ESG – It’s Time to Up Your Game

Why Every Organization Should be Focusing on ESG

I recently wrote an article for Aravo’s new publication, Risk & Resilience. Their inaugural issue focused on the important topic of ESG, and is jam-packed with great thought leadership content from a variety of experts and perspectives. I invite you to read the article I included below, but also to check out the publication as a whole and learn from the great thought leadership included.

ESG – Environmental, Social, Governance – is a dominant focus in organizations right now, getting board-level scrutiny and attention. Organizations around the world and across industries are challenged to define, implement, and report on ESG. These pressures are coming from all directions: investors, customers, employees, regulators, and activists. The reality is that ESG has teeth, and organizations must do something about it.

Previous iterations of ESG were Corporate Social Responsibility (CSR) and Sustainability. These were often passed around the organization like a hot potato and frequently landed in the lap of marketing as a branding exercise. This is not the case with ESG; the risk exposure to the organization is too great. I find that the Corporate Compliance and Ethics Officer (CECO) is the most common role leading the coordinated/federated ESG strategy in the organization. The goal is to be an organization of integrity, ensuring that its values, ethics, statements, and commitments are a reality in its practices, processes, relationships, and transactions.

However, understanding ESG is complex. What is happening in organizations is like the parable of the blind men and the elephant. One blind man touches the tail and thinks it is a rope, another touches the body and feels a wall, and another touches a leg and says it is a tree. The same is happening with ESG as different functions/departments see what impacts them. Some focus on the E for the environment and think that is the most important since it leads the acronym ESG. Others are focused on the S, and others the G. All three are critical and intersect with each other.

As a guide (not an exhaustive list), ESG covers:

  • Environment. Climate change, natural resource utilization, pollution and waste, biodiversity, certification, carbon footprint/emissions.
  • Social. Child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity, inclusion, working conditions, health and safety, product liability.
  • Governance. Corporate governance, fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership, and structure.

The reality is that ESG does not start and stop with traditional brick-and-mortar walls and employees. Addressing ESG requires organizations to do so in the context of the extended enterprise of third-party relationships.

Martin Luther King Jr stated, “Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” This statement is true in our individual relationships, and it is true in an organization’s relationships in the extended enterprise in the context of ESG.

That is because the structure and reality of business today have changed. It is not the same as it was a few decades back. The modern organization is supported by an interrelated structure of business relationships. It is an interconnected and interdependent web of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, and others. Business today relies and thrives on third-party relationships; this is the extended enterprise, and it is the challenge of business today to manage ESG across these relationships.

The saying “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization in the context of ESG. The ability of the organization to act with integrity in the context of ESG, comply with investor and regulatory requirements, and ensure that ESG commitments and values are followed through in relationships is no easy task. The actions and behavior of these third parties impact and shape the reputation and brand of the organization. Their risk issues are the organization’s risk issues.

Third-party risk programs are about to change significantly. In the past, there was a dominant focus on information security and privacy risk in these relationships. They were also fragmented, with different departments monitoring and managing their silos of risk without seeing the big picture of risk across a third-party relationship. This is changing. The focus on ESG is restructuring how organizations define and manage risk in the extended enterprise.

In particular, pending directives and legislation with an expansive scope are expected to be passed this summer: the EU Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence, alongside Germany’s corresponding Corporate Due Diligence Act.

These laws are more than reporting requirements; they will have teeth. They are not like the United Kingdom Modern Slavery Act and California’s Transparency in Supply Chains Act. These new laws are expected to carry significant enforcement penalties and sanctions and large administrative fines (similar to anti-trust and GDPR fines). They require thorough and continuous due diligence of third-party relationships in the context of environmental practices, social and human rights, and governance to address corruption.

This is going to fundamentally change and restructure third-party risk management (TPRM) programs to address ESG in the extended enterprise. Organizations need to move beyond scattered silos of third-party risk oversight to create an integrated third-party governance program that addresses ESG throughout the extended enterprise. This unifies a single approach to govern ESG in third-party relationships and delivers a 360° contextual awareness of ESG risk in relationships.

The writing is on the wall: organizations need to fundamentally change how they approach ESG internally and across the extended enterprise. Organizations should start defining an integrated strategy for ESG to address these forthcoming requirements and stakeholder demands in a unified and consistent approach.

Thank you again for reading my contribution to Risk & Resilience! Again, I invite you to explore other great articles and interviews in the publication to gain a well-rounded understanding of ESG’s importance.

Check out Risk & Resilience’s issue on ESG

Explore Risk & Resilience on LinkedIn

Are You Headed to a Risk Management Clusterf***?

Yes, you read that correctly. Anyone who knows me knows that I am not inclined to use profanity casually. The reality is that this term, clusterf***, is a technical term.

The term has its roots in the Vietnam War, perhaps earlier. It describes a situation where there is a lot of top-down strategy (high-level officers/brass) but not enough on-the-ground information. Things look good in a strategic plan on paper, but the realities of on-the-ground operations are not appropriately considered.

Clusterf*** describes a concern I have for the trajectory of risk management strategies in organizations today. In the past, various departments of on-the-ground risk management did their own different things without any strategic direction. In the last few years, we have seen a shift of focus, propelled by some leading risk luminaries, to a top-down strategic planning view of risk in the context of performance, objectives, and strategy. This is a good thing, but I feel organizations may overcorrect and shift the pendulum too far and adopt a top-down view of risk at the cost of neglecting an understanding of risk down in the organization’s operations.

Focusing just on the top-down view of risk can lead us to disaster. It is like the butterfly effect in chaos theory, where the flutter of the butterfly’s wings in The Netherlands makes tiny atmospheric changes that can influence the development and path of a hurricane in the Gulf of Mexico. The lesson is that the little things matter as much as the strategic things.

While some of my peers seem to argue for a complete top-down view of risk . . . I state we are then headed for a risk management clusterf***. What is needed is a balance that brings both a top-down view of risk in the context of performance, objectives, and strategy management that aligns with a more traditional view of operational risk management down in the bowels, behavior, transactions, processes, and relationships of the organization.

Semantically, this is how I differentiate ERM (enterprise risk management) and ORM (operational risk management). ERM is about the top-down strategic view of risk aligned with the organization’s performance, objectives, and strategy. ORM is focused on risk in the operations, processes, and activities of the organization. ORM is part of ERM, but ERM includes strategic risk management, capital/liquidity/finance risk management, as well as operational risk management.

Good risk management understands risk from a top-down view, aligned with and integrated into performance and objectives. But it also includes a bottom-up view of risk in the processes and operations of the organization. We need a balance of both to avoid a risk management clusterf***.

Aligning Risk & Performance Management will be the discussion we will have this week on The GRC Red Flag Series, where I will be interviewing executives from Corporater as well as Soenke Thun, the Vice President Group Risk Governance at Deutsche Telekom, on how to align risk management with performance management while also maintaining a strong view of risk down in the operations of the organization.

Policy Management Maturity: Journey to an Agile Policy Management Program

Successful policy management requires the organization to provide an integrated strategy, process, information, and technology architecture to consistently govern policies across the organization. The goal is to give comprehensive, straightforward insight into policy management to identify, analyze, manage, and monitor policies in the context of operations, processes, transactions, and roles. It requires the ability to continuously monitor change and capture changes in the organization’s policies. As a result, organizations are measuring their current state and planning toward a future state of increased policy management maturity in the organization.

Mature policy management is about delivering policy that minimizes the perception of getting in the way of business and instead becomes a part of business, organizational change, and the culture of the organization. There is an element to policies that will always be inhibitive, but the right approach overcomes this by delivering well-defined processes and an engaging policy user experience that aligns with the needs of employees, integrates with organization systems, and delivers relevant policy content when and wherever it is needed.

This means maturing a connected view of policy management that automates processes and makes them more efficient, effective, and agile. This in turn enables organizations to leverage policies to ensure the integrity and culture of the organization align with its mission, vision, obligations, and values. Well-defined processes and technology for policy management make it easier to ensure policies are written, maintained, and communicated consistently across the organization.

Lacking an integrated view of policy management results in business processes, services, employees, and systems that behave like leaves blowing in the wind. An integrated and mature policy management strategy with common processes, information, and technology gets to the root of the problem. Leading organizations adopt a common strategy, framework, architecture, and shared processes to manage policies, increase efficiencies, and be agile to business, risk, and regulatory change. Mature policy management delivers better business outcomes because of stronger policy governance and improved culture and control in the context of the organization and its processes and objectives, which will:

  • Lower costs, reduce redundancy, and improve efficiencies.
  • Deliver consistent and accurate policy in context of the business.
  • Improve decision-making and insight into what is acceptable and unacceptable behavior.
  • Enable the organization to defend itself with a robust policy audit trail designed to mitigate risk and ensure integrity of the organization.

Five Stages of Policy Management Maturity

Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

Download the latest GRC 20/20 Research Report on the Policy Management Maturity Model . . .

Register for the webinar on Understanding the Journey to Policy Management Maturity . . .

Register for the next Policy Management by Design Workshop in New York on November 15th . . .

Access the Policy Management Capability Model and become a Certified Policy Management Professional . . .

Putting $$$ to It: Can You Quantify Your Risk?

As Sir Arthur Conan Doyle stated . . .

“It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”

Data is critical to risk management, and the more objective and quantitative the data is, the more value risk management provides to the risk owners in the business.

Organizations take risks all the time but fail to quantify these risks effectively in an environment that demands an understanding of the risk exposure to objectives in order to make decisions. Too often, risk management is seen as a compliance exercise and not as a truly quantitative analysis that is of value to the organization’s strategy, decision-making, and objectives. A cavalier approach to risk management, stuck in subjective and qualitative risk assessments, leads to the inevitable failure . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE LOGICGATE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Doctor Strange: Chief Risk Officer in the Multiverse of Uncertainty

Last week I looked at James Bond 007 and Risk Situational Awareness, where we explored how organizations need to be like James Bond and have full situational awareness of risk and uncertainty to objectives. This week we keep on the fictional hero theme with a look at Dr. Strange, who represents the ultimate CRO – Chief Risk Officer – managing a multiverse of uncertainty . . .

Doctor Strange is one of the most intriguing characters in the Marvel pantheon of heroes. His powers are diverse. They include his superior intelligence (as well as great martial arts skills), his ability to exert some control over time and outcomes through time loops, and his ability to see into possible futures, giving him visibility into the multiverse of possible futures and realities.

This makes Doctor Strange the ultimate prototype of the Chief Risk Officer. Risk, as defined in ISO 31000, is the effect of uncertainty on objectives. It is the job of the risk professional to manage and monitor uncertainty to objectives. So, the ultimate Chief Risk Officer is the one who can provide insight into the future and the variety of scenarios that can play out from the actions, activities, external events/developments, and transactions of the organization as it moves forward to achieve its objectives. Those objectives can be high-level entity strategic objectives, or they can be division, department, process, project, or even asset-level objectives.

The modern Chief Risk Officer sees into the multiverse of possible futures and realities of the organization and its objectives. Like Doctor Strange, the Chief Risk Officer understands possible futures to determine how they impact the achievement of the organization’s objectives. This requires the ability to understand what leads to those possible futures and which route forward best lets the organization optimize value and achieve its objectives.

This requires that the modern Chief Risk Officer have these Doctor Strange super abilities:

  • Superior intelligence. From my perspective this means that the risk professional needs to be able to enhance left-brain thinking (structured risk models) with right-brain thinking (being able to think creatively and intuitively about risk). Both together provide great risk insight into uncertainty and possible outcomes.
  • Insight into possible futures. This involves strong scenario analysis to model and analyze future scenarios of how objectives and risks play out in the context of uncertainty, to determine the best path forward for the organization.

Of course, both elements are enhanced through structured risk information and quantitative risk analysis and data, supported by good risk visualization and perspectives. That is why I am a particular fan of both Monte Carlo risk analysis and bow-tie risk analysis.

Unfortunately, the one ability that Doctor Strange has that the modern Chief Risk Officer does not have is the ability to use time loops to correct wrong decisions and errors. So, it is critical that the risk function has solid risk intelligence and scenario analysis.

I will be exploring the role of risk management in the performance and objectives of the organization in this month’s episode of The GRC Red Flag Series, where we will discuss Aligning Risk and Performance/Objective Management.

James Bond 007 and Risk Situational Awareness

I am so excited about this evening! After a long wait, I am going to the new James Bond 007 movie, No Time to Die! I am making it a big deal. A group of 12 of us are going to the nice Silverspot Cinema, which is amazing, with an incredible lounge area. I am dressing up in my black tuxedo, and my wife is going to wear an evening gown and be a Bond girl (her choice, for those that don’t like the stereotype). We are going to get a vodka martini in the lounge before the movie and enjoy the film. It is going to be a lot of fun; I wish each of you could be there with us.

James Bond is all about risk management: situational awareness of opportunity, uncertainty, and hazards. He understands and interprets everything around him to leverage it to his advantage.

Today’s organizations need James Bond risk situational awareness. Risk situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the organization because of the complexity and intricacies of risk management.

Let’s step back and look at what risk management is. If we use the ISO 31000 definition of risk: Risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. What is James Bond’s objective? What can help him in achieving those objectives? What can hinder him from achieving those objectives? What is he confident in? What is he uncertain of?

The same questions and thought processes can be asked of the organization and its objectives. In the business world, we have all sorts of objectives. They can be strategic entity-level objectives for profit, growth, and expansion. They could be division or department objectives. They can then drill into process, project, or even asset-level objectives. We need to understand and manage risk (uncertainty) in achieving those objectives.

The business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect,’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades and influences what ends up being a significant issue. Change in one area has cascading effects that impact the entire ecosystem. Dissociated risk information leaves the organization with fragments of truth that fail to show the big picture of performance, objectives, and risk/uncertainty across the enterprise. The organization has to have holistic visibility and 360° situational awareness of risk.

Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential, and sometimes chaotic, relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, the effect is proportional to the cause; in the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result is often exponential and unpredictable.

Situational risk awareness enables the organization to understand performance in the context of risk. It weighs multiple inputs from both internal and external contexts, and uses a variety of methods to analyze risk and provide qualitative and quantitative modeling.

Organizations striving to improve their GRC management capability and maturity will find they are more:

  • Aware. They have a finger on the pulse of the business and watch for a change in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
  • Aligned. They align performance, risk management, and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated risk capability to those of the entity and giving strategic consideration to information from the risk management capability to affect appropriate change.
  • Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organization needs to know to make the right decisions.
  • Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Risk management enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
  • Resilient. The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary to adapt and respond to opportunities rapidly.
  • Efficient. They build business muscle and trim the fat to rid expense from unnecessary duplication, redundancy, and misallocation of resources; to make the organization leaner overall with enhanced GRC capability and related decisions about the application of resources.

Stay tuned for next week as we look at Dr. Strange, the Chief Risk Officer in the Multiverse of Uncertainty . . .

The Foundation of ESG is in Policy Management

Martin Luther King Jr stated:

“Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.”

This statement is valid on a personal level, but it is also true at an organizational level. The actions and behavior of organizations impact and shape the world we live in today and into the future.

Organizations need to address environmental, social, and governance (ESG) practices and reporting. Stakeholders, customers, employees, and investors want to ensure that the companies they interact with and invest in share the same values and commitments that they do. Regulators are keenly interested in ESG practices as governments enforce sustainability, social justice, and corporate governance standards. 

The heart of ESG is about the integrity of the organization. ESG covers a broad spectrum of a company’s conduct:

  • E = Environmental: Measures and reports on the organization’s values and commitments regarding stewardship of the natural world and environment. It includes reporting and monitoring the organization’s environmental initiatives for climate change, waste management, pollution, resource use and depletion, greenhouse gases, etc.
  • S = Social: Measures and reports on the organization’s values and commitments regarding how it treats people. This includes employee and customer/partner relations, human rights (e.g., anti-slavery), diversity and inclusion, anti-harassment and discrimination, the privacy of individuals (both employees and others), working conditions and labor standards (e.g., child labor, forced labor, health and safety), and how the company participates in and gives back to society and the communities it operates within.
  • G = Governance: Measures and reports on the culture and behaviors of the organization in context of, and alignment to, its values and commitments. This includes finance and tax strategies, whistleblower and issue reporting, resiliency, anti-bribery and corruption, security, board/executive diversity and structure, and overall transparency and accountability.

In order for an organization to do ESG reporting, it has to have something to report against. This requires that an ESG program be built on the policies of the organization.

The very foundation of an ESG strategy is an organization’s policies starting with a code of conduct and filtering down into the breadth of policies that support the many dimensions of the E, S, and G in ESG. It is in the policies that what is acceptable and not acceptable is defined. Policies define the behavior of individuals/roles, transactions, processes, and relationships of the organization.

You cannot have an ESG program without policies. Policies define the organization’s conduct, values, ethics, and controls to address risk and ensure that it reliably achieves its objectives, including ESG-related objectives.

Any organization developing an ESG program should have the following in place:

  • Policy framework and index. An organization should have an overall policy management framework and an index of all of the organization’s policies. Unauthorized policies (rogue policies) can put a significant legal liability and duty of care on the organization. This index should tag the range of policies that apply to the ESG strategy and reporting of the organization, starting with the code of conduct and mapping across department policies.
  • Consistent template and style guide for policies. ESG-related policies are to be consistently written, conforming to the organization’s ‘policy on writing policies’ and style guide. Policies need to be published in an approved template to ensure they are easily recognizable as an official policy of the organization.
  • Singular portal for policies. All policies should be easily accessible through a singular portal by employees and other stakeholders. When policies are scattered on different department portals, they tend to be managed inconsistently and confuse employees. A strong ESG culture means good policy engagement and easy accessibility to policies.
  • Training and education. For ESG policies to be effective, the individual roles in the organization must be properly trained on the policies in their particular context within the organization.
  • Processes for monitoring and enforcement. Well-written ESG policies are not enough; they have to be enforced. This means regular audits/assurance activities to measure that policies are adhered to, which then feed into ESG reporting.
  • Issue reporting. The organization also needs clearly defined pathways to report ESG policy non-compliance issues, complaints, and incidents. This can be through hotlines, management reports, and other vehicles such as surveys and feedback.

Guidance on how to implement these elements can be found in the open-source (free) Policy Management Capability Model at www.PolicyManagementPro.com.

When the organization does ESG reporting, these reports are built off of the organization’s policies and measure the adherence/conformance to these policies. Without clearly defined, communicated, and enforced ESG-related policies, the organization has nothing to measure and report from. Policies are the foundation of an ESG program.

Managing & Communicating Policies in the “NEW NORMAL”

Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s values, boundaries, practices, and expectations. Policies are the vehicle to ensure culture is defined and does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strongly embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives. 

Policy management has been one of the hottest topics in my GRC research for the past few years. When the pandemic hit and lockdowns started in March of 2019, I found my interactions increased. Organizations restructured their strategy, processes, and roles in the context of a work-from-home environment. In this process, they found policy management to be a complete mess of a disaster internally. Several organizations found that they had over 20 policy portals in their environment, and policies looked different, were written in different styles, used terms inconsistently, and were out of date. Employees were scrambling to try to find policies in the work-from-home environment and were very confused.

During and coming out of the pandemic, organizations find policy management to be a critical element to communicate confidence, ease employees’ frustration and concern, reinforce a strong culture of ethics, and provide stability in the midst of uncertainty. Organizations have been working hard to address consistency in policy management, authoring, and engagement across departments and to deliver a singular portal for policies that engages employees in a hybrid, dynamic environment.

I see even more attention to policies and policy management as we come out of the pandemic. Many organizations are maintaining a remote workforce and see the need to have an intuitive and engaging policy portal for employees and consistency in policy management.

There is also heightened concern about rogue, unauthorized policies that open the door to legal liability and duty-of-care obligations, particularly when managers at different levels think they are a little smarter than the rest of the organization and write what they think the COVID-19 related policies should be (e.g., personal safety equipment, vaccine policy). A lot of attention is being focused on structured policy management programs that provide a singular interface and process for all official and approved policies in the organization, reducing exposure to rogue, unauthorized policies.

Policy Management by Design Workshops New Content . . .

I am so excited that my most popular GRC workshop, Policy Management by Design, is back in person for deep, interactive, and free training on policy management! These workshops are interactive and engaging, a place to learn not only from GRC 20/20 but also from each other. It is a great place to meet your peers in policy management and broader GRC and to share your challenges and experiences and learn from others.

What is really exciting . . . there is all new content for this workshop! The updated workshop includes a structured approach to policy management found in the official Policy Management Capability Model. This is a free and open-source tool that I authored with OCEG and is available at www.PolicyManagementPro.com. This comes from years of experience advising on policy management programs and teaching my Policy Management by Design Workshop around the world.

Policy Management is a critical enabling element of the organization’s culture, integrity, performance, governance, and risk management. This capability should be built on a solid foundation of principles with a defined capability model that provides consistent processes and engagement on policies in your organization . . .

Anatomy of the Policy Management Capability Model

COMPONENTS

The Policy Management Capability Model is organized into five Components that outline an iterative, continuous improvement process to achieve Principled Performance in policy management. While there is an implied sequence beginning with Govern, once the capability is established, Components operate concurrently, interactively, and also symbiotically.

  • G – GOVERN — Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
  • D – DEVELOP — Establish standard methods for policy development to apply, whether creating new policies, revising existing ones for broader application, making changes in response to change in the external or internal environment, and retiring out-of-date policies.
  • C – COMMUNICATE — Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
  • E – ENFORCE — Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
  • I – IMPROVE — Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.

ELEMENTS and PRACTICES

Each Component contains Elements that outline key aspects of high-performing integrated policy management capabilities. Each Element includes Practices that outline specific management actions and controls and address documentation considerations. Elements define the core aspects of effective capabilities and can serve as the starting point for assessing the current state of your organization’s approach.  

Join us for one of the following free Policy Management by Design workshops coming to these popular cities over the next few months . . .

GRC 20/20’s Regulatory Change Management Maturity Model

Last week we looked at Regulatory Change RFP/Solution Capabilities; this week we look at how to measure the maturity and trajectory of a regulatory change management program . . .

Mature regulatory change management requires the organization to align on regulatory risk. It also involves participation across the organization at all levels to identify and monitor uncertainty and the impact of regulatory change.

GRC 20/20 has developed the Regulatory Change Management Maturity Model to determine an organization’s maturity in regulatory change management processes, as well as information and technology architecture. The GRC 20/20 Regulatory Change Management Maturity Model is summarized as follows:

Level 1 – Ad Hoc

Organizations at this stage lack a structured approach to regulatory change management and are constantly putting out fires and being caught off guard. Few, if any, resources are allocated to monitor regulatory change. The organization addresses regulatory change in a reactive mode—doing assessments when forced to. There is no ownership or monitoring of regulatory change and certainly no integration of regulatory change information and processes. Characteristics of this stage are:

  • Lack of a defined regulatory taxonomy
  • Ad hoc and reactive approaches to regulatory and business change
  • Document and email-centric approaches
  • Lack of accountability

Level 2 – Fragmented

In the Fragmented stage, departments are focused on regulatory change management within their respective functions, but information and processes are highly redundant. The organization may have limited processes for regulatory change but largely does not benefit from the efficiencies of an integrated approach. Regulatory change management is very document-centric and lacks an integrated process, information, and technology architecture. Positively, there is some structure to regulatory change responsibilities, but the management of regulatory change still lacks accountability because it is done largely in documents and emails with no structure for accountability or automation. Characteristics of this stage are:

  • Varied approaches to regulatory change
  • Lack of consistent structure
  • Lack of integration or formal processes for sharing regulatory information
  • Reliance on fragmented technology with a focus on discrete documents

Level 3 – Managed

The Managed stage represents a mature regulatory change management program that is using technology for structured workflow, task management, and accountability. Regulatory change functions have defined processes for regulatory change management, as well as an integrated information architecture supported by technology and ongoing reporting, accountability, and oversight. However, there is still no integration of regulatory content feeds into the technology platform. Characteristics of this stage are:

  • Visibility into regulatory change across the business
  • Established processes for regulatory change
  • Good use of technology to manage accountability

Level 4 – Integrated

It is at the Integrated stage that the organization begins to integrate regulatory content feeds into the technology platform for automation. The organization has a consistent regulatory taxonomy, process, information, and technology to streamline regulatory change management processes. The organization is seeing gains in addressing regulatory change through shared information that achieves greater agility, efficiency, and effectiveness in a common technology architecture that enables consistent management of regulatory change. Standardized workflow is integrated with regulatory and legal content feeds. Characteristics of this stage are:

  • Strategic approach to regulatory change across departments
  • Common process, technology and information architecture
  • Integration of legal/regulatory content feeds
  • Reporting across departments

Level 5 – Agile

At the Agile stage, the organization has completely moved to an integrated approach to regulatory change management across the organization and is leveraging artificial intelligence to make it more efficient and effective. Horizon scanning is in place to not only monitor regulatory change in the here and now, but what is coming in the future. This results in a shared-services approach in which core regulatory change technology, content, and processes are shared centrally across the organization. The approach is characterized through a mature regulatory taxonomy with integrated and actionable regulatory content, automated by technology that integrates and leverages artificial intelligence. The organization has an enterprise workflow that provides business-process automation for regulatory change with oversight and management of regulatory change. Regulatory content feeds deliver fully analyzed content that identifies relevancy, impacts, and tasks. Characteristics of this stage are:

  • Regulatory intelligence is achieved through the integration of artificial intelligence and cognitive technologies to read, map, and analyze regulatory content and impact on the organization
  • Horizon scanning is in place to monitor trending issues
  • Consistent views of regulatory change and impact on operations and policies
  • Able to efficiently manage business change in regulatory context

GRC 20/20’s Final Perspective

The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction.

The above blog is an excerpt from GRC 20/20’s latest research paper; there is much more detail on regulatory change management in the research paper, Regulatory Change Management:

Regulatory Change RFP/Solution Capabilities

Last week we looked at GRC Architecture to Manage Regulatory Change; this week we get more into the specific capabilities that technology should deliver to automate and manage the regulatory change process and make it more efficient, effective, and agile . . .

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs to analyze, track accountability, and determine the potential impact on the organization. This requires a common process to deliver real-time accountability and transparency across regulatory areas, with a common system of record to monitor regulatory change, measure impact, and implement appropriate risk, policy, training, and control updates.

Strong technology for regulatory change management has enterprise content, workflow, and task management capabilities with integration to actionable regulatory content. It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements. This involves leveraging artificial intelligence, such as natural language processing, to read regulations. Organizations are finding that machines not only read regulations exponentially faster than individuals, but they are also 30% more accurate in cataloging and mapping regulations and changes. A strong architecture for regulatory change management will encompass horizon scanning to monitor where change is trending and developing to be prepared for the future. Delivering a regulatory change management information and technology architecture involves the integration of artificial intelligence technologies to monitor and manage change and conduct horizon scanning.

Some solutions in the GRC space are delivering across these three areas and are being used to gather regulatory information, weed out irrelevant information, and route critical information to SMEs responsible for making a decision on a particular topic. This, at a minimum, requires workflow and task management capabilities, but in mature systems, it provides direct integration with regulatory content providers. These aggregators manage regulatory profiles and provide data about relevant new developments that can be routed to individuals responsible for evaluating specific regulatory subject areas. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process supported by artificial intelligence technologies that read and analyze changes and their impact on the organization’s processes, policies, and controls.

Specific capabilities to be evaluated in a GRC solution for regulatory change management include:

  • Regulatory intelligence content. At a very basic level, the solution should allow for simple manual entry of new changes and updates so they can be routed to the correct SME for analysis. More advanced solutions provide integration and automation with artificial intelligence platforms built for regulatory change to conduct horizon scanning to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory-related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
  • Cognitive GRC – artificial intelligence. Keeping up with regulatory content can be a challenge. Many organizations either hire a lot of compliance/legal experts to comb through mountains of regulatory data, or they subscribe to regulatory content subscriptions that do this. This is changing with the role of artificial intelligence applied to a GRC context called Cognitive GRC. Natural language processing, predictive analytics, and robotic process automation make regulatory change management more efficient, effective, and agile for the organization. As stated, the U.K.’s FCA Rulebook stacks to six feet tall; this would take a human a year or more to read. A machine can read it, sort it, categorize it, and link it in under a minute. Not only is a machine faster at reading regulations, but it is also more accurate. One Chief Ethics and Compliance Officer (CECO) told GRC 20/20 that they found natural language processing 30% more accurate in reading, sorting, categorizing, and linking/mapping regulations/requirements than humans. A machine stays focused; there is no mind to wander and get distracted.
  • Content management. The solution should be able to catalog and version regulations, policies, risks, controls, and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods and obsolescence rules that can be set for regulations.
  • Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. Built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations.
  • Business impact analysis. The system needs to provide the functionality to identify the impact of changes of regulations on the business environment and its operations and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed, or deactivated, the solution assesses the impact of the change and sets up the appropriate responsive actions.
  • Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications. Mapping is another area where artificial intelligence/cognitive technologies are providing greater efficiency and effectiveness value for regulatory change management.
  • Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
  • Audit trail and accountability. It is absolutely necessary that the regulatory change management solution has a full audit trail to see who was assigned a task, what they did, what was noted, when notes were updated, and what was changed. This enables the organization to provide full accountability and insight into who reviewed regulations, how, and when; to measure the impact on the organization; and to record what actions were recommended or taken.
  • Reporting capabilities. The solution is to provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are, and more. Additionally, by linking regulatory requirements to the various other aspects of the platform – including risks, policies, controls, and more – the reporting should provide an aggregate view of a regulatory requirement across multiple organizational units and business processes.
  • Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.

The above blog is an excerpt from GRC 20/20’s latest research paper; there is much more detail on regulatory change management in the research paper, Regulatory Change Management: