Managing Integrity Through GRC Engagement of Employees

Organizations are caught in a vortex of uncertainty in risk and compliance as they strive to be bastions of integrity in the midst of chaos. In the midst of a global pandemic, economic uncertainty, racial justice tensions, and employee concerns, organizations are trying to hold fast to, as well as enhance, their corporate culture. They seek to achieve corporate integrity by fostering a culture of accountability, social responsibility, and employee engagement with the organization's values, from the top of the organizational hierarchy down to its front lines.

“We are what we repeatedly do. Excellence then, is not an act, but a habit.”

Aristotle

Integrity itself is not something written on paper, but something that is lived and breathed in the organization.

Integrity is a mirror reflecting what the organization truly is. Does the mirror show an organization that . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

How to Tie a Compliance & Ethics Bow Tie

Compliance and ethics are a growing challenge and concern in organizations.

Faced with increasing regulatory change, enforcement actions, audits and exams, and liability and exposure, compliance and ethics is in the midst of evolving and maturing. Compliance and ethics is moving from the stigma of being ‘the corporate cop’ to being the bastion of the organization's integrity, guiding culture and conduct in the context of the organization's obligations and values. I have stated for fifteen years that the Chief Compliance Officer (CCO)/Chief Ethics & Compliance Officer (CECO) is really the Chief Integrity Officer of the organization.

Compliance and ethics is becoming more established as its own function, with its own budget, and direct reporting to senior executives and boards of directors. In many organizations across industries, compliance and ethics is being moved out of the bowels of the legal department to operate independently, but collaboratively, with legal.

As part of this process of growing and maturing, we are seeing an increased focus on what constitutes an effective compliance and ethics program. One element that is getting a lot of attention, but also produces a lot of confusion, is the requirement to take a risk-based approach to compliance and ethics. Most compliance professionals have a history of focusing on checklists and requirements and are unfamiliar with how to do a risk assessment.

Consider the following . . .

  • Principles/Outcome-Based Regulation. What started years ago in the UK FSA moved to the EU with its Better Regulation policy, striving for principles/outcome-based regulation. This approach focuses on outcomes rather than on prescriptive checklists of requirements. The way one organization approaches compliance may differ from another, but it is the outcome that matters. This requires a risk-based approach to compliance: identifying, analyzing, and managing compliance risk.
  • ISO 19600:2014 – Compliance Management Systems. The international standard for compliance takes a risk-based approach to compliance and requires a compliance risk assessment to identify, analyze, evaluate, and treat compliance risks.
  • U.S.S.C. Sentencing of Organizations. The United States Sentencing Commission, in its Organizational Sentencing Guidelines, lays out the elements of an effective compliance program for courts to use in measuring an organization's culpability and therefore its penalties. It requires that “the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.”
  • U.S. DoJ Evaluation of Compliance Programs. The most recent update to the U.S. Department of Justice guidance on the Evaluation of Compliance Programs keeps a risk-based approach to compliance front and center. Risk is mentioned 53 times in this guidance. Specifically, “Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?”

In my Compliance Management by Design Workshops as well as inquiries, I am frequently asked by compliance and ethics professionals how they should manage and assess risk. Most of these professionals have a legal background and have not been trained in how to do a risk assessment. My recommendation, and an exercise I work on with attendees in workshops, is to do a bow-tie risk assessment.

I love bow-ties: both the kind you wear and the ones you use to assess risk. When most people think of risk management they think of numbers and complex models, and those are good and important. Myself, I am a visual person. My father was an accountant, my brother is an accountant, I went to law school. I like words and pictures over math. A bow-tie risk assessment provides a visual picture and assessment of risk that helps organizations think outside the box and engages both the left and right-brains. I am not downplaying the numbers side, that is still important and bow-ties can and do tie in the quantified analysis.

A bow-tie risk assessment gets its name as it takes the shape of a bow-tie:

  • The knot is the risk. The center of the bow tie is the knot which is the risk you are evaluating. From a compliance and ethics point of view, this can be many things, so before you do a bow-tie you have to identify your risks (knots) that need to be evaluated. You can have separate knots for bribery/corruption, fraud, anti-trust, harassment, discrimination, privacy, money-laundering, and many more. The knot can be very specific, if you would like, such as the risk of bribery/corruption in a specific project or geography or it can be more general.
  • The left side of the tie is the source of the risk. Stemming off the knot to the left, you focus on the sources or causes of the risk. What can cause bribery/corruption? What could cause harassment/discrimination? You label each cause and connect it to the knot (risk). Then you identify the preventive and detective controls placed between the cause and the knot that reduce the likelihood of that cause leading to the event.
  • The right side of the tie is the consequences of the risk. On this side, you identify the consequences/outcomes of an actual event happening. These can be regulatory fines, civil action, brand/reputation damage, loss of revenue, loss of employees, morale, and more. After identifying the consequences, you place detective and responsive controls between the knot and each consequence to reduce the damage and exposure from that outcome.
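The three parts of the bow-tie lend themselves to a simple structured model. As an added example (not code from the original post, and not the format of any particular GRC tool), the Python below models the knot, the causes with their controls, and the consequences with their controls, and adds one check a practitioner wants before presenting a bow-tie: which causes have no preventive barrier at all and which consequences have no responsive barrier. The risk, causes, consequences and control names are constructed sample content, not an assessment of any real organization.

```python
# Added illustration of the bow-tie structure described above; not code from
# the GRC 20/20 post. The risk, causes, consequences and control names below
# are constructed sample content, not an assessment of any real organization.
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    kind: str  # "preventive", "detective" or "responsive"


@dataclass
class Cause:
    """Left side: a source of the risk, with the controls placed between it and the knot."""
    name: str
    controls: list = field(default_factory=list)


@dataclass
class Consequence:
    """Right side: an outcome of the event, with the controls placed after the knot."""
    name: str
    controls: list = field(default_factory=list)


@dataclass
class BowTie:
    risk: str  # the knot
    causes: list = field(default_factory=list)
    consequences: list = field(default_factory=list)

    def gaps(self):
        """List every cause lacking a preventive control and every consequence
        lacking a responsive control. A detective control on its own neither
        stops a cause from reaching the knot nor contains an outcome, so it
        does not close a gap here."""
        missing = []
        for cause in self.causes:
            if not any(c.kind == "preventive" for c in cause.controls):
                missing.append(("cause", cause.name))
        for outcome in self.consequences:
            if not any(c.kind == "responsive" for c in outcome.controls):
                missing.append(("consequence", outcome.name))
        return missing

    def render(self):
        """Text rendering: one line per cause and per consequence, controls in brackets."""
        lines = []
        for cause in self.causes:
            barriers = ", ".join(f"{c.name} ({c.kind})" for c in cause.controls) or "no controls"
            lines.append(f"{cause.name} -> [{barriers}] -> ({self.risk})")
        for outcome in self.consequences:
            barriers = ", ".join(f"{c.name} ({c.kind})" for c in outcome.controls) or "no controls"
            lines.append(f"({self.risk}) -> [{barriers}] -> {outcome.name}")
        return "\n".join(lines)


def sample_bowtie():
    """Constructed example: bribery/corruption risk in third-party sales agents."""
    return BowTie(
        risk="Bribery/corruption via third-party sales agents",
        causes=[
            Cause("Agent commissions above market rate", [
                Control("Commission cap with compliance approval", "preventive"),
                Control("Payment analytics on agent disbursements", "detective"),
            ]),
            # Only a detective control here, so gaps() flags this cause.
            Cause("Gifts and hospitality for government officials", [
                Control("Gift register review", "detective"),
            ]),
        ],
        consequences=[
            Consequence("Regulatory fine / enforcement action", [
                Control("Self-disclosure and cooperation protocol", "responsive"),
            ]),
            # Only a detective control here, so gaps() flags this consequence.
            Consequence("Brand and reputation damage", [
                Control("Media monitoring", "detective"),
            ]),
        ],
    )


if __name__ == "__main__":
    bt = sample_bowtie()
    print(bt.render())
    print("gaps:", bt.gaps())
```

The `gaps()` check is deliberately strict about control type: a cause that is only watched, not prevented, and a consequence that is only detected, not responded to, both show up as open ends of the bow-tie, which is exactly the conversation a workshop facilitator wants the room to have before anyone starts attaching likelihood or impact numbers.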

There is a lot more detail I can go into here on how to do this, but it would go beyond the length of a blog to fully summarize. I am delighted to interact and discuss the benefits and use of bow-tie risk assessments. There are a range of technology solutions I cover in the market as part of my research and analysis that facilitate this format and approach to risk assessment.

Agile and Integrated Compliance: Managing Compliance in Dynamic Business

Compliance is Not Easy

Organizations across industries have global clients, partners, and business operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants, and staffing) their compliance risk profile grows exponentially.

The dynamic and global nature of business is challenging for managing compliance. Compliance activities managed in silos often lead to the inevitable failure of an organization's compliance program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its environment.

Compliance obligations and ethical risk are like the hydra of mythology—organizations combat . . .

[the rest of this blog can be found on the CURA website where GRC 20/20’s Michael Rasmussen is a guest author]

The GRC Pundit Podcast: Toni Villanen of Majid Al Futtaim

In this podcast The GRC Pundit of GRC 20/20 Research, LLC interviews Toni Villanen of Majid Al Futtaim to discuss #riskmanagement #ERM #ORM #GRC – where it has been, where it is now, and where it is going. 

In this podcast, we discuss the challenges today in risk management, how COVID-19 is changing risk management, and how organizations need to engage the front-office (first-line) of the organization in risk management. We also interact on the need for greater risk integration, aggregation, reporting, and the use of bow-tie risk assessments. 

Policy Management and Remote Work: Adapting to the New Normal

The COVID-19 pandemic has changed everything. What started as a health and safety risk has had a domino impact of other risks that have resulted in changed business practices, processes, objectives, and expectations.

One critical area of impact is the proliferation and support of remote workers. Coming out of the pandemic, it is safe to say that working from home is going to remain a common practice for most organizations, and for some, a primary practice.

For me, this does not change much. I have been working from a remote home office for going on 25 years. I work best from home, but, this is not the case for everyone—for many, remote working is very new and confusing.

Corporate policy confusion

One area of confusion is corporate policies. Over the past three months of quarantine, I have talked to dozens of organizations that are struggling with policy management. As they aim to . . .

[The rest of this blog can be found on the Workvia blog where GRC 20/20’s Michael Rasmussen is a guest blogger]

GRC Pundit Podcast: ING GRC Orchestrate Project

In this podcast The GRC Pundit interviews Ian Hollowbread and Mukund Umalkar of ING to discuss the future of GRC technology and their GRC Orchestrate Project.

I have a dream. It is futuristic, but realistic. It involves a Star Trek chair and a bank of monitors. It would involve tracking the global flow of funds in close to real time, in much the same way as happens with global weather systems and global internet traffic. Its centerpiece would be a global map of financial flows, charting spill overs and correlations.

Andy Haldane, Bank of England Chief Economist

Take this quote from Andy Haldane of the Bank of England and replace ‘flow of funds’ with ‘risk and compliance’ and you have the exact concept of what ING Labs is architecting with their GRC Orchestrate Project led by Ian Hollowbread and Mukund Umalkar.

Orchestrate is intended to operate as a new entity, offering the market a RegTech platform similar to an ‘App Store’ where pre-validated RegTech solutions can be found and consumed, and providing a technology framework for these solutions to connect seamlessly with each other and alongside existing legacy architecture. Orchestrate aims to remove unnecessary complexity in a world of constant change, support digital transformation, and help deliver ‘end-to-end’ enterprise compliance.

Their key design principles of Orchestrate are:

  • Customers – open and accessible, client-centric design principles
  • Culture – user experience first, agile and change resistant
  • Connection – modular thinking, simple and homogenous, ecosystem agnostic

Want to learn more? Listen to this episode of The GRC Pundit Podcast as The GRC Pundit interviews Ian Hollowbread and Mukund Umalkar on this fascinating project . . .

Next Generation Corporate Compliance & Ethics Architecture

Compliance and ethics have become a critical challenge in organizations around the world. Faced with growing regulatory change, increased enforcement actions, and a greater focus on the social responsibility and accountability of organizations, compliance and ethics management has become a front and center issue. Compliance and ethics departments are grappling with the challenges of conduct, bribery and corruption, insider trading, anti-trust, harassment, discrimination, privacy, and more. They need a coordinated strategy and process supported by an integrated information and technology architecture.

Recent developments, such as last month’s Department of Justice Evaluation of Corporate Compliance Programs guidance, are putting greater emphasis on having robust insight, reporting, and analytics on compliance. Compliance and ethics departments have been plagued with manual processes encumbered by documents, spreadsheets, and emails. One organization that GRC 20/20 talked to was spending 200 employee hours to build an annual report on compliance. That is not managing compliance, that is reacting. Compliance and ethics issues that had started eleven months earlier were not contained, and the organization was unaware of them for months.

The other challenge is that too many compliance and ethics departments are buying point solutions that focus just on one small problem and do not integrate to manage an overall compliance and ethics program. It is not uncommon to see an organization with manual processes as well as a range of point solutions deployed for managing niche aspects of compliance such as conflicts of interest, gifts and hospitality, and more. Having a bunch of software solutions that do not integrate leaves the organizations blind to insights and interrelationships of compliance risk and exposure.

Organizations need to start approaching corporate compliance and ethics through a strategy that delivers an integrated information and technology architecture for compliance, one in which the organization can mine, report on, and see the relationships between hotlines, cases, policies, assessments, forms, approvals, training, and due diligence. If these activities are siloed in manual processes or in point solutions that do not integrate, the organization is going to be blind-sided by issues, never find and get to root problems, or spend a massive amount of employee time manually reconciling information to uncover the relationships and root causes that need to be addressed.

Today’s compliance and ethics program needs a next generation information and technology architecture that delivers:

  • Engagement. Compliance is not about the back office of corporate compliance and ethics, but it is about the front-office. The organization needs a strong compliance and ethics portal, a singular portal, that delivers policies, training, issue reporting, compliance-related forms, communications, and reminders to employees (and relevant third parties). There should be one view for individuals to access all of this and not scattered point solutions.
  • Obligation management. The organization needs a systemized and organized way to define, manage, and monitor all of their compliance and ethics obligations. This includes laws, regulations, contractual commitments, ethical principles, social accountability, and more. Consider that global financial services firms alone are dealing with over 200 regulatory change events every business day. Organizations need a way to document new and existing obligations and manage those as they impact policies, training, assessments, cases, and more.
  • Assessments. Organizations need a streamlined approach to manage compliance and ethics assessments. This includes self-assessments, checklists, quizzes, surveys, workpapers, and questionnaires. These are used by both the back-office of compliance and ethics management as well as the gathering information from all levels of the organization to assess compliance.
  • Compliance risk management. There is greater pressure on organizations to show how they have identified, analyzed, addressed, and monitored compliance risk. The organization today needs compliance risk technology to identify and assess risk. There needs to be a central inventory of compliance risks and detailed assessments and analysis of these risks. The best risk management methodology for compliance risk assessments is the bow-tie risk assessment (I will be blogging on How to Tie a Compliance Bow-Tie in the next few weeks).
  • Policy management. Policies are the center of compliance and ethics. Everything relates back to policies. In the new DoJ guidance, policies were referenced over 30 times throughout the document. Organizations have to have structured approaches to inventory, develop, manage, monitor, communicate, and maintain policies. This requires defined workflows and notification capabilities. Many organizations are looking for collaborative policy authoring technologies to allow multiple roles to work on the same policy at the same time and see changes and comments in real-time without document checkin and checkout. These policies need to be accessible to individuals in a portal (back to engagement above). Many compliance and ethics departments are now leading a cross-organization strategy in enterprise policy management to ensure every policy is managed and maintained consistently.
  • Training management. Linked to policies is training management. Training is done on policies. I do not think you will find any compliance and ethics training that is disconnected from a policy. As a result, organizations are looking for solutions that integrate policy and training management into the same portal. Where employees can read a policy and take the training in the same portal and interface without jumping to different systems. There is also a need to be able to manage compliance communications and campaigns that might bundle elements together, and manage the communications and activities over the calendar year.
  • Compliance forms and disclosure management. Compliance has tons of forms. Forms that have to be filled out by individuals and routed for review and approval/disapproval. Forms such as conflicts of interest, gifts and entertainment, and more. These are often referred to as disclosures, but forms can be more than that. This is an area where organizations make mistakes and purchase siloed solutions. They should be looking for an overall integrated solution that allows for the creation and management of the range of compliance forms and disclosures. These also connect with policies and training, as well as hotlines and issue reporting.
  • Issue intake. The organization has to have the ability to intake and process compliance and ethics issues. Intake comes from a range of sources: hotlines, anonymous web reporting, customer complaints (and other complaints), and management reports. The organization needs structured forms and processes to intake issues and filter them into a review and triage process that identifies the cases that need to be responded to.
  • Case management. Investigations are a key function of compliance and ethics professionals. The organization has to have structured and documented investigations on how a case was reported, investigated, and resolved. This is a critical piece of a strong compliance and ethics architecture, and information from cases should cross-reference and identify where assessments were missed, policies were violated, training not effective. Insight into issues and cases provides critical information to address the whole compliance and ethics program.
  • Third party management. The modern organization is not defined by brick-and-mortar business and traditional employees. It is a complex web of suppliers, vendors, outsourcers, service providers, consultants, contractors, temporary workers, brokers, agents, dealers, and intermediaries. Compliance and ethics issues within third parties are the issues of the organization. This requires structured compliance and ethics processes across onboarding, ongoing monitoring, and offboarding of third parties, with due diligence, assessments, policy attestations, training, and issue reporting.
  • Regulatory exam and audit management. Compliance regularly comes under the scrutiny of external audits and regulatory exams. A key piece of a compliance information and technology architecture is the management and documentation of audits and exams.
  • Reporting, analytics, and dashboards. The key focus for many right now is the ability to have real-time insight and reporting into compliance and ethics management. The recent DoJ guidance specifically challenges organizations on this capability. Strong reporting and analytics require an integrated information architecture that can see across all of the areas listed here and the complex relationships between them. Organizations need 360° situational awareness of compliance and ethics across all of these areas. This cannot be achieved with manual processes or siloed applications for compliance.
  • Compliance program and project management. Compliance and ethics is challenging. There are a lot of assessments, changes, and things to monitor. The compliance and ethics department needs an overall command and control center to see all compliance projects, tasks, assessments, and activities; to manage compliance personnel and see their workload and specialties; and to identify who can address a new development or issue. When the organization is in the midst of significant change, such as a merger or acquisition, it needs to be able to manage that change as an overall project with tasks, activities, deadlines, and dependencies.
  • Evidence trail. Compliance today has to be more than well-written policies and fiction. Compliance and ethics needs to be a reality. Regulators, law enforcement, opposing counsel in a lawsuit, auditors . . . they want you to demonstrate compliance. Organizations need structured and defensible records of all compliance activities and interactions. Documents, spreadsheets, and emails do not deliver this: records kept in documents, spreadsheets, and emails can be manufactured after the fact. What is needed today is a defensible audit trail and system of record, with non-repudiation, that can stand up in court.
  • Mobility. We started with engagement, and we will end with engagement. Mobility is a key aspect of all of this. Compliance interfaces for policies, training, forms/disclosures, and issue reporting are all needed on smartphone and tablet interfaces to engage employees wherever and whenever they are.

There is a lot more that can be added to this, and each of these areas listed has a whole range of requirements that are needed in today’s compliance and ethics function. This is just a summary to paint the big picture. A big picture that should indicate that compliance and ethics processes need to be approached strategically with an integrated information and technology architecture. The organization approaching this in manual processes or siloed solutions that do not integrate are headed toward the INEVITABILITY OF FAILURE.

GRC 20/20 is a research and analyst organization that specializes in evaluating and understanding the range of governance, risk management, and compliance solutions available in the market. If you have questions on compliance and ethics strategy, process, and technology in your organization . . . use our complimentary inquiry form to ask us your question as we objectively cover what is available across the market and what differentiates different players. Our focus and experience specializes in corporate compliance and ethics. Solution and service providers can request a briefing to update us on their solution.


Upcoming Webinar . . .

July 30 @ 10:00 am – 11:00 am CDT 

Why Policy Management Matters

Online Webinar

Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. When an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance culture and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take […]

At the Cross-roads: A Tale of Four Third Party GRC/Risk Management Roads to Travel

The naturalist John Muir stated, “When one tugs at a single thing in nature, he finds it attached to the rest of the world.” This not only applies to nature but also to the reality of the Extended Enterprise in today’s complex and interconnected world. What seems to be one third-party risk cascades and interconnects with a variety of other third-party risks and relationships.

Recently I was talking with a global automobile manufacturer about their third-party risk program. Their challenge was that they needed a fully integrated view of third-party risk. Over half of their operations are no longer defined by brick-and-mortar walls and employees, but by an array of suppliers, vendors, outsourcers, service providers, contractors, consultants, and more. These third parties work on and are part of internal processes and transactions that employees traditionally filled. When it came to governing and managing risk in these relationships, they felt exposed because they did not have a holistic view of third-party risk. Different departments (IT security, procurement, legal, compliance, and others) each had their own view of risk, but no one had the complete or aggregate view of risk in any relationship.

Organizations today need a holistic 360° view into third-party risk to be able to see the aggregate view of risk in any one relationship as well as across relationships. The challenge is they often select the wrong technology architecture to support an integrated view of risk . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ARAVO BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Driving Efficiency into Compliance & Ethics Processes: Time Saved = Money Saved

Managing compliance and ethics has become a complex web of processes and information. The modern organization is constantly changing: new employees, shifting employees and responsibilities, evolving business processes, new and changed regulations/obligations, growing ethical concerns, and greater scrutiny from stakeholders, customers, law enforcement, and regulators.

The challenge of compliance and ethics grows more confusing when you look at the scattered approaches and departments. An organization may have a Chief Ethics and Compliance Officer (CECO), but compliance can be scattered. The CECO may be focused on code of conduct, anti-trust, anti-bribery and corruption, conflicts of interest, and more. But other departments have their compliance concerns and approaches such as human resources, information security, privacy, quality, environmental, health and safety, and more.

At the core, there are very similar processes for compliance assessment, issue reporting and hotlines, policy and training management, and case management . . . but each . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Compliance & Ethics is Rapidly Evolving

Evolution and change happen: sometimes slowly, sometimes rapidly. In the context of compliance and ethics programs, we are seeing a significant and rapid evolution of what is expected of organizations. Organizations are required to have a structured and functional compliance and ethics program that monitors compliance continuously in the context of operations, transactions, and people. A program that is no longer bound by manual processes and point-in-time evaluations, but one that is built on a common strategy, process, and technology architecture to deliver 360° contextual and situational awareness of compliance and ethics.

This is evident in, and being driven forward, by the recent United States Department of Justice (DoJ) guidance on the Evaluation of Corporate Compliance Programs. The DoJ has regularly provided guidance on what is expected of compliance programs. They released guidance in 2017, then again in 2019, and now the latest in June 2020. They have also released previous guidance in specific compliance areas such as anti-bribery and corruption with expectations in the context of the U.S. Foreign Corrupt Practices Act.

The DoJ guidance governs criminal compliance actions against organizations. But do not let this limit your understanding and the influence of this guidance. The influence of this guidance is broad and applies across industries, across organizations of various size and scale, and has a cascading impact on other jurisdictions, enforcement agencies, and regulators globally. The DoJ guidance has a symbiotic impact and influence that integrates with the U.S. Sentencing Commission Organization Sentencing Guidelines, and influences and filters into the guidance and exams of regulators. It has a global impact as it sets the benchmark and requirements of firms that operate in the U.S. but have to structure compliance programs around the world.

This latest guidance, in a nutshell, requires that organizations have a cohesive compliance strategy, process, and, in particular, technology architecture. The strategy and process requirements are spelled out in the document, with one of the most significant changes being the revision of the second of the three key questions that frame the evaluation of compliance programs:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

The second key question specifically added the words ‘adequately resourced and empowered.’ Organizations cannot get by with a token compliance and ethics program; they have to demonstrate a commitment to compliance in which proper funding, resources, and staff are provided to ensure that the organization stays within the boundaries of law and regulation.

What is very apparent throughout the document is that this empowerment of compliance programs can no longer be served by manual processes with documents, spreadsheets, and emails. Organizations need a compliance technology architecture that delivers real-time visibility into compliance in the context of operations and transactions. Point-in-time assessments are not good enough. A thorough and defensible audit trail and system of record is also needed for compliance, something that documents, spreadsheets, and emails fail to provide, as they do not have a strong audit trail that is defensible in court. It is too easy to manufacture evidence of compliance in documents, spreadsheets, and emails, and regulators and enforcement agencies are homing in on this.

The guidance specifically points out that prosecutors are to examine “the comprehensiveness of the compliance program” to ensure the program is:

  • Well-integrated into the company’s operations and workforce
  • Based upon continuous access to operational data and information across functions (as opposed to point-in-time assessments that only provide a periodic review limited to a snapshot in time)
  • Operationally integrated with policies in the context of employees’ roles/functions and the internal control systems
  • Governed with third-party management that is risk-based and integrated
  • Effectively implemented, reviewed, and revised, as appropriate, in an effective manner and is not simply a “paper [document] program”

Some key components to an effective compliance program that the guidance is looking for are:

  • Policy management. The words ‘policies’ or ‘policy’ are mentioned 31 times in the 20 pages of the document. Organizations need to have defined policy management processes, supported by strong technology, to manage policies and engage employees on policies. There is a whole section in the document on policies, but references to policies run throughout the document. Policies are the backbone of a compliance and ethics program and need to be managed, communicated, and maintained in organizations. Without policies, the entire compliance and ethics program falls apart. They are the foundation everything is built upon, and they intersect with and support other parts of the compliance program such as third parties, hotlines/reporting, cases/investigations . . . it all comes back to what the policies are. Specifically, the guidance requires:
    • Policies are properly designed and maintained
    • Policies are comprehensive and monitored
    • Policies are accessible and in a searchable format [in a portal]
    • Policies are operationally integrated
    • Policies have an evidence trail of who interacted with them, not just who attested to them. The guidance wants to know whether the organization can show how often and by whom policies were accessed on a portal: a documented evidence trail of interaction on policies. I was talking to a global organization (100,000 employees) earlier this week on this. They feel the DoJ guidance requires that they move from their SharePoint portals for policy to a defined policy management system with a structured process and reporting to meet these requirements.
  • Compliance risk management. The guidance requires that organizations have a structured approach to managing compliance risks, with risk identification, assessment, and maintenance of defined compliance risk profiles. Prosecutors are to consider the “effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on risk assessment.” My particular favorite compliance risk assessment methodology is a bow-tie risk assessment. The guidance requires that organizations have a:
    • Structured compliance risk management process
    • Risk-tailored resource allocation to focus on the most significant compliance risks
    • Regular updates and revision to compliance risk assessments
    • Lessons-learned process to minimize risk based on the company’s own experience as well as that of peers.
  • Training and communication. Individuals not only need to be aware of policies, but they also need to be properly trained on policies. Note the whole section on training and communication centers on policies. It boggles my mind why so many organizations have separate policy portals and training portals. Training, from a compliance and ethics perspective, is on policies. This means organizations should have a portal that brings policies and training together in the same portal. Policies drive the training, not the other way around. Training needs to be risk-based so that high-risk policies, in context with high-risk roles/functions, are properly trained in the context of the compliance risk exposure and policies.
  • Third-party management. The guidance is fully aware that the modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is the extended enterprise, with nested relationships of vendors, suppliers, contractors, outsourcers, service providers, consultants, temporary workers, brokers, agents, dealers, and intermediaries. The guidance specifically focuses on whether due diligence and third-party monitoring are done only during onboarding or throughout the lifecycle of the relationship. Organizations need to be able to manage and monitor compliance risk in third-party relationships for the duration of the relationship. The guidance also looks at whether compliance knows the rationale and purpose of the relationship, in addition to its risk. Organizations need “ongoing monitoring of the third-party relationships, be it through updated due diligence, audits, and/or annual compliance certifications by the third party.” This process needs to be risk-based and integrated, have appropriately functioning controls in the relationship, be properly managed and monitored, and demonstrate real actions and consequences when issues arise in third-party relationships.
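One way to produce the kind of defensible interaction trail described above for policies (who accessed what, how often, and who actually attested), as an added example that is not the article's or any vendor's code: a hash-chained log in which every entry is bound to the one before it, plus a verifier and a per-policy access report. The event fields, user names and policy identifiers are constructed for illustration.

```python
import hashlib
import json

# Constructed sample events (not from the article): who touched which policy, and how.
SAMPLE_EVENTS = [
    {"ts": "2020-06-08T09:01:00Z", "user": "alice", "policy": "POL-017", "action": "viewed"},
    {"ts": "2020-06-08T09:04:00Z", "user": "alice", "policy": "POL-017", "action": "attested"},
    {"ts": "2020-06-08T10:30:00Z", "user": "bob", "policy": "POL-003", "action": "viewed"},
    {"ts": "2020-06-09T14:12:00Z", "user": "carol", "policy": "POL-017", "action": "viewed"},
]
GENESIS = "0" * 64  # previous-hash value used for the very first entry


def append_event(chain, event):
    """Append an event, binding it to the previous entry's hash so the log is tamper-evident."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)  # canonical form so the hash is reproducible
    entry_hash = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    chain.append({"event": dict(event), "prev": prev_hash, "hash": entry_hash})
    return entry_hash


def build_chain(events):
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def verify_chain(chain):
    """Return (True, None) if every link checks out, else (False, index of the first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return False, i  # edited, inserted or deleted entry breaks the chain here
        prev_hash = entry["hash"]
    return True, None


def access_report(chain):
    """Per policy: how many interactions, by whom, and who actually attested."""
    report = {}
    for entry in chain:
        ev = entry["event"]
        rec = report.setdefault(ev["policy"], {"interactions": 0, "users": set(), "attested": set()})
        rec["interactions"] += 1
        rec["users"].add(ev["user"])
        if ev["action"] == "attested":
            rec["attested"].add(ev["user"])
    return report
```

Because each hash covers the previous one, retroactively changing an access record into an attestation, or deleting an inconvenient entry, is detected by verify_chain. The latest hash still has to be anchored somewhere the log's writers cannot alter (a signed or externally stored checkpoint), otherwise someone with write access could simply rebuild the whole chain.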

These are some highlights; other areas that the document covers include:

  • Hotlines and reporting – confidential reporting structures and investigation process
  • Compliance in the context of mergers and acquisitions
  • Compliance commitment by senior and middle management
  • The autonomy of the compliance function
  • Incentives and disciplinary measures
  • Whether the compliance program works in practice
  • Continuous improvement, periodic testing, and review
  • Role of internal audit
  • Investigations of misconduct
  • Analysis and remediation of any underlying misconduct with a root cause analysis

Is your compliance and ethics program up to the task of meeting the DoJ evaluation guidance? Do you have the strategy, process, and technology to deliver and operationally integrate compliance in your organization?

I am seeing a huge focus right now in response to this guidance and other compliance demands that is causing a rapid evolution and maturity in compliance strategy, process, and particularly a comprehensive technology architecture that can deliver a 360° contextual and situational awareness of compliance and ethics.