done  with it. So the risk analysis suffers, or is never really done.

The Dream: Test Once, Report Many, Analyze Across

But it nags at us, because we really do know better. At 2 am after 2 hrs of thrashing over the assessment deadlines we dream of systems that automatically harvest control states and stream them neatly into a common system of record, allowing to us to produce risk and compliance analysis at the push of a button. We roll over for a final few hours of deep relaxed sleep as stress drains out of us… until we wake up to the clear light of day. Yes, we’ve all seen the GRC Management system demos and know that the technology is there tho’ not widely adopted. But, building the integrations to the mess of applications and infrastructure systems that house control states seems overwhelming. And throw virtualization and cloud computing in there, and suddenly it seems more than overwhelming – almost impossible.

But Wait!  – Don’t We Already Have This?

But something quite wonderful has been happening in the background, in our Information and IT and Security Management systems. Near real-time measurement information on control states exist, embedded in performance and resource management systems across the IT infrastructure and in security management systems. 

Simple.  Controls are becoming more and more embedded, up, down and across the physical and virtual stack.

As I meet with more and more EMC customers, I hear this question so consistently being voiced that I am becoming convinced we are on the verge of Really Significant Change – what market strategists like to call a Game Changer. The basic question being asked is: Why build a parallel universe for controls testing when we can harvest what we have from our resource management systems that are becoming increasingly GRC-aware?

And they have point.

Yikes! Is GRC becoming a byproduct of Performance Management?

So, why not? With the amount information exploding (by 2011, the digital universe will be 10x the size it was in 2006) and increasing Regulations – (lots of evidence that isn’t going to stop) and our infrastructures becoming more fluid and elastic (virtualization and cloud computing are more than trend…) – well, we need more than surveys and screen shots to demonstrate compliance and get a handle on what the exposures are – let alone really manage risk to acceptable levels.

So what would it look like - can the dream become a reality? I’m thinking yes, absolutely, totally and if we really look at it, we are actually there. IDC says the market for GRC across the Information IT infrastructure is huge – $50 billion this year - and growing at more than 10% CAGR.  And that further, most organizations are heading for a switch-out of their compliance infrastructure systems in 2011 – because we can’t do it with static, trapped and stale evidence anymore – we are quickly moving to a world of ‘dynamic risk management’ made possible by embedded continuous controls monitoring  that produces the measurement granularity  we need for real risk management.

Yes, there are challenges. Many , and not insignificant. But, we can get there. Virtualization and scalable, service-oriented architectures are giving a path to the Dream that was ‘hitherto unthinkable’. Over the next few weeks I’ll share more thoughts on conversations on how we can do it…. and I’m invited your take on the concept too. One thing is for certain – this need for this kind of risk analysis isn’t going away any time soon. GRC is getting plenty of attention and it is good for you to learn more about it, not just because it is interesting, but because it is good for your career.  

What do you think?

So what’s going on in your world? Are you dreaming of a nirvana where compliance results are leveraged for risk management? Where continuous controls monitoring in our increasingly virtualized environments is a reality? How far away do you think it really is?