GRC 20/20 Research, LLC

I love my career as an analyst; I research the challenges organizations face in the context of governance, risk management, and compliance (GRC) and how they solve those challenges with strategy, process, and technology. However, if I could redo my career, I would want to be a geopolitical risk management (honestly, that would be my second choice after being a vicar in a small English parish in an idealized 1950s setting solving mysteries, think Grantchester).

Consider the following . . .

“Organizations that take a serious, systematic, and senior-driven approach to political risk management are likely to be surprised less often and recover better.”

Condoleezza Rice and Amy Zegart, Political Risk: How Businesses and Organizations Can Anticipate Global Insecurity (Hachette, 2018)

Geopolitical risk management is an increasingly crucial aspect of an organization’s Governance, Risk Management, and Compliance (GRC) or Enterprise Risk Management (ERM) program. The global landscape constantly shifts due to political instability, economic changes, and social upheaval. These changes can significantly impact an organization’s objectives, operations, and supply chains across the extended enterprise. Understanding and managing these risks is essential for sustainable growth and resilience.

Geopolitical risks refer to the potential impact that political decisions, events, or conditions in one or several countries can have on an organization’s operational and financial performance. These risks can emerge from various sources, including government policies, regulatory changes, political instability, elections, economic sanctions, trade wars, and terrorism. Natural disasters and other conditions, of course, intersect and play into and influence these as well. The goal is to orchestrate and integrate geopolitical risk management into the organization’s strategy, operations, and decisions to minimize surprises in achieving the organization’s objectives.

Incorporating geo-political risk into an organization’s GRC/ERM program involves several steps:

1. Risk Identification. Identify geo-political risks specific to the organization’s objectives, strategy, operations, markets, and supply chains.
2. Risk Assessment. Evaluate the likelihood, velocity, and potential impact of these risks on the organization and its objectives.
3. Risk Mitigation. Develop strategies to leverage geopolitical risk to the organization’s advantage and objectives while mitigating these risks’ negative exposure.
4. Risk Monitoring and Review. Continuously monitor the geo-political landscape and adjust the organization’s objectives and risk management strategies accordingly.

Geo-political risks can have a direct impact on an organization’s strategic objectives. For example, changes in trade policies can affect market access, while political instability can disrupt operations in a specific region. Economic sanctions can limit business opportunities or increase operational costs.

Operational impacts include:

• Disruption of Supply Chains. Political unrest or border closures can disrupt supply chains, leading to delays or increased costs. We have seen this extensively with the war in Ukraine and the disruption in supply chains during COVID lockdowns.
• Regulatory Compliance. Changes in regulations can require operational adjustments to remain compliant.
• Political Changes. The UK’s decision to leave the EU brought about regulatory and trade changes, impacting European businesses and others worldwide.
• Market Volatility. Political decisions can lead to market uncertainty, affecting investments and financial stability. The U.S.-China trade war significantly impacts global trade, affecting companies with supply chains or markets in these countries.

In my opinion, any good Chief Risk Officer role today (or those in other risk roles like third-party/supply chain risk management) will be an avid reader of The Economist and similar publications. This includes taking int geopolitical risk feeds of developments worldwide daily (GRC 20/20 tracks a variety of these feeds that can plug into GRC/ERM/third-party risk systems to give continuous updates on geopolitical risk across the extended enterprise). This is also a key point of discussion at next week’s Third Party Risk Management by Design Workshop in London. Organizations must integrate geopolitical risk management into their GRC/ERM framework by:

1. Enhance Geopolitical Risk Intelligence Capabilities. Invest in geopolitical risk intelligence feeds and analytics to understand potential geo-political disruptions.
2. Scenario Planning. Develop scenarios for possible geopolitical events and their potential organizational impact on its objectives.
3. Diversify Operations. Reduce dependence on politically unstable regions by diversifying markets and supply chains.
4. Stakeholder Engagement. Engage with governments, NGOs, and other stakeholders to understand and influence the geo-political landscape.

Geopolitical risk management is no longer an optional part of an organization’s risk management strategy; it is a necessity. The dynamic nature of global politics requires organizations to be proactive, agile, and well-informed. By effectively integrating geopolitical risk management into their GRC/ERM programs, organizations can protect themselves from potential threats and identify new opportunities in an ever-changing global landscape.

Building on my recent blogs Risk Management = No Surprises, and particularly The Chief Risk Officer: The Conductor of the Orchestra of Risk Management, we now pick up on that theme and explore the Chief Risk Officer and The Rhythm of Risk in the business . . . 

The concept and term The Rhythm of Risk is not my own but comes from a conversation I had with my friend Brad Jewett (a fellow OCEG Fellow) about fifteen years ago. At the time, he was the enterprise risk director of Microsoft (he is currently the CFO of Corel Corporation). I have expanded on this conversation in my thoughts below.

In the intricate orchestra of business, the Chief Risk Officer (CRO) is tasked with choreographing the organization’s steps around the rhythm of risk, ensuring that every movement is aligned with the company’s strategic beat and performance objectives. ISO 31000 defines risk as “the effect of uncertainty on objectives” as the foundation for this alignment, emphasizing that managing risk is not just about avoiding threats but also about embracing opportunities that contribute to achieving business goals. Here, we explore how the CRO manages risk within the business’s cycles, strategy, performance, and objectives, providing executives with the relevant risk information they need to make informed decisions. . . 

• Setting the Tempo: Risk and Business Cycles. With its ebb and flow, the business cycle is like a musical composition with varying tempos. The CRO must understand these rhythms and set the pace for risk management accordingly. This means identifying the risks associated with different phases of the business cycle, from expansion and peak to contraction and trough, and aligning risk strategies to protect and propel the business through each phase.
• Composing the Strategy: Risk in Strategic Planning. Strategic planning is where the organization’s objectives are composed, and it is here that the CRO must integrate risk management into the broader corporate strategy. By understanding the strategic objectives, the CRO can identify what uncertainties could impact these goals and provide insights on managing them. This ensures that risk management is not a siloed function but a key part of strategic planning, contributing to the overall direction and success of the organization.
• Orchestrating Performance: Risk and Business Objectives. Performance metrics are the score by which a business’s success is measured, and for the CRO, it is crucial to ensure that risk management contributes positively to these metrics. The CRO must provide risk information that is not only timely and accurate but also relevant to the objectives against which executives are measured. This involves translating risk data into actionable intelligence to inform decision-making processes and drive performance.
• Synchronizing Movements: Aligning Risk Information with Objectives. The relevance of risk information is pivotal; it must resonate with the strategic objectives and the key performance indicators (KPIs) that executives use to gauge success. The CRO must, therefore, tailor the communication of risk insights to match the rhythm of the business, ensuring that it aligns with the cadence of the objectives being pursued. This tailored approach helps executives to see risk management as an integral part of achieving their goals rather than as a separate or competing agenda.
• The Crescendo: Leveraging Opportunities. In line with ISO 31000, the CRO’s role is not limited to managing adverse effects but also involves recognizing and seizing opportunities that arise from uncertainty. By providing a balanced view of risks and opportunities, the CRO can help the organization reach a crescendo of strategic success, turning potential threats into advantages that can lead to competitive gains and value creation.

In the rhythm of risk, the Chief Risk Officer plays a critical role in ensuring that the organization moves to the beat of strategic growth and performance objectives. This role is the composer who integrates risk management with business cycles, the strategist who aligns risk with corporate planning, and the conductor who ensures that risk information is in sync with the executive measures of success. Ultimately, the CRO work enables the organization to dance confidently amid uncertainties, turning the rhythm of risk into a pathway to resilience and strategic achievement.

I am in London this week and next week and always love going to the London Symphony Orchestra or more intimate settings like the baroque performances at St. Martin in the Fields.

Navigating the complex and dynamic landscape of organizational risk requires a leader with a keen sense of balance, foresight, and an ability to harmonize diverse elements. Much like a conductor who leads an orchestra through intricate compositions, a Chief Risk Officer (CRO) orchestrates the management of various risks to ensure the smooth operation and sustainable growth of a company. The CRO, much like a conductor of an orchestra, plays a vital role in harmonizing the various types of risks in alignment with the organization’s objectives. The CRO ensures that risks are managed in context, conducting a symphony of resilience and strategic success. By managing uncertainty (risk) in achieving objectives, the CRO works with the business to establish appropriate risk tolerances and proactively sees risks across its silos within the organization to address the complexity of interconnected uncertainties. The CRO guides the organization toward achieving its goals, creating a masterpiece of stability and strategic achievement (similar to my previous blog on Risk Management = No Surprises!).

Just as a conductor leads an orchestra through a symphony, ensuring each section contributes to the overall masterpiece, a CRO orchestrates the management of risk across an organization. This analogy becomes even more vivid when we consider the ISO 31000 definition of risk as “the effect of uncertainty on objectives.” The CRO, like a conductor, ensures that risk is managed in the context of achieving the organization’s objectives, aligning different types of risks to create a harmonious performance.

The Symphony of Objectives and Risk

An organization, much like a piece of music, has its objectives, ranging from entity-wide goals to specific targets for divisions, departments, processes, projects, assets, or relationships. The CRO plays a pivotal role in ensuring that risks are managed in alignment with these objectives, conducting a symphony that balances uncertainty and strategic direction.

The CRO holds the baton of risk management, conducting the different sections of risks to create a balanced and harmonious performance. Just as a conductor has a deep understanding of music and the unique characteristics of each instrument, the CRO possesses an in-depth knowledge of various risk types and how they interact within the organizational framework.

Imagine the following (of course, simplified for the analogy) . . .

• The Melody of Strategy. Just as the string section provides the melody in an orchestra, strategic risks shape the long-term direction of the organization. The CRO ensures that these risks are in harmony with the company’s objectives, guiding the organization toward its aspirations and goals.
• The Rhythm of Operations. Operational risks, represented by the woodwinds, are essential for the daily functioning of the company. The CRO harmonizes these risks, aligning internal processes, people, and systems with the organization’s objectives to maintain a smooth performance.
• The Dynamics of Finance. Financial risks, akin to the brass section, have a powerful impact on the organization. The CRO manages these risks in context of the company’s financial objectives, mitigating exposure to market fluctuations, credit risks, and liquidity concerns.
• The Tempo of Reputation. Reputational risks, represented by the percussion, influence public perception and the organization’s standing in the marketplace. The CRO pays close attention to these risks, ensuring that the company’s reputation is managed in alignment with its objectives for stakeholder trust and market presence.

Anticipating the Crescendos and Diminuendos

The conductor has a unique vantage point, able to see and hear every part of the orchestra. Similarly, the CRO possesses a holistic view of the organization’s risk profile, enabling them to see across different risk categories and anticipate potential challenges.

With the ISO 31000 definition in mind, the CRO’s role extends beyond balancing different types of risks; they must also ensure that risks are managed in the context of the organization’s diverse objectives. They conduct risk assessments and implement mitigation strategies across various risk categories, ensuring that the organization is in tune and aligned with its strategic, operational, financial, and reputational objectives. They use this insight to proactively address risks, ensuring that the organization is prepared to face uncertainties and navigate through turbulent times.

Just as a conductor ensures that no section overpowers the others, the CRO works to maintain a balance between different types of risks. They monitor the risk landscape, identifying when a particular risk category is out of tune or misaligned with the rest. This involves setting and enforcing risk tolerances, conducting regular risk assessments, and implementing mitigation strategies to keep the organization on track.

Just as a conductor anticipates changes in a musical score, adjusting the orchestra’s performance accordingly, the CRO uses its holistic view of the organization’s risk profile aligned with the objectives of the organization to anticipate potential challenges and navigate through uncertainties. The role of the CRO and the enterprise risk department ensures that the organization is prepared for risk crescendos and diminuendos, maintaining a balanced performance in alignment with the organization’s objectives.

In the symphony of organizational success, the Chief Risk Officer plays the vital role of conductor, harmonizing different types of risks to create a balanced and resilient performance. By maintaining a keen awareness of the risk landscape, setting appropriate tolerances, and proactively managing risks, the CRO ensures that the organization stays in tune, aligned, and ready to face the uncertainties of the business world. Like a maestro leading an orchestra through a complex composition, the CRO orchestrates the management of risks, guiding the organization toward harmony, stability, and strategic success.

I am in Sweden this week, where tomorrow I provide a keynote to 102 risk officers and directors at the SWERMA (Swedish Risk Management Association)’s ERM Day 2023. In general, I find the risk management thinking in Europe to be more aligned with the business, whereas, in North America, it is more of a compliance exercise, too often tied to Sarbanes Oxley. 

Let me tell you a story . . . 

I taught my Risk and Resilience Management by Design Workshop in Amsterdam in September. During the day, I had a great interaction with a Chief Risk Officer from a European life sciences company. He told me the following story . . . 

After being hired as the Chief Risk Officer, he met the CEO for the first time. The CEO looks him in the eye and states, “So, you are the new CRO. Tell me what that means to me?”

He looked him back in the eye and stated, “My job is to ensure you have no surprises in achieving the organization’s objectives.” The CEO thought that was brilliant and the best definition of risk management he ever heard. 

ISO 31000 defines risk “as the uncertainty on achieving objectives.” Risk needs context, and that context starts with the organization’s objectives. They can be financial objectives, they can be operational objectives, or even ethical/ESG objectives. Objectives can be high-level entity objectives that are driven down into division, department, process, project, or asset-level objectives. Even supplier and third-party relationships start with objectives and purpose to the relationship. 

The context for risk management is objectives, as ISO 31000 states. That is why ISO 31000 and its foundation in AUS/NZ 4360 influenced and framed the OCEG GRC Capability Model. GRC, as defined in the OCEG model, is “a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” 

Risk management needs context, and that is the organization’s objectives (at their varying nested levels). As an analyst covering software in the market, I specifically look for how a risk management solution starts with objectives. If it does not, it is not my ideal solution. Even in ESG, I look for how the solution starts with the ESG objectives of the organization. Any ESG solution that starts with risks and not objectives is not worth much. 

As this CRO states, his job is managing uncertainty to ensure there are “no surprises” in achieving the organization’s objectives. Of course, there can still be surprises as things catch us off guard. However, it is the role of the Chief Risk Officer to ensure that executives and the business are fully informed of risks to their objectives to minimize uncertainty and surprises so they can reliably achieve those objectives. 

What also is brilliant about this CRO’s response . . . it puts risk accountability with executives and the business. Risk management’s job is to facilitate risk management across the organization and communicate and engage on risk in the context of objectives. Risk management has done its job if the risk management function has fully communicated this and the business owns and drives forward for gain or loss. It is not the job of risk management to ‘own’ risk but to communicate risk in the context of objectives. It is the role of executives and the business to own the risk in their decisions.

As we venture deeper into the digital era, the role of Artificial Intelligence (AI) in Governance, Risk Management, and Compliance (GRC) cannot be overstated. Cognitive GRC (what GRC 20/20 refers to as GRC 5.0: Cognitive GRC) is the intersection of GRC and AI, promising a future where GRC is not just a bureaucratic necessity but a strategic enabler of business performance and resilience.

Cognitive GRC refers to the application of AI (cognitive technologies) to GRC functions, effectively facilitating intelligent, automated, and informed decision-making processes that minimize risk and ensure compliance. AI brings unprecedented efficiency, effectiveness, resilience, and agility through the cognitive automation of GRC, allowing organizations to respond proactively to risks and compliance and gain insights to navigate the organization and achieve objectives in an era of uncertainty.

Consider the following AI technologies and some examples of their potential Cognitive GRC use cases . . .

[The rest of this blog can be read on the TruOps blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Organizations increasingly employ A.I. to enhance efficiency and decision-making processes in the modern business landscape. However, using A.I. presents numerous governance, risk management, and compliance (GRC) challenges that need meticulous attention. Within the scope of an enterprise perspective of GRC is the growing domain of A.I. GRC – the governance, risk management, and compliance over the use of artificial intelligence. The Open Compliance and Ethics Group (OCEG) defines GRC as “a capability to reliably achieve objectives, address uncertainty, and act with integrity.”

Adapting the definition of GRC to address the specifics of A.I., A.I. GRC is the capability to reliably achieve the objectives of A.I. models and their use, to address the uncertainty and risk in the use of A.I., and to act with integrity in the ethical, legal, and regulatory use of A.I. in the organization’s context. 

• A.I. Governance. Governance in A.I. involves overseeing and guiding A.I.-related initiatives and the use of A.I. technology and models to ensure alignment with organizational objectives and values. Proper governance implies establishing clear A.I. policies, procedures, and decision-making frameworks. These frameworks should help an organization “reliably achieve objectives” of the organizations and ensure that the objectives and design of the A.I. models in their intended purpose are also achieved. Thus, the governance of A.I. involves strategic planning, stakeholder engagement, and performance and A.I. usage monitoring to ensure A.I. projects effectively meet their intended objectives and contribute positively to the broader organizational objectives.
• A.I. Risk Management. Risk management in A.I. refers to identifying, assessing, and managing the uncertainty associated with developing, using, and maintaining A.I. technologies. These risks range from technical aspects, such as security breaches or system failure, to ethical aspects, like algorithmic bias or privacy infringement. Risk management is about addressing uncertainty. Given their potential to hamper an organization’s operations or reputation, A.I.-related risks require comprehensive risk assessments and robust risk mitigation strategies.
• A.I. Compliance. Compliance is a critical aspect of A.I. implementation. As A.I. technology evolves, so does the regulatory landscape surrounding its use. Compliance in the A.I. context means adhering to relevant legal requirements, industry standards, and ethical norms. Compliance equates to “acting with integrity.” This involves adhering to regulations like GDPR for data privacy and adopting ethical A.I. practices to maintain transparency, fairness, and accountability in A.I. applications. In today’s era of ESG – environmental, social, and governance – the ethical use of A.I. is part of the organization’s ESG commitments. 

Incorporating core GRC principles in the responsible use of A.I. involves building a culture that values ethical A.I. use and behavior, transparency, and consistent improvement. 

The blog above is taken from GRC 20/20’s paper on: A.I. GRC: The Governance, Risk Management & Compliance of A.I.

Upcoming A.I. GRC webinars:

October 18 @ 3:00 pm – 4:00 pm EDT 

• Navigating the AI Frontier: Governance, Risk Management & Compliance Considerations

November 7 @ 12:00 pm – 1:00 pm CST 

• Navigating the AI Landscape: Responsibility, Risks, and Compliance

I am an analyst; my job is researching the challenges companies face in the context of governance, risk management, and compliance (GRC) and how they solve those challenges with strategy, process, and particularly technology and services. Every week, I answer between 10 and 20 inquiry questions from organizations that want insight into GRC-related solutions and services and desire my perspective on the market (I offer an initial interaction at no cost).

My job as an analyst is two-fold:

1. Horizon Scanning. Forecasting the drivers and trends over the next two to five years and providing insight into what organizations will need and where the market is headed.
2. The Current Situation. To understand what is being delivered in the market, what differentiates one solution/service from another, and provide insight to buyers of solutions and services on what they should look at and consider meeting their current and future needs. 

We are entering that time of the year when I get a lot of interactions on how to build a business case and prepare for an RFP for GRC-related software as organizations prepare for next-year budgets. 

Note I stated GRC-related. It is not all about one platform that does everything for one thing that does not exist. There may be a core platform for GRC, but there are a lot of best-of-breed and deep solutions that extend the GRC architecture of an organization. There are deeply capable solutions and RFPs for specific domains of GRC, such as third-party risk management, ESG, resilience and continuity, policy management, audit management, regulatory change management, case management, and more. What I go through below can be applied to a broad GRC platform doing various things or a very specific domain and use cases for GRC with dedicated best-of-breed solutions.

I am very busy with many current and developing RFPs. Some are within small to mid-sized organizations that are trying to replace manual processes of documents, spreadsheets, and emails. Others are with the mid to large enterprises that have found several, and in one case nine, different GRC platforms installed across the organization with further complexity of various point solutions and a maze of documents, spreadsheets, and emails.  

Building a business case starts with a current state analysis to understand the present to prepare and architect for the future. Often, organizations find themselves trapped in a chaotic jungle of documents, spreadsheets, emails, and discrete point solutions when managing GRC. A current state analysis is pivotal for:

• Identifying inefficiencies. A deep dive into the prevalence and breadth of GRC management practices across the organization typically will unearth redundancies, bottlenecks, gaps, and silos in processes and information flow.

Once we understand the current state, we can begin designing/architecting the future state. Some might have a pretty good strategy and process in place that is supported by a robust GRC-related information and technology architecture. These organizations will take a Japanese kaizen approach to GRC processes and technology, with small incremental improvements. Others will find a mess and need a complete overhaul. 

To shape a future where GRC management is streamlined and synergistic, it’s imperative to:

• Integrate technology where it makes sense by implementing GRC-related software to consolidate data, automate workflows, and enable data analytics.
• Optimize and re-engineer processes by identifying and eliminating non-value-added activities, leveraging technology to augment process efficiency.
• Enhance collaboration and visibility by breaking down silos and barriers to foster cross-functional collaboration, ensuring information and best practices are shared across departments.
• Build a resilient GRC framework with a system that addresses current governance, risks, and compliance requirements and is agile enough to adapt to future changes.

Once a clear understanding of the current state (most likely a mess that looks like an illustration of Dante’s Inferno) and a desired future state is defined. The organization can then begin to build a business case that measures and quantifies the value of the future state in contrast to the current state.

When I work on a business case, I build it around the following four areas:

1. Efficiency (Time & Money Saved). Implementing GRC software eradicates manual processes and redundant systems, diminishing human error and freeing employee time. It also provides an integrated architecture for information and reporting, reducing costs. One firm I helped with found that 80 of their risk staff time was managing and chasing documents and emails and NOT managing risk. Another was spending 200 hours building a report every year for the board of directors (now takes 5 minutes). 
2. Effectiveness (Risk Reduction & Enhanced Productivity). This is where we get more done, fewer things slipping through the cracks, a single source of truth and system of record, greater accountability, and enhanced visibility. GRC-related software offers a comprehensive view of organizational risks, enabling better-informed decision-making to reliably achieve objectives; if done properly.
3. Resilience (Proactive Issue Discovery & Management). GRC solutions with analytics capabilities empower organizations to identify and address issues before they escalate. The organization can address risks, events, incidents, and issues before they become bigger. The organization can recover quickly when things go wrong. 
4. Agility (Adaptability to Keep Up With Change). Organizations face constant change. Risk changes in the external environment (geo-political, economic, disasters, competitive). Regulations and laws continuously change. At the same time, the business itself is changing with employees, processes, technologies, strategy, mergers and acquisitions, and event third-party relationships. GRC technology enables organizations to be agile in a changing business and forecast and see risks coming at the organization and prepare the organization to reliably achieve objectives, address uncertainty and risk, and act with integrity in meeting obligations amid continuous change and evolution.

Once the budget has been approved, it is time to write the RFP. I have hundreds of requirements from the simple to the complex across GRC domains. Each area/domain of GRC can be a full paper on requirements. When you’re clear about the current state, desired future state, and business case, design a Request for Proposal (RFP) is the ensuing step:

• Identify Key Requirements. List the functionalities and capabilities the GRC software must have to bridge the gap between the current and desired states.
• Define Evaluation Criteria. Establish metrics for evaluating potential vendors, such as functionality, technology stack, user-friendliness, customization capabilities, and post-implementation support. This includes demo scripts and use cases.
• Consider Future Scalability. Ensure that the software can scale and adapt to the future growth and diversification of the organization.
• Measure Total Cost of Ownership (TCO). Consider not just the procurement cost but also implementation, customization, training, and maintenance costs.

In summary, transforming GRC management (whether a broad strategy or a focused area) from a document-heavy, siloed operation into a streamlined, technology-enabled function necessitates a deep understanding of the current state, a clear vision of the desired future, and a robust business case that underscores the benefits in terms of efficiency, effectiveness, resilience, and agility. By establishing a clear business case and desired future state delivered in a well-crafted RFP, organizations can navigate the complex maze of GRC solutions and services, ensuring they are always ahead in this dynamically evolving business world.

In an era where change is the only constant, organizations are being inundated by a deluge of shifts across risk, business, and regulatory dimensions. Each change brings its own complexities and managing them individually, much less collectively, becomes a herculean task. The challenge is two-fold: not only must businesses keep up with these changes, but they must also ensure that their response is in sync with their overarching business strategy.

The Scope of Regulatory Change

The world of regulatory requirements is an ever-shifting landscape. This turbulence is compounded by the continuous introduction and modification of laws, regulations, enforcement actions, and administrative decisions at local, regional, and international levels. For many, the challenge isn’t merely about staying afloat but preventing drowning in the overwhelming sea of updates.

Several factors contribute to this growing complexity . . .

[The rest of this blog can be read on the SDG blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Governance, Risk Management, and Compliance (GRC) in higher education presents unique challenges due to the complex, dynamic, and highly regulated environments in which they operate. Crafting a coherent strategy, adopting streamlined processes, and leveraging appropriate GRC technology are paramount to charting a successful risk and compliance course that maintains an institution’s integrity, reputation, and resources.

Challenges of GRC in Higher Education

Higher education institutions often cross multiple frameworks and their governance structures are complex, leading to specific struggles when implementing an effective GRC strategy. To effectively maintain a sense of order, transparency, and a level of practical accountability within the scope of GRC, the following challenges must first be addressed . . .

[The rest of this blog can be read on the TruOps blog, where GRC 20/20’s Michael Rasmussen is a guest author]