Managing Risk Creatively & Structurally

I think best in the abstract and imaginative. My mind is wired to be more intuitive and see relationships and images. I am more like my mother. My brother, he is like my father – wired for math and numbers. I have been competent with math, but it is not what engages me. While my father and brother were CPAs, I pursued theology and law. Just like we are left or right-handed in our dexterity, we also tend to be either left-brained (structured and analytical thinker) or right-brained (unstructured and creative). I would like to think that I am ambidextrous in my brain, but I know I favor the right side of my brain. 

When we think of risk management we often think of structured approaches with complex models, mathematics, and analytics. We dive into the world of Monte Carlo analysis, and Bayesian modeling. There are calculations such as Capital at Risk (CaR) or Value at Risk (VaR). The field of risk management has been dominated by left-brain thinking. Does being a right-brain thinker make me bad for risk management? I do not think so.

Let’s step back and look at what risk management is. If we use the ISO 31000 definition of risk: risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. My objective could be to cross the street; from there I analyze and look at the uncertainty in crossing the street. Is the light red or green? Is there oncoming traffic or other moving threats? How fast are the threats coming? Does it look like they see the light? What are the conditions of the road? Is it slippery or dry? We analyze risk in the context of the objectives.

In the business world, we have all sorts of objectives. They can be strategic, entity-level objectives for profit, growth, or expansion. They could be division or department objectives. They can then drill down into process, project, or even asset-level objectives. We need to understand and manage the risk (uncertainty) in achieving those objectives. This requires both left-brain and right-brain risk thinking.

Historically, risk management has been dominated by left-brain thinking on risk. We have structured risk models, simulations, and analysis. We try to put uncertainty/risk in a box. As long as that box roughly resembles reality, our analysis is to some degree fairly sound. Good risk management requires structured thinking about risk and using models. As Sir Arthur Conan Doyle stated, “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”

I argue that this is not enough. Good risk management does need structured data and analysis, but it also needs to think about risk creatively. Business is complex and dynamic. There are so many variables that can hinder us from achieving objectives. Some of these can be fairly evident and common sense; some can be very abstract, remote, and down in the weeds of the organization. That requires creatively thinking about risk and risk event scenarios. Look at the world around you: what started as a health and safety risk in Asia has had a great impact on objectives at all levels around the world. It has cascaded and increased risk exposure to objectives; it has increased risk exposure to IT security, physical security, morale, harassment and discrimination, fraud, bribery and corruption, and more [check out my blog on this from last week: The Pandemic & the Dominos of Risk Interconnectedness]. This requires us to intuitively explore the complex relationships of risks to other risks and objectives. In the words of Alvin Toffler, “You can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.”

Creatively thinking about risk requires good risk models from the structured risk thinkers, but then to think outside the box on how those models break down or what they do not cover. Right-brain risk thinking involves a lot of visuals of risk and going through risk scenarios. From a risk analysis point of view, I love bow-tie risk assessments. Monte Carlo simulations and such are valuable, but they also put me to sleep. I love the mind mapping analysis of a bow-tie risk assessment to visually analyze causes and effects, come up with things that are being missed, and look for ways to mitigate, transfer, and manage that risk to an objective.

Technology enables not only the left-brain structured risk thinkers but also the right-brain creative risk thinkers. Some key things to look for in enterprise risk management technology are:

  • Performance management. Any good risk management solution does not start with risk but starts with performance. What are the objectives the organization is trying to achieve and then what are the risks to those objectives? Again, these can be entity, division, department, process, project, or asset level objectives.
  • Risk mapping. Can the solution enable multi-dimensional mapping of risk and objective relationships in a many-to-many fashion?
  • Risk visualization. Does the solution deliver rich risk visualizations, maps, charts, graphs, and modeling to engage both the left and right-brain risk thinkers?
  • Risk quantification. Does the solution deliver structured risk analysis through things like Monte Carlo simulations that can give you solid objective information on risk probability and impact?
  • Risk scenarios. Does the solution allow you to create multiple risk scenarios and document and measure multiple impacts and exposure to a risk event to look at various outcomes on different scales?
  • Risk normalization and aggregation. This often gets missed. Does the solution allow for risk normalization and aggregation? What happens when one department’s/project’s high risk is comparable to another department’s/project’s low risk? From an enterprise risk management perspective, it is necessary to be able to compare apples to apples and not apples to oranges.
  • Risk workshops. Can the solution support and deliver in-person or virtual risk workshops to analyze and work through risk scenarios collaboratively?
  • Risk creativity. This last one is hard to define specifically, as it is abstract itself. Simply, how does the solution enable and engage right-brain risk thinkers to see a lot of pieces/elements of risk in different ways to identify complex outcomes and interdependencies?
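Two of those criteria, risk normalization/aggregation and many-to-many risk-to-objective mapping, in working code. This is an added example, not code from the original post or from any GRC product: the department scales, the sample risks and objectives, and the 1 - prod(1 - e) combination rule are all constructed assumptions.

```python
"""Added example (not from the original post): normalize risk scores that
departments rate on different scales, map risks to objectives many-to-many,
and aggregate exposure per objective so the enterprise compares apples to
apples. Every scale, risk, objective and the combination rule is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: each department scores likelihood and impact on its own scale.
DEPARTMENT_SCALES: Dict[str, int] = {"IT": 5, "Finance": 10, "Operations": 3}


@dataclass
class Risk:
    name: str
    department: str
    likelihood: int        # on the department's own 1..max scale
    impact: int            # on the department's own 1..max scale
    objectives: List[str]  # many-to-many: one risk can threaten several objectives


def normalize(score: int, scale_max: int) -> float:
    """Map a 1..scale_max score onto 0.0..1.0. A raw '3' is the top of a 1..3
    scale but near the bottom of a 1..10 scale; this makes them comparable."""
    if scale_max < 2 or not 1 <= score <= scale_max:
        raise ValueError(f"score {score} is outside 1..{scale_max}")
    return (score - 1) / (scale_max - 1)


def normalized_exposure(risk: Risk) -> float:
    """Likelihood x impact after both are put on the common 0..1 scale."""
    scale_max = DEPARTMENT_SCALES[risk.department]
    return normalize(risk.likelihood, scale_max) * normalize(risk.impact, scale_max)


def aggregate_by_objective(risks: List[Risk]) -> Dict[str, float]:
    """Roll normalized exposure up onto each objective. Assumption: exposures
    combine as 1 - prod(1 - e_i), so several moderate risks to one objective
    compound instead of simply adding (and the total never exceeds 1.0)."""
    combined: Dict[str, float] = {}
    for risk in risks:
        e = normalized_exposure(risk)
        for objective in risk.objectives:
            combined[objective] = 1.0 - (1.0 - combined.get(objective, 0.0)) * (1.0 - e)
    return combined


def rank_objectives(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Objectives most at risk first: the view a top-down ERM program wants."""
    return sorted(aggregate_by_objective(risks).items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample register: three departments, three objectives, many-to-many.
SAMPLE_RISKS = [
    Risk("Ransomware on remote endpoints", "IT", 4, 5,
         ["Grow revenue 10%", "Protect customer data"]),
    Risk("Key supplier insolvency", "Finance", 7, 10,
         ["Grow revenue 10%", "Launch product in Q3"]),
    Risk("Key staff unavailable (illness)", "Operations", 3, 2,
         ["Launch product in Q3"]),
]

if __name__ == "__main__":
    for objective, exposure in rank_objectives(SAMPLE_RISKS):
        print(f"{objective:<25} {exposure:.2f}")
```

Note that the Operations risk scored "3" is the top of its scale while a Finance "3" would normalize to 0.22; that difference is exactly what gets lost when raw scores are aggregated without normalization.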

What type of risk thinker are you? Left-brain or right-brain? I would love to hear your thoughts on this.

BTW – as an analyst, I cover the range of GRC solutions in the market. I can always be engaged through inquiry to interact and discuss which solutions I see delivering on these and other relevant criteria for risk management.


Upcoming Webinars . . .

The Future of Compliance: A Virtual Summit

  • June 17 @ 7:00 am – 11:30 am CDT – COVID-19 has challenged companies and their compliance departments in unprecedented ways. Without your expertise as a compliance professional when it comes to the people, processes, and technology needed to ensure continued collaboration? The business ecosystem could literally break down overnight. The governance, risk and compliance community is going to lead the way out of this […]

Risk Management to Support Operational Resilience

  • June 17 @ 11:00 am – 12:00 pm CDT – Speaker: Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 27+ years of experience, Michael helps organizations improve […]

Adapting to Pandemic Disruption: TPRM Lessons Learned

  • June 18 @ 9:00 am – 10:00 am CDT – Now more than ever, companies rely on suppliers for key business functions. In the midst of disruption, it’s critical to have a third-party risk management (TPRM) program to pinpoint at-risk suppliers and help your organization minimize risk, all while improving business resilience. To achieve this, organizations need an integrated view across all risk domains, including […]

How COVID-19 Learnings Will Shape the New Normal of Risk Management

  • June 18 @ 11:00 am – 12:00 pm BST – Thursday 18th of June – 11am BST (London) / 8pm AEST (Sydney) Join Michael Rasmussen and David Tattam as they share their views on how risk management will change as a result of our very real and often sobering COVID-19 experiences. In this webinar, we’ll cover: What the “new normal” will look like for risk […]

Minimize Growing Data Risks: Best Practices for Legal Leaders

  • June 24 @ 12:30 am – 1:00 am CDT – In the coming months Legal Leaders will be tested with a variety of challenges around how businesses are managing their data. More remote workers means that more data is stored in the cloud. New data privacy laws (CCPA, GDPR) mean additional requirements for managing data. In this upcoming webcast, hear from legal leaders like yourself […]

Why Policy Management Matters

  • July 30 @ 10:00 am – 11:00 am CDT – Speaker: Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 27+ years of experience, Michael helps organizations improve […]

Privacy, Pandemics, and Business Change…OH MY!!!

The world is in turbulence all around us. What started as a health and safety issue in Asia has had a cascading impact around the world. Economic uncertainty, health and safety, work from home, IT security issues, continuity, and operational resiliency…it is like an intricate pattern of dominos falling over.

In response to the pandemic, business has changed. Business processes have changed, organizations are supporting remote home working on a huge scale, and economic and health constraints have businesses operating with a reduced workforce, with employees sharing responsibilities and wearing multiple hats. A time of change and crisis leads to compliance exposure.

One critical area of compliance risk exposure is privacy compliance. As business processes change in context of the pandemic, the flow and use of personal information has also changed.

The pandemic’s threats to data privacy

Access to personal data is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Pandemic & the Dominos of Risk Interconnectedness

Risk, according to ISO 31000, is “the effect of uncertainty on objectives.” Uncertainty is all around us in 2020. Organizations go through a lot of effort to try to put a label on specific risks, but the reality is risk is too complex to put into a container and label it. An organization cannot look at risk in silos of labels as it fails to see the interconnectedness of risk.

A risk event has a domino impact on the organization. What starts with one domino of risk has a cascading impact on other risks. Consider the current global crisis and pandemic of COVID-19. It started as a health and safety risk coming out of Asia. However, it has a cascading impact that causes other risks to materialize and change that impact the organization. It cannot be managed in isolation but has to be understood in the complex web of interconnections of risk and objectives that play out from it.

What originated as a health risk in a community in Asia now has a global impact that goes far beyond just an illness. Consider the following:

  • Risk to objectives. As the pandemic unfolded, it had a specific impact on every organization’s business objectives. Adapting to the crisis, businesses had to modify their objectives. Entity, divisional, department, process, project, and asset-level objectives have been modified, and risk exposure in the uncertainty of hitting both original and modified objectives is in a state of volatility with the pandemic. This plays out from the economic and business impacts of the virus.
  • Risk of operational resilience and continuity. Organizations have increased exposure to their operations and delivery of business processes. Business continuity in many organizations had an isolated focus on IT security and disaster recovery and was not prepared for a pandemic of this nature. They were ready for a computer virus, but not a global people virus. As employees were cut, processes were changed, and a focus on work from home put in place . . . the organization scrambled and faced growing uncertainty and exposure.
  • Risk of information security. With the focus on supporting a broad work from home strategy, the organization faced increased exposure to IT security issues. Home office environments are often not secure. With the Internet of Things (IoT), the light switch, vendor, or TV in the employee home could be a source of exposure to company data and connections. Further, hackers and organized crime have taken the crisis as an opportunity to infiltrate organizations and steal data.
  • Risk in third party relationships. It is typical that half of the organization is not traditional employees. Brick and mortar walls and employees no longer define the organization. Today’s organization is a complex web of nested relationships spanning suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, and intermediaries. We have seen significant issues where service providers and outsourcers have completely shut down because of lockdowns and are unable to support organizations and deliver services. We have seen constrained supply chains and the inability to deliver goods.
  • Risk of company culture and control. With rapidly changing processes to address the pandemic, the organization is lacking controls or navigating around controls. With reduced staff, employees are wearing multiple hats and there is greater exposure from segregation-of-duty conflicts. Employees themselves are concerned about the economy and their (and their loved ones’) well-being and security. Working from home offices and not in the corporate buildings means further insecurity for many.
  • Risk of fraud. In uncertain economic times and the unfolding of a recession, employees are under more stress to make ends meet. Employees who might never think of stealing/committing fraud during normal times may choose the wrong path when faced with the economic stress and uncertainty they now face.
  • Risk of bribery and corruption. Constrained supply chains and pressure to meet objectives increase the risk of bribery and corruption. With customs, import, and export coming to a crawl in some countries, there is greater risk and exposure that someone may pay a foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done.
  • Risk of modern slavery and human rights. We see the unrest of human rights all around us right now. What was an issue before the pandemic has exploded further because of the pandemic. But it goes beyond civil rights and treatment of people groups by those in authority, it also extends into our facilities and supply chains. The pandemic has hit certain areas of the world hard. Factories have lost employees to illness and death. As a result, there is increased staffing with child or forced labor and unwanted working conditions.
  • Risk of harassment and discrimination. Unrest is abounding. Stepping beyond the protests right now, there was growing discrimination happening because of the virus and a focus of anger on ethnic groups (particularly Chinese, as the virus started in China). People working from home and not in normal office conditions do not understand that the same rules apply. Communications such as email, text, and video calls have become more relaxed, and individuals are crossing boundaries and making statements that amount to sexual harassment.

I can go on and on and on. I have not touched privacy risk, compliance exposure and inability to meet compliance requirements because of changed business processes, and so much more.

The point is that risk is interconnected. Organizations need to map and understand the interconnectedness of risk. Risk management requires scenario planning as well as tabletop exercises to creatively walk through how risk unfolds, where uncertainty and other risks can develop, and how objectives are impacted. I personally love bow-tie risk analysis to explore these connections and relationships.

Organizations cannot be managing risk in isolation. They need an enterprise view of risk that sees the interconnections and impact of uncertainty on objectives. They need a top-down approach to risk management that looks at objectives and the risk and uncertainty to those objectives. They also need a bottom-up approach that looks at the details of risk down in the weeds of business processes and transactions. Good risk management will also bring together both risk quantification and qualification, and it requires left-brain structured thinking as well as right-brain creative thinking on risk and impact. Enterprise risk management also needs to be balanced and not held captive by one department, like IT security, as the risks the organization and the world face are complex and interconnected.
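The domino cascade described above, as an added example that is not the blog's own code or method: the risk graph below uses the risk labels from the list above as nodes, but its edges and weights are constructed illustrations, and the strongest-path-product propagation rule is an assumption about how exposure transmits from one risk to the next.

```python
"""Added example (not from the original post): model the 'dominos' of
interconnected risk as a directed graph and propagate a triggering event
through it, so risks that a siloed, label-by-label view would miss show up
with a score and a path. Edge weights are constructed, not data."""
from collections import deque
from typing import Dict, List, Tuple

# Constructed graph. Edge A -> (B, w) means "if A materialises, B's exposure
# rises to a fraction w of A's". Node names follow the blog's list of dominos.
RISK_GRAPH: Dict[str, List[Tuple[str, float]]] = {
    "health_and_safety": [("operational_resilience", 0.9),
                          ("harassment_discrimination", 0.3),
                          ("modern_slavery_human_rights", 0.4)],
    "operational_resilience": [("information_security", 0.7),
                               ("third_party", 0.8),
                               ("culture_and_control", 0.6)],
    "third_party": [("bribery_and_corruption", 0.5),
                    ("modern_slavery_human_rights", 0.5)],
    "culture_and_control": [("fraud", 0.6), ("bribery_and_corruption", 0.3)],
    "information_security": [],
    "fraud": [],
    "bribery_and_corruption": [],
    "modern_slavery_human_rights": [],
    "harassment_discrimination": [],
}


def cascade(graph, trigger: str, threshold: float = 0.05) -> Dict[str, Tuple[float, List[str]]]:
    """Propagate from `trigger` (exposure 1.0). A node's exposure is the
    product of weights along the strongest path reaching it; paths weaker
    than `threshold` are pruned. Returns {risk: (exposure, path)} for every
    risk the cascade reaches, including the trigger itself."""
    best: Dict[str, Tuple[float, List[str]]] = {trigger: (1.0, [trigger])}
    queue = deque([trigger])
    while queue:
        node = queue.popleft()
        score, path = best[node]
        for child, weight in graph.get(node, []):
            new_score = score * weight
            if new_score < threshold or child in path:   # prune weak paths and cycles
                continue
            if child not in best or new_score > best[child][0]:
                best[child] = (new_score, path + [child])
                queue.append(child)                        # re-relax its children
    return best


def second_order_risks(graph, trigger: str) -> Dict[str, Tuple[float, List[str]]]:
    """Risks the trigger reaches only through other risks: the dominos a
    siloed view of the first-order risk never sees."""
    direct = {child for child, _ in graph.get(trigger, [])}
    return {risk: hit for risk, hit in cascade(graph, trigger).items()
            if risk != trigger and risk not in direct}


if __name__ == "__main__":
    for risk, (exposure, path) in sorted(cascade(RISK_GRAPH, "health_and_safety").items(),
                                         key=lambda kv: kv[1][0], reverse=True):
        print(f"{exposure:.2f}  {' -> '.join(path)}")
```

With the constructed weights, bribery and corruption is reached at 0.36 via third-party risk rather than via culture and control, which is the kind of path a bow-tie or scenario walkthrough is meant to surface.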


Effective Risk Management in Context of the Pandemic

The COVID-19 pandemic has caught a lot of organizations by surprise. But, should it have?

We have had pandemics in the past—history teaches us this over and over. The World Economic Forum has regularly reported pandemic risk on their global risk reports over the years. Political and business leaders have warned us of pandemics. 

So, why has it caught so many organizations off guard?

The problem: an unbalanced view of ERM

The reality is that organizations have not had a balanced view of enterprise risk. Too many enterprise risk management programs (including corporate risk management and operational risk management) have been focused on highly visible risks, such as IT security, while not paying attention to the significant, but low-likelihood, risks like a pandemic. 

Risk management will fundamentally change because of the COVID-19 pandemic. We will see a lot of enterprise risk management (ERM) programs become . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE WORKIVA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC Supper Club: Operational Resiliency and the Interconnectedness of Risk

The past two months have been a crazy whirlwind of webinars, phone calls, and video meetings. Organizations the world over have been asking for calls on how to respond to the pandemic from a GRC perspective, and what the world of GRC will look like and how corporate governance, enterprise risk, and compliance and ethics management will change coming out of the pandemic. From 5:00 am to midnight here in Milwaukee, it has been a full sprint. RFPs, shortlists, strategy calls, competitive analysis of solutions, input on strategy, to market sizing and forecasting of GRC segments for solutions and services . . . it is a crazy time. I have done more webinars in two months than I normally do in an entire year.

One of the fun and unique engagements I did was the GRC Supper Club last week! This is an event that is normally done in person in the United Kingdom and led by my friend Lee Edge. With the pandemic it went virtual. So while the amazing host and many of the attendees were enjoying dinner and drinks in their homes in the UK and Europe, myself and a few others were doing lunch here in the United States.

Lee moderated the event, and I was one of three panelists for the virtual GRC Supper Club (you can access the recording for the virtual GRC Supper Club here). While we were speaking, Lee had an artist capturing the conversation and insight and putting it into the graphic you see above. I love how the graphic turned out! It captures so many of the points and analogies I brought up in the virtual GRC Supper Club. These are (working across the top and then clockwise around the bottom):

  • The Pandemic is NOT a Black Swan Event. I stated that being unprepared for risk does not make it a black swan. There were plenty of warning signs, history of events, and people and organizations speaking out on the potential for a pandemic. It does not meet the requirements of a black swan event. I blogged on this here: Being Unprepared for the Crisis Does Not Make it a Black Swan.
  • A Tale of Two Futures. Playing on the Charles Dickens novel, Tale of Two Cities, I discussed in the GRC Supper Club how we have a tale of two futures: we are headed toward either a Blade Runner dystopia or a Star Trek future. The choices organizations make today on the environment, climate change, and health and safety impacts what future we are headed toward. I blogged on this here: Tale of Two Futures: Blade Runner or Star Trek?
  • The Interconnectedness of Risk & Chaos Theory. The bat in the illustration stating, “I am no butterfly but I’ve had a big impact,” was a reference to my discussion in the Club about the interconnectedness of risk and how small things matter. I referenced Chaos Theory and the Butterfly Effect, in which the flutter of a butterfly’s wings in Amsterdam can influence the development and path of a hurricane in the Gulf of Mexico. What started with a bat at a wet market in China has had a worldwide impact that is more than a health and safety risk but cascades into economic risk, strategic risk, supply-chain third party risk, security risk, geopolitical risk, IT security risk, modern slavery and human rights risk, bribery and corruption risk, and even harassment and discrimination risk (I detail all of this in the Supper Club recording). I have blogged on this here: Navigating Chaos.
  • Cover Your Behind & IT Risk. This part of the illustration detailed my discussion on how too many enterprise and operational risk management programs have been operating with a myopic and overly focused view on IT security risk. IT security is a huge risk, but there are other significant risks the organization faces that have not received the same level of attention. Look at the world around you and nothing more needs to be said. IT security has been the dominant risk focus in ERM and ORM programs at the cost of other risks like environmental, health and safety, and quality. I make reference to this in this blog: Forrester GRC Wave = Tsunami of Confusion.
  • The Titanic of Risk. Next in the GRC Supper Club illustration and discussion, I referenced the illustration of the Titanic. This is an analogy I have been using in presentations for nearly 15 years. It is about all the risk exposures that contributed to the disaster of the Titanic, including environmental, overconfidence, third party risk issues, lack of control, health and safety, oversight, and more, further illustrating the interconnectedness of risk. I have blogged on this here: The Titanic: An Analogy of Enterprise Risk.
  • Right-Brain & Left-Brain Risk Thinking. In the lower right corner of the illustration you can see my dialogue during the GRC Supper Club in which I shared that good risk management involves both right-brain thinking and left-brain thinking. Too often we focus on the left-brain side of risk models and analytics, but good risk management also involves the out of the box creative thinking on risk and scenarios. I have blogged on this here: Managing Risk in Dynamic & Distributed Business.
  • Environment, COVID & The World. This part of the illustration was in reference to my comments on the Economist cartoon from a few weeks back in which the world is fighting COVID in the boxing ring but a much bigger opponent of the environment and climate change is about to step into the ring.
  • IT Security and the Home Office Blender. At this point in the GRC Supper Club I was discussing the IT security threats in the home office/work from home environment with the Internet of Things (IoT). I detailed how in my home in Milwaukee I have outlets, TVs, and even a blender that is connected to the Internet. If one of these devices has a vulnerability, or worse, a trojan horse, this could compromise organization data and connections.

It was a great event! There are two upcoming VIRTUAL GRC Supper Clubs you can register for, though I am not speaking on these. Hopefully, it will be back to in-person dinners back in the United Kingdom soon . . .

Delivering 360° Contextual Awareness of Your GRC Program

Governance, risk management, and compliance — what we refer to collectively as GRC — is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Over the past twenty years, we have seen technology evolve and mature to assist organizations in achieving this definition of GRC.

This evolution of GRC technology started with engaging the back-office functions of GRC, what we often call the second and third-line of defense. These are the risk, compliance, security, internal control, and audit/assurance departments that manage and monitor areas of GRC day in and day out.

Over the past several years, we have seen GRC technology grow and also spread to engage the front-office of the business, as well as all levels of management. These are the people that own risk and controls and are making risk and compliance decisions throughout the day. When you think about it, GRC is not about the back-office departments of GRC but about the front-office engagement and commitment to GRC. This moved technology into the Agile GRC era that focused on usability and experience to make GRC relevant for the front-office of the business — not just the back-office of traditional GRC functions and roles.

We are now moving into the era of Cognitive GRC. This extends . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RUBIQ BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Why Third-Party 360° Situational Risk Awareness is Needed Now More Than Ever

I am a James Bond fan and eagerly anticipate the next James Bond film, “No Time to Die.” Unfortunately, because of the global crisis we all now face, we have to wait until November 2020 instead of seeing it on the big screen this month. While we wait for this next installment in the 007 saga, we can still learn and apply what makes the master spy so great to our world of business: situational awareness.

Today’s organization needs situational awareness. Situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the business but is particularly needed in the context of risk in third-party relationships . . .

The remainder of this article can be found on the SureCloud site where GRC 20/20’s Michael Rasmussen has contributed his thoughts in a guest blog on this site.

Centralizing Compliance and Ethics Communications in a Time of Crisis

In a time of crisis, like what we face with the global pandemic, centralizing compliance and ethics communications and reporting is critical to streamline interactions, maintain corporate culture and integrity, improve employee morale, and communicate expectations.

However, a lot of organizations are finding they are not prepared. Consider that a lot of policies are changing right now, such as remote office worker policies, home office expense policies, and conduct policies. Other policies may not have changed, but employees still need to be reminded of them as they operate in a high-risk environment for fraud, privacy, customer/client communications, health and safety, and security.

In this current crisis, one large organization I was talking to discovered they had over 20 policy portals scattered across different departments. Policies were on different file shares, SharePoint sites, and ad hoc technology platforms. Policies looked different on each portal and used language inconsistently. Some policies were out of date.

In a time of crisis when people are working from home, having . . .

[The rest of this blog can be found at the Convercent website where GRC 20/20’s Michael Rasmussen contributed this as a guest blog post]

Being Unprepared for the Crisis Does Not Make it a Black Swan

I may be going out on a limb and stepping on a lot of toes right now by frustrating some careers and reputations of risk managers. Simply put, this global pandemic/crisis is not a black swan event. I am finding too many GRC and specifically risk management professionals are trying to cover their behinds by claiming that the pandemic is a black swan. Being unprepared for a risk does not make the risk a black swan.

You may ask: what is a black swan?

A black swan is defined as an unforeseen/unpredictable event that has a significant impact on the organization (or industry, or economy). The term refers to how in Europe it was understood that all swans, as in the bird, are white. There was no concept of a black swan. Then an explorer overseas found a black swan and changed the paradigm of what swans are.

The truth is that we have had pandemics in the past. We have had threats of pandemics. We have been warned countless times about it:

The reality is that this should have been on the ‘risk radar’ of organizations, but for many it was not. Now there are a lot of risk managers trying to deflect scrutiny from themselves by claiming it was a black swan. Again, being unprepared for a risk does not make it a black swan.

I find that too many risk management programs (e.g., corporate risk management, enterprise risk management, operational risk management, GRC, IRM . . . pick your favorite label) have been hijacked by IT security, a department that really does not understand environmental, health and safety, and other risk areas that have a potential big impact on the organization and its objectives. If we look at the WEF report, the top risks the world faces are environmental risks and health and safety risks.

Don’t get me wrong, IT security is a huge risk area; one of great concern that can impact the organization’s objectives. My issue is that too many risk management programs have overly focused on IT security to the point where they were not balanced and ignored other risks, such as the pandemic we now face.

I would like to see the organization that has been tracking this: the one whose corporate risk heat map (I am not a particular fan of heat maps and find them misleading and misused) showed this as a high impact, low likelihood event six months back, and that can show how its risk monitoring moved this risk event, month by month and then week by week, to a high impact and high likelihood event. I would estimate that 99.9% of organizations have failed in tracking and monitoring this risk with regular reporting at a board and executive level. Which of these organizations have actually quantified the risk and its various scenarios as it unfolds, putting actual numbers to the risk and its impact on the organization? Which organization has the best case study in how it has historically monitored this type of risk and been the best prepared for it?

I remember a decade back, coming out of the Swine Flu pandemic that cost 200,000 lives, that many organizations were building continuity plans and even doing cross-industry table-top exercises and scenarios to prepare for the next pandemic. Were any of the organizations that worked on this then ready now? Most closed the ledger on even recent history in their risk planning and monitoring.

Coming out of this crisis, we will see enterprise risk strategies that are more balanced with a broader understanding of risks to the organization’s objectives. Environmental, health and safety, quality, supply chain/procurement, and others will have a stronger and more active role at the enterprise risk management roundtable of the organization.

We are also going to see a lot of regulation across industries and around the world come out of this that is focused on operational resiliency. This is already happening in the financial services industry in the United Kingdom with the Operational Resiliency requirements from the FCA, PRA, and Bank of England. I predict we will see operational resiliency regulation that requires an integrated approach to operational risk and business continuity across industries and geographies.

What are your thoughts on this crisis, and on how unprepared organizations are when they should have seen this coming?

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . . 

Communicating Policies in a Time of Crisis

Policies are critical documents in organizations. They define how business is to be conducted as they establish boundaries and expectations for individual and process behavior. Policies enable and intersect all three elements of governance, risk management, and compliance (GRC). It is through policies that are clearly written, communicated and understood, and enforced that the organization can “reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

As the global crisis of the pandemic unfolds and impacts business operations, one of the clear areas of mismanagement being exposed is the scattered approach to policies. Organizations need to at least temporarily change policies and communicate them to a remote workforce. In this context, they are finding that they have policies and procedures scattered across many portals. One organization I just talked to found they have 20 portals for policies, each with different formats/templates and writing styles. This works against the organization that is trying to respond to a global crisis and provide a singular, consistent view of policies and procedures across the organization. This is necessary to make sure there is one single source of truth and that remote employees are working from the same consistent and current policies and procedures.

Even worse, many organizations I am talking to right now are finding they do not even know what policies they have in their organization. It is the Wild West – complete anarchy – as different parts of the organization have gone in different directions in writing policies. In a time of crisis, organizations are finding out that there is no master list of all of the organization’s policies and procedures. Such a list is critically needed to flag which policies need to be communicated in a time of crisis, as well as which need to be modified to address changing business processes, transactions, relationships, and a remote workforce.

Already GRC 20/20 Research has seen a growing interest in enterprise policy management that provides a consistent policy on writing policies, with an established policy management lifecycle to ensure that policies are documented, consistent, and available in a single portal in the organization. The need for this is becoming more apparent in the current crisis, and the demand for a singular integrated approach to managing and communicating policies across the organization is growing. This includes:

  • Back office management of policies. It requires a consistent process to author, approve, communicate, manage, monitor, maintain, and retire policies.
  • Front office engagement on policies. It also mandates a consistent singular portal for an employee to access policies and procedures with related resources (e.g., training, issue reporting, helpline, forms). This portal needs to be available from the desktop and laptop down to the tablet and smartphone. And it needs to be available whenever and wherever an employee needs to access policies . . . particularly in a time of crisis.

What are your thoughts on how to manage and communicate policies in a time of crisis?

My point of view: Organizations need to be moving to an enterprise-wide view of policies that are consistent, with a single portal for employees to access every policy and procedure in the organization. In a time of crisis, not having a singular view into policies causes confusion and mistakes and has a direct impact on the culture and morale of employees who need guidance.
