The GRC software market has several different sections, ranging from full-fledged integrated GRC platforms to specific point solutions, and each of these can help a company deal with many different problems or tasks. The joining point of all of these different products is that they help answer the questions that the caveman asked eons ago: “How best to manage risk?” and “How best to integrate these risk management solutions into a productive business model while maintaining corporate integrity at the highest regulatory levels (direct translations from cavemen are rarely this coherent)?”
I am what you might call a late bloomer. It took a while, but I finally feel like I’m coming into my own with this whole “being a professional” thing. I share this because in my early days as an internal auditor I didn’t really grasp the concept of why we were doing what we did, let alone how we were helping drive a risk-focused culture in our organization.
Onspring recently conducted a survey, reaching out to audit professionals to find out about future trends in the internal audit field. Putting together tangible questions that deliver concrete results on current practices in internal audit and risks that may impact the field in the future was our target, and that was accomplished.
In my role leading the Solutions team at Onspring, I have the distinct honor of being one of our company’s primary storytellers. When your primary responsibility is helping clients piece together the various, individual aspects of their GRC programs—risk assessment software, compliance and control, and other solutions—into a compelling narrative about the overall health of the organization, you quickly realize that this analogy is apt.
The concept of a risk management system—what it is and consists of—is something that is often misunderstood or misinterpreted. A big challenge many companies face is evolving the management of their risk and dealing with it properly as it changes. While risk itself is a recurring instance for most companies, the problem is not just dealing with different risks, but having a universal definition of what they are and also specifically having a risk identification plan.
When our customers are establishing ERM and Policy Management programs within Onspring, the question of “who owns these risks/policies/controls?” comes up time and time again. Unfortunately, finding the right people to own process-level or content-level items can be quite challenging.
One term you’ll hear while standing around the water cooler with a bunch of risk management professionals (don’t we all?) is risk register. The basic definition is simple: A repository of all risks that could impact a project, a legal entity or an entire enterprise. But when you get beyond the basic definition, you’ll find plenty of variation in the details. To gain a better understand of what a risk register is, why it exists and what information it should contain, I interviewed Evan Stos, a GRC consultant who has helped more than 60 Fortune 500 companies gain control of audit, risk, compliance and information security processes. Here are a few insights from our conversation.
Managing relationships with third-party providers is a major concern in the banking, healthcare, retail and tech industries…and beyond. We’ve gathered recent news, insights and opinions on vendor risk management, contract management, third party assessments and more. Help yourself to this week’s reading roundup!
We love it when clients use our platform in creative ways. Mark Barak, general counsel at Aronson Security Group (ASG), is a prime example. He started using Onspring in 2016 to manage legal matters, but when a need arose for greater efficiency and visibility in the company’s partner relationships, Mark put the platform to work in new ways.
One thing is certain: the unexpected will occur. Storms will pop up and our skills and coping mechanisms will be tested. Organizations must identify where they are exposed, apply an appropriate response for addressing the risk, and implement a mechanism to constantly monitor and reassess the risk and their response to it. Otherwise, we risk getting stuck by the side of the road in a driving rain.
When I’m asked the “How do you compare?” question or one of its many derivatives, I simply respond as follows: “To be honest, I don’t really have any experience with Product X, and anything I’d tell you would just be hearsay, so I can’t honestly make that comparison. Instead I’d like to hear about your goals and objectives so we can figure out a way to leverage Onspring to help you accomplish them in the best way possible.” Period.
When you develop software, there are many stages of the design phase that are highly critical to the final product. Too often, companies are in a rush to push feature releases or changes to their products that are “box checkers.” They’re trying to compare themselves to a competitor in a favorable light, without actually thinking about the problem in depth, or not considering things such as long-term performance and usability.