Lessons Learned in Compliance Management in 2020

What have we learned from 2020? I think all of us have learned quite a bit in both our personal and professional lives. 2020 has stretched us as individuals and as organizations in various and unexpected ways.

There certainly was a lot of tension, reaction, loss, trials, and tribulation. But there are also positive aspects of agility, adaptation, innovation, and collaboration. It has been a year of health and safety, environmental, information security, conduct, and leadership disasters, but also a year of metamorphosis. As we look to 2021, we all hope for a phoenix rising out of the ashes to take on new heights of ingenuity and advancement.

2020 had its share of business challenges. The year started with the devastation of the Australian wildfires (and later California’s), then came COVID-19 with worldwide lockdowns and economic and health and safety crises. Not to be outdone, we saw major scandals, regulatory change, business change, and misbehavior. We now conclude the year with a major information security breach devastating government and major organizations in the SolarWinds incident.

From a compliance and ethics angle, what can we learn from 2020 and adjust to build a more resilient organization of integrity going forward?

The Compliance Management lessons learned in 2020 are:

  • Business and operational integrity . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC 20/20’s 2020 Research Year in Review

2020 was certainly a year for the history books. While it has been a roller coaster that moves on into 2021 now, it certainly had a lot of impact on governance, risk management, and compliance (GRC) strategies, processes, and technology. The keywords for 2021 are integrity and resiliency. Organizations are seeking to increase organizational integrity so that they live up to their ethics, values, commitments, and obligations in the midst of uncertainty. They are also looking to increase business and operational resiliency. I see both the terms business and operational resiliency used a lot; they are different but related. Business resiliency is the resiliency of the organization’s strategy, finance/treasury position, and operations. Operational resiliency is that last piece in business resiliency: operations. Operational resiliency looks at the risk and resiliency of the organization’s processes, functions, systems, and third-party relationships.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2020 organized by topic area. However, it is critical that I refer to three research articles from the last few months of 2019 as they have been referred back to over and over again as foresight from GRC 20/20 into what the year 2020 brought us. These are:

Now let’s look at GRC 20/20’s 2020 Research Year in Review. As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process.

Enterprise GRC and the Broad GRC Market

This starts with GRC 20/20’s flagship annual research briefing that defines, segments, sizes, and forecasts the broad GRC market and its various individual segments:

Other Enterprise GRC research publications that GRC 20/20 led in 2020 are:

Corporate Compliance & Ethics Management

Enterprise & Operational Risk Management

Policy Management

Third-Party (e.g, Vendor/Supplier) Management

Corporate Legal Management

Privacy Management

Internal Control Management

IT Risk Management

Why Spreadsheets, Documents & Emails Fail for GRC

At times I can sound like a broken record – repeating myself over, and over, and over, and over again, and again, and again. One of my prominent soapboxes over the past two decades has been the failure of spreadsheets, documents, and emails to assess, audit, manage, and monitor governance, risk management, and compliance (GRC) processes.

Yes, I acknowledge that Microsoft is the largest GRC software vendor on the planet with Word, Excel, Outlook/Exchange, and SharePoint. However, these tools, and their counterparts from Google and others, make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate principles of GRC. They are very useful tools. I use them every day in my business, but for managing GRC information they – by themselves – are not up to par.

In fact, after two decades of screaming and preaching from my GRC soapbox, I hear that the regulators are cracking down. I am in the process of substantiating this, but I have heard from a few sources that the U.S. financial services regulators are now stating that using documents and spreadsheets for audits and risk/compliance assessments (by themselves, without additional tools to enhance them) is not acceptable.

The reasons documents, spreadsheets, and emails fail for GRC are as follows . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE TRUOPS BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Complexity of Business Demands a New Paradigm in Legal Governance, Risk Management & Compliance

Understanding the Interrelationship of Legal Risk and the Business

In today’s global business environment, a broad spectrum of economic, political, social, legal, and regulatory changes is continually bombarding the organization. The organization continues to see exponential growth of regulatory requirements and legal obligations (often conflicting and overlapping) that must be met, which multiply as the organization expands global operations, products, and services. This requires an integrated approach to legal governance, risk management, and compliance (GRC) with the goal of reliably achieving objectives while addressing uncertainty and acting with integrity. This includes adherence to mandatory legal requirements and voluntary organizational values and the boundaries each organization establishes. The legal department, with responsibility for understanding matter management, issue identification, investigations, policy management, reporting and filing, legal risk, and the regulatory obligations faced by the organization, is a critical player in GRC (what is understood as Enterprise or Integrated GRC), as well as in improving GRC within the legal function itself (what is defined later in this paper as Legal GRC).

Most organizations today at least try to address the legal risks, intellectual property protection, contracts, business requirements, and compliance obligations they face. Both internal and external stakeholders and events have caused many to increase legal monitoring and reporting, especially with regard to changing laws and regulations where demands grow every day. Boards and executive management desire a deeper understanding of how their teams address legal matters, whether activities are effective and efficient, and how they can enhance activities to create the greatest reward for their shareholders and mitigate legal damage. Legal risk is a significant exposure that fits into a broader enterprise risk management strategy to address the strategic, operational, and financial risks bearing down on the organization. As this demand for transparency increases, so does the need for the legal function to manage and monitor legal risks within a defined GRC capability.

The physicist Fritjof Capra made an insightful observation on ecosystems that rings true when applied to legal governance in the modern organization:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

Fritjof Capra

Capra’s point is that ecosystems are complex, interconnected, and require a holistic understanding of the intricacy of interrelationships as an integrated whole, rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts the entire ecosystem.

Legal GRC: a New Paradigm for Governing Legal

Legal governance, risk management, and compliance as it is conducted in the business is pervasive, complex, and interconnected; when it comes down to it, legal risk and exposure go beyond the legal department as they intersect with other departments and their strategy, obligations, processes, transactions, relationships, information, and contracts. Business functions are often taking legal risks without involving legal, or legal does not have the resources to get involved.

What complicates this is the exponential effect of legal governance on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Silos of data, systems, processes, activities, and transactions can leave the organization with fragments of truth that fail to show the big picture of legal risk exposure. A legal risk, such as the handling of DSARs (data subject access requests), could uncover inappropriate use of personal information and exposure of that information, with a cascading impact on the brand and reputation as well as fines to the organization. The organization has to have holistic visibility and 360° contextual awareness of legal risk relationships across the enterprise and its operations. The complexity of business, combined with the intricacy and interconnectedness of legal data, requires that the organization implement a new strategy and paradigm for legal governance, risk management, and compliance (Legal GRC).

Legal GRC is a capability to reliably achieve the objectives of the legal department and ensure they are aligned with business objectives and needs [GOVERNANCE], while addressing legal uncertainty and exposure [RISK MANAGEMENT], and acting with integrity toward the obligations and ethical commitments of the organization [COMPLIANCE]. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, Legal GRC delivers:

  • Legal Governance. Governance of the legal function that sets direction and strategy for legal to reliably achieve objectives within the department and support the business in achieving its objectives.
  • Legal Risk Management. Legal risk management seeks to manage and understand uncertainty in the business, particularly the legal impact of activities, by the identification, assessment, and monitoring of legal risk within the context of the business, and to act on legal risk through acceptance, avoidance, mitigation, or transfer.
  • Legal Compliance. Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. Compliance follows through on legal risk treatment plans to assure that legal risk is being managed within limits and that controls are in place and functioning.

The lack of a coordinated strategy for Legal GRC management fails to deliver insight and context, rendering it nearly impossible to make a connection between legal risk management and decision-making, business strategy, objectives, and performance.

The bottom line: Organizations need to adopt a new paradigm of an integrated approach to Legal GRC. This is done through a common Legal GRC strategy, process, information, and technology architecture that supports overall legal activities, as well as integrates and supports the broader business objectives and GRC activities from an enterprise view. Organizations need to clearly define and develop the breadth and depth of their Legal GRC management strategy and process requirements, and from there select the right information and technology architecture that is agile and flexible to meet the range of Legal GRC management needs for today and into tomorrow.

The above blog is an excerpt from GRC 20/20’s latest research paper, Legal GRC Management by Design:

Operationalizing GRC in Context of Legal & Privacy: the Last Mile of GRC

At its core, GRC is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. GRC is something organizations do, not something they purchase. They govern, they manage risk, and they comply with obligations. However, there is technology to enable GRC related processes, such as legal and privacy, to be more efficient, effective, and agile.

However, too often the focus on GRC technology is limited to the process management of forms, workflow, tasks, and reporting. These are critical and important elements, but the role of technology for GRC is so much broader to operationalize GRC activities that are labor intensive, particularly in the context of legal and privacy. Simply managing forms, workflow, and tasks are no longer enough. Organizations need to start thinking how they can integrate eDiscovery and data/information governance solutions within their core GRC architecture.

What is needed is the ability to search, find, monitor, interact, and control data throughout the business environment. GRC platforms are excellent at managing forms, workflow, tasks, analytics, and reporting. But behind the scenes there are still labor-intensive tasks or disconnected solutions that actually find, control, and assess the disposition of sensitive data in the enterprise. eDiscovery and information governance solutions have been disconnected and not strategically leveraged for GRC purposes. Together, the core GRC platform that integrates with eDiscovery and information governance technologies builds exponential economies in . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Disclosure Management: Comparing Compliance Solutions

Compliance disclosures are a critical element of an organization’s compliance and ethics management program. The organization requires structured approaches to managing disclosures such as conflicts of interest, and a way to address compliance-related forms and processing for gifts, entertainment, and travel or facilitated payments. This requires the ability to intake information, route it for review and approval or denial, document exceptions, and provide a strong, defensible system of record of the entire process.

The traditional approach to disclosure management has been manual processes involving print or electronic forms that thread compliance disclosures, like conflicts of interest, through time-consuming manual processes where things often get missed, slip through cracks, or mistakes are made. Manual processes or older software treat disclosures as static entities, making it difficult, if not impossible, for employees to access or update previously filed disclosures. This results in static disclosures that are filed and forgotten, rather than living documents that contain accurate, up-to-date insight into relationships and their potential impact on the business.

The next phase of disclosure management

There is a growing demand for compliance disclosure management solutions that can be more dynamically managed to address Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas of compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

A Business Case for Integrated Third-Party GRC Across the Extended Enterprise

One of the greatest challenges to organizations today is managing the extended enterprise: the web of third-party relationships that support the business and its operations. The integrity of the organization is no longer defined by traditional brick-and-mortar walls and employees. The integrity of the organization requires continuous monitoring and control of the governance, risk management, and compliance of third-party relationships.

I argue that we should stop calling this area vendor risk management, or third-party risk management. What is needed is third-party GRC that is integrated across the business. I define third-party GRC (modifying the OCEG GRC definition) as:

Third-Party GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in each of the organization’s third-party relationships across the extended enterprise.

There are two primary items missing from traditional vendor and third-party risk management:

  1. Governance. Third-party governance involves ensuring that the organization reliably achieves the objectives of each relationship. You cannot manage risk in a relationship without clearly understanding and defining the objectives of the relationship. In fact, the official definition of risk in ISO 31000 is that risk is the effect of uncertainty on objectives. Every relationship is established for a purpose. The most fundamental element of managing risk in a relationship is whether we are achieving those objectives and measuring the uncertainty of achieving them. You cannot do third-party risk management without starting with governance first.
  2. Integration. Too many vendor and third-party risk management programs are focused on silos of risk. IT security is looking at security in third parties; privacy is looking at similar things related to personal information; compliance is looking at conflicts of interest and anti-bribery and corruption; procurement is looking at reliability and viability of suppliers and vendors; legal may be looking at intellectual property protection and contracts; ESG/CSR is looking at human rights and ethical sourcing, or perhaps conflict minerals; quality is looking at the delivery of goods and services to requirements; EH&S is looking at traceability of components and environmental impacts; business continuity is looking at resiliency in third-party relationships. Everyone has their view, but no one has a complete view of objectives, risk, and integrity in and across these relationships. For the most part, too many vendor and third-party risk management programs are exclusively fixated on IT security and privacy and not the range of other risks in these relationships.

What is needed is a federated strategy that brings 360° contextual insight into each relationship. We need to see the big picture of achieving objectives in the relationship while addressing risk and compliance. This involves a cross-department strategy to holistically address third-party GRC: a strategy that provides a framework, process, and information/technology architecture that allows greater insight into third-party GRC across procurement, IT security, privacy, legal, compliance, ethics, ethical sourcing, resiliency and continuity, and more, where the organization can get a complete report card on the performance, risk, and integrity in each of its relationships to ensure it is doing business with the right entities and achieving the objectives of the relationship.

Just as the organization has implemented client relationship management (CRM) systems, we need a similar collaborative approach to managing the other side of the organization, the extended enterprise. Where CRM systems allow marketing, sales, and service and support to get a 360° view of clients and their interactions/transactions with the organization, the same is needed in third-party management to get a complete view of third parties.

How do you get there? Here are some simple steps:

  1. Understand your current state. Inquire and find all the departments, functions, roles that have a stake in some element of third-party GRC in the organization. Find how they are approaching this, what is working well, and what is not.
  2. Define your future state. This involves developing a charter for third-party GRC to get distributed groups to work together and from there define a strategy, process, and architecture for where you want to be in three years.
  3. Build a business case. Measure the value the organization will achieve for an integrated and collaborative view across third-party GRC. Define how this will make the organization more efficient (e.g., time saved, money saved), more effective (e.g., complete view of delivery/objectives, continuous monitoring of risk, stronger relationships), and more agile (e.g., keeping up with change, being responsive to and containing issues).
  4. Start your journey. Take things in stages, break down the project plan, and start delivering on this vision.

Happy to share resources and information on this. I teach a full-day workshop on Third-Party GRC by Design and have written and advised extensively on this journey.

Delivering on Agile Compliance in Dynamic Business

Organizational exposure to compliance risk is rising while the cost of compliance soars. Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with obligations and values. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance management boils down to defining – and maintaining – corporate integrity.

However, compliance is not easy. Organizations are complex and dynamic. The modern organization changes by the minute or even second. The organization can go from a state of compliance to non-compliance in a blink of an eye. Processes change. Technology changes. Employees change. Business relationships change. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

In an ever-changing business environment, how does your organization validate that it is current with its legal, regulatory, policy, and other obligations?

To maintain compliance, an organization must . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CURA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Efficiency & Agility in Accountability Compliance – SMCR, BEAR, SEAR, MIC, GIAC

Accountability is More Than Responsibility

There is a difference between accountability and responsibility. An individual or organization can outsource or delegate responsibilities, but one cannot do so with accountability. To address the breadth of compliance and ethics failures, as well as risk management, in financial services there have been a growing array of accountability regulations sweeping the world.

It all started with the United Kingdom’s Senior Manager Regime & Certification Regime (UK SMCR). This put accountability on senior management functions (SMFs) for failures in risk, compliance, control, and ethics. If there is willful wrongdoing, these SMFs can go to jail. If there is negligence or lack of due diligence in compliance, risk, control, or ethics, these SMFs can be personally fined from their personal bank accounts. This framework has sped around the world in Australia’s Banking Executive Accountability Regulation (BEAR), Ireland’s Senior Executive Accountability Regulation (SEAR), Hong Kong’s Managers in Charge Regulation (MIC), and now the stringent requirements in the Monetary Authority of Singapore’s Guidelines on Individual Accountability and Conduct (GIAC). These regulations have a global impact; I have talked to several financial services firms headquartered in the USA that are struggling with compliance with accountability regulations because they have operations in these countries.

I am a J.R.R. Tolkien fan, so I have characterized accountability regulations as the one ring in Tolkien’s Lord of the Rings. It is the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them. Accountability regulations are the uber regulation that puts the sharp teeth of personal accountability to enforce other regulations and ethical practices. I will be presenting on this in the webinar Escaping the SMCR Quagmire.

There are various stages of compliance. In the context of UK SMCR (noting there are other regimes I have mentioned), solo-regulated firms are just coming into the spotlight. Larger firms have been dealing with this for the past few years, but at various stages. Even these large firms have a looming requirement coming up (postponed by the FCA from December 2020 to March 2021) to communicate conduct rules (which are policies) to all employees (except ancillary staff like receptionists and caterers). This requires communicating one or more policies to every employee and documenting that communication (e.g., attestation). Already these firms have had to document SMFs, certify staff, get approval from regulators, and regularly communicate conduct rules to SMFs and certification staff. Now it extends to all employees (except ancillary staff).

Making Accountability Compliance Efficient, Effective, and Agile

What is becoming apparent is that the ongoing management of accountability regulations, the reporting to regulators, the certification of SMFs, the regular communication of conduct rules with documentation of communication and attestation, the definition and maintenance of accountability and responsibility maps . . . this is not going away. As financial services firms grapple with ongoing and continuous compliance, they are now looking for ways to automate the process.

The approach many firms have taken to accountability regulations is very typical of other regulations, such as when Sarbanes-Oxley first hit us in 2002. For the first year or two, firms use manual processes involving lots of documents, spreadsheets, and emails. Then, as they build their process, address compliance, and realize that this obligation for oversight and reporting is not going away but continuing, they start to look for technology to automate the process and make it more efficient, effective, and agile. The regulators also crack down, because the audit trails (system of record) in manual processes relying on documents, spreadsheets, and emails are weak and not defensible. On top of this, business is changing minute-by-minute and second-by-second. Processes change, management changes, employees change, risk changes, regulations change. This all means that accountability compliance has to be agile in a dynamic, distributed, and disrupted business environment. Manual processes with documents, spreadsheets, and emails are cumbersome, slow the organization down, and certainly are not agile.

Technology for accountability compliance falls into three areas:

  1. Solutions focused on aspects of the regulations. Organizations here look for solutions to manage and automate aspects of the regulation, but not the entire regulation. This is most often a policy management solution to communicate conduct rules and track attestations to those rules, providing a documented system of record of these communications. Think about it: if you are a firm with thousands of employees, then manually communicating, tracking, monitoring, and reporting on the communication of conduct rules becomes very time consuming very quickly.
  2. Solutions for full accountability compliance. These are solutions built for the regulations (e.g., UK SMCR, BEAR, SEAR, MIC, GIAC). The solutions are designed to manage the process of defining senior management/accountable functions, building responsibility/accountability maps, certifying functions and staff, reporting to and interacting with the regulators for approvals of staff, and communicating conduct rules/policies to all employees.
  3. Solutions BECAUSE of accountability compliance. This is the interesting one that has come up a lot this past year. These are not solutions to manage the specific requirements of compliance in the accountability regulation. These are solutions BECAUSE of the regulation. Think about it: if you are an SMF who is personally accountable for an area of ethics, compliance, risk, or control – such as vendor risk, GDPR, or operational resiliency – then you will want to make sure your organization is properly managing this area and will want visibility into it. After all, it is your personal bank account on the line (or possible prison time).

The good news is that technology delivers across these functions. Technology relieves the burden of ongoing compliance monitoring and reporting. It makes accountability compliance efficient through a reduction in human and financial resources, more effective through a strong system of record and audit trail with fewer things slipping through the cracks, and agile to keep compliance current in a dynamic business environment where risks, processes, regulations, and particularly employees such as SMFs are changing constantly. Again, I will be presenting on this in the webinar Escaping the SMCR Quagmire (the details there also apply to BEAR, SEAR, MIC, and GIAC).

How is your organization approaching accountability compliance?

A New Framework for Defining and Approaching Information Governance

Information governance has become a critical objective for organizations. In the context of the pervasive use of information throughout the enterprise, operational reliance on information, and increased regulation and liability around information, organizations are building structured approaches to information governance. This is to ensure the proper collection, use, and control of sensitive information – intellectual property, proprietary information, regulated data, personal information – across the organization. Privacy regulations such as the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR) are making information governance an even greater priority.

Over the years we have seen a lot of definitions for ‘Information Governance.’ From the straightforward, like . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]