
The evolution of GRC software

Chris Hamblin, Editor, London, 27 November 2017


MetricStream is an American Governance, Risk, and Compliance (GRC) apps company with its headquarters in California. It hosted a conference in London recently at which its chief evangelist, French Caldwell, offered his views about the rise and rise of GRC software to Compliance Matters in an interview.

Compliance Matters caught up with the American GRC guru on the sidelines of the MetricStream conference in London last month. More than half the attendees there were from financial services. Our discussion ranged over the whole history of GRC software – a story that is still unfolding – and the increasing integration between compliance software and that of other business functions. Surveillance of employees, the connection or mapping of the same data/document management activities to different rules and the relationship between software and the so-called ‘three lines of defence’ were all topics for heated discussion.

The general theme was the evolution of GRC software through its first five stages, with some predictions from Caldwell about its future direction. Our talk is recorded here in the form of a question-and-answer session.

Compliance Matters: GRC was started 15 years ago by the big four accountancy firms.

French Caldwell: Yes it was. I started in this space when I was at Gartner, between 1999 and 2014, so I became a Gartner fellow while I was here. But back in the early days, I guess it was in my third year at Gartner, we noticed a dramatic increase in inquiries related to records management. At least, I noticed that because it was an area I covered as an analyst.

Records management – the genesis of GRC IT

It was not (yet) to do with regulatory reporting; instead it centred around what records you are legally required to retain. We started digging into this, and wondered why we were getting this big surge in records management, a very mature area from a technology standpoint in 2002. Typically, in a mature area, you don’t get a whole lot of inquiries. We found out that it was due to the US Sarbanes-Oxley Act.

We analysts were not out there in the middle of regulatory compliance at all. We dealt with some IT security but regulatory compliance was not on our radar. Public policy was not on the radar of the big technology companies. Keep in mind that at that time the only big thing from the public policy standpoint that popped up to affect Silicon Valley or any other IT industry was really the Microsoft antitrust lawsuit. In the IT industry there was not a huge awareness of public policy or the impact of rules and regulations. In other words, there was no GRC technology per se.

This started popping up around records management. It turned out that the people really asking the questions were inside counsel and people who were concerned about this new law called Sarbanes-Oxley, which was the result of the impact of new business models, new digital business models that led to the Enron and WorldCom scandals. So it was a very incestuous thing for the IT industry; they had enabled these new business models that people then abused and it led to the new Sarbanes-Oxley (SOX) laws that improved corporate governance. So I think that that was the first time. Over here you had – what was it? – the Turnbull Report.

In the late 90s and early 2000s all around the world we were having this re-look at corporate governance. You had not only the London Stock Exchange rules but the EU company law number 8 – most of these already existed but they were all re-examined. New enforcement mechanisms were put in place and that really was the launch of the GRC industry. Certain interpreters looked at this and said hey, there’s an opportunity here for us to sell something that helps people comply with corporate governance rules, in particular SOX because it seemed to have the most teeth. But there were similar requirements all around the world. Plus you had companies all over the world that had US entities that were listed on the New York Stock Exchange and Nasdaq and they came under SOX.

Unto the second generation

That was really the first generation of GRC technology: how do we comply with SOX? The second generation came about because of the customers who were starting to use this SOX technology for other purposes.

They said “if I can comply with SOX I can also use it to comply and document my control testing and so on, and use it for privacy.” They were helped along by a new EU Data Protection Directive. You started having data breach laws that you needed to comply with. There was a proliferation of more and more rules and regulations.

So that was the second generation. The vendors said oh, well, we need to improve it and enable the technology out of the box to serve for multi-regulatory types of compliance and a lot of these controls that people were putting in place for one law could apply to other laws.

Compliance Matters: Nobody had ever thought of that before?

French Caldwell: No-one had thought of that before.

This was around the 2005/6 timeframe. It really began with the customers starting to do it and the vendors looking in and saying we can fix our solutions to enable multi-regulatory compliance.

At the same time, the regulators were coming back and saying look, if you guys want to do...and, by the way, by multi-regulatory...think about it, under the corporate governance codes including SOX, you have requirements around access control to the financial data. Who can have access outright? Well, same thing exists under data protection rules. Who can have access to what data? Same controls. Why should I be testing the control for every rule and regulation when I can test once and report out many times?

Compliance Matters: Although under the Data Protection Act you have to give your reasons for doing it. So you have to have the compliance officer or information officer, as it is now, doing it.

French Caldwell: You’re right! So the rules became a little more elaborate but still the basic idea was to have data access requirements and in some areas they may be more stringent than others but still these controls are applied to multiple rules and regulations and I can test once, collect the evidence once and report out many times.

The rise of UCF

That was the advantage of multi-regulatory compliance. It was at first something of a pipe dream with some of the early solutions but then we began to see people who would go...and solution providers who would map – go ahead and pre-map – all of these controls to the regulations. So the one out there, it’s almost a standard now, is the unified compliance framework or UCF.

If you look at UCF, for technical controls and for a number of non-technical controls, they have mapped several thousand controls to hundreds and hundreds of rules, standards and regulations around the world. So if I’m complying with ISO 27001 for IT security, how does that map to MiFID? Or to Basel or Solvency II or data protection and so on?

So I pre-map this. The mapping is in the GRC solution thanks to UCF. In our case, we (MetricStream) use the UCF and so do several other GRC members. So it’s already pre-mapped, so now as the customer you can take your controls, map them into UCF and see how they map to all the different rules and regulations – or you can just use UCF as your controls because it’s already vetted. It’s already gone through a bit of legal vetting. Regulators are fairly familiar with it.

Compliance Matters: So regulators all over the world have meetings about UCF and talk about people using it?

French Caldwell: Many of the regulators will be familiar with UCF, even if they don’t know it by name. They’ll certainly look at the control titles and say this is something I’ve seen before.

Mapping tools

Compliance Matters: Is it like classification in a library for different subjects?

French Caldwell: Yes. UCF is a partner of ours and of other vendors in the GRC space and they have 2,000 controls – actually it’s much more than that now – that have a title. There’s a name for [each] control, a category it falls into and a very detailed description of that control that lasts for at least a page. And then they map those controls to thousands of what they call ‘authority documents’ which are either the law or the regulation itself by section, and they have semanticists who break this down so they can map it to the controls.

They map it also to standards, so for a lot of people they’ll say I’m an ISO27000 shop, or my auditor has completed a SOC2 [a Service Organisation Control audit report, second version] for security, privacy, confidentiality, integrity and so on and so I can see how that SOC2 and that ISO27001 map back into the UCF, or I can look and say how does it map to the requirements of MiFID II, how does it map to the requirements in other laws and regulations that I have to comply with? So it’s a multi-regulatory compliance programme.

Compliance Matters: What maps what? What happens? What do you see when you’re putting one set of data next to the other set of data?

French Caldwell: There’s actually a grid. They’ll have...you can actually get an Excel spreadsheet version of this, or in our case it’s embedded in the solution, but either way if you look at it you’ll see that you can actually go in by industry or by region. So if I went in by industry I would see all the laws and regulations that appear to apply to my industry.

The involvement of general counsel

Compliance Matters: Then if you fancy going off-piste into another industry it’ll tell you what the equivalents are there?

French Caldwell: Right. It’s not every law and regulation in the world, but it is all the major ones that you will find. I might not have the Data Protection Directive for Sierra Leone or Botswana, but I definitely have the General Data Protection Regulation (GDPR) mapped in there (they’ve already mapped that, by the way) and I’ll have the South African privacy rules mapped in and a very clever compliance professional can now look at the Botswana rule and just say “here’s the sections to map to these sections” and they actually have a mapping tool that will allow you to map in things that may not have been mapped automatically by UCF.

You just have to have somebody who’s at a reasonable level of legal and compliance training. They don’t necessarily have to be a compliance lawyer but I always say that you should have competent legal counsel to review what you did, just to be safe.

* The next instalment of this discussion will appear in our web-pages tomorrow.
