GRC 7.0 – GRC Orchestrate: Agentic AI and the Autonomous Force Behind Risk, Integrity, and Objectives

Part 3 in the GRC Orchestrate Series

The future of Governance, Risk Management, and Compliance (GRC) is not just digital: it is autonomous, intelligent, and orchestrated. In the first article of this series, we introduced the foundational principles of GRC 7.0 – GRC Orchestrate as a convergence of agile platforms, cognitive intelligence, and business-integrated GRC into a unified, dynamic architecture. In the second installment, we focused on digital twins as the foresight engine of GRC: mirroring the enterprise in real time to simulate futures, assess impact, and guide strategy.

Now, in this third article, we explore the autonomous force behind orchestration itselfAgentic AI. These are the active agents operationalizing GRC. They sense, think, act, and adapt. They do not simply automate tasks, they enable informed decisions based on objectives, risk, performance, and integrity. They are not tools, they are teammates and collaborators, embedded into the GRC fabric of the organization and its systems and processes.

Defining Agentic AI: The Mind of the GRC Orchestrate System

Agentic AI represents a fundamental shift in how artificial intelligence is applied to GRC. Rather than being a passive analytical engine or a rule-execution tool, Agentic AI is characterized by agency; that is, the capacity to observe its environment, make decisions within its assigned objectives and boundaries, and take action autonomously while engaging humans when needed.

Where earlier forms of AI focused on narrow tasks (e.g., classifying documents, detecting anomalies, scoring risks), Agentic AI is oriented toward achieving outcomes. It acts as a digital coworker across GRC functions: risk management, compliance, audit, ESG, IT, resilience, and more. Agentic AI operates with purpose; it is aware of the goals, thresholds, ethical parameters, and operating context of its domain.

Each agent operates in a cycle that mimics intelligent human behavior:

  1. Observe. Constantly gather signals from operational systems, documents, human inputs, regulatory updates, and telemetry.
  2. Analyze. Interpret this information using knowledge graphs, business rules, large language models, and pattern recognition.
  3. Act. Make decisions, trigger alerts, adjust workflows, initiate reviews, or change controls; within its scope of authority.
  4. Escalate. When complexity exceeds the agent’s threshold for action, notify the appropriate human or supervisory system for intervention.

These AI agents are not isolated. They operate within a network of agents, often coordinated across the digital twin analyze outcomes. This allows for highly contextualized responses, cooperative action, and shared intelligence.

Deep Dive: Agentic AI Applications Across the GRC Landscape

Strategic Risk and Objective-Centric Decision Making

Strategic decisions carry the weight of uncertainty, where the stakes are high and consequences are cascading. Agentic AI becomes a strategic partner to the boardroom by continuously interpreting strategic intent, aligning it with real-time performance data, and modeling the likely outcomes of various decisions.

For example, if an organization is considering an expansion into Southeast Asia, the agent would model geopolitical instability, changing tax policies, ESG-related risks, partner network viability, and supply chain logistics. It evaluates alignment with internal ESG policies, regulatory exposure by country, and dependencies across functions. Then, it simulates market entry under multiple time horizons and economic conditions, identifying strategic risks and actionable mitigations.

This allows executive teams to:

  • Stress test strategic moves across macro and micro conditions
  • Evaluate the cascading risk to objectives and suggest risk-adjusted alternatives
  • Reprioritize based on real-time simulations and dynamic scorecards

Agentic AI does not just inform: it helps govern.

Risk Management and Uncertainty Navigation

Risk is not something to avoid or mitigate, in GRC 7.0, risk is seen as a navigable condition within the journey to achieving objectives. Agentic AI becomes a guide that sees what’s ahead, maps the terrain, and adjusts course dynamically.

As the organization’s internal and external data streams shift — from financial performance to supply chain delays to social unrest — agents synthesize signals and calculate uncertainty against objectives. They then suggest response scenarios such as shifting inventory, delaying expansion, or modifying a service contract.

Consider a scenario in which a political uprising occurs in a key manufacturing region. The agent detects the change through geopolitical monitoring services, assesses third-party dependence, calculates the probable delay and cost impact, and recommends alternate sourcing and risk mitigation timelines, all while aligning with business continuity plans and risk appetite.

Agentic AI transforms static risk frameworks into living, breathing guidance systems.

Digital Risk and Resilience

Digital ecosystems have become foundational to business, but also deeply vulnerable. Digital/cyber risk evolves faster than most organizations can respond, making autonomous response essential.

An agent embedded in a financial institution might detect subtle anomalies in user behavior: such as an unusual pattern of late-night database access from an offshore IP address. It evaluates the threat in context: the criticality of the systems accessed, whether the access aligns with the user’s historical profile, and the level of risk posed by the action. If deemed significant, the agent automatically quarantines the session, notifies IT security, and initiates a review of access logs across related systems.

Simultaneously, within the digital twin, the agent simulates the business impact of a worst-case breach and recommends additional segmentation, control hardening, or escalation to regulators.

This real-time loop closes the window of exposure and builds cyber resilience not only in detection, but in systemic foresight.

Third-Party Risk and Extended Enterprise Oversight

Managing vendors, contractors, and supply chain partners has grown exponentially more complex. Risk now lives outside the four walls of the enterprise. Agentic AI becomes the connective tissue that binds the organization’s oversight to its extended enterprise.

Let’s say a multinational manufacturer is reliant on a Chinese component supplier. An Agentic AI scans public news sources, Chinese regulatory filings, and ESG data providers. It detects a potential labor rights controversy unfolding at the supplier. The agent cross-checks the supplier’s role in mission-critical product lines, evaluates SLA breach implications, models contractual exit options, and recommends a proactive response plan.

The value of this isn’t just awareness—it’s precision: understanding exactly where the risk enters your operations, what objectives it threatens, and how to act before reputational or operational damage occurs.

Compliance and Regulatory Change

Compliance today is far too reactive. Organizations often scramble to meet regulatory deadlines, adjust policies, and train employees at the last minute. With Agentic AI, the paradigm shifts from reaction to readiness.

Picture an agent responsible for global financial regulation. It continuously monitors publications from hundreds of global regulators, news outlets, and enforcement actions. One morning, it detects that a regional regulator has just released new anti-money laundering guidance expected to influence cross-border data retention.

The agent maps this against current obligations and policies, identifies areas of overlap and conflict, and updates the compliance register. It then triggers workflows to legal, IT, and operations to evaluate controls, training, and documentation. Executives are briefed through an interactive dashboard showing probable enforcement timelines and estimated compliance costs.

Compliance becomes a living system of adaptive integrity, not static adherence.

ESG and Sustainability Governance

Environmental, social, and governance factors are now central to investor relations, customer loyalty, and regulatory expectation. Yet most organizations treat ESG as a disclosure activity. Agentic AI transforms it into a strategic, real-time accountability and stewardship system.

An agent monitors a firm’s sustainability metrics, drawing from ERPs, procurement platforms, emissions sensors, and partner disclosures. When a critical Scope 3 emission anomaly is detected — due to a logistics partner’s operational changes — the agent flags the deviation, models its long-term impact on net-zero commitments, and recommends alternate vendors or offsets.

This not only keeps reporting accurate, it ensures that strategic ESG objectives are operationalized and maintained.

Audit and Assurance

Internal audit must evolve beyond periodic inspection and point-in-time validation. Agentic AI enables a future where assurance is always on.

Imagine a GRC platform where agents continuously monitor control evidence, incident trends, risk exposure, and business change. Instead of waiting for quarterly testing, agents identify fluctuations in control performance as they happen—prompting alerts, initiating self-assessments, or escalating issues to auditors.

When a new system is deployed without proper change controls, the agent immediately recognizes a break in policy coverage, pulls audit history on similar rollouts, and drafts a preliminary assurance note with linked evidence.

The audit team doesn’t start from scratch: they start with context, clarity, and coherence.

The Road to 2030: GRC Agents Evolving Toward Maturity

Today, we are still in the early stages. Agentic AI has entered the market through specific features — risk scoring, regulatory mapping, chatbot interfaces — but the true orchestration of coordinated agent ecosystems is still in formation.

To reach maturity by 2030, organizations must take proactive steps:

  • Normalize taxonomies and metadata across GRC domains
  • Structure policies, risks, controls, and obligations to be machine-readable
  • Implement ethical and operational guardrails for AI behavior
  • Foster a governance culture that treats AI as a participant, not just a processor

The journey ahead isn’t about replacing humans: it’s about designing hybrid systems of intelligence where humans and agents collaborate across risk, integrity, and objectives.

Final Reflections: Agentic AI as the GRC Operating Core

In the 2025 State of the GRC Market: Hitchhiker’s Guide to the GRC Galaxy, we’ll explore how these ideas are transforming both vendor landscapes and enterprise architectures.

Agentic AI is not a bolt-on enhancement. It is the new operational model for GRC. It is the connective fabric between foresight and function—between policy and performance.

It is how GRC transforms from being something you report on into something you interact with.

Agentic AI will redefine how decisions are made, how uncertainty is interpreted, and how organizations hold themselves accountable to a higher standard of resilience, agility, and ethics.

Stay tuned for Part 4 of the GRC Orchestrate Series: The Hitchhiker’s Guide to the GRC Technology Galaxy, where we explore the structural framework and segmentation that GRC 20/20 has mapped over 600 GRC solutions across domains, from the foundational to the futuristic.

GRC 7.0 is not a destination. It is a system of action. Agentic AI is the force that drives it.

6 Ways to Create a Repeatable, Scalable Compliance Program

Compliance programs are critical in ensuring organizations adhere to established regulations, laws, and ethical standards, fostering trust with stakeholders, employees, business partners, and the public. A repeatable and scalable compliance program ensures consistency and efficiency in managing compliance risks across various operational scales and ensures compliance in the context of regulatory/obligation and business change. Organizations across industries and sizes must create a compliance program that meets the legal requisites and is repeatable and scalable in a dynamic, distributed, and ever-changing business environment.

What’s Required to Establish a Successful Compliance Program?

Creating a scalable and repeatable compliance program requires . . .

[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Where Policy Management Fails

After exploring Where Third-Party Risk Management Fails and Where Risk Management Fails, I now turn my attention to my biggest soapbox, Where Policy Management Fails . . .

First it is essential to understand that policies are critically important to governance, risk management, and compliance. Through policies organizations can have reliable processes, transactions, and behavior so it can reliably achieve objectives [governance]. Policies are risk documents, the very fact that there is a policy means there is uncertainty/risk that needs to be governed and controlled [risk management]. Through policies, and their adherence, the organization maintains integrity to its values, ethics, conduct, ESG commitments, regulatory commitments, and contractual commitments [compliance].

HOWEVER, policies also set a legal duty of care and liability on the organization. A policy that is not followed can be used against the organization in a civil, criminal, and/or regulatory matter. What is shocking is how badly policies are managed in the organization given their critical nature to enable the organization to reliably achieve objectives, address uncertainty, and act with integrity. 

I teach Policy Management by Design workshops around the world and have a variety of research papers on policy management. I have also partnered with OCEG in developing PolicyManagementPro.com and the Certified Policy Management Professional certification. Here is where I see policy management fails in many organizations . . .

  • Not knowing what policies the organization has. Policies often are scattered across departments and many organizations do not even know what policies are out there. I was keynoting at a conference and asked a few hundred people in the room who has a master list of all their official policies, only two people raised their hands.
  • Policies scattered on different portals. Too often the organization does not have a singular portal for policies. One insurance company came to me moving into pandemic lockdowns in March of 2020 in a panic as they discovered they had 27 different policy portals from policy file shares to SharePoint sites, to commercial software. It was a maze of confusion and there was no singular point for employees to access policies.
  • Different writing styles and processes. Organizations often do not have a consistent template and writing style for policies, not a standard process to write and approve policies. Basically, they do not have a Policy on Writing Policies (also called a Metapolicy) nor a style guide on how to write policies in consistent grammar, use of active voice, punctuation, formatting, and how to approach gender neutral language. 
  • No standard template for a policy. Yes, I brought this out in the previous point, but it deserves to be mentioned again. Anyone should be able to recognize a policy by the template/formatting of the document (digitally or in print). It should be easily recognizable as an official policy.
  • Not addressing rogue policies. This is a HUGE issue. Too often managers across the organization are opening word processors and writing documents and calling them policies. They communicate this to employees, customers, and partners. Policies, as stated, establish a legal duty of care. If a manager is writing a document and calling it a policy, it exposes the organization to legal liability if it is not followed. 
  • Out of date policies. Organizations struggle with the number of policies that exist indefinitely and are not updated, lack an owner, and are no longer needed . . . or desperately need revision. 
  • Not keeping up with legal, regulatory, and business change. There is a variety of legal, regulatory, risk, and even business change that impacts policies. One bank had a policy that was being revised because of a regulatory change that went through 75 reviewers in a linear fashion of document check in and check out and took six months to get updated. In an industry where there are 257 regulatory change events every day this certainly is not agile and behind the game. Another organization, this one in healthcare, discovered they had 21,000 policy and procedure documents because of all the consolidation and acquisition of hospitals over a few decades. 
  • Not keeping up with employee change. Employees come into the organization, they change roles and departments, they leave the organization. Organizations need to ensure that employees are aware of the policies that apply to their role as they move to different functions and roles, particularly high-risk areas. 
  • Lack of audit trail and system of record. This is another HUGE issue. The legal and regulatory environment demand that the organization have a clear defensible history of what policies were communicated to employees, did they understand it, were they trained, how they were reminded. Look at the latest U.S. Department of Justice Evaluation of Compliance Programs where it focuses on the audit trail and system of record of the policy portal and employee interactions. Having a defensible audit trail on policies and awareness gets the organization out of hot water, ask Morgan Stanley.
  • Outdated policy portals and training. Every month I am getting inquiries from organizations looking for that next generation policy portal that brings together policies and training into one portal. Think about it, employees go out to Facebook and can watch a YouTube video in Facebook. They do not have to click on a link and go out to YouTube and come back to Facebook to comment on it. The same thing NEEDS to happen with the policy portal that brings policies and training on policies into one portal. Millennials and Gen Z expect this. And, mobility access to policies and training is also critical. 

As you can see, this is a soapbox of mine. I am passionate about policies and policy management. They are critical to the organization. Without policies, and policies that are adhered to and enforced, the organization’s behavior is like leaves blowing in the wind. Can you imagine an organization with no policies? What a mess of transactions and behavior. I am literally scratching the surface on all the areas of where policy management fails today. 

Organizations need to address the back-office of policy management, and the front-office of policy engagement . . .

  • Back-office policy management. This is the enterprise-wide consistent process to write, approve, monitor, enforce, manage, maintain, and audit policies in the organization. They key here is collaborative authoring and cooperation across departments supported by strong technology in this space to ensure nothing slips through the cracks and adheres to the Policy on Writing Policies.
  • Front-office policy engagement. This is the portal, training, awareness, and engagement to employees (and third parties) on policies. There should be a singular portal for all the official policies of the organization. Employees should have regular reminders and are properly aware and trained on policies that impact their role/function in the organization.

There are a variety of solutions for policy management in the market. Some focus on certain departments (e.g., EH&S, information security, privacy, HR), others focus on specific industries (e.g., healthcare, banking), and others are broad. Some solutions focus on back-office policy management, others excel in front-office policy engagement. Few do both well. 

Ask GRC 20/20 about our market research and coverage of policy management best practices and the range solutions in the market and what differentiates them and fits your particular need . . . 

Also, register for one of these upcoming webinars on Effective Policy Management . . .

3 GRC Priorities for Your Organization in 2022

The past two years have been a trial for organizations as they have been required to respond to the complications, risks, and intricacies of the pandemic and its impact on business strategy, operations, and objectives.

The focus has been on resiliency with the ability to recover quickly to changing risk conditions to keep the organization moving forward.

GRC, by definition, is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance) (source: OCEG GRC Capability Model).

The organization must be constantly aware of objectives and their achievement. Those objectives can be at the entity level or down into the division, department, process, project, relationship, or asset level. In this context, the organization needs insight into the risk and uncertainty in achieving those objectives and ensure that the organization acts with integrity in their achievement in a distributed, dynamic, and disrupted business environment.

As we head into 2022, this focus on . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Tale of Two Futures: Blade Runner or Star Trek?

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way – in short, the period was so far like the present period, that some of its noisiest authorities insisted on its being received, for good or for evil, in the superlative degree of comparison only.

Charles Dickens, A Tale of Two Cities (1859)

I love good literature and Charles Dickens is a favorite, particularly in the Christmas season. However, my thoughts right now are not on A Christmas Carol but on the haunting intro to A Tale of Two Cities. Charles Dickens’s evocative words come to mind as I think about enterprise risk management programs in organizations. We are at a nexus of paths right now that can lead to two very different outcomes for the future of the world, our organizations, and our personal lives.

My question for you: are we focused on the right risks?

The truth is that we are at a critical point in history, a point that can lead to two very different outcomes. In our age of technology advancement and knowledge will this be defined as the ‘age of wisdom?’ Or will it be seen as the ‘age of foolishness?’ The decisions we make and our organization’s make will lead us to a ‘season of light’ or a ‘season of darkness,’ either a ‘spring of hope’ or a winter of despair.’

In my keynotes and presentations, I ask the question: what is our future? 

Are we, as a global society that our organizations are part of, headed toward a Blade Runner future or a Star Trek future? In Blade Runner, you have a dark dystopia of social, ethical, and environmental disasters. In Star Trek, you see a green and prospering world where the environment and society thrive, and there is great social diversity and cooperation across galactic races.

My issue is that many of the enterprise risk management and GRC programs I interact with are limited in scope. If you look at these programs you would think that IT/information risk (e.g, cyber risk, digital risk) are the greatest concern. These are significant concerns, I am not trying to deny that. I cut my teeth in risk management in the 90’s in information security. My point of view is that IT/information risk is a great concern, but environmental risks are a GRAVE concern. And I mean that term literally. But environmental risk seems to be missing from the agenda of the organization’s enterprise risk, operational risk, integrated risk, and GRC agendas.

Look at the World Economic Forum’s Global Risks Landscape 2019. The most significant risks, and there are many, are environmental in focus. Where is this on the organization’s risk management agenda? Fortunately, we are seeing some changes here. I applaud the United Kingdom’s FCA/PRA that is now requiring banks and insurance companies, under the Senior Manager’s Regime/Certification Regime (UK SMCR), to have a senior management function defined and accountable to manage the firm’s risk from climate change.

It is disappointing that the leading analyst firms, Gartner and Forrester, do not cover environmental, health and safety risks in their IRM and GRC research. They are ostriches with their heads in the sand. Both of these firms talk about environmental risk and climate change in other parts of their organization, but it does not appear to be on the radar of their core research in IRM and GRC. Reading IRM and GRC reports from these analysts would leave one to think that environmental risk and climate change are not even on the radar and what we only need to focus on is IT/information risk. While Verdantix, in their Green Quadrant on Operational Risk, has a completely different set of solutions, with only two that appear on the Forrester reports and one on the Gartner report. Fortunately, with OCEG and GRC Capability Model, we have taken a true enterprise view of risk that includes environmental, health and safety, quality, and other risks that Gartner and Forrester do not see as part of their IRM and GRC research. How can a research organization in 2020 have a risk management strategy that does not include these areas? How can organizations themselves not be covering environmental risk in their enterprise and operational risk management programs?

CALL TO ACTION: it is time that our GRC/ERM programs include and integrate with ESG (environmental, social, governance), EHS (environmental, health and safety), CSR (corporate social responsibility), and sustainability initiatives. 

The reality is that organizations do need a true enterprise view of risk, and this view must include environmental risk and climate change impact on the business as well as health and safety risks. IT/information risk is critical, but it is time to ensure that environmental risk is on the radar as well in enterprise risk management programs. If we do not address this now our future will be Blade Runner and not Star Trek as we head to a ‘winter of despair’ and not a ‘spring of hope.’

Have You Hugged Your CECO/CCO Today?

Today is the official National Compliance Officer today! This is a very challenging role in organizations and one that is in the midst of a lot of change. Below is a link to my SWOT Analysis of the CECO role on this topic. I am presenting on this next week at Converge19 as well.

Here is a link with Tom Fox on his podcast discussing my upcoming presentation on the SWOT Analysis of the CECO

Understanding Third Party GRC Maturity: Defined Stage

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

Today we look at Stage 3, the Defined level of Third Party GRC

The Defined stage suggests that the organization has some areas of third-party GRC that are managed well at a department level, but it lacks . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

The Rhythm of Risk: Managing Risk Throughout the Context of Business

Writing about risk management is like trying to have an intelligent conversation today about religion or politics.

Individuals in the risk management community have polarized views and if someone does not agree with you 100% you end up in the crosshairs of an attack. It is sad. Instead of intelligent discussion where we can come together and learn, there are many ready to pounce if you do not express their exact ideology. Some view risk management as purely top-down from objectives and strategy, others are risk professionals down in the bowels of the organization looking bottom-up. Some feel that risk registers, risk appetite, and other aspects of traditional risk management are meaningless, others see this as the core part of how they have managed risk. Some hate heat maps and qualitative approaches, others live by them. Some, I feel, are simply trying to relabel corporate performance management to be risk management, instead of seeing that risk management is a part of performance management.

While I feel there is objective truth when it comes to matters of religion/theology . . . what if that was not the case for risk management?

  • What if the best approach to risk management brought together the top-down and the bottom-up?
  • Used both quantitative and qualitative methods?
  • Leverages risk registers but does not get locked into thinking only in their context?
  • Knew the weaknesses of a heatmap and how to overcome them while still using them as a visualization tool?

My view of risk management is that all sides of the debate have something valid to bring to the table. To truly do enterprise risk management requires a 360° contextual awareness of risk in the context of performance, objectives, and strategy as well as day to day operations and hazards of the business. Organizations need both a top-down view of risk management in the context of strategy and objectives as well as a bottom-up view of risk down in the weeds of operations and hazards. Good risk management requires both.

My favorite approach to risk management I have encountered in my research was with Microsoft when Brad Jewett was the ERM Director there from 2003 to 2008 (I cannot speak to Microsoft today as I have not interacted with them recently, Brad is now the CFO of Corel Corporation). I have served with Brad as an OCEG Fellow over the years and have a deep respect for him as a risk management professional. Brad defined his approach to risk management at Micorosft as ‘The Rhythm of Risk.’ This he defined by his desire to integrate risk management into daily decision making that would follow the corporate calendar for key processes such as multi-year strategic planning, annual planning, mergers and acquisitions, audit planning, SEC reporting, investor communications, product and service roadmaps, etc. It an aspirational agenda but it set the tone and expectation that risk management was a priority that should Influence and be integrated into the way things get done every day. This included the strategic as well as the operational. The top-down as well as the bottom-up

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see the individual risk (the tree), as well as the interconnectedness of risk to strategy and objecrtives (the forest). Many organizations are asking for this to go even deeper, as they need to see the leaf and branch as it connects to the tree, and how it is part of the forest.

Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential, and sometimes chaotic, relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system the effect is proportional with cause, in the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business, the result is often exponential to unpredictable.

Mature risk management enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both top-down view of risk to objectives as well as a bottom-up view of risk within operations and processes. It can integrate internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling.

Successful risk management requires the organization to provide an integrated process and information architecture. This helps to identify, analyze, manage, and monitor risk, and capture changes in the organization’s risk profile from internal and external events as they occur. Mature risk-management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board that is not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk down in the depth of the business.

Organizations striving to increase risk management maturity in their organization need to be:

  • Aware. They need to have a finger on the pulse of the business and watch for changes in the internal and external environments that introduce risk. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
  • Aligned. They need to align performance and risk management to support and inform business objectives. This requires continuously aligning objectives and operations of risk management to the objectives and operations of the entity, and to give strategic consideration to information from the risk management capability to affect appropriate change.
  • Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to what an organization needs to know to make the right decisions. This requires that the organization have a bottoms-up view of risk as well as the top-down.
  • Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Mature risk management enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
  • Resilient. The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They desire to have sufficient tolerances to allow for some missteps and have the confidence necessary to rapidly adapt and respond to opportunities.
  • Efficient. They want to build business muscle and trim fat to rid expense from unnecessary duplication, redundancy, and misallocation of resources; to make the organization leaner overall with enhanced capability and related decisions about the application of resources.

My point is simple, there are many perspectives on risk management that brought together properly and in balance can really build an effective and mature risk management program. While there are issues with qualitative methods, heat maps, and risk registers, that does not mean they are useless. They need to be effectively used and their issues and weaknesses understood. The same goes for a complete top-down view of risk management that only focuses on objectives and misses the hazards and issues that lie in the depths of the weeds of the organization that can cause significant harm. The best world is one that brings the strengths of all of these together and avoided throwing the baby out with the bathwater.

I will be presenting my views on how risk management technology enables and mature risk management capabilities in the webinar tomorrow:

I will be presenting my views on how organizations can mature their risk management capability in the webinar this Wednesday:

GRC 20/20 also has the upcoming Risk Management by Design Workshops:

GRC 20/20 has also just updated it’s flagship research paper on this topic:

Michael Rasmussen on GRC value & creating your GRC RFP template

What do you need to include in a GRC RFP? We asked one of the experts in this interview.

Enterprise governance, risk, and compliance (GRC) strategies can help organizations across the board become more efficient and agile in navigating the ever-changing regulatory and risk environment. However, in order to maximize efficiency, effectiveness, and agility, organizations need to approach GRC with a collaborative, inter-departmental strategy.To make GRC software implementation as strong as possible, organizations should have a clear business case, strategy with defined goals, and detailed system requirements.

We sat down with Michael Rasmussen of GRC 20/20 to talk about the components of a successful GRC business case and strategy, how to understand the range of GRC capabilities, how to navigate selecting a solution, and what to include in a GRC RFP. Here are some of his responses.

The value of GRC

Eric Goldberg: How do we go about articulating the value, or the ROI, of a GRC strategy?

Michael Rasmussen: It starts with finding . . .

[This is an interview done with Galvanize, the rest of this post can be found through the button link below]

Step 2: Conditioning is Critical, Make Sure Your Team and Systems are Ready for 3rd Party GRC

This is the 2nd blog in a 5-part series on developing a strategic plan for Third Party Governance/Management in your organization.

With an understanding of where you are at and where you want to go with 3rd Party Governance, the next step is to make sure your team and systems are ready for the journey. The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to 3rd Party Governance, Risk Management, and Compliance (3rd Party GRC): 

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts.  Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem.  This is true in 3rd Party GRC. What further complicates this is the exponential effect of 3rd party risk on the organization.  Business operates in a world of chaos.  Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of 3rd party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives.

The organization needs to have holistic visibility and situational awareness into 3rd party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy. 

The primary directive of a mature 3rd Party GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of 3rd party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

Organizations need to ensure that the various departments and roles involved in governing 3rd party relationships are on board and willing to work together in a cohesive strategy. The goal is to provide the greatest balance in collaborative 3rd party governance and oversight to allow for some department/business function autonomy where needed, but focuses on a common governance model and alignment that the various groups in 3rd party governance utilize. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships, as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

The goal is to have centralized 3rd party governance oversight to create consistent and aligned strategy with a common 3rd party governance process, information and technology architecture. Organizations with this collaborative approach report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on third party performance, risk and compliance, and greater effectiveness through the ability to report and analyze 3rd party risk and compliance data. The goal should not only to manage risk and compliance, but to integrate 3rd party governance in the context of performance, objectives, and strategy in relationships.

To achieve the full benefits from an 3rd party GRC strategy, GRC 20/20 recommends the following next steps:

  • Gain executive support and sponsorship of the third party governance strategy.The organization needs to work in harmony on third party governance. Different groups doing their own thing handicap the business. Executive support is critical to align the organization.
  • Develop harmonized systems and processes. Key to success is identification of shared processes and information for 3rd party GRC across the enterprise. This includes identifying technology and information solutions to support integrated information and process architecture.

This team needs to be aligned to share a common vision to move to an integrated approach to 3rd party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third party relationships.

[1]Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.

Supporting 3rd Party GRC Research . . .

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.