Category Archives: GRC

Connecting the last mile of finance at Workiva Amplify

Key takeaway: Connecting financial close and compliance can help to relieve congestion in the last mile of finance, saving days or even weeks in producing financial disclosures.

Workiva Amplify was a hands-on summit. The majority of sessions in this 17-parallel-tracks summit were hands-on sessions with Workiva, and they were packed. And the attendees were younger than other conferences I’ve participated in over the years — not counting Scouting jamborees. I’ve been to conferences with a lot of buzz, but a conference of auditors, financial managers and compliance professionals with so much energy — I haven’t experienced that before.

Energetic attendees at a concert one evening
Photo: Workiva

Throughout the summit, attendees were reminded of connected reporting, connected sheets, connected data, and linking. To get a handle on what Workiva means by “connected,” I attended a Workiva hands-on session on 10-K reporting.

For their 10-K preparations, some companies lock up the key members of the accounting staff on the entire floor of a hotel room for a week as they make the final changes of this critical report. Senior execs run room to room to make sure that everyone is in sync, and that changes made in one part of the report are also captured in other parts of the report. It’s a nightmarish week, and it’s also repeated on a smaller scale each quarter with the 10-Q reports.

Hands-on sessions were the most attended.
Photo: Workiva

In the hands-on 10-K session, the instructor took us through how to create hyperlinks throughout the document, like between the table of contents and various headings — ho, hum – I can do that in Word, right? Now, here’s what I can’t do so easily in Word — connected data. There are data links throughout the 10-K, and if I change the source data, it changes anywhere that data is used – and it keeps a record of those changes. So, let’s say I find an ERP error in data entry in the accounts receivable of a measly $10 million. I correct that, and then it ripples through to anywhere that piece of data is used – perhaps in 15 different spreadsheets (Workiva calls them “connected sheets”), the 10-K, and even the presentation to the board.

No more do senior managers and executives chase down dozens of people to make sure they incorporate the change, and no more having to take out an annual lease of a couple of floors of a mid-town hotel for their sequestered accountants.  Plus, with all of this connectedness, data transfer errors are greatly reduced, thus reducing the chance of a misstatement.  I later attended a SOX reporting hands-on session – same thing.  This connected data and reporting made me think of the promises of robotic process automation (RPA), though, in the case of Workiva, the data and documents are either in the Workiva system or are connected through APIs, rather than an RPA tool.  Still, the benefits — removing highly educated humans from boring, trivial data transfer and manipulation tasks with cheap, smart integrations between enterprise applications — are the same.

A good friend at Gartner with whom I worked on several research projects, John Van Decker, called reconciliation, close and disclosure at end of the fiscal year the “last mile of finance.”  Running parallel to reconciliation and close in this last mile are the SOX and financial statement audits.  It reminds me of the most horrendous last mile on the Capital Beltway around Washington, DC, where the express lanes dump into the regular lanes just a mile short of the American Legion bridge crossing the Potomac from Virginia to Maryland.  It’s this last mile that Workiva is helping to run smoother.

And Workiva is not alone on the last mile challenge.  At Amplify, Deloitte announced a new strategic partnership with Workiva.  Speaking with Deloitte representatives, I learned that they are investing in building a number of targeted Deloitte-branded solutions on Workiva’s platform that they believe will further speed up the close process.

I’ve puzzled for years on why more GRC vendors have not invested in developing solutions for the last mile of finance, but for now, Workiva’s capabilities to link SOX compliance and audit to reconciliation, close and disclosure reporting, along with connected sheets and connected reporting are a solely Workiva differentiator in the GRC market.  Workiva would do well to invest in expanding its GRC capabilities beyond its basic SOX and audit solutions, and a very basic ERM application. With a broader GRC portfolio, Workiva’s internal linking capabilities could enable better connections between risk management, compliance, audit, third party management, IT security and other GRC functions.  And the linking capabilities to enterprise financial and performance management solutions could advance integrated risk management.  For instance, connecting performance management and risk management by linking KPIs and KRIs could bring critical insights to decision making on both the planning and execution of strategic business initiatives. 

Note: Workiva did not pay for this article; nor did anyone else.  The opinions and observations in this article are mine alone and not necessarily the views of Workiva.

Trip report: Risk Summit highlights digital transformation and a tech start-up called PwC

On 27 and 28 March 2019, at PwC’s Risk Summit in Boston, PwC senior leaders and consultants in the risk assurance and consulting practices shared with their clients and over three dozen industry analysts their vision of how digital technologies are transforming both risk management and business performance.

Time to put technology at the forefront of your GRC strategy

Having just finished analyzing the data and writing the report on the triennial OCEG GRC technology strategy survey, I stepped into the family room to see that my wife was watching a recent episode of Amazon’s Grand Tour — the season 3 Mo’town Funk episode. Jeremy Clarkson was test driving this fantastic new McLaren Senna. 

Adding another piece to the puzzle of its GRC strategy, SAI Global is buying BWise from Nasdaq

Key takeaways

1 – The acquisition of BWise gives SAI Global a much needed boost to its competitiveness in the financial services sector

2 – SAI Global needs to assure BWise and Compliance 360 customers of its viability and ongoing support for both GRC solutions

3 critical success factors for strategic risk management and 5 questions corporate directors should ask

The announcement from PG&E that the California utility will file for bankruptcy reminded me of a question posed a few years ago by the head of GM’s risk committee: “How do we manage strategic risks?”

Key takeaways —

  1. People can and do die from poor strategic risk management
  2. Due to blind spots in the risk vision of executives and directors, risks can emerge that unbalance corporate strategies and create existential events
  3. The critical success factors for strategic risk management include encouraging and rewarding risk awareness, creating goodwill with stakeholders, and building a strategic risk response plan

NASA’s ARIA team produced this map of damage to Paradise, California, from the Camp Fire, the deadliest wildfire in the state’s history. Image credit: NASA/JPL-Caltech

When to treat family and friends like acquaintances

Key takeaway

Third party risk management is not just for suppliers, IT vendors and service providers.  In many cases, subsidiaries or other organizations within your enterprise, and even well-known business customers should be brought into the third party management program.

The problems at Deutsche Bank and Danske Bank reminded me of an inquiry I had with a CISO at a large high tech equipment manufacturer.  We were discussing best practices in third party risk management.  I asked him what types of companies he was monitoring and he told me they were subsidiaries.  He was putting these subsidiaries through the same hoops as he would any other third party vendor, classifying them into three risk categories, doing deep dives and continuous monitoring on the higher risk ones, and documenting certification and accreditation on all of them.

The Financial Times today recounted Deutsche’s current regulatory rows — money laundering by a former subsidiary, Regula, that it had acquired in the British Virgin Islands, and Deutsche’s role as a correspondent bank processing over €160 billion in suspicious payments for Danske Bank Estonia.  And of course Danske Bank Estonia was a subsidiary acquired by Danske.

Being “in the family,” it is apparent that Regula and Danske Bank Estonia did not get enough scrutiny by their parents.  Had they been treated as high risk third parties, the risks and lack of effective controls to prevent money laundering may have been discovered earlier, avoiding the heavy supervisory presence and regulatory investigations that the parents now enjoy.

Also, Danske Estonia’s use of Deutsche Bank instead of its own parent to transfer money out of Estonia could have helped to bypass parental scrutiny.  Should Deutsche have raised a red flag — like a neighbor who lets the neighbor kid smoke pot in her backyard?  Deutsche didn’t raise a red flag, instead stating they weren’t the ones responsible for validating the source of the funds — that was Danske’s problem. 

Yet, now it’s all come back on Deutsche, and the lesson learned for the rest of us — when a lot of money is on the line, treat your family and your friends as acquaintances.

Recommendations

1 — Bring high risk subsidiaries into your third party risk management program

2 — High risk customers should also be included in your third party risk management program

New cybersecurity laws are on the way

This week, I joined the Silicon Valley Leadership Group for a visit to Capitol Hill. The group had asked me to share a few thoughts with congressional leaders on how cybersecurity policy affects cloud software companies like my own, MetricStream. We met with congressional leaders who are grappling with cybersecurity issues. House Majority Leader Kevin McCarthy, Homeland Security Committee Chairman Michael McCaul, and Representative Patrick Meehan all demonstrated a depth of knowledge on cybersecurity, and how it is affecting businesses. They were focused mostly on cyber intelligence sharing between the federal government and industry, and between companies. To remove roadblocks to sharing, Congress is considering bills from the House and the Senate that will provide anti-trust liability protections to companies that voluntarily share cyber intelligence. Privacy advocates are justly concerned with sharing of information, and protections are being built into the proposed legislation. Whether those protections are adequate is a political issue that is not easily resolved, but regardless some form of a cyber intelligence sharing bill will likely pass this year. There are several other cybersecurity policy issues remaining, and I expect this bill will break a logjam that has existed on critical infrastructure protection and data breach legislation. More legislation will follow in the current Congress, and that will be mirrored in the EU and other jurisdictions.

While new rules will confront GRC leaders with more requirements, frameworks engendered by those rules like the NIST Cybersecurity Framework are establishing the foundations on which digital business depends. The many opportunities from the digitalization of business can be realized when our GRC programs are robust enough to ensure our organizations’ resilience in the face of new cyber risks, and our ability to meet the new requirements of what is likely to be a rapidly evolving regime of cybersecurity regulations. CROs, CCOs, CIOs, and CISOs will need to work out their own policies for cybersecurity and privacy that account for the variations in laws between different jurisdictions around the world. Cyber risks do not respect geographic boundaries, and in fact bad actors take advantage of those boundaries to protect themselves from discovery and prosecution, seeking havens in locales where enforcement is weak. Companies also find themselves in the unenviable position of being in the midst of cyber wars, and these are wars that will not stop regardless of new rules. While industry, civil liberties, and government leaders work out national policies and new regulations on cybersecurity, it will take real leadership from GRC professionals to interpret these developments and keep their organizations ahead of the curve.

Disintermediating the three lines of defense, and the regulators too

Source: University of North Carolina, Charlotte

The three lines of defense paradigm for audit, risk management, and compliance is so commonly accepted, so ingrained in the way that we think of GRC functions, that no one questions it.  Until now.  Last week at MetricStream’s London GRC summit, Paul Moore, former chief compliance officer and famed whistleblower at HBOS, said the three lines model doesn’t work.  That conclusion raises the question of what can replace it.

The three lines model assumes that risks will follow the same hierarchical, process-oriented structure that the organizational model follows.  But we all know the hierarchical org chart is not the real model for how value is created.  Value chains don’t follow organizational hierarchies, nor are they limited to a single business entity, and neither are the risks associated with the processes, regulatory requirements, and assets that are incorporated within those value chains.  The real work is done across teams, across divisions, departments, geographies, and even across companies.

The three lines of defense model assumes that business units are identifying and managing the risks, risk and compliance managers are ensuring that the business units have effective controls and risk management processes, and internal auditors are providing an independent opinion to management and the board on the effectiveness of risk management and compliance activities.  This model assumes specialization and segregation of each of the lines of defense, and increasing objectivity from the first to the third lines.

This model leaves out the people closest to the risks.  The person with the best knowledge of a risk should be the person closest to the processes or the assets that create value for the organization.  This might be a front line employee, a business partner, or even a customer.  It’s rarely an auditor, a risk officer, or a business unit leader.  Enabling those people at the front lines to recognize risks, and to manage and mitigate them is critical to sustainable performance.

The three lines model is no doubt going to persist for a while, but already it is being disintermediated aggressively.  Regulators are demanding more and more corporate data that enables them to independently evaluate risks and controls.  SEC chairwoman Mary Jo White attributes the record number of enforcement actions in 2014 to the innovative use of advanced data analytics technology.

Social media has also served as a check on companies.  As more corporate data is available to crowds of networked individuals, key influencers can mobilize a “social lobby” to respond to what they perceive as poor industry or corporate practices.  Armed with social technologies, the people formerly known as the customers (or the voters, citizens or constituents) become the new regulators.

Companies can learn from these big data and social lobby developments.  Crowdsourcing risk management can be used to tap into the collective intelligence of customers, partners, employees, or experts.  Data-based risk and control monitoring with advanced analytics can enable quicker identification of potential risk events or control failures, and discover risks that might fall between organizational and risk management silos.

Disintermediation is usually not complete.  iTunes has not replaced recording companies, for instance, but it and other music industry cybermediaries have forced a huge shift in the recording industry’s business models.  We should expect cybermediaries to arise that offer GRC services that force a shift in the three lines of defense model; even more revolutionary, imagine GRC cybermediaries that compete with regulators and statutory auditors.

Float the market for GRC

Float the Market
Quite a while back, I started setting the stage for a move from Gartner.  I had recognized through hard knocks that GRC in a big analyst firm would be just one of many “very important topics.”  Resources to meet client needs are necessarily split between scores of teams and hundreds of analysts, and no one topic area can possibly get the resources that its strongest proponents want.  Finally, one day in July after having had some vacation time to reflect, as much as it hurt to leave, I decided the time to move was now.  So now I’ve moved to MetricStream whose sole business is GRC.

I’m now in week 4 with MetricStream, and I’m beginning to get my thoughts in order on my role as Chief Evangelist.  Week 1 started in Palo Alto at MetricStream HQ.  I met everyone I could there, and I tried to learn what the expectations were that everyone had for this new role of Chief Evangelist.  Week 2 was spent at a customer site with our sales leaders, and I learned what it takes to go through a detailed proof of concept.  Week 3 was in London at our first ever European GRC Summit.  In a fireside chat on stage, it was my first opportunity to share some thoughts on where the market had been and where it’s going.

One question that came up in London was about the title of Chief Evangelist — why not Chief Strategy Officer or something along those lines.  I guess that would have been fine, but that would not capture a key element of the role.  The role goes beyond being a strategist for MetricStream, and extends to being an advocate for GRC overall.  This is a new market that has suddenly gotten a good deal of traction, and the message on GRC, and all the practical activities attached to that message, need to float the market.  That’s the goal — for all of us who are in the GRC space — whether a compliance or risk management professional, or a software or services provider — to spread the word on generating real business value from GRC.