6 Ways to Create a Repeatable, Scalable Compliance Program

Compliance programs are critical in ensuring organizations adhere to established regulations, laws, and ethical standards, fostering trust with stakeholders, employees, business partners, and the public. A repeatable and scalable compliance program ensures consistency and efficiency in managing compliance risks across operations of varying scale, and it keeps the organization compliant as regulations, obligations, and the business itself change. Organizations across industries and sizes must create a compliance program that meets the legal requisites and is repeatable and scalable in a dynamic, distributed, and ever-changing business environment.

What’s Required to Establish a Successful Compliance Program?

Creating a scalable and repeatable compliance program requires . . .

[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

The Chief Risk Officer and The Rhythm of Risk

Building on my recent blogs Risk Management = No Surprises, and particularly The Chief Risk Officer: The Conductor of the Orchestra of Risk Management, we now pick up on that theme and explore the Chief Risk Officer and The Rhythm of Risk in the business . . . 

The concept and term The Rhythm of Risk is not my own but comes from a conversation I had with my friend Brad Jewett (a fellow OCEG Fellow) about fifteen years ago. At the time, he was the enterprise risk director of Microsoft (he is currently the CFO of Corel Corporation). I have expanded on this conversation in my thoughts below.

In the intricate orchestra of business, the Chief Risk Officer (CRO) is tasked with choreographing the organization’s steps around the rhythm of risk, ensuring that every movement is aligned with the company’s strategic beat and performance objectives. ISO 31000 defines risk as “the effect of uncertainty on objectives” as the foundation for this alignment, emphasizing that managing risk is not just about avoiding threats but also about embracing opportunities that contribute to achieving business goals. Here, we explore how the CRO manages risk within the business’s cycles, strategy, performance, and objectives, providing executives with the relevant risk information they need to make informed decisions. . . 

  • Setting the Tempo: Risk and Business Cycles. With its ebb and flow, the business cycle is like a musical composition with varying tempos. The CRO must understand these rhythms and set the pace for risk management accordingly. This means identifying the risks associated with different phases of the business cycle, from expansion and peak to contraction and trough, and aligning risk strategies to protect and propel the business through each phase.
  • Composing the Strategy: Risk in Strategic Planning. Strategic planning is where the organization’s objectives are composed, and it is here that the CRO must integrate risk management into the broader corporate strategy. By understanding the strategic objectives, the CRO can identify what uncertainties could impact these goals and provide insights on managing them. This ensures that risk management is not a siloed function but a key part of strategic planning, contributing to the overall direction and success of the organization.
  • Orchestrating Performance: Risk and Business Objectives. Performance metrics are the score by which a business’s success is measured, and for the CRO, it is crucial to ensure that risk management contributes positively to these metrics. The CRO must provide risk information that is not only timely and accurate but also relevant to the objectives against which executives are measured. This involves translating risk data into actionable intelligence to inform decision-making processes and drive performance.
  • Synchronizing Movements: Aligning Risk Information with Objectives. The relevance of risk information is pivotal; it must resonate with the strategic objectives and the key performance indicators (KPIs) that executives use to gauge success. The CRO must, therefore, tailor the communication of risk insights to match the rhythm of the business, ensuring that it aligns with the cadence of the objectives being pursued. This tailored approach helps executives to see risk management as an integral part of achieving their goals rather than as a separate or competing agenda.
  • The Crescendo: Leveraging Opportunities. In line with ISO 31000, the CRO’s role is not limited to managing adverse effects but also involves recognizing and seizing opportunities that arise from uncertainty. By providing a balanced view of risks and opportunities, the CRO can help the organization reach a crescendo of strategic success, turning potential threats into advantages that can lead to competitive gains and value creation.

In the rhythm of risk, the Chief Risk Officer plays a critical role in ensuring that the organization moves to the beat of strategic growth and performance objectives. This role is the composer who integrates risk management with business cycles, the strategist who aligns risk with corporate planning, and the conductor who ensures that risk information is in sync with the executive measures of success. Ultimately, the CRO’s work enables the organization to dance confidently amid uncertainties, turning the rhythm of risk into a pathway to resilience and strategic achievement.

The Chief Risk Officer: The Conductor of the Orchestra of Risk Management

I am in London this week and next week and always love going to the London Symphony Orchestra or more intimate settings like the baroque performances at St. Martin in the Fields.

Navigating the complex and dynamic landscape of organizational risk requires a leader with a keen sense of balance, foresight, and an ability to harmonize diverse elements. Much like a conductor who leads an orchestra through intricate compositions, a Chief Risk Officer (CRO) orchestrates the management of various risks to ensure the smooth operation and sustainable growth of a company. The CRO plays a vital role in harmonizing the various types of risks in alignment with the organization’s objectives, ensuring that risks are managed in context and conducting a symphony of resilience and strategic success. By managing uncertainty (risk) in achieving objectives, the CRO works with the business to establish appropriate risk tolerances and proactively sees risks across the silos of the organization to address the complexity of interconnected uncertainties. The CRO guides the organization toward achieving its goals, creating a masterpiece of stability and strategic achievement (similar to my previous blog on Risk Management = No Surprises!).

Just as a conductor leads an orchestra through a symphony, ensuring each section contributes to the overall masterpiece, a CRO orchestrates the management of risk across an organization. This analogy becomes even more vivid when we consider the ISO 31000 definition of risk as “the effect of uncertainty on objectives.” The CRO, like a conductor, ensures that risk is managed in the context of achieving the organization’s objectives, aligning different types of risks to create a harmonious performance.

The Symphony of Objectives and Risk

An organization, much like a piece of music, has its objectives, ranging from entity-wide goals to specific targets for divisions, departments, processes, projects, assets, or relationships. The CRO plays a pivotal role in ensuring that risks are managed in alignment with these objectives, conducting a symphony that balances uncertainty and strategic direction.

The CRO holds the baton of risk management, conducting the different sections of risks to create a balanced and harmonious performance. Just as a conductor has a deep understanding of music and the unique characteristics of each instrument, the CRO possesses an in-depth knowledge of various risk types and how they interact within the organizational framework.

Imagine the following (of course, simplified for the analogy) . . .

  • The Melody of Strategy. Just as the string section provides the melody in an orchestra, strategic risks shape the long-term direction of the organization. The CRO ensures that these risks are in harmony with the company’s objectives, guiding the organization toward its aspirations and goals.
  • The Rhythm of Operations. Operational risks, represented by the woodwinds, are essential for the daily functioning of the company. The CRO harmonizes these risks, aligning internal processes, people, and systems with the organization’s objectives to maintain a smooth performance.
  • The Dynamics of Finance. Financial risks, akin to the brass section, have a powerful impact on the organization. The CRO manages these risks in the context of the company’s financial objectives, mitigating exposure to market fluctuations, credit risks, and liquidity concerns.
  • The Tempo of Reputation. Reputational risks, represented by the percussion, influence public perception and the organization’s standing in the marketplace. The CRO pays close attention to these risks, ensuring that the company’s reputation is managed in alignment with its objectives for stakeholder trust and market presence.

Anticipating the Crescendos and Diminuendos

The conductor has a unique vantage point, able to see and hear every part of the orchestra. Similarly, the CRO possesses a holistic view of the organization’s risk profile, enabling them to see across different risk categories and anticipate potential challenges.

With the ISO 31000 definition in mind, the CRO’s role extends beyond balancing different types of risks; they must also ensure that risks are managed in the context of the organization’s diverse objectives. They conduct risk assessments and implement mitigation strategies across various risk categories, ensuring that the organization is in tune and aligned with its strategic, operational, financial, and reputational objectives. They use this insight to proactively address risks, ensuring that the organization is prepared to face uncertainties and navigate through turbulent times.

Just as a conductor ensures that no section overpowers the others, the CRO works to maintain a balance between different types of risks. They monitor the risk landscape, identifying when a particular risk category is out of tune or misaligned with the rest. This involves setting and enforcing risk tolerances, conducting regular risk assessments, and implementing mitigation strategies to keep the organization on track.

Just as a conductor anticipates changes in a musical score, adjusting the orchestra’s performance accordingly, the CRO uses their holistic view of the organization’s risk profile, aligned with the objectives of the organization, to anticipate potential challenges and navigate through uncertainties. The role of the CRO and the enterprise risk department ensures that the organization is prepared for risk crescendos and diminuendos, maintaining a balanced performance in alignment with the organization’s objectives.

In the symphony of organizational success, the Chief Risk Officer plays the vital role of conductor, harmonizing different types of risks to create a balanced and resilient performance. By maintaining a keen awareness of the risk landscape, setting appropriate tolerances, and proactively managing risks, the CRO ensures that the organization stays in tune, aligned, and ready to face the uncertainties of the business world. Like a maestro leading an orchestra through a complex composition, the CRO orchestrates the management of risks, guiding the organization toward harmony, stability, and strategic success.

Risk Management = No Surprises!

I am in Sweden this week, where tomorrow I provide a keynote to 102 risk officers and directors at the SWERMA (Swedish Risk Management Association)’s ERM Day 2023. In general, I find the risk management thinking in Europe to be more aligned with the business, whereas, in North America, it is more of a compliance exercise, too often tied to Sarbanes Oxley. 

Let me tell you a story . . . 

I taught my Risk and Resilience Management by Design Workshop in Amsterdam in September. During the day, I had a great interaction with a Chief Risk Officer from a European life sciences company. He told me the following story . . . 

After being hired as the Chief Risk Officer, he met the CEO for the first time. The CEO looks him in the eye and states, “So, you are the new CRO. Tell me what that means to me?”

He looked him back in the eye and stated, “My job is to ensure you have no surprises in achieving the organization’s objectives.” The CEO thought that was brilliant and the best definition of risk management he ever heard. 

ISO 31000 defines risk as “the effect of uncertainty on objectives.” Risk needs context, and that context starts with the organization’s objectives. They can be financial objectives, they can be operational objectives, or even ethical/ESG objectives. Objectives can be high-level entity objectives that are driven down into division, department, process, project, or asset-level objectives. Even supplier and third-party relationships start with the objectives and purpose of the relationship.

The context for risk management is objectives, as ISO 31000 states. That is why ISO 31000 and its foundation in AS/NZS 4360 influenced and framed the OCEG GRC Capability Model. GRC, as defined in the OCEG model, is “a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].”

Risk management needs context, and that is the organization’s objectives (at their varying nested levels). As an analyst covering software in the market, I specifically look for how a risk management solution starts with objectives. If it does not, it is not my ideal solution. Even in ESG, I look for how the solution starts with the ESG objectives of the organization. Any ESG solution that starts with risks and not objectives is not worth much. 

As this CRO states, his job is managing uncertainty to ensure there are “no surprises” in achieving the organization’s objectives. Of course, there can still be surprises as things catch us off guard. However, it is the role of the Chief Risk Officer to ensure that executives and the business are fully informed of risks to their objectives to minimize uncertainty and surprises so they can reliably achieve those objectives. 

What also is brilliant about this CRO’s response . . . it puts risk accountability with executives and the business. Risk management’s job is to facilitate risk management across the organization and communicate and engage on risk in the context of objectives. Risk management has done its job if the risk management function has fully communicated this and the business owns and drives forward for gain or loss. It is not the job of risk management to ‘own’ risk but to communicate risk in the context of objectives. It is the role of executives and the business to own the risk in their decisions.

Cognitive GRC: Revolutionizing GRC With Artificial Intelligence

As we venture deeper into the digital era, the role of Artificial Intelligence (AI) in Governance, Risk Management, and Compliance (GRC) cannot be overstated. Cognitive GRC (what GRC 20/20 refers to as GRC 5.0: Cognitive GRC) is the intersection of GRC and AI, promising a future where GRC is not just a bureaucratic necessity but a strategic enabler of business performance and resilience.

Cognitive GRC refers to the application of AI (cognitive technologies) to GRC functions, effectively facilitating intelligent, automated, and informed decision-making processes that minimize risk and ensure compliance. AI brings unprecedented efficiency, effectiveness, resilience, and agility through the cognitive automation of GRC, allowing organizations to respond proactively to risks and compliance and gain insights to navigate the organization and achieve objectives in an era of uncertainty.

Consider the following AI technologies and some examples of their potential Cognitive GRC use cases . . .

[The rest of this blog can be read on the TruOps blog, where GRC 20/20’s Michael Rasmussen is a guest author]

A.I. Governance, Risk Management & Compliance

Organizations increasingly employ A.I. to enhance efficiency and decision-making processes in the modern business landscape. However, using A.I. presents numerous governance, risk management, and compliance (GRC) challenges that need meticulous attention. Within the scope of an enterprise perspective of GRC is the growing domain of A.I. GRC – the governance, risk management, and compliance over the use of artificial intelligence. The Open Compliance and Ethics Group (OCEG) defines GRC as “a capability to reliably achieve objectives, address uncertainty, and act with integrity.”

Adapting the definition of GRC to address the specifics of A.I., A.I. GRC is the capability to reliably achieve the objectives of A.I. models and their use, to address the uncertainty and risk in the use of A.I., and to act with integrity in the ethical, legal, and regulatory use of A.I. in the organization’s context. 

  • A.I. Governance. Governance in A.I. involves overseeing and guiding A.I.-related initiatives and the use of A.I. technology and models to ensure alignment with organizational objectives and values. Proper governance implies establishing clear A.I. policies, procedures, and decision-making frameworks. These frameworks should help the organization “reliably achieve objectives” and ensure that the objectives and design of the A.I. models, in their intended purpose, are also achieved. Thus, the governance of A.I. involves strategic planning, stakeholder engagement, and monitoring of performance and A.I. usage to ensure A.I. projects effectively meet their intended objectives and contribute positively to the broader organizational objectives.
  • A.I. Risk Management. Risk management in A.I. refers to identifying, assessing, and managing the uncertainty associated with developing, using, and maintaining A.I. technologies. These risks range from technical aspects, such as security breaches or system failure, to ethical aspects, like algorithmic bias or privacy infringement. Risk management is about addressing uncertainty. Given their potential to hamper an organization’s operations or reputation, A.I.-related risks require comprehensive risk assessments and robust risk mitigation strategies.
  • A.I. Compliance. Compliance is a critical aspect of A.I. implementation. As A.I. technology evolves, so does the regulatory landscape surrounding its use. Compliance in the A.I. context means adhering to relevant legal requirements, industry standards, and ethical norms. Compliance equates to “acting with integrity.” This involves adhering to regulations like GDPR for data privacy and adopting ethical A.I. practices to maintain transparency, fairness, and accountability in A.I. applications. In today’s era of ESG – environmental, social, and governance – the ethical use of A.I. is part of the organization’s ESG commitments. 

Incorporating core GRC principles in the responsible use of A.I. involves building a culture that values ethical A.I. use and behavior, transparency, and consistent improvement. 

The blog above is taken from GRC 20/20’s paper on: A.I. GRC: The Governance, Risk Management & Compliance of A.I.

Upcoming A.I. GRC webinars:

October 18 @ 3:00 pm – 4:00 pm EDT 

November 7 @ 12:00 pm – 1:00 pm CST 

Building a Business Case & RFP for GRC-Related Software

I am an analyst; my job is researching the challenges companies face in the context of governance, risk management, and compliance (GRC) and how they solve those challenges with strategy, process, and particularly technology and services. Every week, I answer between 10 and 20 inquiry questions from organizations that want insight into GRC-related solutions and services and desire my perspective on the market (I offer an initial interaction at no cost).

My job as an analyst is two-fold:

  1. Horizon Scanning. Forecasting the drivers and trends over the next two to five years and providing insight into what organizations will need and where the market is headed.
  2. The Current Situation. To understand what is being delivered in the market, what differentiates one solution/service from another, and to provide insight to buyers of solutions and services on what they should look at and consider to meet their current and future needs.

We are entering that time of the year when I get a lot of interactions on how to build a business case and prepare for an RFP for GRC-related software as organizations prepare for next-year budgets. 

Note I stated GRC-related. It is not all about one platform that does everything; that platform does not exist. There may be a core platform for GRC, but there are a lot of best-of-breed and deep solutions that extend the GRC architecture of an organization. There are deeply capable solutions and RFPs for specific domains of GRC, such as third-party risk management, ESG, resilience and continuity, policy management, audit management, regulatory change management, case management, and more. What I go through below can be applied to a broad GRC platform doing various things or to a very specific domain and set of use cases for GRC with dedicated best-of-breed solutions.

I am very busy with many current and developing RFPs. Some are within small to mid-sized organizations that are trying to replace manual processes of documents, spreadsheets, and emails. Others are with the mid to large enterprises that have found several, and in one case nine, different GRC platforms installed across the organization with further complexity of various point solutions and a maze of documents, spreadsheets, and emails.  

Building a business case starts with a current state analysis to understand the present to prepare and architect for the future. Often, organizations find themselves trapped in a chaotic jungle of documents, spreadsheets, emails, and discrete point solutions when managing GRC. A current state analysis is pivotal for:

  • Identifying inefficiencies. A deep dive into the prevalence and breadth of GRC management practices across the organization typically will unearth redundancies, bottlenecks, gaps, and silos in processes and information flow.

Once we understand the current state, we can begin designing/architecting the future state. Some might have a pretty good strategy and process in place that is supported by a robust GRC-related information and technology architecture. These organizations will take a Japanese kaizen approach to GRC processes and technology, with small incremental improvements. Others will find a mess and need a complete overhaul. 

To shape a future where GRC management is streamlined and synergistic, it’s imperative to:

  • Integrate technology where it makes sense by implementing GRC-related software to consolidate data, automate workflows, and enable data analytics.
  • Optimize and re-engineer processes by identifying and eliminating non-value-added activities, leveraging technology to augment process efficiency.
  • Enhance collaboration and visibility by breaking down silos and barriers to foster cross-functional collaboration, ensuring information and best practices are shared across departments.
  • Build a resilient GRC framework with a system that addresses current governance, risks, and compliance requirements and is agile enough to adapt to future changes.

Once a clear understanding of the current state (most likely a mess that looks like an illustration of Dante’s Inferno) and a desired future state are defined, the organization can begin to build a business case that measures and quantifies the value of the future state in contrast to the current state.

When I work on a business case, I build it around the following four areas:

  1. Efficiency (Time & Money Saved). Implementing GRC software eradicates manual processes and redundant systems, diminishing human error and freeing employee time. It also provides an integrated architecture for information and reporting, reducing costs. One firm I helped with found that 80% of their risk staff’s time was spent managing and chasing documents and emails and NOT managing risk. Another was spending 200 hours building a report every year for the board of directors (it now takes 5 minutes).
  2. Effectiveness (Risk Reduction & Enhanced Productivity). This is where we get more done, with fewer things slipping through the cracks, a single source of truth and system of record, greater accountability, and enhanced visibility. GRC-related software offers a comprehensive view of organizational risks, enabling better-informed decision-making to reliably achieve objectives, if done properly.
  3. Resilience (Proactive Issue Discovery & Management). GRC solutions with analytics capabilities empower organizations to identify and address issues before they escalate. The organization can address risks, events, incidents, and issues before they become bigger, and it can recover quickly when things go wrong.
  4. Agility (Adaptability to Keep Up With Change). Organizations face constant change. Risk changes in the external environment (geopolitical, economic, disasters, competitive). Regulations and laws continuously change. At the same time, the business itself is changing with employees, processes, technologies, strategy, mergers and acquisitions, and even third-party relationships. GRC technology enables organizations to be agile in a changing business, to forecast and see risks coming at the organization, and to prepare the organization to reliably achieve objectives, address uncertainty and risk, and act with integrity in meeting obligations amid continuous change and evolution.

Once the budget has been approved, it is time to write the RFP. I have hundreds of requirements, from the simple to the complex, across GRC domains; each area/domain of GRC can be a full paper on requirements. When you are clear about the current state, desired future state, and business case, designing a Request for Proposal (RFP) is the next step:

  • Identify Key Requirements. List the functionalities and capabilities the GRC software must have to bridge the gap between the current and desired states.
  • Define Evaluation Criteria. Establish metrics for evaluating potential vendors, such as functionality, technology stack, user-friendliness, customization capabilities, and post-implementation support. This includes demo scripts and use cases.
  • Consider Future Scalability. Ensure that the software can scale and adapt to the future growth and diversification of the organization.
  • Measure Total Cost of Ownership (TCO). Consider not just the procurement cost but also implementation, customization, training, and maintenance costs.

In summary, transforming GRC management (whether a broad strategy or a focused area) from a document-heavy, siloed operation into a streamlined, technology-enabled function necessitates a deep understanding of the current state, a clear vision of the desired future, and a robust business case that underscores the benefits in terms of efficiency, effectiveness, resilience, and agility. By establishing a clear business case and desired future state delivered in a well-crafted RFP, organizations can navigate the complex maze of GRC solutions and services, ensuring they are always ahead in this dynamically evolving business world.

A Preventative Approach To Achieving Compliance In Healthcare

In an era where change is the only constant, organizations are being inundated by a deluge of shifts across risk, business, and regulatory dimensions. Each change brings its own complexities and managing them individually, much less collectively, becomes a herculean task. The challenge is two-fold: not only must businesses keep up with these changes, but they must also ensure that their response is in sync with their overarching business strategy.

The Scope of Regulatory Change

The world of regulatory requirements is an ever-shifting landscape. This turbulence is compounded by the continuous introduction and modification of laws, regulations, enforcement actions, and administrative decisions at local, regional, and international levels. For many, the challenge isn’t merely about staying afloat but preventing drowning in the overwhelming sea of updates.

Several factors contribute to this growing complexity . . .

[The rest of this blog can be read on the SDG blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Charting the Course: Tackling GRC Challenges in Higher Education Institutions

Governance, Risk Management, and Compliance (GRC) in higher education presents unique challenges due to the complex, dynamic, and highly regulated environments in which institutions operate. Crafting a coherent strategy, adopting streamlined processes, and leveraging appropriate GRC technology are paramount to charting a successful risk and compliance course that maintains an institution’s integrity, reputation, and resources.

Challenges of GRC in Higher Education

Higher education institutions often cross multiple frameworks and their governance structures are complex, leading to specific struggles when implementing an effective GRC strategy. To effectively maintain a sense of order, transparency, and a level of practical accountability within the scope of GRC, the following challenges must first be addressed . . .

[The rest of this blog can be read on the TruOps blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Ensuring Supplier Risk & Resilience in the Extended Enterprise

Here are some thoughts stemming from my Third-Party Risk Management by Design Workshop in London last week and other interactions I have had on my research. I am speaking on this topic next week at my Third-Party Risk Management by Design Workshop in Chicago, as well as a webinar on Building Resilient Supply Chains: Strategies for Success.

In today’s complex and distributed business environment, which largely depends on the extended enterprise, supplier risk and resilience have become fundamental components for maintaining operational efficiency. With the increasing interdependence between organizations and their suppliers, the significance of developing robust systems to manage governance, risk management, and compliance associated with suppliers cannot be overstated.

Some key challenges organizations face are:

  • Operational Resilience. Operational resilience refers to an organization’s ability to continue to deliver on its key business services during times of operational stress and disruption. In the context of supplier risk, this encompasses ensuring that critical suppliers are similarly resilient, preventing interruptions in the supply chain that may impact business continuity. Within extended enterprises, operational resilience necessitates carefully evaluating and monitoring each supplier’s capabilities, reliability, and stability. This integrated approach helps organizations to anticipate potential supply chain disruptions and enact measures to mitigate risks proactively, maintaining service delivery even under unpredictable circumstances.
  • ESG in Supplier Risk Management. Environmental, Social, and Governance (ESG) criteria have become crucial for evaluating supplier risks. Suppliers’ ESG practices directly impact the reputation and sustainability of the hiring organization. Evaluating suppliers based on ESG metrics is integral to fostering responsible business practices, ensuring long-term sustainability, and mitigating reputational risks. The European Union has been pioneering in imposing stringent ESG standards for businesses. With regulations such as the EU Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD), organizations operating within or dealing with the EU market must ensure their suppliers comply with these elevated standards, as non-compliance can lead to hefty fines and reputational damage. The impact of these requirements extends globally.

Developing a comprehensive supplier risk and resilience strategy is imperative to navigate the uncertainties and complexities of today’s business environment. Such a strategy should encompass risk identification and management while also focusing on building resilience within the supply chain to ensure uninterrupted service delivery.

  • Risk Identification. Organizations should identify potential risks associated with each supplier, considering geopolitical stability, financial health, operational capabilities, and compliance with ESG standards.
  • Continuous Monitoring. Continuous monitoring mechanisms must be implemented to track changes in identified risks and the emergence of new ones.
  • Actionable Insights. Organizations should leverage technology and third-party risk intelligence to derive actionable insights from the monitored data, enabling timely decision-making and risk mitigation.

Implementing technology solutions that seamlessly integrate with third-party risk intelligence content offerings is crucial for effective supplier risk and resilience management. These technologies facilitate the efficient collection, analysis, and interpretation of vast amounts of supplier data, providing organizations with a clear and immediate understanding of their supplier risk landscape.

As businesses increasingly rely on a network of suppliers for operational success, crafting a detailed supplier risk and resilience strategy becomes non-negotiable. Such a strategy, complete with systematic processes and technologically advanced tools, assists organizations in identifying and managing supplier risks and building a resilient supply chain capable of withstanding disruptions. Given the heightened focus on operational resilience and ESG standards, especially within the European Union’s regulatory framework, companies should proactively develop, implement, and continuously improve their approach to Supplier Risk and Resilience to safeguard their operations and reputation in the dynamic global market.

Are you considering attending Third Party Risk Management by Design in Chicago next week? Here are some comments from the London attendees last week . . .

  • “An engaging and valuable session on TPRM with some great insights on emerging risks (AI in the supply chain and increasing regulation) and the maturity of an integrated risk management response. Certainly, a number of topics on which to follow up with our Supply Chain risk team” – VP Risk Advisory, Hospitality
  • “The session was set up well with some great topics to discuss round the table. It was good to see some similar trends on challenges various industries were facing regarding 3rd Party assurance. I enjoyed the overall risk management and senior leadership endorsement, the maturity model and offboarding suppliers as key areas of development. I look forward to your next visit and workshop!” – Cyber Security Risk and Assurance Manager, Transportation
  • “The workshop was very informative and covered a wide range of topics both from yourself and other attendees. Key areas that I took away from the workshop were the implications of AI on third parties both positive and negative as well as highlighting the need for oversight when offboarding suppliers.” – Head of Third Party Governance, Financial Services
  • “It was a very informative experience and a lot to take away from initiating a drive from the 3rd party program to the off-boarding of 3rd party suppliers. I have a lot to help me start a clearer road map in plugging the gaps within our 3rd party management program.” – Supplier Assurance & Controls Analyst, Energy Company
  • “Thanks for the session yesterday. I found it very informative and I made several pages of notes. I am planning to use the Titanic analogy as a risk awareness session for leaders and managers – with a bit of research I think I can turn it into a great case study and map out the parallels with running a business, how third parties introduce risk, communication, risk appetite, risk blindness, planning, the role of due diligence (or the lack of it), etc. You have also provided some great checklists which we can use to sense check our due diligence process for robustness and where we can improve third party risk management.” – Principal, Health and Safety, EMEA, Architecture Design Firm