CLICK HERE to view the  GRC Cloud 6.0 Release Webinar

CLICK HERE to view the GRC Cloud 6.0 Release Webinar slide deck.

CLICK HERE to view the GRC Cloud 6.0 Release Notes.

GRC Cloud 6 introduces a new way for people to work together on your GRC program. The new configurable workflow engine enables you to completely and efficiently manage your Risk and Compliance processes.

Keeping track of the status of all work within your GRC programs through enhanced reporting. By introducing automated workflows to your GRC Cloud site you can solve many issues that trouble GRC professionals.

• Ensuring people know the work they are responsible to complete—and their deadlines—with automated messaging and outstanding task views.
• Achieving greater enterprise-wide buy-in by simplifying tasks and reducing training and oversight requirements.
• Ensuring people in the program follow the correct business processes
• Ensuring the proper hand offs happen at the right time.

GRC Cloud’s workflow builder enables you to build business processes where information is entered by different people in a pre-defined sequence. Each person’s view of the item is tailored to provide just the information they need at that time to complete their task. As each task is completed the next person in the workflow is alerted by e-mail they have work to do. The home page dashboard also advises each user of their current tasks. Other managers who need to know an item’s status can also receive customized alerts. For more details on the value workflow provides, please view our GRC Cloud Workflow Overview presentation.

CLICK HERE to view the  GRC Cloud 6.0 Release Webinar

CLICK HERE to view the GRC Cloud 6.0 Release Webinar slide deck.

CLICK HERE to view the GRC Cloud 6.0 Release Notes.

Users get frustrated at having to look through all sorts of features and information that don’t apply to the task in hand. Some people, particularly infrequent users, can feel like they are being forced to play some cruel game of Where’s Waldo? when they look at an unfamiliar and cluttered interface.

In GRC Cloud we have worked hard to minimize this issue by making each field configurable for any user role, setting it as editable, read only or hiding it completely from view. In our new Workflow concept we have gone one step further.

In Workflow, a user may work on an item in more than one step – or state – of a workflow. In each state he or she may be required to complete different information and read different information that has been provided. In fact they may be required to attach evidence in the form of an external file in one state, but need to be prevented from doing so in another.

GRC Cloud’s Workflow Builder enables you to manage not only what a user can see or change, but when the user can see or change it. This enables your users to complete their work more quickly, as they do not have to search for the relevant information and wonder whether they are doing the right work at the right point of the business process.

For administrators, by simplifying the interface not only do you have happier users (and thus more buy-in to the program), you can also train people more quickly on what they need to do and when and you get fewer questions from people once they start their work.

We believe that workflow is all about providing the right information to the right people at the right time. The easier it is for people to work in your GRC program, the more enthusiastically it is adopted and the better input you will receive
This begs some questions.

• If you could expand the reach of your governance, risk or compliance program without increasing your training budget or administrative workload, would you do so?
• Could you ask people to assess more risks or evaluate more controls if they could do the work more quickly?
• Would you invite more people to participate if you knew your process and software design was intuitive and those additional people would provide valuable insights?
• Wouldn’t this make your company a more effective GRC organization?

By the way, the new workflow capability is introduced in GRC Cloud 6 which is being launched in January.

The frauds ranged from misstatements of revenue to straight theft of inventory or cash. The survey was conducted by Certified General Accountants Association of Canada (CGA).
The top 6 fraud risks in order of decreasing frequency were identified as:

1. Misappropriation of inventory or assets
2. Misappropriation of cash
3. Misrepresentation of employment credentials, internal or external documents
4. Corruption
5. Theft of proprietary information and intellectual property
6. Assets/Revenue overstatement or understatement

So why are companies so vulnerable? “80% [of companies surveyed] aren’t prepared to deal with fraud in the workplace, the CGA says, and almost 60 per cent don’t go through regular assessments of how at risk they are to fraud.”

BPS Resolver’s risk assessment software systems are used to identify and assess enterprise risks including fraud by 8 of the top 10 global accounting firms(1) and by hundreds of the world’s best managed companies, large and small. Call today and ask us about our pre-packaged Fraud Risk Assessments.

Source & Quotes from: http://www.cbc.ca/news/business/story/2011/12/06/cga-fraud-report.html

(1)- Top 10 ranking from 2010 publication Accounting Today Top 100 Firms

So why is it so effective?

At its simplest, BPS Resolver Ballot is voting software. (Think in terms of the Ask the Audience lifeline in Who Wants to be a Millionaire.) Risk managers ask a group of managers to rate the likelihood and impact of potential risks on a sliding scale using keypads.

As part of our product research, from time to time I sit in on customer risk workshops and training sessions. I once attended a risk assessment technique training session at one of the major risk management professional services firms. The program was for new consultants and was given by a long time user and advocate of Ballot at that firm. As he knew I was in the room I think he was being tongue in cheek when he told the new recruits that the risk assessment software had nothing to do with making risk assessment workshops effective. But he did have a serious point.

If you only want to gather opinions from a group, Ballot is certainly an efficient way to capture information quickly and an interactive and engaging approach for participants. But just because it is quick and fun, does not mean that you get better answers. BPS Resolver Ballot is truly effective when it is used to reach conclusions based on a collaborative, consensus-building process. If you are just using it to collect votes you are missing out on this powerful methodology.

Here is how the approach works. The first thing to understand is that the voting is anonymous. Therefore people give their views on likelihood or impact of a risk without concern they are going to be identified and directly criticized by a dominant personality or a more senior manager in the group.

So far, so good, as all views are represented in the voting. But if you just accept the majority vote and move on, you still have nothing more than an efficient system. Voting results are now used to kick-start a discussion. The facilitator uses the spread analysis (see the screen image of the voting results) to see if there are marked differences of opinion represented in the voting and, if so, starts probing the participants. As the votes were anonymous, she has to seek out a volunteer to represent one of the points of view and explain how their experience led to that view. She then seeks out someone to represent the opposing viewpoint. However, during this discussion she gives everyone in the room an opportunity to chip in and build on opinions expressed. As a result, people often hear a new take on a subject from people with different experience from their own.

OK, so how does the anonymity of the voting translate into a truly open discussion that avoids the risk of strong personalities or senior individuals dominating the discussion? Well, as all participants have seen the votes, they know that there is range of opinions in the room. A person who holds a less popular viewpoint will typically see that he or she is not the only one to do so and therefore is emboldened to share that view, knowing someone in the room will back them up. However, sometimes there is only one “outlier” who may not feel comfortable expressing that view and so the facilitator uses techniques to get other people to be “devil’s advocate” and represent those views. I won’t get into the details of these techniques here, but the end result is typically a healthy banter, that enables all participants, including the senior voices and strong personalities to hear differing points of view. This airing of diverse opinions and perspectives must take place to avoid “Groupthink”.

When the subject has been more fully discussed, the facilitator puts the question to a re-vote and typically one of two things happen. Either the re-vote doesn’t change the overall result but provides a lot more consensus, or the original minority view has persuaded the other participants to reconsider their views on the issue.

Either of these outcomes is valuable. Obviously if discussion and consideration have led the team to come to a conclusion they would have otherwise not made this is hugely valuable, preventing the company from making potentially expensive mistakes in under-controlling or over-controlling a risk. However, there is also value in achieving greater consensus. After the workshop has finished there may be mitigations to be put in place. These are more likely to be effectively resourced, prioritized and acted upon when all the people responsible feel they were part of the decision-making process that identified the actions to be done. At a minimum, participants leave the room with a representative understanding of the varying perspectives in the company, an effect which does not occur when the most senior or loudest voices in the room dictate the discussion’s tone.

So BPS Resolver Ballot risk assessment softwareimproves the efficiency of a workshop for sure, but better risk management decisions emerge when the technology is combined with training in the methodology and skills to bring ideas and opinions out of people. Together they are the cornerstone of probably the most effective way to assess business risks.

Our product team recently ran a customer satisfaction survey on Resolver*Ballot, our decision support software.  While we have always been proud of this software, we were frankly a bit blown away by the results. Here are some key findings:

Does Resolver Ballot help your company make decisions more quickly?

-          An astounding 83% agreed and only 3% disagreed.

Does Resolver Ballot help your company make better decisions?

-          73% said they agreed! Only 1% disagreed.

So at the intersection of these two questions our customers are saying that our software helps them make better decisions and make them more quickly.

Today we live in increasingly collaborative world where more stakeholders are involved and which makes decisions more difficult.  Consensus-based cultures need to adopt tools and best practices to ensure they get the benefits of collaboration, without getting bogged down by this same process.

Resolver Ballot, according to our partners and customers, is clearly an important piece of this puzzle!

Some of the other folks here at BPS Resolver will blog more on the results in the coming days.

Say what?

By posing a series of logical questions to a group, Resolver*Ballot creates a visual depiction of patterns of influence that show how one risk event increases the likelihood or impact of another. This picture is generated in real-time in a risk workshop, and can be done together with—or independently  from—the anonymous assessment.  The result is a map of interconnected risks with ratings of the impact on the organization.

Wow!

Here’s an example. The screen image below shows the impact that a new acquisition may have on an organization.  As a risk manager, you may or may not have visibility on M&A activity, but this visual representation helps us understand the sequence of risks that are more likely to come about if that event occurs.

Studies in psychology indicate that people are naturally good at seeing one or two levels of influence, but how many of us would look at an acquisition and immediately think of inadequate IT security (#4) and the increased probability of IP theft (#9)?

Now take the same picture and simply overlay the impact vote from a regular risk assessment workshop and you get something even cooler.

From the color coding (green is low impact, yellow is medium and red is high), you can see that according to the group’s votes, the acquisition risk (#7) is ranked as a medium impact risk. But seeing the risks in this view, it prompts us at least to reconsider #7 as a high impact risk, since it leads to an increase in probability for many other risks including, in this case, a high impact risk (#9). (F0r the same reason, risks #4 and #5 should also be considered for upgrading to high impact.

With this information in hand, a good risk manager who goes through an acquisition simply opens up their model and examines the types of risks that fall out from an acquisition. In this scenario some diligent work in the IT department to beef up the two new joined networks has the potential of stopping the flow of increasing likelihood between the risks.

I think this is pretty cool but I’d love to hear your thoughts…

So… wearing my optimist’s hat… there are a lot of people out there conducting risk assessments around a wide range of topics, in varying levels of detail, and with different levels of experience.

This blog will be the first of a series of that will focus on effective Risk Management. If you have additional suggestions for types of risk assessments, then please do post a comment or contact me.

Consider this a layman’s guide to an effective risk assessment.  I say “layman” as I am not an accountant, auditor, or lawyer. In fact I’m a nerdy computer science guy, so this is a completely biased but very effective way I personally have managed upwards of 20 corporate wide risk assessments.

Before you start

Before you dive into the risk assessment there are some basics to get sorted:

• Determine what type of results you want out to get out of the session—rankings, discussions, ideas, response plans…
• Figure out who should be involved – make sure you have representation from all key stakeholder groups
• Determine what format works for you – interviews, online surveys, workshops…

Here’s  a quick chart to help you pick which risk assessment type fits your needs, organization and resources or budget:

[1] The estimated risk that remains after existing controls or mitigating actions.

Effective Risk Assessment Workshops

In the rest of this article I will run through my approach to effective Workshop Risk Assessments, how to impress your peers and managers, and how to accurately identify and assess risks as they relate to any objectives.  If you’re a fan of surveys then please check out information on our Survey application.  Please note that Interviews are a great way of gathering information, however they take a long time to conduct and are more expensive due to the time spent aggregating and re-circulating results for agreement.

1. Preparing for the Workshop

• Book a reasonable amount of time to cover the topics
• Determine assessment scales that everyone will understand and get agreement from the two most senior people in the room.  Make sure they have both qualitative and quantitative components and do not focus exclusively on financial risk.
• Agree on a language for your risks that will reduce confusion. (e.g. don’t put the word “or” in your risks)

2. Principles of the workshop

• Ensure you get viewpoints from everyone
• Use an effective technique for anonymous voting (i.e. Resolver*Ballot)
• Have a “scribe” – one person dedicated to writing everything down. (Not you, and not one of the participants.)

Sample 90-Minute Agenda (30 Risks)

(Your group may be faster or slower depending on the # of risks and the depth of discussion.)

Context Setting
Introduce the room to the process you will be following (10 minutes)

1. Ensure that everyone understands the scales
2. Inform people that votes will be completely anonymous and that they should be open and honest
3. Describe your agenda and emphasize the importance of getting through the votes quickly

Voting
Quickly and anonymously rank all the risks on both impact and likelihood without discussion (30s/criteria or 60s/risk = 30 minutes)

1. Voting should be done quickly and silently to avoid “overtalking” each risk. There will be plenty of time for discussion later in the workshop.

Resolver*Ballot Feature: Anonymous voting is done through wireless keypads and should only take about 30 seconds per risk per criteria with our software – compare that to sticky notes or ballot boxes.

2. If you want to avoid pointless academic discussions vote on Residual Risk  only. Inherent Risk is only really only relevant to auditors, will double the time of the session and will add minimal value
3. If necessary, make sure that senior managers do not try to influence the vote with their comments

Clarify
Examine, discuss and re-vote on the risks with a lack of consensus (20 minutes)

Resolver*Ballot Feature: You just click on the “Spreads” button and Resolver*Ballot will show you the standard deviation of the anonymous votes.

1. Get your scribe ready to write.
2. Examine the wording of the risk. It’s possible people have interpreted the risk in different ways
3. If not, prompt discussion by asking people to volunteer why they or someone else voted either high or low.  (Remember the voting in Resolver*Ballot is anonymous so don’t corner someone and force them to tell you what they voted. If you didn’t use our software then this will be much more difficult.)
4. The discussion that emerges here is fantastic. When people have extremely different opinions this may be as a result of experience, personal exposure, education or many other factors. These viewpoints will improve the accuracy of your assessment immensely and are not possible without anonymous voting!
5. On occasion you will uncover a view point that a person has because of something they know that is personal (e.g. a career change). Make sure you respect people’s privacy and manage the conversation carefully.
6. Once you have discussed, if it sounds like people have changed their opinions then re-vote and see if the result has changed.

Another shameless Resolver*Ballot plug! If you don’t use anonymous voting the entire category (areas of low consensus) tends to disappear off the radar. The loudest voice or the most senior person will influence the room and the note taker into recording their position. Our software eliminates those problems and ensures that you will capture the different opinions resulting in a better product.

Discussion
Look at the results and focus on risks that exceed your risk appetite (20 minutes)

1. Start with the high impact and high likelihood risks

Resolver*Ballot Feature: Look at the auto generated Heatmap and zoom in on the values you are interested in (e.g top right of the Heatmap).

2. Get the discussion started on what risks are above appetite, and what that would actually be like for the project/company
3. Get ideas about what you could do to control them, and document actions.
4. Make sure your scribe is writing everything down.
5. If you have time, also look at the high impact and low likelihood risks, the company killers that should “never” happen.  Try to determine which other risks increase the probability of that risk occurring.

3. After the Workshop

• Share the results and the corresponding actions with participants; this will dramatically improve the process the next time around.
  • Resolver*Ballot Feature: Easily exports to PowerPoint and Excel documents to share with others.
• Keep the voting results and use them next time to plot change over time. If you are doing a routine assessment (e.g. every quarter) which risks are changing? Which risks are increasing?  Which actions did not get executed on?
  • Resolver*Ballot Feature: Merge multiple files and plot them on a single Heatmap to understand change

By now hopefully you’ve got some ideas on how to run an effective risk assessment, and our software will improve your results through anonymous voting.  We’ve helped hundreds of companies, large and small, get great results very efficiently.  This includes companies like Sony, Wal-Mart, Philips, Heinz, Deloitte, PwC, Ernst & Young and countless smaller companies.  We’ve even helped the Canadian Government and the United Nations.  Oh, and our software doesn’t cost much since it scales to the number of users that you need.  So, in conclusion, stop reading and buy our software. Or at the very least contact us for a discussion and a demonstration.

The OCEG framework is broken down into several practices and in the table below we have mapped the OCEG GRC elements against key features and functionality in the BPS Resolver GRC Suite.

For more information on  GRC Suite’s capabilities please contact our account team or call 1-888-891-5500 or +1 416-622-2299.

Two colleagues of mine, Tim and Lauren Leech have recently submitted to Congress a thought provoking paper advocating a re-write of Sarbanes-Oxley.  While the proposal suggests only a minor edit to the Act, the implications are significant, far-reaching and would represent a tremendous improvement to an Act that has generated considerable controversy.

Essentially Leech & Leech have put forth the idea that Sarbanes-Oxley becomes primarily risk-based in its approach, vs. the current focus at the control level. Their argument (at least part of it) is that without the right attention to – and understanding of – the risk environment, the work done at the control level is often wasteful and not focused on areas that represent a true potential source of unreliable financial reporting.  A risk based approach, according to the authors will help “allocate resources to the most statistically probable root causes that account for the majority of materially wrong financial statements.”

When reviewing potential software applications it is vital to view them from the perspective of all your types of users. Some buyers fall into the trap of purchasing the tool that best meets the needs of the “owners” of the GRC program, without considering what is most important to the regular – and irregular users – of the tool.

At BPS Resolver, we tend to think in terms of three types: Administrators, Heavy Users and Light Users. Although the definition of heavy and light users varies with how the software is used and the company that is using it, Each of these groups has very different usage patterns, needs and preferences.

The Administrators, who build frameworks, manage permissions, design reports and such, are often daily users who know features and functionality in detail. At the opposite end of the scale are the light users, who access the software quarterly or annually, and frankly forget a lot of what they know between these regular cycles.

As there are typically more light users than administrators, an intuitive interface and an ability to get to their tasks quickly and easily (i.e. very few clicks from the home page) is vital to assure their ongoing use of the system.  Our experience also shows that easy access to immediate reporting (pre-built or ad hoc) and the ability to click through those reports to underlying information is valuable to many types of user.

When we configure sites for customers we spend a lot of time thinking through making the site as intuitive as possible to use. Techniques include:

• Custom roles and permissions, so that a user’s view of content is limited to what they need to read and answer and not cluttered with details that other types of user require
• Custom workflows that refine the view to show just what is needed in each stage of a process, as well as define the work item’s path through the organization.
• Corporate terminology, that ensures terms currently used by the company are reflected in the software, rather than the company have to adopt the software’s terms
• Custom icons that appear on screen and in reports that reflect the corporate terminology or any company’s “house style”.

In the world of the smartphones, people see their consumer technologies rapidly becoming much easier to use, and thus their expectations of the technology they use at work are also increasing. Although an enterprise GRC application is always going to require more of a learning curve than an iPhone app, people are not afraid to click on things any more. And when they do click on something, they expect something intuitive and useful to happen, such as drilling down from a chart to a report.

We are regularly contacted by companies whose first GRC software deployment has failed due to their people not accepting the tool provided and who now want to replace their current solution. To ensure a successful software rollout, make sure the application – and professional services team – you select provides customized, intuitive experiences for all your user types.

The previous four blogs in this series touched on some important concepts companies need to understand and manage in order ensure growth and success: Safeguarding Compliance, Seamless Collaboration, Avoiding Perfect Storms and Data Breach Remediation and Prevention.

Audit is our fifth topic in this series. Any definition of GRC is incomplete without understanding the role, value and unique attributes of audit. In particular it is important to understand that while audit needs to be considered as an integrated element of GRC, it also needs to be understood to sit alongside your GRC initiatives.

The audit function will touch every aspect of the GRC landscape as the Audit team seeks to validate, support and enhance the various activities that are underway within your enterprise.

So what is the benefit to your audit program of a shared GRC Platform? The answer lies in the data. This follows along the theme highlighted in Clark Abrahams’ Seamless Collaboration piece. The modern audit paradigm is really a collaboration with the business, not simply a review.

We have clients who have made significant strides toward lightening the burden of audit on the business. The reason they have been able to achieve this is that information on business processes, risks and controls are organized and managed in a consistent way.

The audit teams are able to access data through the GRC platform and in some cases, make determinations with almost no additional requests for information from the business. The data is there for them and they can see when an area of the business is being managed and controlled according to the policies and standards of the company, and when it is not.

In today’s regulated environment, the business is often asked for information – sometimes the same information – on an almost continuous basis. So any progress towards lightening this burden will create efficiencies and will also be greatly appreciated by the business process owners.

Some of our clients call this ‘self-audit’ and it is a significant reason why audit should be an integrated component of the overall GRC landscape.

Speaking of collaboration, this post was brought to you by:

Steve Taylor | CEO | BPS Resolver Inc.
Clark Abrahams| Chief Financial Architect |SAS Institute Inc.

It appears on both of our company’s blog spaces, so please feel free to post comments on either one of our sites — we want to hear from you!

Many customers already use GRC Cloud’s scoping framework feature to relate risks and controls to corporate financial statements or other methods for determining scope for business processes in their compliance and risk management programs. However, a number of sophisticated users are utilizing this feature as a corporate strategy framework that overlays a typical risk/control framework. This corporate strategy framework relates processes risks and controls to areas such as:

• Balanced Score Card
• Corporate Objectives
• Value Based Management
• Mission, Vision & Values
  and others

Companies can set up any number of overlaying structures to provide a multi dimensional analysis of business issues and measures.

Having built out these strategic frameworks, companies are now able to understand the impact their controls, risks, and most critically gaps have on their key corporate objectives.  Or in other words, the things the Board cares about. One this is established, a company can move into tracking how those seemingly independent compliance objectives, risks and controls change over time, and hence how they affect performance.

From a corporate performance perspective, only part of the information is contained within the GRC system. A recent integration project illustrated a capacity not just to build KRIs and KPIs in GRC Cloud, but also integrate them with other software as a service (SaaS) business applications.

Many customers define quantitative thresholds for KPIs and KRIs and use GRC Cloud’s mathematical functions to measure deviation from these objectives for their risk management and performance management programs. In a recent project we built on this capability to integrate GRC Cloud, via its open API, with Microsoft Dynamics CRM to enable tracking within GRC Cloud based on the number and severity of customer service issues entered into Microsoft Dynamics. Having created KPI/KRI items that were in turn attached to risks related to the quality of customer service in GRC Cloud, we gave users the capability to associate these factors with information such as reports from the CRM system. This provides risk and performance managers visibility into detailed data direct from their risk/performance dashboard. Although in this case we worked with a CRM system, the same integration could have been done with systems used by manufacturing departments, quality assurance, sales, customer service or any other business area.

We would be pleased to demonstrate these capabilities to any organizations who are recognize the value of integration of GRC with strategy and performance management. Please contact your Account Director or our sales team to arrange a meeting.

Clark Abrahams, a colleague of mine at SAS, has authored an excellent Blog outlining the powerful additions SAS has made to their platform as well as the advantages of the integration with the BPS Resolver audit tool.

One of the thought provoking concepts in the piece is the idea that success in business is not only driven by what the business is trying to do, put equally by how it is trying to do it.

Measuring and managing the how is very much the business of GRC.  How refers to everything from the ethical manner in which a company conducts itself – the values of the company – right down to the monitoring of tactical controls that have been implemented to govern the company.

Plotting an effective course requires leadership to understand risk.  This is part of what makes SAS such a powerful partner for us.  Their tagline ‘The Power to Know’ is a great phrase for a company that is in the e-GRC space.  Getting access to data is critical.   This can be historic data on your company and your industry or it can be real time information delivered within seconds of a risk event or the breach of a control.  Great data allows for great decision making.

Strategy and GRC are completely intertwined.  They are two sides of the same coin.  This is why it is also significant that the SAS^® Enterprise GRC platform has been further integrated with the SAS^® Corporate Performance Management solution.

You very likely know what your business is trying to do.  The combined solutions of SAS and BPS Resolver will help you determine how to do it.

I urge you to read Clark’s Blog on the SAS website and learn more!

Steve Taylor, CEO, BPS Resolver Inc.

(c) Public Service Commission of Canada

The Public Service Commission (PSC) has been a BPS Resolver customer since 2009. The PSC’s is an independent agency reporting to the Parliament of Canada, mandated to safeguard the integrity of the public service staffing system and the political neutrality of the public service. The PSC is the first of a number of federal agencies assessing their ICFR activities using GRC Cloud.

Public sector bodies around the world use BPS Resolver software applications for risk management, compliance and audit activities because of their ease of use and the speed cost-effectiveness of deploying Software as a Service (SaaS), also known as Cloud computing.

The full report is available here.

Therefore, in the next release we intend to double the width of this box, to incorporate the longer names. It will look like this:

An issue we stumbled upon was that because this box is twice the width of all the others, it cannot remain as the last item on the page without leading to some strange spacing issues. In other words, if the last row of charts on your home page includes three pies, the My Reports box would need to wrap around to another row, leaving a “ragged” look. Therefore we are going to put the wider My Reports box at the very top of the home page going forward, starting with GRC Cloud Release 5.4.

We would be interested in your thoughts on this. Will the double width My Reports box help you, or do your report names fit fine in the current box? Does having My Reports at the top of your home page avoid you having to scroll down to reach it, or do you prefer seeing your pie charts front and centre?

By the way, we are also going to change how left clicking a report name in My Reports functions. Currently when you left-click on an item overview report, it goes straight to the report itself, whereas for summary and hierarchical report it goes to the report builder. In future, you will be able to set for your site whether the left click goes straight to the report or to the builder page and this setting will apply to all reports.

Please give us your thoughts using the form below or e-mail us anytime at productmanagement@bpsresolver.com.

GRC Cloud recently introduced a number of “logical” mathematical functions. These are tools that enable administrators to create “If/Then” type logic in items.

Terms such as CHOOSE, EQUAL, GREATERTHANOREQUAL, LESSTHANOREQUAL, IF, LOOKUP, AND, OR, NOT, NOTEQUAL, ISINVALID, SET are all new mathematical operators available when building out functions.

The purpose of many of these is not easy to explain without context, although sophisticated Excel users may be familiar with some of the terms. The Help documentation (both the pop up screens in the Function Builder and the full on-line Help) are good resources, but in this article and some future blog entries we will look at some practical applications. The results of these functions can be combined with the existing ability to assign names to function result ranges to provide plain English results.

Example 1

For our first example, let’s imagine that two managers are both required to agree that an issue can be closed, for it to be closed. Each manager is required to complete a simple Yes/No criteria. We can then create a function to show whether both managers agreed or not.

The EQUAL operator

The EQUAL operator is quite straightforward. The syntax or structure of the function is EQUAL(Arg1,Arg2). Arg1 and Arg2 (short for argument) are simply numbers in the formula or anything that evaluates to a number, such as a selection from a drop-down menu or radio button or the result of another function. The operator indicates whether the two arguments are the same (equal) or not. As this is a “logical function”, if the result is true (the arguments are equal) the result is 1. If the arguments have different values, the result is false and therefore 0.

Therefore, for the example above, the Admin could create a function as follows:

EQUAL(manager_approval_a,manager_approval_b) where the two arguments are the criteria for the two managers’ approvals.

If both managers approve the item the result will be 1. If only one manager approves it the result will be 0.

We can now use function result ranges to clearly state the result. The only possible results are 0 and 1, so we can set the result ranges as follows:

No Consensus <=  0  < Consensus

Example 2

Beyond this, you would probably want to know not just whether the managers agreed or not but whether they both agreed the issue should be closed or whether they both agreed it should remain open.

If we want to know when both managers agreed to close an issue, we have to break down the logic. Here is one approach:

We know both managers have approved when:

1. Manager A has approved
   and
2. Both managers  are in agreement

As logical functions work well with 1’s and 0’s we can utilize those values to get the results we need. In the Manager Approval A and Manager Approval B fields we will equate Yes with the value of 1 and No with the value of 0. (By default the second item on the scale would have a value of 2, but this can be changed in the Item editor.)

The IF Operator

You may be familiar with the IF function in Excel, although the one in GRC Cloud works slightly differently. The syntax or structure of the function is IF(Arg1,Arg2,Arg3). Arg1 is a number, value from a drop down or radio button criteria, or the result of a function. If Arg1 is any value other than 0, the result is Arg 2. If Arg 1 equates to 0, the result is Arg 3.

Therefore, the Administratpr could create a function as follows:

IF(consensus,manager_approval_a,0)

Where consensus is the result of the function in Example 1 and manager_approval_a is Manager A’s assessment of whether the issue can be closed or not, as explained in Example 1.

Consensus will result in either 1 or 0. If the value of Consensus is 1 it will display the value from The Manager Approval A field. If the value of Agreement is 0, it will display 0.

Therefore the possible results are:

Where Manager A and Manager B agree, the result of Consensus (Arg1) is 1 and therefore the end result of the IF function is the value generated by the Manager Approval A function (Arg2), which could be 1 or 0.

Where Manager A and Manager B disagreed, the result of the Consensus (Arg1) function is 0 and so it generates 0 (Arg3) in this function.

Once again, we use function result ranges to state the result. The only possible results are 0 and 1, so we can set the result ranges as follows:

Not Approved <=  0  < Both Managers Approved

BPS Resolver’s Solutions Consulting Group can help you solve business problems and build out these and more complex scenarios using GRC Cloud’s new logical function operators. Please do not hesitate to contact the team at 1-888-891-550 or +1-416-622-2299 and ask for Client Support or e-mail clientsupport@bpsresolver.com.

Today marks BPS Resolver’s first release of GRC Cloud, a new name and new look for Resolver*Risk, which has been a leading web-delivered governance, risk and compliance application since 2005.

Following the merger of Resolver Inc. and BPS Inc. at the beginning of this year, a lot of thinking and communication with customers and industry opinion leaders has taken place to determine how the range of software products offered by the two predecessor companies should be aligned to provide a product suite that would appeal both to companies executing on a fully developed GRC strategy, as well as companies that are currently executing specific areas of GRC.

The product line and product names are being rationalized under the banner of GRC Suite, and starting today, Resolver*Risk is now GRC Cloud.

Why GRC Cloud?

Over the years, customers asked us “Why do you call your application Resolver*Risk when we use it for SOX, NERC, IT-GRC, PCI, Bill 198, and Audit as well as Risk Management?” We listened; GRC Cloud now reflects exactly what you use it for, GRC, and how it is typically delivered, via the cloud. If you are not familiar with the term “Cloud”, it encompasses what is also known as software as a service (SaaS), where an application is hosted by the software provider and offered over the Internet. The use of the word Cloud is also significant following BPS Resolver’s migration to a new hosting provider which operates our application on a virtual infrastructure, enabling us to continue to more efficiently ramp up computing power as the number of customers increases.

GRC Cloud v5.3 introduces a number of new features but the revised look to the login page will be the first thing that most users notice. The new appearance is in sync with BPS Resolver’s corporate site and it also provides more ways (Product Update, News and Blog) to update customers on product and corporate developments at BPS Resolver, plus easy access to Support contact information. For more details on what is included in this release, please check the Product Updates section on the login page.

For details on where Resolver*Ballot, Resolver*Net and BPS Suite fit in this strategy and upcoming integration and rebranding, please see my colleague Joe Crampton’s blog entry from last month.

One of the first things users will notice is that the login area has moved to the very top of the screen.

If your site had your company logo on it before, it will still have this on the homepage, located just below the banner of the man sitting on the mountaintop.

There is a lot of frequently updated content at the bottom of the home page. The Product Updates section will list information on new releases, features and enhancements, while the blog will contain articles relating to GRC in general plus BPS Resolver related items of general interest. Meanwhile, News and Events will include corporate news releases, upcoming webinars, other events and so on.

Feel free to look at the preview page (see link above) and check out what’s new under the Product Updates, Blog and News links.

Consider that the principle goal of risk management is to ensure that an organization performs as expected. In other words, it achieves its objectives. Therefore the risks that you identify need to be directly related to your organizations objectives. Risks not related to the achievement of corporate goals are off strategy – a distraction.

“What keeps you up at night?” is a disembodied question that will result in both relevant and irrelevant risks. Here is the question to ask…

“Considering the objective to… (describe a key objective), what events may prevent the organization from achieving this objective?”.

The result will be risk events that are well aligned with management’s goals. Feel free to present your interviewee with a list of potential risk internal and external risk categories to refer to when answering the question. For example, economic, competitive, strategic, HR, financial, technology, information, and corporate integrity are some of the major categories. There are up to 100 subcategories that fall under these major categories as well (business is complex!).

This objectives-focused question will ensure that your risk management process is strategic and focused on corporate performance.

by Richard Wilson

Today’s reality is that any complete solution will be comprised of multiple vendors (for example BPS Resolver for ERM, Compliance and Audit and SymSure for Continuous Controls Monitoring). Looking at the market, many vendors, including us, have created partnerships and alliances to bring a more complete solution to clients. However, this approach is somewhat limiting and clients can’t really mix and match a solution from any vendor they choose without custom projects. Custom integration projects are required because there is no industry standard common GRC interface or language that would allow GRC systems to consume and publish data.

Enter GRC XBRL. XBRL stands for Extensible Business Reporting Language and is an open standard based on XML to define a common language for business reporting. GRC XBRL (sometimes called GRC XML) is a GRC specific definition built on the foundation of XBRL by the Open Ethics and Compliance Group (OCEG), including members from Approva, Thomson Reuters, Fujitsu, and PricewaterhouseCoopers. The alpha version of the standard was released to peer-review in October 2009 and should be published for widespread consumption in 2010.

Currently, no technology vendor reads or writes data to this open standard. The benefits of all GRC vendors adopting GRC XBRL as a common language would be enormous. To date, all systems integration has been customized and proprietary. If all GRC vendors adopt GRC XML and provide standard interfaces to publish and consume this data, the GRC market would enter a new era of plug and play components. Clients could choose a GRC backbone platform and add specialized components or modules from other vendors that best suit their business needs.

Another interesting opportunity from GRC XBRL is that it provides a common language across companies and industries to share and compare GRC data. In the future, GRC XBRL could be a mechanism for companies to benchmark their progress and practices against their peers in industry and geography.

In the same way that XBRL is transforming the business reporting landscape, GRC XML will soon have a large impact on GRC applications. All vendors with GRC related applications should move to support this new standard.

According to Michael Rasmussen, Microsoft Excel (in concert with SharePoint and Word) is the most widely used Governance, Risk and Compliance (GRC) software. This approach certainly has many shortcomings, including security, data consistency and integrity, ease of reporting and version management. Most users of spreadsheet based approach recognize the need for a true GRC backbone platform. However, Microsoft Excel has some valuable lessons that Governance, Risk and Compliance applications could learn.

1. Simple but Powerful

The concepts behind a spreadsheet are simple yet incredibly powerful. Users can enter almost any kind of information, create functions and relate information. And spreadsheets don’t require a lot of configuration; users can just open a workbook and begin. GRC systems should also be flexible enough to capture any sort of information, provide facilities to calculate or rollup information and allow multiple relationship modeling. All this should be presented in an interface that is obvious and familiar to the user, perhaps in an interactive table similar to Excel.

2. Ubiquitous

It is very rare to find a business desktop that does not have MS Excel installed or a user who does not know how to use it. This application is so pervasive and well known that it is second nature to users. GRC systems should be the same way. They should be deployed on every users’ workstation in the company. Users should employ them as part of their daily life. GRC should become a ubiquitous part of their work experience and ingrained in the deep in the roots of daily activities.

3. Flexible

The spreadsheet was one of the first “killer apps” for the computer. This visible calculator unleashed the power of the pc and its incredible flexibility gave rise an almost infinite amount of uses. GRC platforms must also be flexible and adaptable. The GRC environment is a rapidly changing and evolving and backbone applications must have powerful modeling capabilities to match. This modeling ability must be easy to configure by end users who can take ownership of the system and keep it up to date.

4. Intuitive

Spreadsheets make sense. Generally, users look at them and know exactly what to do. They are accustomed to the table format that allows them to see and interact with large quantities of data at the same time. GRC platforms must also be intuitive to end users. As roles change in an organization, users will come and go and must be able to quickly learn and use GRC platforms as they relate to their duties. GRC platforms must be intuitive, easy to learn and present information in a fashion that users are accustomed to.

5. Unobtrusive

Excel is a normal part of knowledge workers everyday existence. It is an essential tool used in everyday activities. Users don’t think of it as another application they have to learn. It is just part of their life and routine. GRC platforms must also become unnoticeable to end users. They should not inconvenience users or put them out of their normal routine. This is essential if GRC platforms are to have widespread usage and adoption within an organization.

1. Ensure you consider the overall ERM strategy so that it is a sustainable, recurring process rather than doing it piecemeal.  Avoid the temptation to direct your efforts into a “big bang” report for only part of the business. This is particularly important if this effort prevents you from revisiting the business area for years to come.
2. Carefully consider the link between business unit or department risks and enterprise level risks.  The roll-up can be very powerful and convincing and is worth the effort.
3. If you are conducting workshops to better identify and measure risk, consider the use of voting technology to enhance efficiency and build consensus among the participants. Have this information transfer into a Risk Repository. This allows you to build a decentralized program that pulls information from the business units rather than the central team chasing them via email.
4. Knowledge of your industry is vital when selecting a consultant. The language and culture of your industry and even your particular company is a critical tool in ensuring that people are thinking about risk in the right way.  Equally as important is the ability to translate your enterprise risk management program into meaningful real-life scenarios for your business.
5. No executive or board level enterprise risk management report is complete without a view into the root causes and what is being done (or could be done) to prevent them.  Boards of directors are looking for the simplest possible way to understand their top issues and assess if the company is applying the right amount of focus or coverage. Many risk management reports look impressive but ultimately fail the “so what” test (nice heat map – so what?).

At present, the Alternative Investment Fund Manager (AIFM), of which Hedge Funds come under, are regulated predominantly by a number of national financial and company legal regulations. The global financial crisis has highlighted much stronger hazards than initially thought, especially in reflecting cross-border risk.

Hedge Funds have been directly linked to the growth of structured credit markets and asset price inflation resulting in market turbulence throughout the credit crunch. Many have been struggling to withdraw cash for their investors, as they are unable to liquidate assets promptly.

One of the key requirements from the directive is that an AIFM cannot provide services to a Fund unless they have been registered and authorised by ‘a competent authority in the Member State’. In the UK this means the Hedge Fund Manager must be authorised by the FSA (Financial Services Authority) and comply to all Directive requirements in order to continue to provide the service.

There are also stricter requirements for AIFMs to prove that they have risk procedures in place and that they carry out regular ‘stress tests’ and annual reviews on all portfolios and risk management. An annual report for each Fund will be required within four months of the end of the financial year and include a full financial breakdown with all activities to be disclosed. An independent valuator will also be appointed to review each fund on a minimum of an annual basis.

Some of the most controversial changes involve Fund Managers (AIFM) making ‘pre-investment disclosures’ to investors and will also be required to disclose details of any leverage on which they use, which could be restricted by the FSA if it is seen as being high on a regular basis. The requirement for Hedge Fund Managers to disclose all their positions has been met with great resistance by the industry and it remains unclear as to when and how it will be enforced if the Directive is approved.

Where matters get murky is whether or not the Directive applies to the Fund Manager. There are a number of exemptions, for example an AIFM who is managing a Fund portfolio of less than 100 million euro (or 500 million euro with a five year lock in) is not applicable.

The increased level of reporting expected by the new Directive will raise the amount and thoroughness of administrative time required at the very least, although at this point it is unclear how much of the Directive will go through as it stands currently in draft form. If approved later in 2009, it is expected to be enforced by 2011 with a third of countries joining in by 2014; but there is clearly a lot of work to be done in assisting Hedge Fund Managers in complying with the new Directive, if the new compliance regulations do indeed apply to them.

Audits are an important and essential part of managing risk and control effectiveness within an organization. Audit Management Software simplifies the entire auditing process, from planning and scheduling to performing the audit. What Audit Management Software offers you is an easy way to perform the most challenging and complex audits simply and more efficiently.

Why?

Audit Management Software is vital in letting you do more with less. In addition to the existing internal audit requirements, Auditors are now being asked to be proactive with risk management and provide insights into government regulations. It is no wonder that companies are looking for solutions to make these tasks easier and more time efficient. Being able to execute the audit process quickly and effectively to a high standard reduces the risk of non-compliance and provides insights into any potential problems or issues much quicker than conventional approaches to auditing.

Audit Management Software provides you with a system to support all types of audits in your company and seamlessly customize how you would like that information delivered to and viewed by key staff, management and any other authorized users.

All aspects of auditing can become automated to save time and improve productivity and efficiency. As you create them, audit checklists can be saved and used for any future audits. Saved audit checklists can be modified and updated or saved under new titles to prevent you from wasting time by having to start from scratch each time. Checklists can easily be printed off to ensure that your off-line record keeping meets regulations.

Audit Management Software can run audits at any time of the day or night and with any desired frequency. Audits can be scheduled across different departments simultaneously that use the same audit checklist across the entire company without conflict.

Audit Management Software reminds the auditors and their auditees a few days before the audit is due. On the first day of the new audit, the software flags the audit to the auditor and remains on their system until the audit is completed. This helps auditors stay on top of their audit commitments. The software allows auditors to make amendments even when the program is running, which means that alterations can be made as matters arise when the audit is in progress.

The Audit Management software will ‘remember’ previous audits and authorized staff members can have access to this information when and wherever necessary. Since previous audits are stored, the final results of a current audit can easily be compared to past audits.

Once the Audit Management software has completed its cycle, a list of issues and problems will be reported back to the auditor, clearly stating the necessary actions required to remain compliant. The software can track and acknowledge when these tasks have been completed.

It is easy to see why using Audit Management Software can enhance your auditing. With the software at hand you can easily audit any specific area over the whole of your organization.

Where?

To find out more about the latest in professional Audit Management Software, please contact us. We have implemented software solutions across a number of industries including Finance, Utilities and Health. We would love to discuss your auditing processes and how we might be able to help you utilize our Audit Management Software product BPS Audit.

Ok there is no simple answer other then the obvious. The best software is the one that is right for you and for what you are trying to do. I know this doesn’t sound helpful, but it’s true. Think of the car analogy. Next time you are on the highway (carefully) take note of the vehicles around you and think about their designs. Each is clearly doing the basics well, that is, driving on the highway. But each is also purpose built. Trucks are different than compact cars, which are different than motorcycles. If you have lots of stuff you need to haul, but still want to commute every day, maybe you have a pickup. If your life compels you to drive with speed and style, then a sports car may be the obvious choice. Just going from A to B for as little money as possible? Get a small car. For those in between people, you have one of those small sporty SUV’s that are so popular and kind of do everything OK.

The simplest audit tools basically give you a file tree structure and some standard templates that you can fill out to record your work, attach documents and the like. You rename and reuse these concepts if you want to create an issue or a review note, or if you want to get specific about listing risks, controls, objectives and so forth. When you finish filling out the forms and completing the tree structure, you are done and can save your audit for future reference. Most vendors will create some good looking reports including a final audit report which takes your information and re-organizes it into a friendly output. Some of the same tools are applicable to SOX testing and certain regulatory compliance checklists that your company may need to run. Justifying the expense seems easy and there appears to be little in the way of start-up costs. Let call this system Type A

By contrast, the more sophisticated tools give you the options to set up complete living-breathing pictures of your audit universe through some form of multi-hierarchical system. You can separate your legal, organizational and auditable entities and create elaborate relationships between processes, risk, controls, etc. You can run risk assessments across hierarchies (say, processes), have the results roll up using rules you define, then conduct formal targeted audits using other structures (say, your traditional auditable units). You can even compare year-over-year results. Systems like these expect that auditors may work in teams with junior and senior positions so scheduling and workflow (approvals, notifications etc) and secure roles are well developed concepts in the software. Some have centralized controls libraries with the ability to reference policy, risk, KRIs, losses and other data create a rich central control point from which audits are spawned by the system. These features also lend themselves well to integrated controls initiatives, secure and specific sharing of information between risk management and compliance groups and even some advanced analytical reporting. Let’s call this system Type B.

If your needs are strait forward and will always be that way. I think the choice is obvious. Type A. Even if you’re somewhere in the middle you will be able to stretch the A type of system pretty far. It will (with a little help from the vendor) do quite a bit for you. Say it’s a small car, you can get a roof rack for it and haul home a living room set from IKEA on the highway and it will work. Do this every weekend, however, and your going to be longing for a pick up truck.

The second type of system, delivers the more sophisticated and heavier duty functionality because it is designed from the frame up to do so. This system, however, will take a bit more effort to get up and running and for administrators of the system will require more focus and training. It has more moving parts, and is most likely be more expensive. On the other hand, you will most likely never find yourself constrained; it will be easy to modify to meet diverse needs of a larger group and will integrate well into your IT infrastructure. For some companies, buying for the long term, means choosing a system like this one.

Both systems will work for you but they are built on different frames. You can’t turn one into the other any more that you can turn a small car into a pick-up. The car analogy is a bit silly, I grant you that but I use it because it’s easy to tell a compact car from a pickup truck. It is less easy to distinguish audit software tools during an RFP. If the difference is critical to you and your organization, then I would like to offer you some points to consider when looking at audit software:

1 – Do you need a centralized facility to model your audit universe? For many companies this is a lot more than creating a couple of hierarchies and attaching testing plans to them. You may also need to classify and rate risks, controls, processes and other artifacts in multiple ways (principle risk, organizational unit, key business process, key control, etc.). If you are a global organization you may conduct risk assessments at a different granularity than you conduct audits. Add in geography, departmental risk scoring, results from previous audits and assessments, SOX testing, confidentiality requirements and the whole thing can no longer be managed reliably without a more sophisticated tool. A tool that has built all of these elements properly will ensure that you can make the necessary cross references and connection between these elements and that these connections will drive the behaviour and automation you would expect. Less sophisticated audit tools can, in fact, still work for you. The danger is that they are stretching their concepts to achieve the functionality – meaning you may have unexpected compromises in your future. These compromises usually lead to abandoning part of your system in favor of spreadsheets or some other flexible tool.

2 – What are your expectations with respect to work papers automation? Remember that the goal here should be to make it easier for auditors to conduct their work in a complete fashion and support the final report with credibility. If you only need a system of record, then a less sophisticated tool will do. As long as there are plenty of places to type and an easy way to categorize and link things, you will have little problem ensuring that your work is stored electronically and is easy to access and report on.

Work paper automation, however, can also get quite deep. In fact, I recently sat in on a study of audit tools and found that only a handful of vendors (by their own admission) had actually invested to create specific work paper management functionality. These vendors have created dedicated concepts for things like audit approach, key control matrix, risks, controls, tests, assertions, scoping, issues and evidence. Each of these concepts has their own workflows, collaborative facilities and configurable automation that presents to the auditor as needed. The features are designed to streamline the work, minimize the typing and allows for re-use of standard components and knowledge in the company. By far one of the biggest differentiators in the audit tool space is the amount of support for work papers management or automation. It is basically the difference between a general assessment tool and an audit tool and is always present when comparing Type A tools (basic audit functionality) to Type B tools (sophisticated audit functionality).

3 – Audit planning. Many of the tools available to auditors and compliance folks have some concept that allows for planning. From the audit perspective, we are trying to ensure that the effort of auditing is concentrated in the areas of the business that need it most. For many shops, this means a tool that helps them conduct mini-audits or self-assessments so that they can rank each auditable unit in terms of risk. Ultimately this information is used to design an audit plan for the year. Once again, bigger is not always better here. There are Type A products out there that do a fine job of helping auditors with this task. In fact, many of the products that completely fall down in terms of work paper automation actually have great risk assessment and planning features. Given this fact, please ensure that you understand what your real requirements might be. For instance, are the “assessable units” in your company (the smallest unit that you will risk assess) the same as your auditable units (the organization you will plan and execute an audit on)? Larger or more sophisticated shops often do not bring these two concepts into alignment. Ensure that your candidate system can separately handle the ideas of auditable unit, assessments and organizational unit. Ensure that the scoring rules, and how they roll-up, are not dependant on any single hierarchical relationship. This is all sounding quite technical, but it can be an important subtlety for some companies. All I am saying is that one should take extra care to ensure that you don’t buy a system and then find yourself longing for the flexibility of spreadsheets once again. A few other points on audit planning: Do you desire multi-year planning? And do you consider your staffing and resource availability in the planning process? Finally, is the audit plan a living thing that you are constantly updating based on changing conditions? Or is it a static plan that you re-build every year? The final considerations tend to lead prospective buyers to more elaborate audit Type B tools.

4 – ERM and Compliance. Recently I had a conversation with some thinkers at OCEG and they confirmed for me that auditors are being asked to deal with more compliance testing and enterprise risk management information gathering. The discussion of how tools manage this, or should manage this, is so long that it should be broken up over the course of several blogs (this being already too long as it is). I will say that if the first three items that I have discussed in this piece are built with care and appropriate sophistication, then you will most likely be set up well to help manage ERM and compliance problems for your company. Remember that risk definitions vary depending on the regulation or ERM framework you may be adopting. Control definitions are not any exception either. We have seen risks be defined as root causes (supplier ships bad parts), events (company product fails when customer tires to use it) or consequences (lawsuit and bad press). Similarly controls can be preventative (catch bad parts before they get into our product), or mitigating (ensure we have enough insurance). A unified set of definitions and frameworks on which to hang your company policies will always leave gaps, so ensure your audit product has a way to deal with multiple interpretations of the concept of risk and control. Without this ability, your ERM initiative will be divorced from your audit universe.

In conclusion, please forgive the car analogy (it was the best one I had going for now) and I hope you find some of the points here helpful.Four