What is Business and Operational Resiliency?

Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries (e.g., financial services). This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk. Organizations are striving for business and operational resiliency, which requires integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts it.

I am seeing a lot of interest in risk management and resiliency in my research. In this context, I come across the terms business resiliency and operational resiliency. There is a difference between business resiliency and operational resiliency. I see solution providers using these terms as synonyms, or making the mistake of thinking that operational resiliency is for financial services and business resiliency is for other industries. This mistake stems from the operational resiliency regulations in the financial services industry. The reality is that all industries have operations and processes and therefore have operational resiliency concerns. All organizations have business resiliency needs as well. There is not one organization that does not have business and operational resiliency needs.

What is the difference?

Business resiliency is broad: it includes the resiliency of the organization’s strategy, liquidity/cash, diversity/hedging, and operations. So operational resiliency is part of business resiliency, just as its counterpart operational risk management (ORM) is part of, but not the same as, enterprise risk management (ERM).

Here is how I differentiate the two and show that business resilience is broader than operational resiliency but also includes operational resilience.

  • Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
  • Operational resilience is a component of business resilience focused on internal processes, services, people, systems, and relationships.

Let’s Dive Deeper into Operational Resilience

Operational resiliency is not business continuity 2.0. It is much more than that. Operational resiliency is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party GRC/risk management (for example, the FCA/BoE/PRA guidance on operational resiliency references third-party/vendor risk throughout the document).

As for definitions, let’s look at how the financial regulators define operational resilience, and I will give you my opinion on which is the best definition:

  • UK FCA: We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
  • EU DORA: ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
  • US OCC: Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
  • Basel Committee on Banking Supervision: The Committee defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption. In considering its operational resilience, a bank should take into account its overall risk appetite, risk capacity and risk profile.

Granted these definitions are focused on financial services, so let’s evaluate them objectively in a context that crosses industries (strip out the financial services specific language). 

My least favorite definition is the EU’s DORA (Digital Operational Resilience Act). This is because it focuses specifically and exclusively on digital operational resiliency. Operational resiliency is so much more than the depths and bowels of the IT department, technology, and information. Operational resiliency is also about people, processes, services, and third-party relationships. I also find the definition to be very reactive and not proactive.

Next in my order of least to best definition is the Basel definition. It is stuck in the idea of disruption and recovery, but has a broader view than DORA and does include elements of risk management. It is also another definition that is more reactive than proactive.

The US Office of the Comptroller of the Currency (OCC) definition is better. I like the fact that it specifically leads with operational risk management and takes it out of a pure business continuity context. This is good, but not good enough. I find the definition still a little weak, as it is still focused on preparing for and recovering from disruption, a reactive approach.

The UK Financial Conduct Authority provides the best definition, and I love this definition. It is the shortest definition, but the only one that takes a strong risk management approach to operational resiliency. It is the only definition that mentions PREVENT, as organizations can monitor and address situations before they impact the organization (at least in some situations). The idea of PREVENT gives this a strong governance focus that ties into objectives and strategy, steering the organization through uncertainty with the agility to avoid disruption. The other element I love about this definition is that it also references LEARN, so the organization learns from events and disruption and does not repeat the same mistakes.

The United Kingdom wins again. I personally am a fan of regulations that come out of the United Kingdom (and nearly half my interactions are in the UK). The UK brought us principle/outcome-based regulations back in the FSA days (before the FCA), which then became EU better regulatory policy. The UK is leading in accountability regime regulation with the UK SMCR and now we have Australia BEAR, Ireland SEAR, Hong Kong MIC, and Singapore IA that have followed suit. The UK FCA is leading the world in digitizing the rulebook and regulations. More work is going into the UK Modern Slavery Act with greater requirements and enforcement penalties expected. Now I have digressed into other areas . . .

What are your thoughts on business and operational resiliency? How are they different? How are they related? How would you define them?

GRC 2021: ESG, Risk Management, Compliance . . . Driving GRC Maturity

Last week we looked at the overall three strategic trends in governance, risk management, and compliance (GRC) in 2021. These were integrity, resiliency, and integration. This week we turn our attention to the tactical, but very critical, trends that are driving these three strategic trends . . .

The primary directive of a GRC management capability in 2021 is to deliver effectiveness, efficiency, and agility to the business that needs to manage integrity and resiliency in the midst of uncertainty. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks and controls across the organization. Organizations need a mature GRC capability that brings together a coordinated strategy and process. 

The strategic drivers – integrity, resiliency, and integration – are supported by several tactical trends impacting organizations in 2021. These are:

  • ESG reporting. GRC strategy and focus is turning to ESG (Environmental, Social, and Governance) reporting at a board level. ESG practices and reporting of an organization dictate the evaluation and monitoring of the organization’s environmental, social, and governance practices across the organization and its relationships. This has been a significant focus in Europe and is now gaining momentum in the USA. Bloomberg, Blackrock, Social Accountability Standards Board (SASB), and the most recent National Association of Corporate Director’s report show this as a growing board and corporate level concern. 
  • Maturing risk management. There is growing pressure to mature risk management in organizations. This includes more focus on risk quantification, aggregation, and normalization. The range of RFPs that GRC 20/20 is monitoring and advising on sees increased focus on these criteria elements. This is also moving forward through standards and regulations, such as in the German IDW PS 340 requirements. 
  • Policy management and regulatory change. Organizations across industries – but particularly financial services, healthcare, and life sciences – are seeing ongoing changes to regulations. Combined with the focus on integrity, organizations are developing enterprise policy management strategies to provide for collaborative policy authoring, management, and engagement. This includes the back-office management, monitoring, and enforcement of policies as well as the front-office engagement and awareness of policies.
  • Compliance and ethics management. It has become clear that organizations need a federated compliance management strategy. There is no single department responsible for every aspect of compliance. Compliance functions have been scattered and operating independently of each other. There is IT/information compliance, privacy compliance, HR compliance, environmental compliance, health and safety compliance, government contracting compliance, procurement compliance, quality compliance, corporate compliance and ethics, and more. Organizations are beginning to develop collaboration and federation across these compliance and ethics functions to work together yet retain their autonomy.
  • Employee engagement and culture. 2020 has forced organizations to rethink how they engage employees in 2021. Employee engagement in a remote work from home environment drove many organizations to look for new technologies to engage and communicate risks, controls, policies, and awareness.
  • Compliance and defensibility. Organizations are driven by regulators, law enforcement, external auditors, civil suits, and more to have a clear and defensible system of record of compliance activities. Regulator and law enforcement guidance, such as the updated U.S. Department of Justice Evaluation of Compliance Program Guidelines, specifically are looking for a robust system of record involving compliance activities. Defensibility also is a focus of the organization’s risk management and assurance practices.
  • Privacy. The EU’s GDPR and California’s CCPA are top of mind in many organizations in the context of increased risk exposure. CCPA is now evolving into CPRA in privacy requirements in California. The Schrems II decision in the EU has shifted strategies. There are new privacy laws coming into effect (e.g., Switzerland). 
  • Information Security. Information security remains a significant focus in 2021, particularly in the wake of the SolarWinds hack reported at the end of 2020 – which impacted over 250 organizations that use SolarWinds. The work from home environment, that is here to stay, has many organizations rearchitecting their strategy, processes, and technology for information security. 
  • Accountability Regimes. There is a sweeping array of accountability regimes/regulations that are putting personal liability on senior management functions (e.g., executives) for conduct, risk, compliance, control, and ethics issues. These individuals can be personally fined or go to jail. It started with the UK’s Senior Managers and Certification Regime (SMCR) and has cascaded into Australia’s Banking Executive Accountability Regime (BEAR), Ireland’s Senior Executive Accountability Regime (SEAR), Hong Kong’s Manager in Charge (MIC), and most recently Singapore’s Individual Accountability regime. Firms that are not headquartered in these geographies but have operations there have to comply as well.
  • Third-Party GRC/Risk Management. The interconnectedness of business is driving demand for 360° contextual awareness in the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impedes third-party relationships and the ability of the business to manage them. These elements of distributed, dynamic, and disrupted business are driving significant changes in third-party governance, risk management, and compliance strategies in organizations. 
  • Environmental. It is a central component of ESG but also stands on its own because of the critical nature of environmental issues, risk, and regulation. Environmental change is a significant focus for organizations and corporations. The World Economic Forum in its Global Risks Report each year lists environmental risks at the top. With an incoming Biden administration in the USA, there will be a renewed focus on joining Europe in environmental regulation, and this significantly impacts USA organizations. Some regulators, such as the UK FCA in the SMCR regulation, are putting pressure on organizations to have senior management functions accountable for managing climate change risk to the organization.
  • Health and Safety. The pandemic of 2020 has brought health and safety front-and-center to all aspects of governance, risk management, and compliance within the organization and in the extended enterprise. There is a renewed focus on monitoring the health and safety risks in the business from both a human rights perspective (which ties into ESG) and a resiliency perspective.
  • Greater Assurance. These drivers and trends in 2021 impact the role of internal audit and assurance functions. Audit is being tasked to do more to provide assurance across these areas. Gone are the days of audit being focused purely on internal controls of financial reporting and IT controls. Today’s audit department has to provide a range of assurance activities across operational areas and third-party relationships.
  • GRC Technology. Technology is changing to address these trends. There is a greater focus on RFPs to select solutions that are agile and easy to adapt to the business environment. They also are becoming more engaging to provide contextually relevant information in modern user interfaces to engage front-office/first-line employees, as well as having the depth of analytics and modeling for back-office/second and third line GRC functions. Technology is also embracing the move to cognitive, artificial intelligence, and robotic process automation in 2021 and beyond. 

Successful GRC management in 2021 requires the organization to provide an integrated process, information, and technology architecture. This helps to identify, analyze, manage, and monitor GRC, and to capture changes in the organization’s risk profile from internal and external events as they occur. It requires the organization to take a top-down view of risk linked to objectives, led by the executives and the board. It also involves bottom-up participation, where business functions at all levels identify and monitor uncertainty and its impact on objectives. This enables GRC management to be a seamless part of governance and operations. While that may sound like hard work – and it is – organizations that get a good grip on their GRC initiatives in 2021 have a much better chance of thriving in today’s complex business world.

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Governance, Risk Management & Compliance (GRC):

A CECO SWOT Analysis for 2021: Identifying Your Weaknesses

We are in the midst of working through a CECO SWOT Analysis to help CECO’s develop their strategy in 2021 and into the future. Last week we looked at the STRENGTHS of the typical CECO; this week we turn to WEAKNESSES.

As you look to build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and your program and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. If you are like me, you do not want to focus on weakness. But we need to identify and address our weaknesses in order to do better. Some weaknesses we can overcome ourselves; others may require outside assistance. Perhaps it means finding capabilities on your team to provide balance to your weak areas.

The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future. The typical CECO today struggles with:

  • Limited technical acumen: Most compliance roles have grown out of legal, which has often been more comfortable with . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

2021: An Integrated Focus on Business Integrity & Resiliency

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. 

The interconnectedness of objectives, risks, resiliency, and integrity requires 360° contextual awareness of integrated governance, risk management, and compliance (GRC). Organizations in 2021 need to see the intricate relationships of objectives, risks, obligations, commitments, and controls across the enterprise. This requires holistic visibility and intelligence of risk in the context of objectives. The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organization implement an integrated governance, risk management, and compliance (GRC) management strategy.

GRC is: “a capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].” There is a natural flow to the GRC acronym:

  • Governance – reliably achieve objectives. This is the governance function of GRC: to set, direct, and govern the reliable achievement of objectives. Objectives can be overall entity-level objectives, but can also be divisional, department, project, process, or even asset-level objectives. Governance involves directing and steering the organization to reliably achieve objectives.
  • Risk management – address uncertainty. This is the risk management function of GRC. ISO 31000 defines risk as “the effect of uncertainty on objectives.” Good risk management is done in the context of achieving objectives, optimizing risk-taking to ensure that the organization creates value.
  • Compliance – act with integrity. This is the compliance function of GRC. It is more than regulatory compliance; it is the adherence and integrity of the organization in meeting its commitments and obligations. These commitments and obligations can come from regulations, but can also be found in ethical statements, values, codes of conduct, ESG, and contracts.

What Have GRC Functions Learned from 2020?

2020 brought organizations lots of disruption to objectives, operations, and employees. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders. Then, racial tensions and a focus on discrimination led to reevaluating policies and conduct rules within the organization and across relationships. This was followed by more wildfires in California, disrupting businesses. And the year concluded with significant political turmoil, controversies, and a security breach in a third-party context for the history books with the SolarWinds breach. Throughout all of this was a risk and economic rollercoaster.

The year 2020 was a stress test of GRC related strategies, processes, and integration. Some industries and organizations failed, while others were resilient. But there are lessons to be learned looking back on 2020 for all. These lessons showed us:

  • Interconnected risk. Organizations face an interconnected risk environment and risk cannot be managed in isolation. What started with a health and safety risk and became a global pandemic had downstream risk impacts on information security, bribery and corruption, fraud, business and operational resiliency, human rights, and other risk areas.
  • Objectives became dynamic. As the pandemic unfolded, it had a specific impact on business objectives. Adapting to the crisis, businesses had to modify their strategies, departments, processes, and project objectives. Objectives became dynamic in reaction to changes in risk exposure. These had to be monitored in the midst of uncertainty in a state of volatility with the pandemic. 
  • Disruption. Business is easily disrupted by events from international to local. In 2020, organizations had to respond to disruption from the pandemic, political protests and unrest, economic uncertainty, changes in business models and a work from home environment, human rights and discrimination protests, environmental disasters (particularly wildfires), and one of the largest information security breaches in the SolarWinds hack, which impacted over 250 organizations and is still unraveling.
  • Dependency on others. No organization is an island. The year 2020 showed us that disruption and the interconnectedness of risk impact not only traditional employees and brick-and-mortar business, but also the range of third-party relationships the organization depends upon, as well as clients.
  • Dynamic and agile business. Business had to react quickly to stay in business in 2020. This required agility in changing employees, reduced staff with more responsibilities, and shifting to work from home environments. All this introduced new risks, as well as a demand for engaging employees and maintaining a strong corporate culture in the midst of global concern. 
  • Values were defined and tested. Organizations had to react to what their core values were and how they practiced those values. From treating employees and customers fairly in the midst of a crisis, to how they address human rights such as ethnic racism in their business, operations, and third-party relationships.

2020 taught us that reliably achieving objectives, managing uncertainty, and acting with integrity require a 360° view of governance, risk management, and compliance within the organization and across its relationships.

What Can GRC Functions Expect in 2021?

This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s GRC processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impedes the ability of the business to be agile in times of uncertainty.

The elements of distributed, dynamic, and disrupted business are driving significant changes in GRC strategies in organizations in 2021. In addressing governance, risk management, and compliance, GRC 20/20 is observing three strategic trends organizations are focusing on in 2021:

  1. Integrity. Organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2021 and how these extend and are enforced across the organization. The integrity of the organization is a front-and-center concern. Organizations see the need to define and live their corporate values in the business, its transactions, with clients, and in third-party relationships. This includes a focus on human rights, privacy, environmental standards, health and safety, corruption, conflicts of interest, compliance, how risk is managed, conduct with others (e.g., customers, partners), and security.
  2. Resiliency. Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries. This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk. Organizations are striving for business and operational resiliency, which requires integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts it.
  3. Integration. To support a federated GRC strategy in 2021 the organization will look to rearchitect its GRC technology and information architecture. This will involve moving to agile GRC solutions that can manage the range of governance, risk, and compliance needs across the organization and engage back-office risk, compliance, and assurance functions (2nd and 3rd lines), as well as front-office risk-takers and owners (1st lines). Key to this integration is the ability to provide robust analytics and contextual awareness of objectives, risks, and controls to ensure that objectives are met, while uncertainty, risk, and integrity are managed across the business. 

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Governance, Risk Management & Compliance (GRC):

A CECO SWOT Analysis for 2021: Knowing Your Strengths

Distributed, dynamic, and disrupted business is driving significant changes to compliance strategies in 2021. In addressing compliance, GRC 20/20 observes that organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2021, and how they extend and are enforced across the organization. The integrity of the organization is a front-and-center concern. Organizations see the need to define and live their corporate values in the business, its transactions, with clients, and in third-party relationships. This includes a focus on human rights, privacy, environmental standards, health and safety, corruption, conflicts of interest, compliance, how risk is managed, conduct with others (e.g., customers, partners), and security.

2020 taught organizations that they need an enterprise-wide compliance and ethics management strategy. The challenge is that there is no single department responsible for every aspect of compliance. Today, compliance functions are often scattered and operating independently of each other. There is IT/information compliance, privacy compliance, HR compliance, environmental compliance, health and safety compliance, government contracting compliance, procurement compliance, quality compliance, corporate compliance and ethics, and more. 2020 revealed that manual compliance processes slow down an organization when it needs agility. A federated compliance strategy that is agile requires an integrated compliance process, information, and technology architecture that enables the organization to reach greater levels of efficiency, effectiveness, and agility in the midst of chaos and change.

To maintain integrity in the midst of a changing and dynamic business requires collaboration across these departments, roles, and functions of compliance. 2020 has shown us that the CECO needs to step up and lead an organization-wide collaboration and strategy on federated compliance across these functions in 2021.

But is the CECO ready to step up and lead an enterprise-wide strategy for compliance across departments?

As you build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and program, and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. Let’s leverage a CECO SWOT Analysis to evaluate and measure which strengths, weaknesses, opportunities, and threats you identify with. An honest evaluation will inform your strategic plan as you prepare for the rest of 2021, and help you build a compliance and ethics program with an aim of integrity in an era of risk and change.

This week we will start with evaluating the STRENGTHS of the typical CECO. The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future.

Today’s CECO strengths come from the CECO being:

  • An enabler & leader that strives to . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Resilient Organization: From Business Resilience down into Operational Resilience

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, processes, employees, distributed operations, competitive velocity, technology, third parties, and business data make continuity a challenge.

The interconnectedness of risks requires 360° contextual awareness of the organization: from the very top-level strategy down into the bowels of processes and technology. It requires holistic visibility and intelligence of risk in the context of objectives to be resilient.

2020 brought organizations lots of disruption to objectives, operations, and employees. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders.

Then, racial tensions and a focus on discrimination led to reevaluating policies and conduct rules within the organization and across relationships. This was followed by more wildfires in California, disrupting businesses. And the year concluded with significant political turmoil, controversies, and a security breach in a third-party context for the history books with the SolarWinds breach. Throughout all of this was a risk and economic rollercoaster.

2020 was a year of change

The world of business in 2021 is distributed, dynamic, and disrupted. It is distributed and interconnected across a web of business relationships with stakeholders, clients, and third parties. It is dynamic as business changes day-by-day: processes change, employees change, relationships change, regulations and risks change, and objectives change. 

2020 was the poster child for business and third-party disruption, and it rolls into 2021. The ecosystem of business objectives, uncertainty/risk, and integrity requires contextual awareness of operations and risk to achieve resiliency – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.

This interconnectedness of risk in the business is driving demand for 360° contextual awareness to be resilient so the organization can reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business.

A new focus on resilience

The elements of distributed, dynamic, and disrupted business are driving significant changes in operational resiliency strategies in organizations in 2021. Firms globally and across industries are . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

2021 Trends in Third-Party Governance, Risk Management & Compliance (GRC)

Looking Forward in 2021: What Can Be Expected 

In the previous blog we reviewed the lessons learned in third-party risk management in 2020; we now look into 2021 and how organizations will address third-party governance, risk management, and compliance (GRC) . . .

The world of business in 2021 is distributed, dynamic, and disrupted. It is distributed across a web of relationships. It is dynamic as business and relationships change day-by-day. Processes change, employees change, relationships change, regulations change, risks change, and objectives change. The ecosystem of business relationships is complex, interconnected, and requires a holistic, contextual awareness of third-party GRC, rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem. 

This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impede third-party relationships and the business’s ability to manage them. 

This challenge is even greater when third-party risk management is buried in the depths of departments and operating from silos, rather than as an integrated discipline of decision-making that has a symbiotic relationship with the performance and strategy of relationships. 

Five Strategic Trends in Third-Party GRC in 2021 

These elements of distributed, dynamic, and disrupted business are driving significant changes in third-party governance strategies in organizations. In addressing third-party governance, risk management, and compliance, GRC 20/20 is observing five strategic trends organizations are focusing on in 2021: 

  1. Integrity. The integrity of the organization relies on the integrity of its third-party relationships. Organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2021 and how this extends and is enforced across third-party relationships. This includes a focus on human rights, privacy, environmental standards, health, safety, conduct with others (e.g., customers, partners), and security in third-party relationships. 
  2. Resiliency. The organization has to maintain operations amid uncertainty and change. This requires a holistic view of third-party relationships’ objectives and performance in the context of uncertainty and risk within those relationships. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts them. Given the reliance on third-party relationships, this requires a holistic view into the governance, risk management, and compliance of each third-party relationship and how it serves and provides value to the organization. 
  3. Governance. Third-party risk management is not enough. The organization is shifting focus in 2021 to third-party GRC management. It starts with the governance of relationships. The relationship’s objectives and sub-relationships (e.g., contracts, service levels, facilities, etc.) need to be clearly defined and governed. It is only after a clear understanding of the objectives, and the governance of those objectives, that risk and uncertainty can be managed in the context of the relationship to deliver those objectives. The organization in 2021 is going to need to develop a more assertive approach to governance of relationships to ensure greater risk, resiliency, and integrity in those relationships. 
  4. Federation. 2021 will see new third-party GRC strategies that focus on a federated approach. Instead of operating in silos of procurement, information security, privacy, compliance, ethics, quality, environmental-social-governance (ESG), and more that do not collaborate and talk to each other, the organization will develop a federated, third-party GRC strategy to manage and monitor the governance of third-party relationships, the risk (uncertainty), and compliance (integrity) within those relationships holistically. Consistency in onboarding, ongoing monitoring, auditing/inspections, incident management, assessments, and offboarding will be built across the needs of these collaborating departments. 
  5. Integration. To support a federated, third-party GRC strategy in 2021, the organization will look to re-design its third-party GRC technology and information architecture. This will involve moving to a solution that can manage the range of governance, risk, and compliance needs across third-party relationships, integrate with ERP and procurement systems, and provide robust analysis, assessment, and due diligence processes to ensure that objectives are met while uncertainty, risk, and integrity are managed in each relationship. 

Key Supporting Drivers of Third-Party GRC in 2021 

The strategic drivers – integrity, resiliency, governance, federation, and integration – are supported by several key drivers impacting organizations in 2021. These are: 

  • Defensibility. Organizations are driven by regulators, law enforcement, external auditors, civil suits, and more to have a clear and defensible system of record of third-party risk and compliance activities. Regulator and law enforcement guidance, such as the updated U.S. Department of Justice Evaluation of Compliance Program Guidelines, is specifically looking for a robust system of record covering third-party due diligence and compliance activities. 
  • ESG Reporting. The focus is turning to ESG (Environmental, Social and Governance) reporting at a board level. This has had a significant focus in Europe, and interest is gaining momentum in the USA, particularly with the new Biden administration. The recent National Association of Corporate Directors’ report shows this as a growing board and corporate level issue. An organization’s ESG practices and reporting dictate the evaluation and monitoring of third-party relationships in this context. 
  • Environmental. It is a central component of ESG but also stands on its own. Environmental change is a significant focus for organizations and corporations. The World Economic Forum, in its Global Risks Report, lists environmental risks at the top each year. With an incoming Biden administration in the USA, there will be a renewed focus on joining Europe in environmental regulations, which impacts the governance of third-party relationships from an environmental perspective. 
  • Health and Safety. The pandemic of 2020 has brought health and safety concerns front and center in all aspects of governance, risk management, and compliance, including third-party governance. There is a renewed focus on monitoring the health and safety risks in supply chains and other third-party relationships from both a human rights and a resiliency program perspective. 
  • Operational Resiliency. Firms globally and across industries are focusing on operational resiliency, which involves third-party governance, business continuity, and risk management. This concept is also a particular focus of regulators in the financial services industry. The United Kingdom’s Financial Conduct Authority, Prudential Regulation Authority, and Bank of England have been leading in operational resiliency regulation, focusing on third parties as a part of it. This has also influenced the European Union (DORA) and the United States’ Office of the Comptroller of the Currency to release operational resiliency guidance and regulation.
  • Information Security & Privacy. The EU’s GDPR and California’s CCPA are top of mind in many organizations in the context of third-party risk. The majority of data breaches happen with third parties. According to the latest Ponemon Institute Cost of a Data Breach report, a data breach’s average cost moves from $3.92 million to $4.29 million when a third party is involved. Security has become a significant focus in third-party relationships, with the SolarWinds hack being reported at the end of 2020 – impacting over 250 organizations that use SolarWinds as a vendor/supplier. 
  • Human Rights & Slavery. There is an increasing focus on legislation and regulation involving human rights and slavery. From US and EU conflict minerals rules to the California Transparency in Supply Chains Act, we have had regulation in this area for several years. The end of 2020 brought more significant reporting requirements under the UK Modern Slavery Act, and Australia is picking up enforcement of the Australia Slavery Act. These require reporting on what the organization is doing to address human rights and modern slavery across the organization and its third-party relationships. The focus on ethnic discrimination in 2020 has brought a renewed focus on discrimination practices and supply-chain/vendor code of conduct assessment and enforcement. 
  • Bribery & Corruption. Anti-bribery and corruption laws that impact third-party relationships have been in effect since 1977 with the US FCPA. Over the decades, many other countries have followed, with laws such as the UK Bribery Act, Sapin II in France, and others. Most bribery and corruption enforcement actions involve third-party due diligence and transaction issues. With the economic fall-out, lockdowns, and restrictions on imports/exports that the pandemic brought in 2020, there is an increased risk of bribery and corruption issues as we navigate these challenges and enter recovery. Law enforcement is closely monitoring these activities. 
  • Accountability Regimes. There is a sweeping array of accountability regimes/regulations that put personal liability on senior management functions (e.g., executives) for conduct, risk, compliance, control, and ethics issues. Individuals can be personally fined or go to jail. It started with the UK’s Senior Managers and Certification Regime (SMCR) and has cascaded into Australia’s Banking Executive Accountability Regime (BEAR), Ireland’s Senior Executive Accountability Regime (SEAR), Hong Kong’s Manager in Charge (MIC), and in 2020, Singapore’s new accountability regime. While broad in scope, these regulations require a senior management function to be accountable for third-party risk and control. Firms that are not headquartered in these geographies but have operations there must comply as well.

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Third-Party GRC Management.

Michael Rasmussen of GRC 20/20 will be speaking on these trends in the upcoming webinar:
2021 Trends in Third-Party Governance, Risk Management, Compliance (GRC)

Third-Party GRC: Looking Back on 2020, What Was Learned?

“Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” 

Martin Luther King, Jr. 

This statement by Dr. King is true in our conduct, and it is true in an organization’s conduct and its relationships. 

The structure and reality of business today have changed. It is not the same as it was a few decades back. Brick-and-mortar walls do not define today’s business, nor is it defined by traditional employees. The modern organization is comprised of an interrelated structure of business relationships. Roaming the hallways of an organization – when there is no pandemic lockdown forcing individuals to work from home – means crossing paths with contractors, consultants, temporary workers, and more. Today’s organization is an interconnected and interdependent web of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, etc. Business today relies and thrives on third-party relationships; this is the extended enterprise. 

The business’s ability to reliably achieve corporate objectives directly depends on the governance of third-party relationships and whether the organization can reliably achieve objectives in each relationship. The organization’s ability to manage uncertainty, risk, and resiliency requires that risk be managed in third-party relationships. The integrity and ability of the organization to comply with regulations, commitments, and values are measured in the integrity of its relationships as well. 

The saying, “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization. The modern business depends on, and is defined by, the governance, risk management, and compliance of third-party relationships to ensure the organization can reliably achieve objectives, manage uncertainty, and act with integrity in each of its third-party relationships. 

The governance, risk management, and compliance of third-party relationships (third-party GRC) is in a state of growing maturity and evolution. The year 2020 has brought many third-party management lessons through the trials and tribulations worldwide, and as a result, 2021 is aiming for greater resiliency and integrity in third-party GRC. 

Looking Back on 2020: What Was Learned 

We cannot understand the 2021 trends in third-party GRC without understanding what transpired in 2020. The last year has taught organizations many lessons in third-party management that provide the foundation for the 2021 trends. 

2020 brought organizations disruption that impacted operations and third-party relationships. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders. Then, racial tensions and a focus on discrimination led to re-evaluating conduct rules within the organization and across relationships – followed by more wildfires in California, disrupting businesses. And the year concluded with significant political turmoil, controversies, and a major security breach in a third-party context for the history books with the SolarWinds breach. 

A risk event has a domino impact on the organization and its relationships. What starts with one domino of risk has a cascading effect on other risks. Consider the 2020 global crisis and pandemic of COVID-19. It began as a health and safety risk coming out of Asia. It then had a cascading influence that caused other risks to materialize and ultimately changed the impact on organizations and their third parties. Third-party risk cannot be managed in isolation but must be understood in the complex web of interconnections of risk and objectives that play out from it. What originated as a health risk in a community in Asia now has a global impact that goes far beyond just an illness. 

Consider the following: 

  • Risk to objectives. As the pandemic unfolded, it had a specific impact on business objectives that further impacted third-party relationships’ objectives. Adapting to the crisis, businesses had to modify corporate objectives and, as a result, objectives in each relationship. Third-party relationship objectives had been modified and risk exposure had to be monitored in the uncertainty of meeting objectives in an environment of volatility with the pandemic. This plays out from the economic and business impacts of the virus. 
  • Risk of operational resilience and continuity. Organizations had increased exposure in their operations and the delivery of business processes across third parties. Business continuity in many organizations had a sole focus on IT security and disaster recovery, and they were not prepared for a pandemic of this nature. They were ready for a computer virus, but not a global, biological virus. As employees were cut, processes were changed, relationships with third parties modified, and a focus on work from home put in place . . . the organization scrambled and faced growing uncertainty and exposure. 
  • Risk of information security. With the focus on supporting a broad work from home strategy for both employees and third parties, the organization faced increased exposure to IT security issues. Home office environments are often not secure. With the Internet of Things (IoT), the light switch, blender, or TV in the third-party employee’s home could be a source of exposure to company data and connections. Further, hackers and organized crime have taken the crisis as an opportunity to infiltrate organizations and steal data. The year ended with the SolarWinds breach in a third-party context. 
  • Risk in third-party relationships. Half of the organization is typically not traditional employees but third parties. There were significant issues where service providers and outsourcers have entirely shut down because of lockdowns and were unable to support organizations and deliver services, including constrained supply chains and the inability to deliver goods. Outsourced data centers went dark and a skeleton crew of staff was left to maintain them, often remotely. 
  • Risk of integrity, culture, and control. With rapidly changing processes to address the pandemic, the organization lacked controls to monitor third-party relationship changes. With reduced staff, employees were wearing multiple hats with greater exposure to segregation of duty conflicts. Individuals, either employees or third-party, were concerned about the economy and their well-being and security. Working from home offices and not in a corporate building contributed to a culture of insecurity for many. 
  • Risk of fraud. In uncertain economic times and the unfolding of a recession, employees and third parties working on internal business systems and processes were under more stress to make ends meet. They might never think of stealing/committing fraud during normal times but may choose the wrong path when faced with economic stress and uncertainty. 
  • Risk of bribery and corruption. Constrained supply chains and pressure to meet objectives increased the risk of bribery and corruption. With customs, imports, and exports coming to a crawl in some countries, and borders shut down, there was greater corruption risk. There was heightened exposure that someone might pay a third party or foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done. 
  • Risk of modern slavery and human rights. There was great unrest over human rights worldwide; this was an issue prior to the pandemic and has only been exacerbated by it. But it goes beyond civil rights and the treatment of ethnic groups; it also extends into our facilities and supply chains. The pandemic hit certain areas of the world hard. Factories have lost employees to illness and death. As a result, there has been increased staffing with child or forced labor alongside poor and unwanted working conditions. 
  • Risk of harassment and discrimination. Unrest abounding, combined with work from home policies for employees and third parties, contributed to growing discrimination and harassment happening because of the virus and a focus of anger on ethnic groups. People working from home and not in normal office conditions do not understand that the same corporate rules and policies apply. Communications such as email, text, and video calls have become more relaxed and individuals crossed boundaries of harassment and discrimination in statements made in these remote home offices. 

The organization’s continuity and resiliency required close monitoring of third-party relationships to maintain goods, services, and transactions during the pandemic. Enterprise risks do not stop at business boundaries but extend across third-party relationships. Risks themselves are also interconnected. What started as a health and safety risk for the business and third-party relationships cascaded like dominos into resiliency/continuity risks, fraud risk, IT security risk, bribery/corruption risk, modern slavery/human rights risks, geopolitical risks, and more. 

2020 was the poster child for business and third-party disruption. It taught organizations that to reliably achieve objectives, manage uncertainty, and act with integrity requires a 360° view of third-party relationships as they serve the organization. This requires an enterprise view of third parties to monitor the interconnections and impact of uncertainty on objectives. 

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Third-Party GRC Management.

Architecting a New Paradigm in Legal Governance

Exponential growth and change in business strategy, risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Gone are the years of simplicity in business operations.

Managing the complexity of business from a legal and privacy perspective, governing information that is pervasive throughout the organization, and keeping continuous business and legal change in sync is a significant challenge for boards, executives, as well as the legal professionals in the legal department. Organizations need an integrated strategy, process, information, and technology architecture to govern legal, meet legal commitments, and manage legal uncertainty and risk in a way that is efficient, effective, and agile and extends into the broader enterprise GRC architecture.

In my previous blog, Operationalizing GRC in Context of Legal & Privacy: The Last Mile of GRC, I began this discussion, and here I aim to expound on it further from a legal context.

Legal today is more than legal matters, actions, and contracts. Today’s legal organization has to respond to incident/breach reporting and notification laws in a timely and compliant manner, respond to Data Subject Access Requests (DSAR), harmonize and monitor retention obligations, conduct eDiscovery, manage legal holds on data, and continuously monitor regulations and legislation and apply them to a business context . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Role of Legal & Legal Processes is Changing

The role of legal is growing in significance as it guides the enterprise beyond putting out the fires of legal matters. It is expanding into a proactive role in legal governance, risk management, and compliance – with a focus on preventative law and becoming a critical pillar in an organization’s broader enterprise/integrated governance, risk management, and compliance (GRC) strategy. This requires that legal be an integrated role in the organization’s proactive enterprise GRC capabilities as well as deliver on governance, risk management, and compliance in the context of legal itself, what is called Legal GRC. 

Today’s legal department must have a full understanding of the regulatory, litigation, contractual, transactional, privacy, and intellectual property risks, as well as how they all relate to each other and fit into broader business operational, transactional, and GRC processes. The role of legal must be able to rely on a well-constructed understanding of how legal risks fit into enterprise risk frameworks. The general counsel has a critical role beyond the traditional stance as “protector” of the organization and its assets (via contract negotiation, litigation, and interpretation of legal requirements) and now is an active part of the strategic planning that leads to achieving higher performance and governance of the organization. 

Legal has the opportunity to serve as the hub for collaboration about how best to balance legal risks and opportunities presented by the organization’s decisions and actions. Today’s legal function must lead the organization to higher levels of performance while assuring the board and other stakeholders that the company can also maintain integrity, mitigate risk of legal exposure, and operate within legal and ethical boundaries. This means the organization will take full advantage of opportunities that will help meet its objectives, while staying within the boundaries of laws, regulations, contracts, and corporate commitments. 

As a key player at the center of the GRC strategic team of the enterprise, the role of legal must address wide-ranging stakeholder demands and concerns to:

  • Identify key risk indicators for Legal GRC changes as they occur – which legal is aware of early due to its role in contracts or negotiations, such as merger and acquisition activity, litigation and settlements, licensing arrangements, vendor/partner contracts, and new/changing legislation and regulation.
  • Define legal and/or contractual required controls to mitigate legal risk exposure in transactions and relationships and support business strategy and objectives.
  • Lead the identification of legal requirements and interpret the need for controls to address them.
  • Monitor contractually and regulatorily imposed requirements to ensure controls are correct in the context of the dynamic business environment.
  • Participate in the design of the Legal GRC program regarding confidentiality, access limitations, and information governance.
  • Assess potential impacts of noncompliance to determine the correct level of control and allocation of legal and organizational resources.
  • Design escalation plans for issues and incidents — when should legal be involved right away, when does privilege have to attach, when does the board or external stakeholder have to be informed, and when does legal conduct certain investigations.
  • Determine actions that may have a cumulative effect; for example, settling an environmental noncompliance matter may cause government contracting debarment if not handled properly.
  • Understand new business opportunities and enable safe and responsible business growth by avoiding unnecessary legal exposure.
  • Articulate to the board why a clear and integrated view of legal governance is critical to the organization’s culture, performance, as well as their fiduciary responsibilities.
  • Manage the legal department in an optimized way that delivers effective, efficient, agile, and responsive service to the rest of the organization.
  • Demonstrate how centralized oversight and supporting technologies for Legal GRC process management drive predictable behavior and performance results.
  • Communicate the benefits of including legal risk management within business performance management and change initiatives.
  • Influence other key functional executives to support legal’s role in the GRC strategy alongside the organization’s achievement of business objectives.
  • Collaborate with key C-suite executives in developing Legal GRC processes that allow for measurable evaluation of legal effectiveness and efficiency.
  • Assist the CEO in evaluating opportunities and preventing adverse legal ramifications and risks from materializing.
  • Equip management to appreciate how an integrated Legal GRC model can improve processes while reducing or eliminating redundant efforts and be leveraged across other functions.
  • Incorporate Legal GRC management and assurance across extended business relationships (e.g., supply chain, vendors, and contractors).

Across all of these points, the role of legal must embrace a strategic view that satisfies the demands of all these forces while keeping an eye on the prize — meeting the organizational objectives for value. 

This is driving forward-thinking organizations to define and establish an expanded role for Legal GRC that goes beyond the traditional role of managing litigation, negotiating legal agreements, and protecting intellectual property. Legal is becoming a high-impact GRC advisor that addresses: 

  • Key stakeholders (investors, regulators, NGOs, local communities, etc.) demand transparency. 
  • Board and C-suite need for clear, reliable, and measurable information about legal risk that will impact strategic decisions and future outcomes. 
  • Board needs objective, independent assurance that the legal program is functioning effectively and efficiently as designed.
  • Compliance, ethics, privacy, and security in legal’s role of applying regulations and legislation to the specific business context and meeting reporting, access, disposition, and notification requirements.
  • Line of business need for matter management, issue identification, investigations, policy management, document and information management, reporting and filing, and legal risk assessments that do not disrupt operations, and are consistent to promote desired behaviors and transactions. 
  • An overarching need for improved efficiencies and reduced legal risk throughout the extended enterprise.
  • Growing the business in a safe, responsible manner that keeps it within established legal boundaries of conduct.

The above blog is an excerpt from GRC 20/20’s latest research paper, Legal GRC Management by Design.