French Caldwell

A member of the Gartner Blog Network

Entries Categorized as 'GRC'


A Revolution in GRC Affairs at Gartner (or burning the EGRC mq)

by French Caldwell  |  February 4, 2014  |  3 Comments

Gartner’s coverage of vendors in the GRC marketplace is about to change.  The main reason for the change, as noted in the most recent Enterprise Governance, Risk and Compliance Platforms Magic Quadrant, is that GRC solutions buyers are shifting away from a platform-centric approach to one focused on targeted solutions for specific use cases. A […]

Categories: Applications, compliance, GRC, IT Governance, Risk Management

New FFIEC Guidance on Social Media Risk Management Effective Immediately

by French Caldwell  |  December 13, 2013  |  1 Comment

The final guidance from the FFIEC on social media risk management for financial institutions has been promulgated. It is effective immediately. As I mentioned earlier this year, regulatory guidance of this sort is not optional. I did a study recently on the public comments for my doctoral program in law and policy at Northeastern University– […]

Categories: Cloud, compliance, GRC, public policy, Risk Management, Social Technology

GRC Will Be a Performance Platform

by French Caldwell  |  May 1, 2013  |  1 Comment

I just returned from the MetricStream GRC Summit in Las Vegas where I presented a keynote on risk management and performance.  The summit was very well planned, organized, and executed.  The speakers and panel participants talked not just theory but provided practical examples of the benefits and challenges of using GRC technologies to improve their […]

Categories: GRC, Risk Management, Uncategorized

Will IT GRC Begin to Die This Year?

by French Caldwell  |  January 3, 2013  |  1 Comment

I had a good discussion with Erik Heidt today about IT GRC management tools.  We were talking about why there is an IT GRCM market that is distinct from the EGRC platform market.   It’s clear that there is a separate market — vendors like Agiliance, RSAM, Lockpath and Modulo are IT GRC specific.  The buyer […]

Categories: Applications, compliance, Cybersecurity, GRC, Risk Management

A Really Helpful Regulatory Change Tool

by French Caldwell  |  October 26, 2012  |  Comments Off

One of the questions I get all the time is, “Where can I find what regulations apply to me?” I talked this morning to Fred Diers, who has created GRMpedia, which tracks regulations and their retention and reporting requirements. Regs tracked include marketing, finance, research and development, EHS, contracts, leases, IP, governance, HR and others. […]

Categories: compliance, GRC, public policy

The Risks Are Always Greener on the Other Side

by French Caldwell  |  October 24, 2012  |  Comments Off

I’m here at Orlando Symposium talking to a good colleague, Neil McDonald, and I ask Neil, “Why don’t IT service providers, who complain so much about the intrusiveness and costs of customer inquiries, inspections and audits of their security controls, just provide their customers an IT GRC dashboard?  That way customers can see for themselves […]

Categories: Cloud, GRC, Risk Management

Oh, Michael — Your Rant ….

by French Caldwell  |  October 10, 2012  |  1 Comment

Dear Michael – Good to hear from you.  Thanks for sending me your latest blog post.  I have to say though that when you rant you really do go ballistic — you want to throw six months of my work on the compost pile — ooh, that hurts.  But I get it, it’s not me; […]

Categories: Applications, compliance, GRC, Risk Management

Time to Stop Misusing SSAE 16 in Vendor Marketing

by French Caldwell  |  October 9, 2012  |  5 Comments

Some vendors and their auditors appear to be misusing SSAE 16 the same as they did SAS 70. For example, today I saw an announcement from security vendor Prolexic with the headline, “Prolexic Completes SSAE 16 Examination for Distributed Denial of Service (DDoS) Attack Mitigation Services.” SSAE 16 (aka SOC 1) like SAS 70 before […]

Categories: Cloud, compliance, GRC, Standards, Vendor Contracts

Things That Go Boom — Safety Second!

by French Caldwell  |  August 13, 2012  |  Comments Off

Living inside the capital beltway, you meet all kinds of people that have jobs that just don’t have any equivalency anywhere else:  Like the lady I talked to last week who provides advice on safety issues associated with the modernization program for the nation’s nuclear weapons stockpile.  I mentioned to her a recent GAO report […]

Categories: GRC, public policy, Risk Management, Strategic Planning

Global CEO Survey Reveals Regulatory Uncertainty and Operating Margin Challenges

by French Caldwell  |  March 22, 2012  |  Comments Off

Gartner conducted a global survey of CEOs and other senior executives concerning their business objectives, investment priorities and challenges. Some of the results related to risk management and compliance include: Regulation (22%) is ranked as the biggest business risk. Respondents also mentioned a wide variety of other business risk categories, most of which were related […]

Categories: compliance, GRC, Risk Management