Gone are the years of simplicity in business operations. Rapid growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping business strategy, compliance, uncertainty, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout all levels of the business.
The interconnectedness of objectives, compliance, risks, and resilience requires 360° contextual awareness of risk and resiliency. It requires holistic visibility and intelligence of risk and resiliency. Organizations need to see the intricate relationships of objectives, risks, compliance obligations, processes, and controls across the organization’s operations. The complexity of business – combined with the intricacy and interconnectedness of risk and compliance – necessitates that the organization implements a strategic approach to operational resilience.
The past few years have taught us lessons, such as . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]
Organizations often fail to monitor and manage compliance controls effectively in an environment that demands agility. This results in the inevitable failure of compliance that provides case studies for future generations on how poor internal control management leads to the demise of organizations: even those with strong brands.
Today’s business environment is complex. Exponential growth and change in risks, regulations, globalization, employees, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping this risk, complexity, and change in sync is a significant challenge for boards, executives, and GRC management professionals throughout all levels of the business. Organizations need to understand how to design effective compliance controls, implement them, and review whether the risks they were designed to control are effectively mitigated continuously.
Compliance control management in the modern organization is . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]
Organizations need to be organizations of integrity. What we communicate to the world about our policies, compliance and ethics practices, values, code of conduct, regulatory commitments, and now ESG statements must be a reality in the organization and not fiction. The Chief Ethics and Compliance Officer (CECO) has become the Chief Integrity Officer of the organization. Integrity is a mirror: is what we tell the world the organization is about truly reflected back to us in our behavior and operations?
Growing up, I was always told, and I am sure you were as well, that actions speak louder than words. Or you can talk-the-talk but can you walk-the-walk? It was an encouragement to ensure that what we tell people we do is what we actually do. That we do not live a fictitious life by portraying to the world that we are something that we really are not . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]
IRM – Surprise! But it is not what you think. I have not changed my stance on Gartner’s misaligned Integrated Risk Management. This is the Institute of Risk Management, the real IRM, in which I am a Global Ambassador of Risk Management as well as an Honorary Life Member. They published a great report on IRM Risk Predictions 2022 in which I contributed an article. Below is my article, but I encourage you to download the whole report and give it a good read . . .
Agility is a thing of beauty. I love watching acts of agility. Take parkour for example, how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing.
There has been a lot of focus on resiliency in 2021 and moving into 2022 as we deal with the waves of the pandemic and the ramifications from it. Resiliency is the capacity to recover quickly from difficulties/events, the ability of a business to spring back into shape after an event. This is critical, and I see a lot of organisations moving to bring together risk management and business continuity management into what is now defined as risk and resiliency management. Business continuity management as a separate function in the organisation is outdated, and over the next two-to-three years we will see a mass migration to an integrated operational risk and resiliency program.
Resiliency is NOT enough though. I am seeing a lot of organisations in 2022 looking at how their risk and resiliency programs can make them more agile as well.
Agility is the ability of an organisation to move quickly and easily; the ability to think and understand quickly. Good risk management clearly understands the objectives of the organisation, its performance goals, and its strategy, and continuously monitors the environment for 360° situational awareness so the organisation can be agile: seeing both opportunities and threats so it can think and understand quickly, and be prepared to move to seize opportunities while avoiding threats/exposures to the organisation and its objectives.
Organisations in 2022 need to be agile to avoid and prevent events, but they also need agility to seize opportunities and reliably achieve (or exceed) objectives. Agility is not just the avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organisation and its goals. Organisations need to be both agile and resilient. To achieve this, risk management needs to be an integrated part of performance, objective, and strategy management, providing the situational awareness the organisation needs to seize opportunities as well as avoid exposures and threats.
So, the organisation in 2022 needs enterprise risk and agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between enterprise risk and agility with operational risk and resiliency that organisations need to develop in today’s dynamic, distributed, and disrupted business.
To be agile and resilient, organisations also need to think creatively and not just logically about risk management in 2022 and beyond.
When we think of risk management we often think of structured approaches with complex models, mathematics, and analytics. We dive into the world of Monte Carlo analysis, and Bayesian modeling. There are calculations such as Capital at Risk (CaR) or Value at Risk (VaR). The field of risk management has been dominated by left-brain thinking. Does being a right-brain thinker make me bad for risk management? I do not think so.
Historically, risk management has been dominated by left-brain thinking on risk. We have structured risk models, simulations, and analyses. We try to put uncertainty/risk in a box. As long as that box roughly resembles reality then our analysis is to some degree fairly sound. Good risk management requires structured thinking about risk and using models. As Sir Arthur Conan Doyle stated: “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”
I argue that this is not enough to be agile and resilient in 2022. Good risk management does need structured data and analysis, but it also needs to think about risk creatively. Business is complex and dynamic.
There are so many variables that can hinder us from achieving objectives. Some of these can be fairly evident and common sense, some can be very abstract, remote, and down in the weeds of the organisation. That requires creatively thinking about risk and risk event scenarios. This requires us to explore intuitively complex relationships of risks to other risks and objectives. In the words of Alvin Toffler: “You can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.”
Creatively thinking about risk, to be agile and resilient, requires good risk models from the structured risk thinkers, but then to think outside the box on how those models break down or what they do not cover. Right-brain risk thinking involves a lot of visuals of risk and going through risk scenarios. From a risk analysis point of view, I love bow-tie risk assessments. Monte Carlo simulations and such are valuable, but they also put me to sleep. I love the mind mapping analysis of a bow-tie risk assessment to visually analyze causes and effects, come up with things that are being missed, and look for ways to mitigate, transfer, and manage that risk to an objective.
Organizations take legal risks all the time but often fail to integrate these risks effectively in an environment that is continuously changing and requires agility.
Too often legal is seen as a siloed exercise and not truly integrated with the organization’s strategy, decision-making, objectives, and overall enterprise risk management strategy. This results in inevitable exposures in legal risk and compliance, providing case studies for future generations on . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]
Gone are the days of simplicity in business operations. The challenges that are thrown by ever-changing regulations, distributed operations, highly competitive business landscape, evolving technologies, and huge volumes of business data encumber organizations of all sizes. Risk management has become a challenge for CXOs, as well as managers throughout all levels of the organization.
The physicist Fritjof Capra said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was pointing out that biological ecosystems are complex and interconnected, and need to be understood with a holistic, contextual awareness of that interconnectedness as an integrated whole, rather than as a disconnected collection of systems and processes. Change in one area brings a cascading effect that impacts the entire ecosystem. He might as well have been talking about risk management in the modern enterprise.
Three Prerequisites of Managing Enterprise Risk Effectively
Organizations must understand the impact of intricate risks on . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE KANINI BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]
Lacking an integrated view of risk and resilience results in business processes, services, employees, and systems that behave like leaves blowing in the wind. Organizations need to develop, nurture, and mature a risk and resilience management capability aligned with strategy, performance, and objectives that operates as a risk and resilience central nervous system. Consider the following from Steve Ballmer:
“If you think of the human body, what does our nervous system let us do? It lets us hear, see, take input. It lets us think, analyze, and plan. It lets us make decisions and communicate and take action. Every company has a nervous system: companies take inputs, they think, they plan, they communicate, they take action.”
Steve Ballmer, former CEO, Microsoft
A risk and resilience nervous system connects with the other major systems of the body and provides, among other things, analytical capability, strategic thinking, and quick response to the environment.
Managing risk and resilience effectively requires multiple inputs and methods of modeling and analyzing risk and resiliency. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. Mature risk and resilience management is built on a cohesive and mature strategy, process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events.
This means maturing an integrated view of risk and resilience management that automates and makes processes more efficient, effective, and agile. This in turn enables organizations to spend more time focusing on the analysis of risk in the context of the organization, its strategy, and objectives to enable not only resilience but also agility. Technology makes it easier to share data, while still maintaining the independence of thought and action across the organization.
An integrated and mature risk and resilience strategy with common processes, information, and technology gets to the root of the problem. Leading organizations adopt a common strategy, framework, architecture, and shared processes to manage risk and resilience, increase efficiencies, and be agile in response to the needs of a dynamic and distributed business environment. Mature risk and resilience management delivers better business outcomes because of stronger risk governance in the context of the organization and its processes and objectives, which will deliver:
Efficiency. Lower costs, reduce redundancy, and improve efficiencies.
Effectiveness. Deliver timely, consistent, and accurate information.
Agility. Improve decision-making and insight into what is happening across risks and operations.
Organizations need to be intelligent about what risk and resiliency management processes and technologies they deploy. A sustainable risk and resilience strategy means looking to the future and mitigating risk, as opposed to putting out fires. It requires that the following risk and resilience elements are in place:
Understand your risk. An organization must have a risk-based approach to managing resilience and continuity of operations and services. This includes ongoing monitoring of risk in a dynamic environment as the business is continuously changing and so are its risks to strategy, operations, processes, and services. Risk assessments should cover exposure in specific processes, services, relationships, and geographies.
Approach resilience in proportion to risk. How an organization implements risk treatment procedures and controls is based on the proportion of risk it faces. If a certain area of the organization or a business partner carries a higher risk of failure, the organization must respond with stronger resilience controls.
Tone at the top. The risk and resilience program must be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Management must communicate that they support the risk and resilience program. At the same time, they must be well-informed about the effectiveness and strategies for risk and resilience initiatives.
Know your business and who you do business with. It is critical to establish a risk and resilience framework that catalogs risks, processes, and services. If there is a high degree of risk exposure, additional controls may be established in response. This includes knowing your third-party relationships as well, since the organization is highly dependent on the extended enterprise to deliver goods and services.
Keep information current. Risk and resilience assessment efforts must be kept current. These are not point-in-time efforts; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk.
Risk and resilience oversight. The organization needs a group that is responsible for the oversight of an integrated risk and resilience strategy. This requires a collaborative relationship where business continuity/resilience reports into risk management.
Established policies and procedures. Organizations need documented and up-to-date policies and procedures that define risk and resilience responsibilities and processes. This starts with an enterprise risk management policy. These requirements and processes must be clearly documented and adhered to.
Assessment and continuous risk monitoring. In addition to periodic risk assessment, the organization must also have regular risk and resilience monitoring activities to ensure that risk and resilience are understood in a dynamic context, including how they impact business processes and services.
Manage business change. The organization must monitor for changes that introduce greater risk and resilience issues. The organization must document changes that result from observations and investigations, and address deficiencies through a careful program of change management.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.
GRC 20/20 will be presenting in detail the market, drivers, and trends to Risk Agility, Resilience, & Integrity (ESG) in the upcoming 2022 State of the GRC Market Research Briefing on March 1st . . .
Shadows haunt the organization. Today’s organization is encumbered by things like shadow processes and shadow IT. These are rogue processes and technology that get implemented in the depths of the organization without thought or conformity to a top-down integrated strategy.
The components of GRC – governance, risk management, and compliance – are in every organization. My position is that every organization does GRC. It may be ad hoc, fly-by-the-seat-of-our-pants approaches. The reality is that we have shadow GRC processes that spring up all over the organization in the bowels of operations that lack an enterprise top-down coordination and strategy.
Too often, GRC is like the Winchester Mystery House in . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE DILIGENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]
Dynamic, Disrupted & Distributed Business is Difficult to Control
The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organization implements a strategic approach to business and operational risk and resilience.
Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping changes to business strategy, operations, and processes in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. The interconnectedness of objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resiliency. Organizations need to see the intricate relationships and impacts of objectives, risks, processes, and controls. It requires holistic visibility and intelligence into risk and resiliency.
What Have We Learned from 2020 and 2021?
2020 and 2021 brought organizations lots of disruption to objectives, operations, processes, and employees. It has been a risk and resiliency rollercoaster. Some industries and organizations failed, while others held firm and navigated events with agility. But there are lessons to be learned. These lessons showed us:
Interconnected risk. Organizations face an interconnected risk environment, and risk and resilience cannot be managed in isolation. What started as a health and safety risk became a global pandemic and had downstream risk impacts on information security, bribery and corruption, fraud, business and operational resilience, human rights, and other risk areas.
Objectives became dynamic. As the pandemic unfolded, it had a specific impact on business objectives. Adapting to the crisis, businesses had to modify their strategies, departments, processes, and project objectives in reaction to changes in risk exposure.
Disruption. Business is easily disrupted from international to local events. Organizations had to respond to disruption from the pandemic, political protests and unrest, economic uncertainty, change in business models and a work from home environment, human rights and discrimination protests, environmental disasters (particularly wildfires), and information security breaches (e.g., SolarWinds, Colonial Pipeline).
Dependency on others. No organization is an island. The past two years have shown us that disruption and the interconnectedness of risk and resilience impacts more than traditional employees and brick-and-mortar business, but also the range of third-party relationships in the extended enterprise that the organization depends upon.
Dynamic and agile business. Businesses had to react quickly to stay in business. This required agility in changing employees, reduced staff with more responsibilities, and shifting to work from home environments. All this introduced new risks, as well as a demand for engaging employees and maintaining a strong corporate culture amid global uncertainty.
Values were defined and tested. Organizations had to confront what their core values were and how they practiced those values, from treating employees and customers fairly during a crisis to how they address human rights.
The past two years have taught organizations that to be resilient requires a 360° view of objectives, risk, processes, and services within the organization and the extended enterprise.
The Risk Challenge to Boards, Executives, and Management
Organizations take risks all the time but fail to monitor and manage this risk effectively in an environment that demands agility. Too often risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives. It results in the inevitable failure of risk management, providing case studies for future generations on how poor risk and resiliency management leads to the demise of organizations – even those with strong brands.
Keeping risk, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout all levels of the organization. This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, rather than as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy. It is further compounded when business continuity programs are completely disconnected and not part of risk management. Organizations need to understand how to monitor risk-taking, measure whether the risks being taken are the right risks, and review whether those risks are managed effectively to ensure the resilience of the organization.
Risk and resiliency management in the modern organization is challenging because the organization is:
Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions which define the organization. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with fluctuating strategies, technologies, and processes while keeping pace with changes in risk. The multiplicity of risk environments that organizations must monitor spans regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts buries the organization when it is done in silos.
Disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk data across multiple systems, processes, and relationships to see the big picture of performance, risk, and resiliency. The velocity, variety, veracity, and volume of risk data are overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
Accountable. There is a growing awareness among executives and directors that risk management needs to be taken seriously. It is part of their fiduciary obligations to oversee risk management as an integrated part of business strategy and execution.
Integrated Risk & Resilience is the Way Forward
The ecosystem of business objectives, uncertainty/risk, and integrity is complex, interconnected, and requires a holistic contextual awareness of the organization – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.
This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s risk and resilience processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business.
Firms globally and across industries are focusing on integrating their risk management and resilience (historically business continuity/disaster recovery) programs. This is becoming a key regulatory requirement in some industries. Delivering this requires a holistic view of the objectives and processes of the organization in the context of uncertainty and risk, and the symbiotic interaction of risk management and business continuity.
Business or Operational Resilience?
Business resilience is broader than operational resilience and includes it. Consider the following . . .
Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
Operational resilience is a component of business resilience focused on business processes, services, people, systems, and relationships.
Operational resilience is not business continuity 2.0. It is much more than that. Operational resilience is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party risk management.
Providing 360° Integrated Awareness of Risk and Resilience
Organizations need complete 360° situational awareness and visibility into their processes, operations, objectives, and risks. What complicates this is the exponential effect of risk on the organization. The business operates in a world of chaos, and even a small event can cascade, develop, and influence what ends up being a significant issue. Dissociated siloed approaches to risk and resilience management that do not span processes and systems can leave the organization with fragments of truth that fail to see the big picture across the enterprise, as well as how it impacts their strategy and objectives. The organization needs visibility into objective and risk relationships across processes. The complexity of business and intricacy, as well as the interconnectedness of risk data, requires that the organization implement an enterprise view of risk and resilience monitoring, automation, and enforcement.
Successful risk and resilience management requires the organization to provide an integrated strategy, process, information, and technology architecture. The goal is a comprehensive straightforward insight into risk and resilience management to identify, analyze, manage, and monitor risk in the context of operations, processes, and services. It requires the ability to continuously monitor changing contexts and capture changes in the organization’s risk profile from internal and external events as they occur that can impact objectives. As a result, organizations are measuring their current state and planning toward a future state of increased risk and resilience maturity in the organization.
This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.
Looking for a path to environmental, social and governance (ESG) insights in a forest of GRC data
The last two years have shone a light on GRC – governance, risk management, compliance – processes and shifted many attitudes towards risk. Yet many organizations are left with many questions: What are the best practices to identify, analyze, monitor, and manage risks specific to your organization? Do these risk activities support future business growth, and should you implement ESG controls or reporting?
2021 was a year of resiliency as we rode the waves of the pandemic while facing mounting pressure to address ESG – environmental, social, governance – within organizations. 2022 will continue these themes of resiliency and integrity but brings in agility.
Firms globally and across industries are focusing on . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SAI360 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]