The GRC Pundit

Here are some thoughts stemming from my Third-Party Risk Management by Design Workshop in London last week and other interactions I have had on my research. I am speaking on this topic next week at my Third-Party Risk Management by Design Workshop in Chicago, as well as a webinar on Building Resilient Supply Chains: Strategies for Success.

In today’s complex and distributed business that largely depends on extended enterprises, supplier risk and resilience have become fundamental components for maintaining operational efficiency. With the increasing interdependence amongst organizations and their suppliers, the significance of developing robust systems to manage supplier governance, risk management, and compliance associated with suppliers cannot be overstated.

Some key challenges organizations face are:

• Operational Resilience. Operational resilience refers to an organization’s ability to continue to deliver on its key business services during times of operational stress and disruption. In the context of supplier risk, this encompasses ensuring that critical suppliers are similarly resilient, preventing interruptions in the supply chain that may impact business continuity. Within extended enterprises, operational resilience necessitates carefully evaluating and monitoring each supplier’s capabilities, reliability, and stability. This integrated approach helps organizations to anticipate potential supply chain disruptions and enact measures to mitigate risks proactively, maintaining service delivery even under unpredictable circumstances.
• ESG in Supplier Risk Management. Environmental, Social, and Governance (ESG) criteria have become crucial for evaluating supplier risks. Suppliers’ ESG practices directly impact the reputation and sustainability of the hiring organization. Evaluating suppliers based on ESG metrics is integral to fostering responsible business practices, ensuring long-term sustainability, and mitigating reputational risks. The European Union has been pioneering in imposing stringent ESG standards for businesses. With regulations such as the EU Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD), organizations operating within or dealing with the EU market must ensure their suppliers comply with these elevated standards, as non-compliance can lead to hefty fines and reputational damage. This has a global impact across the world.

Developing a comprehensive supplier risk and resilience strategy is imperative to navigate the uncertainties and complexities in today’s business environment. This strategy should encompass risk identification and management and focus on building resilience within the supply chain to ensure uninterrupted service delivery.

• Risk Identification. Organizations should identify potential risks associated with each supplier, considering geopolitical stability, financial health, operational capabilities, and compliance with ESG standards.
• Continuous Monitoring. Continuous monitoring mechanisms must be implemented to track changes in identified risks and the emergence of new ones.
• Actionable Insights. Organizations should leverage technology and third-party risk intelligence to derive actionable insights from the monitored data, enabling timely decision-making and risk mitigation.

Implementing technology solutions that seamlessly integrate with third-party risk intelligence content offerings is crucial for effective supplier risk and resilience management. These technologies facilitate the efficient collection, analysis, and interpretation of vast amounts of supplier data, providing organizations with a clear and immediate understanding of their supplier risk landscape.

As businesses increasingly rely on a network of suppliers for operational success, crafting a detailed supplier risk and resilience strategy becomes non-negotiable. Such a strategy, complete with systematic processes and technologically advanced tools, assists organizations in identifying and managing supplier risks and building a resilient supply chain capable of withstanding disruptions. Given the heightened focus on operational resilience and ESG standards, especially within the European Union’s regulatory framework, companies should proactively develop, implement, and continuously improve their approach to Supplier Risk and Resilience to safeguard their operations and reputation in the dynamic global market.

Are you considering attending Third Party Risk Management by Design in Chicago next week? Here are some comments from the London attendees last week . . .

• “An engaging and valuable session on TPRM with some great insights on emerging risks (AI in the supply chain and increasing regulation) and the maturity of an integrated risk management response.  Certainly, a number of topics on which to follow up with our Supply Chain risk team” – VP Risk Advisory, Hospitality 
• “The session was set up well with some great topics to discuss round the table. It was good to see some similar trends on challenges various industries were facing regarding 3^rd Party assurance. I enjoyed the overall risk management and senior leadership endorsement, the maturity model and offboarding suppliers as key areas of development. I look forward to your next visit and workshop!” – Cyber Security Risk and Assurance Manager, Transportation
• “The workshop was very informative and covered a wide range of topics both from yourself and other attendees. Key areas that I took away from the workshop were the implications of AI on third parties both positive and negative as well as highlighting the need for oversight when offboarding suppliers.” – Head of Third Party Governance, Financial Services
• “It was a very informative experience and a lot to take away from initiating a drive from the 3^rd party program to the off-boarding of 3^rd parties suppliers. I have a lot to help me start a clearer road map in plugging the gaps within our 3^rd party management program.” – Supplier Assurance & Controls Analyst, Energy Company
• “Thanks for the session yesterday. I found it very informative and I made several pages of notes. I am planning to use the Titanic analogy as a risk awareness session for leaders and managers – with a bit of research I think I can turn it into a great case study and map out the parallels with running a business, how third parties introduce risk, communication, risk appetite, risk blindness, planning, the role of due diligence (or the lack of it), etc. You have also provided some great check lists which we can use to sense check our due diligence process for robustness and where we can improve third party risk management.” – Principal, Health and Safety, EMEA, Architecture Design Firm

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees, including suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. 

In an increasingly interconnected world, third-party risk management (TPRM) is becoming an imperative aspect of organizations. Navigating the complex maze of challenges inherent to TPRM can seem daunting.

Yesterday, I held my Third Party Risk Management by Design workshop in London. We had 51 organizations registered, with over 40 attending. Below is a summary of the challenges the attendees expressed and interacted with throughout the day. The same Third Party Risk Management by Design workshop will be in Chicago on October 13th.

The third-party risk management challenges the attendees stated that were keeping them up at night are:

• Fragmented Requirements. Often, due diligence is mired in fragmented requirements from different third-party risk functions. These functions operate in silos, each wielding its own tools and lacking a unified source of truth.
• Siloed Risk Insight. Third-party risk information is scattered across multiple departments/functions, leading to inefficiencies and, at times, contradictory and risky actions.
• Regulatory Disparities. Local regulations can often conflict with the guidelines of the head office, leading to operational hiccups. Additionally, managing compliance across jurisdictions and handing data over to third parties can be perilous.
• ESG and Due Diligence. Environmental, Social, and Governance (ESG) considerations, especially those pertaining to climate change, harmful chemicals like PFAS, and social accountability, are increasingly becoming focal points. The attendees were concerned about addressing ESG in complying with Germany LkSG and the EU CSDDD.
• Managing Outcomes of Relationships. Evaluating the material outcomes of risks in relationships is critical, as these can significantly affect an organization’s bottom line and reputation.
• Data Challenges in Third-Party Risk Intelligence. Data plays a pivotal role. However, accessing disparate third-party risk data sources and ensuring its veracity is challenging.
• The Unknowns of the Supply Chain. Understanding who constitutes the supply chain, nested entities, and determining the real executor of the work is imperative to managing risks.
• Resilience. From supplier resilience, safety, and cybersecurity to continuity, organizations must focus on building robust systems. There are significant fines and penalties for not complying with resilience regulations.
• Big Picture of TPRM. Having a strategic outlook that encapsulates the full spectrum of third-party risks is crucial. Who’s ensuring a holistic view? Are contractual arrangements under scrutiny?
• Artificial Intelligence. Technology, especially AI, can be a game-changer. While AI can streamline processes, there’s also the inherent risk in not governing it use within third-party relationships.
• Continuous Due Diligence. Relying on traditional methods like documents, spreadsheets, and emails is passé. Continual due diligence is the need of the hour.
• Social Accountability. Risks of bribery, corruption, and lack of social responsibility in third-party relationships can’t be overlooked.
• The Business Case. Building a business case for TPRM involves showcasing its value proposition and garnering top-down senior sponsorship.

The term “Third-party risk governance” or “GRC” resonates more accurately than risk management. It’s about instilling a governance culture to reliably achieve objectives in the relationship, address uncertainty and risk, and act with integrity, with a culture that fosters oversight and continual improvement. Organizations can sail smoothly in the choppy waters of third-party risks by leveraging technology and ensuring top-down buy-in. Remember, in the age of the extended enterprise, mastering TPRM isn’t just a necessity; it’s a strategic imperative.

A.I. presents significant risks to organizations regardless of whether they use the technology. There are potentially enormous reputational risks to an organization when technology like generative A.I. reaches a point where it is impossible to distinguish between actual evidence of corporate bad acts and deep fakes intended to harm the organization. This creates a novel set of risks for the organization, regulators, and the general public alike.

A.I. is also an accelerant to other risks. Generative AI could eliminate the awkward language in phishing email attempts that often make them easier to detect. That would allow foreign bad actors to level up their efforts in any language without many of the current telltale red flags. Generative A.I. has already passed the tests given to Google applicants, meaning that any bad actor now has an entry-level Google coder at their disposal to create all kinds of new malware. While there are guidelines designed to limit this type of result, bad actors will likely find workarounds.

The “simplicity risk” factor becomes far more concerning when A.I. is daisy-chained together. Just as the hurdle of linking large non-standardized distributed data sets used to be a natural brake to A.I. prep work, having one A.I. technology work on removing barriers for another A.I. technology could mean developing new models generated by A.I. with no explainability. With  A.I. having such low barriers, if that becomes the front door to creating other, more sophisticated technology, the path is set to have A.I. build A.I., which is an incredibly risky situation.

Organizations need A.I. GRC to ensure the responsible, practical, and appropriate use of A.I. technologies. A.I. GRC enables the organization to:

• Ensure A.I. systems comply with evolving laws and regulations helps prevent legal issues, financial penalties, and damage to reputation.
• Manage uncertainty and risk when A.I. can have unintended consequences, including biased decisions or privacy breaches. Effective risk management helps identify and mitigate these risks.
• Meet ethical standards, ensuring A.I. is used fairly and doesn’t perpetuate harmful biases.
• Deliver trust and transparency where A.I. GRC practices help organizations demonstrate that their A.I. systems are trustworthy and transparent, essential for customer and stakeholder confidence.
• Provide strategic business alignment where Strong A.I. GRC ensures that A.I. usage aligns with an organization’s broader strategic goals and doesn’t deviate into potentially harmful or unproductive areas. 
• Enable agility as the A.I. landscape rapidly changes; A.I. GRC practices help organizations prepare for future regulatory changes. 

A.I. GRC is necessary to ensure legal adherence and uphold ethical standards, manage risks, build trust, align with strategic goals, and prepare for the future. Organizations need A.I. GRC to ensure responsible and ethical use of A.I. technologies. 

Without a structure to govern A.I., risk exposure will grow, resulting in bad decisions from improper use, increased regulatory pressure, and legal liability and exposure. Organizations should not see A.I. GRC as simply a regulatory obligation; A.I. governance enables strategic decision-making and performance management. Short-term A.I. risk management projects may pass regulator scrutiny but fail in the long run to effectively manage risk and performance effectively.

To effectively govern A.I., organizations need a structured approach to:

• A.I. GRC Oversight. A well-defined A.I. governance framework to manage A.I. use that brings together the right roles, policies, and inventory.
• A.I. GRC Lifecycle. An end-to-end A.I. management lifecycle to manage and govern A.I. use from development/acquisition, throughout their use in the environment, including A.I. maintenance and retirement.
• A.I. GRC Architecture. Effective management of A.I. in today’s complex and dynamic business environment requires an information and technology architecture that enables A.I. GRC.

The blog above is taken from GRC 20/20’s paper on: A.I. GRC: The Governance, Risk Management & Compliance of A.I.

I will be speaking on A.I. GRC at the upcoming events:

My keynotes at the upcoming #RISK in Amsterdam and in London is on A.I. GRC

September 27 – September 28

• #RISK EU 2023: Amsterdam

ber 18 – October 19

• #RISK 2023: London

Upcoming webinars where I am speaking on A.I. GRC

October 10 @ 10:00 am – 11:00 am AEDT 

• Practical Applications of AI in Governance, Risk & Compliance

October 11 @ 12:00 pm – 1:00 pm EDT 

• How to Use AI in Third-Party Risk Management

November 7 @ 12:00 pm – 1:00 pm CST 

• Navigating the AI Landscape: Responsibility, Risks, and Compliance

Other conferences where I am presenting on A.I. topics

October 2 – October 5

• Mitratech Interact 2023

Third-Party Risk Workshops where part of the focus will be on A.I. in the Extended Enterprise

September 25 @ 10:00 am – 5:00 pm BST 

• Third-Party Risk Management by Design Workshop, London

October 13 @ 10:00 am – 4:00 pm CDT 

• Third-Party Risk Management by Design Workshop, Chicago

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise.

The European Union and the United Kingdom stand at the forefront of global trade and business partnerships. However, with increasing interconnectivity comes the challenge of managing third-party risks. For companies headquartered, operating within these jurisdictions, or in the supply/value-chain of companies that do, understanding and mitigating these risks is not only crucial for resilience but also for compliance.

The Essence of Third-Party Risk Management

Third-Party Risk Management (TPRM) involves . . .

[The rest of this blog can be read on the Diligent blog, where GRC 20/20’s Michael Rasmussen is a guest author]

The healthcare sector is ensnared in a relentless vortex of risk and regulation amid unanticipated disruptions and transformations. Navigating through this dynamic environment, healthcare entities grapple with a myriad of compliance obligations and frustrations that encompass patient safety, privacy, information security, operational practices, service delivery, billing protocols, and electronic medical records management.

Maintaining steadfast compliance and risk mitigation during times of smooth operation is challenging enough; doing so amid continuous change magnifies the challenge exponentially. Healthcare organizations frequently approach risk and compliance separately with a disjointed strategy that relies heavily on isolated documents, spreadsheets, emails, or outdated solutions, inadvertently escalating the cost, complexity, and risk of ensuring compliance.

Some of the compliance struggles within healthcare include . . .

[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

In the modern business landscape, enterprises are increasingly intertwined through complex networks of suppliers, vendors, and other third-party relationships. While this extended enterprise system brings immense benefits, like specialization and economies of scale, it also introduces challenges in terms of ESG, compliance, and operational resilience. As organizations lean more heavily on their external partners, ensuring that these partners share values, meet regulatory requirements, and can withstand potential disruptions becomes paramount.

Compliance isn’t just about adhering to laws and regulations. In the realm of supplier and vendor management, compliance also encompasses. Resilience is about how your extended enterprise responds to unforeseen challenges. Recent global events have shown that disruptions can arise rapidly, from pandemics to geopolitical tensions. A resilient supplier and vendor network can mean the difference between continuity and chaos.

It’s crucial that partners have congruent ESG objectives, commitments, values, and standards. When an organization’s suppliers and vendors comply with shared values and standards, there’s less risk of reputational damage, financial loss, or operational disruptions. Increasingly, consumers and stakeholders demand that businesses act responsibly. Ensuring that your suppliers and vendors also uphold these standards can cement your reputation as a responsible enterprise. With digital resilience, protection, and other privacy regulations taking center stage, it’s vital that your partners treat data and processes with the care and respect it demands. Any breach on their part can have ripple effects, damaging trust and possibly resulting in hefty fines. One CIO was recently personally fined £80 million pounds for a third-party risk/resilience failure.

Organizations need to consider . . .

1. Diversify Supplier Bases: Don’t put all your eggs in one basket. By diversifying, you reduce the risk of a single point of failure.
2. Regularly Review and Update Resilience Plans: Make sure every stakeholder knows their role in case of disruptions. This should include communication protocols, resource allocations, and backup suppliers.
3. Invest in Technology: Modern supply chain technologies, like blockchain and AI, can provide real-time insights, helping to identify potential choke points and ensure smoother operations.

Organizations globally are gearing up to respond to a whole range of EU regulations and UK regulations/laws that impact this intersection of resilience, ESG, compliance, and the extended enterprise.  

• EU Corporate Sustainability Reporting Directive (EU CSRD)
• EU Corporate Sustainability Due Diligence Directive (EU CSDDD)
• EU Corporate Sustainability Reporting Standard (EU CSRS)
• EU Digital Operational Resilience Act (EU DORA)
• EU Cybersecurity Resilience Act (EU CRA)
• Germany’s LkSG (Supply Chain Due Diligence Act)
• UK FCA/PRA/BoE Operational Resilience Act
• UK Senior Manager Regime/Certification Regime (SMCR – a CIO was personally fined £80 million for a third-party risk/resilience failure)
• UK Governance Code (UK SOX, recently proposed revisions . . . which require resilience statements and a focus on ESG)

Many firms in the USA and the rest of the world have to respond to these laws. If your clients/prospects are anywhere in an EU supply/value chain, then many of these apply to them. Just the first three on Corporate Sustainability (what I call the EU ESG Trifecta as they all work and support each other) impact 50,000 firms directly, but exponentially many more in vendor and supplier relationships. There is a lot of movement right now on EU DORA as organizations become aware that it has a very broad net, including anyone that services and supports the financial services industry, with a lot of downstream impact.

Organizations must understand that their reputation, operations, and success are deeply linked to their extended enterprises to truly thrive in today’s interconnected world. By ensuring compliance and resilience in supplier and vendor relationships, businesses safeguard their operations and position themselves as trusted partners in an increasingly complex ecosystem.

Ultimately, these relationships aren’t just about transactions but trust, collaboration, and shared growth. As we look toward the future, organizations prioritizing these values will undoubtedly stand out as leaders in their respective industries.

Here are some of the events GRC 20/20 is involved in on this topic over the next few months . . .

September 14th Webinars

• A risk-based approach to operational resilience: When prevention isn’t always better than a cure.
• Third-Party Risk & Resilience: From Uncertainty to Business Confidence

September 18th Webinar

• Future of GRC in Complex, Distributed & Autonomous Environments

September 20th Webinar

• 3 – Terminating: Risk Management in the Vendor Relationship Lifecycle

September 25th Workshop in London 

• Third-Party Risk Management by Design Workshop, London

September 26th Seminar/Roundtable in Amsterdam

• Designing GRC programs to Manage Risk, Regulatory Compliance, Third-party, and Digital Operational Resilience Requirements 

October 10th Webinar

• Building Resilient Supply Chains: Strategies for Success

Governance, Risk, and Compliance (GRC) isn’t merely a buzzword but an essential strategy and framework (OCEG GRC Capability Model) for corporations to succeed in today’s complex and dynamic business environment. With increasing risks and regulations, it is evident that businesses require an effective GRC strategy. But while understanding the importance of GRC is one thing, effectively implementing and managing it is another challenge altogether.

The Challenges in GRC . . .

[The rest of this blog can be read on the CAMMS blog, where GRC 20/20’s Michael Rasmussen is a guest author]

In John Donne’s famous line, “No man is an island, entire of itself; every man is a piece of the continent, a part of the main,” the seventeenth-century poet’s words are startlingly relevant to modern businesses. Translated into contemporary terms, it suggests, “No organization is an island unto itself; every organization is a piece of the broader ecosystem.”

The architecture of today’s business landscape has vastly changed, making the notion of self-contained entities antiquated. Traditional brick-and-mortar businesses, defined by physical locations and in-house employees, have transformed into intricate networks. The modern organization is now an elaborate, interconnected web of relationships that extends far beyond standard employment to include a multitude of third parties—such as suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, brokers, and partners. This growing complexity is evident in multilayered supply chains and subcontracting relationships, making it clear that the concept of an “extended enterprise” has evolved from a theoretical construct to a business imperative.

Navigating this web of relationships comes with its own set of challenges, particularly in governance, risk management, and compliance — GRC. Traditional siloed approaches to managing third-party risks and compliance are insufficient; they do not capture the holistic impact on an organization’s objectives or the interconnected nature of modern risk. A failure in third-party governance can lead to catastrophes that reverberate across an organization, damaging both its reputation and bottom line. Be it issues related to delivery timelines, ethical conduct, privacy measures, quality control, human rights, resiliency, corruption, or environmental sustainability, the organization bears ultimate responsibility.

This interconnectedness becomes even more complex when considering Environmental, Social, and Governance (ESG) criteria and the inclusion of per- and polyfluoroalkyl substances (PFAS) in the supply chain. ESG standards focus on a company’s broader impact on society, the environment, and governance practices. Misalignment of ESG criteria within the extended enterprise can expose organizations to reputational and financial risks that are often difficult to quantify but devastating in impact. For instance, if a supplier is found to be in violation of environmental norms, the onus falls upon the company to rectify. It may result in the severance of critical business relationships.

Similarly, the inclusion of PFAS, a group of man-made chemicals used in a wide range of products from textiles to packaging, in the supply chain complicates risk management due to evolving regulations and increasing public scrutiny and legal liablity over their health and environmental implications. Organizations must ensure that their third-party partners align with regulatory and organizational standards regarding PFAS, demanding a more intricate and rigorous governance process.

In recent conversations with a global hospitality firm, a global pharmaceutical firm, and a global food and beverage firm . . . they all listed ESG risks, particularly to Germany’s LkSG and now the EU CSDD, as their number one third-party/supply-chain risk. Second, they each listed PFAS as their second greatest supply chain risk.

Given the amplifying nature of risks—akin to the ‘butterfly effect’ in chaos theory, where a small event can lead to substantial consequences—businesses require a strategically integrated approach to third-party governance, risk management, and compliance (third-party GRC). The disparate data and fragmented insights yielded by a traditional department-centric approach inadequately address the nuanced complexity of today’s organizational ecosystem. Instead, companies need an integrated strategy, processes, and architecture that allow for real-time risk intelligence and comprehensive situational awareness across all third-party relationships.

In conclusion, the fabric of modern business is woven with threads of myriad third-party relationships. For organizations to reliably achieve their objectives, effectively manage uncertainty, and act with unassailable integrity, it is essential to harmonize governance, risk management, and compliance across the extended enterprise. This calls for a robust, integrated strategy that manages and anticipates the complexities and interconnected risks of our modern business landscape. This is only delivered on a robust third-party risk intelligence and management platform.

In an era characterized by ethical, social, and regulatory challenges, many organizations are finding it difficult to navigate the complex maze of compliance. Particularly in an ESG context. The daily news cycle frequently highlights companies falling short of regulatory expectations, painting a picture that corporate ethics is often judged by what firms do when they believe no one is watching.

Understanding the Compliance Conundrum

Compliance is not a one-size-fits-all endeavor. The larger and more global the organization, the more intricate its operational dynamics and associated compliance responsibilities become. In the ever-evolving corporate landscape, elements such as employee turnover, expansion into new markets, product launches, and changing regulations reshape the business environment constantly.

For compliance and ethics programs, this ever-shifting landscape poses unique challenges. As businesses grow and develop diverse partnerships—be it vendors, consultants, or expanding their supply chain—their compliance risk magnifies exponentially. Thus, there’s a pressing need for systems that vigilantly monitor both internal and external compliance risks.

Dismantling Compliance Silos

The age-old practice of managing compliance within isolated silos and manual processes is a recipe for disaster. It is the inevitability of failure. This fragmented approach:

• Promotes Redundancy. The organization wastes time and resources on redundant tasks using unique processes and approaches for each compliance function.
• Reduces Visibility. Different departments may use various methods for compliance checks, making it hard to have a holistic view of enterprise-wide compliance risks.
• Compounds Complexity. Non-uniform processes introduce ambiguity and confusion, leading to increased compliance and ethical risks, as well as gaps in compliance.
• Diminishes Agility. With every compliance area following different and non-integrated approaches, the organization finds it hard to pivot quickly in the face of change.
• Elevates Compliance Risk Exposure. By only focusing on immediate function needs and ignoring enterprise-wide interdependencies, businesses inadvertently create more compliance exposure and it impacts the ethical culture of the organization.

Rethinking Compliance Management

While many organizations are diligent about meeting legal and compliance obligations, the realm of compliance is rapidly transforming. It’s not just about addressing legal requirements but acting as the pillar of corporate integrity.Today’s compliance is evolving beyond just ticking regulatory checkboxes. It’s about championing corporate integrity. As a result, compliance departments are being granted greater autonomy and are increasingly reporting directly to CEOs or boards, especially in highly regulated sectors.

This shift means compliance teams need to be well-versed with the organization’s ethical, regulatory, and cultural risks, particularly in an ESG context. Relying on strong, integrated processes will ensure that compliance measures are both effective and efficient. For today’s businesses, it’s paramount that compliance isn’t just a written policy but embedded into daily operations. A robust compliance program should prioritize risks that pose the greatest threat to the organization’s values and ethos.

In summary, traditional compliance approaches are no longer viable. Boards are keen to understand the organization’s compliance framework, its efficacy, and its contribution to enhancing shareholder value. Modern challenges necessitate a comprehensive compliance program, one that is firmly rooted in integrated processes and transparent information.

Gone are the years of simplicity in business operations. Organizations today are evolving into more complex, distributed, and autonomous entities. While this evolution ushers in unprecedented growth and opportunities, it has also introduced challenges in ensuring consistent governance, risk management, and compliance (GRC). The digital age, characterized by its interconnectivity and advanced technological infrastructures, has added further challenges to this while also delivering GRC solutions in complex, distributed, and autonomous environments. Today’s organizations can be a complex array of distributed and autonomous businesses that still need some level of coordination and reporting centrally. 

The interconnectedness of risks and compliance requires 360° contextual awareness of integrated GRC within a business and across businesses. Some organizations have an operating model that allows subsidiaries and divisions autonomy but still needs centralized consistency and reporting. Professional service firms also engage diverse organizations in a consistent framework and methodology and look to do benchmarking across clients. Across these various businesses, organizations need to see the intricate relationships of objectives, risks, obligations, commitments, and controls. It requires holistic visibility and intelligence of GRC. The complexity of business necessitates that the organization implements an integrated GRC management strategy, process, and technology/information architecture that can allow distributed and diversified businesses to work autonomously but provide some consistency in management and reporting. 

Many organizations also require some level of autonomy within distributed businesses and operations while still providing centralized governance and reporting. This is also a need within professional service firms that manage a portfolio of clients in a GRC context. Organizations facing these challenges should look for technology that enables distributed and autonomous businesses to manage GRC in their context while still providing centralized governance, reporting, and benchmarking. The best reference to this is called Hub and Spoke^TM GRC (note: this is a trademarked term by one vendor in the space, 6clicks, used with permission in this blog). This allows a master entity a framework for overall governance, risk management, and compliance control and engagement across a range of diverse, distributed, and sometimes autonomous entities with specific GRC needs and privacy and isolation requirements. 

The use cases for this approach to GRC . . .

• Conglomerates/global holding companies/diversified businesses which need to track and manage GRC activities across a range of disparate entities businesses. 
• Private equity portfolios that own a range of companies and need insight into their portfolio companies in a GRC context.
• Franchises, this one has come up a few times in the past few months, providing a consistent framework for GRC management and reporting across franchises.
• Managed services/consulting/professional service firms that have established methodologies and services for GRC-related engagements across their portfolio of clients. 
• Insurance companies that must manage their brokers’ compliance (and other GRC activities) where brokers/entities can be profiled and grouped, then managed consistently to meet regulatory obligations.
• College/university campuses that house a range of entities that need to be governed in a consistent GRC context but also allow autonomy and independence. 
• Hospital networks comprising a range of complex and diversified businesses that need consistent GRC frameworks applied in different contexts. 

As you can see, the various use cases can continue. Many modern organizations are characterized by complex, distributed, and autonomous structures that present unique challenges in ensuring consistent GRC. Addressing these challenges requires a strategic GRC technology architecture that few solutions deliver in the space. Organizations need to be very selective in evaluating solutions that address these scenarios; those that do will ensure their GRC survival and carve out a competitive advantage in today’s highly complex business environment.

Curious about the solutions that can deliver this? Ask an inquiry of GRC 20/20 Research in our market coverage of the range of governance, risk management, and compliance solutions available in the market.