Organizations are dynamic and distributed. They are changing minute-by-minute and second-by-second. That is challenging many risk management programs, but the complexity of distributed business further chaos to the organization and makes risk management very complicated. There is no such thing as brick and mortar business, organizations are not defined by employee relationships. Half of an organizations ‘insiders’ are now third parties.

I recently was having a conversation with risk, compliance, and legal management at a global manufacturer with a global manufacturer (about 200,000 employees). Their challenge was managing risk in a distributed and dynamic business. They expressed challenges in which what used to be thought of as an inside risk now extends across a web of third-party relationships. Policies that used to be just for employees, now have impact and governance over a range of individuals from third-party relationships that work and interact with the organization’s internal processes (e.g., outsourcers, suppliers, service providers, contractors, consultants, temporary workers).

I also recently talked to a global European bank that is looking at requiring every individual in their data centers to go through the same GDPR policies and training as employees do. Most of the individuals in their data centers are third parties.

Risk management is not just about the back office of the chief risk officer, but it is also about the front lines of the business that take and manage risk every day in their jobs. Risk management is not about the traditional brick and mortar business but also about the extended enterprise and nested relationships of risk that exposes the business and can hinder it from achieving objectives (or help it).

Organizations need to think holistically about risk management and adapt their programs to the dynamic and distributed business of today. They need to align and integrate risk management with strategic planning, objectives, and performance while still having visibility into risk down in the bowels of the organization’s processes and relationships. In essence, organizations need a 360° contextual view of risk in the organization in the context of both strategy and operations. This requires a top-down view of risk as well as a bottom-up view of risk. It also requires quantitative risk analytics that brings value and order to qualitative methods (which still have use). It requires right-brain creative out of the box thinking of risk as well as left-brain analytical and model thinking of risk.

I will be interacting on next-generation risk management as it transcends the enterprise at the following upcoming events:

Upcoming Risk Events & Interactions

Roundtable Discussion & Coffee in London 

Third Party GRC Management by Design Workshops 

Risk Management by Design workshops are:

Policy Management by Design workshops are:

  • Chicago, Policy Management by Design, April – details forthcoming
  • New York, Policy Management by Design, April 28th
  • London, United Kingdom, Policy Management by Design, June – details forthcoming

Upcoming Risk Conferences . . .

  • Zurich, Switzerland, RiskIn, May 13th to 15th

Upcoming Webinars . . .


Leave a Reply

Your email address will not be published. Required fields are marked *