Posted on Leave a comment

Is Policy Management Causing More Pain than Gain?

The Policy Management Illustrated Series

  • Frustrated by policy management?
  • Having trouble finding all the policies (both authorized and unauthorized) floating around in your organization?
  • Wasting time and resources that could be well applied elsewhere to help the organization achieve its objectives and stay on track?
  • Realizing something has to change? 

In our research, we have found that many organizations fail at several key stages of policy management. Too often there is no formal guidance or requirements for the authoring and approval of policies. There is no risk-based consideration to determine which policies should be supported with training. There is no single repository for all policies with version control and linkage to related obligations, processes and controls. And on and on and on. 

In response to this problem, OCEG, in collaboration with GRC 20/20, has developed an educational series of materials and webinars discussing the challenges and the solutions for better policy management. In addition to addressing each stage of the policy management lifecycle, the series will provide context that can help attendees build the business case for better management, demonstrating the value of policies in helping the organization achieve Principled Performance.

Each webinar will be accompanied by the release of a related installment in our Policy Management Illustrated infographic collection.

Whether you are directly responsible for policies or are on a compliance, risk, HR, legal, internal audit or IT team, you will find this series both helpful and enlightening.

Check out more details and register for each webinar by clicking on the titles below.  Sign up early to reserve your spot. 

Upcoming OCEG & GRC 20/20 Webinars . . .

Upcoming Workshops by GRC 20/20 . . .

Upcoming GRC 20/20 Webinars . . .

Posted on Leave a comment

Exposing IRM for What it Really is: GRC Light

Gartner, particularly John Wheeler, is hard at work trying to convince the world that their Integrated Risk Management (IRM) is something new to replace Governance, Risk Management & Compliance. You can check out John’s latest post mischaracterizing and misleading organizations in: GRC May Keep You “Out of Trouble” ,But IRM Will Keep You “ In Business” 

The first thing to note is that every solution in Gartner’s IRM Magic Quadrant and IRM Critical Capabilities reports have been and are GRC solutions. Every one of them has been marketing GRC, most for some time. These are the same platforms that have been calling themselves GRC that Gartner is now calling IRM. 

The second thing to note is that Gartner mischaracterizes what GRC is about by pushing it solely to compliance. I have refuted this time and time again by citing the long-standing official definition of GRC found in the OCEG GRC Capability Model that GRC “is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].” I went into great detail on what GRC is in my recent article ‘Navigating Chaos‘ published in Enterprise Risk magazine published by The Institute of Risk Management (the real IRM). GRC since its inception has been focused on Principled Performance with an aim for the organization to reliably achieve objectives. 

If you peel back IRM in Gartner’s reports what do you find? GRC. It is not just the same technology, but the same pillars. Though I would argue it is GRC light as Gartner misses the boat in risk areas of quality, environmental, health and safety, sustainability, corporate social responsibility, and more that impact the modern organization.
Take a look at the recent Gartner IRM MQ and the IRM Critical Capabilities. It breaks IRM into three areas:

  • Business Outcome Centric. Gartner says this is “an integration-optimization-based risk practice designed to automate the linkage among relevant insights on key corporate performance-related risks.” Interesting, this sounds like the Governance pillar in the GRC definition in the capability to reliably achieve objectives. 
  • Operation-Centric. Gartner says “resilience is an adaptability-based risk practice focused on operational and IT risks offering an agile risk program in response to and re3cover form key business disruptions.” Interesting, this sounds like the Risk Management pillar in the GRC definition with the capability to “manage uncertainty.” ISO 31000 defines risk as the effect of uncertainty on objectives. 
  • Compliance-Centric. Gartner says “compliance is a regulation-based risk practice providing evaluation and evidence in support of relevant legal and regulatory requirements.” Interesting, this even mentions Compliance but only in a limited way focused on regulations. The GRC Capability Model which is about 15 years old now, defines compliance as the “capability to act with integrity.” This is more than regulatory compliance but includes compliance to the risk boundaries of the organization (e.g., tolerance, appetite, capacity); the policies of the organization; the values, ethics, corporate social responsibility commitments of the organization; and the contractual obligations of the organization.

There you have it – IRM at its core is really GRC.

What really strikes me as interesting is that Gartner puts a lot of effort into stating there is a difference in these pillars from a technology perspective. I would agree, but Gartner’s research does not. You look at the IRM Critical Capabilities research and you have the same list of solutions in nearly identical order in each of these three areas. Same solutions on top same solutions on the bottom with very little movement between these areas. Why even break this out Gartner? From this research, you are stating that the same solutions that score high in Business Outcome also are the top for Operation Centric and Compliance Centric. Same solutions and nearly the same order in each of the three areas. It does not make sense.

But what is really ironic, is that I have been discussing this for 15 years this differentiation. My last GRC Wave I wrote at Forrester in 2007 had four Wave graphics. One for overall GRC combined, one for Governance focused on outcomes and objectives, one for Risk Management focused on operational risk, and one for Compliance. They say there is nothing new under the sun, Gartner proves this. They are just taking my approach in 2007 and using it in 2019. Just relabeling/renaming its areas. HOWEVER, if you look at the 2007 Forrester GRC Wave you will find a completely different ranking of solutions in each of the areas and not the same ranking. 

Gartner, drop the IRM facade. I don’t care if you want to call GRC IRM. You can call it ERM, ABC, XYZ. It does not matter what you want to call your category. Just stop misleading the world that saying GRC has failed when you are evaluating the same exact technology solutions that have called themselves GRC. Look at how you break out and define IRM, it maps to how GRC is defined and broken out. 

Posted on Leave a comment

Understanding Third Party GRC Maturity: Agile Stage

A haphazard department- and document-centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third-party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third-party governance with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, risk, and compliance, as well as how it impacts the organization.
GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the third-party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

  1. Ad Hoc 
  2. Fragmented 
  3. Defined 
  4. Integrated 
  5. Agile

Today we look at Stage 5, the Agile level of third-party GRC.

At the Agile Maturity stage, the organization has completely moved to an integrated approach to third-party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third-party relationships. Consistent core third-party GRC processes span the entire organization and its geographies. The organization benefits from consistent, relevant, and harmonized processes for third-party governance with minimal overhead.

The Agile Maturity is where most organizations will find the greatest balance in . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

Posted on Leave a comment

The Intersection of GRC and Policy Management

Policies matter, and policy management matters. Period.

Policies are critical governance documents for every organization. They set guardrails and parameters of acceptable and unacceptable behavior for individuals, processes, and transactions. When they are managed and enforced properly, policies guide and define corporate culture.

So, why do organizations approach and manage policies so carelessly?

Policies set a duty of care for the organization, and the wrong or mismanaged policy could expose the entire operation to liability and risk. But, I find that most organizations do not even know what policies they have in place. 

Why policies are critical to GRC

Since policies are critical governance documents of the organization, they require structured management and monitoring. They simply cannot be approached haphazardly, as many organizations do.

Changes to risks and regulations, as well as constant modifications to internal business environments, can quickly make policies out of date, misaligned, and irrelevant to the organization.

As defined by OCEG, GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Dissecting this definition hints at the importance of policies in the context of GRC:

  • Policies enable . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Workiva site, follow the link below to read more]

Posted on Leave a comment

Understanding Third Party GRC Maturity: Integrated Stage

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

Today we look at Stage 4, the Integrated level of Third Party GRC

In the Integrated stage, the organization has a . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

Posted on Leave a comment

The 3 Lifecycle Stages of Vendor Security Risk Management: Offboarding

How do you say goodbye to a third party?

This is the third of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the offboarding monitoring process.

This is the third in a three-part guest blog series looking at risk management throughout the lifecycle of a third party relationship. Previously we looked at the onboarding process, then we explored ongoing security monitoring throughout the relationship [link to posted article], now we look at offboarding and terminating a relationship.

Goodbyes are difficult. Humans tend to avoid goodbyes. If it was a beautiful close relationship, or one that ends in frustration, anger, and tears . . . most do what they can to avoid goodbyes because they are difficult. Ironically, this is true of organizations as well.

The most neglected part of the lifecycle of a third party relationship is the goodbye. The termination of the relationship. It doesn’t matter if the relationship was very productive and served, or even exceeded, its purpose, or if the relationship soured and failed. Either scenario, organizations neglect proper offboarding and closure procedures to a relationship.

This is a critical concern in the context of information security. I have encountered in organizations network connections, VPN access, and access to systems that remain active long after the relationship was over. Even if there was no network access, or if that access was terminated, there still may be data and property of the organization that the third party has internally on file servers, physically, and can live on in archives. 

Terminating a relationship is not to be approached haphazardly at the end of a relationship but should be carefully defined in contracts and controls in the onboarding of the relationship. As relationships change overtime, such as expand services, it is also necessary to update scope, controls and responsibilities for termination throughout the relationship. The last thing an organization wants at offboarding is to look for termination provisions and notice they’re missing. 

In terminating a relationship, it is critical that an organization follow these steps . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]

Posted on Leave a comment

Have You Hugged Your CECO/CCO Today?

Today is the official National Compliance Officer today! This is a very challenging role in organizations and one that is in the midst of a lot of change. Below is a link to my SWOT Analysis of the CECO role on this topic. I am presenting on this next week at Converge19 as well.

Here is a link with Tom Fox on his podcast discussing my upcoming presentation on the SWOT Analysis of the CECO

Posted on Leave a comment

5 Reasons to be Happy About UK SMCR

Regulation and oversight – what a burden to business. That is the common expression financial services firms have as they respond to 220 regulatory change events around the world every business day. UK Senior Managers Certification Regime is the uber regulation that puts accountability, teeth, and enforcement to other regulations and risk management practices. But is it as bad as it seems? Let’s take a look at some of the positive outcomes that SMCR brings to the financial services organizations.

First some background . . .

Over the past few years, there has been a growing focus from financial regulators on accountability for risk, compliance, conduct, and control. Accountability upon senior managers, executives, and directors that makes these individuals personally responsible for the lack of due diligence or negligence in risk management, compliance, and controls. This started with the FCA and the UK’s SMCR and has since gone around the world in a spawn of similar regulations from other financial regulators:

  • Australia’s Banking Executive Accountability Regulation (BEAR)
  • Hong Kong’s Managers in Charge (MIC)
  • Ireland’s Senior Executive Accountability Regulation (SEAR)
  • Singapore’s Proposed Guidelines on Individual Accountability & Conduct

This list will continue to grow and expand as more regulators put greater emphasis on personal accountability upon individuals to ensure the financial services organization does everything it can to manage the conduct within the organization and ensure risk and compliance is properly managed.

Now to the positive . . .

The financial services organization can either see this as an inconvenience or embrace it as the way of the future and a method to drive greater performance in the organization, through layers of structured accountability and responsibility to ensure the organization reliably achieves with conduct that aligns with the integrity of the organization.

1) Accountability

The Polish poet, Stanislaw Lec, stated; “No snowflake in an avalanche ever feels responsible.” Too often . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at SureCloud site, follow the link below to read more]

Posted on 1 Comment

Navigating Chaos

Below is Michael Rasmussen’s article found in the Autumn 2019 issue of Enterprise Risk, published by the Institute of Risk Management (The IRM).

The physicist Fritjof Capra once said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was making the point that biological ecosystems are complex, interconnected and require a holistic contextual awareness of the intricacy in interconnectedness as an integrated whole – rather than a dissociated collection of systems and parts. Change in one area has cascading effects that impact the entire ecosystem.

This interconnectedness and a demand for a 360° contextual awareness apply to the world of business. Organisations need to see the intricate relationships ofobjectives, risks and boundaries of the enterprise. Business operates in a world of chaos. In chaos theory, for instance,the “butterfly effect” means thatsomething as simple as the flutter of a butterfly’s wings in the Netherlands could create tiny changes in the atmosphere that have a cascading and growing force that ultimately impacts the development and path of a hurricane in the Gulf of Mexico. A small event develops into what ends up being a significant issue.

Gone are the years of simplicity in business operations.Exponential growth and change in risks, regulations, globalisation, distributed operations, competitive velocity, technology and business data encumbers organisations of all sizes. Keeping business strategy, performance, uncertainty, complexity and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.

This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, and not as an integrated discipline of decision-making that has a symbiotic relationship on performance and strategy. Organisations need to understand how to monitor risk-taking, measure whether the associated risks taken are the right risks and review whether risks are effectively managed.


Today’s organizations have to have holistic visibility and 360° contextual awareness of risk in the context of objectives across the enterprise. The complexity of business and intricacy, and interconnectedness of risk and objectives, requires that the organization implement governance, risk management, and compliance (GRC) management strategy. GRC, by official definition in the GRC Capability Model, published byOCEG, is: “a capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].” This definition of GRC provides the framework for what the think tank OCEG calls principled performance. There is a natural flow to the GRC acronym. Governance sets the context by defining the objectives of the organization. These can be entity-level objectives, so division-, department-, process-, project- or even asset-level objectives. It is the evaluation and establishment of objectives that provide the context for risk management. Without context, risk management fails.

Risk management assesses and monitors risk to objectives within the context of governance to take action on risk through identification, analysis and then treatment (risk acceptance, avoidance, mitigation or transfer). ISO 31000 defines risk as to the “effect of uncertainty on objectives” providing a natural flow and integration of governance to risk management.

Compliance provides boundaries to frame risk management. Risk management, by itself, is neutral and analyses options. A risk assessment may very well determine that the organization most likely can get away with an unethical course of action. Compliance frames the ethical principles as well as the obligation boundaries (for example, regulatory requirements, contractual commitments or corporate social responsibility values) for risk management to work within. Compliance provides the follow- through on risk treatment plans to ensure that risk is managed within limits and controls are in place and functioning. Risk management fails without compliance as compliance is needed to ensure controls are in place and operational to mitigate risk.

Three legs

The components of GRC provide the three legs of the stool that offer support and stability to the business and its operations. You take one leg away and the stool is no longer stable. It takes all three elements of governance, risk management and compliance working together to provide stability and balance for the organisation.

Every organization does GRC today. They may call it enterprise risk management (ERM), operational risk management (ORM) or integrated risk management (IRM). Some may not have a name for it. Every organization is doing GRC, no matter what they call it. You will not find an organization that states they do not govern the organization, that risk is not managed and compliance is neglected. The question is, how mature is the organization’s GRC capability? Is it a reactive and disconnected process with departments going in many directions with much redundancy? Or is it mature, integrated and coordinated across the organization that aims to deliver on agility, efficiency and effectiveness of GRC-related processes in the context of organizational strategy, performance and objectives?

The research organization GRC 20/20 has identified two approaches that organisations take to manage GRC – anarchy and federated. Anarchy is based on ad hoc department silos. This is when the organisation has departments doing different yet similarthings with little to no collaboration between them. Distributed and siloed GRC management initiatives never see the big picture and fail to put risk management in the context of organisational strategy, objectives and performance. The organisation is not thinking big picture about how GRC management processes can be designed to meet a range of needs. An ad hoc approach to GRC management results in poor visibility of the organisation’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be insightful about risk, compliance and performance. The organisation fails to see the web of risk interconnectedness and its impact on performance and strategy, leading to greater exposure than any silo understood on its own.

Federated GRC is an integrated and collaborative approach. The federated approach is where mature organizations will find the greatest balance in a collaborative and connected view of GRC management and oversight. It allows for some level of department and business function autonomy when needed, but also focuses on a common governance model, processes and architecture that GRC functions across the organization can participate in. A federated approach increases the ability to connect, understand, analyze and monitor connectedness and underlying patterns of performance, risk, and compliance. Different functions participate in GRC management with a focus on coordination and collaboration through common processes and integrated technology architecture.


The primary directive of a mature GRC management capability is to deliver effectiveness, efficiency, and agility to the business. This is in the context of managing the breadth of risks on organizational performance, objectives, and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions and information to enable transparency, discipline, and control of the ecosystem of risks and controls across the extended enterprise. Organizations need a mature GRC capability that brings together a coordinated strategy and processes. This is supported by strong information and technology architecture that provides an integrated view of objectives, risks, compliance, controls, events and more. However, what confuses organizations is that they think GRC is about technology. That is putting the cart before the horse. GRC is about a capability delivered through a coordinated strategy and processes across the organization. Technology enables these processes to work together and function, butit does not define them. Too many organizations think GRC is something they purchase. GRC is not something you buy; it is something you do: GRC is the actions and activities of governance, risk management, and compliance. There is technology for GRC and we often call this integrated or enterprise GRC platforms. However, these solutions are not GRC in themselves. Nor is there any single technology solution that does everything GRC. There can and should be a central core GRC platform that connects the fabric of governance, risk management and compliance processes, information and other technologies together across the organisation. This architecture is the hub of GRC management and requires that it be able to integrate and connect with a variety of different systems and enterprise applications to deliver on GRC.

Successful GRC management requires the organization to provide an integrated process, information, and technology architecture. This helps to identify, analyze, manage and monitor GRC, and capture changes in the organization’s risk profile from internal and external events as they occur. Mature GRC management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk linked to objectives, led by the executives and the board. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of objectives. While that may sound like hard work – and it is – organizations that get a good grip on their GRC initiatives have a much better chance of thriving in today’s complex business world.


Organisations striving to improve their GRC management capability and maturity in their organisation will find they are more:

  • Aware. They have a finger on the pulse of the business and watch for a change in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analysed and shareable in every relevant direction.
  • Aligned. They align performance, risk management and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated GRC capability to those of the entity, and to give strategic consideration to information from the GRC management capability to affect appropriate change.
  • Responsive. Organisations cannot react to something they do not sense. Mature GRC management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organisation needs to know to make the right decisions.
  • Agile. Stakeholders desire the organisation to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organisation is headed in the wrong direction. GRC enables decisions and actions that are quick, coordinated and well thought out. Agility allows an entity to use GRC to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.
  • Resilient. The best-laid plans of mice and men fail. Organisations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary toadapt and respond to opportunities rapidly.
  • Efficient. They build business muscle and trim the fat to rid expense from unnecessary duplication, redundancy and misallocation of resources; to make the organisation leaner overall with enhanced GRC capability and related decisions about the application of resources.

Michael Rasmussen is an Honorary Life Member of the IRM and an internationally recognised pundit on governance, risk management and compliance (GRC) and founder of GRC 20/20 Research, LLC.

Posted on Leave a comment

The 3 Lifecycle Stages of Vendor Security Risk Management: Ongoing Monitoring

This is the second of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the ongoing monitoring process.

Too often organizations conduct security due diligence when onboarding a third party (e.g., vendor, supplier, outsourced, service provider, consultant) and fail to monitor security throughout the lifecycle of the relationship. Ongoing security monitoring throughout a relationship is critical to protect the organizations.

Organizations are dynamic, they are in a constant state of change. Regulations are changing, risk is changing, and internal business processes, employees, and technology is changing. As much as an organization’s business has changed it is important to remember that each and every third party they do business with has changed.

A third party might have been the right third party to contract with two years back, but are they still the right third party? Are they current with security controls and processes? A third party, over the course of time, has evolving oversight, processes, employees, and technology. What might have been a secure relationship a year ago, or several years ago, may not be a secure relationship today. 

This is further complicated that security impacts a wider range of third parties than it has in the past. It used to be that it was predominantly IT vendors that were an information security risk. Today, in the interconnected digital economy, any third party providing service to any part of the business may be connected to the organizations network and have access to information. The Internet of Things further complicates this as the microwave in the break room now poises a security threat when in the past it did not.

Five Necessities of Security Monitoring

Organizations need to have established processes in place to monitor security throughout the lifecycle of a relationship. This includes . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]