governance

D&O insurance costs rising

Jim Kim — Wed, 20 Aug 2008 17:55:31 -0400

We've noted that boards of top financial firms haven't really been held accountable for the turbulence over the past year. But the subprime crisis is hitting home in another way: rising D&O insurance costs. Financial Week notes that so far, only banks and financial services firms have been hit with rising costs--for good reason. But the number of subprime suits has exploded, and soon other industries may feel the inflationary ripples. In the wake of the Enron scandal in the early 2000s, the cost of D&O insurance rose 260 percent over two years, driven mainly by lawsuits and the fear of lawsuits. This at a time when most directors feel the need for more Side A coverage, which reimburses directors and executive officers when lawsuits are not covered by other insurance policies.

For more:
- here's the Financial Week article

Top 10 ERM-GRC myths

Jim Kim — Mon, 28 Jul 2008 12:59:00 -0400

A lot of companies have moved to augment enterprise risk management platforms with dedicated governance, risk and compliance (GRC) solutions. That trend isn't going to disappear anytime soon, but some companies will likely come away disappointed with the results. It's fair to say that automation can seem like anything but in a lot of cases. Newsfactor.com offers a list of 10 ERM-GRC myths. I'll mention a couple here. Myth No. 9: CIOs embrace GRC--while this is literally true, it's also true that many parts of the organization were standardized on a common GRC platform, leaving piecemeal approaches intact. Myth No. 5: Traditional audit planning is good enough--you can't afford to scrutinize everything. "Is it worth tying up valuable stakeholders in management and on the audit committee to assess the risk inherent in the coffee procurement process for a remote sales office?" Fortunately, AS5 sets a good tone on this issue.

For more:
- here's the entire top 10

IT folks struggling with compliance, still

Tue, 20 May 2008 06:59:59 -0400

Is anyone really surprised by this? A recent survey by Shavlik Technologies (vendor survey alert!) has found that IT professionals are still struggling with compliance issues, according to Redmond Channel Partner Online. The survey, which asked questions of attendees at RSA Conference and Infosecurity Europe, said that "the No. 1 difficulty among IT pros was finding an all-encompassing approach to tackle vulnerabilities, protect data and meet compliance objectives--all while doing that pesky thing: their actual jobs." This situation stands to get even worse as budgets shrink. The to priorities are not surprising: 1) Data protection, integrity and information leakage, 2) Internal network security, and 3) IT policy and governance. If there is some sort of breech, you can bet the IT will be among the first questions. They know this all too well.

For more:
- here's the article

Primer: GRC software market

Tue, 13 May 2008 06:59:59 -0400

AMR Research projects spending on government, risk and compliance applications and services will top $32.1 billion in 2008, up 7.4 percent from 2007. In 2009, growth is projected at 7 percent. In a really tough IT spending environment, these are pretty good numbers. This will be a front-burner issue for a lot of folks, so it never hurts to recap what the niche is all about. These software packages started out as Sarbanes-Oxley compliance applications. Financial controls are still key, but the feature set has expanded, notes Financial Week. The list includes "legal (email retention, data privacy), environmental (greenhouse gas inventories), financial (capital adequacy), and technology (IT governance)." Increasingly, the big boys--SAP and Oracle--are moving in with encompassing applications.

For more:
- here's the Financial Week primer

Internal auditors expanding scope of duties

Tue, 13 May 2008 06:59:59 -0400

It's fair to say that in the Sarbanes-Oxley area, internal audits focused on financial risks and related controls. But some have discerned that this focus came at the expense of other issues, such as operational and non-financial IT risks. Now, says Financial Week, the pendulum seems to be swinging back. PwC, among others, thinks internal auditors can "leverage" AS5 to focus on other areas, such as hiring and retention risks, and governance risks. This seems to be underway. PwC has found that the percentage of internal audit groups that dedicated at least half of their resources to Sarbox compliance decreased from 41 percent to 27, the article notes. This likely will be a big-company trend. Smaller companies just ramping up can likely afford anything other than a strict financial focus.

For more:
- here's the Financial Week article

GRC initiatives gaining, compliance still a must-do

Tue, 01 Apr 2008 07:59:59 -0400

We've discussed the idea that compliance initiatives can yield strategic benefits, if done right. A new survey from AMR Research seems to suggest that more companies are getting on board with this idea. Companies will spend more than $32 billion on governance, risk management and compliance (GRC) in 2008. That's an increase of 7.4 percent over 2007. Meanwhile, spending on Sarbanes-Oxley compliance is expected to grow only 2 percent to $6.2 billion. What to make of this? The fact is, that a lot of GRC investment relates to Sarbox compliance. Rather than a Sarbox-specific project, why not include the project as part of larger, more strategic, deployment? Risk-management, intimately related to Sarbox, is seen as a big driver behind the trend.

For more:
- here's the release

Related Articles:
CFOs face complex GRC software decisions. Article
Will the economy zap compliance issues? Article
GRC software seems to be rising. Article
Oracle aims for GRC eco-system. Article

CFOs face complex GRC software decisions

Tue, 26 Feb 2008 06:59:59 -0500

Most people assume that so-called GRC software--governance, risk and compliance--will continue to gather steam, as big boys like Oracle and SAP continue their marketing. It makes sense to automate compliance and risk issues, but the reality of this nascent field is that there really isn't a single point solution. Sure the big guys offer lots of functionality, but you have to weigh that against your budget and specific needs. There are plenty of small vendors out there leaving their marks. Movaris, for example, recently was bought by Trintech, which will round out its service offering for CFOs. John Hagerty of AMR makes the point that most GRC solutions are bought and implemented within silos. While all companies want to offer a complete set of services, the reality is that most companies will have to mix and match to get their optimal solution.

For more:
- here's a note from Hagerty

GRC survey reveals needs

Tue, 30 Oct 2007 07:59:59 -0400

Government, Risk and Compliance vendors have slowly been making headway in making their case to big companies. The Open Compliance and Ethics Group (OCEG) has released its 2007 Governance, Risk and Compliance Strategy Study and the results are interesting. Half of the survey respondents said they have had recent compliance failures that have "caused damage or loss." In many cases, this put managers in a reactive mode that led to short term change that could not be sustained. Sound familiar? Perhaps one benefit of GRC platform is that it allows for long-term changes. Most executives buy into the idea of GRC, but that doesn't mean it will get deployed. It may have to wait until the pain of the disparate as-we-go approach exceeds the cost of deployment.

For more:
- here's a summary from the OCEG

Related articles:
- It pays to think about compliance broadly
- GRC software seems to be rising

Oracle continues to add compliance features

Tue, 16 Oct 2007 06:59:59 -0400

Oracle is a great example of how big IT vendors have ridden the compliance wave. Clearly, Oracle along with IBM and others sense a certain demand out there, which frankly would be hard to miss. Oracle at least seems to be counting on most clients to opt for add-ons to existing products rather than deploying standalone GRC apps, which seem to be multiplying nevertheless. Oracle's latest GRC suite move: It has announced a deal to buy LogicalApps, which markets an Active Governance suite that enables prevention, monitoring and reporting of financial and operational risk, according to ITworld.com.

For more:
- here's the article

Related articles:
- IT Watch: Oracle continues to focus on compliance
- GRC software seems to be rising

Software piracy wanes in part to Sarbox

Tue, 16 Oct 2007 06:59:59 -0400

Ah, the good old days when software licenses meant nothing. For big companies anyway, Sarbanes Oxley has led to a clamp down of sorts. And that's a good thing. Most agree that piracy is much less of an issue for companies that have to comply with Sarbox, which has forced many to get serious about IT governance-related issues. It remains to be seen whether smaller companies will similarly crack down. The anti-piracy trend also reflects some stepped-up enforcement of course. But here is one hardly predicted consequence that is actually good news, for software vendors anyway.

For more on software piracy trends:
- here's an article from SC Magazine

Related articles:
- Software-as-a-service and Sarbox: Good match?
- State of compliance: Automation catching on?