• Multi-lingual names: It is great to have a multi-language user-interface so international organizations can work easily on easy2comply. However, what was still problematic to some was that when the UI was compatible with their local language, the content was not.Thus, we are proudly announcing the new feature of translating the control and risk names to your local language and up to 3 languages simultaneously.
  These changes will affect the reports as well.

• Simplified delete options: The delete option was one of those features that received considerable question.  What happened when you deleted?  Did you really delete it?
  So, in response, we have decided to clarify this sensitive feature. Now you will have two different options instead: “Hide” and “Delete”. We have also added a warning message, as well as instructions on how to undo these actions, if needed.

• Colorful buttons: As any other application, ours requires saving the screen once in a while. But as you know, some screens allow you to add, submit, approve or save, and these different, yet similar, buttons can be very confusing. While you may ask yourself over and over again: “Where is the save button?”, we have defined “Save” as “Add” in order to match the purpose of the screen, for instance.
  In order to simplify this, we have created a general color for all “execution” buttons, such as: Save, Add, Send, etc.  You will now notice that this button is orange.

• Aligned fields: Since the beginning of time, people have been trying to put things in order in our world, but with limited success only.
  We, at easy2comply, find it very important that each screen will look well-organized so you won’t feel disconnected or disoriented. So, it took us some time but now all fields have been aligned accordingly and reading information from the screen is much easier than before.

• Font size support: We know some of you use laptops while others use workstations to work on easy2comply. This means that your screen resolution may not best fit the current font size in the application.
  The new “Home screen” led us to believe some screens require a customized font size based on what will fit your resolution. So, from now on, look for the font-size-customization-feature. For instance, if you click on the “Edit” icon of each widget in your “Home screen”, you can change the font size accordingly.

• Error message: I find it very disappointing when an error message is so useless that is serves no purpose beyond informing me something is messed up.
  For this reason, our new error message will try to explain the error’s origin. In the case that we don’t yet know the reason, the message will guide you through how to simulate the problem, as well as how to report it as a bug to our support. This way, we will be able to fix the issue as quickly as possible, and you will know we are on top of it without having to make too much effort.

We were curious about the GRC environment in Scandinavia, and since you might be too we’re sharing an excerpt from a recent session we had with Risk Solutions ApS, Nordic’s software solution affiliate.

Q: What is the level of awareness of the GRC market in Denmark in general and what are the most common regulations in particular?
A:  The general awareness of the GRC challenges is rising in Denmark; though it has been on a pretty low level. To actively integrate the work on governance, risk and compliance will change the way companies think and the possibilities for companies to enjoy real business benefits.

Q: Are there any local regulations in Denmark that differ from EU common regulations?
A:  A very big part of the Danish regulations originate in common EU rules. However, all EU rules have to be implemented in local regulations. Most EU regulations are based on what is called “minimum standards”. The individual countries can choose to implement tougher. Most Danish regulations are tougher than prescribed in the common EU rules.

Q: How do you evaluate the level of awareness and adoption of software solutions as part of implementing structured GRC processes?
A:  In Denmark and the rest of Scandinavia, the level of awareness and adoption of GRC software solutions are very infant. Only a very small percentage of the companies which could benefit from the use of IT solutions as part of a structured GRC process actually use these it tools actively. The potential for enjoying real benefits in Denmark are significant.

Q: Who are the most dominant industries/ verticals in GRC software adoption?
A: It is our belief that the financial sector is the most dominant industry in the adoption of the GRC software solutions. However, even most financial sector companies do not use these tools yet – mostly because they are not aware of the present and real capability of the solutions.

Q: How do you see the GRC market evolving over the next 2-3 years in Denmark?
A:  In Denmark and the rest of Scandinavia we foresee a reel booming market for integrated IT GRC solutions. We do recognize that an IT solution cannot stand alone. We have to work on the content as well.

Q: Please provide a short overview of Risk Solutions APS
A:  Risk Solutions ApS is affiliated with Nordic Risk Management ApS. Risk Solutions ApS main focus is to develop and to be the preferred specialist provider of IT solutions in Scandinavia on governance, risk and compliance.  Nordic Risk Management ApS is our specialist provider of risk management services. We have for years focused on the content of governance, risk and compliance and are among the preferred consultant firms in Denmark for risk management within the insurance sector. We are running full scale implementation projects including capital adequacy calculations.

If you’d like to share similar information about the GRC environment in your part of the world, please contact us.

easy2comply fully supports collection and evaluation of information regarding different types of incidents whether they are:

1. Loss Events – used by the Financial Services industry to report that money has been lost.
2. Security Breaches – used by any firm to indicate a network or application breach.
3. Compliance Events – used by businesses to record regulatory breaches.

With the objective of restoring normal operations as fast as possible, with the least possible impact on either the business or the customer, easy2comply provides the framework necessary for directing how incidents should be handled.

Incident Management Lifecycle

The lifecycle of all Incident Management is fairly standard, even though certain types of incidents and regulations may require the capture of a specific field or group of data:

Capture of this information in easy2comply’s central repository helps Management define:

• improved processes, policies and procedures
• appropriate assignment of roles and responsibilities
• provision of necessary equipment, infrastructure, tools, and supporting materials
• training staff may need to perform the work in a consistent, high-quality, and repeatable manner

in order to prevent future reoccurrences.

New Features and Functionality!

With this in mind, we have enhanced easy2comply’s Incident Management capabilities enabling you to:

• Build your own Incident Type
• Define the Incident Workflow
• Specify which fields must be completed, and who is authorized to do so, in each stage of the workflow
• View Linked Incidents at the level of Unit, Process, Risk / Threat, and Control
• Have Notifications pushed straight to the Inbox of those assigned the responsibility for monitoring risk and managing incidents.

Version 1 of new interactive desktop solution features 4 customizable drag & drop widgets:

• Welcome Messages – customizable by department or group
• My Tasks – a widget for your To Do list (e.g., reminders, sign-offs awaiting approval, incidents pending remediation, exception notices, etc.)
• Charts & Graphs – choose from 5 different compliance calculation dashboards
• Favorites – a widget for your favorite internal and external links

Simply configure your desktop to suit your professional needs and the data will be pushed to you. When your needs change, you can easily make modifications with a few clicks and the convenient drag & drop features.

Currently on our drawing board for a future release: additional widgets and dashboards, and powerful configuration options for a more personalized design. If you have ideas for features you’d like to see in incorporated into easy2comply, please contact us – we look forward to hearing from you.

1. AIG fined $1.6 billion for Accounting Fraud and a bid-rigging scheme with Marsh & McLennan Companies (at the time the largest US insurance broker) that authorities say cost shareholders more than $500 million. AIG also had an arrangement with three private entities, governed and controlled by AIG executives that raised concerns regarding compensation and conflict of interest.
   
   Executives were charged with conspiracy, securities fraud, mail fraud and making false statements to the Securities and Exchange Commission. Investigations also led to the convictions of four General Re Corp. executives for their roles in manipulating AIG’s financial statements.The challenge left for the new CEO was to transform AIG’s secretive culture into a viable business able to play by the rules.
   
   American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries. AIG companies serve commercial, institutional and individual customers through one of the most extensive worldwide property casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States.
2. Siemens A.G. paid a $1.6 billion fine ($800 million of which was paid to the US) for the biggest Bribery case in German history. In reality the cost to the company was around 2.5 billion euros ($3.7 billion) in fines, investigations and back taxes combined for breach of trust over corporate bribery practices to the tune of a $40 million to $50 million annual bribery budget!
   
   Pleading ignorance, in his January 2011 biography, former Siemens CEO and Chairman, Heinrich Von Pierer asked “In what way should I have taken responsibility for events that I didn’t know about?”  Siemens former Accountant, Reinhard Siekaczek, stated during a 2008 interview that he didn’t expect the scandal to hurt Siemens’ business because bribery is common and people will chalk it up to bad luck saying Siemens “broke the 11^th Commandment: Don’t get caught”.
   
   Siemens AG is a German engineering conglomerate, the largest of its kind in Europe, with international headquarters located in Berlin, Munich and Erlangen. The company has three main business sectors: Industry, Energy, and Healthcare; with a total of 15 divisions.
   
3. Halliburton paid an $829 million settlement ($250 million to Nigeria and $579 million to the US) for Bribery and Fraud. Investigations proved that Houston-based engineering firm KBR, a former division of Halliburton, paid $182 million in bribes between 1994 and 2004 to Nigerian officials to secure $6 billion in contracts for a liquefied natural gas project.
   
   The bribery occurred during years in which KBR was owned by Halliburton and involved funneling of money through agents in Tokyo and Gibraltar. 
   
   Halliburton is the world’s second largest oilfield services corporation with operations in more than 70 countries. It has hundreds of subsidiaries, affiliates, branches, brands and divisions worldwide and employs over 50,000 people.
   
   Halliburton’s former subsidiary, Kellogg Brown & Root (KBR), is a major construction company of refineries, oil fields, pipelines, and chemical plants. Halliburton announced on April 5, 2007 that it had finally broken ties with KBR, which had been its contracting, engineering and construction unit as a part of the company for 44 years.
4. WorldCom was fined $750 million for Securities Fraud, Conspiracy, and filing False Statements with the SEC after $11 billion in accounting irregularities were discovered. The “errors” involved the manipulation of its reserve accounts in order to inflate earnings.
   
   This scandal led to the employee retirement plan plummeting because 32% of it was funded by company stock, executives indicted and sentenced to prison, WorldCom filing for bankruptcy protection, and the involvement of two of the Big Five accounting firms in the US at that time.
   
   WorldCom was the United States’ second largest long distance phone company. It grew by aggressively acquiring other telecommunications companies, most notably MCI Communications which was later acquired by Verizon Communications. WorldCom also owned the Tier 1 ISP UUNET, a major part of the Internet backbone.
5. KPMG paid $456 million for Marketing Fraudulent Tax Shelters to help wealthy clients evade taxes. In the largest criminal tax case ever filed, KPMG admitted that it engaged in fraud that generated at least $11 billion dollars in phony tax losses which, according to court papers, cost the United States at least $2.5 billion dollars in evaded taxes.
   
   Nine people, including six former KPMG partners and the former deputy chairman of the firm, were criminally indicted in relation to the multi-billion dollar criminal tax fraud conspiracy.
   
   KPMG operates as an international network of member firms offering audit, tax and advisory services helping clients to mitigate risks.

In the case of the US companies above, in addition to the penalties imposed, the Justice Department ordered retention of independent compliance monitors for 3 or more years. The long-term effect on business today is the creation of the Sarbanes-Oxley Act of 2002 (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices. SOX requires companies to put controls in place to prevent, detect and quickly respond to fraud and misconduct and remedy any harm caused by it.

From your experience (and with the help of your crystal ball), what do you predict will be the largest unregulated risk companies might be challenged by in the near future?

Continuous Controls Monitoring (CCM) provides organizations with effective techniques for monitoring and auditing their IT systems, providing insight into the integrity of individual transactions and the overall efficiency of controls.

easy2comply has just released a new version that provides a CCM feature for automatically managing controls that enables:

• Quick and easy deployment for your most critical needs
• Monitoring of transactions
• Automated routine testing
• Detection of inconsistencies that may trace to fraud, abuse or costly errors
• Compliance with a variety of regulations

This new feature is so easy to use that configuration and implementation for your technical or business controls can be accomplished quickly using your data from a standard data structure.

Configuration can be based on a variety of different regulations or standards such as: Sarbanes Oxley, Basel II, Solvency II, ISO27001, ITIL, PCI-DSS, General Compliance, Internal Audit and many more.

easy2comply’s CCM feature can be configured to run tests on an automated schedule such as daily, weekly, monthly, etc. and will alert you via email whenever problems occur so you will not find yourself unprotected or unaware of any non-functional controls.

If you would like additional information and a free trial of easy2comply, please contact us.

We’re also happy to inform Mexican businesses that need assistance with their Basel II and Solvency II compliance requirements that easy2comply has partnered with MagnaSoft of Mexico. MagnaSoft was founded in 1996 and is a leading IT company focused on providing consulting, services and products in the Governance, Risk Management and Compliance (GRC) areas.  Their expertise is in SOX, ISO 27001, COSO and COBIT, applying tested Quality Strategy Methodologies as Business Process Modeling and Analysis (BPM/A), Business Process Management (BPM) and Balanced Score Card (BSC).

Just in case you’re wondering about the GRC environment in Mexico, here is an excerpt from an interview we recently had with MagnaSoft:

Q: What is the level of awareness of the GRC market in Mexico and what are their most common regulation challenges?
A: The awareness in Mexico is growing because of the need to comply with Basel II and Solvency II by 2012. The most popular areas are SOX and Solvency II.  We see strong interest especially from companies in the insurance sector.

Q: Are there any local regulations in Mexico that differ from the common regulations in the US/ EU?
A: Currently there are no specific domestic regulations in Mexico. We know that the Insurance and Financial National Commission are working on Solvency.mx, which should reflect some customization of Solvency II for Mexican companies.

Q: How do you evaluate the level of awareness and adoption of software solutions as part of implementing structured GRC processes?
A: The largest companies in Mexico have high awareness with respect to adoption of GRC software solutions. Some companies, mainly financial institutions implement enterprise-level GRC software.
We witness a growing number of smaller companies seeking software solutions. Usually their main challenge is lack of knowledge on how to combine their GRC processes and methodology into software and how to approach software evaluation in that sense.
The financial sector is the leader with regard to software adoption, that’s for sure. As mentioned, we do see a growing interest from companies in other sectors as well. Companies from other non-financial sectors are more interested in IT practices, at least at the moment.

We will continue to seek partners throughout Latin America who are interested in sharing easy2comply’s new Spanish version with their clients.
If you would like additional information and a free trial of easy2comply, please contact us.

GRC Summit
The 2011 Governance, Risk Management and Compliance Summit held at the beginning of March in San Francisco focused on Integrating Governance, Risk Management and Compliance this year. Risk and compliance professionals and executives, solution providers and business consultants were inspired and educated by the excellent group of Thought Leaders and Speakers. Attendees discussed current practices in compliance and risk assessment, with real world examples highlighted from companies such as Visa, Ventura Foods and Fiserv. Industry leaders, analysts and consultants discussed best practices of GRC implementation, while exhibiting vendors presented their solutions. easy2comply was presented as an incremental GRC solution by VP sales and business development David Leichner who used the opportunity to highlight Michael Rasmussen’s recently released white paper entitled “GRC: Solving Real Business Problems, Not Just Hypothetical Ones”.

ERM Symposium
From March 14th – 16th, Chicago’s Swissôtel hosted over 400 senior executives, directors, and risk management experts at the ninth annual Enterprise Risk Management (ERM) Symposium. Focusing on regulatory reform, policy leaders from various regulatory bodies explored the directions and impacts of proposed reforms with thought-provoking discussion on successes, challenges, and expectations of enterprise risk management implementations, and the critical role of the Country Risk Officer in the current global environment. The ERM Symposium is the premier educational event for enterprise risk management and easy2comply sparked the interest of many of the attendees as being the only solution provider exhibiting with a complete and comprehensive governance, risk and compliance framework.

Our powerful Task Tool helps you effectively manage your requirements through the flexibility of tasks, sub-tasks for related controls and processes, multi modules for control and more. And just like easy2comply’s other features, it’s easy to use: simply add a new task, set the due date, and you’re ready to start managing your tasks.

We’ve added a few new task-specific features to make Task Management easier:

• Pending Tasks assigned to users automatically appear in their task table.
• Alerts are automatically sent to remind users to perform tasks by their due dates.
• A variety of Task Templates enable customization to meet your needs.
• Multi-stage functionality allows for flexibility in assignment and timing of tasks.
• Support for Segregation of duties.
• Support for Changing Workflow on-the-fly.
• Flexibility in Modification of entities directly from inside the Task editor.

Plus many more features for you to explore.

easy2comply Puts You in Control

Once tasks have been created and assigned to users, keep track of what’s due next by using the sort by due date, pending for you, initiated by you, or any of the additional sort options. Monitor your task list by using the Tasks Table or by generating a Task Report.

We believe you’ll find easy2comply’s Tasks Tool to be comprehensive, yet easy to use. Our goal is to help you to keep on track, organized and stay focused on your tasks.

We hope you’ll enjoy this new feature and eager to get your feedback!

• Pillar 1: calculate the MCR (Minimum Capital Requirements) and SCR (Solvency Capital Requirements)
• Pillar 2: demonstrate that the risk capital calculated provides sufficient coverage for the risks identified.

easy2comply provides smart functionality that divides an organization’s hierarchy into manageable silos to easily define  the set of risks present within the assessment zone, logically assessing those risks, and determining a set of mitigation techniques for managing them.

easy2comply’s Fast Track Steps

1. Define the Organization’s Hierarchy
   • Determine the “Unit of Assessment” – this is the scope of the assessment. Your organizational structure needs to be broken down so that the total of these Units comprise the whole. By assessing the Unit, when aggregated we will have assessed the whole.
   • Complete the Risk Register – identify a set of risks that are relevant for the particular assessment and document them accordingly. You need to ask questions such as “How can this risk impact my business?”, “Has this risk hurt me before?”, and “Who owns this risk?”  Risk identification and documentation are critical aspects – we cannot assess what we don’t understand.
   • Link all Risks to Risk Types – it is likely that your capital model will be driven by risk categories. Therefore a logical Risk Type hierarchy that individual risks can be linked to is necessary. By mapping each risk to a Risk Type, we can easily aggregate information and see how the capital allocation process works in practice.
2. Assess the Risk
   Ideally we want to create “numbers” for all of our operational risks, however, this is not always possible so we need to have a way to deal with risks that we can’t quantify. Do we ignore them or do we assess them separately? In easy2comply we can quantify the risks using Monte Carlo simulations, yet we also allow for a qualitative assessment of the risks using Impact and Likelihood ratings. Often this is more realistic and ensures that operational risks can be assessed in a standardized and structured manner that allows for prioritization.
3. Mitigate the Risk
   Now that we understand what and where our risks are, and how important these risks are to us, we need to specify and manage the mitigation process. This is accomplished through a set of controls and actions that detail the way we want to manage this risk. Some mitigants will affect the impact of the risk if it materializes – such as insurance or third party agreements. Other mitigants will reduce the likelihood that the risk will occur. All are considered mitigants and all should be documented clearly within the framework.