
3 mega trends transforming governance, risk and compliance


Introduction

What three mega-trends are shaping business actions and objectives, and how can they impact GRC professionals’ roles?

In the 15 years since the term governance, risk and compliance (GRC) was coined, a lot has changed. Once managed as separate initiatives, the three processes are more entwined than ever and are playing a prominent role in helping organisations to achieve performance and growth. The business landscape is consistently evolving and businesses are becoming increasingly savvy in order to overcome new sets of risks and challenges.

Of course, with increased risks come opportunities, and organisations are turning to GRC professionals to guide them. Not only are they being called upon to oversee compliance and rein in wild risk-taking, but they are expected to drive the business forward. These professionals are uniquely positioned to help businesses seize more opportunities by empowering them with the risk and regulatory intelligence they need to make better decisions.


In short, it’s an exciting time to be in the GRC space. Here are three mega trends that GRC professionals need to keep in mind in order to continue driving high performance.

Trend #1: Consumers are becoming the ultimate regulators

Increasingly, consumers are setting the standards for companies globally, and they’re doing so with a voice that’s louder than ever, thanks to social media and other digital platforms.

For example, scores of consumers used social media to push the #DeleteUber campaign, which was a result of the company’s response to a protest in New York. Not only did it lose customers in the local area, but the campaign received global coverage leading to lost customers all over the world.

The industry has also seen Gatorade, one of the largest sports beverage brands in the world, removing a controversial ingredient from its products due to a teenager in Mississippi creating an online petition on Change.org. That’s the power of the collective voice of consumers.

Consumers have, at their fingertips, all the information they need to make informed decisions about the companies they interact with. Their loyalties are determined as much by ‘soft’ business metrics such as corporate social responsibility scores, ethics, and trustworthiness, as by the quality of products and services offered.


For GRC leaders, that means putting customers at the front and centre of their GRC programmes. It also means ensuring that companies are complying not just with regulatory requirements, but also upholding public trust and confidence. It means building a corporate culture where people, right from the top of the organisation to the front lines, understand their risk and compliance responsibilities in the context of the customer.

A large chunk of corporate value today lies in a company’s brand, reputation, and credibility. GRC professionals have the important responsibility of helping to protect these assets, so that companies can drive greater customer loyalty, and outperform the competition.

Trend #2: The power of ‘now’

In this age of Instagram and Snapchat, people are looking for instant gratification – so much so, that if a video doesn’t load in two seconds, it begins to lose viewers right away, according to a study by Akamai Technologies and the University of Massachusetts Amherst. People want value immediately.

To meet this requirement, GRC professionals can deliver instant value to their companies by making processes simple and pervasive through the easy adoption of consumerist technologies. Easy-to-use GRC tools that work on smartphones, tablets, and other smart devices ensure that relevant real-time and actionable intelligence is collected throughout the entire enterprise.

Delivering instant value also means that GRC technology and infrastructure have to be deployed quickly in the cloud. Gone are the days of long deployments, multi-year projects, and extended time to value. Companies are looking for simple, modular, instant GRC deployments that can work straight out of the box.


Reporting is another area where GRC professionals can meet the need for instant value. Boards and stakeholders want to make quick, risk-informed decisions, but they don’t have the time to consume hundreds of pages of reports. GRC teams need to find ways of condensing large volumes of information into intelligent risk insights, and communicating them in as succinct and engaging a manner as possible.

When business leaders have all the information they need in real-time, they will be well-positioned to make faster, better decisions for their business.

Trend #3: The promise of artificial intelligence

Every technology publication, entrepreneur and business leader is talking about Artificial Intelligence (AI). AI is impacting how we live, work and play. It has applications in just about everything, ranging from pizza-making to filtering fake news – it is fundamentally changing the future of work and the future of human productivity.

In terms of GRC, AI means predictive analytics, advanced visualisations, intelligence in the cloud, and risk mind maps that can help companies understand and anticipate their risks better than ever; there’s exploration into correlation engines that combine vast data sets such as internal losses, consumer sentiment, and unemployment rates to forecast business performance; also, new algorithms are helping companies condense large volumes of regulatory compliance information into nuggets of useful and relevant insights.


The scope for AI innovation in GRC is incredible, and we’ve only just begun to scratch the surface. Industries are already witnessing the rise of ‘deep learning’ technology that, for example, can detect new malware threats as quickly and accurately as the human eye can identify something substantial and tangible, like a piece of furniture. Soon, businesses will have access to tools that are able to ‘learn’ from employee actions and behaviour in order to automatically discover risk.

Taking stock

This year and beyond, GRC will be about fresh ideas and perspectives, innovating, as well as a high degree of leadership. The business landscape is only getting more competitive, therefore the organisations that are able to take more informed risks, drive firm-wide compliance, and demonstrate better governance will be the ones who lead with enduring value today, and into the future.

Sourced by Gunjan Sinha, executive chairman at MetricStream

This article was originally published by Information Age and can be found here: 3 mega trends transforming governance, risk and compliance


Gunjan Sinha Executive Chairman, MetricStream

Gunjan Sinha, Executive Chairman, MetricStream, helps lead the overall direction and vision of the company. His focus is on building MetricStream into a global GRC leader with strong teams that are excited about new markets, disruptive technologies and social impact.

 

Compliance Meaningfulness: Hard to Achieve, Easy to Destroy


Introduction

In an article titled What Makes Work Meaningful - Or Meaningless by Catherine Bailey and Adrian Madden (MIT Sloan Management Review, Summer 2016), the authors focus upon what makes our work meaningful, with research conducted across multiple industries and responsibilities. While their findings are presented as relevant to the overall workforce, the compliance implications are significant and worthy of discussion.

In sum, meaningful work, which can be “highly motivational, leading to improved performance, commitment and satisfaction” is not easily achieved, and tends to “be intensely personal and individual.” It is not derived entirely from the workplace experience, but is often a part of how employees “see their work and its wider contribution to society in ways that matter to them as individuals.” In other words, it’s related to how an individual views their work as part of a greater contribution to society outside the workplace. However, the opposite is not true, in that meaninglessness, which drives a sense of “futility” in the workplace, is almost entirely derived from the organization and the behavior of its leaders.

So, what are the features of meaningful work? Common characteristics include:

  • Self-Transcendent: Where employees experience their work as “mattering to others more than just to themselves.” In other words, motivation is increased when work is perceived as having impact and relevance “for other individuals, groups, or the wider environment.”
  • Poignant: When work has moments of triumph under difficult circumstances, or having “solved complex, intractable problem(s).” In other words, coping and overcoming obstacles elevates a sense of satisfaction and accomplishment.
  • Reflective: Meaningfulness is not necessarily experienced ‘in the moment’ but comes in retrospect and with “reflection when people were able to see their completed work and make connections between their achievements and a wider sense of life meaning.”
  • Personal: Here a sense of meaning is actualized in the wider context of someone’s “personal life experiences” and “managers and even organizations actually mattered relatively little.”

In sum, as the authors point out, these are “complex and profound” issues which go “far beyond the relative superficialities of satisfaction or engagement- and almost never related to one’s employer or manager.”

The opposite, or meaninglessness, where people might ask themselves “why am I doing this,” is not as complex. It’s almost entirely related to “how people were treated by managers and leaders.” A few of the “seven deadly sins” which I thought relevant to a global workforce and a compliance program include:

  • Disconnecting people from their values. This was the greatest single factor from the research, where employees see a tension “between an organizational focus on the bottom line and the individual’s focus on the quality or professionalism of work.”
  • Taking employees for granted. “Lack of recognition for hard work by organizational leaders was frequently cited as invoking a feeling of pointlessness.”
  • Disconnecting people from supportive relationships. Here, “feelings of isolation or marginalization at work were linked with meaninglessness.”

Thus, while the ability to help employees actualize meaningfulness in their work is not entirely dependent on an organization and its leaders, meaninglessness is almost completely conditioned on the workplace experience. So, what are those elements that can be addressed in the workplace that “can foster an integrated sense of holistic meaningfulness for individual employees?” In listing them, I added my own reflections as to what compliance leaders can do to enhance such effectiveness.

Organizational and job focus. Do leaders focus on the “broad purpose of the organization,” and the “positive contribution of the organization to the wider society or environment”? In Blindspots, Bazerman and Tenbrunsel share how compliance programs can contort the decision making process, where decision making is based only on the “costs and benefits of compliance versus noncompliance” without the wider ethical discussion. Thus, are compliance leaders driving the message of how ethical decision making benefits society at large, and drives economic development, education and welfare on a global basis?

This is a great point which Kristy Grant-Hart makes in How to be A Wildly Effective Compliance Officer. As she shares, compliance efforts and programs provide a valuable contribution to making the world “a more transparent and fair place” and provide a wall against “criminal organizations, gangs, terrorism and violence.” If your workforce doesn’t see how their work is a part of that effort, it’s a huge ‘meaningful’ miss. In other words, as the authors ask, are leaders “encouraging people to see their work as meaningful by demonstrating how jobs fit with the organization’s broader purpose or serve a wider, societal benefit.”

Interactional focus. People find their work more meaningful in an interactional context when “they are in contact with others who benefit from their work” and “in an environment of supportive interpersonal relationships.” In other words, when people see the beneficiaries of their work, that drives a sense of support, and a respectful “climate among colleagues.” Thus, the challenge is to foster those relationships among colleagues, employees, managers, “and between organizational staff and worker beneficiaries.”   Here, compliance leaders have a unique opportunity to “communicate a sense of shared values and belonging” and to engage with the workforce as to how “their work has a positive impact on others.”

Compliance leaders have a unique opportunity to enable employees to find work as a meaningful experience that extends beyond the workplace.  As Kristy shares, compliance is about making “the world a better place” and as such, compliance leaders have an exceptional capacity to really drive meaningfulness into the workplace, one employee at a time, and as a collective group of contributors and beneficiaries.

 


Richard Bistrong Vice President

I was the sales and marketing Vice President in the Law Enforcement and Defense sector for over fifteen years, most of which was as VP for International sales. A fourth generation founding family member of one of the world’s premier brands of bullet resistant armor. I got educated in Foreign Policy, UVa, Masters of Arts, 1987. Studied at the Institute for European Studies, Vienna, Austria, 1983. Worked as a Confidential Human Source (CHS) and Cooperating Witness for the United States Department of Justice, Federal Bureau of Investigation. Served with the City of London Police, HM Revenue & Customs (HMRC) and Crown Prosecution Service (CPS) in a covert and cooperating capacity. Received Immunity from Prosecution from the United Kingdom. Currently, a recognized consultant, blogger, and speaker in the field of anti-bribery compliance, reflecting on front-line issues which impact international business teams and compliance personnel.

 

Streamlining Compliance Case Management


Introduction

In early February this year, the fraud section of the U.S. Department of Justice (DoJ) released a new document with specific guidelines on how they will evaluate corporate compliance programs in organizations going forward. The DoJ clearly specifies in the document that they will look at corporate compliance programs in their entirety and not just at the reporting or investigations part.

With a spate of new regulations coming up, organizations are striving to improve their compliance program. Many are moving up the compliance maturity curve and keeping pace with the rapid regulatory developments happening around them. However, multiple reporting requirements, myriad reporting authorities and structures, and stricter regulations continue to challenge compliance teams, putting pressure on them to develop effective and better ways to address an ever more complex regulatory and business environment. In a recent MetricStream webinar titled “Streamlining Compliance Case Management: Challenges and Best Practices,” Eric Morehead, Principal Consultant, Morehead Compliance Consulting, LLC, provided valuable insights into the challenges organizations face when managing and investigating ethics and compliance cases, how to improve the efficiency of case management programs, and how to track the effectiveness of compliance programs by leveraging technology.

One of the biggest compliance challenges organizations face is in investigating non-compliance cases. Multiple questions arise: What is being reported, to whom, and where? What reports can you provide to your board of directors and regulators and can they be benchmarked based on industry standards?

First – What is being reported? It’s important to adopt a fine-focus approach toward tracking trends, such as the common sorts of issues that get reported through various reporting mechanisms. Cases get reported to various parts of an organization such as helplines, HR, audit, or the board members, depending on the organizational hierarchy. When these cases are aggregated and sent to the compliance office, there is often some disconnect. However, by identifying a common set of issues or trends from the available statistics, organizations can effectively find a solution.

Second – Where is it being reported? Organizations must have ways to aggregate the cases that have come in via different channels. This helps them remove duplicate cases.

Third – What report can you provide to the board of directors? In many cases, there is a strong disconnect between what gets reported to the systems and what the board of directors ultimately gets to read. This gap could lead to problems, especially when an organization has to provide reporting and investigation details to regulators. The key is to put serious consideration into what is being reported to the board of directors, and report the good work that has happened or is being done within the compliance space. Ask hard questions about the information that gets reported to the board of directors so that the organization can get better information first.

Fourth – Stacking up with competitors and peer organizations. Ask yourself: “Do you have a story to tell?” Both regulators and the board of directors will judge you based on the technology and processes you use to handle your data. Regulators will ask you tough questions regarding your compliance programs and your investigations. Will you be able to meet those expectations?

Growing regulatory demands and expanding awareness about compliance are driving the enhancement of compliance case management capabilities. Organizations are recognizing this shift, and to remain relevant they need to make the right technological investment. Ultimately, mature case management systems can transform compliance programs.


BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Can Marketing and Compliance Share a Playbook?


Introduction

I recently read an article in the Winter 2017 MIT Sloan Management Review, Mastering the Market Intelligence Challenge (Chari, Luce & Thukral). In this work, the authors address how “many multinationals simply import their domestic models into emerging markets.” And whilst this work is directed towards those who deal with market intelligence in emerging markets, the conclusions drawn are equally applicable to those who face compliance challenges in such frontier regions. If you review the article and substitute ‘due-diligence’ for ‘market intelligence,’ it reads like a compliance thought piece. So I ask, can both compliance and market leaders share resources and data when it comes to due diligence and market information, so as to allow for a more collaborative approach?

The authors state that “for developed-market companies, winning consumers in these new high-growth markets requires a radical change in mindset, capabilities, and allocation of resources.” I would add that such ‘radical changes’ are also applicable to compliance leaders and teams who face the challenges of addressing business development in emerging markets,  where commercial opportunities and corruption risk are often intertwined.

A few of the issues which might de-rail market intelligence or a compliance program in emerging markets might be:

  • Grouping.  Very often from the home office, markets and risks are grouped regionally. But in emerging markets, where each market sector and country present a unique set of risks and opportunities, market and/or risk factors in one emerging market country “may not readily transfer to another as much as they would transfer from one advanced country to another.” So, while one might think of Scandinavian countries as having a similar risk profile, thinking the same of the GCC countries could be problematic.
  • Change. As we see with current events, political, social and economic change in developing countries can sometimes occur via evolution, and sometimes by revolution. Thus, thinking of markets or risks as static in these regions “compounds the information problem.” Compliance and business leaders should be considering this type of dynamic, and the possible monitoring costs of staying abreast of change, before investing initial resources.  As the authors argue, success in such evolving markets requires a more robust calibration and recalibration of intelligence to market conditions, and to which I would add, risk conditions.
  • Spend. The authors argue to be cautious about spending on market intelligence in emerging markets “as a percentage of revenues in the market or on an ad hoc basis.” Indeed, for marketing or compliance investments, looking at costs on such an ad hoc basis might prove “insufficient in emerging markets” where more upfront resources are required to gather current, reliable and useful intelligence.

As a result, the authors recommend the following practices for obtaining robust and actionable business intelligence:

  • “Treat and manage market intelligence as a strategic asset.” Strategic intelligence means that “updated market intelligence is considered front and center when multinational corporations take strategic actions in emerging markets.” This is much more than what might be necessary for “advanced economy market entry.” The authors advocate the use of multiple data sets, relating to the “economy, business environment, and demographics of each country.” Such data would also be useful for a compliance team in order to gauge risk and opportunity. So, why silo the data when it’s valuable to both teams?
  • “Continuously update market intelligence.” As the authors well state, updated information is “necessary to recognize changing market conditions at the earliest convenience.” To a compliance professional, that might mean ‘don’t vet and forget.’ The authors caution that using “potentially dated market intelligence or assumptions about the market” can lead to bad marketing decisions and poor resource allocations. That same risk would equally apply to a compliance program and due-diligence process. Past behavior and data are not necessarily a gauge for future risk. We have seen that peril, especially in countries with political and regime turnover.
  • “Organize differently for market intelligence in emerging markets.” Here, I found a fascinating organizational discussion. The authors try to balance centralized versus in-country market intelligence. We see a similar challenge in compliance programs, as to the right mix between a centralized and remote function. While the authors don’t strongly advocate either approach, they do address the consequences of not appreciating where they might disconnect. Instead, they argue that market intelligence “should be organized as a shared responsibility between the corporate office and emerging market business executives.” One could see how a compliance function can also benefit from that same sense of shared responsibility and cross-function cooperation.
  • “Use a wide range of sources and methods to obtain market intelligence.” There’s no magic bullet here, or single solution, be it for market or risk intelligence. Rather, “because of the paucity and unreliability of information sources, multinationals need to use a wide range of sources to obtain market intelligence in emerging markets.” Among some of the recommended sources are “in-country partners, market facing staff, business press, social media, internal and external market research, and the company’s own experience.” Again, it seems like these are valuable data sources for both market and risk decisions. But as the authors caution, “no single source is typically able to provide all of the information we need.”

And finally, review, review, review.

As the authors remind us, pooling, sharing, disseminating and discussing information, all ensure that “an organization can gain as complete of a picture” not only of the marketplace,  but of changes within the marketplace. Again, that’s valuable to both compliance leaders and market executives. As they conclude, when information is a shared responsibility among corporate and in-country managers, using a “wide range of sources and methods,” then organizations can “obtain and use the market intelligence necessary to succeed.” So, instead of having a market intelligence playbook and a compliance playbook, how about a “share and share alike” approach to opportunity and risk!


Richard Bistrong Vice President


 

Promoting Data Security in the Workplace


No matter the workplace, data security is often a top concern for management professionals. Security breaches can end up threatening the livelihood of employees and entire companies alike, depending on how severe they are. There are solutions available to

To learn more about data security in the workplace, check out this infographic compiled by the University of Alabama at Birmingham’s Online Master of Science in Management Information Systems program.

Employees and General Information Security

Over eighty percent of companies say that their biggest security threat is end user carelessness. Seventy-five percent of companies also believe that employee negligence is their greatest security threat. Three percent of all United States full-time employees admitted to using the same collection of passwords for their online needs. A third of this percentage even admitted to using fewer than five different passwords to access anywhere between twenty-five to fifty websites, some of which were business and professional locations. Over thirty-three percent of US companies do not have a security plan for internal security risks, which means personal responsibility is the largest deterrent in a vast majority of these incidents.

Top Mistakes

Many mistakes committed by employees are entirely avoidable. Things such as sharing passwords with others and leaving their computers unattended outside the workplace all contribute to security problems. Employees are strongly encouraged to use different passwords for different websites, and to change them frequently. Additionally, it is important to delete data when it is no longer being used on the computer, as well as avoid connecting personal devices to company networks and databases.

Largest Threats to Information Security

Senior managers are as much a culprit of problematic behavior as their employees. Over fifty-eight percent of senior managers have accidentally sent crucial and private company information to the wrong people. Fifty-one percent of all senior managers have also taken private files from the company with them after they left the job. Business owners may end up compromising their own company’s security as well. Over eighty-seven percent of all business owners regularly upload files from work to a personal cloud or storage network. Sixty-three percent of those same business owners also use the same passwords to log into different systems in both business and personal affairs.

Tips on Promoting Security

There are many solutions that can be taken to help keep the workplace safe. One of the first of these is to implement a strict, written set of security guidelines. Enforcing physical restrictions to personal data is also recommended. Destroying older data in a more timely fashion can also help resolve many security risks. Generally raising security awareness in the workplace by training and educating employees in proper and improper behavior can be a good idea. All business owners and leaders are strongly encouraged to become more vocal about security in the workplace.

Employees and Specialized Training

Proper information and security training on a professional level can also help reduce the frequency and severity of security breaches. Over thirty-seven percent of employees had received mobile security training, while over forty percent of employees had received information sharing training. Increasing this number can help spread security awareness in the workplace on a much more efficient level, and businesses are encouraged to introduce some type of professional training program.

Current Bring Your Own Device Practices

Fortunately, while there is room for improvement in many companies, management professionals are also looking into ways to help improve Bring Your Own Device standards and practices. Over forty percent of companies currently consider mobile device insecurities to be a large security concern. Fifteen percent of employees believe that they have minimal, or practically no, responsibility to safeguard the personal data stored on their devices. This type of thinking is what encourages security risks to occur in the first place. As a result, there is going to be an expected increase in security strategies of upwards of sixty-four percent for employees concerning the use of their personal devices over the next twelve months.

Information Security Recommendations

Numerous security recommendations are already being considered by many companies and many businesses are planning on introducing more data leakage protection to help control what data mobile employees will be able to send through Bring Your Own Device practices. This can help prevent the transfer of regulated data through unsecured apps. These plans can also help prevent employees from accessing data on unsecured devices, or transferring unsecured data on their own devices. Future demands will also require owned devices to have a password necessary in order to access the stored data. Many training programs are also going to be planned as well, which will inform employees of the necessity of adhering to, and enforcing, data security regulations.

The following blog post was originally posted here and is reposted with the author’s permission.


Mike McBride Technology Expert

A technology expert with many years of experience spanning the healthcare sector, cyber security, education, marketing, and online commerce. I've spearheaded web projects for Fortune 500 companies, as well as coordinating strategy for small companies to leverage their resources in order to compete alongside industry leaders.

 

Gearing Compliance to the Tasks at Hand


Introduction

The following blog post was originally posted in the Richard Bistrong Front-Line Anti-Bribery Blog at www.richardbistrong.com and is reposted with his permission.

I recently had the opportunity to travel to Chicago for my first SCCE Compliance and Ethics Institute (CEI), and attended a session, “Keeping Compliance Simple,” which was led by Ricardo Pellafone, CEO, The Broadcat (www.thebroadcat.com) and John Partridge of Gibson Dunn. It was an engaging session, and it gave me an opportunity to reflect on their work in the context of some recent corporate engagements.

What first caught my attention was when Ricardo started the session by sharing that a compliance training program needs to address “the tasks at hand” to those on the front-lines of business. Does that sound obvious? Well, when we look at the complex challenges facing compliance and commercial teams, it might not be. Thus, I think we should heed Ricardo and John’s reminder that an engaging compliance program is one that’s calibrated to help people execute with what they have been charted to do. Big and small.

In other words, as Ricardo well states, “give people something they can look at while they are doing their job.” I think that’s excellent thought leadership and advice. Do you expect your commercial teams to be subject matter experts on anti-bribery laws, facilitation payments, and export compliance, to name a few; or, would you rather give them something that they can read, reference, and which serves as a guide and guard-rail to their missions at hand? Ricardo’s right when he shares that “training around risk is problematic,” but compliance training which is oriented towards task completion and simplicity is a compliance program which is an active tool at the field level. And isn’t that what we want?

A few weeks after the CEI, when presenting to a multinational, I had the opportunity to hear the CEO share some of his vision for growth, which inspired me to reflect on the ‘simplicity’ panel (FYI, when a CEO presents to a compliance/commercial team event, that’s a very loud spoken and unspoken message). When addressing corruption risk, he counseled the teams to “have a clear-eyed view of the risks you face before you’re in the middle of them, understand the resources available to make decisions, and then know how to engage.” If I had to think of one sentence which encapsulates what a simple yet resonating compliance program should look like at the front-lines of business, that would be it. While execution might not be so painless, having a compliance program which takes complex laws and regulations, and then translates them into how they apply to real-world scenarios, is a compliance program that comes to life.

Remember, when you hired those on the front-lines, you probably looked for individuals who could aggressively, ethically and compliantly execute on business growth and strategy. You might have even on-boarded some with risk-taking in their DNA. Thus, while it sounds easy to pronounce “grow the market, take risks, but don’t break the law,” don’t those same teams deserve a compliance program which is simple, makes sense to their work, and which they can reference as a guide to success: One task at a time.


Richard Bistrong Vice President

I was the sales and marketing Vice President in the Law Enforcement and Defense sector for over fifteen years, most of which was as VP for International sales. A fourth generation founding family member of one of the world’s premier brands of bullet resistant armor. I got educated in Foreign Policy, UVa, Masters of Arts, 1987. Studied at the Institute for European Studies, Vienna, Austria, 1983. Worked as a Confidential Human Source (CHS) and Cooperating Witness for the United States Department of Justice, Federal Bureau of Investigation. Served with the City of London Police, HM Revenue & Customs (HMRC) and Crown Prosecution Service (CPS) in a covert and cooperating capacity. Received Immunity from Prosecution from the United Kingdom. Currently, a recognized consultant, blogger, and speaker in the field of anti-bribery compliance, reflecting on front-line issues which impact international business teams and compliance personnel.

 

3D Printing – Boon or Bane


Introduction

The 3D printing market is growing at an average of 35% CAGR, and is set to quadruple to $12.5 billion by 2018 from $3 billion in 2013 (Wohlers Associates 2014 report). At the same time, organizations face heavy penalties and damage to brand and reputation due to risks associated with 3D printing. For instance, mishandling of patient information through 3D Printed software and associated violations of HIPAA compliance has already resulted in $9 million in fines for US-based companies in the last year alone.

Consumers around the world are converging on newer technologies that allow customization and immediate product delivery. Just as e-commerce companies have done for consumers, will 3D Printing do the same for organizations?

The 3D Printing industry emerged in the 1980s, then known as Additive Manufacturing, for product development and rapid prototyping. With new technologies in design and faster printers available, the trend has quickly shifted to mass production. General Electric, as a part of the LEAP project, started to mass produce close to 25,000 aircraft fuel nozzles using 3D Print technologies. Similarly, USPS has partnered with 3D Print Service providers and is planning to purchase printers onsite in order to deliver packages, printed in 3D, to consumers when they need them. This service from USPS will add $485 million in incremental revenues.

To meet this increased demand, organizations small and large are either providing 3D Printing as a service, or manufacturing 3D Printers. For example, HP has been relying heavily on the sales of its 2 newly launched 3D Printer models (HP3200 and HP4200) in May 2016, making up for its declining PC and 2D printing business. Additionally, several startups have received funding to leverage the potential of this growing market.

3D Printing is set to disrupt the Manufacturing industry; however, organizations are cautious about adopting this technology because of upfront costs, design complexities, increased raw material costs, and slow print speeds.

While the market demand, potential and revenue upsides are high, the risks associated with 3D Printing must not be ignored.

  1. Cyber Security

3D Printers work by accepting a CAD/STL design file while the printer is connected to the Internet over Wi-Fi. This makes it possible for hackers to inject a virus into the design file, which can change the orientation of the print head. As a result, the printer could produce products of low quality – in such cases, organizations may have to recall the product and face impact to their brands and reputations.

  2. Counterfeit

Using 3D Printing technologies, products can be duplicated easily and exported as the originals. These counterfeits can pose security risks and can infiltrate the supply chain. Blueprints of the products can get into the hands of attackers through the CAD/STL file, which could have a disastrous impact on the company and its relationship with consumers.

  3. Supply Chain

3D Printing technologies are set to disrupt the Supply Chain for many organizations, as their products will now be available at the point-of-use as raw materials. This will be difficult to regulate, especially in the healthcare industry, where the FDA recommends design controls from the point-of-origin in manufacturing to when the product leaves the facility. In the case of 3D printing, it is unclear what will be regulated – is it the CAD file leaving the facility, or the part that was printed at the point-of-use?

  4. Intellectual Property

Just as the music industry suffers from piracy, the 3D printing industry is vulnerable to similar threats. File sharing will become common online and can cost organizations billions in the loss of IP file designs, which can also lead to counterfeiting. This is not common right now, but it is a serious potential risk that we must be mindful of as the market matures.

  5. Drugs

The healthcare industry needs to be cautious when using 3D technology, as patented drugs can be printed by illegal drug manufacturers. Researchers used a sub-$2,500 MakerBot 3D printer to manufacture illegal drugs, and to fabricate tiny implants with certain chemicals, which will release specific drugs when placed into the human body. If this isn’t tightly managed, the potential for disaster could be huge.

  6. Weapons

Anyone with CAD/STL design skills can create input files for 3D Printers. Criminals can get access to such files online for producing guns at home. In 2013, a law student from Arkansas printed a gun from a 3D Printer. The design file used for the gun was made available online, and was then downloaded over 100,000 times around the world, before the State Department ordered it taken down.

There are great opportunities with 3D printing technology, but understanding its implications and risks, and regulating the process and execution, is critical. Public and private partnerships are needed here, to help us realize the great potential of this growing market, while protecting consumers and organizations alike from the risks at hand.


BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 


Walking The Line Between Personalization And Privacy


Introduction

2017 promises significant shifts in retailer tactics as they embrace more intimate conversations, leveraging the power of digital devices, analytics and channels. Walking the fine line between becoming a trusted advisor and intruding on customers, with perceived (or actual) privacy violations, will become as much of a science as it is an art in today’s world.

Here’s a look at the top five trends that will impact the retail industry in 2017.

1. Beyond Mobile Payments: Enhancing The Personal Shopping Conversation

Retailers will provide innovative mobile apps to enhance customer experience, going beyond simple payments to establishing a virtual, real-time, personal shopping conversation — for example, notifying sales associates of a drive-through pickup or return. Retailers will equip associates with mobile devices to reach out to in-store customers, track real-time shopping behaviors and send curated offers while blurring the line between online and in-store shopping.

2. Predicting The Path To Purchase And Preference: Blurring The Line Between Online And In-Store And Satisfaction Based On Actual Use

Omnichannel will reach beyond purchase into actual use as retailers unify online, offline and Internet of Things analytics to understand the 360-degree view of an individual’s needs and behavior and gain insight into preferences. Correlation analysis throughout the shopping journey will increasingly be used to predict an online or offline purchase, using browsing history, reviews read, social media networks and favorites on sites like Facebook or Pinterest — blurring the line between online and in-store shopping. The focus will shift to helping impatient buyers make faster decisions, and at the same time build long-term loyalty. Most importantly, the Internet of Things will become increasingly critical in providing insight into how products are being used after purchase and predicting a repeat purchase or recommendation.

3. Frictionless Convenience Rules The Wallet

Understanding customer needs, wants and behaviors will drive retailers to strengthen the relationship by using partnerships and connected devices to create a frictionless, real-time experience. Retailers will use devices to reach out to in-store customers, track real-time shopping behaviors and send curated offers while establishing a virtual, real-time, personal shopping conversation. This will be bolstered by a rise in subscription services that provide clear value and build trust, like Amazon Dash, 1-click and Amazon Prime. Retailers will leverage partnerships that capitalize on trust built with complementary, highly trusted brands to provide convenient buying experiences. We will see a rise in combined offers for a specific need – travel, hiking or formal attire — complete with personalized rewards.

4. Privacy Is A Two-Way Street

Consumers will begin to react to privacy concerns that arise from more intimate, personal conversations with their trusted retailers, with whom they allow tracking and analytics. Retailers will need to provide more transparency into actual analytics and increasingly allow consumers to participate in the co-creation and selective editing of their own profiles, going beyond simply opting in to how information will be used. In addition, retailers will need to provide tangible assurances that consumers’ private information is safe, as new cyber threats emerge that target mobile and Internet of Things devices. Innovative retailers will start to show how their app experience protects data in smart devices.

5. ‘Security by Design’ Throughout The Supply Chain

As consumer data accumulates from the shopping experience, through the supply chain into warehouses and out into the home through the Internet of Things, unencrypted transmissions and card-not-present transactions will present opportunities to hackers to steal personal data captured along this chain. Retailers will start to cooperate and adopt ‘Information Security by Design’ principles, building security deep into processes as opposed to bolting security monitoring onto processes after the fact.

Stay tuned for some astounding innovations by both retailers and the technology vendors that support them. And don’t forget that we are an essential part of these equations. As consumers, we co-create and influence innovations as they unfold in the landscape of our shopping experiences by staying engaged and, ultimately, voting with our (mobile) payments.

The original blog was published via Retail Touch Point. View it here.
