Risk Management = No Surprises!

I am in Sweden this week, where tomorrow I provide a keynote to 102 risk officers and directors at the SWERMA (Swedish Risk Management Association)’s ERM Day 2023. In general, I find the risk management thinking in Europe to be more aligned with the business, whereas, in North America, it is more of a compliance exercise, too often tied to Sarbanes-Oxley. 

Let me tell you a story . . . 

I taught my Risk and Resilience Management by Design Workshop in Amsterdam in September. During the day, I had a great interaction with a Chief Risk Officer from a European life sciences company. He told me the following story . . . 

After being hired as the Chief Risk Officer, he met the CEO for the first time. The CEO looked him in the eye and stated, “So, you are the new CRO. Tell me what that means to me?”

He looked him back in the eye and stated, “My job is to ensure you have no surprises in achieving the organization’s objectives.” The CEO thought that was brilliant and the best definition of risk management he had ever heard. 

ISO 31000 defines risk “as the uncertainty on achieving objectives.” Risk needs context, and that context starts with the organization’s objectives. They can be financial objectives, they can be operational objectives, or even ethical/ESG objectives. Objectives can be high-level entity objectives that are driven down into division, department, process, project, or asset-level objectives. Even supplier and third-party relationships start with objectives and purpose to the relationship. 

The context for risk management is objectives, as ISO 31000 states. That is why ISO 31000 and its foundation in AUS/NZ 4360 influenced and framed the OCEG GRC Capability Model. GRC, as defined in the OCEG model, is “a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” 

Risk management needs context, and that is the organization’s objectives (at their varying nested levels). As an analyst covering software in the market, I specifically look for how a risk management solution starts with objectives. If it does not, it is not my ideal solution. Even in ESG, I look for how the solution starts with the ESG objectives of the organization. Any ESG solution that starts with risks and not objectives is not worth much. 

As this CRO states, his job is managing uncertainty to ensure there are “no surprises” in achieving the organization’s objectives. Of course, there can still be surprises as things catch us off guard. However, it is the role of the Chief Risk Officer to ensure that executives and the business are fully informed of risks to their objectives to minimize uncertainty and surprises so they can reliably achieve those objectives. 

What also is brilliant about this CRO’s response . . . it puts risk accountability with executives and the business. Risk management’s job is to facilitate risk management across the organization and communicate and engage on risk in the context of objectives. Risk management has done its job if the risk management function has fully communicated this and the business owns and drives forward for gain or loss. It is not the job of risk management to ‘own’ risk but to communicate risk in the context of objectives. It is the role of executives and the business to own the risk in their decisions.

Cognitive GRC: Revolutionizing GRC With Artificial Intelligence

As we venture deeper into the digital era, the role of Artificial Intelligence (AI) in Governance, Risk Management, and Compliance (GRC) cannot be overstated. Cognitive GRC (what GRC 20/20 refers to as GRC 5.0: Cognitive GRC) is the intersection of GRC and AI, promising a future where GRC is not just a bureaucratic necessity but a strategic enabler of business performance and resilience.

Cognitive GRC refers to the application of AI (cognitive technologies) to GRC functions, effectively facilitating intelligent, automated, and informed decision-making processes that minimize risk and ensure compliance. AI brings unprecedented efficiency, effectiveness, resilience, and agility through the cognitive automation of GRC, allowing organizations to respond proactively to risks and compliance and gain insights to navigate the organization and achieve objectives in an era of uncertainty.

Consider the following AI technologies and some examples of their potential Cognitive GRC use cases . . .

[The rest of this blog can be read on the TruOps blog, where GRC 20/20’s Michael Rasmussen is a guest author]

A.I. Governance, Risk Management & Compliance

Organizations increasingly employ A.I. to enhance efficiency and decision-making processes in the modern business landscape. However, using A.I. presents numerous governance, risk management, and compliance (GRC) challenges that need meticulous attention. Within the scope of an enterprise perspective of GRC is the growing domain of A.I. GRC – the governance, risk management, and compliance over the use of artificial intelligence. The Open Compliance and Ethics Group (OCEG) defines GRC as “a capability to reliably achieve objectives, address uncertainty, and act with integrity.”

Adapting the definition of GRC to address the specifics of A.I., A.I. GRC is the capability to reliably achieve the objectives of A.I. models and their use, to address the uncertainty and risk in the use of A.I., and to act with integrity in the ethical, legal, and regulatory use of A.I. in the organization’s context. 

  • A.I. Governance. Governance in A.I. involves overseeing and guiding A.I.-related initiatives and the use of A.I. technology and models to ensure alignment with organizational objectives and values. Proper governance implies establishing clear A.I. policies, procedures, and decision-making frameworks. These frameworks should help the organization “reliably achieve objectives” and ensure that the objectives and design of the A.I. models for their intended purpose are also achieved. Thus, the governance of A.I. involves strategic planning, stakeholder engagement, and performance and A.I. usage monitoring to ensure A.I. projects effectively meet their intended objectives and contribute positively to the broader organizational objectives.
  • A.I. Risk Management. Risk management in A.I. refers to identifying, assessing, and managing the uncertainty associated with developing, using, and maintaining A.I. technologies. These risks range from technical aspects, such as security breaches or system failure, to ethical aspects, like algorithmic bias or privacy infringement. Risk management is about addressing uncertainty. Given their potential to hamper an organization’s operations or reputation, A.I.-related risks require comprehensive risk assessments and robust risk mitigation strategies.
  • A.I. Compliance. Compliance is a critical aspect of A.I. implementation. As A.I. technology evolves, so does the regulatory landscape surrounding its use. Compliance in the A.I. context means adhering to relevant legal requirements, industry standards, and ethical norms. Compliance equates to “acting with integrity.” This involves adhering to regulations like GDPR for data privacy and adopting ethical A.I. practices to maintain transparency, fairness, and accountability in A.I. applications. In today’s era of ESG – environmental, social, and governance – the ethical use of A.I. is part of the organization’s ESG commitments. 

Incorporating core GRC principles in the responsible use of A.I. involves building a culture that values ethical A.I. use and behavior, transparency, and consistent improvement. 

The blog above is taken from GRC 20/20’s paper on: A.I. GRC: The Governance, Risk Management & Compliance of A.I.

Upcoming A.I. GRC webinars:

October 18 @ 3:00 pm – 4:00 pm EDT 

November 7 @ 12:00 pm – 1:00 pm CST 

Building a Business Case & RFP for GRC-Related Software

I am an analyst; my job is researching the challenges companies face in the context of governance, risk management, and compliance (GRC) and how they solve those challenges with strategy, process, and particularly technology and services. Every week, I answer between 10 and 20 inquiry questions from organizations that want insight into GRC-related solutions and services and desire my perspective on the market (I offer an initial interaction at no cost).

My job as an analyst is two-fold:

  1. Horizon Scanning. Forecasting the drivers and trends over the next two to five years and providing insight into what organizations will need and where the market is headed.
  2. The Current Situation. To understand what is being delivered in the market, what differentiates one solution/service from another, and provide insight to buyers of solutions and services on what they should look at and consider to meet their current and future needs. 

We are entering that time of the year when I get a lot of interactions on how to build a business case and prepare for an RFP for GRC-related software as organizations prepare for next-year budgets. 

Note I stated GRC-related. It is not all about one platform that does everything; that one thing does not exist. There may be a core platform for GRC, but there are a lot of best-of-breed and deep solutions that extend the GRC architecture of an organization. There are deeply capable solutions and RFPs for specific domains of GRC, such as third-party risk management, ESG, resilience and continuity, policy management, audit management, regulatory change management, case management, and more. What I go through below can be applied to a broad GRC platform doing various things or a very specific domain and use cases for GRC with dedicated best-of-breed solutions.

I am very busy with many current and developing RFPs. Some are within small to mid-sized organizations that are trying to replace manual processes of documents, spreadsheets, and emails. Others are with the mid to large enterprises that have found several, and in one case nine, different GRC platforms installed across the organization with further complexity of various point solutions and a maze of documents, spreadsheets, and emails.  

Building a business case starts with a current state analysis to understand the present to prepare and architect for the future. Often, organizations find themselves trapped in a chaotic jungle of documents, spreadsheets, emails, and discrete point solutions when managing GRC. A current state analysis is pivotal for:

  • Identifying inefficiencies. A deep dive into the prevalence and breadth of GRC management practices across the organization typically will unearth redundancies, bottlenecks, gaps, and silos in processes and information flow.

Once we understand the current state, we can begin designing/architecting the future state. Some might have a pretty good strategy and process in place that is supported by a robust GRC-related information and technology architecture. These organizations will take a Japanese kaizen approach to GRC processes and technology, with small incremental improvements. Others will find a mess and need a complete overhaul. 

To shape a future where GRC management is streamlined and synergistic, it’s imperative to:

  • Integrate technology where it makes sense by implementing GRC-related software to consolidate data, automate workflows, and enable data analytics.
  • Optimize and re-engineer processes by identifying and eliminating non-value-added activities, leveraging technology to augment process efficiency.
  • Enhance collaboration and visibility by breaking down silos and barriers to foster cross-functional collaboration, ensuring information and best practices are shared across departments.
  • Build a resilient GRC framework with a system that addresses current governance, risks, and compliance requirements and is agile enough to adapt to future changes.

Once a clear understanding of the current state (most likely a mess that looks like an illustration of Dante’s Inferno) and a desired future state are defined, the organization can then begin to build a business case that measures and quantifies the value of the future state in contrast to the current state.

When I work on a business case, I build it around the following four areas:

  1. Efficiency (Time & Money Saved). Implementing GRC software eradicates manual processes and redundant systems, diminishing human error and freeing employee time. It also provides an integrated architecture for information and reporting, reducing costs. One firm I helped with found that 80% of their risk staff’s time was spent managing and chasing documents and emails and NOT managing risk. Another was spending 200 hours building a report every year for the board of directors (it now takes 5 minutes). 
  2. Effectiveness (Risk Reduction & Enhanced Productivity). This is where we get more done, with fewer things slipping through the cracks, a single source of truth and system of record, greater accountability, and enhanced visibility. GRC-related software offers a comprehensive view of organizational risks, enabling better-informed decision-making to reliably achieve objectives, if done properly.
  3. Resilience (Proactive Issue Discovery & Management). GRC solutions with analytics capabilities empower organizations to identify and address issues before they escalate. The organization can address risks, events, incidents, and issues before they become bigger. The organization can recover quickly when things go wrong. 
  4. Agility (Adaptability to Keep Up With Change). Organizations face constant change. Risk changes in the external environment (geo-political, economic, disasters, competitive). Regulations and laws continuously change. At the same time, the business itself is changing with employees, processes, technologies, strategy, mergers and acquisitions, and even third-party relationships. GRC technology enables organizations to be agile in a changing business, to forecast and see risks coming at the organization, and to prepare the organization to reliably achieve objectives, address uncertainty and risk, and act with integrity in meeting obligations amid continuous change and evolution.

Once the budget has been approved, it is time to write the RFP. I have hundreds of requirements from the simple to the complex across GRC domains. Each area/domain of GRC can be a full paper on requirements. When you’re clear about the current state, desired future state, and business case, designing a Request for Proposal (RFP) is the ensuing step:

  • Identify Key Requirements. List the functionalities and capabilities the GRC software must have to bridge the gap between the current and desired states.
  • Define Evaluation Criteria. Establish metrics for evaluating potential vendors, such as functionality, technology stack, user-friendliness, customization capabilities, and post-implementation support. This includes demo scripts and use cases.
  • Consider Future Scalability. Ensure that the software can scale and adapt to the future growth and diversification of the organization.
  • Measure Total Cost of Ownership (TCO). Consider not just the procurement cost but also implementation, customization, training, and maintenance costs.

In summary, transforming GRC management (whether a broad strategy or a focused area) from a document-heavy, siloed operation into a streamlined, technology-enabled function necessitates a deep understanding of the current state, a clear vision of the desired future, and a robust business case that underscores the benefits in terms of efficiency, effectiveness, resilience, and agility. By establishing a clear business case and desired future state delivered in a well-crafted RFP, organizations can navigate the complex maze of GRC solutions and services, ensuring they are always ahead in this dynamically evolving business world.

A Preventative Approach To Achieving Compliance In Healthcare

In an era where change is the only constant, organizations are being inundated by a deluge of shifts across risk, business, and regulatory dimensions. Each change brings its own complexities and managing them individually, much less collectively, becomes a herculean task. The challenge is two-fold: not only must businesses keep up with these changes, but they must also ensure that their response is in sync with their overarching business strategy.

The Scope of Regulatory Change

The world of regulatory requirements is an ever-shifting landscape. This turbulence is compounded by the continuous introduction and modification of laws, regulations, enforcement actions, and administrative decisions at local, regional, and international levels. For many, the challenge isn’t merely about staying afloat but preventing drowning in the overwhelming sea of updates.

Several factors contribute to this growing complexity . . .

[The rest of this blog can be read on the SDG blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Charting the Course: Tackling GRC Challenges in Higher Education Institutions

Governance, Risk Management, and Compliance (GRC) in higher education presents unique challenges due to the complex, dynamic, and highly regulated environments in which institutions operate. Crafting a coherent strategy, adopting streamlined processes, and leveraging appropriate GRC technology are paramount to charting a successful risk and compliance course that maintains an institution’s integrity, reputation, and resources.

Challenges of GRC in Higher Education

Higher education institutions often cross multiple frameworks and their governance structures are complex, leading to specific struggles when implementing an effective GRC strategy. To effectively maintain a sense of order, transparency, and a level of practical accountability within the scope of GRC, the following challenges must first be addressed . . .

[The rest of this blog can be read on the TruOps blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Ensuring Supplier Risk & Resilience in the Extended Enterprise

Here are some thoughts stemming from my Third-Party Risk Management by Design Workshop in London last week and other interactions I have had on my research. I am speaking on this topic next week at my Third-Party Risk Management by Design Workshop in Chicago, as well as a webinar on Building Resilient Supply Chains: Strategies for Success.

In today’s complex and distributed business that largely depends on extended enterprises, supplier risk and resilience have become fundamental components for maintaining operational efficiency. With the increasing interdependence amongst organizations and their suppliers, the significance of developing robust systems to manage supplier governance, risk management, and compliance associated with suppliers cannot be overstated.

Some key challenges organizations face are:

  • Operational Resilience. Operational resilience refers to an organization’s ability to continue to deliver on its key business services during times of operational stress and disruption. In the context of supplier risk, this encompasses ensuring that critical suppliers are similarly resilient, preventing interruptions in the supply chain that may impact business continuity. Within extended enterprises, operational resilience necessitates carefully evaluating and monitoring each supplier’s capabilities, reliability, and stability. This integrated approach helps organizations to anticipate potential supply chain disruptions and enact measures to mitigate risks proactively, maintaining service delivery even under unpredictable circumstances.
  • ESG in Supplier Risk Management. Environmental, Social, and Governance (ESG) criteria have become crucial for evaluating supplier risks. Suppliers’ ESG practices directly impact the reputation and sustainability of the hiring organization. Evaluating suppliers based on ESG metrics is integral to fostering responsible business practices, ensuring long-term sustainability, and mitigating reputational risks. The European Union has been pioneering in imposing stringent ESG standards for businesses. With regulations such as the EU Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD), organizations operating within or dealing with the EU market must ensure their suppliers comply with these elevated standards, as non-compliance can lead to hefty fines and reputational damage. This has a global impact.

Developing a comprehensive supplier risk and resilience strategy is imperative to navigate the uncertainties and complexities in today’s business environment. This strategy should encompass risk identification and management and focus on building resilience within the supply chain to ensure uninterrupted service delivery.

  • Risk Identification. Organizations should identify potential risks associated with each supplier, considering geopolitical stability, financial health, operational capabilities, and compliance with ESG standards.
  • Continuous Monitoring. Continuous monitoring mechanisms must be implemented to track changes in identified risks and the emergence of new ones.
  • Actionable Insights. Organizations should leverage technology and third-party risk intelligence to derive actionable insights from the monitored data, enabling timely decision-making and risk mitigation.

Implementing technology solutions that seamlessly integrate with third-party risk intelligence content offerings is crucial for effective supplier risk and resilience management. These technologies facilitate the efficient collection, analysis, and interpretation of vast amounts of supplier data, providing organizations with a clear and immediate understanding of their supplier risk landscape.

As businesses increasingly rely on a network of suppliers for operational success, crafting a detailed supplier risk and resilience strategy becomes non-negotiable. Such a strategy, complete with systematic processes and technologically advanced tools, assists organizations in identifying and managing supplier risks and building a resilient supply chain capable of withstanding disruptions. Given the heightened focus on operational resilience and ESG standards, especially within the European Union’s regulatory framework, companies should proactively develop, implement, and continuously improve their approach to Supplier Risk and Resilience to safeguard their operations and reputation in the dynamic global market.

Are you considering attending Third Party Risk Management by Design in Chicago next week? Here are some comments from the London attendees last week . . .

  • “An engaging and valuable session on TPRM with some great insights on emerging risks (AI in the supply chain and increasing regulation) and the maturity of an integrated risk management response.  Certainly, a number of topics on which to follow up with our Supply Chain risk team” – VP Risk Advisory, Hospitality 
  • “The session was set up well with some great topics to discuss round the table. It was good to see some similar trends on challenges various industries were facing regarding 3rd Party assurance. I enjoyed the overall risk management and senior leadership endorsement, the maturity model and offboarding suppliers as key areas of development. I look forward to your next visit and workshop!” – Cyber Security Risk and Assurance Manager, Transportation
  • “The workshop was very informative and covered a wide range of topics both from yourself and other attendees. Key areas that I took away from the workshop were the implications of AI on third parties both positive and negative as well as highlighting the need for oversight when offboarding suppliers.” – Head of Third Party Governance, Financial Services
  • “It was a very informative experience and a lot to take away from initiating a drive from the 3rd party program to the off-boarding of 3rd party suppliers. I have a lot to help me start a clearer road map in plugging the gaps within our 3rd party management program.” – Supplier Assurance & Controls Analyst, Energy Company
  • “Thanks for the session yesterday. I found it very informative and I made several pages of notes. I am planning to use the Titanic analogy as a risk awareness session for leaders and managers – with a bit of research I think I can turn it into a great case study and map out the parallels with running a business, how third parties introduce risk, communication, risk appetite, risk blindness, planning, the role of due diligence (or the lack of it), etc. You have also provided some great check lists which we can use to sense check our due diligence process for robustness and where we can improve third party risk management.” – Principal, Health and Safety, EMEA, Architecture Design Firm

Challenges in Third-Party Risk Management

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees, including suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. 

In an increasingly interconnected world, third-party risk management (TPRM) is becoming an imperative aspect of organizations. Navigating the complex maze of challenges inherent to TPRM can seem daunting.

Yesterday, I held my Third Party Risk Management by Design workshop in London. We had 51 organizations registered, with over 40 attending. Below is a summary of the challenges the attendees expressed and interacted with throughout the day. The same Third Party Risk Management by Design workshop will be in Chicago on October 13th.

The third-party risk management challenges the attendees stated that were keeping them up at night are:

  • Fragmented Requirements. Often, due diligence is mired in fragmented requirements from different third-party risk functions. These functions operate in silos, each wielding its own tools and lacking a unified source of truth.
  • Siloed Risk Insight. Third-party risk information is scattered across multiple departments/functions, leading to inefficiencies and, at times, contradictory and risky actions.
  • Regulatory Disparities. Local regulations can often conflict with the guidelines of the head office, leading to operational hiccups. Additionally, managing compliance across jurisdictions and handing data over to third parties can be perilous.
  • ESG and Due Diligence. Environmental, Social, and Governance (ESG) considerations, especially those pertaining to climate change, harmful chemicals like PFAS, and social accountability, are increasingly becoming focal points. The attendees were concerned about addressing ESG in complying with Germany’s LkSG and the EU CSDDD.
  • Managing Outcomes of Relationships. Evaluating the material outcomes of risks in relationships is critical, as these can significantly affect an organization’s bottom line and reputation.
  • Data Challenges in Third-Party Risk Intelligence. Data plays a pivotal role. However, accessing disparate third-party risk data sources and ensuring its veracity is challenging.
  • The Unknowns of the Supply Chain. Understanding who constitutes the supply chain, nested entities, and determining the real executor of the work is imperative to managing risks.
  • Resilience. From supplier resilience, safety, and cybersecurity to continuity, organizations must focus on building robust systems. There are significant fines and penalties for not complying with resilience regulations.
  • Big Picture of TPRM. Having a strategic outlook that encapsulates the full spectrum of third-party risks is crucial. Who’s ensuring a holistic view? Are contractual arrangements under scrutiny?
  • Artificial Intelligence. Technology, especially AI, can be a game-changer. While AI can streamline processes, there’s also the inherent risk in not governing its use within third-party relationships.
  • Continuous Due Diligence. Relying on traditional methods like documents, spreadsheets, and emails is passé. Continual due diligence is the need of the hour.
  • Social Accountability. Risks of bribery, corruption, and lack of social responsibility in third-party relationships can’t be overlooked.
  • The Business Case. Building a business case for TPRM involves showcasing its value proposition and garnering top-down senior sponsorship.

The term “Third-party risk governance” or “GRC” resonates more accurately than risk management. It’s about instilling a governance culture to reliably achieve objectives in the relationship, address uncertainty and risk, and act with integrity, with a culture that fosters oversight and continual improvement. Organizations can sail smoothly in the choppy waters of third-party risks by leveraging technology and ensuring top-down buy-in. Remember, in the age of the extended enterprise, mastering TPRM isn’t just a necessity; it’s a strategic imperative.

A.I. GRC: The Governance, Risk Management & Compliance of A.I.

A.I. presents significant risks to organizations regardless of whether they use the technology. There are potentially enormous reputational risks to an organization when technology like generative A.I. reaches a point where it is impossible to distinguish between actual evidence of corporate bad acts and deep fakes intended to harm the organization. This creates a novel set of risks for the organization, regulators, and the general public alike.

A.I. is also an accelerant to other risks. Generative AI could eliminate the awkward language in phishing email attempts that often make them easier to detect. That would allow foreign bad actors to level up their efforts in any language without many of the current telltale red flags. Generative A.I. has already passed the tests given to Google applicants, meaning that any bad actor now has an entry-level Google coder at their disposal to create all kinds of new malware. While there are guidelines designed to limit this type of result, bad actors will likely find workarounds.

The “simplicity risk” factor becomes far more concerning when A.I. is daisy-chained together. Just as the hurdle of linking large non-standardized distributed data sets used to be a natural brake on A.I. prep work, having one A.I. technology work on removing barriers for another A.I. technology could mean developing new models generated by A.I. with no explainability. With A.I. having such low barriers, if that becomes the front door to creating other, more sophisticated technology, the path is set to have A.I. build A.I., which is an incredibly risky situation.

Organizations need A.I. GRC to ensure the responsible, practical, and appropriate use of A.I. technologies. A.I. GRC enables the organization to:

  • Ensure A.I. systems comply with evolving laws and regulations, which helps prevent legal issues, financial penalties, and damage to reputation.
  • Manage uncertainty and risk when A.I. can have unintended consequences, including biased decisions or privacy breaches. Effective risk management helps identify and mitigate these risks.
  • Meet ethical standards, ensuring A.I. is used fairly and doesn’t perpetuate harmful biases.
  • Deliver trust and transparency where A.I. GRC practices help organizations demonstrate that their A.I. systems are trustworthy and transparent, essential for customer and stakeholder confidence.
  • Provide strategic business alignment, where strong A.I. GRC ensures that A.I. usage aligns with an organization’s broader strategic goals and doesn’t deviate into potentially harmful or unproductive areas. 
  • Enable agility as the A.I. landscape rapidly changes; A.I. GRC practices help organizations prepare for future regulatory changes. 

A.I. GRC is necessary to ensure legal adherence and uphold ethical standards, manage risks, build trust, align with strategic goals, and prepare for the future. Organizations need A.I. GRC to ensure responsible and ethical use of A.I. technologies. 

Without a structure to govern A.I., risk exposure will grow, resulting in bad decisions from improper use, increased regulatory pressure, and legal liability and exposure. Organizations should not see A.I. GRC as simply a regulatory obligation; A.I. governance enables strategic decision-making and performance management. Short-term A.I. risk management projects may pass regulator scrutiny but fail in the long run to effectively manage risk and performance.

To effectively govern A.I., organizations need a structured approach to:

  • A.I. GRC Oversight. A well-defined A.I. governance framework to manage A.I. use that brings together the right roles, policies, and inventory.
  • A.I. GRC Lifecycle. An end-to-end A.I. management lifecycle to manage and govern A.I. use from development/acquisition, through use in the environment, to A.I. maintenance and retirement.
  • A.I. GRC Architecture. Effective management of A.I. in today’s complex and dynamic business environment requires an information and technology architecture that enables A.I. GRC.

The blog above is taken from GRC 20/20’s paper on: A.I. GRC: The Governance, Risk Management & Compliance of A.I.

I will be speaking on A.I. GRC at the upcoming events:

My keynotes at the upcoming #RISK in Amsterdam and in London are on A.I. GRC

September 27 – September 28

October 18 – October 19

Upcoming webinars where I am speaking on A.I. GRC

October 10 @ 10:00 am – 11:00 am AEDT 

October 11 @ 12:00 pm – 1:00 pm EDT 

November 7 @ 12:00 pm – 1:00 pm CST 

Other conferences where I am presenting on A.I. topics

October 2 – October 5

Third-Party Risk Workshops where part of the focus will be on A.I. in the Extended Enterprise

September 25 @ 10:00 am – 5:00 pm BST 

October 13 @ 10:00 am – 4:00 pm CDT 

Navigating Third-Party Risk Management: An EU & UK Perspective

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise.

The European Union and the United Kingdom stand at the forefront of global trade and business partnerships. However, with increasing interconnectivity comes the challenge of managing third-party risks. For companies headquartered or operating within these jurisdictions, or in the supply/value chain of companies that do, understanding and mitigating these risks is crucial not only for resilience but also for compliance.

The Essence of Third-Party Risk Management

Third-Party Risk Management (TPRM) involves . . .

[The rest of this blog can be read on the Diligent blog, where GRC 20/20’s Michael Rasmussen is a guest author]