Delivering ESG in GRC

ESG – Environmental, Social & Governance – is all the rage and a buzzword with investors, regulators, lawmakers, and citizen activists. Pressure is mounting from multiple fronts for organizations to implement ESG reporting. In one respect, this is an evolution of the sustainability and corporate social responsibility (CSR) efforts of the past. However, ESG is broader and has more momentum. Where CSR and sustainability were too often (but not always) pushed from a marketing perspective, ESG has the momentum and force to become a significant measurement of the integrity of the organization: integrity in the sense that what the organization commits to in its values is a reality throughout the organization and the extended enterprise.

In a previous blog, Tale of Two Futures: Blade Runner or Star Trek?, I pointed out that a lot of GRC (Governance, Risk management, and Compliance) and ERM (Enterprise Risk Management) programs in organizations are unbalanced and do not reflect reality. If you look at these programs, you would think the predominant risk to organizations was IT security risk. That is a significant risk, but I pointed out in the article that environmental risks and health and safety risks were often buried in other departments and not part of the broader ERM and GRC programs, and that this has to be corrected. That blog was published a few months before COVID-19 hit the world and validated my point. Organizations need to restructure their approach to GRC (and its components of governance, risk management, and compliance) to embrace and deliver on ESG monitoring and reporting.

One thing to note: ESG is more than the E (environmental). Too often I see organizations fixate on that leading E and perceive ESG as being just about environmental values and climate change. It is so much more than this. The S (social) and the G (governance) are just as important as the E in ESG. Let’s unpack this. There are many standards and various definitions for ESG, but we can put a comprehensive view together . . .

  • E = Environmental. Measures and reports on the values and commitment of the organization to stewardship of the natural world and environment. It includes reporting and monitoring of the organization’s environmental initiatives for climate change, waste management, pollution, resource use and depletion, greenhouse gasses, and such.
  • S = Social. Measures and reports on the values and commitments of the organization and how the company treats people. This includes employee and customer/partner relations, human rights (e.g., anti-slavery), diversity and inclusion, anti-harassment and discrimination, the privacy of individuals (both employees and others), working conditions and labor standards (e.g., child labor, forced labor, health and safety), and how the company participates in and gives back to society and the communities it operates within.
  • G = Governance. Measures and reports on the culture and behaviors of the organization in the context of, and in alignment with, its values and commitments. This includes finance and tax strategies, whistleblower programs and the reporting of issues, resiliency, anti-bribery and corruption, security, board/executive diversity and structure, and overall transparency and accountability.

ESG crosses business boundaries. The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is a web of third-party relationships: vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, intermediaries, agents, partners, and more. To truly deliver on ESG requires monitoring and managing the shared values and integrity throughout the extended enterprise of the organization. Legislation and regulation are focused on this, such as the European Union’s Directive on Corporate Due Diligence and Accountability with Germany’s corresponding Due Diligence Act (to name one of many).

THE CHALLENGE: Delivering 360° Situational Awareness of ESG

I am getting a lot of inquiries from organizations looking to integrate and automate their ESG and GRC programs, delivering ESG reporting through their GRC strategy, process, and technology.

The official definition of GRC, found in the OCEG GRC Capability Model, is that GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. These are all the effective elements needed to deliver on ESG monitoring and reporting. It starts with governance and setting the objectives of the organization so that they are aligned with the values and commitments delivered in ESG statements. From there, the organization needs to monitor uncertainty to those objectives and ensure that it is acting with integrity to meet these objectives and commitments/values.

However, the technology environment to accomplish this is fragmented. I am getting inquiries from confused organizations that want clarity on who delivers the breadth of true GRC that would include the aspects of ESG. On one side you have the platforms that Forrester and Gartner cover in their corresponding Waves and Magic Quadrants. These solutions are more focused on the G in ESG and some aspects of the S, with a predominant focus on information security. Then you have the solutions covered in the Verdantix Operational Risk Green Quadrant, which is a completely different set of solutions, and these focus more on the E and the other part of the S in ESG. I have been in RFPs where the organization wants a single integrated solution to manage GRC, ERM, ESG, and EH&S in one platform . . . only to find they have to go with best-of-breed solutions.

The next-generation GRC platform that is going to lead the future is going to bring these worlds together. There will always be best-of-breed specialty risk systems that are integrated into the broader GRC architecture, but organizations need a complete platform that can deliver 360° situational awareness across GRC areas, including environmental and health and safety risks, and deliver on full ESG monitoring and reporting. The race is on, and organizations are looking now.

The Agile (Not Just Resilient) Organization

Agility is a thing of beauty. I love watching acts of agility. Take parkour, for example: how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing. A few years back I was doing a lot of Spartan races. For me, that was not agility but more an awkward ox doing obstacles, but for others it was amazing what they could do in the environment given to them.

When I think of agility, my mind immediately goes to Legolas, the elf, in Lord of the Rings. Though I prefer the books, the films were amazing, and the agility of Legolas in the midst of battle was amazing. He can move about the threats and enemies around him and seize opportunities for victory. Gimli, the dwarf, in Lord of the Rings is the embodiment of resiliency. He is built like a tank and simply can withstand the beating and hits as he pummels forward to victory.

There is a lot of focus right now on business and operational resiliency. Resiliency is the capacity to recover quickly from difficulties/events; the ability of a business to spring back into shape after an event. This is very critical, and I see a lot of organizations moving to bring together operational risk management and business continuity management into what is now defined as an operational risk and resiliency program. Business continuity management as a separate function in the organization is a thing of the past, and over the next two to three years we will see a mass migration to an integrated operational risk and resiliency program.

However, there is more that needs to happen. Organizations also need to be agile. Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. Good risk management clearly understands the objectives of the organization, its performance goals, and its strategy, and continuously monitors the environment for 360° situational awareness in order to be agile. It sees both opportunities and threats so the organization can think and understand quickly and be prepared to move, navigating to seize opportunities while avoiding threats/exposures to the organization and its objectives. It reminds me of a blog I wrote 11 years back, Everything I Need to Know About Risk Management I Learned in Drivers Education, on the IPDE Model (Interpret, Predict, Decide, Execute). Looking back on this, I would add more emphasis on IPDE for opportunities.

In a blog last month, What is Business and Operational Resiliency?, I reviewed the financial services definitions of operational resiliency from the United Kingdom, European Union, United States, and the Basel Committee on Banking Supervision. In that article, I explained how the United Kingdom’s FCA definition of operational resiliency was superior to the others, particularly because it was the one that is proactive, as it discusses the ability to prevent events. The other definitions were very reactive, as their focus is all on the ability to recover from an event. The FCA definition has an element of agility that goes beyond resiliency.

But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just the avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be both agile and resilient. Risk management needs to be an integrated part of performance, objective, and strategy management to achieve this capability and enable situational awareness for the organization, so it can seize on opportunity as well as avoid exposures and threats.

So today’s modern organization needs enterprise risk and agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between enterprise risk and agility and operational risk and resiliency that organizations need to develop in today’s dynamic, distributed, and disrupted business environment. This is all how GRC – governance, risk management, and compliance – has been officially defined for over 15 years in the OCEG view of Principled Performance and the GRC Capability Model: a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].

A CECO SWOT Analysis for 2021: Understanding Your Threats

We are at the final stage in working through a CECO SWOT Analysis to help CECOs develop their strategy in 2021 and into the future. Over the past few weeks, we looked at the STRENGTHS, WEAKNESSES, and OPPORTUNITIES of the typical CECO; this week we turn to the THREATS.

As you look to build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and program, and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. To achieve your strategy, it is critical to know the threats that can derail you as you strive to build the culture and integrity of the organization through a compliance and ethics management strategy.

The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future. Here are some threats that can derail the CECO’s strategy if they are left unaddressed:

  • Third party risk and compliance in which . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Principles of Effective Policy Management

Last week we looked at Why Policies Matter from the newly published Policy Management Capability Model that I developed with OCEG for PolicyManagementPro.com. This week we turn our attention to the principles of policy management for those seeking training and certification as a Certified Policy Management Professional (CPMP) . . .

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles. There are both universal principles and organization-specific principles established to support the policy management capability. Universal principles for policy management are:

  • Necessary – Effective policy management is necessary to enable governance, risk management, and compliance at every level of the organization. Without policy management led and supported by senior management, it is difficult to have policies that consistently define organizational goals and values, define the risks that must be addressed, and provide a roadmap to adherence.
  • Tailored – The policy management capability must be designed to fit the business context, objectives, values, and strategies. There is no one size fits all structure for policy management. It needs to be aligned with the risk appetite and operational model of the organization. 
  • Integrated – Policy management should be integrated into business operations. While centralized oversight and design of policy management are important, without acceptance of the defined approach and assignment of policy responsibilities within the affected operations, the system will be ineffective.
  • People-Centered – At its heart, policy management is people-centered, from employees to clients and even third-party relationships. It is significantly influenced by human conduct and culture – it cannot be automated away. Subject matter experts must develop policies that support the governance, risk concerns, and compliance requirements of the organization, and the audiences for policies must understand and apply them. The ecosystem of individuals impacted by policies must be able to provide input into policies.
  • High-Performing – The capability must be designed to fit the organization and its objectives. It must be supported by resources to ensure high performance and embedding of policies into the culture of the organization. Policy management needs to be effective, resilient, efficient, and agile in the organization. 
  • Standardized – Both policies and the procedures for developing, distributing, and enforcing them should be standardized. Having a consistent approach is key to enhancing understanding and developing an audit trail for the defense of the organization.
  • Collaborative – Good policy management involves coordination and collaboration across a range of departments and roles in the organization. It is necessary to engage and collaborate on policy management as well as on individual policy authoring.
  • Accessible – Policies, and therefore policy management, need to be accessible at all levels of the organization. At any point in time, the organization should have a complete view of what the official policies are. Employees should be able to readily find policies and interact with them. 
  • Engaging – Policies need to be clearly written and understood. This requires policy management processes that conform to consistent writing style and language as well as communication strategies to engage employees.
  • Dynamic – The policy management capability must be designed for continual improvement and adjustment as the business objectives and model, operations, and risk profiles change over time.

As you are developing the capability, consider ways to make these principles evident in the design and operation of policy management.

This article is from the newly published Policy Management Capability Model and tied to the Certified Policy Management Professional (CPMP) certification @ www.PolicyManagementPro.com that GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.

https://www.policymanagementpro.com/a/46210/se3Ec7qv

Why Policies Matter

From time to time, people ask why policies matter. After all, they argue, are not the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their operations and have case-by-case flexibility? Don’t policies create liability when they are not followed? Isn’t it just more unnecessary bureaucracy?

The answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk; every policy is a risk document that aims to control behavior-related risks.

The longer answer is a bit more complicated. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes—the organization states what it will and will not accept and defines the culture of integrity and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies, in the context of this Policy Management Capability Model, can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents.

Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct.

  • Policies articulate the governance culture: Policies address more than how to meet legal requirements; they also drive the performance objectives of the organization. Without policies, the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make decisions and may take the organization where management does not want it to go. Governance is not taking place. Can you imagine an organization that did not have policies? How could it ever reliably achieve objectives as there would be no consistency in behavior, processes, and transactions?
  • Policies articulate the risk culture: This includes the establishment of risk management responsibilities, communication, appetite, tolerance levels, and risk ownership. Policies reduce bias in decision making. Every organization takes risk — it is part of the business and sometimes helps to get the business where it wants to be. Without clearly written guidance and ownership, however, risk governance will be ineffective and risk decisions will be made by each individual based on his or her personal appetite for risk. Essentially, every policy is a risk document. There would not be a policy if there were not a risk. Further, every policy must be risk-informed; the policy exists in response to a risk or anticipated risk and needs to be understood in that context.
  • Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies also establish the values, ethics, commitments, and social responsibility of the organization when it comes to matters of discretion.  Policies, particularly policies that are enforced, provide an organization with a defensible position against the actions of rogue employees and demonstrate how the organization meets legal, regulatory, contractual, and other requirements.

In this context, policies are critical to all three aspects of GRC – governance, risk management, and compliance. Policies, and policy management, are a foundation that enables an organization “to reliably achieve objectives [governance], while addressing uncertainty [risk management], and acting with integrity [compliance].” Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more.”  Even when well-written policies are issued, the game is not over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, and the organization can end up in hot water. We know that an organization may develop a corrupt culture even with the right policies in place, but we also know that it cannot have a strong, effective culture without them.

Issuing well-crafted, and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strong embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives. 

Policies must be professionally managed so that they are both effective and efficient tools to help the organization stay on the path it chooses.

This article is from the newly published Policy Management Capability Model and tied to the Certified Policy Management Professional (CPMP) certification @ www.PolicyManagementPro.com that GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.

https://www.policymanagementpro.com/a/46210/se3Ec7qv

The Policy Management Capability Model

After years of discussion and more than 18 months in development, I am pleased to announce the launch of my latest collaboration with OCEG: Policy Management Pro and the publication of the Policy Management Capability Model.

You should already be familiar with the GRC Capability Model, which is in use by organizations of all sizes and types worldwide. Now, we apply the same level of detail and clarity to the critical business need for effective policy management, which presents significant challenges in today’s ever-changing global operating and regulatory environments. 

Policy Management Pro brings policy standards and a professional certification in policy management to the market for the first time.

Our collaboration in this project with OCEG and the highly experienced practitioners in policy management who served on the review committee has led to a set of comprehensive practices that will benefit any organization.

The Certified Policy Management Professional designation indicates a strong understanding of the standard practices set out in the Policy Management Capability Model. Knowing your policy team or any new hires have the CPMP designation should offer peace of mind and confidence that your policy capability is in good hands. As we say on the site, we give you everything you need and nothing you don’t to build and run a strong policy management capability.

Check out what people have to say . . .

“It was a great pleasure to read this document because of how thorough and well thought out it is. It has been frustrating with no industry standard for organizations to lean on when trying to stand up a policy management program. This really will be a fantastic and extremely valuable tool in helping organizations establish this capability.”

Jeff Boyer, Governance Lead, Suncor Energy Services, Inc. and review committee member

“This document has all the essentials, in sufficient detail, for any practitioner setting up a policy management project. This is virtually a step-by-step guide. I only wish the document was available to me all those years ago when I was in my first compliance role and had to get a new business unit with 150 frontline staff audit ready in 6 months!”

Meng Barnie, Compliance Officer & MLRO, BLOM Bank and review committee member

Take a few minutes to join! View the Policy Management Pro website, download the Capability Model, and check out the free sample lesson from the on-demand training program. Then take advantage of the opening discount offer and sign up today as the first step toward your standing as a Certified Policy Management Pro.

Listen to the latest podcast from Tom Fox on PolicyManagementPro . . .

https://www.policymanagementpro.com/a/46210/se3Ec7qv

A CECO SWOT Analysis for 2021: Finding Your Opportunities

We are in the midst of working through a CECO SWOT Analysis to help CECOs develop their strategy in 2021 and into the future. Over the past few weeks, we looked at the STRENGTHS and WEAKNESSES of the typical CECO; this week we turn to the OPPORTUNITIES.

As you look to build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and program, and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. To achieve your strategy, it is important to look for opportunities to advance compliance and ethics within your organization.

The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future. Here are some opportunities and messages that GRC 20/20 finds strong CECOs leveraging to advance the compliance and ethics agenda in their organization:

  • Focus on integrity, in which the compliance and ethics function . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

What is Business and Operational Resiliency?

Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries (e.g., financial services). This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk. Organizations are striving for business and operational resiliency, which requires the integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts it.

I am seeing a lot of interest in risk management and resiliency in my research. In this context, I come across the terms business resiliency and operational resiliency. There is a difference between business resiliency and operational resiliency. I see solution providers using these terms as synonyms, or I see some make the mistake of thinking that operational resiliency is for financial services and business resiliency is for other industries. This mistake stems from the operational resiliency regulations in the financial services industry. The reality is that all industries have operations and processes and therefore have operational resiliency concerns. All organizations have business resiliency needs as well. There is not one organization that does not have business and operational resiliency needs.

What is the difference?

Business resiliency is broad; it includes the resiliency of the organization’s strategy, liquidity/cash, diversity/hedging, and operations. So operational resiliency is part of business resiliency, just as its counterpart operational risk management (ORM) is part of, but not the same as, enterprise risk management (ERM).

Here is how I differentiate the two and show that business resilience is broader than, but also includes, operational resilience.

  • Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
  • Operational resilience is a component of business resilience focused on internal processes, services, people, systems, and relationships.

Let’s Dive Deeper into Operational Resilience

Operational resiliency is not business continuity 2.0. It is much more than that. Operational resiliency is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party GRC/risk management (for example, the FCA/BoE/PRA guidance on operational resiliency references third-party/vendor risk throughout the document).

As for definitions, let’s look at how the financial regulators define operational resilience, and I will give you my opinion on which is the best definition:

  • UK FCA: We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
  • EU DORA: ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
  • US OCC: Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
  • Basel Committee on Banking Supervision: The Committee defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption. In considering its operational resilience, a bank should take into account its overall risk appetite, risk capacity and risk profile.

Granted, these definitions are focused on financial services, so let’s evaluate them objectively in a context that crosses industries (stripping out the financial-services-specific language).

My least favorite definition is the EU’s DORA (Digital Operational Resilience Act). This is because it focuses specifically and exclusively on digital operational resiliency. Operational resiliency is so much more than the depths and bowels of the IT department, technology, and information. Operational resiliency is also about people, processes, services, and third-party relationships. I also find the definition to be very reactive and not proactive.

Next in my order from least to best definition is the Basel definition. It is stuck in the idea of disruption and recovery, but it has a broader view than DORA and does include elements of risk management. It is also another definition that is more reactive than proactive.

The US Office of the Comptroller of the Currency (OCC) definition is better. I like the fact that it specifically leads with operational risk management and takes it out of a pure business continuity context. This is good, but not good enough. I find the definition still a little weak, as it is still focused on preparing for and recovering from disruption, a reactive approach.

The UK Financial Conduct Authority provides the best definition, and I love this definition. It is the shortest definition, but the only one that takes a strong risk management approach to operational resiliency. It is the only definition that mentions PREVENT as organizations can monitor and address situations before they impact the organization (at least in some situations). The idea of PREVENT gives a strong governance focus to this that ties into objectives and strategy to navigate the organization to manage uncertainty, a concept of agility to avoid disruption. The other element I love about this definition is that it references LEARN as well, so the organization learns from events and disruption so it does not repeat the same mistakes.

The United Kingdom wins again. I personally am a fan of regulations that come out of the United Kingdom (and nearly half my interactions are in the UK). The UK brought us principle/outcome-based regulations back in the FSA days (before the FCA), which then became EU better-regulation policy. The UK is leading in accountability regime regulation with the UK SMCR, and now we have Australia’s BEAR, Ireland’s SEAR, Hong Kong’s MIC, and Singapore’s IA that have followed suit. The UK FCA is leading the world in digitizing the rulebook and regulations. More work is going into the UK Modern Slavery Act, with greater requirements and enforcement penalties expected. Now I have digressed into other areas . . .

What are your thoughts on business and operational resiliency? How are they different? How are they related? How would you define them?

GRC 2021: ESG, Risk Management, Compliance . . . Driving GRC Maturity

Last week we looked at the overall three strategic trends in governance, risk management, and compliance (GRC) in 2021. These were integrity, resiliency, and integration. This week we turn our attention to the tactical, but very critical, trends that are driving these three strategic trends . . .

The primary directive of a GRC management capability in 2021 is to deliver effectiveness, efficiency, and agility to the business that needs to manage integrity and resiliency in the midst of uncertainty. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks and controls across the organization. Organizations need a mature GRC capability that brings together a coordinated strategy and process. 

The strategic drivers – integrity, resiliency, and integration – are supported by several tactical trends impacting organizations in 2021. These are:

  • ESG reporting. GRC strategy and focus is turning to ESG (Environmental, Social, and Governance) reporting at a board level. ESG practices and reporting of an organization dictate the evaluation and monitoring of the organization’s environmental, social, and governance practices across the organization and its relationships. This has been a significant focus in Europe and is now gaining momentum in the USA. Bloomberg, BlackRock, the Social Accountability Standards Board (SASB), and the most recent National Association of Corporate Directors’ report show this as a growing board and corporate level concern.
  • Maturing risk management. There is growing pressure to mature risk management in organizations. This includes more focus on risk quantification, aggregation, and normalization. The range of RFPs that GRC 20/20 is monitoring and advising on sees increased focus on these criteria elements. This is also moving forward through standards and regulations, such as in the German IDW PS 340 requirements. 
  • Policy management and regulatory change. Organizations across industries – but particularly financial services, healthcare, and life sciences – are seeing ongoing changes to regulations. Combined with the focus on integrity, organizations are developing enterprise policy management strategies to provide for collaborative policy authoring, management, and engagement. This includes the back-office management, monitoring, and enforcement of policies as well as the front-office engagement and awareness of policies.
  • Compliance and ethics management. It has become clear that organizations need a federated compliance management strategy. There is no single department responsible for every aspect of compliance. Compliance functions have been scattered and operating independently of each other. There is IT/information compliance, privacy compliance, HR compliance, environmental compliance, health and safety compliance, government contracting compliance, procurement compliance, quality compliance, corporate compliance and ethics, and more. Organizations are beginning to develop collaboration and federation across these compliance and ethics functions to work together yet retain their autonomy.
  • Employee engagement and culture. 2020 has forced organizations to rethink how they engage employees in 2021. Employee engagement in a remote work from home environment drove many organizations to look for new technologies to engage and communicate risks, controls, policies, and awareness.
  • Compliance and defensibility. Organizations are driven by regulators, law enforcement, external auditors, civil suits, and more to have a clear and defensible system of record of compliance activities. Regulator and law enforcement guidance, such as the updated U.S. Department of Justice Evaluation of Compliance Program Guidelines, specifically are looking for a robust system of record involving compliance activities. Defensibility also is a focus of the organization’s risk management and assurance practices.
  • Privacy. The EU’s GDPR and California’s CCPA are top of mind in many organizations in the context of increased risk exposure. In California, the CCPA privacy requirements are now evolving into CPRA. The Schrems II decision in the EU has shifted strategies. There are new privacy laws coming into effect (e.g., Switzerland).
  • Information Security. Information security remains a significant focus in 2021, particularly in the wake of the SolarWinds hack reported at the end of 2020 – which impacted over 250 organizations that use SolarWinds. The work-from-home environment, which is here to stay, has many organizations rearchitecting their strategy, processes, and technology for information security.
  • Accountability Regimes. There is a sweeping array of accountability regimes/regulations that are putting personal liability on senior management functions (e.g., executives) for conduct, risk, compliance, control, and ethics issues. These individuals can be personally fined or go to jail. It started with the UK’s Senior Managers and Certification Regime (SMCR) and has cascaded into Australia’s Banking Executive Accountability Regime (BEAR), Ireland’s Senior Executive Accountability Regime (SEAR), Hong Kong’s Manager in Charge (MIC), and most recently Singapore’s Individual Accountability regime. Firms that are not headquartered in these geographies but have operations there have to comply as well.
  • Third-Party GRC/Risk Management. The interconnectedness of business is driving demand for 360° contextual awareness in the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impedes third-party relationships and the ability of the business to manage them. These elements of distributed, dynamic, and disrupted business are driving significant changes in third-party governance, risk management, and compliance strategies in organizations. 
  • Environmental. It is a central component of ESG but also stands on its own because of the critical nature of environmental issues, risk, and regulation. Environmental change is a significant focus for organizations and corporations. The World Economic Forum, in its Global Risk Report each year, lists environmental risks at the top. With an incoming Biden administration in the USA, there will be a renewed focus on joining Europe in environmental regulation, and this significantly impacts USA organizations. Some regulators, such as the UK FCA in the SMCR regulation, are putting pressure on organizations to make senior management functions accountable for managing climate change risk to the organization.
  • Health and Safety. The pandemic of 2020 has brought health and safety front-and-center to all aspects of governance, risk management, and compliance within the organization and in the extended enterprise. There is a renewed focus on monitoring the health and safety risks in the business from both a human rights perspective (which ties into ESG) and a resiliency perspective.
  • Greater Assurance. These drivers and trends in 2021 impact the role of internal audit and assurance functions. Audit is being tasked to do more to provide assurance across these areas. Gone are the days of audit being focused purely on internal controls of financial reporting and IT controls. Today’s audit department has to provide a range of assurance activities across operational areas and third-party relationships.
  • GRC Technology. Technology is changing to address these trends. There is a greater focus on RFPs to select solutions that are agile and easy to adapt to the business environment. They also are becoming more engaging to provide contextually relevant information in modern user interfaces to engage front-office/first-line employees, as well as having the depth of analytics and modeling for back-office/second and third line GRC functions. Technology is also embracing the move to cognitive, artificial intelligence, and robotic process automation in 2021 and beyond. 

Successful GRC management in 2021 requires the organization to provide an integrated process, information, and technology architecture. This helps to identify, analyze, manage, and monitor GRC, and capture changes in the organization’s risk profile from internal and external events as they occur. It requires the organization to take a top-down view of risk linked to objectives, led by the executives and the board. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and its impact on objectives. This enables GRC management to be a seamless part of governance and operations. While that may sound like hard work – and it is – organizations that get a good grip on their GRC initiatives in 2021 have a much better chance of thriving in today’s complex business world.

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Governance, Risk Management & Compliance (GRC):

A CECO SWOT Analysis for 2021: Identifying Your Weaknesses

We are in the midst of working through a CECO SWOT Analysis to help CECOs develop their strategy in 2021 and into the future. Last week we looked at the STRENGTHS of the typical CECO; this week we turn to WEAKNESSES.

As you look to build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and your program and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. If you are like me, you do not want to focus on weakness. But we need to identify and address our weaknesses in order to do better. Some weaknesses we can overcome ourselves; others may require outside assistance. Perhaps it means finding capabilities on your team to provide balance to your weak areas.

The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future. The typical CECO today struggles with:

  • Limited technical acumen: Most compliance roles have grown out of legal, which has often been more comfortable with . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]