The New Year would probably still be a time of starting anew with a fresh perspective – but towards the end of the old year …?   Perhaps at work instead of having office parties and passing presents around, we’d be totaling up all the things we did not get done.  It would be kind of a sourpuss period of self-loathing and regrets at work.  Instead thanks to Christmas, we pass around secret Santa gifts, take off early to get to our kids’ Christmas pageants, eat lots of sweet stuff, drink too much, and say and do things that hopefully in the joy of the season our friends and colleagues forgive us for by 2 January.

Well, I’m having my office party this afternoon – I’ll get together with a couple of neighbors who also work at home, and we’ll go chug some mocha frappuchinos at the local Starbucks, while looking forward to Sunday, Christmas Day.  Home with family, friends and relatives celebrating a birth 2000 years ago.  Peace, Hope and Love to all.

The events today are an inflection point in social e-governance.

In my presentations on the Six Critical Uncertainties, I’ve said for years that social e-governance is the most pressing IT-led  issue of our time.  The political process is meant to resolve or at least manage public policy issues, but due to the rapid adoption of social technologies for organizing on public policy issues, the old political and governmental institutions for dealing with emerging public policy issues are eroding before our very eyes.  The legacy political process is not failing because it doesn’t work, but rather it’s failing because the traditional institutions for managing emerging social issues – political parties, oversight hearings, the traditional media, regulators, etc – are being bypassed by networks that are much better at organizing through the use of social media and social technologies.  Here’s an interesting account of the OWS protests today: http://www.businessinsider.com/live-occupy-wall-streets-early-morning-march-on-the-ny-stock-exchange-2011-11 And here’s the OWS site, where they even streamed live video feeds of the protests today: http://occupywallst.org/

And it’s not just OWS – social technology enabled groups like the Tea Parties and MoveOn have taken over from the political parties the mobilization of voters and political fundraising – so much so that the political parties are really not much of a resource for a candidate these days.  One group, AmericansElect, is trying to bypass the presidential primary process, which if successful will suck out what wind remains in the political parties: http://www.americanselect.org/

By the way – for those who haven’t seen them before, here are all of the six critical uncertainties:

• Trust in the Connected Economy
• The Pace of Globalization
• The Regulation of Cyberspace
• The 5^th Generation of Warfare
• Social E-Governance
• Sustainability

Everyone alive today has a stake in legacy political processes – the question is, how will they adapt?  Or will they?

Got big data problems?  Got cloud angst?   Just put all your worries in a big iron box.  At least that’s what I took away after two hours of keynotes from Oracle and EMC executives this morning.   Big data and the cloud are euphemisms for huge information management and business challenges, but listening to the keynotes, you’d think it’s just a technical problem.  The proliferation of vast amounts of unstructured content and a revolution in IT provisioning models, and even digital dependent revenue streams are not issues to be trifled with.  But at the opening of Open World, the dumbing down of these challenges is exactly what happened.  The vision communicated is that the solution is that you can put it all in a big data box, or a BI machine.

Argh!!! — what has happened here?  Where’s some vision for businesses who need better analytics, better understanding of rapidly changing business environments in an uncertain economy, and definitely better advice on the business challenges and opportunities of emerging technology.

This concern dates back at least to the Enron failure, in which senior Enron executives and auditors from Arthur Andersen colluded to misrepresent Enron’s earnings.  In the aftermath of this and other corporate scandals ten years ago, Sarbanes-Oxley was enacted.  Ernst & Young, KPMG, and PWC divested themselves of much, but not all, of their non-audit advisory and consulting services.  Deloitte did not, and in many cases continued to do both audit and consulting work for the same clients.  Over the last four years, E&Y, KPMG and PWC have re-built their consulting arms.  Core audit work represents about 50% of Big Four revenue with the rest made up mostly of consulting and tax advisory.

Regardless of the merits of firms providing non-audit consulting and advisory services, or the merits of prohibiting them from doing so, the public policy concern over the independence of audit firms is real.  The financial crisis increased the public distrust of audit firms, who rightly or wrongly are blamed for not raising red flags about the practices of their financial services clients.

So how truly independent are your auditors?  Are they doing non-audit advisory or consulting at your firm?  In customer reference checks  of Big Four firms who provide enterprise GRC consulting, I found that in some cases  Big Four firms were doing both consulting and auditing.  Also it was common for a Big Four firm to be engaged on the basis of a recommendation from one of the client’s executives or board members.  Competition was not as common as an engagement originating from relationships — which certainly raises a question of independence, but not necessarily collusion with the auditors.

However, if you are concerned about conflicts of interests for your audit firm, real or perceived, there is a simple check that you can do.  Ask the senior audit partners to disclose in writing whether any part of their compensation or bonus, or that of other partners and managers on the audit team, is based on the non-audit work that their firm does or could do for your enterprise.  If any of their compensation or bonus is based in part on non-audit work, no matter how much you, senior executives or board members like the firm, simply don’t engage that firm for non-audit work.  And put that practice into written corporate policy.  That way, your auditors will be focused objectively on your audit, and not on trying to help grow the consulting work.

http://www.reuters.com/article/2011/09/24/us-ubs-idUSTRE78L7IB20110924

This is a complete turnaround from his first statement where he said it was not his fault – but good on him. Mr. Gruebel is setting the right tone for his peers – that’s good leadership, even though it follows folly.

After Tony Hayward saying he wanted his life back and Rupert Murdoch blaming everything on his minions, Mr. Gruebel’s decision to step down deserves some admiration.  He’s raised the bar for other execs — there are dire consequences to your career if you captain a ship that runs hard aground.

And as soon as I got back in the office, I saw a news article about GlaxoSmithKline’s $750,000,000 settlement with the Department of Justice — and the whistleblower got $96,000,000! Such a large payout to a whistleblower is unprecedented, but under the new Dodd-Frank rules, it will become the norm.

So boards now have massive incentives to pay attention to ABC compliance.  I expect much more emphasis from legal departments on getting the IT organization involved with technologies that can monitor automatically for potential violations of ethics policies, and Legal GRC solutions which can help corporate compliance officers and general counsels better manage their ABC compliance.

There will be more on this new ABC role for the IT organization in future Gartner research, including an update to the 2009 Hype Cycle for Legal and Regulatory Information Governance which should publish in the next couple of weeks.  In the meantime, check out the 2010 Hype Cycle on Regulations and Related Standards for the impact of regulatory risks, and the 2010 Hype Cycle on GRC Technologies for the broad view of technologies being applied for risk management and compliance.  I’m also seeing more interest from legal departments in Enterprise GRC Platforms which can help corporate compliance officers and general counsels to track the impact of regulatory changes and ensure that employees and business partners have attested to ABC and ethics policies.

1. Common Cloud Controls: These are mature control areas associated with traditional IT
services environments that are also applicable to cloud-based services, and whose audit
mechanisms are considered mature.
2. Delta Cloud Controls: These are higher-risk control areas that have particular relevance to
cloud environments, and whose cloud audit mechanisms are less mature.

In the new guidance, BITS also provides assessment considerations for Delta Cloud Controls in 12 categories:

1. Multi-Tenant Platforms
2. Multi-Client Prioritization
3. Agile Delivery
4. Virtualization
5. Data Location, Cloud Layers and Cloud Providers
6. Cloud Management: Roles and Division of Responsibilities
7. Contracts, Data Privacy and Jurisdictional Issues
8. Identity and Log Management
9. Web Application Security
10. Cloud Vendor Interdependence and Governance
11. Data Retention, Management, Recovery and Destruction Cycles
12. E-Discovery and Forensics

This work by BITS complements the Shared Assessments Program which provides overall guidance for evaluating risks of traditional and cloud service providers.  It should go a long way to enabling effective risk assessments of cloud services, thus beginning to lower the biggest market barrier for cloud providers.  BITS makes no claims that this new cloud risk evaluation guidance is exhaustive, but it’s a good start, and enterprises should use this new guidance as an element of their cloud strategies and vendor risk management efforts.

But something is happening along the way — since so many activities have a direct tie-in to corporate governance — and what doesn’t — there are more and more functions that the enterprise GRC platform needs to support.  Some of the vendors are moving into the IT GRC management area — and you can see several of them in the Gartner IT GRCM marketscope.  Others are adding more quantitative analytics to engage more directly with both the financial services market and meet the increasingly sophisticated needs of risk management professionals in all industries.  Being able to report risk-adjusted business performance is encouraging the ERP vendors and even best-of-breed vendors to add performance management capabilities, and the related emphasis on business process is reflected in GRC offerings from BPM vendors.  Demand for advanced reporting is driving GRC vendors to integrate their offerings with leading BI vendors, and for leading BI vendors to advance their own positions in the GRC market.  Vendors are also adding boatloads of specialized capabilities such as vendor risk management, business continuity planning, and industry specific compliance.  Content is also becoming a significant differentiation, and the three major content services vendors have GRC software strategies.

A big question for the future of this market is can the vendors satisfy multiple buyers — internal audit, enterprise risk management, corporate compliance, finance, IT, legal, and the board — on a single platform.  The vendors in the 2010 Enterprise GRC Platforms Magic Quadrant each have strengths in how they are approaching this challenge.   Still, no single vendor meets all the market challenges, and since the market continues to get more demanding, none are likely to do so for some time yet.   So, there remains the prospect that the market could split along key differentiators such as quantitative capabilities, content services, and buying-center-specific characteristics.

Which raises once again a question John Hagerty and I asked in the first take on the IBM-OpenPages acquisition. Is the market splitting? Here on one side are TR and WK, using EGRC as essentially a knowledge management platform to deliver their content services to GRC professionals, and on the other hand you have IBM, SAS, Oracle, SAP and some of the smaller best-of-breed vendors like BWise, Cura and Strategic Thought trying to deliver both a platform and risk analytics to GRC professionals. And in the middle you have several vendors who have neither an analytics nor a content services focus, but who deliver a good platform for managing GRC programs.

The GRC platform strategy depends upon multiple buyers within a company agreeing to use a common platform.  In that regard, it would seem that buyers who want better content services and those that need better analytical tools would look for vendors that offer both — the note that Dan Miklovic and I wrote on this topic, Combine Content and Workflow to Optimize a GRC Platform, a few months ago comes to mind.  Notably TR and WK have left their primary analytics tools outside their GRC business divisions, so they appear to have consciously decided not to compete with the BI vendors who are in the GRC market on that basis.  Notably LexisNexis does not really have a strong GRC platform play at the moment, leaving them open as a potential partner for those EGRC platform  vendors who are pursuing an analytics strategy but who also would want to pursue a content services strategy.  Or maybe LexisNexis would acquire — stay tuned.

Very few enterprises truly evaluate their risks — rather they take a list of risks common to their industry and just have a tabletop discussion once a year or once a quarter. However regulators are pushing companies to get more serious in their risk management programs.

In talking with clients, I’ve come up with five characteristics of a good enterprise risk management program:

1. Risks are derived from business goals and objectives
2. A framework guides a common approach across the enterprise
3. Risks, including IT risks, are communicated in terms of their impact on the business
4. There is operational support for risk management and accountable ownership of risks
5. There is a business process approach to risk management technology