The GRC Pundit

In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility, and then explored GRC resilience and explored GRC resilience again . . . and we now continue with the third trend of five, integrity . . .

The third global trend in the GRC market for solutions and services is INTEGRITY.

INTEGRITY: 1. the quality of being honest and having strong moral principles; moral uprightness. 2. the state of being whole and undivided.

Organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2023 and how this extends and is enforced across the organization. The integrity of the organization is a front-and-center concern. Organizations see the need to define and live their corporate values in the business, its transactions, with clients, and in third-party relationships. This includes focusing on human rights, privacy, environmental standards, health and safety, corruption, conflicts of interest, compliance, managing risk, conduct with others (e.g., customers, partners), privacy, security, and more. What the organizations communicates in policies, statements, reports, and controls needs to be a reality in the organization and not just smoke and mirrors.

Integrity is played out in ESG – Environmental, Social, Governance . . .

• Environment. Climate change, natural resource utilization, pollution and waste, biodiversity, certification, carbon footprint/emissions.
• Social. Child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity, inclusion, working conditions, health and safety, product liability.
• Governance. Corporate governance, fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership, and structure.

Organizations need a cohesive strategy from the board down into operations to address the organization’s integrity in the context of ESG. This moves from strategy down into ESG processes and how this is automated and managed in a GRC (which enables ESG) information and technology architecture.

ESG does not start with RISK!

ESG does not start with risk but with objectives. I cringe when solution providers show me their solutions focused on ESG risk management. That is putting the cart before the horse. To be an organization of integrity requires a focus on principles and objectives. Only in that context can we identify and manage risks to those objectives. An organization may have an objective to be carbon neutral; then, we map the risks of not being carbon neutral. An organization has inclusivity and diversity objectives, no tolerance of child labor objectives, and more. Risks are then mapped to ESG objectives. YOU CAN BET THAT I WILL NEVER RECOMMEND A SOLUTION IN THE MARKET that starts with ESG risk over ESG objectives.

ESG requires focus on the EXTENDED ENTERPRISE!

Brick-and-mortar walls and traditional employees no longer define the modern organization. The modern organization is the extended enterprise: suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, partners, and more. ESG, and in this context, integrity, plays out and is measured across these relationships. Martin Luther King Jr stated, “Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” This statement is true in our individual relationships, and it is true in an organization’s relationships in the extended enterprise. The saying “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization in the context of ESG. The integrity and ability of the organization to act with integrity in the context of ESG require addressing this across the extended enterprise.

There is so much happening in the regulatory aspects of this. Consider the breadth of ESG impact from just the following (much more can be added) . . .

Broad ESG Regulation

• EU CSRD – 50,000 firms have to respond to this.
• EU CSDDD – requires ongoing continuous due diligence on ESG

Third-Party Due Diligence

• EU CSDDD
• Germany’s LkSG (Supply Chain Due Diligence Act)
• Dutch Due Diligence Act

Modern Slavery (but ties into Third-Party due diligence)

• UK Modern Slavery Act
• Norwegian Transparency Act
• Swiss Human Rights Due Diligence Law
• California Transparency in Supply Chain Act
• Conflict Minerals
• Uyghur Forced Labor Prevention – China Supply Chain Risk

Anti-Bribery & Corruption (under the G)

• US FCPA
• UK Bribery Act
• Sapin II

Environmental

• SEC Climate Change
• PFAS

IT Security (under the G)

• SEC Cybersecurity

Internal Controls & Governance (under the G)

• US SOX
• UK SOX & Corporate Governance

And, of course, Tax Transparency, Beneficial Ownership, Inclusivity/Diversity, Consumer Duty, PFAS, and much more . . . 

The writing is on the wall; organizations must fundamentally change how they approach ESG internally and across the extended enterprise. Organizations should start defining an integrated strategy for ESG to address these forthcoming requirements and stakeholder demands in a unified and consistent approach.

GRC 20/20 will be doing a deep-dive on ESG and these regulations for solution and service providers in the upcoming 2023: How to Market & Sell ESG Solutions & Services.

The following is an article published in the latest issue of Enterprise Risk Magazine (Summer 2023) starting on page 16. This article was authored by Michael Rasmussen, Analyst & Pundit at GRC 20/20 Research, and William Gonyer of Group697.

The latest banking crisis in North America has put potential failures regulation, governance and risk management back in the spotlight crisis is back.

Springtime often becomes a metaphor for change, new growth and transformation. While change and transformation tend to be the by-product of dissatisfaction with behaviours and patterns that are no longer tenable to the present situation, sometimes this change is also involuntary in its nature – an uncomfortably forced evolution that imposes progress on us. Springtime this year has pushed forward a mass sobering for the banking industry. After riding a wave of ultra-low interest rates and high market liquidity, a domino effect of events has brought on the failure of several major regional American banks, marking the greatest shake-up of the global financial system since the financial crisis of 2007-08.

As the age-old adage goes, “there is nothing new under the sun.” The driving factors that led to the collapse of Lehman Brothers, Bear Stearns, Wachovia and Washington Mutual are almost identical to the key drivers of the bank failures within Silicon Valley Bank (SVB) and Signature Bank this year – a gross failure of governance and risk management, the exception being First Republic.

Situational awareness

The interconnectedness of organisational objectives, risks, resilience and integrity requires 360° situational awareness of governance, risk and resiliency. Organisations must see the intricate relationships and impacts of objectives, risks, processes and controls. It requires holistic visibility and intelligence regarding risk and resiliency.

Organisations such as banks and other financial institutions take risks all the time. Still, the failure to monitor and manage these risks effectively in an environment that demands agility can lead to a tinder box of potential catastrophe. Too often, risk management is seen as a compliance exercise and not truly integrated with the organisation’s strategy, decision-making and objectives. It results in the inevitable failure of governance, risk and compliance (GRC) and risk management, providing case
studies for future generations on how poor GRC management leads to the demise of organisations.

The collapse of SVB is one of the most blatant cases of this. For example, SVB failed to institute some of the most basic risk management practices by industry standards. Starting from the end of 2019, SVB deposits grew from $61 billion to $189 billion by quarter 4 of Interest rates at the time were so low that these deposits were treated as free money at ~25 basis point cost average. SVB then used these inflows to increase loans 100 per cent to $66 billion and push far beyond average industry risk parameters with its held-to-maturity (HTM) securities portfolio, ramping what was mostly agency mortgage holdings from $13.5 billion at quarter 4 of 2019 to $99 billion at quarter 4 of 2021.

SVB’s big problems were with its HTM portfolio. The bank increased its security portfolio by 700 per cent, buying in at a generational top in the bond market and buying $88 billion of mostly 10 plus year mortgages with an average yield of just 1.63 per cent. In the absence of adequate interest rate risk management, this resulted in massive unrealised losses when the Federal Reserve began hiking its benchmark interest rates.

Deregulation

SVB’s HTM securities had mark-to-market losses as of quarter 3, 2022 of $15.9 billion, compared to just $11.5 billion of tangible common equity. Due to lobbying for deregulation by SVB, as well as other midsized banks such as Signature Bank (of which Barney Frank of Dodd-Frank was a board member), regulators did not require SVB to mark its HTM securities to market. However, internally they should have been doing this anyway, as well as running risk models against changing rates.

The deregulation that enabled their increased risk tolerance came as a result of Congress passing the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), also known as the Dodd-Frank Reform Act. The act was signed into law in May 2018, and it raised the asset threshold for systemically important financial institutions (SIFIs) from $50 billion to $250 billion, effectively reducing the regulatory burden on many midsized banks such as SVB and First Republic.

On top of this, due to the Federal Reserve Bank’s interest rate hikes, SVB saw accelerating deposit outflows (-6.5 per cent YTD in January), a mix shift away from non-interest accounts and skyrocketing interest costs (money markets now yield 4 per cent), as well as increased burn rates from the bank’s venture clients resulting in customer deposit drawdowns. As SVB’s funding costs continued to reset higher, SVB was faced with a massively high negative carry cost on its HTM portfolio, largely a fixed-yield securities portfolio.

But SVB’s greatest failures extend to the top – its leadership. The Federal Reserve’s review described SVB as “textbook case of mismanagement” and further described a failure of oversight and accountability of senior leadership by the bank’s board of directors. Only one member of SVB’s board had previous banking experience. The practices and procedures used by SVBs risk management team raises serious questions on their competencies based on evident gaps in their risk management frameworks. SVB’s risk management team “failed to establish a risk-management and control infrastructure suitable for the size and complexity of SVBFG when it was a $50 billion firm, let alone when it grew to be a $200 billion firm”, said the review. SVB had 31 identified unaddressed “safe and soundness supervisory warnings” more than triple the average number of peer banks. Furthermore, the bank was also left without a chief risk officer for 7 months in 2022, a departure that may demand an explanation. The discoveries made by the Federal Reserve and Treasury Department regarding the bank’s risk management practices only beg more questions outside of the obvious conclusions: SVB failed to institute an adequate asset liability committee, erroneously focused on short-term profits, and neglected long-term associated risks.

Bad timing

The relaxing of Dodd-Frank also came at exactly the worst time. It happened almost a year before the beginning of the Federal Reserve’s tightening cycle and at the natural end of an era of economic expansion that was later disrupted by emergency monetary intervention measures during the global COVID-19 pandemic. Midsized banks could now take on greater risks, and they did so during a time of irregular economic factors of expanded emergency liquidity.

First Republic’s portfolio arguably could have withstood the fluctuations. However, First Republic lost more than half of its deposit base amid SVB’s collapse, pulling the bank into a critical territory and ultimately leading to its collapse and takeover by JP Morgan and the Federal Deposit Insurance Corporation (FDIC). This marked the second-largest bank collapse in US history after Washington Mutual in 2008.

First Republic’s traditional savings and loan business model was arguably sound. It catered to wealthier clients in the tech
sector, targeting the employees at companies like Apple, Alphabet and Meta. First Republic even had a branch inside of Facebook’s headquarters. But First Republic’s failure was purely panic induced. Even with paper losses on lowinterest loans and its interest rate risk mismatch, the bank could have survived if it didn’t have to rapidly fund withdrawals by depositors seeking higher returns on deposits elsewhere, as well as outflows triggered by panic amid the failure of SVB. As a result, the bank was forced to rely on government lending facilities at rates that exceeded its income in an attempt to ride out the storm. First Republic’s problems are almost reminiscent of Bailey’s Building and Loan in Frank Capra’s 1946 film It’s a Wonderful Life, only in this not so wonderful life the townspeople did not temper their panic and rally around their community bank.

Re-regulation

The recent failure of these regional banks will likely trigger a new wave of regulations and guidelines as well as a reversal of the changes made to regulatory frameworks for midsized banks in 2018. Regulators need to consider that with the increased scale of the financial system, midsized banks that may be only regionally important can still pose a significant systemic risk as supervisory authorities do not have the resources to monitor their activities and should not underestimate the propensity for mismanagement. Asset thresholds for enhanced prudential standards for SIFIs should be reversed from $250 billion to $50 billion. Regulators and organisations with large deposits also need to consider the concept of dual fiduciary duty.

In the case of SVB, a bank of choice for many venture capital firms and venture-backed companies, the burden of large deposit risk cannot fall solely on the bank. Venture capital firms, while exempt from many of the regulations and compliance burdens of hedge funds and other asset managers, were arguably negligent in managing their cash risk for their limited partners and thus somewhat complicit in the risk concentration of SVB. The leading practice of asset managers is to hedge cash risk through treasuries. A venture capital firm’s responsibility to its investors must extend to its cash risk within its portfolio companies.

Too often, regulators and bank managers alike continue to make policies solely in the vacuum of a crisis. Policy developed in the vacuum of a crisis is inherently inadequate, as it usually only accounts for remedying the causation and symptoms of the present crisis. Supervisory authorities need to consider expanded guidelines for bank governance and leadership, and the policies set by leadership for financial institutions should meet qualification standards. All bank board members should be certified by supervisory authorities such as the Office of the Comptroller of the Currency (OCC), FDIC and Financial Industry Regulatory Authority (FINRA) for a minimum qualification standard.

Cost of failure

While The US Department of the Treasury and Federal Reserve have taken responsibility for inadequate supervisory measures of these troubled midsized banks, financial institutions now need to realise more than ever that increased legal risk tolerance does not equate to acceptable risk tolerance. Banks must institute more sophisticated internal risk frameworks that factor in significantly higher stress tests for implied volatility.

Major money centre banks are forced to adhere to a wide range of scenarios for long-term resilience, but midsized and even small banks need to develop their own internal frameworks beyond the demands of compliance that mirror the top of the industry at scale, even if it comes at the cost of profits because the cost of a bank failure is far greater than neglecting profits made unsustainably. Banks that are currently undergoing pressure should consider seeking to consolidate with peer banks before they are forced into consolidation, liquidation or shotgun acquisitions. Well-structured asset-liability committees and audit committees
should become a universal practice for banks of all sizes.

The conclusions of the Federal Reserve’s review of SVB implicitly stated that two of the three critical weaknesses of the bank were governance and risk management. The further conclusion of the review was that while SVB was compliant, compliance alone was inadequate because the regulation and the supervisory frameworks were inadequate in preventing the bank’s failure. The second and third largest bank collapses in US history have set the stage for a new wave of regulation to reinforce neglected gaps in global financial services from the United States, European Union, United Kingdom, the Commonwealth and beyond.

In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility, and then explored GRC resilience . . . and we continue with resilience before we move on to the third trend of five, integrity . . .

I know, I know . . . I already posted on resilience. But I have more to say.

But first, some backstory. A good research analyst engages and talks to those in the trenches doing governance, risk management, and compliance. An analyst that is on an Ivory Tower and makes people/organizations scurry up the tower to seek wisdom is not part of the real world. Good research, including market research, is rolling up the sleeves and getting involved. In my travels, I make sure to book meetings with organizations to see what they are doing. What keeps them up at night in the context of GRC. How do they solve those nightmares and challenges with strategy, process, and technology. I love getting involved in RFPs and being involved. I love keeping solution providers honest in RFPs.

Last week I had one, actually several, of those amazing interactions while in London. One really stood out on the topic of risk and resilience management that really stood out with a global hospitality firm.

First, resilience is critical to them. Reading my blogs on the topic and engaging their business, they have shifted their department focus to a focus on resilience. Risk, Resilience & Assurance that is.

A key element of the resilience trend I previously wrote on that they commented on is that their line of business embraces it. Risk is often passed around like a hot potato. Who wants to own and be accountable for risk? But resilience is something the board, executives, and the line of business understand and desire. Who does not desire a resilient business? They have found that the business is more apt to be engaged and own resilience over risk management.

Even with resilience as a core message of engagement, it is about maturing risk management in the business itself and enhancing risk culture throughout the organization. They desire risk management to be a business enabler of strategic value to the organization. Even ESG they are approaching through the concept of strategic resilience. Their risk and resilience management strategy is not to mitigate risk but to facilitate management ownership, accountability, and management of risk.

Some of their concerns in this risk and resilience topic:

• Too big of a risk team. Risk and resilience should be business facilitators of risk management. If they have too big of a risk team, they end up owning the risk, at least in perception.
• Are they touching the important parts of the business. Risk and resilience need to be engaged with the business, and the business evolves. It is important to be continuously evaluating business engagement in the midst of change.
• Doing the same thing. If they are doing the same thing every month or quarter they are in a routine of assessments. Risk is dynamic and changes. They need to be constantly evolving.
• LEAVING A LEGACY. I love this one. They want to leave a legacy of risk management excellence for the next generation to build upon.
• Agility and the horizon. Keeping abreast of what is developing on the horizon that can impact them. Forecasting and doing scenarios on the complexity and intersection of risk on inflation, interest, economy, geo-political, operational, regulatory, and more.
• Servant leadership. Ensuring they engage the business with a servant leadership attitude on risk management.

One of the things that have been developing that they are keenly interested in is the U.K. Government’s requirement for entities to publish resilience statements. Related to UK SOX, the UK BEIS (Department for Business, Energy and Industrial Strategy) requires resilience statements to improve how organizations identify, manage and report on their resilience risks that are most material to their business. This applies to Public Interest Entities (PIEs) with 750 or more employees and £750 million or more in annual turnover. This requires companies to engage in short and medium-term resilience risk assessment and management, as well as reverse stress testing and reporting for resilience.

GRC 20/20’s Michael Rasmussen will be speaking on the topic of this blog in the webinar: Got ESG? Show Me Your Policies!

ESG – environmental, social, governance – is pressuring organizations from various angles. 

Corporate investors are making investment decisions based on ESG practices. Executives and board members are fired if they do not meet ESG metrics. Various regulations, some specific and some broad, require ESG compliance, reporting, and engagement. Employees and business partners decide who they work with based on shared values.

In this context, many organizations are starting ESG strategies and processes. The common question is: where do we start?

The answer is simple: you start with your existing policies . . .

In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility. We now turn to the second trend of five, resilience . . .

Dynamic, Disrupted & Distributed Business is Difficult to Control

The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates the organization implements a strategic approach to business and operational resilience.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping changes to business strategy, operations, and processes in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. The interconnectedness of objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resilience. Organizations must see the intricate relationships and impacts of objectives, risks, processes, and controls. It requires holistic visibility and intelligence into risk and resilience. 

There is a lot of focus right now on resilience right now. Resilience is the capacity to recover quickly from difficulties/events; the ability of a business to spring back into shape from an event. This is very critical and I see a lot of organizations moving to bring together operational risk management and business continuity management into what is now defined as an operational risk and resilience program. Business continuity management as a separate function in the organization is a thing of the past. Over the next two to three years we will see a mass migration to an integrated operational risk and resilience program.

The Resilience Challenge to Boards, Executives, and Management

Keeping resilience, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout the organization. This challenge is even greater when resilience management is buried in the depths of departments and approached from a compliance or continuity angle and not as an integrated discipline of decision-making that has a symbiotic relationship on performance and strategy. This further is compounded when business continuity programs are completely disconnected and not part of risk management.

Resilience in the modern organization is challenging because the organization is:

• Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global relationships. The traditional brick and mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions which define the organization.  Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
• Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with fluctuating strategies, technologies, and processes while keeping pace with change to risk. The multiplicity of risk environments that organizations must monitor span regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts buries the organization when managed in silos.
• Disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk data across multiple systems, processes, and relationships to see the big picture of performance, risk, and resilience. The velocity, variety, veracity, and volume of risk data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
• Accountable. There is a growing awareness among executives and directors that risk management needs to be taken seriously. It is part of their fiduciary obligations to oversee risk management as an integrated part of business strategy and execution. 

The ecosystem of business objectives, uncertainty/risk, and integrity is complex, interconnected, and requires a holistic contextual awareness of the organization – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impacts the entire ecosystem.

This interconnectedness of business drives demand for 360° contextual awareness in the organization’s resilience processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations must see the intricate intersection of objectives, risks, and boundaries across the business. 

Firms globally and across industries are focusing on integrating their resilience (historically business continuity/disaster recovery) programs into enterpriser and operational risk management, and broader GRC. This is becoming a key regulatory requirement in some industries. Delivering this requires a holistic view into the objectives and processes of the organization in the context of uncertainty and risk and the symbiotic interaction of risk management and business continuity. 

Business or Operational Resilience?

Business resilience is broader than operational resilience but also includes operational resilience. Consider the following . . . 

• Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
• Operational resilience is a component of business resilience focused on business processes, services, people, systems, and relationships.

Operational resilience is not business continuity 2.0. It is much more than that. Operational resilience is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party risk management.

Providing 360° Integrated Awareness of Risk and Resilience

Organizations need complete 360° situational awareness and visibility into their processes, operations, objectives, and risks. What complicates this is the exponential effect of risk on the organization. Business operates in a world of chaos, and even a small event can cascade, develop, and influence what ends up being a significant issue. Dissociated siloed approaches to risk and resilience management that do not span processes and systems can leave the organization with fragments of truth that fail to see the big picture across the enterprise, as well as how it impacts their strategy and objectives. The organization needs visibility into objective and risk relationships across processes. Complexity of business and intricacy, as well as the interconnectedness of risk data, requires that the organization implement an enterprise view of risk and resilience monitoring, automation, and enforcement. 

Successful resilience requires the organization to provide an integrated strategy, process, information, and technology architecture. The goal is a comprehensive, straightforward insight into resilience to identify, analyze, manage, and monitor risk in the context of operations, processes, and services. It requires the ability to continuously monitor changing contexts and capture changes in the organization’s risk profile from internal and external events as they occur that can impact objectives. As a result, organizations are measuring their current state and planning toward a future state of increased resilience maturity in the organization.

ESG – Environmental, Social & Governance – pressure is mounting from multiple fronts for organizations to implement ESG reporting in their organizations. ESG has the momentum and force to become a significant measurement of the organization’s integrity. 

One thing to note, ESG is more than the E (environmental). Too often organizations lead with the E and perceive that ESG is just about environmental values and climate change. It is so much more than this. The S (social) and the G (governance) need to be addressed as well in ESG . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ANSARADA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. We now dive deep into the first of those trends, agility . . .

Gone are the years of simplicity in business operations. The interconnectedness of objectives, risks, resilience, and integrity require 360° contextual awareness of risk and resiliency. Organizations must see the intricate relationships and impacts of objectives, risks, processes, and controls. It requires holistic visibility and intelligence into risk and resiliency.

Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility. Too often, risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives. It results in the inevitable failure of GRC and risk management, providing case studies for future generations on how poor GRC management leads to the demise of organizations – even those with strong brands.

Organizations need complete 360° situational awareness and visibility into their processes, operations, objectives, and risks. What complicates this is the exponential effect of risk on the organization. The business operates in a world of chaos, and even a small event can cascade, develop, and influence what ends up being a significant issue.

Dissociated siloed approaches to GRC management that do not span processes and systems can leave the organization with fragments of truth that fail to see the big picture across the enterprise, as well as how it impacts its strategy and objectives.

The organization needs agility into GRC and, with that, visibility into objective and risk relationships across processes. The complexity of business and intricacy, as well as the interconnectedness of risk data, requires that the organization implement an enterprise view of GRC to see what is coming at the organization and prepare the organization.

Agility is a thing of beauty. I love watching acts of agility. Take parkour for example, how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing. A few years back I was doing a lot of Spartan races. Myself, that was not agility but the more of an awkward ox doing obstacles, but others it was amazing what they could do in the environment given to them.

When I think of agility, my mind immediately goes to Legolas, the elf in Lord of the Rings. Though I prefer the books, the films were amazing, and the agility of Legolas in the midst of battle was amazing. How he can move about the threats and enemies around him and seize opportunities for victory. Gimli, the dwarf in Lord of the Rings, is the embodiment of resiliency. He is built like a tank and simply can withstand the beating and hits as he pummels forward to victory. We will talk about the resilience trend in the next blog. Resilience is the capacity to recover quickly from difficulties/events; the ability of a business to spring back into shape from an event.

However, there is more that needs to happen. Organizations also need to be agile. Agility is the ability of an organization to move quickly and easily, the ability to think and understand quickly. Good risk management is going to clearly understand the objectives of the organization, its performance goals, and strategy, and continuously monitor the environment for 360° situational awareness to be agile. To see both opportunities as well as threats so the organization can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organization and its objectives.

We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage in advancing the organization and its goals. Organizations need to be agile and resilient. GRC needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organization so it can seize on opportunities as well as avoid exposures and threats. 

So today’s modern organization needs GRC that enables enterprise agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between agility with operational risk and resiliency that organizations need to develop in today’s dynamic, distributed, and disrupted business.

Spreadsheets are the most prevalent GRC tool used by organizations. Their use, particularly in reporting, leads to the inevitability of failure. 

Consider one organization that was spending 200 hours building a report for the board on risk events that have happened. All the information was trapped in spreadsheets that they had to aggregate, tabulate, and build this report from. Every year 200 hours (it now takes them a minute). The last year they did it this way, they found out they had risk issues that started eleven months back. That is not managing risk; that is reacting to it well after the fact. 

Another example is a . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ANSARADA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Below is Michael Rasmussen’s article in The IRM Global Risk Trends 2023 report , published by the Institute of Risk Management (The IRM).

The complexity of business combined with the intricacy and interconnectedness of risk and objectives necessitates that the organization implements a strategic approach to business and operational risk and resiliencein 2023.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations,globalization, distributed operations, competitive velocity, technology, and business data encumber organizations ofall sizes.

Keeping changes to business strategy, operations, and processes in sync is a significant challenge forboards and executives, as well as management professionals throughout all levels of the business in 2023 andbeyond.

The interconnectedness of objectives, risks, resilience, and integrity require 360° contextual awareness of risk and resiliency. Organizations need to see the intricate relationships and impacts of objectives, risks,processes, and controls. It requires holistic visibility and intelligence into risk and resiliency.

The ecosystem of business objectives, uncertainty/risk, and integrity is complex, interconnected, and requires a holistic contextual awareness of the organization – rather than adissociated collection of risk management processes anddepartments.

Change in one area has cascading effects that impacts theentire ecosystem.

This interconnectedness of business is driving demand for360° contextual awareness in the organization’s risk management processes in 2023 to reliably achieve objectives, address uncertainty, and act with integrity.

Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business.

Organizations in 2023 are Focusing on the Following Five Areas in Their GRC Management Strategies:

1. Agility. The last few years global uncertainties, geo-political tensions with a war in Ukraine, and the impact on business operations and supply chains. Organizations are now turning their attention to being agile in risk in 2023. To see what is coming at the organization in the next six months, years, or two years and go through scenarios and prepare the organization for uncertainty to take the best path forward. Risk agility is lookingahead and preparing the organization.
2. Resilience. This is where many organizations have been focused, but still working on improving. Agility allows us tonavigate our environment and see what is coming at us. Resilience is the ability to recover from a risk event and minimize the impact on the organisation. Risk agility and risk resilience are very symbiotic and play off each other, both have become essential to risk management programs in 2023.
3. Integrity. With a global focus on ESG risk management programs will shift from laying the groundwork for ESG inorganization structures and reporting to operationalizing ESG within the organisation. At the end of the day, ESG is about the integrity of the business. What the organization communicates are its values, ethics, and commitments . . . is this being done? Risk management plays a critical role in navigating uncertainty to ensurethe integrity of the organization in the era of ESG in 2023.
4. Accountability. There is a growing focus on board and executive-level accountability in 2022 that will extend and grow in 2023.Accountability regimes have expanded around the world – UK, Ireland, Australia, Hong Kong, Singapore, and nowSouth Africa. There is a growing focus in the USA with the Department of Justice and SEC on greater accountability for risk and compliance. There are US state-level accountability focus on New York and California.Most recently, Uber’s former CISO was held personally accountable for a security breach.
5. Engagement. Risk is not taken and managed in the back-office of risk management. Risk happens throughout the business at alllevels of the organization. This requires that organizations in 2023 focus on risk culture, risk awareness, and proper risk management skills from the front-line up through operational management to executives and the board. Good risk management engages all levels of the organization. It is time for organizations to take another read through the IRM Risk Culture: Resources for Practitioners as they enter 2023.

What is clear, organizations need complete 360° situational awareness and visibility into risks in 2023. Business operates in a world of chaos, and even a small event can cascade, develop, and influence what ends up being a significant issue. Dissociated siloed approaches to risk management that do not span processes and systems can leave the organization with fragments of truth that fail to see the big picture across the enterprise, as well as how it impacts their strategy and objectives.

The organization needs visibility into risk. Complexity of business and intricacy, as well as the interconnectedness of risk data, requires that the organization implement an enterprise view of risk monitoring, automation, andenforcement.

Successful risk management in 2023 requires the organization to provide an integrated strategy, process,information, and technology architecture. The goal is comprehensive straight forward insight into risk andresilience management to identify, analyze, manage, and monitor risk in context of operations, processes, and services.

It requires the ability to continuously monitor changing contexts and capture changes in the organization’s risk profile from internal and external events as they occur that can impact objectives.

---

Michael Rasmussen is a Global Ambassador of Risk Management and Honorary Life Member of the IRM and an internationally recognized pundit on governance, risk management and compliance

The Organization: an Interconnected Web of Relationships

No man is an island, entire of itself; Every man is a piece of the continent, a part of the main.

English Poet John Donne’s Devotions Upon Emergent Conditions (1624) found in the section Meditation XVII.

Substitute ‘man’ with ‘organization’ and seventeenth-century English poet John Donne could be describing the post-modern twenty-first century organization: no organization is an island unto itself, every organization is a piece of the broader whole.

The structure and reality of business today has changed. Traditional brick-and-mortar business is a thing of the past; physical buildings and conventional employees no longer define the organization. Instead, the modern organization is an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries and nest themselves in layers of relationship complexity. Even the smallest organization can have dozens of relationships that they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers.

With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships is critical. Without effective governance of the extended enterprise, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives. 

In a dynamic risk environment, resiliency requires agility and the ability to navigate uncertainty in business relationships. Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence across risk domains with insights to both assess the current and future risk landscape and drive sagacious action. 

The Inevitability of Failure: Fragmented Views of Third-Party Risk

Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices with limited to know risk intelligence. Recent technological advances in automation, natural language processing, machine learning, and data science enable organizations to be more effective and do more with fewer resources. Unfortunately, too many organizations have failed to seize the opportunity to evolve beyond expensive and inefficient legacy solutions.    

Failure in third-party risk management comes about when organizations rely on outdated risk practices with limited to no risk intelligence, including: 

• Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and an agile information and intelligence architecture. The risk posed by a third party for one business function may seem immaterial but is significant when factored into multiple risk exposures across all the business functions monitoring other risks of the same third-party. Without a single pane of risk intelligence visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated introducing more risk.
• Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. While risk functions are operating with limited budgets and human teams, they need to do more with less. Truly effective continuous risk intelligence monitoring of today’s dynamic and ever-expanding risk landscape is beyond human capabilities alone and requires Cognitive GRC technologies that leverage artificial intelligence such as natural language processing, machine learning, predictive analytics, and robotic process automation. 
• Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data and lack of integrated risk intelligence content. In addition, when things go wrong, these manual processes neither support agility nor a robust feedback loop to improve processes going forward.
• Limited view of risk vectors. Organizations often rely solely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location and Nth party risk exposure. To fully understand the complete risk picture, an organization needs to have full-spectrum risk coverage of risk intelligence content.
• Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, thus making it difficult to maintain, aggregate and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs. 
• Overreliance on Periodic Assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship with only periodic re-assessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.  
• Silos of risk intelligence services overwhelm risk teams. Risk intelligence has the potential to overwhelm organizations. Information feeds from various sources such as legal, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators can drown the risk team as they struggle to monitor a growing array of regulations, legislation, corporate ratings, geopolitical risk, and enforcement actions. Risk intelligence that requires weeding through an exorbitant volume of notifications that includes noise and false positives to identify relevant risks only compounds the problem. One needs an intelligent system that can deliver accurate and actionable insights and remove the noise.

When the organization approaches third party risk management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization and ESG. Without a coordinated third-party risk intelligence strategy, the organization and its various departments never see the big picture. 

The bottom line: The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure and blind spots. It is time for organizations to step back and move from legacy practices, defined by manual processes, periodic assessments, and silos of risk intelligence content to a third-party risk intelligence solution that includes integrated full-spectrum real-time feeds of situational awareness of the organization’s extended enterprise. 

---

GRC 20/20 has the following upcoming Third-Party Risk Management by Design Workshops in the next few months that dives deep into this topic of a holistic view of third-party risk . . .

Chicago: March 30 @ 12:00 pm – 6:00 pm CDT 

• Third-Party Risk Management by Design Workshop, Chicago

New York: April 25 @ 12:00 pm – 6:00 pm EDT 

• Third-Party Risk Management by Design Workshop, New York

San Francisco: May 2 @ 12:00 pm – 6:00 pm PDT 

• Third-Party Risk Management by Design Workshop, San Francisco

Houston: May 4 @ 12:00 pm – 6:00 pm CDT 

• Third-Party Risk Management by Design Workshop, Houston