French Caldwell is a vice president and Gartner Fellow in Gartner Research, where he leads governance, risk and compliance research. Mr. Caldwell also writes and presents on knowledge management. His research includes analysis of the impact…
by French Caldwell | May 23, 2013 | 1 Comment
As John Wheeler and I work on the updated Enterprise GRC Platform magic quadrant, I wonder what has happened to many of the vendors that used to brief us. Actually, I know where they are, and now and then I’ll see them at a trade show, or shoot them an e-mail asking for an update. I always tell these vendors to make sure they stay in touch with, at a minimum, an annual briefing. Some do, some don’t.
Not keeping the analysts up to date is a mistake. Every day I recommend vendors to clients that are looking for solutions, and often those recommendations include vendors who have a special capability, industry domain knowledge, or geographic focus, but who do not meet all the magic quadrant inclusion criteria.
Another thing I do is make sure I include vendors in other research, such as hype cycles. For instance in the enterprise GRC platforms profile on the GRC hype cycle, I include vendors who have updated me in the last year, and I remove any who have not. Same for the continuous controls monitoring profile. So the best way to get yourself removed from the “example vendors” on the hype cycle is to make sure you do not brief the analysts.
Vendors are also often mentioned in technology overview notes. Sure, I’ll reach out to try to get them to brief me for the third party risk management and social GRC notes I’m working on, but could I miss a particular vendor because they have not kept in touch? Yes, I could.
by French Caldwell | May 1, 2013 | 1 Comment
I just returned from the MetricStream GRC Summit in Las Vegas where I presented a keynote on risk management and performance. The summit was very well planned, organized, and executed. The speakers and panel participants talked not just theory but provided practical examples of the benefits and challenges of using GRC technologies to improve their risk management and compliance programs.
Last week I made a similar keynote to the Institute of Internal Auditors Quebec chapter. In both keynotes, I focused on the ERM/GRC blueprint concept that John Wheeler and I published in March. This blueprint provides a practical approach for identifying the goals of ERM programs in terms of strategic business objectives, and linking that to an underlying GRC architecture that can drive business performance benefits. After each session, attendees asked if I could meet with their boards of directors and share this concept and the strategic drivers of GRC. It’s exciting to see this very positive reaction to the idea that GRC can positively impact business value creation.
In a sidebar conversation at the MetricStream summit, an investor told me that he’s excited that GRC is becoming a true risk management platform that can integrate with processes throughout a company – he sees it as the next ERP. I agree the GRC marketplace is a good investment, but GRC platforms are not going to become super embedded in the enterprise by orchestrating risk management – they will do so by orchestrating business performance. Some vendors are starting to recognize this, and more will follow. In less than three years, all leading GRC vendors will support integrated performance and risk management.
PS — At the MetricStream GRC summit, putting my colleague Paul Proctor on a panel with Network Frontier’s Dorian Cougias was a stroke of genius — no one in that non-IT audience could understand the security geek-speak those two got into, but they were so entertaining that no one cared.
Category: GRC, Risk Management
by French Caldwell | February 6, 2013 | Comments Off
Even as the economic recovery gains momentum, risk management and compliance are still growing in importance. This trend should continue until there is a shift politically and culturally toward deregulation. In the Gartner CEO survey, regulatory risk was ranked as the number one business risk, and in the Gartner Forbes Board survey, risk management, legal and compliance were areas least likely to be cut. The hiring trends reported in this CFO article bear out that demand for risk management and compliance professionals is very strong.
Six Finance Jobs Ripe for Hiring in 2013 (via CFO.com)
Hiring | February 05, 2013 | CFO.com | US What finance positions in the financial services industry will be hot in 2013? While economic and political uncertainty held back job growth in 2012, this year hiring activity is expected to be strong in six areas in particular, according to a new report from…
Category: compliance, Legal IT, Risk Management
by French Caldwell | January 30, 2013 | Comments Off
I’m on the road this week — first Boston for client visits and then PwC’s industry analyst summit, and now New York for a day at the LegalTech conference. What struck me most with PwC is how they were talking SMAC — the convergence of social, mobile, analytic and cloud technologies — what Gartner calls the Nexus of Forces. All the consulting firms are looking at how they can take advantage of this convergence and most are focusing on marketing as the buyer. What was different about PwC’s SMAC is that they see major dislocation for business models, and hence the opportunity for digital transformation engagements across the enterprise, not just with marketing. At the same time the Nexus is affecting PwC’s business model as well, and to grow they are focusing on how to take advantage of the consulting market consolidation.
Now at LegalTech, it’s easy to see that the legal profession is being hit hard by the Nexus. Technology vendors are responding to new social compliance demands, and the challenges of discovery of social media. And law firms are seeing emerging legal services, and a move toward do-it-yourself technologies for corporate counsel. But the bigger long term issue for corporate counsel and law firms is that SMAC technologies are changing the very way that people engage with corporations and governments, and hence corporate business models and systems of government must rapidly change or they will fail. This is a major challenge for corporate counsels whose basic role is to ensure that their companies and agencies are in compliance with regulations and laws.
Complicating the matter is that corporate counsels are not well supported by the IT organization. A survey by Gartner and ALM showed that 80% of Chief Legal Officers say that the legal department has no formal support from the IT organization. This will only further complicate digital transformation for those companies, and inhibits the CLO’s ability to protect the company legally through a period of tremendous business disruption.
At Gartner, we’ve formed a collaborative working group of analysts who are looking at the challenges and solutions for legal IT support. This group is already producing research on legal IT support — storage and archiving, e-discovery, social media compliance, social risk management, enterprise legal management, GRC and more. And we look forward to working with CIOs and other IT leaders who are building the architectures to better support the CLO.
Category: Cloud, compliance, Legal IT, Social Technology
by French Caldwell | January 25, 2013 | 1 Comment
I’ve read through new draft guidance from U.S. financial services regulators on the use of social media. What struck me most is that instead of taking a compliance and control point of view, it talks instead of risks, and the need to ensure that social media risks are included in your risk management program. That’s not to say that FSIs should take the guidance as merely advisory – as I learned in the Navy, a suggestion from a senior officer is an order.
So here are a few of the orders from the draft guidance:
- Although this guidance does not impose additional obligations on financial institutions, as with any new process or product channel, financial institutions must manage potential risks associated with social media usage and access
- The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing
- Financial institutions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate
- Components of a risk management program should include the following:
  - A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution
  - Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance
  - A due diligence process for selecting and managing third-party service provider relationships
  - An employee training program
  - An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party
  - Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance
  - Appropriate reporting to the financial institution’s board of directors or senior management
And the last sentence of the draft is a comprehensive mandate: “As with any product channel, financial institutions must manage potential risks to the financial institution and consumers by ensuring that their risk management programs provide appropriate oversight and control to address the risk areas discussed within this guidance.”
What this all means for FSIs is that in the next couple of years, you will have regulators examining your social media risk management programs. Sure, right now they’ve got plenty to keep them busy – Dodd Frank is only about a third done. But let’s not forget, there’s a new kid in town, the Consumer Finance Protection Board; in the social media risk area they don’t face a lot of competition from other regulators – what a great place to carve out quickly some new turf.
CIOs, start working now with your legal counsel and government affairs to draft your comments. And for Gartner clients, I’d recommend that before you submit the comments, you run them by us. My colleagues Stessa Cohen, Carol Rozwell and Andrew Walls and I, who are tracking social compliance and risk management, would be pleased to talk with you and provide our feedback.
Some Recommended Reading:
- Gartner Fellows Interview With Patricia Flynn, Vice President at Fidelity Investments: Managing Social Media Compliance
- Social Media Best Practices That Deliver Bank CEO Priorities
- Use Gartner’s Social Business Program Maturity Model to Plan Your Next Move
- Security Tools for Control of Social Media Usage
Category: compliance, public policy, Risk Management, Social Technology
by French Caldwell | January 23, 2013 | Comments Off
“I have seen war…. I hate war.” Whenever I see this FDR quote at his memorial in DC, I unwillingly substitute the word ‘e-mail’ for ‘war.’
I have seen e-mail. It’s blunt force and unwieldy – it turns brilliant discourse into foggy stew.
It’s the default when your processes don’t work.
It’s a panacea for our shy natures – we don’t have to talk to anyone.
It enables procrastination.
It helps us pass the buck – by sending an e-mail we claim we did something, when in fact we did nothing.
I could go on about all the negative sides of our nature enabled by e-mail, but I’ll spare you.
I hate e-mail.
What made me think of this today was a long e-mail string that started with some comment on a McKinsey Quarterly interview of KM guru, Don Tapscott. Dr. Tapscott wants us to use social and collaboration tools, instead of e-mail — which is fine, and for team project oriented work is well proven and perfectly acceptable.
But like it or not, and I don’t like it, e-mail is the default social collaboration tool for most workers these days, and that’s not likely to change even with the advent of social media — in fact, don’t most of us look at social media after we get an e-mail telling us that someone commented or poked us? Well, there ya go, folks.
Category: Social Technology Tags:
by French Caldwell | January 9, 2013 | Comments Off
It could be awfully confusing to try to make sense out of today’s FT. A front page article highlights that the US is headed toward energy independence, which is a boon to energy intensive industries — heavy manufacturing, high tech manufacturing, petrochemicals, and even IT services. On the other hand, a lead opinion piece touts Big Data, not Big Oil, as the salvation of American manufacturing.
So, which is it? It really depends on what you might see as the fundamental economic problem facing the US. Stratfor’s CEO George Friedman published a heartfelt piece yesterday on the crisis of the American middle class. In it he clearly differentiates between economic gains, which the FT piece on Big Data highlights, and the prosperity or lack of it for the middle class. Friedman convincingly illustrates that what’s good for the economy is not necessarily good for middle class workers and families.
The application of Big Data to manufacturing and supply chains can help to make American manufacturing more competitive, mostly through ongoing gains in productivity. For workers who keep their jobs in the next Big Data-led productivity push, that’s great, but productivity gains often lead many to lose their jobs. And it may even help to bring some manufacturing back on shore, which is good for the economy, but as highly automated as repatriated manufacturing can be, it is not necessarily a big job booster.
On the other hand, lower and more stable energy costs have a direct impact on the bottom line irrespective of productivity. Bringing supply chains closer to home and to low-emission, low-cost natural gas energy sources will enable gains in well-paid manufacturing employment as well as in sustainability performance. My colleague Stephen Stokes predicts: “By 2016, 60% of global manufacturers will focus on the upstream supply chain for sustainability reporting, analysis and performance improvement.”
And new jobs start with the exploration and production of natural gas and oil in regions like the Great Plains and the Midwest that were hit hard by economic shifts over the last several decades. With lower energy costs, and sources of energy close to traditional centers of manufacturing, the US middle class will indubitably benefit, starting at the pump and continuing with gains in employment.
Big Oil trumps Big Data, right? Not quite. With lower energy costs, US CIOs will see the economics of offshoring shift as well. Offshoring has already been hit by higher wages in developing economies, and now, with the US having a competitive differentiator on energy costs, data processing and storage could shift back to the US as well. While there is not a lot of correlation between the location of data centers and the analysis and application of Big Data, offshore centers enable developing economies to develop higher-value IT services like Big Data analytics. Lower energy cost in the US could slow that trend, enabling the US to maintain a significant lead in the analysis and application of Big Data.
Within manufacturing sectors, we could see the development of a synergistic relationship between Big Oil and Big Data — the former lowering the cost of doing business in the US and re-invigorating the middle class, and the latter driving ongoing gains in productivity and innovation enabling ongoing economic gains — a virtuous circle of Big Oil and Big Data.
Category: Applications, public policy, Strategic Planning
by French Caldwell | January 4, 2013 | 1 Comment
Wow — less than two years to settle the Google antitrust case. Remember the Microsoft antitrust case — it seemed to drag on forever.
One difference here is that the Google case was handled by the FTC, which has become the de-facto consumer information technology industry regulator. At the time of the Microsoft case, there was no regulatory regime for the IT industry, and in fact Microsoft was just establishing its Washington based government affairs office. Today both Microsoft and Google have large government affairs organizations, and they are involved heavily with several IT trade associations and other Washington (and Brussels) based lobbying and industry groups.
In 1999 when I joined Gartner the idea that the IT industry would be heavily involved in and impacted by public policy was radical. Yet, I got the support of many of my colleagues to form the Technology and Public Policy research community. That community produced a lot of early Gartner research on public policy, the last of which was a special report when President Obama first took office. The community was also the foundation for the Risk Management and Compliance research community which took off like a rocket after Sarbanes-Oxley and continues this day as a vibrant thought leadership community in Gartner.
Today, the idea that CIOs and enterprise architects should consider public policy and the regulatory environment in the development of their strategies and execution of major IT initiatives is commonplace. Planning and budgeting professionals often incorporate the idea without even having to explicitly think about it anymore. The same is true of Gartner research. In 1999, the terms compliance, regulatory and risk management were rarely found in Gartner research; now they are commonplace even among analysts who are not regular participants in the Risk Management and Compliance research community, which by the way has expanded to the point that it is now many research communities: Risk Management, Compliance and Legal, IT Audit, Privacy and BCM. None of those existed in 1999.
But what triggered this post is how quickly the Google case was settled. Partly it was due to the FTC handling the case instead of the DoJ — so there is acknowledgement in Washington that the FTC has purview over the consumer facing IT industry. This acknowledgement goes a long way in establishing the long term regulatory regime for IT, but it is by far not conclusive. Two major issues for IT regulation in the U.S. remain outstanding — cybersecurity, particularly as related to critical infrastructure protection, and consumer privacy. These two issues butt up against another area of IT regulation that has also been conclusively established — that is national security, the government’s right to snoop.
by French Caldwell | January 3, 2013 | 1 Comment
I had a good discussion with Erik Heidt today about IT GRC management tools. We were talking about why there is an IT GRCM market that is distinct from the EGRC platform market. It’s clear that there is a separate market — vendors like Agiliance, RSAM, Lockpath and Modulo are IT GRC specific. The buyer tends to be an IT security buyer. But are the buyers of IT GRCM applications getting anything for their money that they can’t get from other tools? And what are they getting? With EGRC platforms you get the same functionality for policy, compliance, and risk management that you get from an IT GRCM tool. As for monitoring of automated technical controls, the most visible differentiator between IT GRCM and EGRC platforms, aren’t SIEM applications better at that? Plus, it seems most buyers of IT GRCM don’t integrate with automated controls anyway. So, is the only real difference between IT GRCM and EGRC platforms that the former is a security-specific play and the latter is a multi-team, cross-enterprise play? If that is so, then as IT security buyers start using tools that also support other enterprise users, the IT GRCM best-of-breed market could slowly die.
Paul Proctor and Erik Heidt are both working on research around the IT GRCM market — it will be interesting to see what they discover about the future for IT GRCM.
Category: Applications, compliance, Cybersecurity, GRC, Risk Management
by French Caldwell | December 31, 2012 | 1 Comment
At the Gartner Symposium in Orlando, I found just about every one-on-one meeting with attendees and Gartner clients could be boiled down to “things just aren’t working right in my organization.” I found that instead of engaging in discussions about the GRC vendors I cover, I was providing leadership counseling. Fortunately, I had just read David Marquet’s book, Turn the Ship Around.
In the interest of full disclosure, I’ve known David since 1989 when he and I reported aboard the USS Will Rogers, a fleet ballistic missile submarine, or boomer. I was the XO and he was Chief Engineer of the blue crew — boomers have two crews so the missiles can remain hidden under the sea as much as possible. At that time, the Will Rogers blue crew was facing tremendous uncertainty — they had flunked a key nuclear weapons examination and had to be re-certified before they could go on another missile patrol, and the skipper was going to admiral’s mast over a collision with a trawler. I fully expected the skipper to lose his command, but he was retained. The next two years were life-changing for a lot of people in that crew, including David.
When David earned his own command, the USS Santa Fe, a nuclear attack submarine, he vowed to apply a new style of leadership — one in which every crew member is a leader. I am going to say without humility that the one lesson I passed on to David is to stand by first principles no matter what. And I was glad to see that in command he did just that. What’s interesting is that the doubters and the resistance to his principles of leadership were not his bosses. His squadron commodore and the commander of the submarine group were fully supportive. Rather it was middle management, the chief petty officers, that resisted and at times caused David to doubt his own leadership principles.
Yet David survived his own self-doubt, his chiefs became fully vested leaders, and Santa Fe went from worst to first in the course of a year.
So how do you turn your organization around in a year? You can’t — but your people can. Study after study shows that when employees are engaged and they believe in the goals of the organization, then companies actually see their valuations increase. The real challenge is getting those very employees to believe that things will be better if they truly take responsibility — and that’s the magic in this book.
While there are many business books that describe strategies for gaining employee engagement, what’s really different about this book is that David ends each chapter with practical action items and workshops that you can use in your organization, whether that organization is a small IT shop or a global mega corporation — or even your son’s or daughter’s scout troop committee. This book is about creating employee, team, and volunteer leaders, no matter what the organization.
The only downside to the book is a dearth of parallel examples from the business world. Perhaps if readers take on the lessons learned from David’s experience, in his next book he’ll have many examples to share.
And as for my advice to clients on governance and leadership, research areas into which I’ve been pulled by Gartner colleagues and clients, you can bet that when we talk, I’ll suggest that you read David’s book – so why not read it now and then let’s talk.
Happy New Year!
Recommended Gartner Reading: Maverick* Research: Socially Centered Leadership