Michael Rasmussen

Effective 3rd Party Management Workshop

GRC WorkshopsPublished onUpdated onLeave a Comment on Effective 3rd Party Management Workshop

GRC 20/20 Workshops provide interactive training to groups of people on a range of GRC topics. These workshops provide a collaborative learning environment in which the attendees will be guided through lectures, problems, activities, and discussion.

GRC 20/20 can be engaged to deliver workshops internally to organizations as well as sponsored by GRC solution providers for their clients and prospects. GRC 20/20 regularly teaches the following workshops throughout the world in 1/2-day, full-day, and multi-day formats . . .

[tabs id=”Effective_3rd_Party_Management_Workshop” heading=”Effective 3rd Party Management Workshop”] [tab title=”Description” tabid=”Description”]

No company is an island unto itself: Organizations are a complex and diverse system of business relationships. Risk and compliance challenges do not stop at traditional organizational boundaries. Organizations today struggle to identify, manage, and govern extended business relationships as they stand in the shoes of their vendors, partners, suppliers, and relationships. Business partner problems and issues are the organizations problems that directly impact the organization’s brand and reputation. When questions of business practices, compliance, and controls arise, the organization is held accountable, and it must ensure that business partners behave appropriately.

Risk, regulatory, and business environments are in a constant state of change. Extended business relationships — supply chain, value chain, vendors, service providers, outsourcers, and contractors — cannot be left to themselves. Business relationships must comply with regulatory requirements, corporate and regional cultures, codes of conduct, statements of social responsibility and sustainability, policies, risk limits and controls, and other business practices. Anything that impacts business relationships can taint the organization’s brand — such as child labor, quality issues, fraud, privacy violations, or other misconduct. Procurement, and other parts of the business, tend to look at the formation of a business relationship and fail to foresee issues that can cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship itself.

Organizations struggle with consistent processes to manage 3rd party risk and compliance. Business needs defined processes, information, frameworks, and technology to effectively and efficiently manage 3rd party extended business relationships. The goal is to enable business agility by providing defined and integrated accountability processes that can manage risk and compliance in the context of business change across business relationships. A clearly defined approach to managing risk and compliance across extended business relationships requires a consistent lifecycle and program supported by a common information and technology architecture.

 [/tab] [tab title=”Who Should Attend” tabid=”Who_Should_Attend”]

  • Risk Managers
  • Compliance Officers/Managers
  • Corporate Social Responsibility/Accountability
  • Procurement
  • Supply Chain Management
  • Vendor Management
  • Legal
  • IT/Information Security
  • Business Operations

[/tab] [tab title=”What Attendees Learn” tabid=”What_Attendees_Learn”]

  • Disarray of 3rd party management
  • Understand regulatory and risk issues in 3rd party/vendor management bearing down on organizations
    1. Supply chain/vendor Code of Conduct and policies
    2. Social Accountability/International Labor Standards
    3. Conflict Minerals
    4. Anti-Brbiery & Corruption
    5. Security
    6. Privacy
  • Roles & responsibilities in 3rd party management
  • 3rd party risk Assessment
  • 3rd party audit and inspections
  • Effective 3rd Party Management Lifecycle
    1. Understand regulatory and risk issues in 3rd party/vendor management bearing down on financial services organizations
    2. Conduct initial and ongoing due diligence in 3rd party and vendor relationships
    3. Protect the organization through communication of policy and requirements across 3rd party relationships
    4. Assess and score 3rd party/vendor risk
    5. Resolve issues before they grow out of control
    6. Provide oversight and reporting of vendor/3rd party relationships
  • How 3rd party management solutions deliver effective, efficient, and agile 3rd party management processes
  • Relationship of 3rd Party Management to Other Areas of GRC

[/tab] [/tabs]  

When to Write a Policy

Speaking AbstractsPublished onLeave a Comment on When to Write a Policy

Policies address risk and they introduce risk. Too many policies bring about a state of over control and possibly non-compliance as the organization cannot manage and monitor the policies in place. Too little policies bring a state of under-control in which the organization does not have sufficient guidance on conduct and behavior. Good policies provide clear operating structures for employees, processes, and business relationships with enough latitude to achieve business objectives.

Attendees will be able to address the following items:

  • Determine the need for policy based on the level of risk to the organization
  • Determine the need for a policy based on understanding of business objectives
  • Determine the need for a policy based on regulatory requirements
  • Provide a framework for organizaitons to use to determine if a policy should be written or another policy adapted

Effective Policy Management & Communication Workshop

GRC WorkshopsPublished onUpdated onLeave a Comment on Effective Policy Management & Communication Workshop

GRC 20/20 Workshops provide interactive training to groups of people on a range of GRC topics. These workshops provide a collaborative learning environment in which the attendees will be guided through lectures, problems, activities, and discussion.

GRC 20/20 can be engaged to deliver workshops internally to organizations as well as sponsored by GRC solution providers for their clients and prospects. GRC 20/20 regularly teaches the following workshops throughout the world in 1/2-day, full-day, and multi-day formats . . .

[tabs id=”Effective_Policy_Management_Communication_Workshop1405″ heading=”Effective Policy Management & Communication Workshop”] [tab title=”Description” tabid=”Description”]Policies & procedures must be in place to safeguard and educate staff, to protect the organization against unnecessary risk, ensure the consistent operation of the business, uphold ethical values of the organization, and to defend the organization should it land in turbulent legal waters. 

However, effectively managing policies is easier said than done. Ad hoc or passive approaches mean that key policies are out-dated, scattered across the business, and not consistent– resulting in confusion for recipients; and an insufficient level of governance and reporting for auditors and regulators.

It is no longer enough to simply make policies available. Organizations need to guarantee receipt, affirmation AND understanding of policies across the business. To consistently manage and communicate policies, organizations are turning toward defined processes and technologies to manage the Policy lifecycle. The continual growth of regulatory requirements, complex business operations, and global expansion demand a well thought-out and implemented approach to policy management.

This workshop provides a collaborative learning environment in which the attendees will be guided through lectures and discussions to learn how to implement an effective policy management process within their organizations. [/tab] [tab title=”Who Should Attend” tabid=”Who_Should_Attend”]

  • Policy Managers & Administrators
  • Corporate Managers
  • Ethics
  • Human Resources
  • Legal
  • IT/Information Security
  • Corporate Social Responsibility
  • Supply/Value Chain
  • Health & Safety
  • Business Operations
  • And other roles responsible for writing, managing, and communicating policies[/tab] [tab title=”What Attendees Learn” tabid=”What_Attendees_Learn”]
  • Disarray of Policy Management
  • Defining a process lifecycle for managing policies 
  • Determining when to write a policy
  • Keeping policies current in the midst of business, risk, and regulatory change
  • Policy governance models
  • Establishing policy ownership and accountability 
  • Roles & responsibilities in policy management
  • Developing a MetaPolicy – the policy on writing policies
  • Providing consistency in policies through consistent style and language 
  • Communicating policies across extended business relationships 
  • Effective policy communication, attestation, and training 
  • Delivering an interactive and engaging policy portal to employees and partners
  • Monitoring metrics to establish effectiveness and/or issues with policies 
  • Maintaining policies and keeping them relevant
  • Enabling policies through a proper GRC information and technology architecture
  • Relating policy management to risk, issue/case, and other GRC areas[/tab] [/tabs] 

GRC Architecture Workshop

GRC WorkshopsPublished onUpdated onLeave a Comment on GRC Architecture Workshop

GRC 20/20 Workshops provide interactive training to groups of people on a range of GRC topics. These workshops provide a collaborative learning environment in which the attendees will be guided through lectures, problems, activities, and discussion.

GRC 20/20 can be engaged to deliver workshops internally to organizations as well as sponsored by GRC solution providers for their clients and prospects. GRC 20/20 regularly teaches the following workshops throughout the world in 1/2-day, full-day, and multi-day formats . . .

[tabs id=”GRC_Architecture_Workshop” heading=”GRC Architecture Workshop”] [tab title=”Description” tabid=”Description”]

“GRC is a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.” OCEG GRC Capability Model 2.1

GRC is what is achieved in the business and its operations. This means that GRC needs to be understood in the context of business architecture. To achieve good GRC processes in your environment requires an understanding of what the business is about, how it operates, and how it should be monitored and controlled through information and technology.

GRC is about taking an enterprise/business architecture approach to understanding the business and how it operates. This includes:

  • Strategy architecture. Understanding what the business is about and where it is going. This requires that we understand GRC in the context of business performance, strategy, objectives as well as its culture and values.
  • Process architecture. Flowing from strategy are the processes that define the business and how it operates. Good GRC is done in the rhythm of the business.
  • Information architecture. To support business operations and processes you need a good definition of GRC related information and how information flows across the business.
  • Technology architecture. You need to make sure that GRC technologies integrate with your business operations, systems, and processes.

 [/tab] [tab title=”Who Should Attend” tabid=”Who_Should_Attend”]

  • GRC Architects
  • Enterprise Architects
  • IT Professionals
  • And others responsible for GRC Strategy, Process, Information, and Technology

[/tab] [tab title=”What Attendees Learn” tabid=”What_Attendees_Learn”]

  • Business is the context of GRC
  • The cadence of GRC in the rhythm of business
  • Relationship and integration of GRC to Enterprise Architecture
  • Understand a top-down as well as a bottom-up approach to defining a GRC process
  • Implement GRC in the context of business, process, and operations
  • Explore different GRC architecture models and how they apply to your organization
  • Discover the various technology categories for GRC and how they apply to your business
  • Take a risk-focused approach to developing a GRC information architecture
  • Align GRC with business performance, strategy, and objectives
  • Effectively communicate GRC with the business
  • Developing a GRC strategic plan
  • GRC Processes & the GRC Capability Model
  • GRC Information Architecture
  • How GRC Information Relates to Each Other
  • GRC Information in the Context of Business Strategy and Process
  • GRC Technology Architecture
  • Areas of GRC Technology
  • How GRC Technology Integrates Into the Business
  • GRC Technology Architecture Models[/tab] [/tabs] 

Effective Regulatory Change Management Workshop

GRC WorkshopsPublished onUpdated onLeave a Comment on Effective Regulatory Change Management Workshop

GRC 20/20 Workshops provide interactive training to groups of people on a range of GRC topics. These workshops provide a collaborative learning environment in which the attendees will be guided through lectures, problems, activities, and discussion.

GRC 20/20 can be engaged to deliver workshops internally to organizations as well as sponsored by GRC solution providers for their clients and prospects. GRC 20/20 regularly teaches the following workshops throughout the world in 1/2-day, full-day, and multi-day formats . . .

[tabs id=”Effective_Regulatory_Change_Workshop” heading=”Effective Regulatory Change Management Workshop”] [tab title=”Description” tabid=”Description”]

In the time it takes you to consider this workshop your business has changed. Business drifts in a sea of change. One particular area of change that bears down on the organization is the siege of changing laws, regulations, and enforcement actions.

When regulatory change management is an ad hoc process with little to no documentation, accountability, and task management, there is no possibility to be intelligent about regulatory risk that impacts your business. The typical organization does not have adequate processes in place to monitor regulatory change, determine impact on business processes, prioritize, and make changes to policies. Information itself is not enough organizations are overwhelmed by data through legal and regulatory newsletters, Websites, e-mails, and content aggregators.

The organization needs a defined regulatory change management process to assimilate the intake of relevant information, track accountability on who needs to perform what actions, model the potential impact on the organization, establish priorities, and determine if the organizations policies, procedures, and controls need to be adjusted to address the change.

This workshop enables the attendee to build a regulatory intelligence strategy and process that monitors regulatory change, measures impact on the business, while implementing appropriate policy, training, and control updates.

 [/tab] [tab title=”Who Should Attend” tabid=”Who_Should_Attend”]

  • Compliance Officers/Managers
  • Internal Policy Managers/Administrators
  • Human Resources
  • Legal
  • IT/Information Security
  • Business Operations
  • Health and Safety

[/tab] [tab title=”What Attendees Learn” tabid=”What_Attendees_Learn”]

  • Disarray of regulatory change
  • Understand regulatory change management lifecycle
  • Roles & responsibilities in regulatory change management
  • Develop a regulatory taxonomy/framework indexed to your organizations enterprise risk taxonomy
  • Understand roles and responsibilities in the regulatory change management process
  • Conduct a business impact analysis to understand regulatory change impact on your business
  • Map regulations to policies so that you know what policies to review when regulations change
  • Revise communication and training programs to keep them current with regulatory change
  • Monitor and audit action plans to ensure that changes to regulations are driven into the controls of the business
  • Information & technology architecture for regulatory change management

[/tab] [/tabs] 

Why Companies Have a Disconnect Between Theory and Practice in Their GRC Practices

GRC Platforms & Architecture Solutions, GRC Pundit TVPublished onLeave a Comment on Why Companies Have a Disconnect Between Theory and Practice in Their GRC Practices

Mature Governance, Risk Management & Compliance Needs an Enterprise Architecture Approach

The GRC Pundit BlogPublished onLeave a Comment on Mature Governance, Risk Management & Compliance Needs an Enterprise Architecture Approach

Governance, Risk Management, & Compliance (GRC) is not new to business. The acronym itself is over a decade old, but organizations have always had some approach to governance, risk management, and compliance. An acronym did not give us GRC it just put a label on it. Every organization has GRC.

The question every organization should be asking: how mature is your organization’s approach to GRC?

GRC is not something you buy, it is something you do.  No GRC vendor can sell you a commodity that will solve all of your GRC related problems. GRC is part of business and extends across and into its operations. To that point we need to rethink our understanding of GRC.

Over the years, GRC has grown in conception and understanding. The best thing to happen to GRC was the development of the OCEG GRC Capability Model, and with that the OCEG definition of GRC:

GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].

Mature GRC requires an understanding of the business – its strategy, organizational structure, processes, risks, obligations, commitments, and objectives.  The goal of GRC is to enable the organization to govern the organization and manage risk and compliance in the context of business.

Achieving GRC maturity requires a GRC architecture that leverages an understanding of enterprise architecture. GRC architecture is a  . . .

Continued on the MEGA Corporate Governance Blog (The GRC Pundit is a guest blogger) . . .

[button link=”http://community.mega.com/t5/Blog/Mature-Governance-Risk-Management-amp-Compliance-needs-an/ba-p/9315″ color=”default”]READ MORE[/button]

2014 GRC Value Award Nominations are Being Accepted

The GRC Pundit BlogPublished onLeave a Comment on 2014 GRC Value Award Nominations are Being Accepted

The 2014 GRC Value awards are to recognize GRC solutions that have returned significant and measurable value to an organization.

Whether technology, content, or professional service providers – all can submit an award about a solution or service.  However, the nomination must be on a specific implementation/project in a verifiable client.  No generalizations or consolidations of multiple clients.  The GRC Value awards are to acknowledge specific QUANTIFIABLE value in a specific instance.  Every nominee if selected for final recognition (both solution provider and client) must be willing to spend up to an hour on the phone (separately and not together) to discuss the submission and validate accuracy of submission.  Only the top nominations in each category will go through the validation process. 

All award submissions are based on a single real-world implementation.   Factual accuracy and integrity is necessary.  GRC 20/20 will take all the nominations and select in each category the submissions that articulate the greatest quantifiable value in objective, measurable terms.  We are looking for hard facts not just soft bullet points.  Time saved, dollars saved, FTEs reduced.  Numbers win, generalizations lose.  Every submission must have contact information of the organization that claims to have received this value.  These organizations will be contacted and interviewed to determine if they have actually received the stated value as portrayed.  Any misrepresentation of issues found will disqualify the nomination from receiving the award and the next set of nominations in each category will be evaluated.   

Each recipient of an award will be written up and acknowledged.  Details of the nomination will be referred to but can be handled anonymously (if formally requested) in award announcements/communications from GRC 20/20.

Nominations must be received by June 30, 2014.  Recipients will be notified in August 2014 at least two weeks before formal announcements/publications are made in early September 2014.

Download the nomination form:

{rsfiles path=”2014 GRC Value Nomination Form.docx”}

 

Inevitable Failure: Disconnected Risk & Policy Management

The GRC Pundit BlogPublished onLeave a Comment on Inevitable Failure: Disconnected Risk & Policy Management

Business is complex.  Gone are the years of simplicity in business operations.  Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management and compliance (GRC) professionals throughout the business.

The modern organization is:

  • Distributed.  The smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner and client relationships. Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations.  An interconnected mesh of relationships and interactions that span traditional business boundaries now defines the organization.  Complexity grows as these interconnected relationships, processes and systems nest themselves in intricacy, such as deep supply chains.
  • Dynamic.  Organizations are in a constant state of flux.  Distributed business operations and relationships are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology and processes while keeping current with changes to risk and regulatory environments around the world. Multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit and operational risks across the globe.  Regulatory change has more than doubled in some industries in the past five years and has grown for all industries.  Managing risk, regulatory and business change on numerous fronts has buried many organizations.
  • Disrupted.  The explosion of data in organizations has brought on the era of “Big Data” and with that we now have “Big GRC Data.”  Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes and relationships to see the big picture of performance, risk and compliance. The velocity, variety, and volume of data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Many organizations are hindered when aspects of GRC are managed in disconnected silos that do not share information and collaborate.  Mature GRC programs are those that have an information architecture that can show the relationship between objectives, risks, obligations, policies, controls and events.  The problem is that organizations lack a solid information architecture to map information and therefore struggle to build knowledge out of remote data points. 

A backbone of GRC is risk management.  Organization objectives, performance and strategy are the primary alignment of GRC, but in the bowels of GRC processes it is risk management that provides the critical linchpin that connects GRC processes and activities together.  To effectively manage risk requires that the organization have a thorough context of risk relationships to other aspects of GRC such as policies, controls and events. However, the dynamic and global nature of business is challenging for risk management. As organizations expand operations and business relationships their risk profile grows exponentially. Organizations need systems and information to monitor risk to business internally (e.g., strategy, processes and internal controls) and externally (e.g., legal, regulatory, competitive, economic, political and geographic environments) to stay competitive. What may seem an insignificant risk in one area can have profound impact on others. This requires that the organization be thoroughly risk intelligent — the ability to think holistically about risk and uncertainty, speak a common risk language and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities and creating lasting value. 

Isolated Risk and Policy Initiatives Introduce Greater Risk

Managing risk in today’s dynamic and distributed business environment is not an easy task. Risk management does not happen in a vacuum — it requires context and follow through. The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined and communicated.  

The official definition of GRC is:

The reliable achievement of objectives is governance, understanding and addressing uncertainty is risk management, and acting with integrity is compliance.  All three of these provide a natural flow.  Governance provides strategy and objectives that deliver the context for risk management.  Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries (policies & controls) and expectations so the organization can reliably achieve those objectives.  Compliance then ensures that the organization stays within the boundaries (policies & controls) set by risk management as it aims to reliably achieve objectives. 

The Bottom Line: Risk management activities managed separately from corporate policies leads to inevitable failure. Without an integrated approach to risk management and policy management the organization has no follow-through. Risk management is useless if it cannot be tied to boundaries for acceptable and unacceptable risk that are defined and communicated in policies throughout the organization. 

A nonintegrated approach to risk and policy management impacts business by not being efficient, effective or agile, resulting in:

  • Inefficient alignment. Organizations take a Band-Aid approach and manage risk disconnected from policies instead of thinking of their relationship and dependence upon each other.  Every policy in the environment is a risk document — there would not be a policy if there was not a risk. When policy management is disconnected from risk management the organization ends up with policies that are not clearly aligned and are managed out of context of the risk they address. 
  • Poor visibility across the enterprise. Separate risk management and policy initiatives result in an organization that does not see the big picture – it fails to measure policy in the course of business conduct and how it impacts risk exposure and management. The organization ends up with islands of policies that are not understood in the framework of risk.
  • Overwhelming complexity. Non-integrated risk management and policy management processes increases complexity. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently by introducing more points of failure, gaps and unacceptable risk. Inconsistent risk management and policy processes not only confuse the organization but also regulators, stakeholders and business partners. 
  • Lack of business agility. The organization is constantly changing and  therefore its risk profile is changing.  The inability to have a view into the relationship of risk to current policy handicaps the business. The organization is incapable of agility in a demanding, dynamic and distributed business environment. People are bewildered by a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic. 
  • Greater exposure to non-compliance and vulnerability. When policy is not written and enforced in the context of risk management, the focus is on what is immediately needed to get the
    job done.  This leads to processes and individuals, who step out of line, take more risk than the organization wants, or violates policy. Most often organization’s policies are out of date to the current risk profile, non-existent or unenforced in accordance to risk.

What may seem like an insignificant risk from one perspective may very well have a different appearance when other perspectives are factored in. Organizations with siloed risk management and policy processes face inefficiency, out-of-sync controls and out of date or insufficient policies that are inadequate to manage risk. Organizations fail and are encumbered by complexity because they manage policy within specific issues, without regard for a common integrated risk and policy framework. 

More on this topic can be found in the following items from GRC 20/20 . . .

 

The GRC Pundit Discusses ERP Maestro's 2014 Innovation Award

GRC Pundit TVPublished onLeave a Comment on The GRC Pundit Discusses ERP Maestro's 2014 Innovation Award

GRC 20/20 Discusses the reasons behind ERP Maestro’s 2014 Innovation Award from ERP Maestro® on Vimeo.