How to Operationalize ESG with GRC

Take advantage of GRC’s structured guidance to deliver on ESG strategy and processes.

ESG – Environmental, Social, and Governance – is pressuring organizations from every angle. Investors are making investment decisions based on the ESG practices of companies. Individual directors on boards are being voted out based on ESG metrics. Employees are making decisions on whom they work for based on shared values, as well as clients/customers. And regulators are taking focus on ESG, the most recent being the SEC with its proposed disclosure requirements for climate change.

Organizations around the world and across industries are challenged to define, implement, and report on ESG. The goal is to be an organization of integrity to ensure that the values, ethics, statements, commitments, relationships, and transactions are a reality in practice, process, relationships and transactions.

However, understanding ESG is complex. As a guide, but not exhaustive, ESG covers . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SAI360 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Improving FedRAMP: Federal Procurement & Risk Management

The Federal Risk and Authorization Management Program (FedRAMP) has been in place for just over a decade (2011). Its purpose is to provide a “cost-effective, risk-based approach for the adoption and use of cloud services” by the federal government. This is to equip and enable federal agencies to utilize cloud technologies in a way that minimizes risk exposure through security and protection of federal information and processes. It is to promote the use of secure cloud services through the standardization of security and risk assessments with corresponding controls to mitigate risk. Through FedRAMP, federal agencies gain access to FedRAMP authorized and certified cloud services that are vetted and approved to ensure they conform to controls and compliance requirements to minimize risk exposure. 

However, for cloud service providers (CSPs) the FedRAMP process is not easy. It requires a lot of defined structure, controls, and processes for ongoing management of security controls, risk assessments, and response. FedRAMP authorization and certification can be a daunting process. Organizations seeking FedRAMP certification need to ensure they have the right security architecture and processes in place and maintained on a continuous basis with a full audit trail and system of record of FedRAMP requirements, related activities, assessments, and controls. 

Managing and maintaining FedRAMP certification in manual processes will lead to . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE IGNYTE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Operationalize Compliance to Ensure 360° Visibility into Operational Resilience 

Gone are the years of simplicity in business operations. Rapid growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping business strategy, compliance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives and management professionals throughout all levels of the business.

The interconnectedness of objectives, compliance, risks, and resilience requires 360° contextual awareness of risk and resiliency. It requires holistic visibility and intelligence of risk and resiliency. Organizations need to see the intricate relationships of objectives, risks, compliance obligations, processes, and controls across the organization’s operations. The complexity of business – combined with the intricacy and interconnectedness of risk and compliance – necessitates that the organization implements a strategic approach to operational resilience.

The past few years have taught us lessons, such as . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

How do you add compliance controls in different parts of your business?

Organizations often fail to monitor and manage compliance controls effectively in an environment that demands agility. This results in the inevitable failure of compliance that provides case studies for future generations on how poor internal control management leads to the demise of organizations: even those with strong brands.

Today’s business environment is complex. Exponential growth and change in risks, regulations, globalization, employees, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping this risk, complexity, and change in sync is a significant challenge for boards, executives, and GRC management professionals throughout all levels of the business. Organizations need to understand how to design effective compliance controls, implement them, and review whether the risks they were designed to control are effectively mitigated continuously.

Compliance control management in the modern organization is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Strategies to Drive Compliance Operationalization

Organizations need to be organizations of integrity. What we communicate to the world about our policies, compliance and ethics practices, values, code of conduct, regulatory commitments, and now ESG statements is a reality in the organization and not fiction. The Chief Ethics and Compliance Officer (CECO) has become the Chief Integrity Officer of the organization. Integrity is a mirror. What we tell the world what the organization is about, is that what is truly reflected back to us in our behavior and operations?

Growing up, I was always told, and I am sure you were as well, that actions speak louder than words. Or you can talk-the-talk but can you walk-the-walk? It was an encouragement to ensure that what we tell people we do is what we actually do. That we do not live a fictitious life by portraying to the world that we are something that we really are not . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

IRM Risk Predictions 2022

IRM – Surprise! But it its not what you think. I have not changed my stance on Gartner’s misaligned Integrated Risk Management. This is the Institute of Risk Management, the real IRM in which I am a Global Ambassador of Risk Management as well as an Honorary Life Member. They published a great report on IRM Risk Predictions 2022 in which I contributed an article. Below is my article, but I encourage you to download the whole report and give it a good read . . .

Agility is a thing of beauty. I love watching acts of agility. Take parkour for example, how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing.

There has been a lot of focus on resiliency in 2021 and moving into 2022 as we deal with the waves of the pandemic and ramifications from it. Resiliency is the capacity to recover quickly from difficulties/events, the ability of a business to spring back into shape from an event. This is critical and I see a lot of organisations moving to bring together risk management and business continuity management into what is now defined as risk and resiliency management. Business continuity management as a separate function in the organization is outdated and over the next two-to -three years we will see a mass migration to an integrated operational risk and resiliency program.

Resiliency is NOT enough though. I am seeing a lot of organisations in 2022 to see how their risk and resiliency programs can make them more agile as well.

Agility is the ability of an organisation to move quickly and easily; the ability to think and understand quickly. Good risk management is going to clearly understand the objectives of the organisation, its performance goals, and strategy, and continuously monitor the environment for 360  situational awareness to be agile.

To see both opportunities as well as threats so the organisation can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organisation and its objectives.

Organisations in 2022 need to be agile organisations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organisation and its goals. Organisations need to be agile and resilient. Risk management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organisation so it can seize on the opportunity as well as avoid exposures and threats.

So, the organisation in 2022 needs enterprise risk and agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between enterprise risk and agility with operational risk and resiliency that organisations need to develop in today’s dynamic, distributed, and disrupted business.

To be agile and resilient, organisations also need to think creatively and not just logically about risk management in 2022 and beyond.

When we think of risk management we often think of structured approaches with complex models, mathematics, and analytics. We dive into the world of Monte Carlo analysis, and Bayesian modeling. There are calculations such as Capital at Risk (CaR) or Value at Risk (VaR). The field of risk management has been dominated by left-brain thinking. Does being a right-brain thinker make me bad for risk management? I do not think so.

Historically, risk management has been dominated by left-brain thinking on risk. We have structured risk models, simulations, and analyses. We try to put uncertainty/risk in a box. As long as that box roughly resembles reality then our analysis is to some degree fairly sound. Good risk management requires structured thinking about risk and using models. As Sir Arthur Conan Doyle stated: “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”

I argue that this is not enough to be agile and resilient in 2022. Good risk management does need structured data and analysis, but it also needs to think about risk creatively. Business is complex and dynamic.

There are so many variables that can hinder us from achieving objectives. Some of these can be fairly evident and common sense, some can be very abstract, remote, and down in the weeds of the organisation. That requires creatively thinking about risk and risk event scenarios. This requires us to explore intuitively complex relationships of risks to other risks and objectives. In the words of Alvin Toffler: “You can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.”

Creatively thinking about risk, to be agile and resilient, requires good risk models from the structured risk thinkers, but then to think outside the box on how those models break down or what they do not cover. Right-brain risk thinking involves a lot of visuals of risk and going through risk scenarios. From a risk analysis point of view, I love bow-tie risk assessments. Monte Carlo simulations and such are valuable, but they also put me to sleep. I love the mind mapping analysis of a bow-tie risk assessment to visually analyze causes and effects, come up with things that are being missed, and look for ways to mitigate, transfer, and manage that risk to an objective.

Breaking Silos with GRC and Legal

Organizations take legal risks all the time but often fail to integrate these risks effectively in an environment that is continuously changing and requires agility.

Too often legal is seen as a siloed exercise and not truly integrated with the organization’s strategy, decision-making, objectives, and overall enterprise risk management strategy. This results in inevitable exposures in legal risk and compliance, providing case studies for future generations on . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Rethinking Risk Across the Enterprise

Gone are the days of simplicity in business operations. The challenges that are thrown by ever-changing regulations, distributed operations, highly competitive business landscape, evolving technologies, and huge volumes of business data encumber organizations of all sizes. Risk management has become a challenge for CXOs, as well as managers throughout all levels of the organization.

The physicist Fritjof Capra said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was indicating that biological ecosystems are complex, interconnected and need a holistic, contextual awareness of the complexity in interconnectedness as an integrated whole – rather than a disconnected collection of systems and processes. Change in one area brings a cascading effect that impacts the entire business ecosystem. He might as well have been talking about risk management in the modern enterprise.

Three Prerequisites of Managing Enterprise Risk Effectively

Organizations must understand the impact of intricate risks on . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE KANINI BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

A New Paradigm in Risk, Resiliency & Continuity Integration

Lacking an integrated view of risk and resilience results in business processes, services, employees, and systems that behave like leaves blowing in the wind. Organizations need to develop, nurture, and mature a risk and resilience management capability aligned with strategy, performance, and objectives that operate as a risk and resilience central nervous system. Consider the following from Steve Balmer:

“If you think of the human body, what does our nervous system let us do? It lets us hear, see, take input. It lets us think, analyze, and plan. It lets us make decisions and communicate and take action. Every company has a nervous system: companies take inputs, they think, they plan, they communicate, they take action.”

Steve Balmer, former CEO Microsoft

A risk and resilience nervous system connects with other major systems of the body and provides among others analytical capability, strategic thinking, and quick response to the environment. 

Managing risk and resilience effectively requires multiple inputs and methods of modeling and analyzing risk and resiliency. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. Mature risk and resilience management is built on a cohesive and mature strategy, process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events. 

This means maturing an integrated view of risk and resilience management that automates and makes processes more efficient, effective, and agile. This in turn enables organizations to spend more time focusing on the analysis of risk in the context of the organization, its strategy, and objectives to enable not only resilience but also agility. Technology makes it easier to share data, while still maintaining the independence of thought and action across the organization. 

Integrated and mature risk and resilience strategy with common processes, information, and technology gets to the root of the problem. Leading organizations adopt a common strategy, framework, architecture, and shared processes to manage risk and resilience, increase efficiencies, and be agile in response to the needs of a dynamic and distributed business environment. Mature risk and resilience deliver better business outcomes because of stronger risk governance in the context of the organization and its processes and objectives, which will deliver:

  • Efficiency. Lower costs, reduce redundancy, and improve efficiencies.
  • Effectiveness. Deliver timely, consistent, and accurate information.
  • Agility. Improve decision-making and insight into what is happening across risks and operations.

Organizations need to be intelligent about what risk and resiliency management processes and technologies they deploy. A sustainable risk and resilience strategy means looking to the future and mitigating risk, as opposed to putting out fires. It requires that the following risk and resilience elements are in place:

  • Understand your risk. An organization must have a risk-based approach to managing resilience and continuity of operations and services. This includes ongoing monitoring of risk in a dynamic environment as the business is continuously changing and so are its risks to strategy, operations, processes, and services. Risk assessments should cover exposure in specific processes, services, relationships, and geographies.
  • Approach resilience in proportion to risk. How an organization implements risk treatment procedures and controls is based on the proportion of risk it faces. If a certain area of the organization or a business partner carries a higher risk of failure, the organization must respond with stronger resilience controls. 
  • Tone at the top. The risk and resilience program must be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Management must communicate that they support the risk and resilience program. At the same time, they must be well-informed about the effectiveness and strategies for risk and resilience initiatives.
  • Know your business and who you do business with. It is critical to establish a risk and resilience framework that catalogs risks, processes, and services. If there is a high degree of risk exposure, additional controls may be established in response. This includes knowing your third-party relationships as well as the organization is highly dependent on the extended enterprise to deliver goods and services.
  • Keep information current. Risk and resilience assessment efforts must be kept current. These are not point-in-time efforts; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk.
  • Risk and resilience oversight. The organization needs a group that is responsible for the oversight of an integrated risk and resilience strategy. This requires a collaborative relationship where business continuity/resilience reports into risk management. 
  • Established policies and procedures. Organizations need documented and up-to-date policies and procedures that define risk and resilience responsibilities and processes. This starts with an enterprise risk management policy. These requirements and processes must be clearly documented and adhered to.
  • Assessment and continuous risk monitoring. In addition to periodic risk assessment, the organization must also have regular risk and resilience monitoring activities to ensure that risk and resilience is understood in a dynamic context and how it impacts business processes, and services.
  • Manage business change. The organization must monitor for changes that introduce greater risk and resilience issues. The organization must document changes that result from observations and investigations, and address deficiencies through a careful program of change management. 

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

GRC 20/20 will be presenting in detail the market, drivers, and trends to Risk Agility, Resilience, & Integrity (ESG) in the upcoming 2022 State of the GRC Market Research Briefing on March 1st . . .

Building a Mature GRC Program: The Top 5 Considerations

Shadows haunt the organization. Today’s organization is encumbered by things like shadow processes and shadow IT. These are rogue processes and technology that get implemented in the depths of the organization without thought or conformity to a top-down integrated strategy.

The components of GRC – governance, risk management, and compliance – are in every organization. My position is that every organization does GRC. It may be ad hoc, fly-by-the-seat-of-our-pants approaches. The reality is that we have shadow GRC processes that spring up all over the organization in the bowels of operations that lack an enterprise top-down coordination and strategy. 

Too often, GRC is like the Winchester Mystery House in . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE DILIGENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]