Delivering 360° Third-Party Risk Situational Awareness

A dynamic business environment requires the capability to actively manage risk intelligence and fluctuating risks impacting the organization and its relationships. The old paradigm of uncoordinated third-party risk management is inadequate given the volume of risk information, the pace of change, and the broader operational impact on today’s business environment and operations. Organizations need to address third-party risk intelligence with an integrated strategy and an enterprise-wide information architecture that provides 360° third-party risk situational awareness. The goal is to provide actionable and relevant risk intelligence to support third-party risk governance and oversight to ensure the organization is agile, resilient, and acting with integrity in its business relationships. 

Third-Party Risk Intelligence Architecture: Core Elements

Comprehensive 360° situational awareness requires a system to gather information, weed out irrelevant information, route critical information to subject matter experts (SMEs) for analysis, track accountability, and determine the potential impact on the organization. Therefore, an effective enterprise-wide third-party risk intelligence architecture includes:

  • A comprehensive risk framework. The third-party risk framework should be a hierarchical and comprehensive catalog/index of third-party risk domains with the potential to impact the organization. Third-party risk domains should be further broken into categories comprised of individual risk metrics logically grouped into related areas (e.g., the ESG risk domain would include the risk categories Environmental, Social, and Governance; the Social category would include sub-category risk metrics related to diversity & inclusion, pay equality, health & safety, child labor, human rights, etc.).
  • Intelligence content aggregation. The organization needs to identify the best sources of risk intelligence. Content feeds can come directly from various sources – regulators, law firms, consultancies, news feeds, blogs by experts, etc. – or from content aggregators. Each feed must be mapped to the risk intelligence framework. The most economical and efficient way to address this need is through a risk intelligence provider that leverages automation and AI to aggregate risk content while removing noise and false positives. A single solution that provides a comprehensive and consistent view also yields significant efficiencies and cost savings.
  • Metrics, dashboarding & reporting. To govern and report on the third-party risk intelligence process, the organization needs the ability to monitor metrics and reports to determine process adherence, risk/performance indicators, and risk issues and exposure. The dashboards should give the organization a quick view of current risk exposure and potential emerging risks, which individuals are responsible for triage and/or impact analysis, and the overall risk impact on the organization.
  • Defined roles and responsibilities. Successful risk management requires accountability: making sure the right information gets to the right person with knowledge of the risk domain and its impact on the organization. This requires the identification of SMEs for each risk category defined in the taxonomy. SMEs can be further subdivided by particular expertise in categories, metrics, or specific jurisdictions, or by the specific actions they perform as part of a series of changes to address risk developments and exposure.
  • Workflow and task management. Real-time third-party risk intelligence feeds into a risk management platform that provides a system of structured accountability to manage changes based on business impact analysis. Workflow and task management route details and required actions to the appropriate SMEs for further analysis, with escalation when items are past due. The process tracks who is assigned each risk task, establishes priorities, and determines the appropriate course of action. Automation handles routine risk mitigation actions, freeing team members to focus only on the most critical risks that require human intervention. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis of third-party risk developments.

Third-Party Risk Intelligence Architecture: Additional Capabilities

In addition to the core elements, the following additional capabilities provide further value to a third-party risk intelligence architecture:

  • Accountability. A primary directive of a third-party risk intelligence architecture is to provide accountability. Accountability needs to be tracked as risk information is routed to the right SME to review and define actions. The SME should be notified when further evaluation is necessary and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. Built-in automatic notification and alert functionality with configurable workflows facilitates risk intelligence in the context of the organization’s operations and its third-party relationships.
  • Business impact analysis. The architecture needs to provide the functionality to identify the impact of changes in risks on the third-party business environment and its operations and then communicate to relevant areas of the organization how the development impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by the ability to tag risk areas/domains to respective business relationships, services, and operations. The overall system needs to be able to keep track of changes by assessing their impact and triggering preventive and corrective actions. Furthermore, the solution ensures that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined.
  • Mapping risks, policies, controls, and more. A critical component to evaluate is the architecture’s ability to link third-party risks to assessments, policies, controls, reports, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to third-party developments and strategies. The workflow automatically alerts relevant stakeholders for necessary action and relationship changes. It also supports electronic signoffs at departmental and functional levels that roll up for executive certifications on risk exposure and acceptance. Mapping is another area where artificial intelligence/cognitive technologies are providing greater efficiency and effectiveness for third-party risk intelligence.
  • Audit trail and system of record. It is absolutely necessary that the risk architecture have a full audit trail showing who was assigned a task, what they did, what was noted, which notes were updated, and what was changed. This enables the organization to provide full accountability and insight into who reviewed risks, how, and when; to measure the impact on the organization; and to record what actions were recommended or taken.
  • Reporting capabilities. The architecture is to provide full reporting and dashboard capabilities for clear visibility into the risks monitored, task assignments, overdue actions, and the identification of issues that pose the most significant risk to the organization’s third-party relationships. Additionally, by linking risk intelligence to the various other aspects of the platform – including relationships, processes, objectives, policies, controls, and more – the reporting should provide an aggregated view of risk across multiple relationships and business owners.
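The mechanics spelled out across the core elements and the additional capabilities above (a hierarchical taxonomy that feed items must map to, routing to the SME for the most specific matching category, a deadline derived from the initial criticality ranking, rerouting of a mis-assigned task, escalation when a task is past due, and an append-only audit trail) can be sketched in code. The following Python is an added illustration and is not code from the GRC 20/20 publication or from any vendor platform. The taxonomy, the SME identifiers, the SLA table and the sample feed items are all constructed assumptions, and the longest-prefix routing rule is one possible way to implement "the right SME for each risk category", not the publication's own design.

```python
"""Triage of third-party risk intelligence items: taxonomy check, SME routing,
criticality-based deadlines, rerouting, escalation of overdue tasks, audit trail.
Constructed illustration; taxonomy, SME names, SLA values and items are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical hierarchical framework: domain -> category -> metrics
TAXONOMY = {
    "ESG": {
        "Environmental": ["emissions", "water use"],
        "Social": ["child labor", "health & safety", "pay equality"],
        "Governance": ["board independence"],
    },
    "Cyber": {"Data Protection": ["breach"], "Availability": ["outage"]},
}

# Hypothetical SME assignments keyed by a taxonomy prefix; most specific match wins
SME_ROUTING = {
    ("ESG", "Social", "child labor"): "sme.labor.rights",
    ("ESG", "Social"): "sme.social",
    ("ESG",): "sme.esg",
    ("Cyber",): "sme.cyber",
}
DEFAULT_QUEUE = "risk.office.triage"  # fallback when no SME prefix matches

# Deadline in days derived from the initial criticality ranking (constructed SLA table)
SLA_DAYS = {"critical": 1, "high": 3, "medium": 7, "low": 14}


@dataclass
class Task:
    item_id: str
    path: tuple
    criticality: str
    assignee: str
    due: datetime
    status: str = "open"
    audit: list = field(default_factory=list)

    def log(self, when: datetime, actor: str, action: str, note: str = "") -> None:
        # Append-only record of who did what, and when
        self.audit.append({"ts": when.isoformat(), "actor": actor, "action": action, "note": note})


def validate_path(path: tuple) -> bool:
    """True if (domain, category, metric) exists in the framework; anything else is noise."""
    if len(path) != 3:
        return False
    domain, category, metric = path
    return metric in TAXONOMY.get(domain, {}).get(category, [])


def route(path: tuple) -> str:
    """Longest-prefix match of the taxonomy path against SME_ROUTING."""
    for length in range(len(path), 0, -1):
        sme = SME_ROUTING.get(path[:length])
        if sme:
            return sme
    return DEFAULT_QUEUE


def create_task(item_id: str, path: tuple, criticality: str, now: datetime) -> Optional[Task]:
    """Drop items outside the framework; otherwise assign an SME and set a deadline."""
    if not validate_path(path) or criticality not in SLA_DAYS:
        return None
    task = Task(item_id, path, criticality, route(path), now + timedelta(days=SLA_DAYS[criticality]))
    task.log(now, "system", "assigned", f"to {task.assignee}, due {task.due.date()}")
    return task


def reroute(task: Task, actor: str, new_assignee: str, now: datetime) -> None:
    """An SME hands a mis-assigned task to someone else; the change is recorded."""
    task.log(now, actor, "rerouted", f"{task.assignee} -> {new_assignee}")
    task.assignee = new_assignee


def escalate_overdue(tasks: list, now: datetime, escalate_to: str = "risk.office.lead") -> list:
    """Flag open tasks past their deadline and note who was notified; returns their ids."""
    escalated = []
    for t in tasks:
        if t.status == "open" and now > t.due:
            t.status = "escalated"
            t.log(now, "system", "escalated", f"overdue, notified {escalate_to}")
            escalated.append(t.item_id)
    return escalated


def close_task(task: Task, actor: str, action_taken: str, now: datetime) -> None:
    task.status = "closed"
    task.log(now, actor, "closed", action_taken)


# Constructed sample feed items (not real intelligence); item-4 is outside the framework
SAMPLE_FEED = [
    {"id": "item-1", "path": ("ESG", "Social", "child labor"), "criticality": "high"},
    {"id": "item-2", "path": ("Cyber", "Availability", "outage"), "criticality": "critical"},
    {"id": "item-3", "path": ("ESG", "Governance", "board independence"), "criticality": "low"},
    {"id": "item-4", "path": ("Legal", "Sanctions", "listing"), "criticality": "high"},
]


def triage_feed(items: list, now: datetime) -> list:
    """Turn a batch of feed items into assigned tasks, dropping unmapped ones."""
    tasks = [create_task(i["id"], i["path"], i["criticality"], now) for i in items]
    return [t for t in tasks if t is not None]


def run_demo() -> dict:
    """Walk the constructed scenario and return the results for inspection."""
    t0 = datetime(2022, 3, 1, 9, 0)
    tasks = triage_feed(SAMPLE_FEED, t0)
    reroute(tasks[2], "sme.esg", "sme.governance", t0 + timedelta(hours=1))
    escalated = escalate_overdue(tasks, t0 + timedelta(days=2))
    close_task(tasks[1], "sme.cyber", "failover confirmed with provider", t0 + timedelta(days=2, hours=1))
    return {
        "assignees": {t.item_id: t.assignee for t in tasks},
        "escalated": escalated,
        "status": {t.item_id: t.status for t in tasks},
        "audit_lengths": {t.item_id: len(t.audit) for t in tasks},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points carry over from the text: an item whose path is not in the framework is dropped at intake rather than routed, which is where noise and false positives are removed, and every state change goes through `Task.log`, so the audit list is the system of record for who was assigned, who rerouted, what was escalated and what action closed the task.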

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: 360° Risk Intelligence in the Extended Enterprise:
Ensuring Agility, Resiliency & Integrity in Third-Party Performance.

360° Risk Intelligence in the Extended Enterprise

The Modern Organization is an Interconnected Web of Relationships

The structure and reality of business today has changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. Instead, the modern organization is an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries. Even the smallest organization can have dozens of relationships that they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers.

With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships become even more critical. Without effective GRC, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives. 

In a dynamic risk environment, resiliency requires agility and the ability to navigate great uncertainty. Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence, with insights to assess both the current and future risk landscape and to drive sagacious action.

The Inevitability of Failure: Fragmented Views of Third-Party Risk

Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices. Recent technological advances in automation, machine learning, and data science enable organizations to be more effective and do more with fewer resources, but unfortunately, too many organizations have failed to seize the opportunity to evolve beyond expensive and inefficient legacy solutions.    

Failure in third-party GRC comes about when organizations rely on outdated risk practices including: 

  • Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and architecture. The risk posed by a third party for one business function may seem immaterial but is actually significant when factored into multiple risk exposures across all of the business functions relying on the same third party. Without a single pane of visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated.
  • Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. Risk functions operating with limited budgets and small teams need to do more with less. In reality, truly effective continuous monitoring and mitigation of today’s dynamic and ever-expanding risk landscape is beyond human capabilities alone.
  • Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data. In addition, when things go wrong, these manual processes support neither agility nor a robust feedback loop to improve processes going forward.
  • Limited view of risk vectors. Organizations often over-rely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location, and Nth parties. To fully understand the complete risk picture, an organization needs full-spectrum risk coverage.
  • Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, making it difficult to maintain, aggregate, and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs.
  • Overreliance on periodic assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship, with only periodic re-assessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.
  • Inadequate incident response. How organizations respond to incidents often dictates how quickly and adequately they mitigate risk. Most enterprises respond to an incident today by sending a survey to all their third parties asking whether they have been impacted. This process takes time, often yields low response rates, and then adds the burden of assessing and reporting on the responses. Most importantly, it captures a single point in time and is therefore often a wasted effort: incidents and their impact unfold over time, and the best approach is one that is real-time and continuous.
  • Negative news services can overwhelm risk teams. Risk intelligence has the potential to overwhelm organizations. Information feeds from various sources such as legal and regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators can drown the risk team as they struggle to monitor a growing array of regulations, legislation, corporate ratings, geopolitical risk, and enforcement actions. Risk intelligence that requires weeding through an exorbitant volume of notifications, including noise and false positives, to identify relevant risks only compounds the problem. One needs an intelligent system that can deliver accurate and actionable insights and remove the noise.

The bottom line: The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure. It is time for organizations to step back and move from legacy practices, defined by manual processes and periodic assessments, to a third-party risk intelligence architecture built on integrated, full-spectrum, real-time feeds that provide situational awareness of what impacts the extended enterprise and its operations.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: 360° Risk Intelligence in the Extended Enterprise:
Ensuring Agility, Resiliency & Integrity in Third-Party Performance.

How to Operationalize ESG with GRC

Take advantage of GRC’s structured guidance to deliver on ESG strategy and processes.

ESG – Environmental, Social, and Governance – is pressuring organizations from every angle. Investors are making investment decisions based on the ESG practices of companies. Individual directors on boards are being voted out based on ESG metrics. Employees, as well as clients/customers, are deciding whom to work for and do business with based on shared values. And regulators are turning their focus to ESG, the most recent being the SEC with its proposed disclosure requirements for climate change.

Organizations around the world and across industries are challenged to define, implement, and report on ESG. The goal is to be an organization of integrity, ensuring that its values, ethics, statements, and commitments are a reality in practice, processes, relationships, and transactions.

However, understanding ESG is complex. As a guide, but not exhaustive, ESG covers . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SAI360 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Improving FedRAMP: Federal Procurement & Risk Management

The Federal Risk and Authorization Management Program (FedRAMP) has been in place for just over a decade (since 2011). Its purpose is to provide a “cost-effective, risk-based approach for the adoption and use of cloud services” by the federal government. It equips and enables federal agencies to utilize cloud technologies in a way that minimizes risk exposure through the security and protection of federal information and processes, and it promotes the use of secure cloud services through the standardization of security and risk assessments with corresponding controls to mitigate risk. Through FedRAMP, federal agencies gain access to FedRAMP authorized and certified cloud services that are vetted and approved to ensure they conform to controls and compliance requirements that minimize risk exposure.

However, for cloud service providers (CSPs) the FedRAMP process is not easy. It requires a great deal of defined structure, controls, and processes for the ongoing management of security controls, risk assessments, and response. FedRAMP authorization and certification can be a daunting process. Organizations seeking FedRAMP certification need to ensure they have the right security architecture and processes in place and maintained on a continuous basis, with a full audit trail and system of record of FedRAMP requirements, related activities, assessments, and controls.

Managing and maintaining FedRAMP certification in manual processes will lead to . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE IGNYTE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Operationalize Compliance to Ensure 360° Visibility into Operational Resilience 

Gone are the years of simplicity in business operations. Rapid growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping business strategy, compliance, uncertainty, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout all levels of the business.

The interconnectedness of objectives, compliance, risks, and resilience requires 360° contextual awareness of risk and resiliency. It requires holistic visibility and intelligence of risk and resiliency. Organizations need to see the intricate relationships of objectives, risks, compliance obligations, processes, and controls across the organization’s operations. The complexity of business – combined with the intricacy and interconnectedness of risk and compliance – necessitates that the organization implements a strategic approach to operational resilience.

The past few years have taught us lessons, such as . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

How do you add compliance controls in different parts of your business?

Organizations often fail to monitor and manage compliance controls effectively in an environment that demands agility. The result is the inevitable failure of compliance, providing case studies for future generations on how poor internal control management leads to the demise of organizations, even those with strong brands.

Today’s business environment is complex. Exponential growth and change in risks, regulations, globalization, employees, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping this risk, complexity, and change in sync is a significant challenge for boards, executives, and GRC management professionals throughout all levels of the business. Organizations need to understand how to design effective compliance controls, implement them, and review whether the risks they were designed to control are effectively mitigated continuously.

Compliance control management in the modern organization is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Strategies to Drive Compliance Operationalization

Organizations need to be organizations of integrity. What we communicate to the world about our policies, compliance and ethics practices, values, code of conduct, regulatory commitments, and now ESG statements must be a reality in the organization and not fiction. The Chief Ethics and Compliance Officer (CECO) has become the Chief Integrity Officer of the organization. Integrity is a mirror: is what we tell the world about the organization truly reflected back to us in our behavior and operations?

Growing up, I was always told, and I am sure you were as well, that actions speak louder than words. Or you can talk-the-talk but can you walk-the-walk? It was an encouragement to ensure that what we tell people we do is what we actually do. That we do not live a fictitious life by portraying to the world that we are something that we really are not . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

IRM Risk Predictions 2022

IRM – Surprise! But it is not what you think. I have not changed my stance on Gartner’s misaligned Integrated Risk Management. This is the Institute of Risk Management, the real IRM, in which I am a Global Ambassador of Risk Management as well as an Honorary Life Member. They published a great report on IRM Risk Predictions 2022 in which I contributed an article. Below is my article, but I encourage you to download the whole report and give it a good read . . .

Agility is a thing of beauty. I love watching acts of agility. Take parkour for example, how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing.

There has been a lot of focus on resiliency in 2021 and moving into 2022 as we deal with the waves of the pandemic and ramifications from it. Resiliency is the capacity to recover quickly from difficulties/events, the ability of a business to spring back into shape from an event. This is critical and I see a lot of organisations moving to bring together risk management and business continuity management into what is now defined as risk and resiliency management. Business continuity management as a separate function in the organization is outdated and over the next two-to-three years we will see a mass migration to an integrated operational risk and resiliency program.

Resiliency is NOT enough though. I am seeing a lot of organisations in 2022 looking at how their risk and resiliency programs can make them more agile as well.

Agility is the ability of an organisation to move quickly and easily; the ability to think and understand quickly. Good risk management is going to clearly understand the objectives of the organisation, its performance goals, and strategy, and continuously monitor the environment for 360° situational awareness to be agile.

To see both opportunities as well as threats so the organisation can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organisation and its objectives.

Organisations in 2022 need to be agile organisations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organisation and its goals. Organisations need to be agile and resilient. Risk management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organisation so it can seize on the opportunity as well as avoid exposures and threats.

So, the organisation in 2022 needs enterprise risk and agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between enterprise risk and agility with operational risk and resiliency that organisations need to develop in today’s dynamic, distributed, and disrupted business.

To be agile and resilient, organisations also need to think creatively and not just logically about risk management in 2022 and beyond.

When we think of risk management we often think of structured approaches with complex models, mathematics, and analytics. We dive into the world of Monte Carlo analysis and Bayesian modeling. There are calculations such as Capital at Risk (CaR) or Value at Risk (VaR). The field of risk management has been dominated by left-brain thinking. Does being a right-brain thinker make me bad for risk management? I do not think so.

Historically, risk management has been dominated by left-brain thinking on risk. We have structured risk models, simulations, and analyses. We try to put uncertainty/risk in a box. As long as that box roughly resembles reality then our analysis is to some degree fairly sound. Good risk management requires structured thinking about risk and using models. As Sir Arthur Conan Doyle stated: “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”

I argue that this is not enough to be agile and resilient in 2022. Good risk management does need structured data and analysis, but it also needs to think about risk creatively. Business is complex and dynamic.

There are so many variables that can hinder us from achieving objectives. Some of these can be fairly evident and common sense, some can be very abstract, remote, and down in the weeds of the organisation. That requires creatively thinking about risk and risk event scenarios. This requires us to explore intuitively complex relationships of risks to other risks and objectives. In the words of Alvin Toffler: “You can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.”

Creatively thinking about risk, to be agile and resilient, requires good risk models from the structured risk thinkers, but then to think outside the box on how those models break down or what they do not cover. Right-brain risk thinking involves a lot of visuals of risk and going through risk scenarios. From a risk analysis point of view, I love bow-tie risk assessments. Monte Carlo simulations and such are valuable, but they also put me to sleep. I love the mind mapping analysis of a bow-tie risk assessment to visually analyze causes and effects, come up with things that are being missed, and look for ways to mitigate, transfer, and manage that risk to an objective.

Breaking Silos with GRC and Legal

Organizations take legal risks all the time but often fail to integrate these risks effectively in an environment that is continuously changing and requires agility.

Too often legal is seen as a siloed exercise and not truly integrated with the organization’s strategy, decision-making, objectives, and overall enterprise risk management strategy. This results in inevitable exposures in legal risk and compliance, providing case studies for future generations on . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Rethinking Risk Across the Enterprise

Gone are the days of simplicity in business operations. The challenges that are thrown by ever-changing regulations, distributed operations, highly competitive business landscape, evolving technologies, and huge volumes of business data encumber organizations of all sizes. Risk management has become a challenge for CXOs, as well as managers throughout all levels of the organization.

The physicist Fritjof Capra said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was indicating that biological ecosystems are complex and interconnected, and need a holistic, contextual awareness of that interconnected complexity as an integrated whole – rather than as a disconnected collection of systems and processes. Change in one area brings a cascading effect that impacts the entire ecosystem. He might as well have been talking about risk management in the modern enterprise.

Three Prerequisites of Managing Enterprise Risk Effectively

Organizations must understand the impact of intricate risks on . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE KANINI BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]