April 2014 SAI GLOBAL. Delivering Effective Compliance Solutions & Architecture. Solution Viewpoint Governance, Risk Management & Compliance Insight

Transcription

1 April 2014 SAI GLOBAL Delivering Effective Compliance Solutions & Architecture Solution Viewpoint Governance, Risk Management & Compliance Insight

2 Table of Contents Executive Summary Surmounting Pressures on Corporate Compliance The Winds of Change Blow on Compliance Battling the hydra of compliance:... 4 Compliance in The Midst of Transformation SAI Global: Delivering Effective Compliance Soutions & Architecture.. 4 The Value of SAI Global... 5 Capabilities of SAI Global... 6 SAI Global Delivers on Compliance Solutions & Architecture:... 7 Considerations for SAI Global... 9 GRC 20/20 s Final Perspective TALK TO US... We look forward to hearing from you and learning what you think about GRC 20/20 research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.

3 SAI GLOBAL Delivering Effective Compliance Solutions & Architecture EXECUTIVE SUMMARY The trends and forces shaping compliance transformation require organizations to develop a strategy and architecture for managing compliance in a dynamic, distributed, and demanding environment. The challenge is that compliance and ethics have become moving targets. As a result, compliance is becoming the way we do business as opposed to obstacles to business. To enable effective, agile, and efficient compliance; organizations are developing a compliance information and technology architecture that is dynamic, proactive, and information-based. Compliance architecture transforms the elements constituting an ethics and compliance program to not only make them more effective, but also more efficient and agile. SAI Global is a GRC solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in distributed and dynamic business environments. SAI Global delivers on compliance architecture through an integrated process, information/ content, and technology platform to enable compliance processes that are effective, efficient, and agile. They do this through a breadth of professional services, technology, and content resources that span the globe, and have demonstrated success in helping organizations across an array of industry verticals. SURMOUNTING PRESSURES ON CORPORATE COMPLIANCE THE WINDS OF CHANGE BLOW ON COMPLIANCE Compliance and ethics is not the same today as it was just a few years ago. The trends and forces shaping compliance transformation require organizations to develop a sustainable strategy and architecture for managing compliance in a dynamic, distributed, and demanding environment. In the past, compliance was distributed and disconnected. Even when organizations had a centralized compliance function to manage critical compliance issues, compliance really was fragmented and distributed across the organization with varying structures, accountability, and approach taxing the business, ultimately leading to inefficient and redundant approaches. Compliance functions relied on document-centric and manual processes that were not integrated, creating challenges in accountability, reconciliation, and reporting. Compliance offices spent more time consolidating the fragmented information than they did actually managing and improving compliance. The line of business was overwhelmed with inconsistent formats for policies and procedures, issue/incident reporting, and assessments that were appearing in their inbox on a weekly basis. With the globalization of business, compliance and ethics has become complex, across jurisdictions, geographies, and cultures as organizations struggle to maintain compliance. This is complicated by the distributed and dynamic nature of the modern organization which has a complex web of employees, suppliers, vendors, contractors, consultants, and other third parties, causing a mesh of compliance risk that is difficult to unravel and manage as the organization is constantly evolving. Business is dynamic: employees, relationships, regulations, risks, economies, litigation, regulation, and legislation are constantly changing. The challenge is that compliance and ethics have become moving targets. Organizations are seeing increased scrutiny and focus on compliance and ethics activities from several sources. Regulatory change in several industries has more than doubled in the past few years. Enforcement agencies have grown more sophisticated in assessing real versus fictional compliance efforts. They are peeling back the paper to look at how effective operational compliance programs truly are. With increased enforcement actions, organizations are seeing greater challenges to managing and monitoring their compliance and ethical risk. The Bottom Line: Compliance architecture transforms the elements constituting an ethics and compliance program to not only make them more effective, but also more efficient and agile GRC 20/20, LLC; Licensed to SAI Global for Redistribution Solution Spotlight 3

4 COMPLIANCE IN THE MIDST OF TRANSFORMATION Compliance is undergoing fundamental change. Surmounting pressure upon organizations require them to rethink compliance across the organization. Compliance is taking more responsibility for the integrity as well as corporate social responsibility of the organization and going beyond mere regulatory compliance. Compliance is moving away from being understood as the corporate cop, as it shifts to focus on the integrity of the organization. Compliance and ethics are becoming how we do business as opposed to obstacles to business. Compliance and ethics oversight is increasingly being centralized under a role of a Chief Ethics and Compliance Officer (CECO) with stronger executive and board relationships. Compliance operations and processes are becoming federated to overcome the inefficiencies of the decentralization of the past. This results in compliance leading to an integrated GRC (governance, risk management and compliance) strategy that often coordinates with other functions of risk and audit. To enable effective, agile, and efficient compliance; organizations are developing a compliance information and technology architecture that is dynamic, proactive and information-based. The goal is to develop a compliance system of record that: Aligns with stakeholder demands for transparency and accountability; Functions as a strategic role of monitoring integrity across business operations, transactions, and relationships; Provides a defensible system of accountability to regulators and others when questions arise; Utilizes the latest technologies to improve compliance effectiveness, efficiency, and agility; Allows compliance practitioners to better target resources, resolve issues, and keep current with changing business and regulations; and BATTLING THE HYDRA OF COMPLIANCE: Like the multi-headed Hydra in mythology, these redundant, manual, and document-centric approaches of the past are ineffective. As the Hydra grows more heads of regulation, ethical challenges and obligations, scattered compliance departments become overwhelmed and exhausted and start losing the battle. A reactive approach to compliance, with silos of compliance operations never coordinating and working together leads to greater risk to the organization. This piecemeal approach increases inefficiencies and the risk that serious matters will go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business; all the while the business environment requires greater agility. Demonstrates the effectiveness of an organizations compliance program, bringing together key compliance information in a format that can be easily analyzed by the compliance office. Compliance architecture not only delivers demonstrable proof of a compliance program but also allows compliance to be proactive and forward-looking. This shift enables the ethics and compliance organization to have greater efficiency in processing and managing information, become more effective in ensuring corporate integrity, and more agile in addressing rapidly changing business, regulatory, legal, and reputational risks. The bottom line: Compliance requires process improvement, technology automation, collaboration, and sharing of information driven by an integrated information and technology architecture. Effective compliance delivers the ability to meet requirements, achieve human and financial efficiency, and meet the demands of a dynamic business environment. Compliance architecture transforms the elements constituting an ethics and compliance program to not only make them more effective, but also more efficient and agile. SAI GLOBAL: DELIVERING EFFECTIVE COMPLIANCE SOUTIONS & ARCHITECTURE Compliance architecture supports compliance processes and utilizes technology with integrated information to provide insight in context of compliance information, drive systemic improvement of compliance processes, and deliver actionable information for metrics and benchmarking. Compliance architecture enables compliance processes to achieve an integrated picture of information and situational awareness. GRC technology can enable a better performing, less costly, more flexible compliance function. SAI Global is a GRC solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in globally distributed and dynamic business environments. SAI Global delivers on compliance as well as broader GRC architecture through an integrated process, information/ content, and technology platform to enable compliance processes that are effective, efficient, and agile. The array of offerings from SAI Global provides a full portfolio of compliance advisory services, content (e.g., training, regulatory), with a software platform in the Compliance 360 solution that delivers integrated compliance architecture. SAI Global s mission is to help organizations measure and understand corporate and compliance risk, apply best practices to reduce exposure and enable the organization to react quickly to changes in compliance risk and regulatory environments. With SAI Global the organization can inform and educate employees on policies, monitor changes to regulations, track adherence to obligations, document evidence of compliance, monitor enterprise risks, and 4 Solution Spotlight 2014 GRC 20/20, LLC; Licensed to SAI Global for Redistribution

5 manage governance processes such as incidents and audits. With strength across major industry verticals, SAI Global has experience delivering innovative consulting, content, and technology to meet the GRC demands of highly regulated and dynamic organizations. GRC 20/20 has interviewed and engaged several SAI Global customers and finds them to be very satisfied with the GRC solutions over the course of time, and generally optimistic about the direction of the company. While some GRC solution providers have stretched themselves thin by promising the world and not delivering on it, SAI Global has demonstrated focused growth with a commitment to customer success. THE VALUE OF SAI GLOBAL Successful governance, risk management, and compliance (GRC) delivers the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment that requires agility. GRC solutions should achieve better performing processes that utilize more reliable information. This enables a better performing, less costly, more flexible business environment. Clients engage SAI Global with the goals of understanding and managing risk, ensuring compliance with obligations, improving human and financial efficiencies, enhancing transparency, and managing GRC in the context of business change. GRC Efficiency GRC solutions provide efficiency and savings in human and financial capital resources. Technology solutions that support business and GRC processes reduce operational costs by automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations. The organizations researched by GRC 20/20 identified the following efficiencies by engaging SAI Global: Reduction in FTEs (full-time equivalent) in compliance processes such as policy management and incident management allowing for reallocation of resources to other compliance tasks. Ease of configuration delivers cost savings, as the organization does not need internal or external programmers to customize the platform. The consistency in how SAI Global solutions integrate and work together reduces the amount of work needed by the organization. The ability to free-up resources that were spending significant time compiling information from documents, spreadsheets, and s allows more time to proactively manage and run the GRC program as opposed to being swamped with tactical tasks and documents. The ease of reporting and accountability through automation minimizes manual unrewarding compliance tasks of the past. GRC Effectiveness GRC solutions achieve effectiveness in risk, control, compliance, audit, and business process. This is delivered through greater assurance of the design and operational effectiveness of controls to mitigate risk, achieve performance, protect integrity of the organization, and meet regulatory requirements. GRC effectiveness is validated when business processes are operating within the controls and policies set by the organization and provide greater reliability of information to auditors and regulators. The organizations GRC 20/20 interviewed reported the following effectiveness through utilizing SAI Global solutions: SAI Global solutions are easy to use and therefore have greater use and adoption across the organization making GRC and compliance particularly more effective. The ability to easily build workflows, forms, and configurations makes the SAI Global solution effective for managing compliance in a changing environment. SAI Global has improved client GRC and compliance reporting capabilities resulting in more effective risk management. Their training solutions have shown creativity and enable engagement and understanding of diverse and distributed workforces to comprehend what is required of them to be compliant and meet corporate expectations of values and ethics. Having everything needed and integrated within one solution and one database architecture has greatly While some GRC solution providers have stretched themselves thin by promising the world and not delivering on it, SAI Global has demonstrated focused growth with a commitment to customer success GRC 20/20, LLC; Licensed to SAI Global for Redistribution Solution Spotlight 5

6 improved effectiveness of compliance reporting. SAI Global solutions have allowed the organization to shift overall responsibility and accountability for risk and compliance to the lines of business. The solution delivers better notifications and tracking of compliance reviews, reporting and storing information, and providing an effective and defensible evidence trail of interactions. The solution has enabled more effective risk management by allowing distributed risk owners to take greater responsibility. GRC Agility GRC solutions deliver business agility when organizations are able to rapidly respond to changes in the internal business environment (e.g. employees, business relationships, operational risks, mergers, and acquisitions) as well as the external environment (e.g. economic risk, new laws, and regulations). GRC agility is also achieved when organizations can identify and react quickly to control failures/weaknesses, non-compliance, and adverse events in a timely manner so that action can be taken. The organizations interviewed reported the following agilities in their compliance and broader GRC processes through working with SAI Global: Rapid deployment and configurability of the SAI Global solution enables the organization to address new compliance developments on time and reduce compliance risk exposure. The SAI Global solutions have enabled the organization to respond quicker with stronger decision-making. The creativity of SAI Global training solutions and services have allowed their clients to adapt and communicate changes to compliance requirements and business rapidly in an engaging manner. The consistency and ease of use of SAI Global solutions simplifies getting people on board and using the system. The solution has enabled them to move from a reactionary risk approach to an anticipatory risk approach SAI Global has enabled the organization to adapt risk appetite as the organization s internal business environment changes, risks change, regulations change, and customers change CAPABILITIES OF SAI GLOBAL SAI Global solutions help users take control and create a culture of risk management and compliance, allowing stakeholders and the board to be comfortable that they are operating within boundaries of regulations, obligations, and corporate values as the business moves forward on its strategy. GRC 20/20 has evaluated the range of SAI Global offerings and finds that it delivers a comprehensive offering across the pillars of: Technology. The SAI Global Compliance 360 platform offers a GRC platform that provides the core hub for compliance and broader GRC. The solution delivers a platform that has a variety of integrated modules to manage GRC. This is delivered as a Software as a Service (SaaS) solution that is scalable, configurable, and adaptable to client needs. SaaS enables the Compliance 360 platform to be simple to setup with minimal IT resources as well as accessible and easy to use for employees and business partners. Services. SAI Global has a team of consultants that represent a broad range of compliance expertise globally. The SAI Global Advisory and Client Services team spans across three continents and delivers risk assessments, benchmarking against best practices, cultural surveys, subject matter expertise, policy guidance and design, training needs assessments, and software implementation to address compliance and GRC requirements. Learning Content. SAI Global offers organizations extensive content to manage compliance and ethics learning and communication programs, with over 500 training courses and communication tools translated across several languages. These courses are customizable as well as integrated into the SAI Global elearning (e.g., Learning Management System) solution. SAI Global training content also includes social and gamification approaches through Storytoria.and Ethical Moments. Regulatory Content. The Compliance 360 platform has the ability to integrate laws, standards and regulations via SAI Global partners such as LexisNexis and Clear Market Practices. Using SAI Global workflow solutions organizations can assess and mitigate the risks associated with ongoing regulatory change management. The suite of SAI Global offerings of GRC technology, services, and content (including content integration with 3rd parties) sets SAI Global apart in the GRC space. This enables them to deliver across a range of compliance as well as broader GRC needs such as risk and audit management. The breadth of SAI Global offerings delivers the following capabilities to make compliance programs effective as well as efficient and agile: 6 Solution Spotlight 2014 GRC 20/20, LLC; Licensed to SAI Global for Redistribution

7 Unified Architecture. The Compliance 360 platform provides a unified technology and information architecture that acts as the central hub of GRC related processes and content. This includes content and workflow management to automate processes, reminders, alerts, and escalations. The solution contains a single technology code base and information architecture, making it scalable, flexible and adaptable, and is not a combobulation of different solutions. Through a single user interface all of the Compliance 360 modules share common functionality across workflow, content management, reporting, and project management engines. Defensibility. Core to the Compliance 360 platform is a Virtual Evidence Room that provides a defensible record of compliance and GRC interactions and activities. Here an organization can link policies, training, surveys, assessments, attestations, incidents, audits, contracts, projects and tasks to laws, regulations, standards, contracts, and other obligations to demonstrate compliance and ensure an audit ready state. This enables the organization to maintain a complete system of record about what, when, where, how, and why things were done in an organization. This provides defensible evidence that risk, compliance, and control activities are in place and operating. Adaptability. The Compliance 360 solution provides a configurable set of modules with consistent operations and functions. The unified architecture of Compliance 360 delivers flexibility to adapt to new requirements and a changing business. Risk Management. Compliance 360 enables an organization to identify, assess, prioritize, and manage risk in the organization. It facilitates the identification of risk and then automates the assessment of risks through workflow and surveys. Ongoing monitoring for risk is done through documenting evidence of operation of controls. Organizations can link risks to strategic objectives and manage risk treatment strategies such as avoidance, mitigation, acceptance, or transfer of risk. Policy Management. SAI Global provides a suite of services to help organizations review and design effective policies as well as a module within Compliance 360 to manage and communicate policies throughout the organization. Compliance 360 s policy management capabilities include the development, approval, communication, attestation, enforcement, exception management, metrics, reporting, and maintenance of policies enabling full lifecycle management of policies. This includes full workflow and content management capabilities including version control and audit trails. Policies can be accessed by employees and partners through an intuitive user-friendly portal aligned with the organization brand. Employees can easily find the current policy and read it with interactive tools to explain it to them. Policy resources and related forms are part of the Compliance 360 policy module and portal. Training & Communication Solutions. Going hand in hand with policy management is SAI Global s ethics and compliance learning solutions. SAI Global offers a suite of training courses and communication tools that can be configured to the organization s brand and specific needs. The advisory services of SAI Global can be engaged to develop custom training content and programs. Training courses are delivered with Learning Management System (LMS) capabilities to track course completion and certifications. SAI Global s predeveloped course content includes hundreds of titles covering a variety media experiences (including mobile), learning formats, lengths, and languages. SAI GLOBAL DELIVERS ON COMPLIANCE ARCHITECTURE: üüunified Architecture. üüdefensibility. üüadaptability. üürisk Management. üüpolicy Management. üütraining & Communication Solutions. üümonitoring and Assessment. üüinvestigations Management. üüdisclosures Management. üüregulatory Change Management. üümobility. üüthird Party Risk Management. üümetrics. üücontract Management. üüaudit Management. üüfinancial Control Compliance. üücompliance & GRC Program/Project Management GRC 20/20, LLC; Licensed to SAI Global for Redistribution Solution Spotlight 7

8 Monitoring and Assessment. The Compliance 360 platform delivers an architecture to conduct assessments across risk and compliance areas. The data from the Compliance 360 platform can be used by the organization in conjunction with SAI Global Services to provide benchmarking of compliance and GRC data, issues, trends, processes, and activities. The Compliance 360 Compliance Workspace enables the organization to proactively monitor obligations, send alerts, and manage assessments to identify and remediate issues and ensure compliance. Investigations Management. The Compliance 360 platform allows the organization to manage the complete lifecycle of investigations, issues, incidents, events, or cases from intake through resolution. The solution enables the collection of information, collaboration on cases, and automation through workflow and task management. Investigators can track the progress of investigations through resolution of potential issues and compile proof of remediation and preventative measures. It enables the organization to have a single system to record issues, incidents, and events. With an enterprise investigation and incident system the organization can integrate incident and loss data into risk models to improve risk management. Disclosures Management. The Compliance 360 platform enables the automation of gathering information combined with workflow and task management to manage disclosures and other compliance forms and approvals. This enables organizations to collect, store, and track disclosure information relating Conflicts of Interest; Gifts, Entertainment and Hospitality; as well as Charitable Contributions submitted by employees or other business associates, creating a centralized database of disclosures that is auditable and searchable. These disclosures are automatically routed to the proper individual(s) who can approve, deny or request more information. Regulatory Change management. The Compliance 360 platform offers a solution for managing regulatory change as well as organization and risk changes contextually. Through integration with third party data sources, organizations can bring in regulatory content as well as integrate with third party databases such as politically exposed persons. Alerts of changes can be sent to the proper subject matter expert for review and analysis with content throughout the Compliance 360 platform being tagged that is relevant to the change such as policies, controls, risks, incidents, and more. This brings complete situational awareness to the subject matter expert to determine if the change requires action by the organization.the platform supports the overall coordination of legal, regulatory, contractual and corporate policy obligations and responsibilities with associated tasks and records. When the business changes, such as through mergers and acquisitions, the organization can proactively assess and harmonize policies, controls and processes between the organizations, driving efficiency and effectiveness into business change. Mobility. SAI Global has embraced mobile technology on tablets and other devices. Issue reporting can be readily done through mobile devices. Tablets used to deliver policies, training, and other interactive content to employees particularly those without desktop workstation access. Mobile devices can be used to conduct investigations, audits and compliance assessments. Third Party Risk Management. The Compliance 360 platform enables the identification, monitoring, and remediation of third party risks. This includes ongoing due diligence with the ability to integrate with third party due diligence databases to verify business relationships. The solution spans the third party management lifecycle with capabilities across contract management, due diligence, assessments, policy and training communication, and third party audits. Metrics. Compliance 360 offers a customizable dashboard unique to each user that is personalized by including charts and graphs, alerts, reminders, reports, tasks, updates, news feeds, and other dashboard-style monitors and controls. With an information architecture integrated with external content, compliance can report on metrics and trends to track relevant information, developments, trends, and issues including key risk indicators. Contract Management. Compliance 360 enables proactive management of contracts including with vendors, service providers, customers, business partners and others. It facilitates and documents the collaboration of contracts and utilizes workflow for review and approval. Audit Management. Compliance 360 delivers an integrated audit management platform to manage the entire lifecycle of audits across audit planning, work programs, work paper management, and documentation of findings, reports, and follow-up. It also includes calendaring and resource scheduling capabilities. Financial Control Compliance. The Compliance 360 solution enables the management of internal controls for financial reporting to support SOX compliance and other financial reporting requirements. The solution enables the control assessment, compliance tracking, measurement, reporting, and monitoring. 8 Solution Spotlight 2014 GRC 20/20, LLC; Licensed to SAI Global for Redistribution

9 Compliance & GRC Program/Project Management. Compliance 360 delivers complete compliance and GRC program and project management capabilities spanning calendaring, notifications, task management, and the ability to plan specific compliance, training communication, and other initiatives as projects and report on them. CONSIDERATIONS FOR SAI GLOBAL Every solution has its strengths and weaknesses, and may not be the ideal fit for all organizations in all situations. While GRC 20/20 has identified many positive attributes of SAI Global and their extensive offering to enable effective compliance programs and other elements of GRC readers should not see this as a complete and unquestionable endorsement of SAI Global. SAI Global in the market and see them deliver integrated process, information/content, and technology to enable compliance processes that are effective, efficient, and agile. SAI Global has demonstrated focused growth with a commitment to customer success that ranks it among the most client-focused GRC solution providers. Their solution and services enable clients to get away from manual and document-centric approaches for compliance and provides an integrated approach to compliance activities and oversight. While GRC 20/20 has focused predominantly on SAI Global s ability to deliver on compliance, their solutions are also well fit to meet the needs of a range of other GRC roles and be an enterprise GRC platform for organizations across industries and geographies. SAI Global s breadth of GRC offerings is ideally suited for organizations managing diverse compliance risk challenges in dynamic, regulated, and distributed business environments. Its risk capabilities meet the needs of the majority of risk management programs, except for those requiring advanced analytics and modeling. Overall, clients have shown a high degree of satisfaction over the years with SAI Global and particularly Compliance 360. However, SAI Global has changed technology strategy over the past few years that caused uncertainty in a few relationships. GRC 20/20 feels that their acquisition of Compliance 360 in 2012 solidified their technology strategy and gave them the platform to build upon and execute their vision for compliance and broader GRC. Clients have reported that there were some bugs that were quickly addressed as SAI Global made significant changes to integrate Compliance 360 with their other offerings and expand the platform to be an end-to-end solution for effective compliance management. Clients report achieving value in engaging SAI Global through reduced time in gathering and reporting on GRC, reduction in fees paid to external resources such as auditors and regulators, clear accountability of GRC tasks, and a strong stance to demonstrate that the organization has sound practices in place for GRC. Particularly, the platform enables clients to get away from manual and documentcentric approaches to GRC, and provides an integrated information architecture that brings GRC activities together through clear accountability in workflow, task, and project and program management. GRC 20/20 S FINAL PERSPECTIVE... Compliance architecture enables compliance processes through technology and integrated information to provide insight, systemic improvement, and deliver actionable information. GRC 20/20 continues to research and follow 2014 GRC 20/20, LLC; Licensed to SAI Global for Redistribution Solution Spotlight 9

10 ABOUT THE AUTHOR Michael Rasmussen, J.D., GRCP, CCEP and OCEG Fellow Chief GRC GRC 20/20 Research, LLC Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) with specific expertise on the topics of enterprise GRC strategy, process, and technologies. He helps organizations improve GRC processes and choose technologies that are effective, efficient and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the Father of GRC being the first to define and model the GRC market in February ABOUT GRC 20/20 GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem of GRC solution buyers, professional service firms, and solution providers. We serve the needs of organizations that seek clarity, guidance and advice in dealing with a dizzying array of disruptive issues, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment. Whether focused on a specific risk or regulatory issue, or even enterprise-wide GRC strategy, organizations seek clarity through GRC 20/20. This clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000 companies, major professional service firms, and the breadth of GRC solution providers. GRC 20/20 Research, LLC 4948 Bayfield Drive Waterford, WI USA info@grc2020.com RESEARCH METHODOLOGY GRC 20/20 research reports are written by experienced analysts with hands-on experience selecting, developing, and implementing GRC management systems and processes globally for international organizations across industries. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria, regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and best practices. Research facts and representations are verified with actual client references to validate accuracy. GRC solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion. GRC 20/20 uses a combination of sources to gather market intelligence. These include (but are not limited to): GRC Solutions Provider Evaluation Forms. A detailed set of questions covering functional and nonfunctional aspects of GRC solutions, as well as market factors. GRC Solution User Surveys. As part of its on-going research cycle, GRC 20/20 systematically surveys GRC solution users and buyers, eliciting feedback on solution providers, satisfaction levels, and preferences. Interviews with Subject Matter Experts. GRC 20/20 undertakes comprehensive interviews and briefing sessions with leading industry experts, academics, and consultants to provide insight into market trends, vendor solutions, and evaluation criteria. Customer Reference Checks. These are telephone and reference checks with named customers of solution providers to validate strengths and weaknesses, and to assess experience and satisfaction levels. Vendor Briefings. These are face-to-face and/or web-based briefings and product demonstrations by solution providers. During these sessions, GRC 20/20 asks probing questions to understand the strengths and weaknesses of each provider. Third Party Sources. GRC 20/20 uses other third party sources of information such as conferences, academic and regulatory studies, collaboration with leading consulting firms, knowledge providers, and industry associations such as the Open Compliance and Ethics Group ( GRC 20/20 Research, LLC. All rights reserved. No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of GRC 20/20. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines established in client contract. The information contained in this publication is believed to be accurate and has been obtained from sources believed to be reliable. Please note that the findings, conclusions and recommendations that GRC 20/20 delivers in this research is based on information gathered in good faith, whose accuracy we cannot guarantee and is subject to change. It also consists of opinions of GRC 20/20 analysts and should not be construed as statements of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may include a discussion of related legal issues, GRC 20/20 does 2014 not provide GRC legal 20/20, advice LLC; Licensed or services to SAI and Global its research for Redistribution should not be construed or used as such. Solution Spotlight 10