The Forrester Wave is one of the most respected analyst reports, helping organizations make informed technology purchases. For the report, Forrester conducted a rigorous 23-criteria evaluation of 14 GRC technology vendors. In addition to this review of current GRC offerings, the report also offers a look at GRC trends, such as regulatory compliance issues and emerging risks.
Here are our five key takeaways from the report.
Download the full report for more detailed product evaluations, feature comparisons and industry analysis.
1. ‘Riskonnect GRC includes support for 72 languages, strong workflow, and extensive dashboarding and reporting.’
Forrester ranks vendors in four categories. These categories are challengers, contenders, strong performers, and leaders. Riskonnect was recognized in the leaders category. According to Forrester, “Riskonnect is an appealing option for Salesforce.com users and deserves a look on its own for its solid GRC capabilities.”
“Riskonnect leverages the Force.com platform for its functional foundation,” says the Forrester report. “Riskonnect built its GRC offering on the Force.com platform, which in essence means the engineers of Salesforce actively work to develop and maintain the product’s underlying capabilities.”
Forrester also noted that Riskonnect’s use of the Force.com platform “… allows Riskonnect to focus on use case development, content, and analytics for GRC.”
2. Pure SaaS GRC vendors viewed as business partners
“Customers of SaaS GRC vendors note that these companies are hyperengaged and help them improve their GRC program with a continuing business relationship well beyond implementation,” Forrester states in the report.
Being a partner rather than just a provider has always been the aim of Riskonnect. We want to help clients reach their long-term GRC goals and continue to introduce innovative products to support their initiatives and provide the best user experience possible.
As a pure SaaS offering, we are positioned to deliver agile, low-code configurable solutions with speed and at a lower total cost of ownership in comparison to providers that are not pure SaaS. Learn more about our Force.com platform.
3. Regulatory fines are skyrocketing
“With the uncertain regulatory landscape, managing compliance is becoming a challenge for most risk managers,” says Forrester in the report.
To help our clients successfully ensure regulatory compliance, our Regulatory Compliance Management solution includes functionality that helps automate processes, improves data integrity and enhances visibility of regulatory adherence across the organization.
For example, with automated control updates from the Unified Compliance Framework, organizations are able to conduct side-by-side comparisons between old and new regulations.
Eliminating documents and spreadsheets stored in email and streamlining highly manual compliance processes result in better implementation and reduce the chance of errors.
4. Key differentiators are cloud, analytics and customer support
“Vendors that can provide cloud, analytics, and customer support position themselves to deliver successful risk management programs to their customers,” Forrester states in the report.
A cloud-based platform, Riskonnect scored well in both the analytics category and the ability to provide excellent client support. In 2017, we introduced Riskonnect Insights, which provides the intelligence needed to power effective integrated risk management by surfacing, connecting and communicating risk information in ways that drive faster, smarter business decisions.
5. New risks are being introduced all the time
“The shared economy business model stands out because of its amplified regulatory, strategic, and operational risks,” says Forrester in the report.
With Riskonnect’s acquisition of Aruvio, we have immediately enhanced and expanded our suite of GRC solutions to help simplify and automate all your current compliance and risk management initiatives and easily adapt to those that arise in the future.
We would be remiss if we didn’t thank all our clients, partners, and global community who have helped Riskonnect grow. We’re more motivated than ever to help integrate all risk management efforts across your organization through our solutions to reduce costs and enhance value.
Riskonnect announced today that research and advisory firm Forrester Research, Inc. (NASDAQ: FORR) has named global Integrated Risk Management vendor Riskonnect a Leader in The Forrester Wave: Governance, Risk, And Compliance Platforms, Q1 2018.
The report, the most rigorous and influential source of vendor reviews for corporate governance, risk management and compliance buyers worldwide, is based on a 23-criteria evaluation, briefings, demos, customer surveys and interviews.
Forrester assessed the GRC vendor landscape and invited only 14 vendors to participate. In its debut within the report, Riskonnect achieved a Leader designation, which only six other vendors in the evaluation received. Criteria for selection and scoring included the vendors’ ability to support a wide range of GRC capabilities, requirements and use cases as well as their market presence and relevance.
“Riskonnect built its GRC offering on the Force.com platform, which in essence means the engineers of Salesforce actively work to develop and maintain the product’s underlying capabilities. Among many benefits, this means Riskonnect GRC includes support for 72 languages, strong workflow, and extensive dashboarding and reporting,” stated the Forrester report. “Riskonnect is an appealing option for Salesforce.com users and deserves a look on its own for its solid GRC capabilities.”
Riskonnect earned the highest possible score in the following criteria: End User Experience, Risk and Control Management, Integration Capabilities, Organizational Context, Document Management, Input/Output, Distribution and Communication and Language Support.
“We believe this report further validates Riskonnect’s ability to consolidate and integrate risk management solutions to reduce costs and enhance client value,” said Roger Dunkin, Riskonnect’s co-founder and vice president of development. “We believe Forrester recognized the value our platform brings to organizations in every industry and around the world.”
Companies often struggle to justify investing in a governance, risk management and compliance (GRC) solution. It’s tough getting buy-in from senior executives to automate compliance, security, quality, safety programs, etc. They “know” they need to do it, but it never seems to reach the priority queue. Why?
In traditional financial justification, you look to balance the total investment versus the return in terms of hard cost savings or soft cost impact on the business. Or you may look at dollars invested versus the increase in revenues, etc. This is all well and good when those can be calculated, and much easier in revenue generating departments where there is a direct impact on the business.
But what about parts of the business that aren’t customer facing? What about the departments that are so back office that no calculable return could justify the investment? We are not going to fire anyone by automating X, so the return-on-investment argument for automating a process is bunk. So what happens?
Either the fear of something terrible—like a lawsuit, fines, or penalties—is sufficiently tangible to trigger action, or the investment doesn’t get made. You almost have to be in a lot of pain or be facing some stiff financial costs to get this to rise to the top: “The hospital in the next county just got fined some serious dollars for a lapse in process. We gotta do this!”
In short, the risk of failure in a normal ROI calculation skews the equation. However, we can fool ourselves into calculating odds of success or costs. Just because you have a 2 percent chance of dying doesn’t mean the cost of failure is not real.
For example, skydiving out of a perfectly good plane with a low percentage chance of the chute not opening doesn’t make it safe. You are putting your life on the line. That is why even the best experienced instructors have someone else check their chute. That is why they follow best practices. That is why they carry a second chute. Things don’t go bad often, but when they do they can be catastrophic.
GRC as a category of programs is similar in that most companies can get by doing the bare minimum. But, the investment model is skewed. Leaders underestimate the impact of a failed GRC program, believing it’s more efficient and cost effective to remedy any problems that arise, than to invest in preventative measures up front. This could be a dangerous under-estimation.
Return on failure (ROF) is often catastrophic to the business, our customers, society, or more real to people who are involved in the process. Insurance is a good example of ROF. I get no tangible value from insurance until something bad happens. Then it is supposed to kick in to prevent failure. Could your ROI justify insurance based upon the cost versus return if nothing happened?
GRC is becoming a more critical component to business. Not just because regulations are increasing; or because auditors are becoming stricter; or because fines are becoming more stringent; but, because all of these things are pushing up the ROF. The percentage of something bad isn’t increasing. The cost of failure in the process of preventing catastrophes is becoming more expensive.
Riskonnect’s Jay Lechtman contributed an article to the February 2018 issue of Compliance Today. The article, titled Maintaining HIPAA compliance as OCR modernizes: Two questions to ask, discusses how updates to the Breach Reporting Tool are an opportunity to examine the systems your organization uses to report privacy breaches. Download the article.
New York State’s cyber security requirements for financial companies influenced NAIC’s model law.
NAIC’s model law is different from an enacted law.
Insurance businesses should subscribe to specific cyber security practices.
Company boards are expected to take the lead when it comes to cyber security efforts.
Ultimately, the NAIC framework for maintaining a solid information security program focuses on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cyber security event—all areas where risk management technology can help, whether you’re the insurer or the insured.
While risk management technology is not security software, per se, it certainly can help with an organization’s cyber security efforts—institutionalizing the cyber security framework and automating all related tasks to ensure it’s a true line of defense.
Risk management technology assists with ongoing risk assessment
Ongoing risk assessment actually requires its own framework for continually assessing risks; identifying risk owners; and easily configuring and sharing data. It also requires being able to evaluate real-time data, instead of rear-view data.
The right risk management technology can automate all workflows associated with assessing risk on an ongoing basis, including alerting stakeholders of tasks they need to complete in the interest of data security.
In fact, the configuration, workflow and collaboration capabilities can be so simple within risk management technology that streamlining daily tasks and repeating processes becomes as easy as a few clicks.
If it’s cloud based, such technology can further enable ongoing risk assessment by automatically collecting, updating, formatting and disseminating data in real-time. This results in spending less time manually consolidating data across the enterprise. Even more, data will be dynamic—updated and visualized in real time—so you spend more time acting and less time reacting.
Risk management technology assists with managing third-party service providers
If another cloud-based technology vendor sounds like one more opportunity for cyber attacks, you’re right: Fewer technology vendors can actually mean improved data security.
With fewer applications or systems to manage, and less burden on your internal server, your IT department might have more time to focus on broader cyber security efforts that will make more of an impact. Plus, fewer applications likely means less risk of one or a multitude of those applications causing a breach or falling out of compliance.
However, instead of viewing risk management technology as another third party tech vendor on the list, you should view it as one of the few broad solutions out there with so much power that it can actually consolidate a whole host of other vendors.
Risk management technology by its very nature is built to span across a variety of departments and business challenges. Just as organizational risk is broad, so are the solutions housed within a risk management information system.
In fact, risk management technology can oftentimes replace the following solutions (and more) that are singular offerings from some vendors:
Risk management technology can assist with reporting cyber security events
Preventing cyber events is obviously important, but meeting data security compliance requirements is just as critical…and difficult.
IT compliance is a specialized set of activities to ensure that an organization meets the requirements of contractual obligations and government-imposed IT regulations for the protection of data assets and processes. Failure to adequately perform this function can result in substantial fines and contractual penalties, as well as loss of business.
Risk management technology features that can help mitigate these risks include: a full audit trail of all compliance activity, including attestations; an unlimited asset register with relationships used to define location, possession, configuration, software, etc.; solutions that are fully configurable to your organization’s requirements; and reports that enable quick identification of all instances of any asset type.
Risk management technology can also assist with automatically triggering your disaster recovery plan in the event of a breach—alerting stakeholders of the event and next steps accountable individuals need to take.
Not only will a well-oiled and timely approach likely help with reputation management in such scenarios, it could help with compliance, too, as requirements are increasing globally for how data and subsequent breaches must be handled.
Adopt processes and tools that can spare your business financial peril
According to 2018 risk forecasts, cyber security is a top concern for organizations this year. Those businesses that adopt processes and tools that can help mitigate cyber risks by enabling ongoing risk assessment, third party vendor management, and compliance and reporting are best suited to survive these often financially damaging events.
Focal Point Data Risk, LLC (Focal Point) and Riskonnect Inc. (Riskonnect), two leaders in the competitive Integrated Risk Management (IRM) space, today announced a strategic partnership that aligns Riskonnect’s best-in-class IRM software solutions with Focal Point’s implementation and risk management consulting services.
Gartner predicts that by 2021, half of large enterprises will use an IRM solution to provide better decision-making capabilities. This transition, driven by business leaders looking to understand the full scope of their digital risks, will require IRM solutions with robust feature sets and consulting partners able to implement and integrate these systems across the business.
“This partnership puts Focal Point and Riskonnect in a unique and advantageous position. Both companies are on the leading-edge of the IRM changes, and together they solve some of the most pressing concerns of today’s business leaders,” said Jannie Wentzel, Focal Point’s eGRC practice leader. “This combined offering, leveraging the best features of two great organizations, allows our clients to benefit from increased risk visibility, better decision making, and streamlined compliance.”
Riskonnect’s highly configurable technology is ideal for forward-thinking organizations facing increased scrutiny and accountability for corporate governance, strategy and strategic risk. Their solutions facilitate the ability to plan for and respond intelligently to all risks that could potentially harm an organization and its competitive position, damage corporate reputation and/or restrict strategic growth.
“We’re excited to formally begin this partnership with Focal Point. Demand for our Integrated Risk Management solutions continues to grow, and Focal Point is the right firm to assist our clients with integration into their business,” said Riskonnect’s vice president of strategic marketing, Quin Rodriguez. “Integrating IRM solutions into your business is the key to elevating your risk management program, and we’re committed to working with Focal Point to bring this offering to as many organizations as possible.”
Focal Point is an experienced provider of enterprise GRC (eGRC) and Integrated Risk Management services. Focal Point assists clients with platform implementations, customized integrations, and a full range of project management services. Focal Point also regularly helps organizations set up GRC governance structures, develop GRC frameworks, and build process implementation roadmaps.
Winter weather has arrived, dumping measurable amounts of snow across the nation and creating problems for businesses unable to operate at full capacity. This is especially problematic in those parts of the country where such weather isn’t the norm, and the communities are ill equipped to manage through snow and ice.
Winter Weather Woes
Impassable roads, electrical outages and delayed services are all common struggles tied to winter storms. They can also be a recipe for disaster for businesses if their operations are interrupted—including their revenue-generating business hours, supply chains and property functionality or accessibility.
Organizations that are not adequately prepared to rapidly address a disruption in their business—regardless of whether it stems from snow or any other unanticipated problem—run the risk of experiencing long-term damage to operations and reputation, some of which cannot be overcome.
But even those businesses that stay up and running during inclement winter weather are not immune from weather-related claims, including worker, customer or vendor injuries that stem from slips and falls on icy premises; or damaged commercial fleets that result from auto accidents on slippery roads or in areas with limited visibility.
These very real challenges demonstrate the importance of having business continuity and safety management plans in place—helping to ensure your business is resilient in the wake of unpredictable winter weather.
Still, even the most solid planning won’t be enough if you don’t have the processes and tools in place to execute on those plans to truly mitigate disaster. But that’s where risk management information technology can help—automating your business continuity and safety plans so they are easier to mobilize, as well as streamlining the incident reporting and claims process for those events that do occur when winter weather strikes.
Risk Management Technology and Business Continuity in the Wake of a Winter Storm
First and foremost, the right risk management technology will automate your entire business continuity plan—automatically triggering alerts of impending emergencies (like a winter storm), as well as triggering workflows that set emergency action plans into action.
Here’s how it works: Geocoding technology within a risk management information system can pinpoint information specific to an organization’s business—like properties, locations, key vendors, means of transport, key personnel or any other location important to a business. From there, the system can then determine any properties and/or vendors that may be in close proximity to an event type, such as a winter storm.
Once that’s determined, the system will then mobilize the predetermined emergency action plan that your organization thoughtfully created and embedded within your risk management information system. Stakeholders will be notified of next steps, and as they complete and report completion of their assigned tasks within the system, the next steps will be triggered.
The continuous flow of information allows everyone to stay on top of their emergency plan-related assignments, as well as anticipate problems and take corrective actions sooner—such as diverting your fleet away from the storm; engaging a backup supplier if your typical supplier is at risk of not being able to deliver; or ensuring property maintenance crews or vendors are prepared to address any facility issues that could hinder operation.
The functionality doesn’t stop there, though. Beyond automating and streamlining emergency preparedness plans to keep your business up and running, the right risk management technology can also help automate and streamline how you capture any incidents or manage any claims that might stem from winter weather.
Risk Management Technology Helps Reduce Liability in the Wake of a Winter Storm
Unfortunately, when mother nature strikes, incidents and accidents can still occur, despite well thought out emergency planning and execution of those plans. For instance, workers, vendors and even visitors can slip and fall due to icy conditions on your organization’s premises. This can lead to expensive claims and even legal action if such incidents are not well documented and well managed.
First, from an automation perspective, the right system keeps communication about an incident or claim flowing—automatically notifying organization stakeholders of any incident or claim, and enabling consistent and timely communication among the organization, claims professional and the injured party.
This will enable you to intervene faster, ensuring the injured party is getting the right medical attention and feels the organization is vested in his or her recovery. It will also help to keep claims moving so they can be closed faster. In effect, injured workers, vendors or visitors are less likely to feel like your organization has forgotten about them or is trying to keep them in the dark regarding their claims—feelings that can often result in injured parties taking legal action.
From an analytics perspective, the right risk management technology will also be able to benchmark a claim against other similar claims, and then trigger alerts regarding potential outlier claims. This can help you to identify riskier claims that can spiral out of control because of costs, as well as potentially help you identify fraudulent claims—reducing your claims costs and legal liability.
Don’t Get Left Out in the Cold
When Old Man Winter rears his ugly head, risk management technology can help ensure your business isn’t left out in the cold by keeping your business continuity plan on track and reducing liabilities that might stem from injuries related to snow and ice on your property.
An estimated billion people use Excel. Clearly, the business community has bought into its effectiveness. And it’s no wonder: Excel has many great features. However, when it comes to managing Governance, Risk and Compliance (GRC), spreadsheets can actually be a dangerous tool.
GRC is not a singular challenge for organizations. In fact, governance, risk and compliance are merely categories for a whole host of challenges and risks embedded within each of those categories. While there is no universally accepted definition of GRC, its three elements are usually characterized roughly as follows:
Governance refers to the overall management processes of a given organization, which is essentially driven by the senior management (C-level) team.
Risk Management refers to an organization’s attempts to identify and analyze threats to its operations. Often, these threats involve failure to conform to government regulations.
Compliance refers to corrective actions made by the organization to mitigate risks that have been previously identified.
That being said, GRC is complex. And if you’re using silo-inducing spreadsheets, which “speak the language” of only one department or one type of data set in each document, the likelihood of being able to manage through that complexity is almost nil. Here are three reasons spreadsheets actually get in the way of managing GRC:
They are difficult to manage.
They are prone to errors.
They do not provide a chain of evidence.
Spreadsheets Are Difficult To Manage
Searching a spreadsheet is easy. Searching many of them, not so much. With that in mind, are reams of spreadsheets an effective way to find information? Not really. Of course, you could always consolidate your many spreadsheets into one, but this is just as labor intensive.
It’s likely your risk and compliance team members spend an enormous number of hours constructing, posting, editing, and reporting via spreadsheets. It’s critical work, but is it efficient? Or cost effective? Or easy to build good reports? And finally, do they scale well? More often than not, the answer to these questions is “no.”
Spreadsheets burn through your payroll, consuming time and resources–requiring your staff to be Excel wizards instead of actual GRC experts who could be leveraged to solve critical challenges.
As such, spreadsheets either lead to a false sense of knowledge and accuracy, or, conversely, they lead to complete data distrust. Either way, poor decision making is often the outcome.
Spreadsheets Do Not Provide A Chain Of Evidence
Version control and data security are real struggles with spreadsheets. Much uncertainty exists around if and when information has been updated and who updated the information. It can leave users asking:
Is this the correct date? Or was it changed?
Is this an accurate entry? Or was it modified?
Did I make this entry? Or did someone else?
This can further contribute to mistake-laden data, as well as a lack of accountability for faulty information that could negatively impact your business.
How To Prevent Spreadsheets From Threatening GRC
Spreadsheets have many advantages, but not when it comes to managing governance, risk or compliance. Integrated Risk Management technology, on the other hand, solves for many of the problems that spreadsheets create—simply because of its design.
First and foremost, such technology operates in the cloud—automatically collecting and updating data in real time. It surfaces relevant GRC information from wherever it’s hiding in your organization; connects it with other internal and external data; and then normalizes it with data processing tools to ensure consistency among the data you’re comparing.
As such, it’s easy to access and analyze up-to-the-second risk management data with just a few clicks instead of cobbling together a bunch of spreadsheets into a mega spreadsheet that will essentially be out of date once it’s time to report.
Even more, the right Integrated Risk Management technology will be specifically tailored for managing GRC—providing a whole suite of applications to improve efficiency and consistency of all business processes and decisions related to corporate governance, risk and compliance.
Don’t let spreadsheets stand in the way. Integrated Risk Management technology can simplify and automate your GRC programs—allowing you to implement, tailor, extend and scale your GRC capabilities.
Believe it or not, we’re already a couple weeks into the new year. Have you set your professional goals or resolutions, and aligned them with the goals of your organization? If not, perhaps we can provide you with some inspiration.
But other resolutions included reducing claims expenses and launching company-wide transformation/change initiatives—excellent resolutions, both of which we will discuss, along with how integrated risk management technology can help you attain these goals.
Reduce claims expenses
Reducing claims expenses is not a surprising goal among risk, claims and insurance professionals. But it might be one that professionals are reluctant to set if they don’t have the tools or action plan in place to actually execute. That’s where integrated risk management technology comes into play.
Further, the right risk management technology can automate the entire claim management process: System workflow tasks initiate, automate and facilitate communication, actions and even analyses. All of this can decrease the length of time a claim is open, and since shorter claims are typically less expensive, you’ll be well on your way to reducing claims expenses.
Also helping to reduce claims expenses is the power of the analytics that truly integrated risk management technology can provide. Not only can the data be automatically updated and consolidated, it can be visualized and easily put into context so you can:
Identify factors that may extend absences
Quantify the impact of individual claims
Speed up detection of future high-cost claims shortly after injury by identifying current low-cost claims that are likely to increase substantially
Increase the effectiveness of claim administration dollars by focusing resources on future high-cost claims
Change management or organizational transformation is not something that can just happen. It requires focused goals, benchmarks and metrics, and organization-wide support—from the top down AND from the bottom up. It has to be everyone’s initiative, which requires transparency and tools that can support that transparency. Integrated risk management technology can help: It’s not just another siloed technology that only serves the risk management department.
Its functionality can actually meet the needs of many departments across an organization—from procurement, human resources and legal departments to safety, compliance and risk management departments. That’s why so many organizations turn to integrated risk management technology when attempting to consolidate their overabundance of technology vendors.
Integrated Risk Management Technology can surface relevant risk information from wherever it’s hiding in an organization, connect it with other internal and external data, and normalize it securely in the cloud. It can also make risk data dynamic—updated and visualized with meaningful graphs, charts, etc., in real time. Such data storytelling is critical for transparency, quality decision making and engagement.
For instance, if your organization aspires to adopt a culture of safety, such an initiative cannot live in the safety department alone. You have to arm the front lines with the ability to easily collect standardized data on incidents and accidents, as well as help them understand the importance of collecting and reporting such data.
You must also assure them that they need not fear reporting. This of course means management and leadership are on board incentivizing and promoting safety, as opposed to fear-based management around incidents and accidents. However, such an approach is more likely to resonate with management once they trust the quality of the data collected and see how it perpetuates sound decision making and impactful corrective actions.
Finally, not only does Integrated Risk Management Technology engage and empower employees, but it also has a more practical application: It enables productivity by automating and streamlining administrative tasks. This can actually lead to innovation as employees will have more time to do higher-value work. This, too, can lead to organizational transformation.
As we enter into each new year, we often spend a lot of time and energy focusing on the emerging risks that might impact our business—thinking of them as one-off challenges with one-off solutions, instead of small pieces of a puzzle.
Don’t let this be another year of fire drills and spinning wheels. Integrated risk management technology can put a single framework around the many emerging risks facing your organization, while also solving for the ever-present challenges holding your business back from true transformation.