International Business Machines Corporation (IBM) Earnings Call Transcript & Summary
May 27, 2020
Earnings Call Speaker Segments
Lindsay Wershaw
executive
Hello, and thank you for joining us. Welcome to IBM's webinar on future-proofing your GRC investment in a changing market. I'm Lindsay Wershaw with the IBM OpenPages with Watson team joined by our experts today from IBM. [Operator Instructions] With us today is Greg Mueller, Director, Worldwide OpenPages GRC Sales at IBM. Greg has, for the past 14 years, been engaging clients in all industries to build a vision for addressing their needs related to integrated risk management and GRC. Also with us is Glenn Peters, Solutions Architect for IBM OpenPages. Glenn provides GRC implementation guidance to the majority of IBM OpenPages customers globally. All right. Let's get started. Greg and Glenn, over to you.
Greg Mueller
executive
I wanted to connect with you today and address an issue that's been in flight for more than 12 months that the GRC, governance, risk and compliance market, also referred to as the integrated risk management market, is in flux, experiencing more upheaval and change than in the past 6 years. Based on our experiences working in this market, talking with clients, prospective clients, analysts and looking at emerging technologies, it's pretty clear there's a lot of change going on. So what components of change are we seeing? The first is the volume and complexity of external pressures. This is most easily seen in regulatory reach. We're probably all familiar with GDPR, which started its enforcement 2 years ago just this week. And we know it was pretty wide in scope. But in the past 12 months, similar data protection regulations have been enacted in New York state and in California with more governmental bodies around the world following in similar regulation. This is adding compliance complexity to companies and organizations on an increasing basis. And we see, depending on your industry, regulatory flux, both adding and decreasing in scope, which means organizations have a mounding amount of regulatory change to keep up with. According to Thomson Reuters, they publish a potential regulatory change every 7 minutes. It's a lot, and it's been growing. So what other changes are we seeing? According to Promontory Financial Group, there'll be upwards of 300 million pages of regulation in 2020. They've seen $250 billion in sanctions and fines globally. And finally, they estimated $99 billion of annual spend total to address these regulatory requirements. Another component of change has been in the GRC vendor marketplace. In the first quarter of this year, we saw the $2.2 billion sale of RSA, which included the GRC leader brand, Archer, into a consortium of private equity firms, leaving the future direction and investment of that leader in flux.
We also saw executive management and leadership change over the past year plus at another GRC market leader, MetricStream. So a lot of change and uncertainty with 2 major players in this space. And finally, we've seen new entrants into the GRC marketplace, which may have big plans, but certainly not as much experience in delivering GRC platform solutions. So there's been a lot -- so we've seen a lot of uncertainty. What I wanted to share with you finally are a few observations that we have heard from recent client interactions and discussions about their GRC journeys and about what they would have benefited from knowing specifically about their GRC or integrated risk management technology provider. So here they are. First, GRC experience and expertise, it matters. While there has certainly been some consolidation of good practices, getting good advice and good guidance versus an order taking partner really helps in this space. Clients have also noted a disconnect from commitments made probably early in the relationship with the GRC vendor. Some specific areas that they referred to are, for example, scalability and stability. That is something that they would have wanted to have checked, whether through references or technical testing for this commitment and this capability. Also, they would have wanted to have explored and understood how a vendor approaches bug fixes and bug fixed backlogs. Another area they would have wanted to know about is a dependency on offshore development, for example, how long did it take to get technical deliverables back from a vendor? And finally, there's an area of extensibility. Extensibility is incredibly important in the GRC space because as we've seen prior here, laws and regulations don't stop changing. The data that we measure evolves and changes. And a platform needs to be extensible -- an effective GRC platform needs to be extensible in order to keep up with that change. So I'll leave you with this final thought. 
We've seen and have validated by Gartner research a movement regarding the expectations of integrated risk management, technology and capabilities. We're seeing a movement away from traditional backward-looking assurance, compliance and compliance checking focuses and toward a more forward-looking, performance-based and resilience-based point of view. And if these methodologies, these new methodologies, new capabilities and new technologies combine with a proven experienced GRC partner, that is really beginning to build the basis for future-proofing your GRC investments. So with that, I'll hand it over to Glenn Peters, who'll give us some guidance and a point of view that will help you move forward with confidence. Glenn.
Glenn Peters
executive
Thanks, Greg. So as the risk market changes and the drivers for organizations to better manage their risks increase, more organizations are turning to IBM for help. And IBM has been consistently focused on providing a platform you can build your GRC strategy with. In the last few years, organizations have been very focused on developing a strategic approach to their GRC challenges, and a platform capability like IBM OpenPages provides is becoming a common approach. The IBM OpenPages platform was specifically designed to address the various risk disciplines an organization will need to manage. A very important reason for this is to allow an organization to leverage the risk data that they typically manage for one risk discipline to be used for another. A simple example is a control that's managed by the IT organization that would be used to mitigate not only the risk in the IT organization, but also risks in the business areas related to operational or compliance risk processes. Going a little further in this platform, OpenPages allows the control to become -- if it becomes ineffective, all of the risk process and business owners have an immediate visibility to the issue and to determine if actions are needed to further mitigate their specific risks. The other leverage you gain from IBM OpenPages platform is the fact that the platform is designed to support multiple disciplines through common technologies, beginning with a common data model to allow risk elements to be shared and leveraged anywhere. A common user interface, where users don't need to remember the diverse steps for different solutions just to complete their tasks, there's also an embedded Cognos BI suite to present concise current views of the risk profiles. The platform also provides an ability to automate activities with a powerful embedded workflow capability. And there's an ability to work with data in other environments or solutions via the available integration capabilities.
Of course, IBM is leading the industry in applying cognitive or AI capabilities to all sorts of business problems, and risk management can certainly benefit by applying AI. How about having backup availability as an integral part of your risk management strategy? The IBM OpenPages already delivers this, and new innovative uses are being identified and developed all the time. Organizations are struggling to achieve a balance regarding how they go about managing their risk activities. Increasingly, organizations are required to further engage the first line of defense in risk mitigation because the scope of risk simply continues to grow. To do this, organizations are looking for ways to simplify the activities and automate elements wherever possible. Ultimately, the result can then be used by oversight and management teams to steer the organization in their risk management objectives. The struggle is compounded by some pretty significant challenges. This starts with the need for alignment across the risk disciplines. Alignment means aspects like the taxonomies used to describe and rate risks, hierarchies that are used to organize the risk data and even the process users follow to manage the risk mitigations. All of these present a significant change impact to an organization. Add to that the fact that most organizations are using multiple risk management solutions have a need to engage users, who already have a day job, and the rapid change in risk management requirements, it's easy to see why organizations need a better way. A different element of challenge for organizations is how to address the many risk disciplines they need to manage. These include the well-known disciplines like operational risk, regulatory and standards compliance or information technology governance, and then the not so common, but just as important disciplines like model risk, vendor risk and others.
Ultimately, all of these need to be managed, but the effort to include them can be substantial. Organizations need to manage the different stakeholders, find ways to leverage the efforts performed in one area, such as operational control testing, to address other areas such as compliance risk mitigation, and to do it in a way where an organization is not making a larger issue by duplicating data and having to manage the lineage of that data. The challenge becomes how to approach such a large effort in a coordinated way. As our poor elephant depicts, many organizations feel you need to break this problem down and spread out the approach. We recognize that, that can take a very long time, time most organizations really don't have. So instead, organizations need to address key requirements as they come along. The result of this demand in the organizations results in multiple technology solutions, dispersed and often duplicated data, variations in risk management methodologies and disconnects on how funding and project management can be applied. This is exactly the sort of problem IBM OpenPages can help resolve. So how do you go about building your GRC strategy with IBM? It usually starts with taking stock of the elements of the risk solutions and methodologies you currently have in operation across the organization. Taking stock will require a deeper dive on each area to understand what outcomes they achieve, what data they use, how the process is managed and who's responsible for the management of that discipline. In large organizations, this can span across business areas, countries and regions. Organizations need to align to accomplish a better GRC result. We have found that unless you have a strong executive already driving alignment across the organization, you will need to build and develop a governance organization that allows a consensus-driven strategy to be managed. 
It's easier said than done in some organizations depending on how the funding is driven, how politics play and how the culture works regarding cooperation. Whether you have a strong executive or conform a governance group, the next element is to develop a road map or strategy to tackle the requirements. A key part of optimizing a GRC approach is to marshal resources, people and money towards a common goal or at least to reduce this GRC sprawl that can occur if everyone continues to go separate ways. Many customers we work with have multiple GRC applications operating to manage the various GRC disciplines. It is pretty common, and there are a number of good reasons why this sort of environment will exist. Reasons like an urgent requirement to address a regulator finding, a need to eliminate excessive manual processes or wanting to leverage best practice processes that can often be built into offered solutions. There's also the obvious funding impact, change impact to current processes and user experience and priority as compared to other organizational objectives. So how can IBM help you optimize the results across the various solutions? Well, unfortunately, every solution prior doesn't have a strategy to easily integrate to any other solution. So in most cases, you're on your own to determine the best approach. This can be anything from simple batch file processing between solutions to the very complex API integration. We find it's important to prioritize the integration requirements and follow the keep-it-simple principle. In some cases, it may make sense to replicate some elements of data across the solutions to allow test to be completed with all the required influencing data. In other cases, it may be enough to bring across summarized results to support decisioning efforts. With IBM OpenPages, the platform provides multiple methods and capabilities to easily integrate with other solutions to help drive that GRC strategy.
In all cases, there needs to be analysis of how much effort, loss of effectiveness and efficiency and potential data quality issues there are with so many different solutions. A lot of our customers are specifically targeting to move away from point solutions and consulting on the IBM OpenPages platform for all the reasons we covered earlier. IBM has been gradually incorporating the Watson capabilities into the IBM OpenPages GRC platform in order to provide embedded options for risk management use cases. As it relates to where AI can provide benefit, IBM primarily sees it in the ability to improve data quality, gain analytic insights based on the quantity of data and to guide users to best practices through AI training. Some examples include, IBM has the ability to leverage the Watson Natural Language Classifier with the IBM OpenPages user interface so a user can request suggestions on how to select key data about an item. When you're dealing with something like an issue or loss event, a user is often required to select categories that issue might be aligned to or staying with the issue example, a user will often need to identify which control is most likely failing causing the issue. For a second line of defense individual, that might not be too difficult to do, but for a first line of defense individual, they'll probably get it wrong. So the capability can go a long way to improve data quality overall. Another useful AI capability for risk management is the chatbot. I'm sure we all have had experience with the chatbot and found some that are extremely helpful and some that are not. This is where the training effort for AI becomes important to make the capability useful for GRC users. If you have a trained chatbot that can be a useful service to support individuals in managing their GRC tasks. They can provide help by retrieving data from the correct areas of the GRC solution or even provide guidance on how a task should be completed correctly. 
A little bit of a further use case is to consider how an AI chatbot can be providing some data oversight as tasks are being completed and provide context-related guidance. So if an individual selecting or entering data that looks to be of a quality issue, the chatbot can present an option to assist them with instructions or guidance. So to wrap up, with so many capabilities, it's clear why organizations are choosing to build their GRC strategy with IBM. IBM OpenPages is a true GRC platform designed to support all of your GRC requirements and is built to handle the scale of activity organizations need. IBM has market-leading capabilities for big data management and can help apply data integration technologies to your strategy. And probably most important, IBM has the experience and advisory capabilities to help you define governance that is required to manage GRC in a coordinated way. Let me turn this back to our moderator to get ready for questions.
Lindsay Wershaw
executive
Thank you to Greg and Glenn for your excellent presentation today. And to everyone attending, thank you for joining. Hope you took some valuable information back with you. And as a reminder, please check out the Resources tab, including the schedule of consult link for you to meet with an IBM GRC expert to future-proof your GRC investment as well as the IBM OpenPages e-book. Well, let's go into the Q&A.
Greg Mueller
executive
Thanks, Lindsay. It looks like we do have a few questions here that we can go through. So the first question I see is, how can a company ensure they're going to future-proof their environment and protect themselves? So Glenn, do you want to take a pass at that answer?
Glenn Peters
executive
Sure. Yes. Thanks, Greg. Yes, the key for protecting or future-proofing your GRC solutions or strategies is to try to work and make sure that you get across the multiple stakeholders in an organization that are managing different GRC disciplines and look to prevent the sprawl that can take place, multiple different solutions being put in place, multiple methodologies being applied, all those sorts of aspects of GRC management. That allows you to ultimately bring the data together at the end if you are preventing that sort of sprawl. That's really the primary way we find organizations protect themselves from having GRC strategies not really be effective.
Greg Mueller
executive
Excellent. Thanks. There's another question here, and the question is -- relates to, what integration and integration points do we see are required or needed sort of on a go-forward basis? Glenn, I'll take a pass at least one component of the answer to this, and then maybe you can also add your observations. So one thing we're really seeing is a move and a need for authoritative regulatory and authoritative content. So integration with a variety of content sources is we're seeing a really important need going forward. So whether it's things like guidance, rationalized guidance through UCF regulatory guidance and alerts from -- we happen to have partnerships with Wolters Kluwer and Thomson Reuters and Ascent AI. We're seeing a big driver for those kind of content needs as well as from rating agencies. There's a variety of security and other components of rating agencies that would provide some input, especially for third-party or vendor risk management use cases. That's certainly what I'm seeing. Glenn, do you have a point of view?
Glenn Peters
executive
Yes. Great, Greg, that the external content certainly is one piece. The other we see a lot is the internal content. So how do we get the information security scans and vulnerability details over to the risk platform? Or where might we have automated testing happening? And how can that feed to the platform, so that users are getting the value out of that data, but not having to go either find it, get it misinterpreted or whatever? And then probably lastly, would be some of the policy aspects internally as well. In some cases, folks manage the policies within the platform. Other times, they don't, but often policies are sort of a connector between, as you mentioned, that authoritative content and then the specific risk data folks need to manage. So those are some of the key integration points that I've also seen as well.
Greg Mueller
executive
Fantastic. I'm seeing the question here, and, Glenn, I think you might be best suited to answer or address. The question is, what is the migration strategy? And how feasible does it look to bring in data from, I think -- well, these specific 2 platforms are listed as from RSA Archer and/or MetricStream into the OpenPages platform. Can you share any thoughts on that?
Glenn Peters
executive
Sure. Yes. I guess, two points. So when it talks about migration, we're very careful when we work with organizations to understand what data they need to bring across in a migration. Often folks will say, can you just bring everything over? And our first question is, why would you want to do that? Or how is that going to work if you're often realigning your taxonomies or changing some of your data structure? So there needs to be some thought into what data you migrate over and in what format. In some cases, it might be the historical data is put into viewers, so that you can do forensics or historical reviews. But then the data you do want to bring over is things that are active or that are near-term or recent, like the last assessments you might have conducted or the last control testing results for the last few periods of time, so that you can maintain the trending details that you had. And then you can use that to go forward for your assessment or your scoping or whatever other risk activities you need to do. So it's kind of a tricky question in how do you migrate it or what do you migrate? A little bit of it is a depends question. But the answer that we find that works most often with organizations is to sort of separate things that are historical, need to be available for that, like, again, forensic or review, but doesn't pollute or crowd up the environment with data that may not be really toe-to-toe with the new data formats that you're lining out, as most organizations are usually making some adjustments when they introduce a new solution of any kind. Hopefully that answers the question.
Greg Mueller
executive
No, that was great. Thanks. And I think that's -- those are the final questions I saw listed here. So I do want to express my thanks to everyone for joining. And Lindsay, I'll pass it to you to sort of wrap us up here.
Lindsay Wershaw
executive
Great. Thank you, Greg, and thank you, Glenn, and thank you all for joining us today. Final reminder here to check out the Resources tab and to complete the survey to help us with content for future virtual events. Hope you all stay well. And you may now disconnect from the call.