AIIM White Paper. Managing Governance, Risk and Compliance with ECM and BPM. Sponsored by


About the White Paper

As the non-profit association dedicated to nurturing, growing and supporting the user and supplier communities of ECM (Enterprise Content Management), AIIM is proud to provide this research at no charge. In this way, the entire community can leverage the education, thought leadership and direction provided by our work. Our objective is to present the wisdom of the crowds based on our 80,000-strong community.

We are happy to extend free use of the materials in this report to end-user companies and to independent consultants, but not to suppliers of ECM systems, products and services, other than OpenText and its subsidiaries and partners. Any use of this material must carry the attribution AIIM / OpenText. Rather than redistribute a copy of this report to your colleagues, we would prefer that you direct them to org/research for a download of their own.

Our ability to deliver such high-quality research is made possible by the financial support of our underwriting sponsor, without whom we would have to return to a paid subscription model. For that, we hope you will join us in thanking our underwriter for this support:

OpenText
275 Frank Tompa Drive
Waterloo, Ontario
Canada, N2L 0A1

Process used and survey demographics

The survey results quoted in this report are taken from a survey carried out between 13 March and 06 April 2015, with 211 responses from individual members of the AIIM community surveyed using a Web-based tool. Invitations to take the survey were sent via to a selection of AIIM's 80,000 registered individuals. 76% of respondents are from North America, 14% from Europe, and 10% from elsewhere. They cover a representative spread of industry and government sectors. Results from organizations of less than 10 employees have not been included, bringing the total respondents to Full demographics are given in Appendix 1.

About AIIM

AIIM has been an advocate and supporter of information professionals for nearly 70 years. The association mission is to ensure that information professionals understand the current and future challenges of managing information assets in an era of social, mobile, cloud and big data. AIIM builds on a strong heritage of research and member service. Today, AIIM is a global, non-profit organization that provides independent research, education and certification programs to information professionals. AIIM represents the entire information management community: practitioners, technology suppliers, integrators and consultants. AIIM runs a series of training programs, including the Information Governance Certificate course.

About the author

Doug Miles is Chief Analyst at AIIM. He has over 30 years' experience of working with users and vendors across a broad spectrum of IT applications. He was an early pioneer of document management systems for business and engineering applications, and has produced many AIIM survey reports on issues and drivers for Capture, ECM, Information Governance, Records Management, SharePoint, Big Data, Mobile and Social Business. Doug has also worked closely with other enterprise-level IT systems such as ERP, BI and CRM. He has an MSc in Communications Engineering and is a member of the IET in the UK.

AIIM, 1100 Wayne Avenue, Suite, Silver Spring, MD
OpenText, Frank Tompa Drive, Ontario, Canada, N2L 0A

Table of Contents

About the White Paper
    Process used and survey demographics
    About AIIM
    About the author
Introduction
    Key Findings
Drivers for GRC
    Risks
    Challenges
    Stakeholders
GRC Issues
    Managing Regulatory and Standards Compliance
    Managing the Policy Lifecycle
    Managing Operational Risk
    Managing Audit
    Managing Supply-Chain Risk
Use of ECM/RM/BPM
    Role of ECM/RM/BPM in GRC
    Current Usage
GRC Solutions
    Solution Selection
Opinions and Spend
    Spends
Conclusion and Recommendations
    Recommendations
Appendix 1: Survey Demographics
    Survey Background
    Organizational Size
    Geography
    Industry Sector
    Job Roles
Underwritten by
    OpenText
    AIIM

Introduction

Governance, risk management and compliance, or GRC, is increasingly being seen as a key discipline. The corporate misdemeanors of the past decade, and the resulting fines, refunds and brand damage have created a situation where the long-term detrimental effect of loose governance is being felt both in business and in government. As a result, organizations in a wide range of sectors are much more aware of potential risks, and the need to assess and measure them, while at the same time, legislators and regulators are imposing more and more laws and rules to tighten up business practice. By its nature, if GRC is worth doing, it is worth doing well, and our survey respondents agree that good quality GRC practices are generally a positive benefit to the business rather than a necessary evil.

Operating a best practice GRC regime will involve a number of key steps: pro-active awareness of changes to laws and regulations; decisions on how to change policies and processes to ensure compliance; documentation and dissemination of these changes; implementation of process changes that embed compliance; recording of actions and due process that are evidence of compliance; and measurement of performance to assure senior management and other stakeholders that risk is under control.

ECM, BPM and RM systems (Enterprise Content Management, Business Process Management and Records Management, sometimes combined as EIM, Enterprise Information Management) all have a big role to play in the GRC equation including: information governance for policies, operational monitoring, risk tracking and compliance auditing.

In our survey, we set out to understand which governance, risk and compliance areas are the biggest concern, if and how organizations are using ECM, BPM and RM to solve GRC challenges, and what their plans are to improve their GRC program, processes, and tools.

Key Findings

Drivers

- Reputational risk is twice as big a driver for compliance (44% of respondents) as avoiding fines and penalties (20%). 32% consider being a good corporate citizen to be the prime driver.
- Keeping policies and procedures up to date is a bigger challenge (40%) than keeping up with new and changing regulations (26%). Managing the paperwork to demonstrate compliance is given as the biggest challenge by 19%.
- Security risk (56%) and information privacy risks (52%) are of extreme concern. Then come reputational (48%) and regulatory risk (42%). Financial and operational risks are rated less highly, but are of extreme concern for 35% of our respondents.
- There is a very wide spread of roles deemed to own the GRC program, with Legal (14%) or the GRC committee (12%) most likely, although only 27% have a GRC committee.

GRC Issues

- Adoption of best practice in managing the policy lifecycle is poor. 38% have no scheduled reviews, 28% have no central store for policies, and 18% don't capture employee acceptance.
- 47% struggle with multiple systems to document compliance requirements and 45% use manual processes to track performance against requirements. 19% use home-grown systems that they admit are not efficient or effective.
- The biggest issues with managing operational risk are lack of visibility and control (50%) and no way to track key indicators (27%). Not having a central system for records is an issue for 30%, and 25% struggle to provide management with timely reports.
- 45% of respondents find their biggest challenge with internal audit operations is that processes are manual and inefficient. Having multiple and disparate systems to manage audit information is an issue for 35%.
- Managing supply-chain risk is made difficult by vendor information not being stored in one place, nor being up-to-date for 35%. Gaining risk visibility of vendors and classifying them by risk profile is problematic for 25%.
- 81% support the view that GRC is good for business, although there is crossover with the 42% who consider it to be a necessary evil.

Use of ECM/RM/BPM

- ECM and RM are used widely for policy management (69%), BPM for tracking and resolution (20%) and GRC tools for managing IT threats (30%), but all four are used across the range of GRC management.
- 67% see ECM, BPM and RM as essential to solving GRC problems. 27% would like to use these tools for GRC, but the systems they have are not well optimized for this purpose.
- 40% feel that they are achieving regulatory compliance by using their ECM/RM system, but 78% feel they could get much more value from these systems.

GRC Solutions

- Ability to integrate with existing infrastructure (43%) and ease-of-use (35%) are given as the most important selection factors for GRC solutions, along with price (37%).
- 46% of the organizations surveyed plan to spend more on GRC software or services in the next 12 months, including 15% spending more on software licences, and 19% on vendor implementation services.

Drivers for GRC

The traditional justification for investment in compliance has been to avoid fines and penalties from regulators, but as customer perception of the brand has shifted from the controlled media world of advertising and publishing to uncontrolled social media and rolling news, the need to present a clean and responsible image has become paramount. For non-commercial organizations, citizen power and political criticism create just as strong an imperative to protect the brand. As a result, we can see in Figure 1 that twice as many respondents (44%) consider reputational risk to be the prime driver for GRC in their organizations rather than avoiding penalties and fines (32%). In between are 32% who consider it part of good corporate stewardship.

Figure 1: What is your organization's main driver for regulatory compliance? (N=197, one answer only)
Values shown:
- Reputational risk for noncompliance, 44%
- Being a good corporate citizen; it's the law, 32%
- Avoiding fines and penalties, 20%
- Shareholder/stakeholder pressure, 5%

Risks

Risk management has also become more sophisticated. It is hardly surprising that banking and insurance businesses would take a more measured view of compliance costs versus compliance risks; risk balancing is what they do every day as part of their core business. However, they would also be keen to quantify risk, and to ensure that any risk exposure is both measured and monitored. Many of the huge fines incurred in the banking sector have been the result of over-eagerness to win business, as well as poor monitoring of process. Underestimating the potential fallout from data breaches, price-fixing, money laundering, environmental failures, etc. has proved very damaging to some very large corporations, and strong and durable GRC practices can be an important buffer against poor business decisions.

When rated for significance, information security and privacy are the risks that raise most concern, greater, in fact, than financial or operational risk. With the aggressive growth in digital data and resulting increases in compliance obligations, this finding is not surprising. Reputational risk and regulatory risk can result, of course, from a loss of sensitive or private information, especially if customer related, and they rank at three and four.

Figure 2: Please rate your concern for each of the following types of risk and the potential impact they could have on your organization. (N=197)
Risk types shown:
- Information security
- Information privacy
- Reputational risk
- Regulatory & compliance risk
- Financial risk
- Operational risk
- Corp & social responsibility
- Political & geopolitical risk
- Supply chain & vendor management risk
Rating scale: Extremely concerned; Very concerned; Somewhat concerned; Not too concerned

Challenges

Given the backdrop of constantly changing regulations, one might feel that simply keeping up with the latest rulings and legislation would prove to be the biggest challenge (26%), but it turns out that updating policies, procedures and process instructions to reflect required changes ranks higher (40%). Managing the paperwork and records associated with demonstrating compliance is also a big headache (19%). Taking these two together, we can see that document-centric issues are at the core of GRC management, and are proving problematical for many organizations.

Figure 3: What would you consider your organization's biggest challenge when it comes to regulatory compliance or risk management? (Choose only one) (N=198)
Response options shown:
- Keeping policy and procedures up-to-date
- Keeping up with new and changing regulations and standards
- Paperwork associated with demonstrating compliance
- Managing global legislative requirements
- Reporting to regulatory bodies (timely and accurately)
- Reporting to Board and Executive Management

Stakeholders

Despite the critical importance that GRC plays in the health and compliance culture of any organization, allocation of key leadership roles for strategy setting and ownership of the program is very broad, with little in the way of consensus as to where this responsibility lies. The Chief Legal Officer or General Counsel is the most likely to own the GRC process, but only in 14% of organizations. Or it may be run by a GRC Committee for 12% of organizations, but only 29% of organizations actually have such a committee. Interestingly, the Chief Compliance Officer takes the lead for just 10%, even though 40% of organizations answering the survey have one. 50% have a Chief Information Security Officer and 35% a Chief Risk Officer.

The CIO is likely to play a role in most businesses, particularly in the security side of things, and it is reassuring that the CEO is involved for 70%, along with the CFO (72%) and the COO (59%). What the findings seem to point to is that there are a number of different functions participating in GRC planning, not only traditional departments like Compliance, Risk and Audit, but also across the financial and operational areas, and, of course, IT. However, there is no obvious choice of leader, which can make it difficult to generate a GRC discipline where one does not exist at present.

Figure 4: Which stakeholders play leadership roles in setting the strategy for your governance, risk and compliance (GRC) program? (N=193)
Roles shown:
- Chief Legal Officer/General Counsel
- GRC Committee
- Chief Information Officer
- Chief Compliance Officer
- Chief Executive Officer
- Chief Risk Officer
- Director, Compliance
- Chief Financial Officer
- Chief Operating Officer
- Chief Information Security Officer
- Internal Audit
- Director, Enterprise Risk
- Line of Business Executives
Response scale: Owns GRC program; Plays a role; Does not play a role; We do not have one

GRC Issues

As we mentioned in the introduction, there are a number of distinct elements of a best practice GRC discipline. Monitoring changes and maintaining awareness of regulatory standards that affect the business is critical, and in order to maintain standards certification or compliance, continuous monitoring is needed. These standards and regulations are likely to be incorporated into operational policies, and these policies need to be managed through their lifecycles of introduction, revision, and retirement. Managing and containing risk in a systematic way is a core requirement, both for internal risk, and for external supply chain risk. Continuous audit and reporting to senior management and stakeholders is also important.

Managing Regulatory and Standards Compliance

Documenting compliance requirements and outcomes across multiple disparate systems is given as the biggest issue with managing regulatory and standards compliance, more so than keeping up with the changes and their potential impact on the business. Using manual processes to capture and track compliance requirements and controls is time-consuming and error-prone. Many organizations have home-grown systems to do this which are not efficient or effective.

Figure 5: What have been the biggest issues with managing regulatory and standards compliance (e.g. Sarbanes-Oxley, ISO 9000, ISO 27001, etc.) in your organization? (MAX 3) (N=157)
Response options shown:
- Having multiple and disparate systems to document compliance requirements and outcomes
- Using manual processes to capture and track compliance requirements, controls and mapping
- Keeping up with changes in regulations and standards and their impact on our obligations
- Not having clear visibility into our organization's risk and compliance profiles
- Using a home-grown system that is not efficient or effective
- Inability to generate and produce accurate and timely reports
- Inability to meet compliance deadlines from regulators and audits

Managing the Policy Lifecycle

Corporate policies are the direct link between an organization's vision and their day-to-day operations. Policies provide the rules to guide employee decision-making, handle issues and set overall business behavior. Managing policy changes and alerting staff to those changes is a major challenge. Policies should be kept up-to-date with a defined review schedule. Best practice would suggest that all policies be posted in a central repository and managed for versions. Management approvals are most effective and efficient when controlled by automated document workflows. Employee training and formal policy acceptance should be tracked and recorded.

Unfortunately, we can see from Figure 6 that best practice is losing out in most areas. Only 9% are confident that their policies are up-to-date and only 26% hold regular reviews. Although most do use a central repository such as ECM or a company intranet for policies, 28% have no official location for all policies, and only 15% use automated workflows for policy sign-off. 18% admit that they do not capture or record policy acceptance by employees.

Figure 6: How does your organization currently manage the policy lifecycle? [Select all that apply] (N=159)
Response options shown:
We are confident that all our policies are up-to-date
- Some of our policies are out-of-date and require updating
We follow a defined policy review schedule
- Policy reviews and updates are more reactionary than scheduled
All policies are posted in a central repository like an ECM or company intranet
- There is no central official location for all policies
Policy approvals are done via automated workflows
- Approvals for policy creation and updates are done via
We have a system to track employee training completion and policy acceptance
- We do not capture policy acceptance by employees

We can see these contrasting practices highlighted as issues in Figure 7 where ensuring that employees read, understand and acknowledge acceptance of policies is given as the biggest issue, along with ensuring that they take training, and, of course, identifying those who do not adhere to the policy. Not having a central system of record for all GRC related policies and assessments is also a significant issue for many.

AIIM 2015 / OpenText 2015

Figure 7: What have been the biggest issues with managing the policy lifecycle in your organization? (MAX 3) (N=151, excl. N/As)
Response options shown:
- Ensuring employees read, understand and acknowledge acceptance of policies
- Ensuring that policies are regularly reviewed and updated
- Keeping up with regulatory changes that may impact policies
- Providing senior management with required metrics, detailed reports and a clear audit
- Not having a central system of record for all policies and related information
- Identifying employees who have not adhered to a policy
- Ensuring employees have taken required training, as mandated by policies e.g. ethics
- Keeping track of policy inventory, currency and approvals

Managing Operational Risk

Operational risk can be described as the risk of business operations failing due to human error; and the risks will vary from industry to industry. Anyone tasked with managing and limiting operational risk would love to be able to readily identify where and what those risks are, and even better, to have personal control over them. In reality, risk officers can only strive to do their best with the tools available to them. Even where the risks are known, having an effective way to track and audit them through KPIs and KRIs (Key Risk Indicators) is vital if they are to be reported to senior management and auditors. Once again, we see in Figure 8 that a central system of record is considered to be very important.

Figure 8: What have been the biggest issues with managing operational risk in your organization? (MAX 3) (N=155)
Response options shown:
- Not having visibility into, and control over, the multitude of internal and external risks facing our organization
- Ensuring that risk controls are regularly reviewed and updated
- Not having a central system of record for all corporate policies, standards, guidelines, and procedures
- Inability to effectively and efficiently track audit KPIs and KRIs (key risk indicators)
- Providing senior management and auditors with required metrics and detailed reports quickly and accurately
- Keeping up with risk framework changes e.g. getting updates specific to our industry
- None of these/not applicable

Managing Audit

The role of Internal Audit is a critical but sometimes difficult one: to provide independent and objective assurance that an organization's risk management, governance and internal control processes are operating effectively and ethically. Demonstrable confirmation of compliance can only be achieved by suitable and regular audits. The work involved in these is hugely dependent on the efficiency of the audit process, the number of systems involved, and the degree of automated tracking and verification that is in place. For nearly half of our respondents, the internal audit process is manual and inefficient, and documenting requirements and outcomes across the multiple systems and process workflows involved makes things challenging.

Figure 9: What have been the biggest issues with managing the internal audit operations in your organization? (MAX 3) (N=153)
Response options shown:
- The internal audit process is manual and inefficient
- Having multiple and disparate systems to document audit requirements and outcomes
- Keeping up with the growing number and types of audits required
- Inability to effectively and efficiently track audit KPIs and KRIs (key risk indicators)
- Keeping up with changes in regulations and standards and their impacts on audit requirements
- Inability to generate and produce accurate and timely audit reports

Managing Supply-Chain Risk

Supply chains and sub-contracted operations are becoming increasingly complex, particularly in the manufacturing sector. Extending internal control and visibility into the supply-chain may involve a wide range of contractors, suppliers, partners, vendors, and other third parties. Generally, findings below show that vendor information is not in one place and is not up-to-date. Many organizations are struggling to keep an inventory of their suppliers, and to classify them by risk profile. It is also apparent that many do not carry out formal vendor on-boarding or conduct reliable assessments to ensure the third parties they work with are compliant.

Figure 10: What have been the biggest issues with managing supply-chain risk - vendors you do business with such as contractors, suppliers, partners and other 3rd parties? (MAX 3) (N=152)
Response options shown:
- Keeping an authoritative inventory/database of our suppliers/vendors that is accurate and current
- Need to improve the way we classify our vendors, i.e. based on risk they pose
- Not having clear visibility into our organization's risk profiles as it pertains to our vendors
- Lack of formal, repeatable vendor on-boarding process
- Having multiple and disparate systems to document supplier information
- Not being clear on the scope of assessments required for each vendor
- Suppliers not motivated to complete surveys/provide requested info for assessment

Use of ECM/RM/BPM

Given that many of the GRC challenges we saw earlier are centred on documents and document processes, we would expect that traditional document handling and records management tools would play a strong part in solving GRC problems. ECM and RM are particularly important for managing policy creation, updates and dissemination, given that collaboration, versioning, audit trails, publication and record-keeping are involved. They also figure strongly in other aspects of the GRC process such as an internal audit workflow or as the central repository for vendor information. Respondents indicate that BPM also has a large role to play in GRC, particularly within supply chain/vendor risk management, and in tracking compliance and incident management. Dedicated GRC toolsets are part of the mix for many organizations, particularly for IT security threats.

Figure 11: To what extent are you using ECM, BPM, RM and GRC tools to solve the following GRC business problems? (N=143, line-length indicates None of these)
Business problems shown:
- Managing policy creation, updates and dissemination
- Automating the audit process
- Managing supplier/vendor risk
- Risk identification, tracking and remediation
- Incident identification, tracking and resolution
- Managing IT security threats
- Tracking regulatory and standards compliance (controls monitoring)
Series: ECM; BPM; RM; GRC Tools

Looking in more detail, we asked about specific ECM/RM functionalities that would be important to solving GRC problems. All of the classic capabilities of an ECM or EIM suite come into play, headed up by records management and document management, but also management, and more on the BPM side, audit trails and workflow. E-discovery appears above Enterprise Search, although both will be involved in routine checks, and any investigations or incidents. Auto-classification is deemed important by half the respondents, not surprising given that a leading driver to implement ECM/RM is to meet regulatory records retention requirements. The finding is also a strong endorsement of the need to move away from reliance on staff to do the right things - filing content in the right places and securing or redacting sensitive information - towards computer analytics where, once set, the rules will be followed every time.

We found it interesting that only 24% of respondents cited mobile access as important for GRC, although this is in line with mobile access across other areas of content management. Many of those involved with GRC would probably balance the benefits for their own role against the considerable threat to compliance that general data access on mobile presents.

12 Figure 12: Which of the following ECM/RM functionalities are, or would be important for solving your GRC problems? (N=172)
[Chart categories: Records management; Document management; management; Audit trail; BPM and workflow; E-discovery; Auto-classification; Enterprise search; Capture; Reporting/BI; Content analytics/big data; Case management; Mobile access; Internal/workplace social tools]

Role of ECM/RM/BPM in GRC

Based on previous AIIM surveys, many organizations have incomplete ECM and RM implementations; they are struggling to achieve universal adoption, not enabling records management capability or using it poorly. Sometimes organizations can also struggle with BPM or workflow, understanding the value these technologies bring but unable to capitalize on them. So it is reassuring to see that 67% consider these systems to be essential to GRC, and that they need to be optimized for this purpose. We believe that most of the respondents have an understanding that the core components of a GRC platform include a central repository with audit trails, workflow, and reporting capabilities, all inherent in ECM and BPM suites.

Figure 13: How do you feel generally about the use of ECM, BPM and RM to solve GRC business problems? (N=168)
[Chart values: They aren't relevant. There are GRC pure play technologies for that, 2%; They can augment GRC-specific technologies but aren't central, 30%; They are essential and should be optimized for that purpose, 67%]

13 Current Usage

When we look at current use of ECM, RM and BPM for GRC, they are either acknowledged as a core part of the GRC program (14%) or they constitute the main play for governance and compliance, even though there is no official GRC discipline as such (29%). A further 27% feel that they should be a core part of the program, although right now their systems are not optimized to do so, or as an organization, they have insufficient knowledge in this area.

Figure 14: How would you best describe the use of ECM, BPM and RM to solve GRC business problems in your organization today? (N=171)
[Chart categories: They are an essential part of the GRC program in our organization; We do not have a GRC discipline as such, but our ECM/RM is our main play for governance, risk management and compliance; We would like to use them more for GRC purposes, but need to better understand how; We would like to use them more, but they are not optimized for GRC; We have elements of a GRC discipline, but ECM/RM do not play strongly; We don't have ECM/RM]

GRC Solutions

We have seen that for many organizations, ECM, BPM and RM systems cover or could cover the bulk of their GRC needs, but that a degree of optimization and supplemental tools would improve their capability. From Figure 14 we can see that only 8% of our respondents have successfully implemented an enterprise-wide GRC platform, although 25% are in the process of implementing one. 45% have no GRC solution in place. 22% are using in-house developed systems, and a similar number are reliant on their ERP/finance system, albeit that these are not generally optimized for records management nor document generation, circulation and approval processes.

Figure 15: How would you best characterize your organization's experience with governance, risk and compliance (GRC) solutions? (N=171)
[Chart values: Currently using a company-wide GRC platform, 3%; Integrating GRC projects across departments, 11%; Implementing an integrated, company-wide GRC platform, 14%; One or more GRC technologies at the departmental level, 22%; Looking to add capability to existing GRC system(s), 5%; Looking to replace existing GRC system(s) with a new one, 1%; No system, no plans, 14%; No system, but need to learn more, 20%; No system, but plans in the next 12-18 months, 11%]

14 Solution Selection

GRC solutions are offered as an integrated platform as well as discrete applications to solve specific use cases. They are offered in the traditional perpetual license model as well as cloud and subscription-based deployments. A key factor for our respondents in GRC solution selection is the ability to integrate with existing infrastructure, more so than features, vendor reputation and formal solution evaluations. The importance of integration is likely based on the need for GRC to pull important data and information from other source applications such as ERP and other disparate central repositories. Price is the next most important factor, followed by ease of use and the ability to deploy quickly and easily, both becoming key requirements for any IT solution these days.

Figure 16: What are/would be the most important factors influencing your GRC solution selection? (MAX 3) (N=86, excl. 97 Don't Know)
[Chart categories: Ability to integrate with existing infrastructure; Price; User experience/ease of use; Ability to deploy quickly and easily (time to value); Advanced solution features and functionality; Vendor reputation and expertise; Placement of product on published analyst reports e.g. Forrester Wave, Gartner Magic Quadrant; Cloud/SaaS deployment options; We have no plans to acquire a GRC solution]

Opinions and Spend

There is full support of the view that risk management and regulatory pressure are increasing, and that ECM/RM solutions provide capabilities to help meet these needs (85%). In fact 50% are using ECM/RM to achieve regulatory compliance today. A significant number of respondents (78%) feel that their ECM/RM system could provide much more value, indicating perhaps that they have yet to use it to solve GRC problems. Inevitably, 80% feel that cloud is increasing risk, particularly across data privacy and data security, although the benefits need to be weighed against this. As a positive note, 81% would agree that GRC is good for business, although 42% consider it to be a necessary evil, so there must be some overlap here.

15 Figure 17: How do you feel about the following statements? (N=154)
[Chart statements: We are more concerned about risk management and under more regulatory pressure than ever before; ECM/RM systems provide capabilities to help organizations meet their compliance requirements; Our organization could get much more value from our ECM solution; We are using our ECM/RM system to achieve regulatory compliance; Adopting cloud computing introduces new risks and compliance challenges; GRC is a necessary evil; GRC is good for business. Scale: Strongly Disagree, Disagree, Neither Agree nor Disagree, Agree, Strongly Agree]

Spend

46% of the organizations surveyed plan to spend on GRC software or services in the next twelve months including 15% on licenses and 12% cloud/SaaS services. As might be expected for such a crucial function, but where little expertise resides in-house, 24% are looking for help from advisory professional services.

Figure 18: Do you plan to spend anything in the following areas in the next 12 months - for governance, risk management and compliance only? (Choose all that apply) (N=147)
[Chart categories: Software licenses for GRC; Cloud/SaaS services for GRC; Vendor implementation services; Independent implementation services; Advisory professional services; External training; We do not have any spending plans for GRC-specific investments]

16 Conclusion and Recommendations

GRC is growing in usage as a term to describe the discipline of having executive oversight and management, meeting designated standards, complying with laws and regulations, and assessing and mitigating risk to the organization. Among our survey respondents, only 15% of individuals were not aware of it as a domain, but 29% feel that their organization in general is not aware of the term.

Good GRC and ECM/BPM intersect when organizations have sound record keeping practices, a secure central content repository for key records, and business processes are consistent, auditable, and tracked. Many of the elements involved in meeting compliance and regulatory requirements are best managed by content and records management systems, particularly where core business processes are document-centric. ECM and RM also come into their own for the management of policy records, internal audit evidence, or documents related to an incident. BPM and workflow systems can provide automated scheduling and approvals, management dashboard and reporting, and risk and compliance monitoring.

We have highlighted many specific issues related to policy lifecycle management, operational risk control, internal audit, and supply chain management, but a common thread we have found is that key documentation is not stored in one place, processes are inefficient and manual, and systems are home-grown. ECM, BPM and RM have important roles to play in solving the GRC challenge and organizations that understand this are often on the higher end of the GRC maturity scale.

Recommendations

Consider bringing together your multiple compliance, security and risk management groups under a single GRC regime, headed up by a GRC Committee, or a designated Chief Compliance Officer. Involve Legal, IT, HR, Finance and Line of Business departments, and seek endorsement of GRC authority from the highest level.

Look to standardize procedures for regulatory awareness and training, policy generation and approval, policy dissemination, staff agreement, operational monitoring and audit.

Bring the power of ECM, BPM and RM to your GRC program, defining review, update and approval processes, and where possible, automating collection of important compliance audit trails and reports.

Bake compliance into the process by making full use of ECM and BPM, and where possible, using automated analytics to enforce consistent rules and metadata.

Establish KPIs and KRIs, and use these to provide senior management with visibility of current performance against GRC objectives, and any related risk exposure.

17 Appendix 1: Survey Demographics

Survey Background

The survey was taken by 211 individual members of the AIIM community between 13 March and 06 April 2015, using a web-based tool. Invitations to take the survey were sent via to a selection of the 80,000+ AIIM community members.

Organizational Size

Organizations of 10 employees or less and suppliers of ECM products or services are excluded from all of the results in this report. On this basis, larger organizations (over 5,000 employees) represent 29%, with mid-sized organizations (500 to 5,000 employees) at 41%. Small-to-mid sized organizations (10 to 500 employees) represent 30%.

[Chart values: emps, 11%; emps, 19%; 501-1,000 emps, 11%; 1,001-5,000 emps, 30%; 5,001-10,000 emps, 7%; Over 10,000 emps, 22%]

Geography

US and Canada make up 76% of respondents, with 14% from Europe and 10% elsewhere.

[Chart values: US, 58%; Canada, 18%; UK, Ireland, 6%; Western Europe, 7%; Eastern Europe, Russia, 2%; Australia, NZ, 5%; Asia, Far East, 1%; Middle East, Africa, S.Africa, 3%; Central, S.America, 3%]

18 Industry Sector

National and local government, and public services, represent 22%. Finance, banking and insurance represent 17%. Energy 9%. The remaining sectors are evenly split.

[Chart values: Government & Public Services - Local/State, 15%; Government & Public Agencies - National/International, 7%; Financial Services, Banking, Insurance, 17%; Energy, Oil & Gas, Mining, 9%; IT & High Tech, 7%; Education, 6%; Telecoms, Water, Utilities, 6%; Non-Profit, Charity, 5%; Manufacturing, Consumer Goods, Aerospace, Food, Process, 4%; Document Services Provider, 4%; Healthcare, 4%; Legal and Professional Services, 4%; Media, Entertainment, Publishing, 4%; Consultants, 3%; Life Science, Pharmaceutical, 2%; Retail, Transport, Real Estate, 2%; Engineering & Construction, 2%; Other, 2%]

Job Roles

56% of respondents are from records or information management, 23% are from IT, 15% general business and 8% compliance or legal.

[Chart values: Records or document management staff, 29%; Head of records/information management, 27%; IT staff, 12%; IT Consultant or Project Manager, 7%; Head of IT, 4%; Business Consultant, 8%; Line-of-business exec., dept. head or process owner, 4%; President, CEO, MD, 3%; Risk Management, 3%; Legal/Corporate Counsel, 2%; Corporate Compliance/Ethics, 2%; Head of IT Security, 1%]


More information

The Benefits of PLM-based CAPA Software

The Benefits of PLM-based CAPA Software For manufacturers in industries that produce some of the world s most complex products, effective quality management continues to be a competitive advantage. Whether in automotive, aerospace and defense,

More information

Cloud Collaboration Study: Benefits of a secure & easy to use collaboration platform

Cloud Collaboration Study: Benefits of a secure & easy to use collaboration platform Cloud Collaboration Study: Benefits of a secure & easy to use collaboration platform Marcia Kaufman, COO and Principal Analyst Daniel Kirsch Senior Analyst Introduction Collaboration between employees,

More information

Information. Challenges in Capital Projects and. Enterprise Asset Management. 2 Foreward 4. 15 Appendix WHITE PAPER

Information. Challenges in Capital Projects and. Enterprise Asset Management. 2 Foreward 4. 15 Appendix WHITE PAPER WHITE PAPER Information Challenges in Capital Projects and Enterprise Asset Management sponsored by: A Joint PennEnergy OpenText Survey Report on Information Management Challenges in Capital Projects and

More information

Maximizing Sales Performance

Maximizing Sales Performance WHITE PAPER Maximizing Sales Performance at Store Level Gaining Real Time Insight through Quick, Cost Effec ve Retail Audits Enabling CPG Manufacturers to Verify Shelf, Promo on, and Compe on Status SUMMARY

More information

Real World Strategies for Migrating and Decommissioning Legacy Applications

Real World Strategies for Migrating and Decommissioning Legacy Applications Real World Strategies for Migrating and Decommissioning Legacy Applications Final Draft 2014 Sponsored by: Copyright 2014 Contoural, Inc. Introduction Historically, companies have invested millions of

More information

Watch SharePoint 2013. AIIM Market Intelligence. Industry. Clouding the issues. Delivering the priorities and opinions of AIIM s 80,000 community

Watch SharePoint 2013. AIIM Market Intelligence. Industry. Clouding the issues. Delivering the priorities and opinions of AIIM s 80,000 community AIIM Market Intelligence Delivering the priorities and opinions of AIIM s 80,000 community Underwritten in part by: aiim.org l 301.587.8202 About the Research As the non-profit association dedicated to

More information

Certified Information Professional 2016 Update Outline

Certified Information Professional 2016 Update Outline Certified Information Professional 2016 Update Outline Introduction The 2016 revision to the Certified Information Professional certification helps IT and information professionals demonstrate their ability

More information

Watch. The SharePoint Puzzle. AIIM Market Intelligence. - adding the missing pieces. Delivering the priorities and opinions of AIIM s 65,000 community

Watch. The SharePoint Puzzle. AIIM Market Intelligence. - adding the missing pieces. Delivering the priorities and opinions of AIIM s 65,000 community AIIM Market Intelligence Delivering the priorities and opinions of AIIM s 65,000 community Underwritten in part by: aiim.org I 301.587.8202 About the Research As the non-profit association dedicated to

More information

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015 Breaking Down the Silos: A 21st Century Approach to Information Governance May 2015 Introduction With the spotlight on data breaches and privacy, organizations are increasing their focus on information

More information

Information Governance Workshop. David Zanotta, Ph.D. Vice President, Global Data Management & Governance - PMO

Information Governance Workshop. David Zanotta, Ph.D. Vice President, Global Data Management & Governance - PMO Information Governance Workshop David Zanotta, Ph.D. Vice President, Global Data Management & Governance - PMO Recognition of Information Governance in Industry Research firms have begun to recognize the

More information

Solutions. Risk and Compliance Financial Control Solutions - For Insurance Companies

Solutions. Risk and Compliance Financial Control Solutions - For Insurance Companies Solutions Risk and Compliance Financial Control Solutions - For Insurance Companies Solutions The business landscape for insurance companies is changing. Investors are demanding protection alongside profit

More information

2014 Financial Services Industry Compliance Benchmark Study

2014 Financial Services Industry Compliance Benchmark Study 2014 Financial Services Industry Compliance Benchmark Study Presented By: and Executive Summary Beginning in early December 2013, SAI Global Compliance conducted a survey among compliance professionals

More information

Integrating GRC with Performance Management Demands Enterprise Solutions

Integrating GRC with Performance Management Demands Enterprise Solutions As published in the April n May n June 2008 issue of Integrating GRC with Performance Demands Enterprise Solutions by Lee Dittmar, Principal, Deloitte Consulting LLP and Peter Vogel, Senior Manager, Deloitte

More information

Emptoris Contract Management Solution for Healthcare Providers

Emptoris Contract Management Solution for Healthcare Providers Emptoris Contract Management Solution for Healthcare Providers An Emptoris White Paper Emptoris, an IBM Company www.emptoris.com CMS-HP-4/12 Emptoris Contract Management Solution for Healthcare Providers

More information

Watch. Business Process Management - are we making the most of content-driven processes?

Watch. Business Process Management - are we making the most of content-driven processes? AIIM Market Intelligence Delivering the priorities and opinions of AIIM s 65,000 community Underwritten in part by: About the Research As the non-profit association dedicated to nurturing, growing and

More information

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK Executive Summary Core statements I. Cyber security is now too hard for enterprises The threat is increasing

More information

Key Trends, Issues and Best Practices in Compliance 2014

Key Trends, Issues and Best Practices in Compliance 2014 Key Trends, Issues and Best Practices in Compliance 2014 What Makes This Survey Different Research conducted by independent third party Clients and non-clients 301 executive decision makers 35 qualitative

More information

Connecting your global manufacturing company NEXT»

Connecting your global manufacturing company NEXT» NEXT» 2 Procurement/Purchasing Accounting & Finance Human Resources Operations IT Engineering Legal & Governance, Risk & Compliance (GRC) Research & Development Sales/Customer Service Logistics & Supply

More information

Agenda. You are not in the business to manage records

Agenda. You are not in the business to manage records Global Records and Information Management Risk: Proactive and Practical Approaches to Effective Records Management September 16, 2014 Maura Dunn, MLS, CRM Lee Karas, MBA Agenda Drivers for your Records

More information

Reducing Cost and Risk Through Software Asset Management

Reducing Cost and Risk Through Software Asset Management RESEARCH SUMMARY NOVEMBER 2013 Reducing Cost and Risk Through Software Asset Management A survey conducted by CA Technologies among delegate attendees at the 2013 Gartner IT Financial, Procurement & Asset

More information

!!!!! White Paper. Understanding The Role of Data Governance To Support A Self-Service Environment. Sponsored by

!!!!! White Paper. Understanding The Role of Data Governance To Support A Self-Service Environment. Sponsored by White Paper Understanding The Role of Data Governance To Support A Self-Service Environment Sponsored by Sponsored by MicroStrategy Incorporated Founded in 1989, MicroStrategy (Nasdaq: MSTR) is a leading

More information

HR Function Optimization

HR Function Optimization HR Function Optimization People & Change Advisory Services kpmg.com/in Unlocking the value of human capital Human Resources function is now recognized as a strategic enabler, aimed at delivering sustainable

More information

Current Challenges in Managing Contract Lifecycle Management

Current Challenges in Managing Contract Lifecycle Management Current Challenges in Managing Lifecycle Management s are the bloodline of your business. Due to increased pressure in volume, complexity and regulatory compliance, contracts have evolved from a simple

More information

Rethinking Your Finance Functions

Rethinking Your Finance Functions Rethinking Your Finance Functions Budgeting, Planning & Technology BDO Canada Daniel Caringi ( dcaringi@bdo.ca ) September 25th, 2014 A journey of a thousand miles must begin with a single step. - Lao

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

Content Analytics - research tools for unstructured content and rich media

Content Analytics - research tools for unstructured content and rich media AIIM Market Intelligence Delivering the priorities and opinions of AIIM s 65,000 community - research tools for unstructured content and rich media Underwritten in part by: Send to a friend aiim.org I

More information

One Phone, No Tradeoffs: Remaking Mobile for the Modern Workplace.

One Phone, No Tradeoffs: Remaking Mobile for the Modern Workplace. One Phone, No Tradeoffs: Remaking Mobile for the Modern Workplace. The costly and fragmented services that companies have to manage are making communication harder instead of easier. INTRODUCTION Everyone

More information

Business Intelligence Competency Centers People + Information = Intelligence. Timo Elliott

Business Intelligence Competency Centers People + Information = Intelligence. Timo Elliott Business Intelligence Competency Centers People + Information = Intelligence Timo Elliott 1.Why have a BI Competency Center 2.BICC Organization and Staffing 3.BICC Functional areas and Key Tasks 4.Creating

More information

Compliance by Design (CbD)

Compliance by Design (CbD) Compliance by Design (CbD) Building an Effective & Sustainable Compliance Program Dale Skivington Executive Director, Global Compliance and Privacy Dell today Technology has always been about enabling

More information

Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified.

Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified. Asset management Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified. Data is about more than numbers. It tells

More information

quality control & industry compliance

quality control & industry compliance MANUFACTURING KNOW HOW Guide 4 How to improve quality control & industry compliance 4 STEPS TO IMPROVE your business CRITICAL QUESTIONS to ask yourself LEARN FROM best in class manufacturers FIND OUT how

More information

Laserfiche for Federal Government MEET YOUR AGENCY S MISSION

Laserfiche for Federal Government MEET YOUR AGENCY S MISSION Laserfiche for Federal Government MEET YOUR AGENCY S MISSION HOW ENTERPRISE CONTENT MANAGEMENT Serves Civilian and Defense Agencies Whether a federal agency supports farmers in the field, soldiers overseas

More information

ACCELUS COMPLIANCE MANAGER FOR FINANCIAL SERVICES

ACCELUS COMPLIANCE MANAGER FOR FINANCIAL SERVICES THOMSON REUTERS ACCELUS ACCELUS COMPLIANCE MANAGER FOR FINANCIAL SERVICES PROACTIVE. CONNECTED. INFORMED. THOMSON REUTERS ACCELUS Compliance management Solutions Introduction The advent of new and pending

More information

What You Don t Know Does Hurt You: Five Critical Risk Factors in Data Warehouse Quality. An Infogix White Paper

What You Don t Know Does Hurt You: Five Critical Risk Factors in Data Warehouse Quality. An Infogix White Paper What You Don t Know Does Hurt You: Five Critical Risk Factors in Data Warehouse Quality Executive Summary Data warehouses are becoming increasingly large, increasingly complex and increasingly important

More information

14 October 2015 ISACA Curaçao Conference By: Paul Helmich

14 October 2015 ISACA Curaçao Conference By: Paul Helmich Governance, Risk & Compliance A practical approach 14 October 2015 ISACA Curaçao Conference By: Paul Helmich Topics today What is GRC? How much of all the GRC literature, tools, etc. do I need to study

More information

Enterprise Content Management for Procurement

Enterprise Content Management for Procurement Enterprise Content Management for Procurement Extending SAP capabilities is a key aspect of advanced Enterprise Content Management Today s procurement departments need extended content management solutions,

More information

How Aaron s Achieved Process Improvement & Savings Through Managed TEM

How Aaron s Achieved Process Improvement & Savings Through Managed TEM CASE STUDY CASSINFO.COM How Aaron s Achieved Process Improvement & Savings Through Managed TEM Overview More than 2,100 stores 1,800 fixed & wireless invoices processed monthly 100+ telecom carriers Challenges

More information

The Business Case for Enterprise Content Management. A Collection of Enterprise Content Management (ECM) and Document Management Research Data

The Business Case for Enterprise Content Management. A Collection of Enterprise Content Management (ECM) and Document Management Research Data The Business Case for Enterprise Content Management A Collection of Enterprise Content Management (ECM) and Document Management Research Data Table of Contents Introduction... 3 Factors Driving the Proliferation

More information

Application Overhaul. Key Initiative Overview

Application Overhaul. Key Initiative Overview Scott D. Nelson Research Managing Vice President This overview provides a high-level description of the Application Overhaul Key Initiative. IT leaders can use this guide to understand how to develop an

More information

WHITEPAPER. Gaining Visibility and Cost Efficiencies via a Strategic IT Asset Management Solution. Network control. Network integration

WHITEPAPER. Gaining Visibility and Cost Efficiencies via a Strategic IT Asset Management Solution. Network control. Network integration WHITEPAPER Gaining Visibility and Cost Efficiencies via a Strategic IT Asset Management Solution CIOs are endlessly scrambling to manage inefficient manual and electronic processing of IT, telecom and

More information

Department-wide Systems and Capital Investment Program

Department-wide Systems and Capital Investment Program Department-wide Systems and Capital Investment Program Mission Statement The Department-wide Systems and Capital Investments Program (DSCIP) is authorized to be used by or on behalf of the Treasury Department

More information

The business of sustainability

The business of sustainability 96 The business of sustainability More companies are managing sustainability to improve processes, pursue growth, and add value to their companies rather than focusing on reputation alone. Sheila Bonini

More information

Cracking the Code on Software License Management

Cracking the Code on Software License Management Cracking the Code on Software License Management Overview of IT Asset Management Integration Integration of the physical, financial, and contractual attributes of IT assets Enables the delivery of timely

More information

Simplify And Innovate The Way You Consume Cloud

Simplify And Innovate The Way You Consume Cloud A Forrester Consulting October 2014 Thought Leadership Paper Commissioned By Infosys Simplify And Innovate The Way You Consume Cloud Table Of Contents Executive Summary... 1 Cloud Adoption Is Gaining Maturity

More information

Washington State s Use of the IBM Data Governance Unified Process Best Practices

Washington State s Use of the IBM Data Governance Unified Process Best Practices STATS-DC 2012 Data Conference July 12, 2012 Washington State s Use of the IBM Data Governance Unified Process Best Practices Bill Huennekens Washington State Office of Superintendent of Public Instruction,

More information

Achieving a Step Change in Digital Preservation Capability

Achieving a Step Change in Digital Preservation Capability Essential Guide Achieving a Step Change in Digital Preservation Capability An assessment of Preservica using the Digital Preservation Capability Maturity Model (DPCMM) Executive Summary Nearly every organization

More information

Choosing the Right ERP Solution:

Choosing the Right ERP Solution: Choosing the Right ERP Solution: 3 CRITERIA FOR SUCCESS Table of Contents 1 2 Who We Are 3 The Key to Better Business Performance 4 ERP as the Focal Point of Your Business 5 Why Some ERP Solutions Fail

More information

5 WAYS STRUCTURED ARCHIVING DELIVERS ENTERPRISE ADVANTAGE

5 WAYS STRUCTURED ARCHIVING DELIVERS ENTERPRISE ADVANTAGE 5 WAYS STRUCTURED ARCHIVING DELIVERS ENTERPRISE ADVANTAGE Decommission Applications, Manage Data Growth & Ensure Compliance with Enterprise IT Infrastructure 1 5 Ways Structured Archiving Delivers Enterprise

More information

BPM 2015: Business Process Management Trends & Observations

BPM 2015: Business Process Management Trends & Observations BPM 2015: Business Process Management Trends & Observations 1 I BPM 2015: Business Process Management Trends & Observations BPM 2015: Business Process Management Trends & Observations Executive Summary

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

The Essential Guide to: Risk Post IPO

The Essential Guide to: Risk Post IPO S TRATEGIC M ARKETS G ROWTH The Essential Guide to: Risk Post IPO Embracing risk for reward Introduction So you ve made it you have taken your business public. It s been a rollercoaster ride and you have

More information

Watch. Electronic Records Management - still playing catch-up with paper

Watch. Electronic Records Management - still playing catch-up with paper AIIM Market Intelligence Delivering the priorities and opinions of AIIM s 65,000 community Underwritten in part by: About the Research As the non-profit association dedicated to nurturing, growing and

More information

Inside Track Research Note. In association with. and. Cloud Security Temperature Check. A question of visibility, governance and management

Inside Track Research Note. In association with. and. Cloud Security Temperature Check. A question of visibility, governance and management Research Note In association with and Cloud Security Temperature Check A question of visibility, governance and management May 2015 In a nutshell About this The research upon which this is based was independently

More information

Outlook 2011: Survey Report

Outlook 2011: Survey Report Web Analytics Association Outlook 2011: Survey Report page 1 Web Analytics Association Outlook 2011: Survey Report Prepared by the Web Analytics Association February 2011 All Rights Reserved Web Analytics

More information

IT Governance: framework and case study. 22 September 2010

IT Governance: framework and case study. 22 September 2010 IT Governance: framework and case study Presenter Yaowaluk Chadbunchachai Advisory Services Ernst & Young Corporate Services Limited Presentation topics ERM and IT governance IT governance framework IT

More information

Predictive Marketing for Banking

Predictive Marketing for Banking Tony Firmani Predictive Analytics Solution Architect Predictive Marketing for Banking Business Analytics software Session Overview Data Drives Decisions Applying Predictive Analytics Throughout Entire

More information