Why Policies, and Policy Management, Matters

It is finally here! For the past year, I have been working hard with OCEG on the Policy Management Illustrated eBook. I have spent countless hours behind Adobe Illustrator working on the design, layout, concepts, and process of policy management captured in these illustrations, in collaboration with OCEG and many other firms. Below is my lead article in the eBook (which you can download for free). Please enjoy the illustrations I have labored on in my passion for policy management. I look forward to hearing your thoughts as you go through these.

Michael Rasmussen

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting with the policy of all policies – the code of conduct – they filter down to govern the enterprise at all levels.

GRC, by definition, is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.”

OCEG GRC Capability model

Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization. Without a policy, there are no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of the corporate culture. Without a policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

A policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and non-compliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecutors, and plaintiff attorneys use policy violations and noncompliance to place culpability.

An organization must establish a policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, but it cannot achieve a strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Despite the value of policy, many organizations have:

  • Policies managed in documents and fileshares
  • Reactive and inefficient training programs
  • Policies that do not adhere to a consistent style
  • Rogue and out of date policies
  • Policies without lifecycle management
  • Policies that do not map to exceptions or incidents
  • Policies that fail to cross-reference standards, rules, or regulations

Inevitable Failure of Ad Hoc Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. If policies and training programs don’t conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The haphazard department- and document-centric approaches to policy and training management of the past compound the problem. It is time for organizations to step back and define a cross-functional and coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design, with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization, with real-time information about policy conformance and how it impacts the organization.


Here are some other resources:

OCEG Policy Management Resources

OCEG GRC Resources

Policy Engagement In A COVID & Post-COVID World

The world has changed, business has changed. A worldwide pandemic has caused restructuring of processes, employees, and activities. It has forced organizations to look for agile ways to manage a dynamic business environment.

As organizations went into lockdown and moved employees to a work from home environment they were confronted with issues, such as:

  • Reduced workforce. There were layoffs and restructuring. Business processes and roles had to adapt. Employees needed clear guidance and understanding of what is required of them as they had multiple roles and responsibilities in a different environment.
  • Shifting requirements. Regulations and business strategy changed, impacting the way organizations needed to conduct themselves. Policies changed to meet these requirements and address new risks.
  • Increased risk exposure. The pandemic . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE METACOMPLIANCE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Ensuring Integrity in the Extended Enterprise

The value of a third-party risk management strategy

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define your organization. The modern organization is the extended enterprise: an interconnected maze of relationships and interactions that span traditional business boundaries. These relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships.

The challenge today is that issues of integrity in your extended business relationships are your organization’s issues. You stand in the shoes of your third-party relationships. Third-party integrity problems are the organization’s integrity problems and directly impact the brand, as well as reputation while increasing exposure to risk and compliance matters. Compliance and ethics challenges do not stop at organizational boundaries.

An organization can face reputation and economic disaster by establishing or maintaining the wrong third-party relationships, or by allowing good business relationships to sour because of weak governance of the relationship. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third-party partners behave appropriately.

Third party risk management challenges

Maintaining integrity across the extended enterprise is challenging, as your organization faces . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Rethinking Risk Management RFP Requirements

Risk management is a hot topic and focus within organizations. We are surrounded with acronyms of GRC (governance, risk management, and compliance), ERM (enterprise risk management), ORM (operational risk management), and now IRM (Gartner’s integrated risk management). We hear other terms like operational resilience, strategic risk management, and more.

Risk management strategies (pick your favorite acronym or buzzword) lead to RFPs for technology to support the risk management strategy and processes. HOWEVER, not all risk technology is created equally. Organizations need to get beyond the marketing hype of buzzwords and misleading analyst rankings to really understand if the technology can deliver on the requirements of their risk management maturity journey. This involves a clear understanding of where you are now with risk management and where you want to be. The current pandemic is demanding attention to this, which I also wrote about before the pandemic.

The problem with many risk management programs is that they struggle with documents, spreadsheets, and emails. I talked to one organization that was spending over 200 hours to build a report for the board of directors because it required them to go through hundreds to thousands of documents, spreadsheets, and emails to aggregate and report on risks and risk events. In an RFP I advised on for a mid-sized bank, an internal study found that 80% of their risk management resources were nothing more than document/data reconcilers and aggregators, and only 20% of the time was spent managing risk; they wanted to change that with a solution, and did. This recent BBC article caught my attention regarding the limitations and risk exposure of using spreadsheets: Excel: Why using Microsoft’s tool caused Covid-19 results to be lost.

So organizations look for risk management solutions and get sucked in by marketing and sales hyperbole. There are basic risk management solutions that do ease the pain of human capital efficiency (e.g., time) in not having to manage documents, spreadsheets, and emails. But these are basic and typically aimed at tick-box exercises for risk management that are more of a qualitative compliance exercise and not true risk management. Mature and valuable risk management is more than forms, surveys, workflow, and tasks; it requires risk quantification, modeling, analytics, and reporting that is aligned with business objectives and in the context of business objectives. It requires seeing the complex interrelationships and interdependencies of risk. The market is at an interesting time right now as older solutions rearchitect to meet the demands of Agile GRC 4.0, while newer solutions are already there.

My question to you: Can the risk management technology you have (or are considering) truly deliver on the needs and concerns of risk management?

There was a ton of interest in my recent article on the Role of Business Process Modeling in GRC Requirements. This week I turn my attention to risk management requirements. In 2020 I have interacted on several RFPs for enterprise and operational risk management solutions and engaged to advise on several more as we enter 2021. In addition to these formal engagements, I answer inquiry questions from organizations looking at solutions throughout every week. I am seeing a lot of activity for risk management in North America, Europe, the Middle East, and Australia right now.

In these interactions, I have found that the following requirements/functional areas for GRC, ERM, ORM, IRM RFPs are core to maturing a risk management function within an organization. If you want to build a true risk management program that goes beyond tick-box compliance exercises, then you should strongly consider:

  • Performance/Objective-View of Risk. This is where risk management should start. ISO 31000 states that ‘risk is the effect of uncertainty on OBJECTIVES.’ So good risk management STARTS with performance and objective management. These can be entity-level, division, department, process, project, or even asset-level objectives. Risk needs to be understood in the context of objectives. I recently finished advising on an RFP for a global European firm where this became the deciding factor in their choice of a solution, and I am starting another RFP that is centered on this. It comes up regularly, but in these two situations, it was table stakes.
  • Front Office Engagement. Organizations desire the depth and breadth of capabilities and complexity of risk analytics for the back-office (2nd and 3rd line) risk functions for risk modeling, analysis, mapping, and monitoring. But I am seeing increased requirements for front-office (1st line) engagement on risk ownership, accountability, and reporting. The interfaces for back-office and front-office are not the same and need to be very role/context-specific so they do not overwhelm front-office operations. I am interacting with a financial services firm right now looking specifically for this dichotomy of simple and intuitive front-office engagement on risk with the depth and analytics for the back-office.
  • Risk Interrelationships. Risks cannot be understood and managed in isolation. I wrote about this last year in my article in Enterprise Risk magazine. 2020 proves this point with COVID-19: what is a health and safety risk also has an interrelated impact on performance, resiliency, third-party/supply-chain, IT security, human resources, fraud & corruption, and even social accountability and human rights risks. Organizations need to be able to map and understand risk relationships and interrelationships/dependencies. Measuring a risk exposure also requires understanding the exposures and impacts of related risks.
  • Risk Aggregation & Normalization. This is a critical factor, particularly for large organizations. One department’s high risk might be another department’s low risk in quantifiable exposure. Departments, projects, and functions want a legitimate view of risk at their operational level. Within their view of the world, they need to know what is high risk and what is low risk. But as this gets rolled into enterprise risk reporting, they need strong risk normalization and aggregation that is meaningful. This is one key requirement I am seeing in Germany in the context of the IDW PS 340 audit standard driving enterprise risk reporting. I had a corporate secretary for a global brand on a panel I was moderating at a conference who stated their board of directors never wants to see a heatmap from their leading IRM solution ever again because it lacked risk normalization and aggregation (don’t get me started on the issues of heatmaps, that is another blog in itself).
  • Risk Frequency & Distribution. I am seeing more and more risk management programs mature to want risk frequency and distribution models, like Monte Carlo simulations. An immature approach to risk might plot risk as a point on a heat map (which has many issues), but real risk has a range of scenarios, frequencies, and impacts that need more complex modeling to analyze and understand. Organizations are looking for more advanced ways to do risk quantification and modeling. Monte Carlo simulations, Bayesian modeling, and more are becoming more frequent in RFPs.
  • Risk Visualization. There is a growing demand for greater risk visualization and analytic techniques. Organizations want fresh and modern user interfaces (UX). I am seeing an increased demand for bow-tie risk analysis across industries. RISK VISUALIZATION IS MUCH MORE THAN HEATMAPS!!! This also ties back into the point above on risk interrelationships as well as risk quantification and using risk visualization to communicate and analyze.
  • Cost of Ownership. Organizations are looking for Agile GRC 4.0 solutions that deliver in rapid timeframes and bring value to the organization. They are tired of dated solutions (10- to 20-year-old code) that take a year or more to roll out. For example, I am interacting with one organization looking to replace a Gartner IRM Leader that they purchased 3 years ago and still have no users on the platform. Modern solutions should be agile and have a low cost of ownership to implement and maintain.

Can your risk management technology deliver on these broader risk management capabilities? These are just some buckets of functionality that I get much more specific with in my risk management RFP requirements library.

What do you see as critical in technology to deliver on maturing your risk management strategy?

ENGAGING GRC TO THE FRONT-OFFICE, AND NOT JUST BACK-OFFICE FUNCTIONS

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.

E. F. Schumacher

Governance, risk management, and compliance (GRC) is as much or more the responsibility of the front-office (1st line employees and management) as it is the back-office (2nd and 3rd line risk, compliance, security, control, and audit functions).

Think about it . . . risk, compliance, and control decisions are being made every day by the front lines of the organization. The doctor or nurse in the hospital is making patient privacy and safety decisions; the teller at the bank is making decisions on fraud, customer privacy, security, and money laundering; the miner in the coal mine is making environmental and health and safety decisions.

Risk exposure is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE 360inControl BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Role of Business Process Modeling in GRC Requirements

Over the course of a year, I interact and advise on a lot of GRC-related RFPs/RFIs. Some of these are for Enterprise GRC Platforms; most are in specific domains of GRC such as operational risk management, IT risk management, compliance management, audit management and analytics, policy management, third-party management, and more. Something I added to my RFP requirements back in 2005 is the criterion of whether the solution supports business process modeling (BPM) natively in the application.

I saw this as an important requirement fifteen years back, but it only seems to have become mainstream over the past few years. In an increasing number of RFPs, as well as among organizations purchasing a solution without an RFP, I am seeing the capability to support BPM natively in the GRC solution as a key requirement. Organizations are tired of using separate solutions like Visio to document process flows and attach them as evidence and documentation for risks, compliance, and controls. Today, organizations want to be able to do business process modeling within the GRC solution (whether for broad enterprise GRC or a specific area of GRC like GDPR or internal control management). They want to be able to identify risk and control areas visually on these process flows and even use them as dashboards to see how processes are functioning to reliably achieve objectives, address uncertainty, and act with integrity (the OCEG GRC definition).

Consider that organizations are facing a range of requirements that call for business process and data flow modeling in the context of GRC. These include:

  • Privacy (GDPR & CCPA) Requirements. The foundational step to privacy compliance is documenting how personal information is collected, used, processed, shared, and even destroyed in the organization. This involves data process flow diagrams of how personal information is collected and flows through organizational processes. Organizations want to be able to document the data flows of personal information and highlight where risks and controls are, and even use process flow diagrams as dashboards to show where they are having privacy issues and where those issues are occurring in business processes.
  • Accountability Regulations – UK SMCR, Australia BEAR, Ireland SEAR, HK MIC, Singapore MAS. There is a growing array of accountability regulations that make senior management functions (SMFs) personally liable for lack of due diligence, negligence, or willful wrongdoing in risk and compliance contexts. These roles can be personally fined or go to jail. Compliance starts with accountability maps that map SMFs to accountability and responsibility structures and their associated processes. Organizations need business process modeling to map risk, compliance, and control accountabilities to SMFs, and to use these for regulatory reporting as well as dashboards and executive communication.
  • Operational Resiliency & Business Continuity. The key to business continuity, and now the greater need for operational resiliency, is to map business process flows and services to clearly document how this works. When a disaster happens, there needs to be process maps to show how business process flows and services are adjusted in different scenarios to maintain continuity and resiliency and recover the organization. BPM is foundational, from my point of view, in addressing the Operational Resiliency requirements coming from the UK FCA, PRA, and Bank of England.
  • Sarbanes-Oxley & Internal Control Management. Over the past several years the Public Company Accounting Oversight Board (PCAOB) has been putting pressure on external auditors to require business process diagrams from their clients for SOX compliance, in addition to the lengthy written control narratives. Increasingly, organizations are looking for their internal control management solutions to be able to diagram business processes – such as accounts payable, accounts receivable, procurement – and document risk and control points in these processes visually. This is another ideal area to use process diagrams as dashboards to demonstrate how these processes are functioning to reliably achieve objectives while addressing uncertainty and acting with integrity, and to light up where controls are failing and issues are happening.

These are just some examples of many for the critical role of BPM in GRC related solutions. The key question for you . . . is your GRC solution supporting BPM natively in the application?

What Else are Organizations Looking for In GRC Solutions?

Wading through the onslaught of recent inquiries, research interactions, as well as the RFPs/RFIs I have interacted on this past year . . . here are the top things I am finding that organizations are looking for in next-generation solutions across segments of the GRC market. Across these interactions, I am getting regular references to my blog on Agile GRC 4.0.

  • User Experience. This is the number one criterion. Organizations want a modern user experience that incorporates the latest in UX design and interaction. One recent RFP for risk management that I advised on (for a global firm) made this the deciding factor. Several were weeded out early on because of dated user experiences and it came down to two. The one they chose had a superior and more modern user experience over the other.
  • Value, Business Case, Cost of Ownership. This is up there right with user experience. Orgs want a clear and compelling business case of value and business justification. Not just acquisition costs but ongoing costs of management, maintenance, configuration, and upgrades. Too many have had horrible experiences with older solutions that take months to years to roll out. One organization now formulating an RFP for risk management bought a solution three years back, spent these years building it out, and today has 0 users on it; it is now looking for something more agile.
  • Front Office, Not Just Back Office. With more and more risk, compliance, and control focus being put on the 1st line (front office) and not just the 2nd and 3rd lines (back-office risk/compliance functions), organizations want simple, intuitive interfaces and experiences to engage front-office personnel. They still want the depth of analytics and analysis for back-office functions, but they want a streamlined, contextually relevant view to engage the front office in GRC areas.
  • Configurable and Agile. Orgs want solutions that are no code and highly configurable that do not break on upgrades (or cost just as much to upgrade as a whole new solution). This includes the ability to easily integrate with other business systems.
  • Modern & New Solutions. This one is a little challenging. I have encountered three RFPs in multi-national organizations where the first criterion is that they were not going to invite anyone that is in the Leaders quadrant of Gartner (and to a degree Forrester), as they have had bad experiences with these solutions. They only wanted to evaluate solutions that have a modern code-base and architecture. The downside to this is that some newer solutions may not have the depth of features and analytics. But the issue is bad experiences, failed projects, and the cost of ownership of legacy solutions.
  • Understanding. The other interesting thing that has caught my attention is the evaluation of the domain knowledge and understanding behind the solutions. I have seen solutions win because they have stronger engagement and thought leadership (e.g., blogs, white papers, webinars) over comparable solutions in the market. Buyers are becoming very sensitive to knowing that they are engaging a firm that truly understands their challenges and can speak to them in context.

What are you seeing as critical criteria for GRC solutions in your organization?

Next-Generation Policy Management: Collaborative Accountability

Policy management is a critical issue for organizations across industries, geographies, and sizes. In a time of chaos and change, organizations must gain an enterprise-wide perspective and control of what policies they have and how they are communicated.

In 2020, I am finding organizations have realized what a mess policies are in their environment. They are out of date, scattered on different portals, sites, and file shares. Policies are in different templates with different writing styles. Most organizations could not even produce a list of all the official policies in their organization. In a time of crisis and change, organizations are scrambling to provide consistent policies in a single portal that reflects the brand and reinforces the culture of the organization. A culture needs policies that assure individuals that the company is in control and that they are part of a broader organization, whether working from home or an office.

One of the key elements I see in RFPs and inquiries for policy management software, particularly among large global organizations, is the need for collaborative accountability in policy authoring, approvals, and maintenance. Let’s break this apart into the two components:

  1. Collaborative. Policy management needs to be collaborative. Multiple authors and subject matter experts provide input into policies and the various regional/jurisdictional impacts of policies. Organizations want a collaborative policy authoring environment where multiple people can be working on the same policy at the same time. I can be writing the new conduct policy here in the USA, someone else can be making edits, contributions, and comments in Singapore, and someone else can in London . . . all at the same time. What no longer works for organizations is document check-in and check-out where new or updated policies take 6 months to write and get approved. In a time of continuous business, risk, and regulatory change, this needs to be brought down to a few weeks to keep the organization agile, in control, and out of the hot waters of regulatory and legal actions. One business case I was recently advising on found that one recent policy went through 70 different reviewers, subject matter experts, and approvers. This took months and months to complete in a linear document check-in and check-out approach. Their business case is to collapse this to weeks with a collaborative approach where everyone can access, comment on, and edit the policy simultaneously.
  2. Accountability. Policy management needs accountability. There needs to be a complete system of record and audit trail on who did what and when to a policy. Not at the document level, but down to the section, paragraph, clause, or even word level. Full traceability of who authored, who edited, and what was modified. This is supported by workflow and tasks at that same section or clause level, not just the document level. Perhaps I am the primary policy author of the new anti-money laundering policy. But I want to assign a task and action item to someone in Australia to review a specific wording and paragraph to ensure it meets local regulatory requirements there. I need to assign that task not just to the document, but to the exact portion of the policy I need them to look at and approve. There needs to be full accountability and traceability of policy authoring, edits, comments, and actions.

Collaboration and accountability in policy management go hand in hand. They form a symbiotic relationship in which each supports the other. Greater collaboration requires greater accountability.

This is causing a lot of change in the policy management technology world. Many older legacy solutions allow you only to attach policy documents. Some allow for a policy authoring environment but limit you to a linear approach with document check-in and check-out that takes months to write or update a policy. Newer solutions enable collaborative accountability authoring environments that bring policy development from several months to less than a month. Collaborative accountability delivers greater efficiency (e.g., time), effectiveness, and agility to policy management.

However, the handful of solutions that are offering collaborative accountability are not all created equal. Some do this natively with the most robust features and value. Others are parading an integration with other platforms such as Office365 or GoogleDocs that limit the collaborative accountability benefits, particularly as they are not purpose-built for policy management.

Some important things to consider are:

  • Policy-specific workflows and tasks. You want a solution that automates notifications that engage stakeholders to perform required tasks, actions, reviews, edits, comments, contributions, and approvals at the actual section, paragraph, or clause level. It should point them to where they need to focus in the document, with audit trails down to that level.
  • Full audit and versioning. You want to see all collaboration across the entire history of versions of the same document, down to that section and clause level. Some jury-rigged solutions that integrate with Office365 do not give you full visibility into the audit trail unless you download a local copy to your locally installed software, causing issues.
  • Gap analysis. You want to ensure that the entire organization has a full view of policies and evidence of policies for compliance to provide assurances that policies are sufficient, non-contradicting, and integrate and are mapped to processes.
  • Mapping. Part of this requires that the organization can map documents and even sections/clauses of policies to other policies as well as to regulations. When one changes, it can trigger changes and review in related items.
  • Master language. You also should look for the capability to define master language elements, so that if you edit a clause in one policy, the change is reflected in other documents that reference or use that same language. Consider a Code of Conduct. You may have a statement on discrimination/racism that appears in the Code of Conduct, and if you change it you want that language changed in any associated policies that use it, such as the discrimination policy itself, as well as procedures, manuals, and the like.
  • Security. Another important consideration is the security of your environment. One global firm that I helped with their RFP left a solution leveraging Office365/SharePoint after they found security bugs in its integration with the policy management software that exposed their data and users.

These are some considerations among many features and requirements I am advising on in enterprise policy management RFPs. I will be talking in detail about these and other elements of policy and compliance management in these upcoming webinars:

October 6 @ 10:00 am – 11:00 am CDT  – THE FUTURE OF COMPLIANCE IS DIGITAL, CONNECTED & AUTOMATED

  • Industry experts come together online for a 30-minute discussion on the future of compliance. Between March and April 2020, businesses had 3,000 regulatory updates to deal with. But the compliance workload was huge even before the Covid-19 pandemic. In 2019, businesses received 200 regulatory updates a day, compared to just 10 a day in 2004. […]

October 15 @ 10:00 am – 11:00 am CDT – DOJ GUIDANCE AND THE COMPELLING NEED FOR AN INTEGRATED COMPLIANCE PROGRAM

  • Compliance and ethics programs are rapidly evolving. Organizations are required to have a structured and functional compliance and ethics program that monitors compliance continuously in the context of operations, transactions, and people. A program that is no longer bound by manual processes and point in time evaluations, but one that is built on a common strategy, […]

Managing Integrity Through GRC Engagement of Employees

Organizations are caught in a swirling vortex of uncertainty in risk and compliance as they strive to be bastions of integrity in the center of chaos. In the midst of a global pandemic, economic uncertainty, racial justice tensions, and employee concerns, organizations are trying to hold fast to, as well as enhance, their corporate culture. They seek to achieve corporate integrity by fostering a culture of accountability, social responsibility, and employee engagement with values, from the top of the organization hierarchy down into the front lines of the organization.

“We are what we repeatedly do. Excellence then, is not an act, but a habit.” (Aristotle)

Integrity itself is not something that is written on paper, but something that is lived and breathed in the organization.

Integrity is a mirror reflecting what the organization truly is. Does the mirror show an organization that . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

How to Tie a Compliance & Ethics Bow Tie

Compliance and ethics are a growing challenge and concern in organizations.

Faced with increasing regulatory change, enforcement actions, audits and exams, and liability and exposure, compliance and ethics is evolving and maturing. Compliance and ethics is moving from the stigma of being ‘the corporate cop’ to being the bastion of the integrity of the organization as it aims to guide culture and conduct in the context of its obligations and values. I have stated for fifteen years that the Chief Compliance Officer (CCO)/Chief Ethics & Compliance Officer (CECO) is really the Chief Integrity Officer of the organization.

Compliance and ethics is becoming more established as its own function, with its own budget, and direct reporting to senior executives and boards of directors. In many organizations across industries, compliance and ethics is being moved out of the bowels of the legal department to operate independently, but collaboratively, with legal.

As part of this process of growing and maturing, we are seeing an increased focus on what constitutes an effective compliance and ethics program. One element that is getting a lot of attention, but also produces a lot of confusion, is the requirement to take a risk-based approach to compliance and ethics. Most compliance professionals have a history of focusing on check-lists and requirements and are unfamiliar with how to do a risk assessment.

Consider the following . . .

  • Principles/Outcome-Based Regulation. What started years ago in the UK FSA moved to the EU with its Better Regulation policy, striving for principle/outcome-based regulation: an approach that focuses not on prescriptive checklists of requirements but on outcomes. The way one organization approaches compliance may differ from another, but it is the outcome that matters. This requires a risk-based approach to compliance, to identify, analyze, and manage the compliance risk.
  • ISO 19600:2014 – Compliance Management Systems. The international standard for compliance takes a risk-based approach to compliance and requires a compliance risk assessment to identify, analyze, evaluate, and treat compliance risks.
  • U.S.S.C. Sentencing of Organizations. The United States Sentencing Commission in their Organizational Sentencing guidelines lays out the elements of an effective compliance program for courts to use to measure the culpability and therefore penalties on an organization. It requires that “the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.”
  • U.S. DoJ Evaluation of Compliance Programs. The most recent update to the U.S. Department of Justice guidance on the Evaluation of Compliance Programs keeps a risk-based approach to compliance front and center. Risk is mentioned 53 times in this guidance. Specifically, “Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?”

In my Compliance Management by Design Workshops as well as inquiries, I am frequently asked by compliance and ethics professionals how they should manage and assess risk. Most of these professionals have a legal background and have not been trained in how to do a risk assessment. My recommendation, and an exercise I work on with attendees in workshops, is to do a bow-tie risk assessment.

I love bow-ties: both the kind you wear and the ones you use to assess risk. When most people think of risk management they think of numbers and complex models, and those are good and important. Myself, I am a visual person. My father was an accountant, my brother is an accountant, I went to law school. I like words and pictures over math. A bow-tie risk assessment provides a visual picture and assessment of risk that helps organizations think outside the box and engages both the left and right brain. I am not downplaying the numbers side; that is still important, and bow-ties can and do tie in the quantified analysis.

A bow-tie risk assessment gets its name as it takes the shape of a bow-tie:

  • The knot is the risk. The center of the bow tie is the knot, which is the risk you are evaluating. From a compliance and ethics point of view, this can be many things, so before you do a bow-tie you have to identify your risks (knots) that need to be evaluated. You can have separate knots for bribery/corruption, fraud, anti-trust, harassment, discrimination, privacy, money-laundering, and many more. The knot can be very specific, if you would like, such as the risk of bribery/corruption in a specific project or geography, or it can be more general.
  • The left side of the tie is the source of the risk. Stemming off of the knot to the left, you focus on the source of the risk, or the causes. What can cause bribery/corruption? What could cause harassment/discrimination? You label each cause and connect it to the knot (risk). Then you identify preventive and detective controls to place between the cause and the knot that mitigate the exposure from that event happening.
  • The right side of the tie is the consequences of the risk. On this side, you identify the consequences/outcomes of an actual event happening. These can be regulatory fines, civil action, brand/reputation damage, loss of revenue, loss of employees, morale, and more. After identifying the consequences, you then place detective and responsive controls between the knot and each consequence to mitigate the damage and exposure from that outcome.
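The bow-tie shape above maps directly onto a small data structure: a knot with a list of causes on the left, each with its controls, and a list of consequences on the right, each with its controls. Once it is in that form, the two questions a practitioner asks first (which causes have no preventive control at all, and which consequences have no responsive control) become a mechanical gap check, and a simple quantification can be attached. The following is an added example, not code from the article or from any risk assessment tool the author covers; the bribery/corruption knot, its causes, consequences and control effectiveness figures are constructed, and the quantification (each preventive control multiplicatively reduces a cause's likelihood, causes are treated as independent, detective controls do not reduce the chance of the event occurring) is an assumption layered onto the bow-tie, not the author's method.

```python
"""Bow-tie risk assessment as a data structure with gap checks.

Added example; it is not code from the article or from any risk tool the
author covers. The bribery/corruption knot, causes, consequences and control
effectiveness figures are constructed, and the quantification (preventive
controls reduce a cause's likelihood multiplicatively, causes independent)
is an assumption layered on the bow-tie shape, not the author's method.
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class Control:
    name: str
    kind: str                   # "preventive", "detective" or "responsive"
    effectiveness: float = 0.0  # assumed share of events stopped, 0..1 (used for preventive only)


@dataclass
class Cause:                    # left side of the tie
    name: str
    likelihood: float           # assumed chance this cause produces the event, 0..1
    controls: list[Control] = field(default_factory=list)


@dataclass
class Consequence:              # right side of the tie
    name: str
    controls: list[Control] = field(default_factory=list)


@dataclass
class BowTie:
    risk: str                   # the knot
    causes: list[Cause] = field(default_factory=list)
    consequences: list[Consequence] = field(default_factory=list)

    def residual_likelihood(self, cause: Cause) -> float:
        """Likelihood left after preventive controls. Detective controls find the
        event after the fact and do not stop it, so they are not counted here."""
        preventive = [c.effectiveness for c in cause.controls if c.kind == "preventive"]
        return cause.likelihood * prod(1.0 - e for e in preventive)

    def event_likelihood(self) -> float:
        """Chance the knot event occurs through at least one cause (independent causes)."""
        return 1.0 - prod(1.0 - self.residual_likelihood(c) for c in self.causes)

    def gaps(self) -> list[str]:
        """Causes with no preventive control and consequences with no responsive control."""
        found: list[str] = []
        for cause in self.causes:
            if not any(c.kind == "preventive" for c in cause.controls):
                found.append(f"cause '{cause.name}' has no preventive control")
        for cons in self.consequences:
            if not any(c.kind == "responsive" for c in cons.controls):
                found.append(f"consequence '{cons.name}' has no responsive control")
        return found


def build_bribery_bow_tie() -> BowTie:
    """Constructed sample knot: bribery/corruption in one high-risk geography."""
    return BowTie(
        risk="Bribery/corruption in a high-risk geography",
        causes=[
            Cause("Third-party agents paying officials", 0.3, [
                Control("Agent due diligence and approval", "preventive", 0.6),
                Control("Payment pattern monitoring", "detective", 0.3),
            ]),
            Cause("Gifts and hospitality to officials", 0.2, [
                Control("Gift register with pre-approval", "preventive", 0.5),
            ]),
            Cause("Facilitation payments by field staff", 0.1, [
                Control("Expense audit sampling", "detective", 0.4),   # detective only: a gap
            ]),
        ],
        consequences=[
            Consequence("Regulatory fines", [Control("Self-disclosure protocol", "responsive")]),
            Consequence("Brand/reputation damage", [Control("Crisis communications plan", "responsive")]),
            Consequence("Loss of revenue", []),                          # no responsive control: a gap
        ],
    )


if __name__ == "__main__":
    tie = build_bribery_bow_tie()
    print("knot:", tie.risk)
    for cause in tie.causes:
        print(f"  {cause.name}: residual likelihood {tie.residual_likelihood(cause):.3f}")
    print(f"event likelihood: {tie.event_likelihood():.4f}")
    for gap in tie.gaps():
        print("GAP:", gap)
```

With the constructed figures the first cause drops from 0.3 to 0.12 after its preventive control, the third cause stays at 0.1 because its only control is detective, and the gap check names that cause and the uncontrolled "Loss of revenue" consequence; those are the two spots on the drawing where a workshop group would add controls next.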

There is a lot more detail I can go into here on how to do this, but it would go beyond the length of a blog to fully summarize. I am delighted to interact and discuss the benefits and use of bow-tie risk assessments. There are a range of technology solutions I cover in the market as part of my research and analysis that facilitate this format and approach to risk assessment.

Agile and Integrated Compliance: Managing Compliance in Dynamic Business

Compliance is Not Easy

Organizations across industries have global clients, partners, and business operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants, and staffing) their compliance risk profile grows exponentially.

The dynamic and global nature of business is challenging for managing compliance. Compliance activities managed in silos often lead to the inevitable failure of an organization’s compliance program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its environment.

Compliance obligations and ethical risk is like the hydra in mythology—organizations combat . . .

[the rest of this blog can be found on the CURA website where GRC 20/20’s Michael Rasmussen is a guest author]