Author: The GRC Pundit

The Policy Management Illustrated Series

• Frustrated by policy management?
• Having trouble finding all the policies (both authorized and unauthorized) floating around in your organization?
• Wasting time and resources that could be well applied elsewhere to help the organization achieve its objectives and stay on track?
• Realizing something has to change? 

In our research, we have found that many organizations fail at several key stages of policy management. Too often there is no formal guidance or requirements for the authoring and approval of policies. There is no risk-based consideration to determine which policies should be supported with training. There is no single repository for all policies with version control and linkage to related obligations, processes and controls. And on and on and on. 

In response to this problem, OCEG, in collaboration with GRC 20/20, has developed an educational series of materials and webinars discussing the challenges and the solutions for better policy management. In addition to addressing each stage of the policy management lifecycle, the series will provide context that can help attendees build the business case for better management, demonstrating the value of policies in helping the organization achieve Principled Performance.

Each webinar will be accompanied by the release of a related installment in our Policy Management Illustrated infographic collection.

Whether you are directly responsible for policies or are on a compliance, risk, HR, legal, internal audit or IT team, you will find this series both helpful and enlightening.

Check out more details and register for each webinar by clicking on the titles below.  Sign up early to reserve your spot. 

Upcoming OCEG & GRC 20/20 Webinars . . .

• Policy Management Step – By – Step, November 4 @ 10:00 am – 11:00 am CST
• Standardizing Policy Design and Approval – Why it Matters, November 6 @ 10:00 am – 11:00 am CST
• Beyond the Shelf – Ensuring Policy Understanding with Communication and Training, November 11 @ 10:00 am – 11:00 am CST
• The Policy Enforcement Team – Roles and Responsibilities, November 13 @ 10:00 am – 11:00 am CST
• Engaging Employees – The “Now Generation” of Interactive Policies, November 18 @ 10:00 am – 11:00 am CST
• Keeping Up With Change That Impacts Policies, November 20 @ 10:00 am – 11:00 am CST
• Re-evaluating Policies – Methods for Maintaining Effectiveness, November 25 @ 10:00 am – 11:00 am CST
• Where Policy Management Fits in the GRC Ecosystem, December 4 @ 10:00 am – 11:00 am CST
• Results from the 2019 GRC Maturity Survey, December 5 @ 12:00 pm – 1:00 pm CST
• Building the Business Case for Better Policy Management, December 9 @ 10:00 am – 11:00 am CST
• Why Policies Matter, December 11 @ 10:00 am – 11:00 am CST
• Preparing for the Policy Management Change, December 16 @ 10:00 am – 11:00 am CST

Upcoming Workshops by GRC 20/20 . . .

• Policy Management by Design, London, October 21
• Risk Management by Design, Dublin, October 22
• Policy Management by Design, New York, October 24
• Policy Management by Design, Chicago, October 30
• Risk Management by Design, Chicago, November 5
• Compliance Management by Design, New York, November 12
• Building an Effective Policy Management Lifecycle, London, November 20

Upcoming GRC 20/20 Webinars . . .

• Back to Basics: Internal Audit Success in 2020, October 29 @ 11:00 am – 12:00 pm CDT
• The Rise of Agile GRC in a Dynamic and Disruptive Business Landscape, November 7 @ 10:00 am – 11:00 am CST
• UK SMCR’s Breakfast on Accountability vs Responsibility- The Chicken and the Pig, November 11 @ 4:30 pm – 5:30 pm GMT

Gartner, particularly John Wheeler, is hard at work trying to convince the world that their Integrated Risk Management (IRM) is something new to replace Governance, Risk Management & Compliance. You can check out John’s latest post mischaracterizing and misleading organizations in: GRC May Keep You “Out of Trouble” ,But IRM Will Keep You “ In Business” 

The first thing to note is that every solution in Gartner’s IRM Magic Quadrant and IRM Critical Capabilities reports have been and are GRC solutions. Every one of them has been marketing GRC, most for some time. These are the same platforms that have been calling themselves GRC that Gartner is now calling IRM. 

The second thing to note is that Gartner mischaracterizes what GRC is about by pushing it solely to compliance. I have refuted this time and time again by citing the long-standing official definition of GRC found in the OCEG GRC Capability Model that GRC “is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].” I went into great detail on what GRC is in my recent article ‘Navigating Chaos‘ published in Enterprise Risk magazine published by The Institute of Risk Management (the real IRM). GRC since its inception has been focused on Principled Performance with an aim for the organization to reliably achieve objectives. 

If you peel back IRM in Gartner’s reports what do you find? GRC. It is not just the same technology, but the same pillars. Though I would argue it is GRC light as Gartner misses the boat in risk areas of quality, environmental, health and safety, sustainability, corporate social responsibility, and more that impact the modern organization.
Take a look at the recent Gartner IRM MQ and the IRM Critical Capabilities. It breaks IRM into three areas:

• Business Outcome Centric. Gartner says this is “an integration-optimization-based risk practice designed to automate the linkage among relevant insights on key corporate performance-related risks.” Interesting, this sounds like the Governance pillar in the GRC definition in the capability to reliably achieve objectives. 
  
• Operation-Centric. Gartner says “resilience is an adaptability-based risk practice focused on operational and IT risks offering an agile risk program in response to and re3cover form key business disruptions.” Interesting, this sounds like the Risk Management pillar in the GRC definition with the capability to “manage uncertainty.” ISO 31000 defines risk as the effect of uncertainty on objectives. 
  
• Compliance-Centric. Gartner says “compliance is a regulation-based risk practice providing evaluation and evidence in support of relevant legal and regulatory requirements.” Interesting, this even mentions Compliance but only in a limited way focused on regulations. The GRC Capability Model which is about 15 years old now, defines compliance as the “capability to act with integrity.” This is more than regulatory compliance but includes compliance to the risk boundaries of the organization (e.g., tolerance, appetite, capacity); the policies of the organization; the values, ethics, corporate social responsibility commitments of the organization; and the contractual obligations of the organization.

There you have it – IRM at its core is really GRC.

What really strikes me as interesting is that Gartner puts a lot of effort into stating there is a difference in these pillars from a technology perspective. I would agree, but Gartner’s research does not. You look at the IRM Critical Capabilities research and you have the same list of solutions in nearly identical order in each of these three areas. Same solutions on top same solutions on the bottom with very little movement between these areas. Why even break this out Gartner? From this research, you are stating that the same solutions that score high in Business Outcome also are the top for Operation Centric and Compliance Centric. Same solutions and nearly the same order in each of the three areas. It does not make sense.

But what is really ironic, is that I have been discussing this for 15 years this differentiation. My last GRC Wave I wrote at Forrester in 2007 had four Wave graphics. One for overall GRC combined, one for Governance focused on outcomes and objectives, one for Risk Management focused on operational risk, and one for Compliance. They say there is nothing new under the sun, Gartner proves this. They are just taking my approach in 2007 and using it in 2019. Just relabeling/renaming its areas. HOWEVER, if you look at the 2007 Forrester GRC Wave you will find a completely different ranking of solutions in each of the areas and not the same ranking. 

Gartner, drop the IRM facade. I don’t care if you want to call GRC IRM. You can call it ERM, ABC, XYZ. It does not matter what you want to call your category. Just stop misleading the world that saying GRC has failed when you are evaluating the same exact technology solutions that have called themselves GRC. Look at how you break out and define IRM, it maps to how GRC is defined and broken out. 

A haphazard department- and document-centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third-party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third-party governance with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, risk, and compliance, as well as how it impacts the organization.
GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the third-party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc 
2. Fragmented 
3. Defined 
4. Integrated 
5. Agile

Today we look at Stage 5, the Agile level of third-party GRC.

At the Agile Maturity stage, the organization has completely moved to an integrated approach to third-party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third-party relationships. Consistent core third-party GRC processes span the entire organization and its geographies. The organization benefits from consistent, relevant, and harmonized processes for third-party governance with minimal overhead.

The Agile Maturity is where most organizations will find the greatest balance in . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

Today we look at Stage 4, the Integrated level of Third Party GRC

In the Integrated stage, the organization has a . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

Regulation and oversight – what a burden to business. That is the common expression financial services firms have as they respond to 220 regulatory change events around the world every business day. UK Senior Managers Certification Regime is the uber regulation that puts accountability, teeth, and enforcement to other regulations and risk management practices. But is it as bad as it seems? Let’s take a look at some of the positive outcomes that SMCR brings to the financial services organizations.

First some background . . .

Over the past few years, there has been a growing focus from financial regulators on accountability for risk, compliance, conduct, and control. Accountability upon senior managers, executives, and directors that makes these individuals personally responsible for the lack of due diligence or negligence in risk management, compliance, and controls. This started with the FCA and the UK’s SMCR and has since gone around the world in a spawn of similar regulations from other financial regulators:

• Australia’s Banking Executive Accountability Regulation (BEAR)
• Hong Kong’s Managers in Charge (MIC)
• Ireland’s Senior Executive Accountability Regulation (SEAR)
• Singapore’s Proposed Guidelines on Individual Accountability & Conduct

This list will continue to grow and expand as more regulators put greater emphasis on personal accountability upon individuals to ensure the financial services organization does everything it can to manage the conduct within the organization and ensure risk and compliance is properly managed.

Now to the positive . . .

The financial services organization can either see this as an inconvenience or embrace it as the way of the future and a method to drive greater performance in the organization, through layers of structured accountability and responsibility to ensure the organization reliably achieves with conduct that aligns with the integrity of the organization.

1) Accountability

The Polish poet, Stanislaw Lec, stated; “No snowflake in an avalanche ever feels responsible.” Too often . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at SureCloud site, follow the link below to read more]

Below is Michael Rasmussen’s article found in the Autumn 2019 issue of Enterprise Risk, published by the Institute of Risk Management (The IRM).

The physicist Fritjof Capra once said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was making the point that biological ecosystems are complex, interconnected and require a holistic contextual awareness of the intricacy in interconnectedness as an integrated whole – rather than a dissociated collection of systems and parts. Change in one area has cascading effects that impact the entire ecosystem.

This interconnectedness and a demand for a 360° contextual awareness apply to the world of business. Organisations need to see the intricate relationships ofobjectives, risks and boundaries of the enterprise. Business operates in a world of chaos. In chaos theory, for instance,the “butterfly effect” means thatsomething as simple as the flutter of a butterfly’s wings in the Netherlands could create tiny changes in the atmosphere that have a cascading and growing force that ultimately impacts the development and path of a hurricane in the Gulf of Mexico. A small event develops into what ends up being a significant issue.

Gone are the years of simplicity in business operations.Exponential growth and change in risks, regulations, globalisation, distributed operations, competitive velocity, technology and business data encumbers organisations of all sizes. Keeping business strategy, performance, uncertainty, complexity and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.

This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, and not as an integrated discipline of decision-making that has a symbiotic relationship on performance and strategy. Organisations need to understand how to monitor risk-taking, measure whether the associated risks taken are the right risks and review whether risks are effectively managed.

Holistic

Today’s organizations have to have holistic visibility and 360° contextual awareness of risk in the context of objectives across the enterprise. The complexity of business and intricacy, and interconnectedness of risk and objectives, requires that the organization implement governance, risk management, and compliance (GRC) management strategy. GRC, by official definition in the GRC Capability Model, published byOCEG, is: “a capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].” This definition of GRC provides the framework for what the think tank OCEG calls principled performance. There is a natural flow to the GRC acronym. Governance sets the context by defining the objectives of the organization. These can be entity-level objectives, so division-, department-, process-, project- or even asset-level objectives. It is the evaluation and establishment of objectives that provide the context for risk management. Without context, risk management fails.

Risk management assesses and monitors risk to objectives within the context of governance to take action on risk through identification, analysis and then treatment (risk acceptance, avoidance, mitigation or transfer). ISO 31000 defines risk as to the “effect of uncertainty on objectives” providing a natural flow and integration of governance to risk management.

Compliance provides boundaries to frame risk management. Risk management, by itself, is neutral and analyses options. A risk assessment may very well determine that the organization most likely can get away with an unethical course of action. Compliance frames the ethical principles as well as the obligation boundaries (for example, regulatory requirements, contractual commitments or corporate social responsibility values) for risk management to work within. Compliance provides the follow- through on risk treatment plans to ensure that risk is managed within limits and controls are in place and functioning. Risk management fails without compliance as compliance is needed to ensure controls are in place and operational to mitigate risk.

Three legs

The components of GRC provide the three legs of the stool that offer support and stability to the business and its operations. You take one leg away and the stool is no longer stable. It takes all three elements of governance, risk management and compliance working together to provide stability and balance for the organisation.

Every organization does GRC today. They may call it enterprise risk management (ERM), operational risk management (ORM) or integrated risk management (IRM). Some may not have a name for it. Every organization is doing GRC, no matter what they call it. You will not find an organization that states they do not govern the organization, that risk is not managed and compliance is neglected. The question is, how mature is the organization’s GRC capability? Is it a reactive and disconnected process with departments going in many directions with much redundancy? Or is it mature, integrated and coordinated across the organization that aims to deliver on agility, efficiency and effectiveness of GRC-related processes in the context of organizational strategy, performance and objectives?

The research organization GRC 20/20 has identified two approaches that organisations take to manage GRC – anarchy and federated. Anarchy is based on ad hoc department silos. This is when the organisation has departments doing different yet similarthings with little to no collaboration between them. Distributed and siloed GRC management initiatives never see the big picture and fail to put risk management in the context of organisational strategy, objectives and performance. The organisation is not thinking big picture about how GRC management processes can be designed to meet a range of needs. An ad hoc approach to GRC management results in poor visibility of the organisation’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be insightful about risk, compliance and performance. The organisation fails to see the web of risk interconnectedness and its impact on performance and strategy, leading to greater exposure than any silo understood on its own.

Federated GRC is an integrated and collaborative approach. The federated approach is where mature organizations will find the greatest balance in a collaborative and connected view of GRC management and oversight. It allows for some level of department and business function autonomy when needed, but also focuses on a common governance model, processes and architecture that GRC functions across the organization can participate in. A federated approach increases the ability to connect, understand, analyze and monitor connectedness and underlying patterns of performance, risk, and compliance. Different functions participate in GRC management with a focus on coordination and collaboration through common processes and integrated technology architecture.

Maturity

The primary directive of a mature GRC management capability is to deliver effectiveness, efficiency, and agility to the business. This is in the context of managing the breadth of risks on organizational performance, objectives, and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions and information to enable transparency, discipline, and control of the ecosystem of risks and controls across the extended enterprise. Organizations need a mature GRC capability that brings together a coordinated strategy and processes. This is supported by strong information and technology architecture that provides an integrated view of objectives, risks, compliance, controls, events and more. However, what confuses organizations is that they think GRC is about technology. That is putting the cart before the horse. GRC is about a capability delivered through a coordinated strategy and processes across the organization. Technology enables these processes to work together and function, butit does not define them. Too many organizations think GRC is something they purchase. GRC is not something you buy; it is something you do: GRC is the actions and activities of governance, risk management, and compliance. There is technology for GRC and we often call this integrated or enterprise GRC platforms. However, these solutions are not GRC in themselves. Nor is there any single technology solution that does everything GRC. There can and should be a central core GRC platform that connects the fabric of governance, risk management and compliance processes, information and other technologies together across the organisation. This architecture is the hub of GRC management and requires that it be able to integrate and connect with a variety of different systems and enterprise applications to deliver on GRC.

Successful GRC management requires the organization to provide an integrated process, information, and technology architecture. This helps to identify, analyze, manage and monitor GRC, and capture changes in the organization’s risk profile from internal and external events as they occur. Mature GRC management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk linked to objectives, led by the executives and the board. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of objectives. While that may sound like hard work – and it is – organizations that get a good grip on their GRC initiatives have a much better chance of thriving in today’s complex business world.

BENEFITS OF GRC

Organisations striving to improve their GRC management capability and maturity in their organisation will find they are more:

• Aware. They have a finger on the pulse of the business and watch for a change in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analysed and shareable in every relevant direction.
• Aligned. They align performance, risk management and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated GRC capability to those of the entity, and to give strategic consideration to information from the GRC management capability to affect appropriate change.
• Responsive. Organisations cannot react to something they do not sense. Mature GRC management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organisation needs to know to make the right decisions.
• Agile. Stakeholders desire the organisation to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organisation is headed in the wrong direction. GRC enables decisions and actions that are quick, coordinated and well thought out. Agility allows an entity to use GRC to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.
• Resilient. The best-laid plans of mice and men fail. Organisations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary toadapt and respond to opportunities rapidly.
• Efficient. They build business muscle and trim the fat to rid expense from unnecessary duplication, redundancy and misallocation of resources; to make the organisation leaner overall with enhanced GRC capability and related decisions about the application of resources.

---

Michael Rasmussen is an Honorary Life Member of the IRM and an internationally recognised pundit on governance, risk management and compliance (GRC) and founder of GRC 20/20 Research, LLC.