GRC Cloud 6.0 Release Webinar – Recorded Presentation and PowerPoint Presentation

Provide the right information to the right people at the right time to get the job done right!

CLICK HERE to view the GRC Cloud 6.0 Release Webinar

CLICK HERE to view the GRC Cloud 6.0 Release Webinar slide deck.

CLICK HERE to view the GRC Cloud 6.0 Release Notes.

GRC Cloud 6 introduces a new way for people to work together on your GRC program. The new configurable workflow engine enables you to completely and efficiently manage your Risk and Compliance processes.

Keep track of the status of all work within your GRC programs through enhanced reporting. By introducing automated workflows to your GRC Cloud site you can solve many issues that trouble GRC professionals.

  • Ensuring people know the work they are responsible to complete—and their deadlines—with automated messaging and outstanding task views.
  • Achieving greater enterprise-wide buy-in by simplifying tasks and reducing training and oversight requirements.
  • Ensuring people in the program follow the correct business processes.
  • Ensuring the proper handoffs happen at the right time.

GRC Cloud’s workflow builder enables you to build business processes where information is entered by different people in a pre-defined sequence. Each person’s view of the item is tailored to provide just the information they need at that time to complete their task. As each task is completed, the next person in the workflow is alerted by e-mail that they have work to do. The home page dashboard also advises each user of their current tasks. Other managers who need to know an item’s status can also receive customized alerts. For more details on the value workflow provides, please view our GRC Cloud Workflow Overview presentation.


Does information overload get in the way of your GRC program’s efficiency?

One of the obstacles to the effective rollout of enterprise software across a company – and GRC software is no exception – is that it is designed to appeal to so many types of users. Unfortunately though, the screen flow and design often feel less like one-size-fits-all, and more like one-size-fits-no one.

Users get frustrated at having to look through all sorts of features and information that don’t apply to the task in hand. Some people, particularly infrequent users, can feel like they are being forced to play some cruel game of Where’s Waldo? when they look at an unfamiliar and cluttered interface.

In GRC Cloud we have worked hard to minimize this issue by making each field configurable for any user role, setting it as editable, read only or hiding it completely from view. In our new Workflow concept we have gone one step further.

In Workflow, a user may work on an item in more than one step – or state – of a workflow. In each state he or she may be required to complete different information and read different information that has been provided. In fact they may be required to attach evidence in the form of an external file in one state, but need to be prevented from doing so in another.

GRC Cloud’s Workflow Builder enables you to manage not only what a user can see or change, but when the user can see or change it. This enables your users to complete their work more quickly, as they do not have to search for the relevant information and wonder whether they are doing the right work at the right point of the business process.

For administrators, simplifying the interface not only gives you happier users (and thus more buy-in to the program); you can also train people more quickly on what they need to do and when, and you get fewer questions from people once they start their work.

We believe that workflow is all about providing the right information to the right people at the right time. The easier it is for people to work in your GRC program, the more enthusiastically it is adopted and the better input you will receive.

This begs some questions.

  • If you could expand the reach of your governance, risk or compliance program without increasing your training budget or administrative workload, would you do so?
  • Could you ask people to assess more risks or evaluate more controls if they could do the work more quickly?
  • Would you invite more people to participate if you knew your process and software design was intuitive and those additional people would provide valuable insights?
  • Wouldn’t this make your company a more effective GRC organization?

By the way, the new workflow capability is introduced in GRC Cloud 6, which is being launched in January.

“Workplace fraud cost $3.2B last year” – and that’s just Canada…

We’re supposed to be those good natured, excessively polite, overly courteous folks just across the border. And yet a survey of 290,000 small businesses in this honest country found that “26 per cent, of [the] companies had been cheated by an employee.” A further “20% of those companies experienced fraud at least four times in the year.”

The frauds ranged from misstatements of revenue to straight theft of inventory or cash. The survey was conducted by the Certified General Accountants Association of Canada (CGA).

The top 6 fraud risks in order of decreasing frequency were identified as:

  1. Misappropriation of inventory or assets
  2. Misappropriation of cash
  3. Misrepresentation of employment credentials, internal or external documents
  4. Corruption
  5. Theft of proprietary information and intellectual property
  6. Assets/Revenue overstatement or understatement

So why are companies so vulnerable? “80% [of companies surveyed] aren’t prepared to deal with fraud in the workplace, the CGA says, and almost 60 per cent don’t go through regular assessments of how at risk they are to fraud.”

BPS Resolver’s risk assessment software systems are used to identify and assess enterprise risks including fraud by 8 of the top 10 global accounting firms(1) and by hundreds of the world’s best managed companies, large and small. Call today and ask us about our pre-packaged Fraud Risk Assessments.

Source & Quotes from: http://www.cbc.ca/news/business/story/2011/12/06/cga-fraud-report.html

(1)- Top 10 ranking from 2010 publication Accounting Today Top 100 Firms

What makes BPS Resolver Ballot such an effective risk assessment tool?

In a recent survey, 73% of BPS Resolver Ballot operators/facilitators responded that using Ballot in workshops enables their company to make better decisions regarding business risks. Only 1% disagreed with the statement!

So why is it so effective?

At its simplest, BPS Resolver Ballot is voting software. (Think in terms of the Ask the Audience lifeline in Who Wants to be a Millionaire.) Risk managers ask a group of managers to rate the likelihood and impact of potential risks on a sliding scale using keypads.

As part of our product research, from time to time I sit in on customer risk workshops and training sessions. I once attended a risk assessment technique training session at one of the major risk management professional services firms. The program was for new consultants and was given by a long time user and advocate of Ballot at that firm. As he knew I was in the room I think he was being tongue in cheek when he told the new recruits that the risk assessment software had nothing to do with making risk assessment workshops effective. But he did have a serious point.

If you only want to gather opinions from a group, Ballot is certainly an efficient way to capture information quickly and an interactive and engaging approach for participants. But just because it is quick and fun, does not mean that you get better answers. BPS Resolver Ballot is truly effective when it is used to reach conclusions based on a collaborative, consensus-building process. If you are just using it to collect votes you are missing out on this powerful methodology.

Here is how the approach works. The first thing to understand is that the voting is anonymous. Therefore people give their views on likelihood or impact of a risk without concern they are going to be identified and directly criticized by a dominant personality or a more senior manager in the group.

So far, so good, as all views are represented in the voting. But if you just accept the majority vote and move on, you still have nothing more than an efficient system. Voting results are now used to kick-start a discussion. The facilitator uses the spread analysis (see the screen image of the voting results) to see if there are marked differences of opinion represented in the voting and, if so, starts probing the participants. As the votes were anonymous, she has to seek out a volunteer to represent one of the points of view and explain how their experience led to that view. She then seeks out someone to represent the opposing viewpoint. However, during this discussion she gives everyone in the room an opportunity to chip in and build on opinions expressed. As a result, people often hear a new take on a subject from people with different experience from their own.

OK, so how does the anonymity of the voting translate into a truly open discussion that avoids the risk of strong personalities or senior individuals dominating the discussion? Well, as all participants have seen the votes, they know that there is a range of opinions in the room. A person who holds a less popular viewpoint will typically see that he or she is not the only one to do so and therefore is emboldened to share that view, knowing someone in the room will back them up. However, sometimes there is only one “outlier” who may not feel comfortable expressing that view and so the facilitator uses techniques to get other people to be “devil’s advocate” and represent those views. I won’t get into the details of these techniques here, but the end result is typically a healthy banter that enables all participants, including the senior voices and strong personalities, to hear differing points of view. This airing of diverse opinions and perspectives must take place to avoid “Groupthink”.

When the subject has been more fully discussed, the facilitator puts the question to a re-vote and typically one of two things happens. Either the re-vote doesn’t change the overall result but provides a lot more consensus, or the original minority view has persuaded the other participants to reconsider their views on the issue.

Either of these outcomes is valuable. Obviously, if discussion and consideration have led the team to come to a conclusion they would otherwise not have made, this is hugely valuable, preventing the company from making potentially expensive mistakes in under-controlling or over-controlling a risk. However, there is also value in achieving greater consensus. After the workshop has finished there may be mitigations to be put in place. These are more likely to be effectively resourced, prioritized and acted upon when all the people responsible feel they were part of the decision-making process that identified the actions to be done. At a minimum, participants leave the room with a representative understanding of the varying perspectives in the company, an effect which does not occur when the most senior or loudest voices in the room dictate the discussion’s tone.

So BPS Resolver Ballot risk assessment software improves the efficiency of a workshop for sure, but better risk management decisions emerge when the technology is combined with training in the methodology and skills to bring ideas and opinions out of people. Together they are the cornerstone of probably the most effective way to assess business risks.

Don’t ask us. Ask Resolver Ballot customers!

It’s a pleasant surprise. Not the conclusions, but the overwhelming consensus on just how valuable Resolver Ballot is!

Our product team recently ran a customer satisfaction survey on Resolver*Ballot, our decision support software.  While we have always been proud of this software, we were frankly a bit blown away by the results. Here are some key findings:

Does Resolver Ballot help your company make decisions more quickly?

- An astounding 83% agreed and only 3% disagreed.

Does Resolver Ballot help your company make better decisions?

- 73% said they agreed! Only 1% disagreed.

So at the intersection of these two questions our customers are saying that our software helps them make better decisions and make them more quickly.

Today we live in an increasingly collaborative world where more stakeholders are involved, which makes decisions more difficult. Consensus-based cultures need to adopt tools and best practices to ensure they get the benefits of collaboration, without getting bogged down by this same process.

Resolver Ballot, according to our partners and customers, is clearly an important piece of this puzzle!

Some of the other folks here at BPS Resolver will blog more on the results in the coming days.

Want to know the unknowable? Use group assessments to understand how risks interrelate.

You can’t see the future, but you can understand the way different events will impact you.  Resolver*Ballot, BPS Resolver’s risk assessment workshop software, features a great tool called “relationship modeling” which, through a series of questions, helps risk managers paint a picture of the interrelationships between various risks.

Say what?

By posing a series of logical questions to a group, Resolver*Ballot creates a visual depiction of patterns of influence that show how one risk event increases the likelihood or impact of another. This picture is generated in real-time in a risk workshop, and can be done together with—or independently  from—the anonymous assessment.  The result is a map of interconnected risks with ratings of the impact on the organization.

Wow!

Here’s an example. The screen image below shows the impact that a new acquisition may have on an organization.  As a risk manager, you may or may not have visibility on M&A activity, but this visual representation helps us understand the sequence of risks that are more likely to come about if that event occurs.

Resolver*Ballot Relationship Modelling Output Chart

Studies in psychology indicate that people are naturally good at seeing one or two levels of influence, but how many of us would look at an acquisition and immediately think of inadequate IT security (#4) and the increased probability of IP theft (#9)?

Now take the same picture and simply overlay the impact vote from a regular risk assessment workshop and you get something even cooler.

Resolver*Ballot Relationship Modelling Output Chart with Color Coding

From the color coding (green is low impact, yellow is medium and red is high), you can see that according to the group’s votes, the acquisition risk (#7) is ranked as a medium impact risk. But seeing the risks in this view prompts us at least to reconsider #7 as a high impact risk, since it leads to an increase in probability for many other risks including, in this case, a high impact risk (#9). (For the same reason, risks #4 and #5 should also be considered for upgrading to high impact.)

With this information in hand, a good risk manager who goes through an acquisition simply opens up their model and examines the types of risks that fall out from an acquisition. In this scenario some diligent work in the IT department to beef up the two newly joined networks has the potential of stopping the flow of increasing likelihood between the risks.

I think this is pretty cool but I’d love to hear your thoughts…

Conducting an Effective Risk Assessment

I hope it’s safe to say that Risk Management has gained enough attention over the past few years to have become at least a consideration in most managers’ minds.  I hope that before embarking on every project a PM will conduct a project risk identification with key stakeholders and at least try to estimate which risks are the big ones.  I hope that senior managers encourage risk assessments both within departments and across them, and finally I hope this information gets used to make more informed decisions.

So… wearing my optimist’s hat… there are a lot of people out there conducting risk assessments around a wide range of topics, in varying levels of detail, and with different levels of experience.

This blog will be the first of a series that will focus on effective Risk Management. If you have additional suggestions for types of risk assessments, then please do post a comment or contact me.

Consider this a layman’s guide to an effective risk assessment. I say “layman” as I am not an accountant, auditor, or lawyer. In fact I’m a nerdy computer science guy, so this is a completely biased but very effective way I personally have managed upwards of 20 corporate-wide risk assessments.

Before you start

Before you dive into the risk assessment there are some basics to get sorted:

  • Determine what type of results you want to get out of the session – rankings, discussions, ideas, response plans…
  • Figure out who should be involved – make sure you have representation from all key stakeholder groups
  • Determine what format works for you – interviews, online surveys, workshops…

Here’s  a quick chart to help you pick which risk assessment type fits your needs, organization and resources or budget:

Pros and Cons of workshops, surveys & interviews as risk assessment techniques

[1] The estimated risk that remains after existing controls or mitigating actions.

Effective Risk Assessment Workshops

In the rest of this article I will run through my approach to effective Workshop Risk Assessments, how to impress your peers and managers, and how to accurately identify and assess risks as they relate to any objectives.  If you’re a fan of surveys then please check out information on our Survey application.  Please note that Interviews are a great way of gathering information, however they take a long time to conduct and are more expensive due to the time spent aggregating and re-circulating results for agreement.

1. Preparing for the Workshop

  • Book a reasonable amount of time to cover the topics
  • Determine assessment scales that everyone will understand and get agreement from the two most senior people in the room.  Make sure they have both qualitative and quantitative components and do not focus exclusively on financial risk.
  • Agree on a language for your risks that will reduce confusion. (e.g. don’t put the word “or” in your risks)

2. Principles of the workshop

  • Ensure you get viewpoints from everyone
  • Use an effective technique for anonymous voting (i.e. Resolver*Ballot)
  • Have a “scribe” – one person dedicated to writing everything down. (Not you, and not one of the participants.)

Sample 90-Minute Agenda (30 Risks)

(Your group may be faster or slower depending on the # of risks and the depth of discussion.)

Context Setting
Introduce the room to the process you will be following (10 minutes)

  1. Ensure that everyone understands the scales
  2. Inform people that votes will be completely anonymous and that they should be open and honest
  3. Describe your agenda and emphasize the importance of getting through the votes quickly

Voting
Quickly and anonymously rank all the risks on both impact and likelihood without discussion (30s/criteria or 60s/risk = 30 minutes)

  1. Voting should be done quickly and silently to avoid “overtalking” each risk. There will be plenty of time for discussion later in the workshop.
  2. Resolver*Ballot Feature: Anonymous voting is done through wireless keypads and should only take about 30 seconds per risk per criteria with our software – compare that to sticky notes or ballot boxes.

  3. If you want to avoid pointless academic discussions, vote on Residual Risk only. Inherent Risk is really only relevant to auditors, will double the time of the session and will add minimal value.
  4. If necessary, make sure that senior managers do not try to influence the vote with their comments

Clarify
Examine, discuss and re-vote on the risks with a lack of consensus (20 minutes)

Resolver*Ballot Feature: You just click on the “Spreads” button and Resolver*Ballot will show you the standard deviation of the anonymous votes.

  1. Get your scribe ready to write.
  2. Examine the wording of the risk. It’s possible people have interpreted the risk in different ways
  3. If not, prompt discussion by asking people to volunteer why they or someone else voted either high or low.  (Remember the voting in Resolver*Ballot is anonymous so don’t corner someone and force them to tell you what they voted. If you didn’t use our software then this will be much more difficult.)
  4. The discussion that emerges here is fantastic. When people have extremely different opinions this may be as a result of experience, personal exposure, education or many other factors. These viewpoints will improve the accuracy of your assessment immensely and are not possible without anonymous voting!
  5. On occasion you will uncover a viewpoint that a person has because of something they know that is personal (e.g. a career change). Make sure you respect people’s privacy and manage the conversation carefully.
  6. Once you have discussed, if it sounds like people have changed their opinions then re-vote and see if the result has changed.
  7. Another shameless Resolver*Ballot plug! If you don’t use anonymous voting the entire category (areas of low consensus) tends to disappear off the radar. The loudest voice or the most senior person will influence the room and the note taker into recording their position. Our software eliminates those problems and ensures that you will capture the different opinions resulting in a better product.

Discussion
Look at the results and focus on risks that exceed your risk appetite (20 minutes)

  1. Start with the high impact and high likelihood risks
  2. Resolver*Ballot Feature: Look at the auto-generated Heatmap and zoom in on the values you are interested in (e.g. top right of the Heatmap).

  3. Get the discussion started on what risks are above appetite, and what that would actually be like for the project/company
  4. Get ideas about what you could do to control them, and document actions.
  5. Make sure your scribe is writing everything down.
  6. If you have time, also look at the high impact and low likelihood risks, the company killers that should “never” happen.  Try to determine which other risks increase the probability of that risk occurring.

 

3. After the Workshop

  • Share the results and the corresponding actions with participants; this will dramatically improve the process the next time around.
    • Resolver*Ballot Feature: Easily exports to PowerPoint and Excel documents to share with others.
  • Keep the voting results and use them next time to plot change over time. If you are doing a routine assessment (e.g. every quarter) which risks are changing? Which risks are increasing?  Which actions did not get executed on?
    • Resolver*Ballot Feature: Merge multiple files and plot them on a single Heatmap to understand change

By now hopefully you’ve got some ideas on how to run an effective risk assessment, and our software will improve your results through anonymous voting.  We’ve helped hundreds of companies, large and small, get great results very efficiently.  This includes companies like Sony, Wal-Mart, Philips, Heinz, Deloitte, PwC, Ernst & Young and countless smaller companies.  We’ve even helped the Canadian Government and the United Nations.  Oh, and our software doesn’t cost much since it scales to the number of users that you need.  So, in conclusion, stop reading and buy our software. Or at the very least contact us for a discussion and a demonstration.


Implementing OCEG Red Book? How BPS Resolver’s GRC Suite supports OCEG’s Capability Model.

One of the most commonly accepted frameworks to achieve a unified Governance Risk and Compliance approach is the GRC Capability Model defined in the OCEG (Open Compliance and Ethics Group) Red Book. The model views GRC as a single activity with a set of detailed practices and components and is the cornerstone for any corporate sustainability initiative. The BPS Resolver GRC platform provides technology to support the key elements of the OCEG model.

The OCEG framework is broken down into several practices, and in the table below we have mapped the OCEG GRC elements against key features and functionality in the BPS Resolver GRC Suite.

OCEG GRC Element

BPS Resolver GRC Suite features

CULTURE AND CONTEXT

Culture plays an integral role in GRC performance within an organization. GRC is no longer being viewed as an “add-on” to normal business activities but rather as a business philosophy that is infused into the culture and its operations.

  • Powerful tools document key organizational structures, cross functional teams, key human capital and technology assets, as well as business processes, products and physical assets.
  • The ability to cascade high-level business objectives, policies and requirements to assurance roles such as internal audit.
  • Analytical reporting and assessment tools that support “tone at the top” rollups of the overall risk environment.
  • The ability to set various indicators and establish targets (KPIs/KRIs) to ensure business objectives are met within defined tolerances.

ORGANIZE AND OVERSEE

For an organization to have a successful integrated GRC program it must communicate clear mission and objectives, define organizational roles and determine the implementation scope of the GRC system.

  • A single application with configurable modules fits the organization’s implementation scope – phased vs. enterprise wide
  • Provides embedded project management and reporting, audit trail and user logging facilities.

ASSESS AND ALIGN

Assessing risks and aligning the GRC program with business processes is a central component of any GRC initiative. Defining a GRC process model and ensuring that it integrates with the existing business planning activities can accomplish this. The GRC system should offer a portfolio of initiatives, tactics and activities that relate to the organization’s moving parts and operational model.

  • Strategic planning and collaborative group decision tools for distributed teams, ideal for a board-based risk assessment process.
  • Activities can be prioritized against corporate goals and regulatory requirements.
  • Definition and categorization of risks and their impacts, as well as interrelationships across multiple aspects of the organization.
  • Cross reference assessment programs to any part of the risk management or GRC framework.
  • Define, schedule and link key risk data collection and assessment activities.

PREVENT AND PROMOTE

By developing an integrated implementation and management plan GRC activities can be optimized to promote and motivate desirable conduct. These can also prevent undesirable events and activities using a mix of controls and incentives.

  • Create multiple planning templates that promote best practices and awareness.
  • Clear mapping of controls and risk coverage and how they relate to operational processes.
  • Link information to existing and proposed standards and guidance that affect the company’s GRC requirements and track the activities related to these requirements.
  • Roll the process out across the organization on a shared platform to increase program visibility and commitment.
  • Remediation and change management tools that are integrated to ensure that findings are actionable and that change is driven in an organized and prioritized fashion

DETECT AND DISCERN

Being proactive in detecting potential risks, losses and undesirable conduct is key for any organization. By providing streamlined methods of gathering data and analysis techniques, organizations can detect and defuse potential concerns.

  • Visualize enterprise risk data with simple to use reporting and mining tools.
  • Analyze control and assessment findings, loss incidents and more through a rich library of reports and dashboards.
  • Enterprise workflow technology enables tasks to be driven from alerts and ensures optimal information delivery.
  • Notification capabilities help maintain and prioritize focus.
  • Create and manage information about detective controls across the company, optionally integrating with continuous controls management services.

RESPOND AND RESOLVE

Process failures and loss events can occur in any organization. Having a nimble process, data, and the tools to analyze and understand root causes is crucial in order to resolve and prevent similar issues in the future. Users need to have confidence in the GRC system and process so that they can easily report and respond to issues effectively while ensuring the privacy and confidentiality of the data during the investigation and analysis phases.

  • Capture and categorize compliance exceptions, audit findings, control failures, risk indicators, incidents and loss events based on the client’s specific set of corporate taxonomies.
  • Manage the creation of action plans with full issue tracking capabilities while ensuring confidentiality of information through sophisticated roles and permission management.
  • Detailed reporting provides analytical insight to refine processes and corrective controls in order to resolve and mitigate future concerns.
  • Templates to support crisis response and disaster recovery scenarios.

MONITOR AND MEASURE

Organizations need to periodically evaluate and modify the GRC system to ensure it contributes to evolving business objectives while remaining effective, efficient and responsive to the changing environment.

  • Assessment capability is used to survey business stakeholders providing feedback on the effectiveness of the GRC program as it relates to them.
  • Standardized reports that help identify areas that have too heavy or too light a control paradigm.
  • Support for advanced Extract, Transform and Load (ETL) technology capable of importing and synchronizing external data (such as regulatory changes and new policy and guidelines) into the GRC framework.
  • The most comprehensive internal assurance (internal audit management) and reporting tools available to enable feedback to the board and management on the effectiveness of the GRC program.
  • Support for the principles and procedures available in the OCEG Burgundy Book.

INFORM AND INTEGRATE

At the center of the Capability Model is the ability to capture, document and manage information accurately across the organization as well as external stakeholders. The flow of information needs to efficiently cross functional areas and provide value to its targeted audience.

  • A consolidated repository linking templates, risks, controls, assessments, and key artefacts across the organization.
  • Flexible and secure workflow, notifications and data views promote transparent flow of the data while ensuring that the appropriate stakeholders have access to the information they need.
  • Over 100 reports and notifications refined through hundreds of engagements with top tier clients.

For more information on  GRC Suite’s capabilities please contact our account team or call 1-888-891-5500 or +1 416-622-2299.

A Risk-Based Approach to Sarbanes-Oxley

While the risk and compliance world waits (and will continue to wait) for the Dodd-Frank dust cloud to settle, we continue to live with the reality created by another Senator, and a congressman, Sarbanes and Oxley.

Two colleagues of mine, Tim and Lauren Leech, have recently submitted to Congress a thought-provoking paper advocating a re-write of Sarbanes-Oxley. While the proposal suggests only a minor edit to the Act, the implications are significant, far-reaching and would represent a tremendous improvement to an Act that has generated considerable controversy.

Essentially, Leech & Leech have put forth the idea that Sarbanes-Oxley become primarily risk-based in its approach, vs. the current focus at the control level. Their argument (at least part of it) is that without the right attention to – and understanding of – the risk environment, the work done at the control level is often wasteful and not focused on areas that represent a true potential source of unreliable financial reporting. A risk-based approach, according to the authors, will help allocate resources to the most statistically probable root causes that account for the majority of materially wrong financial statements.

The difference between success and failure in enterprise-wide GRC implementation: Usability.

If you are tasked with implementing a GRC solution you are almost certainly acquiring software that people outside your own department have to use. As the success of your program is dependent on these people’s willing participation, selecting technology they find intuitive and easy to use is vital.

When reviewing potential software applications it is vital to view them from the perspective of all your types of users. Some buyers fall into the trap of purchasing the tool that best meets the needs of the “owners” of the GRC program, without considering what is most important to the regular – and irregular – users of the tool.

At BPS Resolver, we tend to think in terms of three types: Administrators, Heavy Users and Light Users. Although the definition of heavy and light users varies with how the software is used and the company that is using it, each of these groups has very different usage patterns, needs and preferences.

The Administrators, who build frameworks, manage permissions, design reports and such, are often daily users who know features and functionality in detail. At the opposite end of the scale are the light users, who access the software quarterly or annually, and frankly forget a lot of what they know between these regular cycles.

As there are typically more light users than administrators, an intuitive interface and an ability to get to their tasks quickly and easily (i.e. very few clicks from the home page) is vital to assure their ongoing use of the system. Our experience also shows that easy access to immediate reporting (pre-built or ad hoc) and the ability to click through those reports to underlying information is valuable to many types of user.

When we configure sites for customers we spend a lot of time thinking through making the site as intuitive as possible to use. Techniques include:

  • Custom roles and permissions, so that a user’s view of content is limited to what they need to read and answer and not cluttered with details that other types of user require.
  • Custom workflows that refine the view to show just what is needed in each stage of a process, as well as define the work item’s path through the organization.
  • Corporate terminology that ensures terms currently used by the company are reflected in the software, rather than the company having to adopt the software’s terms.
  • Custom icons that appear on screen and in reports that reflect the corporate terminology or any company’s “house style”.

In the world of smartphones, people see their consumer technologies rapidly becoming much easier to use, and thus their expectations of the technology they use at work are also increasing. Although an enterprise GRC application is always going to require more of a learning curve than an iPhone app, people are not afraid to click on things any more. And when they do click on something, they expect something intuitive and useful to happen, such as drilling down from a chart to a report.

We are regularly contacted by companies whose first GRC software deployment has failed due to their people not accepting the tool provided and who now want to replace their current solution. To ensure a successful software rollout, make sure the application – and professional services team – you select provide customized, intuitive experiences for all your user types.