Policy Management Demands Attention

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there is no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Policies matter. However, when you look at the typical organization you would think policies are irrelevant and a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files and dispersed on a number of fileshares, websites, local hard drives, and mobile devices.  The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient policy programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policy that does not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, and eighth-grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy.  As policies establish a legal duty of care, organizations face misaligned policies, exposure, liability, and other rogue policies that were never authorized.
  • Out of date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations to policy. The organization has no information about where policy is breaking down, and how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.

Inevitable Failure of Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

If policies do not conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The bottom line: The haphazard department and document centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and define and approach policy management with a strategy and architecture to manage the ecosystem of policies programs throughout the organization with real-time information about policy conformance and how it impacts the organization.

Check out GRD 20/20’s additional policy management resources . . .

Workshop: Policy Management by Design Workshop in Dallas, October 11th

  • This is a complimentary full day interactive workshop to help organizations define a policy management strategy, write a policy on writing policies (meta-policy), define a policy management lifecycle, understand the role of technology in policy management, and build a business case for policy management. This workshop is only open to individuals managing policies in their internal environment and is not open to solution providers or consultants.

Research Briefing: How to Purchase Policy Management Solutions & Platforms

  • This is GRC 20/20’s on-demand Research Briefing that advises organizations on what to consider in evaluating and selecting policy management solutions and technologies. It reviews critical capabilities needed in policy management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Inquiry: Ask GRC 20/20 Your Questions on Policy Management

  • The challenge is: how do you find the right policy management solution for your organization? This is where GRC 20/20 comes in. If you are looking for policy management solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website.

RFP Template & Support: Policy Management RFP Requirements Template

  • GRC 20/20 can be engaged on policy management RFP projects to rapidly enable organizations to develop RFPs based on our policy management RFP criteria library. Simply email [email protected] and we can scope your needs for a RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

Written Research on Policy Management

Information Security in Context: The CISO as a Transformational Role in Risk Management

Information Security at the Center of Risk Chaos

Inevitable Failure: Managing Information Risk in a Silo

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management, and compliance professionals (GRC) throughout the business.

The dynamic, distributed, and disrupted nature of business is particularly challenging to information risk management. It is like the hydra in mythology: the organization combats risk only to find more risk springing up to threaten it. As an organization expands operations and business relationships (e.g., vendors, outsourcers, service providers, consultants, and staffing) it’s risk profile grows exponentially because of the interconnected multifaceted risk environment. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world.

Managing information security and other risk activities in disconnected silos leads the organization to inevitable failure. Information risk has a compounding and exponential impact on the business. Business operates in a world of chaos. Risk exposure is an intricate web of risk and vulnerability interrelationship that interweaves through departments, functions, processes, technologies, roles, and relationships. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wing creates tiny changes in atmosphere that ultimately impacts the development and path of a hurricane. What may seem as an insignificant IT or information risk in one area of the organization can have profound impact on other risks.  Information security is at the center of the organizations most significant risk and compliance issues and has become a critical and interrelated business challenge that transcends just the IT department.

When the organization approaches information risk as a silo disconnected from other enterprise risk areas that do not collaborate with each other there is no possibility to be intelligent about risk decisions that could impact business strategy and operations. Siloed initiatives never see the big picture and fail to put information security in the context of organization strategy, objectives, and performance; resulting in complexity, redundancy, and failure. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization. A nonintegrated approach to risk management with information risk as a foundation impacts business performance and how it is managed and executed, resulting in:

  • Redundant and inefficient processes. Organizations take a Band-Aid approach and manage risk in disconnected silos instead of seeing the big picture of risk, and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility. The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build independent risk systems: projects that take time and resources and result in inefficiencies.
  • Poor visibility across the enterprise. A reactive approach with siloed initiatives results in an organization that never sees the big picture. It ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk assessments asking the same questions in different formats. The result is poor visibility across the organization and its environment.
  • Overwhelming complexity. Varying risk frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently: introducing more points of failure, gaps, and unacceptable risk. Inconsistent risk management not only confuses the organization but also regulators, stakeholders, and business partners.
  • Lack of business agility. A disconnected risk management strategy handicaps the organization as it manages systems and processes encumbered with hundreds or thousands of disconnected documents and spreadsheets. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies and siloed processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of varying approaches, processes, and disconnected data organized without any sense of consistency or logic.
  • Greater exposure and vulnerability. The result, the organization does not see risk holistically. The focus is on what is immediately before each department and not getting a handle on the complex relationship and interdependencies of information risk intersecting with other risks. This creates gaps that cripple risk management, and an organization that is ill-equipped for aligning risk management to the business.

Risk Management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows.  Various systems and processes interrelate in apparent and not so apparent interactions that can surprise the organization and catch it off guard. When risk is understood and compartmented in silos the organization fails to see the web of risk interconnectedness and its impact on performance and strategy leading to greater exposure than any individual silo understood.

Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture or risk and impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. Decentralized, disconnected, and distributed processes of the past catch the organization off guard to information risk and expose the organization. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) be a foundational and integrated approach to risk management across the organization.

The Bottom Line: Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. Given the pervasive use of information and technology across the organization, it is a natural path for information security to step up to lead enterprise risk management strategies. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, and data) and externally (e.g., threat, competitive, legal, and geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to manage effectively manage risk across the enterprise.

GRC 20/20 Related Resources on this topic are . . .

The GRC Economy

I am often asked, “What do you do?” My simple answer, that I do not like, is to say that I am a consultant. This does not always help as the next question is “What type of consultant?”, or “What do I consult on?” I end up having to explain that what I actually am is an analyst and not a consultant. Then it goes into, “What does an analyst do?”

I have found a more interesting answer to this question. I am an economist for the market for governance, risk management, and compliance (GRC) solutions and services. My job is to research and understand what pressures and challenges organizations in different industries and geographies are facing and what processes, approaches, and solutions help them meet these challenges. Particularly I forecast the needs and requirements of organizations, identify which solutions have stronger capabilities over others, and help organizations navigate the world of hyperbole to find solutions that provide real world value.

For organizations looking for solutions to meet their GRC related challenges, I offer complimentary inquiry in which organizations can ask me specific questions on their challenges and what I am seeing from other organizations in meeting those challenges.

In a nutshell, my job is research. That is why I do not like the title of consultant. Often I am being asked what consultants organizations should consider and engage to help them meet their needs. I research the challenges organizations face, identify best practices to address those challenges, and differentiate solutions and services in their capabilities to meet these needs.

The GRC economy (market) has had a very busy Summer. Usually I see a slowdown in activity in June, July, and August . . . but not this year. Consider that . . .

Then there are the several transactions in which private equity and venture firms have invested in GRC providers. I just finished another project with a private equity firm doing market sizing, segmentation, and due diligence on a potential target investment. This is happening on a frequent basis.

Now that we move into Fall, I am in my busiest time I have ever seen in September and October. Lots of activity and interactions are happening. Interest in this space at its highest in the 16 years I have been an analyst covering this market.

My work at GRC 20/20 is defined as follows . . .

20/20 vision is perfect clarity in sight: clarity to see and process surrounding context and achieve situational awareness — to observe the world around you, be aware of risks, and react accordingly.

Clarity of Governance, Risk Management & Compliance

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide independent and objective insight into leading GRC practices and processes, including market dynamics and intelligence; risk, regulatory and technology trends; competitive landscapes; market sizing; expenditure priorities; and mergers and acquisitions.

GRC 20/20 advises the entire ecosystem of GRC solution purchasers within organizations, professional service firms, and solution providers. We serve the needs of organizations that seek clarity, guidance and advice in dealing with a dizzying array of disruptive issues, processes, information and technologies while trying to maintain control of a distributed and dynamic business environment. Whether focused on a specific risk, regulation, department, or enterprise GRC strategy, organizations seek clarity through GRC 20/20. This clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000 companies, major professional service firms, and an array of GRC solution providers who require our research and advise to apply strategies and technology to meet the GRC challenges they face.

GRC 20/20 is a:

  • Buyer advocate. We assist those purchasing GRC solutions to help them navigate hyperbole to select solutions that are practical and deliver on requirements.
    • Simply, we help buyers select the right solution(s) for their needs and get the most out of their investment.
  • Solution strategist. We guide GRC solution providers in understanding the demand and needs of buyers and improve product, marketing, competitive, sales, partner, content, and growth strategies.
    • Simply, we make good GRC solutions into great GRC solutions.
  • Market evangelist. We educate and evangelize GRC strategies that deliver value and results through advocacy of technology, content, and services in making GRC processes efficient, effective and agile.
    • Simply, we define the future of GRC and understand where it is headed.

IT GRC Management by Design, New York

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world.

Risk Management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business grows. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture or risk and impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. Decentralized, disconnected, and distributed processes of the past catch the organization off guard to information risk and expose the organization. The interconnectedness of information and technology underpinning all aspects of an organizations operations requires that the Chief Information Security Officer (CISO) be a foundational and integrated approach to risk management across the organization.

Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, data) and externally (e.g., threat, competitive, legal, geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to manage effectively manage risk across the enterprise.

This workshop provides a blueprint for attendees on effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

September 13th in New York, NY USA

[button link=”http://grc2020.com/event/it-grc-management-by-design-workshop-chicago/”]REGISTER[/button]

The Critical Foundation of Third Party Management is Technology

In previous posts we looked at the following:

  1. How to Develop a Third Party Management Strategy
  2. How to Define a Third Party Management Process Lifecycle

Now we turn our attention to the foundation of information and technology that supports and enables a third party management strategy and process . . .

Third party management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole.  The third party management information architecture supports the process architecture and overall third party management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support third party processes. The third party management information architecture involves the structural design, labeling, use, flow, processing, and reporting of third party management information to support third party management processes.

Successful third party management information architecture will be able to integrate information across third party management systems, ERP, procurement solutions, and third party databases. This requires a robust and adaptable information architecture that can model the complexity of third party information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages:

  • Master data records. This includes data on the third party such as address, contact information, and bank/financial information.
  • Third party compliance requirements. Listing of compliance/regulatory requirements that are part of third party relationships.
  • Third party risk and control libraries. Risks and controls to be mapped back to third parties.
  • Policies and procedures. The defined policies and procedures that are part of third party relationships.
  • Contracts. The contract and all related documentation for the formation of the relationship.
  • SLAs, KPIs, and KRIs. Documentation and monitoring of service level agreements, key performance indicators, and key risk indicators for individual relationships as well as aggregate sets of relationships.
  • Third party databases. The information connections to third party databases used for screening and due diligence purposes such as sanction and watch lists, politically exposed person databases, as well as financial performance or legal proceedings.
  • Transactions. The data sets of transactions in the ERP environment that are payments, goods/services received, etc.
  • Forms. The design and layout of information needed for third party forms and approvals.

Third Party Management Technology Architecture

The third party management technology architecture operationalizes the information and process architecture to support the overall third party management strategy. The right technology architecture enables the organization to effectively manage third party performance and risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.

There can and should be be a central core technology platform for third party management that connects the fabric of the third party management processes, information, and other technologies together across the organization. Many organizations see third party management initiatives fail when they purchase technology before understanding their process and information architecture and requirements. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring of extended business relationships.
  • Point solutions. Implementation of a number of point solutions that are deployed and purpose built for very specific risk and regulatory issues. The challenge here is that the organization ends up maintaining a wide array of solutions that do very similar things but for different purposes. This introduces a lot of redundancy in information gathering and communications that taxes the organization and its relationships.
  • ERP and procurement solutions. There is a range of solutions that are strong in the ERP and procurement space that has robust capabilities in contract lifecycle management, transactions, and spend analytics. However, these solutions are often weak in overall third party governance, risk management, and compliance.
  • Enterprise GRC platforms. Many of the leading enterprise GRC platforms have third party (e.g., vendor) risk management modules. However, these solutions often have a predominant focus on risk and compliance and do not always have the complete view of performance management of third parties. These solutions are often missing key requirements such as third party self-registration, third party portals, and established relationships with third party data and screening providers.
  • Third party management platforms. These are solutions that are built specifically for third party management and often have the broadest array of built-in (versus built-out) features to support the breadth of third party management processes. In this context they take a balanced view of third party governance and management that includes performance of third parties as well as risk and compliance needs. These solutions often integrate with ERP and procurement solutions to properly govern third party relationships throughout their lifecycle and can feed risk and compliance information into GRC platforms for enterprise risk and compliance reporting where needed.

The right third party technology architecture choice for an organization often involves integration of several components into a core third party management platform solution to facilitate the integration and correlation of third party information, analytics, and reporting. Organizations suffer when they take a myopic view of third party management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real-time business operates in.

Some of the core capabilities organizations should consider in a third party management platform are:

  • Internal integration. Third party management is not a single isolated competency or technology within a company. It needs to integrate well with other technologies and competencies that already exist in the organization – procurement system, spend analytics, ERP, and GRC. So the ability to pull and push data through integration is critical.
  • External integration. With increasing due diligence and screening requirements, organizations need to ensure that their solution integrates well with third party databases. This involves the delivery of content from knowledge/content providers through the third party technology solution to rapidly assess changing regulations, risks, industry, and geopolitical events.
  • Content, workflow, and task management. Content should be able to be tagged so it can be properly routed to the right subject matter expert to establish workflow and tasks for review and analysis.  Standardized formats for measuring business impact, risk, and compliance.
  • 360° contextual awareness. The organization should have a complete view of what is happening with third party relationships in context of performance, risk, and compliance. Contextual awareness requires that third party management have a central nervous system to capture signals found in processes, data, and transactions as well as changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third party relationships.

Third Party Networks – Streamlining Third Party Management

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual third party relationships (the tree) as well as the interconnectedness of third party relationships (the forest). Third party relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationship and impact in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional with cause, in the non-linear world of business third party management risks is exponential. Business is chaos theory realized. The small flutter of third party risk exposure can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business, the result is often exponential to unpredictable.

The challenge is that third parties are getting inundated with request for information, assessments, and more.  The chaos of these many-to-many communications is slowing down relationships in a time where they need to be more nimble and agile. Organizations are looking to subscribe to a network(s) that provide validated third party profile management and data sharing they can trust.  If further information is needed they can send that request to their third parties, but rely on what has already been submitted for the core of what they do. This reduces the time, cost, and complexity of managing and gathering third party profile information and streamlines third party management for all involved.

When looking at third party management solutions to support the third party management strategy and architecture, organizations should evaluate and keep in mind what the solutions they are evaluating are doing in context of third party networks.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management strategy, process, and information/technology architecture. Check out . . .

Other webinars, that build on How to Define a Third Party Management Process Lifecycle, include:

How to Define a Third Party Management Process Lifecycle

The third party management strategy and policy is supported and made operational through a third party management architecture. The organization requires complete situational and holistic awareness of third party relationships across operations, processes, transactions, and data to see the big picture of third party performance and risk in context of organizational performance and strategy. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to third party management architecture. The architecture defines how organizational processes, information, and technology is structured to make third party management effective, efficient, and agile across the organization and its relationships.

There are three areas of the third party management architecture:

  • Third party management process architecture
  • Third party management information architecture
  • Third party management technology architecture

It is critical that these architectural areas be initially defined in this order. It is the business processes that often determine the types of information needed, gathered, used, and reported. It is the information architecture combined with the process architecture that will define the organizations requirements for the technology architecture. Too many organizations put the cart before the horse and select technology for third party management first, which then dictates what their process and information architecture will be. This forces the organization to conform to a technology for third party management instead of finding the technology that best fits their process and information needs.

Third Party Management Process Architecture

Third party management architecture starts with the process architecture. Third party management processes are a part and subset of overall business processes.  Processes are used to manage and monitor the ever-changing relationship, risk, and regulatory environments in extended business relationships.

The third party management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes third party management processes, each process’s components and interactions, and how third party processes work together as well as with other enterprise processes.

While third party processes can be very detailed and vary by organization and industry, there are four general third party management process areas that organizations should have in place, these are:

  1. Third party identification & onboarding. This is the collection of processes aimed at automating a standard, objective approach for identifying third parties to work with and onboarding them through the collection of third party data and conducting appropriate due-diligence.
  2. Ongoing context monitoring. On an ongoing basis, and separate from monitoring of individual relationships, is the ongoing process to monitor external risk, regulatory, and business environments as well as the internal business environment. The purpose is to identify opportunities as well as risks and regulatory requirements that are evolving that impact the overall third party management program. A variety of regulatory, environmental, economic, geo-political, and internal business factors can affect the success or failure of any given business relationship. This includes the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. This also involves monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
    • Purpose & identification. This is the process to identify new third parties or existing third parties to contract with for new business purposes. Third party identification will detail the purpose of the relationship and include initial definition of performance, risk, and compliance requirements and concerns in the relationship so the proper relationship can be identified.
    • Qualification & screening. Once a third party has been selected, the next step is the qualification and screening process to validate that the third party can meet the requirements of the relationship and does not introduce unwarranted risk and compliance exposure. The screening process will go through due diligence steps to ensure that the third party is the right fit for the organization. Relationships, particularly high risk ones, are to be evaluated against defined criteria to determine if the relationship should be established or avoided.
    • Contracting & negotiation. Upon passing initial qualification and screening, the next sets of processes are contracting and negotiation processes to come to terms and establish the relationship.
    • Registration & onboarding. When contracting and negotiation processes are complete the organization moves into registration and onboarding. The registration process may have already started in the qualification and screening phase to gather information, but concludes with setting up the third party in the system with master data records, financial and payment information, contact information, insurance, and licensing documentation. Further steps of the onboarding process will be communication of code of conduct and related policies, getting attestations to these, completing associated training requirements, and conducting initial audits and inspections (if more are needed and were not done in the qualification and screening stage).
  3. Third party communications & attestations. These are the set of ongoing processes to manage the communications and interactions with the third party throughout the relationship lifecycle. These are done on a periodic (e.g., annual) basis or when certain risk conditions are triggered.
    • Policy communications & reminders. The regular communication and reminders to third parties about code of conduct and related policies and procedures they need to follow.
    • Training. The regular training of third parties on matters of conduct, policies, and procedures.
    • Attestation. The regular attestation by third parties to their behavior and conformance to policies and contractual requirements.
    • Self-assessments. The regular surveys and assessments sent to third parties for them to evaluate themselves and send back to the organization.
    • Reporting. The regular reporting on third parties on aspects of the relationship and in that context of performance, risk, and compliance.
  4. Third party monitoring & assessment. This stage includes the array of processes to continuously monitor the third party relationship over their lifecycle in the organization. These activities are the ones typically done within the organization to monitor and assess the third party relationship on an ongoing basis.
    • Issue reporting & resolution. Even the most successful business relationships encounter issues. This is the process for capturing issues and their details that arise in third party relationships. Issue reporting processes may be internal and done by employees and management, by the third parties themselves, or through external sources such as customer complaints.
    • Performance monitoring. Performance monitoring processes are in place to monitor the health of the relationship, satisfaction of service level agreements, and value the relationship is providing.
    • Risk monitoring. Risk monitoring processes identify and evaluate potential risks relevant to each third party relationship throughout their lifecycle in the organization.
    • Compliance monitoring & ongoing due diligence. The processes in place to monitor relationships for ongoing conformance to compliance requirements. This includes ongoing due diligence and screening processes.
    • Audit & inspections. The processes in place to exercise right to audit clauses and do onsite inspections of third party premises and facilities.
  5. Forms & approvals. The set of internal processes to collect and report information and route things for approval in context of third party relationships.
    • New vendor/supplier request.
    • Gifts, hospitality & entertainment.
    • Political & charitable contributions.
    • Facilitated payments.
  6. Metrics & reporting.  Processes to gather metrics and report on third party relationships at the relationship level or in aggregate.
  7. Third party re-evaluation. The processes in place to evaluate, maintain, renew, and off-board relationships.
    • Relationship renewal. Managing the process of renewing contracts and relationships under existing, revised, or new terms.
    • Off-boarding & retirement. The off-boarding/retire relationships that are no longer needed.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan. Check out . . .

Other webinars, that build on How to Define a Third Party Management Process Lifecycle, include:

Understanding the Variety of GRC Intelligence & Content Solutions

There are lots of GRC solutions available in the market, most of which do not even call themselves GRC as they are laser focused in specific GRC areas. In fact, I have mapped 843 GRC technology solution providers into and across 17 primary segments of the GRC market (and may sub-segments).

Competition in RFPs, RFI, general sales situations can be tough. When it gets down to it, what can make or break a sale in an organization can often depend on what content you provide in your solution. GRC content and intelligence has become a critical differentiator in GRC opportunities across the board. I have seen enterprise GRC, IT GRC, EH&S, policy management, risk management, and audit management opportunities that were won or lost based on what content was provided and included in the solution.

Content and intelligence integration has become one of the determining factors in selecting GRC related technologies. I am amazed at the number of GRC technology solutions that do not pay much attention to this.

One recent organization I interacted with thought they had a technology winner in the RFP only to find out that the content they thought was there was dated and not kept current. Despite promised feeds for updates, they simply were behind and the content was not current.

Another RFP that is just going out has it as mandatory that the GRC solution (focused on compliance and EH&S) have a very detailed range of compliance regulatory content that is provided and kept current as part of the solution (or integrated with it).

GRC 20/20 has just finished the 2016 update and mapping of GRC content and intelligence solutions. There are 139 GRC content and intelligence providers that combined have over 425 distinct GRC related content and intelligence offerings. GRC solution providers can spend days trying to identify and map potential content partners (it takes me weeks every year keeping data current in this market area).

Or you can attend Monday’s Research Briefing on 2016 Market Overview of GRC Content & Intelligence Providers which will segment, detail, and list providers of GRC Content & Intelligence solutions that supplement GRC related technologies across the following categories (this is essential to solutions looking to expand GRC intelligence and content relationships in their technology solutions, do not miss it):

  • Audit Template & Workpaper Libraries
  • Benchmarking Solutions
  • Control Libraries
  • Compliance Forms & Templates
  • Due Diligence & Financial Monitoring
  • EH&S Libraries
  • Geo-Political Risk Monitoring
  • Industry Risk & Regulatory Reporting
  • Legal Cases & Analysis
  • Loss & Incident Databases
  • Negative News Monitoring
  • Policy Libraries
  • Regulatory Intelligence (actionable insight on reg change, not just a library)
  • Regulatory Libraries
  • Reputation & Brand Monitoring
  • Risk Libraries (including KRI, risk registers)
  • Risk Forms & Templates
  • Sanction / Watch Lists (including PEP lists)
  • Third Party Forms & Templates
  • Third Party Monitoring
  • Third Party Shared Assessments
  • Threat & Vulnerability Monitoring
  • Training Libraries
REGISTER NOW

GRC 20/20 Research Briefings are highly educational.

On demand Research Briefings in this series include:

How to Develop a Third Party Management Strategy

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

The bottom line: A haphazard department and document centric approach for third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to wipe the slate clean and approach third party management by design with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.

Third Party Management by Design

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent. (Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.)

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts.  Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem.  This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization.  Business operates in a world of chaos.  Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into third party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy.

Different Approaches Organizations Take in Managing Third Parties

The primary directive of a mature third party management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of third party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

GRC 20/20 has identified three approaches organizations take to manage third party relationships:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed third party initiatives never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how third party management processes can be designed to meet a range of needs. An ad hoc approach to third party management results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about third party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on third party performance and strategy leading to greater exposure than any silo understood by itself.
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of having one department be in charge of third party management that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing third party relationships with the lowest common denominator and watering down third party management. Further, there is no one-stop shop for everything third party management as there are a variety of pieces to third party management that need to work together.
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative third party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in third party management participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across third party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

In the end, third party management is more than compliance and more than risk, but is also more than procurement. Using the definition for GRC  – governance, risk management and compliance – third party management is a “capability to reliably achieve objectives [governance], while addressing uncertainty [risk], and act with integrity [compliance]” across the organization’s third party relationships.

Third Party Management Strategic Plan

Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy.  The strategic plan is the foundation that enables third party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

The core elements of the third party strategic plan include:

  • Third party management governance team. The first piece of the strategic plan is building the cross-organization third party governance team (e.g., committee, group). This team needs to work with third party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in third party management and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party management charter. With the initial collaboration and interaction of the third party management team in place, the next step in the strategic plan is to formalize this with a third party management charter. The charter defines the key elements of the third party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of third party management, the members of the third party governance team, and define the overall goals, objectives, resources, and expectations of enterprise third party management. The key goal of the charter is to establish alignment of third party management to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
  • Third party management policy. The next critical item to establish in the third party management strategic plan is the writing and approval of the third party management policy (and supporting policies and procedures). This sets the initial third party governance structure in place by defining categories of third parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all third party relationships be maintained with appropriate categorizations, approvals, and identification of risks.

GRC 20/20 Research has a variety of research available to help organizations develop a Third Party Management Strategic Plan. Check out . . .

Related upcoming webinars, that build on How to Develop a Third Party Management Strategy, include:

Enabling 360° Insight & Control of Third Party Relationships    

The Extended Enterprise Demands Attention

The Modern Organization is an Interconnected Mess of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.[1]

Substitute ‘man’ with ‘organization’ and seventeenth-century English poet John Donne could be describing the post-modern twenty-first century organization: “No organization is an island unto itself, every organization is a piece of the broader whole.”

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations now struggle to adequately govern third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

  • The challenge: Can you attest to the governance, risk management, and compliance across the organization’s third party business relationships?
  • Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of the third party relationship. Silos leave the organization blind to the intricate relationships of risk and compliance that do not get aggregated and evaluated in context of the value of relationships and the organization’s goals, objectives, and performance.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others still require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible.  The organization’s risk exposure across third party relationships is growing increasingly interconnected.  An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. The organization lacks an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and the organization breeds an anarchy approach to third party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches.  When organizations govern third party relationships in a maze of documents, spreadsheets, and emails it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source-of-truth on the relationship and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate information, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different solutions and processes for on-boarding and managing third parties, monitor third party risk and compliance, and manage relationships; the organization can never see the big picture.  This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on periodic or continual basis.
  • Inadequate processes to monitor changing dynamics. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, processes, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Often, metrics through service level agreements (SLAs) and established key performance indicators (KPIs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework.

The bottom line: A haphazard and Wild West approach to third party management compounds the problem and does not solve it.  It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships.  Organizations often need to wipe the slate clean and approach third party management by design with an integrated process, information, and technology architecture that manages the ecosystem of third party relationships with real-time information about performance, risk, and compliance on the organization’s ability to reliably achieve its objectives.

Consider registering for one of these upcoming webinars on Third Party Management that GRC 20/20 is speaking on:

If you are looking for Third Party Management solutions to more effectively manage third party risk and compliance (e.g., vendor, supplier), check out the following Research Briefing (available on demand):

[1] English Poet John Donne’s Devotions Upon Emergent Conditions (1624) found in the section Meditation XVII.

Providing 360° Contextual Awareness of Risk

Monitoring and Managing Risk Effectively

A Challenge for Boards, Executives, and Risk Management Professionals

Organizations take risks all the time but fail to monitor and manage risk effectively. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations.  Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business.

Organizations Need to Understand the Interrelationship of Risk and Its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. For some organizations, risk management is only an expanded view of routine financial controls, is nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this misperception, organizations remain keenly interested in how to improve risk management.

Risk is pervasive throughout organizations; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at project and department levels, and build as organizations develop operational and enterprise risk management strategies.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.

It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/ regulatory, third party, strategic, insurance, and hazard risks. This makes enterprise and operational risk management a challenge when risk management strategy forces everyone into one flat view of risk to conform and have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting.

Selecting the Correct Risk Technology Is Crucial to Success

In addressing this, many organizations look to risk management/GRC platforms to provide the range of capabilities they are looking for. This is done particularly when they have enterprise or operational risk management strategies to provide an integrated view of risk across the organization. Indeed, for many industries risk management is so fundamental to the success of their business model that it is indoctrinated throughout their core policies and operating procedures.

Organizations have adopted a wide range of technologies for risk management. Some are broad enterprise or operational risk platforms. Some solutions can be very narrow and limiting in which different departments lose capabilities they need, while other solutions can be very broad and adaptable. There are a variety of very focused risk solutions that excel at specific areas of risk management. These include:

  • Solutions focused on specific risks. These are solutions designed to manage and assess risk deeply on a very specific risk area. Such as, commodity risk, foreign exchange risk, privacy risk, model risk, and dozens of other risk areas.
  • Solutions focused on department/function risk management needs. These are solutions that are aimed at managing risks within a common department/functional area providing a common platform that specializes in risk within that area. Such as, information security, health & safety, corporate compliance, audit, finance, treasury, and more.
  • Solutions aimed at project risk management. These are solutions that help the organization manage risk in projects.
  • Solutions aimed at finance/treasury risk management. These are solutions aimed at managing an array of financial and treasury risks such as capital, market, liquidity, and credit risks.
  • Solutions aimed at operational risk management. These are solutions aimed at managing operational risks across departments to provide an integrated view of risk across business operations.
  • Solutions aimed at enterprise risk management. These are solutions that take an integrated view of strategic, finance/treasury, and operational risks (legal and compliance risk being part of operational risk). However, many solutions that advertise themselves as enterprise risk management really are only doing operational or department risk management.
  • Tools for risk management. Then there are a range of solutions that assist in risk management, but do not fit in one of the other areas. They are tools to do surveys/questionnaires/assessments. Or they assist in modeling risk such as Monte Carlo tools or Bayesian modeling.

Providing 360° Contextual Awareness of Risk

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on an information architecture that can show the relationship between objectives, risks, controls, loss, and events.

In light of this, organizations must evaluate:

  • Does the organization understand the risk exposure to each individual process/project and how it interrelates with other risks and aggregates in an enterprise perspective or risk?
  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
  • Does the organization monitor key risk indicators across critical projects and processes?
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:

  • The external perspective: Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
  • The internal perspective: Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common information and technology architecture to support overall risk management activities from the project level up through an enterprise view. Whether for a project or department risk management need, or to manage enterprise and operational risk across the organization, risk management solutions are in demand. Organizations need to clearly understand the breadth and depth of their risk management technology requirements and select the solution that is agile and flexible to meet the range of the organizations risk management needs today and into tomorrow.

Watch on demand GRC 20/20’s guidance on the Risk Management technology market and what makes a basic, common, and advanced risk management solution or platform . . .