Every business should conduct some form of governance, risk management and compliance (GRC) process. The problem, according to Michael Rasmussen, chief pundit at GRC 20/20 Research LLC in Waterford, Wis., is that there is often a lack of company-wide collaboration to achieve proper "maturity" of GRC strategy. An increasingly vital component to this maturity is effective third-party management, which Rasmussen calls "one of the fastest-growing areas of the GRC market."
Rasmussen was in Boston earlier this month at the 2014 Governance, Risk Management and Compliance Summit to deliver a keynote presentation called "GRC for the extended enterprise: Effective third-party management strategies." During the conference, Rasmussen joined SearchCompliance editor Ben Cole to further discuss the importance of company-wide collaboration and third-party management to GRC strategy.
What are some of the latest GRC trends that people who come to this year's summit going to be taking away from the conference?
Michael Rasmussen: In general, what we are seeing is there is a lot of interest in how to build collaboration across GRC areas. From my perspective, every organization does GRC already. There's not an organization on the planet that will say they lack governance, lack risk management, are not compliant. Everybody does GRC.
It's more of a question of maturing GRC practices and there's a lot of interest and interaction at the conference on "How do I build collaboration across departments?" to build that maturity within GRC and, more specifically, "How do I build a business case to justify investment in technology to improve my GRC maturity?" There's a lot of interest in the business case and being able to build GRC support.
You're speaking about third-party management for GRC in the extended enterprise during your presentation. Can you talk a little bit about some of these strategies?
Rasmussen: Third-party management is one of the fastest growing areas of the GRC market. Of course, GRC itself is more than a market. It's about strategy and process and approach, but there is technology to underpin that. As an analyst, I look at the market for GRC solutions and third-party management is the fastest-growing area of the GRC market.
More videos from the GRC Summit
Policy transparency, planning keys to BYOD security
In digital age, converged approach to info risk management a must
Advanced security threats force proactive approach to risk management
We're up against a lot. For typical organizations today -- whether it's financial services or retail or manufacturing, supply chains or health care -- it's not uncommon to go into them and find that more than half of their "insiders" are not employees anymore. They're dealing with contractors, consultants, temporary workers, suppliers, vendors, you name it. There is a lot of intricacy there. How do we manage these relationships? How do we manage the risk and compliance of those relationships, from the onboarding due diligence and contracting through regular review and monitoring of those relationships to make sure they are still effective? How do we deliver policy and training across those third-party relationships? How do we conduct assessments?
Some of the attendees are up against conflict mineral requirements under the Dodd-Frank Act, which requires them to do reporting beginning in May 2014 where they have to trace minerals across supply chains to see if they're sourcing tin, tantalum, tungsten and gold from the Democratic Republic of Congo or surrounding countries. That's just one element. There are organizations that are struggling with social accountability on international labor standards across their supply chains and vendors.
For others, it's privacy and information security issues. There are lots of challenges in that third-party management area.
How can companies ensure their GRC solution vendors are going to be right for them? What are the questions that they need to be asking?
Rasmussen: That's tricky, because a lot of the GRC solution providers out there will say, "Oh, we can do that," but a lot of times when you dig deeper you realize that while they can build that, they don't necessarily have that in their product. It's not a feature. It's something they can build, but it's going to take them a year or six months to build out and it's going to cost a lot more than you ever anticipated.
Reference checks are critical, but understand the references the vendor gives you should be glowing references. Usually they are giving you the executive that made the decision. It was their budget and they get a pat on the back and get paraded out at the vendor's conferences. That's OK, talk to them, but what's really important is to ask to talk to someone on their team who uses the GRC solution product every day. Sometimes, you'll get a completely different story from the people who use the product every day than from the people who actually made the purchase decision on the product. To me, that's critical.