Category Archives: Technology

Integrated risk management

Integrated risk management, 2020, key findings

In 2020, The Risk Management Association and FCInsight conducted a survey of risk management, compliance, audit, and other business and GRC leaders on the state and maturity of integrated risk management (IRM). 272 risk management, compliance, audit, IT, GRC and business professionals qualified for the survey. Of those, 180 were in banking and financial services and 171 of those were members of the Risk Management Association. 92 respondents were from industries other than banking and financial services.

Considering the potential for different perspectives on IRM, the findings and results were reported in separate sections for the banking and financial services vertical and other industries.

Key findings for banking and financial services

  • 74% of respondents report they are integrating risk intelligence into business activities
  • Strategic planning and strategy execution are top objectives for IRM
  • Most respondents spend 25% or more of their time on ERM – true for all seniority levels
  • Respondents rated IRM as relatively mature, but only 12% were optimizing IRM
  • Business intelligence applications are more commonly used than GRC technology in IRM initiatives

Key findings for non-financial services industries

  • 66% of respondents report they are integrating risk intelligence into business activities
  • 80% report strategic planning as a top objective for IRM, but only 45% report strategy execution as one
  • Most respondents spend 25% or more of their time on ERM – true for all seniority levels
  • Respondents rated IRM as relatively mature, 16% claim to be optimizing IRM
  • Business intelligence applications are just as likely as GRC technology to be used in IRM initiatives 
  • The use of BI and GRC tools did not correlate to greater IRM maturity

Iowa caucuses and the Shadow app: A lesson in critical infrastructure

On Monday 3 February 2020, Iowans caucused at almost 1700 precincts across the state to select their preferences among presidential candidates.  Three days after the Iowa caucuses, the final tallies for the Democratic presidential candidates remained incomplete.  The popular press blames a technical glitch in the Shadow app, but accountability resides with party leaders and the Shadow app executives who allowed technology that had not been previously fielded nor fully tested to be deployed as critical infrastructure.

Connecting the last mile of finance at Workiva Amplify

Key takeaway: Connecting financial close and compliance can help to relieve congestion in the last mile of finance, saving days or even weeks in producing financial disclosures.

Workiva Amplify was a hands-on summit. The majority of sessions in this 17-parallel-tracks summit were hands-on sessions with Workiva, and they were packed. And the attendees were younger than other conferences I’ve participated in over the years — not counting Scouting jamborees. I’ve been to conferences with a lot of buzz, but a conference of auditors, financial managers and compliance professionals with so much energy — I haven’t experienced that before.

Energetic attendees at a concert one evening
Photo: Workiva

… some companies lock up the key members of the accounting staff on the entire floor of a hotel room for a week

Throughout the summit, attendees were reminded of connected reporting, connected sheets, connected data, and linking. To get a handle on what Workiva means by “connected,” I attended a Workiva hands-on session on 10-K reporting.

For their 10-K preparations, some companies lock up the key members of the accounting staff on the entire floor of a hotel room for a week as they make the final changes of this critical report. Senior execs run room to room to make sure that everyone is in sync, and that changes made in one part of the report are also captured in other parts of the report. It’s a nightmarish week, and it’s also repeated on a smaller scale each quarter with the 10-Q reports.

Hands-on sessions were the most attended.
Photo: Workiva

In the hands-on 10-K session, the instructor took us through how to create hyperlinks throughout the document, like between the table of contents and various headings — ho, hum – I can do that in Word, right? Now, here’s what I can’t do so easily in Word — connected data. There are data links throughout the 10-K, and if I change the source data, it changes anywhere that data is used – and it keeps a record of those changes. So, let’s say I find an ERP data entry error in the accounts receivable of a measly $10 million. I correct that, and then it ripples through to anywhere that piece of data is used – perhaps in 15 different spreadsheets (Workiva calls them “connected sheets”), the 10-K, and even the presentation to the board.

… removing humans from boring, trivial tasks with cheap, smart integrations

No more do senior managers and executives chase down dozens of people to make sure they incorporate the change, and no more having to take out an annual lease of a couple of floors of a mid-town hotel for their sequestered accountants.  Plus, with all of this connectedness, data transfer errors are greatly reduced, thus reducing the chance of a misstatement.  I later attended a SOX reporting hands-on session – same thing.  This connected data and reporting made me think of the promises of robotic process automation (RPA), though, in the case of Workiva, the data and documents are either in the Workiva system or are connected through APIs, rather than an RPA tool.  Still, the benefits — removing highly educated humans from boring, trivial data transfer and manipulation tasks with cheap, smart integrations between enterprise applications — are the same.

The last mile of finance is the most congested…. It’s this last mile that Workiva is helping to run smoother.

A good friend at Gartner with whom I worked on several research projects, John Van Decker, called reconciliation, close and disclosure at end of the fiscal year the “last mile of finance.”  Running parallel to reconciliation and close in this last mile are the SOX and financial statement audits.  It reminds me of the most horrendous last mile on the Capital Beltway around Washington, DC, where the express lanes dump into the regular lanes just a mile short of the American Legion bridge crossing the Potomac from Virginia to Maryland.  It’s this last mile that Workiva is helping to run smoother.

And Workiva is not alone on the last mile challenge.  At Amplify, Deloitte announced a new strategic partnership with Workiva.  Speaking with Deloitte representatives, I learned that they are investing in building a number of targeted Deloitte-branded solutions on Workiva’s platform that they believe will further speed up the close process.

I’ve puzzled for years over why more GRC vendors have not invested in developing solutions for the last mile of finance, but for now, Workiva’s capabilities to link SOX compliance and audit to reconciliation, close and disclosure reporting, along with connected sheets and connected reporting, are a differentiator unique to Workiva in the GRC market.  Workiva would do well to invest in expanding its GRC capabilities beyond its basic SOX and audit solutions, and a very basic ERM application. With a broader GRC portfolio, Workiva’s internal linking capabilities could enable better connections between risk management, compliance, audit, third party management, IT security and other GRC functions.  And the linking capabilities to enterprise financial and performance management solutions could advance integrated risk management.  For instance, connecting performance management and risk management by linking KPIs and KRIs could bring critical insights to decision making on both the planning and execution of strategic business initiatives.

Note: Workiva did not pay for this article; nor did anyone else.  The opinions and observations in this article are mine alone and not necessarily the views of Workiva.


Trip report: Risk Summit highlights digital transformation and a tech start-up called PwC

On 27 and 28 March 2019, at PwC’s Risk Summit in Boston, PwC senior leaders and consultants in the risk assurance and consulting practices shared with their clients and over three dozen industry analysts their vision of how digital technologies are transforming both risk management and business performance.

Time to put technology at the forefront of your GRC strategy

Having just finished analyzing the data and writing the report on the triennial OCEG GRC technology strategy survey, I stepped into the family room to see that my wife was watching a recent episode of Amazon’s Grand Tour — the season 3 Mo’town Funk episode. Jeremy Clarkson was test driving this fantastic new McLaren Senna. 

Gatwick: attack of the drones

Authors – French Caldwell and Richard Stiennon

Key takeaways –

  1. Air transportation infrastructure is particularly vulnerable to non-lethal attacks by drones
  2. Regulatory controls alone will not stop drone attacks
  3. Attacks like the one at Gatwick this week are a serious reputational blow to the drone industry and rapidly growing drone control software and analytics vendor ecology

Smart mobs in Paris: let them be social

Key takeaways:

1 – With modern social technologies, political movements can coalesce in days, maybe hours

2 – The weak political center and struggling traditional political parties in France provide an opening for the emergence of more political movements enabled through social technologies

3 – Government leaders should be prepared with strategies to predict, engage, monitor, and respond to rapidly emerging political movements

Over the last three weeks, protests in France that were triggered by a new fuel tax and rising fuel costs have grown through social media to become a national movement.  Watching the yellow vests protestors break out into a violent mob in Paris, and the police response with tear gas and water cannons, reminded me of other protests over the last two decades that have been organized through social technologies.  The very first was the Battle of Seattle where protest organizers used text messaging and online bulletin boards – but that required months and weeks of preliminary planning. As we observe in France, with modern social technologies, political movements can coalesce in a few days, maybe a few hours.

Text me — killing Doha

The anti-WTO protests in Seattle in 1999 are the earliest documented application of social technologies in street-level activism.  In Seattle, protesters networking through cell phones and updates to online websites were able to outmaneuver police and shut down a round of trade talks.  The round of WTO talks that had led up to Seattle ended inconclusively with no agreement on the major issue of breaking down trade barriers between rich and poor nations.  The subsequent Doha round of talks, which began in 2001 and was scheduled to complete in 2005, picked up on the same theme of breaking down trade barriers between rich and poor countries.  However, ten years after the original deadline the Doha round was still not complete – the smart mob had killed it.

The Arab Spring — not quite social

With the advent of smartphones, social media combined with mobile technology, and Twitter was often identified as an enabling technology for street protestors in the 2011 Arab Spring protests.  However, credible research has shown that during the Arab Spring protests, most street activism preceded social media activity, rather than followed it – indicating that most people were tweeting and posting about the events they were seeing on television, rather than using social technologies to organize the protests.

Social technologies help political movements, but leadership still matters

Seattle in 1999 remains the benchmark for organization and execution of street activism using social technologies.  The yellow jackets in France have yet to demonstrate a similarly high degree of organization, and the protests could peter out.  However, there is a political vacuum in France, with both right and left mainstream political parties having been marginalized in the last elections, raising the specter of a weak center represented by President Macron and his “La République En Marche” party facing a population that has shown that it can self-organize through online and mobile technologies.

So far, Macron’s government has been ill-prepared to deal with a national political movement that appeared in a fortnight. In Macron’s favor is that the yellow vests have shown no cohesive national leadership; yet, that is also a problem for Macron since there is no legitimate movement leadership to engage.


Many government leaders treat social media as another public relations channel, like print and broadcast media.  Instead they should be looking at social and mobile data as a rich source of insights.  Government leaders can use social media analytics to predict, manage, engage and respond to rapidly emerging political movements, as follows:

1 — stress test proposed major initiatives and identify key indicators that can predict the range of societal reactions

2 – identify the people who are the primary influencers and engage appropriately and constructively with them as the indicators warrant

3 — monitor the indicators before and after the initiative is launched, and

4 — if people take to the streets, analyze the mobile and social data to guide the deployment of and response by law enforcement in ways that prevent or limit violence

5 – while mining and analyzing social and mobile data, ensure that policy and procedures to protect individual and group rights of assembly, petition, free speech, and privacy are followed


It’s not just about privacy — and Silicon Valley doesn’t get it

Key Takeaways:

1 – Silicon Valley and Washington, DC, are vying over which capital – the tech capital or the political capital — sets the public policy agenda.

2 – Americans are not so much worried about privacy as they are about Silicon Valley’s threat to their free will.

The SV-DC balance of power

I recently attended the Bloomberg Next Summit in Washington, DC, and during a panel discussion on the divide between Silicon Valley and Capitol Hill, Fred Humphries, Microsoft’s Corporate VP for US Government Affairs, made the statement that the technology industry has lost trust on Capitol Hill.  The panel, which also included Niki Christoff, Salesforce’s SVP for Strategy and Government Relations, and Michael Beckerman, President and CEO of the Internet Association, then went on to discuss the prospects of a U.S. privacy law.  Christoff boldly predicted that the next Congress will pass a national privacy law, and Beckerman agreed.  Beckerman added that it is not going to be another GDPR, but will be U.S.-specific.  Humphries offered a dissent, noting that there are many different business models in the technology industry, and these different sectors of the industry would each seek provisions that would impede other sectors, making it difficult to have a privacy regime that would apply across all of them.

Frankly, this panel’s immediate deflection to privacy as the issue that must be addressed to improve trust in the technology industry illustrates that Big Tech just doesn’t get it.  What’s dividing Big Tech and Capitol Hill is power – it’s a fight over who is going to set the direction of public policy for the country.  It’s not a fight that is peculiar to the U.S., but with the global capital of Big Tech being Silicon Valley, the balance of power between Big Tech and Big Gov in the U.S. has a huge impact on that balance in other countries, particularly in other democracies.

Free will, not just privacy is at stake

Certainly, Americans are concerned over their privacy.  According to Pew, 91% believe that people have lost control of personal information and how it is used, and 49% are not confident of the federal government’s ability to do anything about it.

But so what – despite data breaches, identity theft, and all kinds of scams that emerge from these, most Americans still freely share all kinds of personal information online and through their mobile devices.  Increased surveillance seems to be tolerated too – not just government surveillance, of which 82% of Americans are tolerant according to Pew – but almost everyone carries around a smartphone which collects massive amounts of personal data through the dozens of apps that are on each device.

Americans may be worried about the collection and misuse of personal information – but heck, they trust technology more than government.  According to the Edelman Trust Barometer, after a battering year of tech scandals, including sexual harassment at many firms, concerns over how social media may have been used to manipulate the 2016 presidential election, and the Equifax data breach, trust in the technology sector dropped just one point to 75% as opposed to government which dropped 14 points to 33%.

Judging by their continued heavy engagement with mobile devices and online, privacy concerns are not the driving factor dividing Silicon Valley and Washington – it’s really, who is going to be the biggest influence on setting the public policy agenda — how Americans think about the issues and how we organize to achieve societal objectives.

It’s the perception that we are losing our individual and collective free will that is troubling Americans. In 2010, Google CEO Eric Schmidt said: “We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”  And knowing what we are thinking about allows Google and other search and social platforms to help their advertisers and partners to influence our actions — not just what to buy, but what issues matter most, and perhaps even how to vote.  Are the FAANGs just one step short of mind control?  That’s what Schmidt implied, and he’s made the same statement many times in many forums.

Capitol Hill’s issues with Big Tech aren’t the same as Americans’

Capitol Hill also has issues with Silicon Valley, particularly with social platforms like Facebook and Twitter.  These platforms are enabling citizens to self-organize around public policy issues – loosely aligned groups like Black Lives Matter and the Tea Party are challenging establishment political parties for primacy in shaping the public policy agenda.  Individual citizens are bypassing Congress, state legislatures, and regulators as they directly challenge businesses to change their behavior and policies.

There is also a concern on Capitol Hill and within traditional policy-making institutions over concentration of power within a small number of Big Tech firms – particularly the FAANGs – Facebook, Apple, Amazon, Netflix, and Google.  Their dominance over control of information flows and news distribution, and the centralization of economic power enabled by their platforms, plus the dominance of these corporations by strong public personalities is concerning.  Both the disintermediation of traditional political and governmental institutions and the concentration of power, enabled by social and e-commerce platforms, diminishes the role of politicians, regulators and other public policy-making institutions.

The possibility that the FAANGs could become more powerful than governments is not lost on politicians globally.  European Union regulators are already taking steps under competition law and privacy law to de-fang the FAANGs, and China has shown that it is possible to have a rapidly growing internet sector with heavy governmental oversight.

While the model of governmental control in China is not transferable to western democracies, there is certainly more regulation to come for Big Tech in the U.S.  A national privacy law will be a start, but that alone will not be enough to calm the unease of Americans and their politicians.


Disruptive technologies are those that overturn the existing social order

What makes a disruptive technology disruptive?

This is a question that came up in a discussion with my cohort in the doctor in law and policy program at Northeastern, and I’ve been puzzling on it for a few months.  One characteristic is that technologies that emerge with new value propositions come from the convergence of two or more existing technologies.  For instance, cell phones existed for years before they became truly disruptive.  It was when the smartphone converged the cell phone with the internet that we began to see real disruption from mobile technologies.

With the smartphone, information becomes accessible and sharable anytime and anywhere, and it enables alternatives to existing services.  Smartphones have taken market shares from cameras, music CDs, taxi companies, and even cellular service itself.  They accelerated the disintermediation of the recording industry that had already begun with Web-based music sharing.  Most recently, apps on smartphones have begun the disintermediation of the personal transportation and the hospitality industries.

Convergence and displacement still don’t quite get at the disruptive effect of a new technology-enabled business model.  One more thing is needed — a threat to social order.  Consider the case of farming drones such as those offered by HoneyComb and PrecisionHawk.  These drones and the associated analytic software can enable crop tracking, and better decisions by farmers on where and when to irrigate or apply pesticides and herbicides.  They can provide a level of detail above what a farmer can get by walking the fields, and do so quicker and less expensively than services from agricultural airplane operators.  Many drones are financially within the reach of family farmers, thus disintermediating the farming aircraft operators and services.

However, crop-dusters and aerial surveyors who provide agricultural services have investments in expensive general aviation aircraft and equipment, and drones will destroy the business value of these assets.  Hence, most general aviation services incumbents are opponents of drones, and they have cited safety concerns as a reason to ban their use.  For now, FAA rules effectively ban most commercial use of drones.

This government ban is only a short-term win for the agricultural aircraft business.  Imagine trying to get investment in such a business now.  Investors could be reticent to fund the acquisition of assets that could shortly be obsolete.  On the other hand, with the FAA restrictions they may also feel inhibited from investing in drone-based business services.  This stalemate effectively freezes time for agricultural aviation technology; it’s like in Cuba where 1950s era automobiles are still plentiful.  Even if a crop-duster wishes to shift his business to drone technology, it just isn’t reasonable to do so right now.  But the demand from farmers is there.

Government regulations though are not always able to intercept and freeze the disruptive effects of technology.  New business models that can capture a market rapidly enable the creation of a counter lobby to threatened incumbents.

Uber is a case in point.  This simple app connects the owner of a smartphone to the owner of a sedan or automobile, thus disintermediating limousine services and taxi companies.  Personal transportation services, unlike agricultural aviation services, are used by large numbers of people who can become a social lobby to counter the incumbent lobby.  Usage of emerging consumer apps can spread virally through word-of-mouth and social media, rather than being dependent on trade press and industry conferences.  This wide and rapid adoption enables entrepreneurs to run faster than the regulators.

Furthermore, regulation of personal services typically operates at a state and local level rather than at the national level.  The chance of finding friendly or just plain slow jurisdictions is pretty high, and by the time the incumbent lobby organizes itself, the new technology’s entrepreneurs and investors have the support of a large and growing number of consumers who can mobilize through social media — i.e., a social lobby.  By the time the backlash mobilizes, the entrepreneurs have generated enough revenue, social capital, and momentum to compete effectively in the lobbying game.

To summarize, the most disruptive technologies will include the following characteristics:

1 — Convergence of two or more existing technologies that enables the emergence of a new business model

2 — Displacement of incumbents that have significant investments in legacy assets, and thus a political stake in maintaining the status quo

3 — Disintermediation of the regulators through a vector that enables rapid development of a social lobby in favor of the new business model

Bottom line – Disruptive technologies are those that overturn the existing social order.



Reinventing Me

I’ve reinvented myself before – from a nuclear engineer to a strategist, from a submariner to an industry analyst; I’m right now in the midst of another personal reinvention.  My departure from Gartner is the most visible sign of my reinvention effort, and that was really hard to do.

As another part of my personal reinvention, this weekend I was in Boston for my monthly “intensive” at Northeastern.  I’m working on a doctorate in law and policy which I’ll finish next June.

A year ago, I decided it was past time to reinvent myself, and pursuing a doctorate would help me to shift gears.  My master’s degree in international studies had certainly helped me move from engineer to strategist.  My doctorate is helping me to focus on new research into intractable policy issues raised by disruptive technology.  Not wanting to spend six years on a PhD, I found the two-year program in law and policy at Northeastern fit both my interest and my goals.  My research is specifically focused on the impact of disruptive technology on the process of making public policy.

My interest in the intersection of technology and public policy dates back to my early years at Gartner.  In 2000, with the encouragement of Bill Malik and Richard Hunter, I founded the Technology and Public Policy research community.  About 20 analysts participated and we produced a large number of special reports.  However, in 2002 with Enron and other technology-enabled business models falling to scandal, our attention turned heavily to risk management and compliance.  With regulatory proliferation and risk management demanding so much analyst attention, the strategic intersection of technology and public policy received less research attention at Gartner.

However, in the last two years that began to change.  Gartner identified the “nexus of forces”: the convergence of social, mobile, analytics and cloud (SMAC) technology drivers was rapidly introducing new business models, and a new war has emerged over the control of information between individuals armed with social and mobile technologies, governments and companies armed with big data analytics, and criminals taking advantage of vulnerabilities.  Gartner analyst Frank Buytendijk, along with his colleague Jorge Lopez, has addressed this struggle in the Digitopia scenario.

Reinventing me, I am building on my strategy, governance, risk management and compliance expertise with research into the impact of disruptive technologies on the core issue of how we actually govern ourselves as societies.  We’ve seen over the last few years how new technologies have radically transformed whole industries — the recording industry and journalism have been radically transformed.  Traditional B2C and B2B commerce models are under tremendous pressure from digital business models of Amazon and Alibaba.  With new digital businesses like Uber and AirBnB, transportation and hospitality industries are transforming rapidly.

With such radical transformation of so many industries, there is every reason to suspect that government and other key players in the public policy process will themselves be disintermediated as digital transformation overtakes the policy industry.  Failure to manage the risks of this transformation is a risk too great to ignore.