In the first post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility, and then explored GRC resilience and explored GRC resilience again, moved on to Integrity (ESG), then GRC Accountability . . . and we now continue with the fifth trend of five, ENGAGEMENT . . .
ENGAGEMENT is the fifth global trend in the GRC market for solutions and services.
GRC (Governance, Risk Management & Compliance) is as relevant to the front office as it is to the back office. The front lines of the business use GRC systems and need engaging user experiences.
It is not just the front lines. All levels of the organization interact and use GRC technologies, from taking assessments, reading policies, going through training, reporting incidents, evaluation reports, diving through dashboards, and more.
Employee engagement in GRC requires GRC technologies to extend across the organization: Even to extended third-party relationships such as vendors, suppliers, agents, contractors, outsourcers, services providers, consultants, and temporary workers. Engaging stakeholders at all levels of the organization requires GRC technologies to be relevant, intuitive, easy to use, and attractive. Employees live their personal and professional lives in a social-technology-permeated world. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.
It has been stated that:
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.
A primary directive of GRC is to provide GRC engagement that is simple yet gets the job done. Like Apple, with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The GRC goal is simple; it is itself simplicity. Simplicity is too often equated with minimalism. Yet true simplicity is more than just the absence of clutter or the removal of embellishment. It’s about offering the right GRC information in the right place when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.
I have been evaluating GRC technologies for 23 years and find that many have average to poor user experiences. Even some who are recognized as GRC leaders, who would have you believe that their platform could solve the world’s problems, have interfaces that are overly complex, non-intuitive, confusing, and sometimes downright confounding.
What is needed at the core of GRC engagement is a human firewall.
Firewalls protect us. In buildings, it is a wall intended to shield and confine a fire to an area to protect the rest of the building. In a vehicle, it is a metal shield protecting passengers from heat and potential fire in the engine. In network security, it is the logical ingress and egress points securing a network.
Within organizations, there is another firewall that is the most essential but the most overlooked. That is the ‘Human Firewall.’ I have been an analyst for twenty-two years.
Humans are the weakest area of any governance, risk management, and compliance (GRC) strategy. Humans make mistakes, they do dumb things, they can be negligent, and they can also be malicious. In the technical world, we can lock things down and the IT operates in binary. In the world of human interaction, it is not binary but shades of grey. Nurturing corporate culture and behavior is critical. The Human Firewall is the greatest protection of the organization. At the end of the day, people make decisions, initiate transactions, and they have access to data and processes.
A decade ago, I was involved with The Institute of Risk Management in London in developing Risk Culture: Resources for Practitioners. In this guidance, there is the A-B-C model. The ‘A’ttitudes of individuals shape the ‘B’ehavior of these individuals and the organization, forming the ‘C’ulture of the organization. And that culture, in turn, has a symbiotic effect, further influencing attitudes and behavior. Culture is one of the organization’s greatest assets. It can spiral out of control and become corrupt quickly but can take years, or even decades, to nurture and build in the right direction. The ‘Human Firewall’ is the greatest bastion/guardian of the organization’s integrity and culture. In today’s focus on ESG – environmental, social, and governance – it is in the Human Firewall that becomes the reality of ESG integrity in the behavior and culture of the organization.
Every organization needs a Human Firewall. So what is a Human Firewall? What is it composed of? The following are essential elements:
- Policy Management. Policies govern the organization, address risk and uncertainty, and provide the boundaries of conduct for the organization to act with integrity. The organization needs well-written policies that are easy to understand and apply to the context they govern. They should be in a consistent writing style, maintained, and monitored. Policies must be well-designed, well-written, consistent, maintained, and monitored, as they provide the foundation for the Human Firewall.
- Policy Engagement. More than well-written and maintained policies are needed; they must also be communicated and engaged with the workforce. It does the organization no good, and can actually be a legal liability, to have policies that establish conduct that is not communicated and engaged to the workforce. All policies should be in a common corporate policy portal to be easily accessed and have a regular communication and engagement plan.
- Training. The next part of the Human Firewall is training. Individuals need training on policies and procedures on proper and improper conduct in the organization’s processes, transactions, and interactions. Training applies policies to real-world contexts and aids understanding, strengthening the Human Firewall.
- Assessments & Controls. Employees at all levels of the organization need a simplified and engaging user experience to answer GRC-related questions on objectives, risks, and controls.
- Dashboards and Reporting. From executives to operational management, risk owners need easily understood and accessible insight into the status of objectives, risks, controls, and issues.
- Issue Reporting. Things will go wrong. Bad decisions will be made, inadvertent mistakes will happen, and the malicious insider will do something wrong. Part of the Human Firewall is providing mechanisms such as hotlines, whistle-blower systems, management reports, and other mechanisms of issue reporting for the employees in the front-office and back-office can report where things are breaking down or going wrong before they become significant issues for the organization.
- Extended Enterprise. Brick-and-mortar walls and traditional employees do not define the modern organization. The modern organization is an extended web of relationships: suppliers, vendors, outsourcers, service providers, consultants, temporary workers, contractors, and more. You walk down the halls of an organization, and half the people you walk by, the insiders, are no longer employees. They are third-parties. The Human Firewall also has to extend across these individuals, a core part of the organization’s processes. Policies, training, and issue reporting should encompass the web of third-party relationships that shape and form today’s organization.
Where are you at in building, maintaining, and nurturing your organization’s Human Firewall to improve GRC Engagement?