As someone who has worked with auditors for over a decade implementing software to help streamline their audits, I can undoubtedly say that the auditor stereotypes are mostly untrue. First off, I’ve met several auditors that I would consider “glass half-full” people; the kind that would be more likely to say, “What would we do if Karen won the lottery and quit?!” rather than “What would we do if Karen got hit by a bus?!”
About Evan Stos
Evan leads the professional services team for Onspring solutions.
Entries by Evan Stos
When GRC platforms started becoming a “thing” in the mid-2000s, there were only a few major players in the market. They focused primarily on IT: whether it be controls, policies or risk management. Additionally, with the Enron and Worldcom scandals, SOX and its myriad of financial reporting controls quickly became platform offerings as well. As the market started expanding quickly at the turn of the decade, the concept of “eGRC”, with the “e” standing for enterprise, swept the landscape. Why settle for managing IT processes when many of the tools were capable of managing an entire organization’s Governance, Risk and Compliance frameworks? The natural progression had begun.
Whether you follow ISO 27001 or a NIST framework, ensuring that you are employing the proper policies and frameworks is essential. Skipping regular assessments could cause major, unsustainable damage to your business. Having the right platform to help you organize all of the policies, risks and other pertinent information (trust me, there’s a lot) is just as essential.
Being a project manager (PM) can be a tough gig; when everything is going fine, you may, at times, be viewed with disdain: a mere “meeting scheduler” who collects status updates from the key stakeholders and SMEs, reporting them upwards. When everything isn’t going fine, you are in the crosshairs of everyone: the key stakeholders, the SMEs and the higher-ups you report to.
So how do you filter out the noise of bad reviews? By going back to basics: If you know someone who is using or has used a product you’re looking at acquiring, ask them how they like it. Here at Onspring, we’re always happy to refer potential customers to existing ones, even if what is shared between them isn’t 100% sunshine and puppy dogs when it comes to our product.
Sometimes a little pain still brings big gain. Be it football or GRC platforms, rough and bumpy opening scenarios don’t mean you won’t have future success.
When our customers are establishing ERM and Policy Management programs within Onspring, the question of “who owns these risks/policies/controls?” comes up time and time again. Unfortunately, finding the right people to own process-level or content-level items can be quite challenging.
Clients often think that moving from one platform to another is “scarier” than moving from spreadsheets into a platform. But the reality is, the spreadsheet-to-platform conversion is usually more onerous! Evan Stos demystifies the platform-to-platform migration process in four simple steps.
Getting help with software implementation from trained experts is great. But what happens when the consultants are gone? Will you be equipped for success? Evan Stos shares three helpful tips for becoming self-sufficient and “owning” your solutions right away.
Too many decision makers purchase a tool based on the fact that it “can” automate GRC or other business processes, not on “how” it does so for your organization. A volume-maximizing shampoo will indeed clean your hair, but beware the unintended consequences.
I have a running list of recurring phrases in GRC (there are quite a few), and I’d like to share two of them with you: specifically, my favorite and my least favorite. And since I think I read somewhere that it’s always better to lead with bad news (or maybe it was the other way around?), I’ll start with my least favorite: “What are other people doing?”
An application built into a GRC platform to facilitate a business process will never truly be “finished.” When you first implement a business process, think of it like you would a software product. What you just implemented is essentially “version 1.0.” Over time and through repeated end-user exposure, users will request updates. Some of those updates will be minor, like adding a value to a dropdown list, and some will be major, like completely overhauling users’ access.