The GRC Pundit

Too often GRC – governance, risk management, compliance – is approached backwards. Using the acronym, one would think it is CRG, or even Cr (lower case intentional). Too many organizations start with compliance, and even risk management is done in a compliance context, and governance, performance, and objectives are not even in view.

The official definition of GRC, found in the GRC Capability Model, is that GRC “Is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” (www.OCEG.org) It starts with governance and setting objectives (entity, division, department, process, project, asset objectives). From governance flows the context to begin and do risk management (remember, ISO 31000 defines risk as the effect of uncertainty on objectives). The compliance is the follow through to ensure we stay within ethical, regulatory, ESG, and even risk boundaries (compliance verifies that controls we put in place to mitigate risk are operational and effective). 

I am in a three-week GRC tour of Europe right now and there are a lot of interesting RFPs over here. More often in Europe you see requirements for a focus on business and business process, and even for business process modeling (BPM) capabilities within GRC. Europe, in general but not always, sees GRC as more integrated into the business the way it should be. Too often GRC, particularly in North America, is a compliance band-aid and not a true integrated way of managing the business.

GRC should be about performance. In fact, at OCEG, we defined GRC in this context. GRC delivers what is called Principled Performance. GRC, through strategy, process, information, and technology, should deliver better performing organizations that do so in an ethical way aligned with the organization’s values. 

One of my favorite interactions on risk management in my career was with Brad Jewett when he was the ERM Director at Microsoft. He had this whole approach he called ‘The Rhythm of Risk.’ It was specifically about managing risk in the context of Microsoft’s objectives, business, and processes. It was business focused GRC aimed at Principled Performance.

To deliver on this requires full awareness and integration of GRC into the business and management. The most critical thing is to be able to manage your business in a GRC context. This requires that our approach to GRC allow for deep modeling, definition, and monitoring of business objectives and business processes. To manage risk and compliance in context of performance, objectives, and processes. That is how GRC is done.

When approaching GRC (or ERM, ORM, IRM), what do you really want from the following:

1. Do you want a solution that manages your business; and in that context manages risk, compliance, and controls?
2. Or do you want a solution that manages compliance, and perhaps risk, but is disconnected from the business and is an afterthought, a band-aid?

In my market research and coverage of solutions in the market, there are over 100 solutions that can address the second option, but very few that can actually deliver on the first. Organizations need business management platforms that have GRC capabilities built and baked in.

We are in the era of GRC 5.0 – Cognitive GRC, and all the elements of GRC 4.0 – Agile GRC are still wrapped up and part of GRC 5.0. I am often asked what is next? What is GRC 6.0? Getting out my analyst crystal ball it is GRC 6.0 – Business Integrated GRC where GRC is an integrated part of a business management platform. The idea of a siloed GRC platform goes away to manage GRC as an integrated platform of the business, its objectives, its performance, and then risk, compliance, control, and assurance in this context. It will take a few years for us to transition to GRC 6.0, perhaps as much as five, but it is on the horizon.

There will still always be a place for best of breed GRC solutions focused on specific risks, compliance, and content. What I am saying is that the broad enterprise/integrated GRC platform (or ERM, ORM, IRM) is delivered as a part of a business management platform.

Do you have questions on GRC Solutions available in the breadth of the market and which few deliver on the vision of Business Integrated GRC? Ask GRC 20/20, in our coverage of the market as an analyst firm, what solutions are available and what differentiates them for your specific needs:

Compliance and ethics do not happen in the back office but at all levels of the organization. From the top down to the front-line employees. Compliance and ethics done right are a part of everyone’s job. 

Too often we shovel compliance into the bowels of the organization, thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back-office of legal, human resources, IT, and other departments. 

This misperception is a critical issue that organizations must address. The most significant exposures to risk and compliance issues are not in the bowels of the organization, they are at the front lines. They are at all levels of management and business operations, and cross-partner, vendor, and supplier relationships throughout the extended enterprise. 

This requires that all the organization’s compliance policies be clearly communicated and understood by the front lines of the organization. The scenarios of risk and compliance exposure across business operations and frontline employees are unlimited. Some involve malicious employees, others could be inadvertent mistakes, while some scenarios involve an activity that employees should catch and report. 

The organization must effectively engage employees and educate them about compliance and policies in the context of their role in the organization. The challenge is that organizations need to find a way to get everyone involved and adhere to policies to build integrity across the whole organization and the extended enterprise.

Inevitable Failure of Policy & Training Management

Policy and training matter. Compliance communications, attestations, and disclosures matter. However, when you look at the typical organization you would think policies and compliance processes are irrelevant and a nuisance. 

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, disclosure, and training. An ad hoc approach to compliance, policy and training management exposes the organization to significant liability. 

This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. 

To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what disclosures were made, what exceptions were granted, and how policy violation and resolution was monitored and managed. 

The user experience for policy management has been typically poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality, and a lack of centrally coordinated efforts for policy and compliance communications. 

Organizations have ended up with multiple sources of policy, training, surveys, assessments, disclosures, attestations, and issue reporting. Interaction with these systems has consumed human and financial capital. Communication is often inconsistently logged in documents and spreadsheets if they are logged at all. 

There is no coordination of policy communication and training and no way to prioritize messages and employee tasks. The result is emails and documents that fly about, slip through cracks, are never responded to, or are simply forgotten. 

A typical organization may have over two dozen policy portals that are file shares, SharePoint sites, and other intranet sites that struggle with rogue, out-of-date, and inconsistent policies that open the floodgates of liability as they are mismanaged instead of protecting the organization as they should. 

One organization found that eighty per cent of their compliance staff time was spent managing and chasing documents and emails for compliance and not actually managing compliance. Another organization spent two hundred hours building an annual report on compliance because all the data was trapped in thousands of documents and emails that had to be aggregated, tabulated, and then reported on. 

If compliance, policies, and training programs don’t conform to a structured process, defined audit trail and system of record, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support, organizations are not positioned to drive desired behaviours in corporate culture or enforce accountability in compliance, ethics, and the new era of corporate integrity with ESG: environmental, social, governance.

With today’s complex business operations, global expansion, and the ever-changing legal/regulatory and compliance environments, well-defined compliance, policy, and training management program is vital to enable an organization to effectively develop and maintain compliance and adherence to values to govern and ensure with integrity. 

Keeping up with regulatory content can be a challenge. The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction. This is enabled with GRC 5.0 – Cognitive GRC technologies that leverage artificial intelligence to provide greater levels of automation.

Many organizations either hire a lot of compliance/legal experts to comb through mountains of regulatory data, or they subscribe to regulatory content subscriptions that do this. This is changing with the role of artificial intelligence applied to a GRC context (Cognitive GRC). Natural language processing, predictive analytics, and robotic process automation make regulatory change management more efficient, effective, and agile for the organization. he U.K.’s FCA Rulebook stacks to six feet tall; this would take a human a year or more to read. A machine can read it, sort it, categorize it, and link it in under a minute. Not only is a machine faster at reading regulations, but it is also more accurate. One Chief Ethics and Compliance Officer (CECO) told GRC 20/20 that they found natural language processing 30% more accurate in reading, sorting, categorizing, and linking/mapping regulations/requirements than humans. A machine stays focused; there is no mind to wander and get distracted.

Cognitive GRC technologies enable a GRC architecture for regulatory change management. Leading solutions in this area are being used to gather regulatory information, weed out irrelevant information, and route critical information to SMEs responsible for making a decision on a particular topic. This, at a minimum, requires workflow and task management capabilities, but in mature systems it provides artificial intelligence to enable this. The old way of hiring an army of subject matter experts as aggregators to manage regulatory profiles, and provide data about relevant new developments is being replaced or at least supplemented by cognitive technologies. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process supported by artificial intelligence technologies that read and analyze changes and their impact on the organizations processes, policies, and controls.

Specific capabilities to be evaluated in solutions for regulatory change management include:

• Regulatory intelligence content. Cognitive solutions provide integration and automation with artificial intelligence platforms built for regulatory change to conduct horizon scanning to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
• Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to take review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. The built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations
• Content management. The solution should be able to catalog and version regulations, policies, risks, controls, and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods and obsolescence rules that can be set for regulations.
• Business impact analysis. The system needs to provide functionality to identify the impact of changes of regulations on the business environment and its operations, and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed, or deactivated, the solution assesses the impact of the change and sets up the appropriate responsive actions.
• Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications. Mapping is another area where artificial intelligence/cognitive technologies are providing greater efficiency and effectiveness value for regulatory change management.
• Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
• Audit trail and accountability. It is absolutely necessary that the regulatory change management solution have a full audit trail to see who was assigned a task, what they did, what was noted, and notes were updated, and be able to track what was changed. This enables the organization to provide full accountability and insight into whom, how, and when regulations were reviewed, measure the impact on the organization, and record what actions were recommended or taken.
• Reporting capabilities. The solution is to provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are, and more. Additionally, by linking regulatory requirements to the various other aspects of the platform – including risks, policies, controls, and more – the reporting should provide an aggregate view of a regulatory requirement across multiple organizational units and business processes.
• Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.

Ask GRC 20/20, in our coverage of the market as an analyst, what solutions are available for regulatory change management and what differentiates them for your specific needs:

Organizations need to be agile, not just resilient. Agility is the ability to see what is coming at the organization and allow the organization to adjust and navigate to use the environment to its advantage to seize opportunities while avoid or mitigate hazards and harms. Resiliency is the ability to spring back and recover from an event and minimize loss and exposure. Both are needed in today’s dynamic business environment, but their needs to be focus on agility and not just resiliency. 

Take the analogy of running. If I am running down the street and trip over a pothole or curb, resilience is how quickly can I recover and get up and start running again. Agility is to see what is coming at me on the horizon and see the obstacle, like a curb or pothole, and leap over it, go around it, or if I am doing some type of parkour use it to my advantage to spring into a flip to amaze all those around me. 

We are migrating from the era of GRC 4.0 – Agile GRC to the new era of GRC 5.0 – Cognitive GRC. Agile GRC is still there and is the foundation for Cognitive GRC. Agile GRC is a complete re-architecture of GRC to be flexible, adaptable, configurable, and intuitive while increasing efficiency, effectiveness, and agility. Agile GRC technologies have a lower cost of ownership in implementation and ongoing maintenance cost and do not break on upgrades. They replace older legacy GRC software that struggled with these issues. 

Cognitive GRC, GRC 5.0, builds on Agile GRC by leveraging cognitive technologies such as machine/deep learning, predictive analytics, natural language processing, neural networks, blockchain, and robotic process automation to make GRC processes even more efficient, effective, and agile in today’s dynamic, disrupted, distributed business environment. 

It is with Cognitive GRC we can contextualize current operations and data to see risks, controls, gaps, issues and such that operational impact us now or in the near future to increase our resiliency. It is with Cognitive GRC that the organization can conduct horizon scanning of risks, opportunities, and regulations that are starting to trend one, two, or three years out to prepare scenarios for scenario analysis so the organization can achieve greater agility to navigate the environment and prepare the organization.

I am excited to see new capabilities being added on to Agile GRC solutions to achieve and deliver on the vision I have had for Cognitive GRC for several years. These solutions make organizations more agile and resilient int regulatory change, risk trending/monitoring, control and process automation, assurance, and much more. 

As you look to upgrade or implement GRC related solutions (whether focused on a specific area or a broad enterprise platform) it is critical that you include requirements for Cognitive GRC to keep the edge on the organization in an environment that is fraught with risk and disruption. 

In the words of the physicist Fritjof Capra,

“The more we study the major problems of our time, the more we come to realise that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

It is with Cognitive GRC that we can start seeing and reacting to these systemic risks in real-time as they develop on the horizon or impact us operationally in the here and now. 

I have been advising organizations on strategy, process, and technology related to ESG for over fifteen years. Of course, it has not been called ESG for that long. It was CSR (corporate social responsibility), social accountability, sustainability . . . now it is ESG. ESG has a lot more focus and momentum than its previous iterations. It has teeth from corporate investors, regulators, stakeholders and even employees and clients. 

Today, I am at the Interact 2022 conference in Nashville. I did one session on ESG and following that another session on policy management. The interesting thing is the one, ESG, is built on the other, policy management. 

ESG is built on the policies of the organization. From the code of conduct down into the range of policies that govern the environment, health and safety, inclusivity, diversity, privacy, labor standards (e.g., child labor, forced labor, working conditions), anti-bribery and corruption, transparency, security, and many more. These all establish the framework for what ESG is in the organization. 

The starting point of building an ESG program is doing an inventory of all policies related to the many aspects of E-environment, S-social, and G-governance. The organization has policies in these areas today. There may be gaps, but ESG starts with understanding what policies are in place today that are part of ESG and then identifying changes needed to these policies and write new, or revise existing, policies for any gaps the organization has. 

It is through policies and policy enforcement/adherence that the organization’s integrity to ESG is measured against. Only through the foundation of established written codes of behavior and boundaries of conduct is an ESG program then assessed, measured, monitored, and reported upon. 

Simply put: you cannot have an ESG program without policies. Therefore, well-written policies and good policy management practices are an essential foundation to an ESG program in an organization.

However, it is not just well-written policies that are important, they must also be communicated and engaged to employees and third-parties (e.g., vendors, suppliers) to be effective in the organization. Policies are only as good as the awareness and enforcement of them in the environment. It is through policy engagement that true ESG cultural transformation is done. 

The challenge is that organizations will often find that their policies are a mess and policy management even more of a mess. That different departments have different portals, templates, file shares, and more. Many organizations do not even know what policies they have. 

If you are going to start an ESG strategy and program in your organization, I suggest you start with doing a good inventory of your current policies, map them to your ESG risks and framework, clean them up, provide consistent management and monitoring of policies leveraging technology designed for policy management, and deliver a single portal of all the organizations policies to your employees, again through technology designed for policy engagement. You cannot do ESG without addressing your policies and the management of them. 

The mature risk and resilience program can be measured against critical elements across governance and oversight, people and engagement, process and execution, and information and technology.

Risk & Resilience Governance & Oversight

• The governance model is agreed upon at the board level and effectively communicated and supported across the organization 
• Policies and procedures for risk and resilience management are fully documented and consistently applied across the organization 
• The risk and resilience management framework is well defined 
• Measurement and trending are now available in an enterprise view 
• Risk appetite and tolerance are well defined and understood in the context of objectives, processes, and services of the organization

People & Engagement

• Clear roles and responsibilities across the organization 
• Skills and resources are being applied to programs 
• A dedicated team is in place and recognized as a center of excellence 
• Skilled subject matter experts engaged in reviews 
• Training and development are embedded 
• Resources are focused on strategic value-added components of the program rather than tactical components 
• You may be outsourcing some industry standardized activities to shared services communities

Process & Execution

• Well-defined and executed processes across the organization
• There is a single version of the truth for all risk and resilience information that is well-integrated with other business systems
• Risk assessment and monitoring processes are standardized and automated
• Segmentation and risk tiering is in place
• Clear view of inherent and residual risk at both the process and enterprise levels
• Applying a risk-based approach that incorporates critical risks and the long-tail impact
• Multiple risk categories being assessed for each department, process, and services
• Issue management is in place, and full tracking and remediation is taking place in a single system
• Ongoing monitoring is established, with changes in risk profiles automatically triggering the appropriate actions
• Clear view and controls for the extended enterprise
• Managing risk through business change
• Performance management fully embedded in the program
• Program improvement decisions are facilitated by robust data

Information & Technology

• Leveraging best-in-class risk and resilience management software 
• Risk portal for assessments, document collection, issue management and collaboration to engage front-line and operational management and risk owners
• Leveraging risk intelligence content to support automated business processes, and to support enhanced decision making

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

Getting to the Head of the Risk & Resiliency Class

Organizations with risk and resilience processes siloed within departments operate at the Ad Hoc, Fragmented, or Defined stage. At these stages, risk and resilience management programs manage risk and continuity at the departmental level, and lack an integrated view, with no gain in efficiencies from shared processes. 

In the Integrated and Agile maturity levels, organizations have centralized risk and resilience oversight to create consistent programs around the world with common risk and resilience processes supported by an integrated risk and resilience information and technology architecture. These organizations report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on performance, risk, and continuity, and greater effectiveness through the ability to report and analyze risk and resilience data. The primary difference between the Integrated and Agile stage is the integration of risk and resilience in the context of performance, objectives, and strategy aligned across the organization. Differences may be seen in top-down support from executive management, and when various risk and resilience functions align with a strategy to collaborate and share information and processes. 

Considerations for Moving From Ad Hoc and Fragmented to Defined

Departments at the Ad Hoc and Fragmented stage have siloed approaches to risk and resiliency management at the department level. This means no integration or sharing of the program and related risk and resilience information, processes, or technology. An organization that sees itself at the Ad Hoc stage should skip the Fragmented stage, and plan to move to the Defined stage. 

To move from Ad Hoc or Fragmented to Defined requires the department to reduce manual data integration and improve overall visibility into risk and resilience at the department level. Organizations should consider defining risk and resilience process and information architecture at the department level and implement technology to manage multiple risk and resilience initiatives cohesively.

Considerations for Moving from Defined to Integrated

Departments at the Defined maturity stage are in a good place to lead the organization in a risk and resilience strategy to the Integrated stage. They have a strategic approach to risk and resilience management at the department level, supported by mature risk and resilience processes that can be extended to other departments. 

To move from the Defined to the Integrated stage requires a common process, information, and technology approach that spans multiple departments. Organizations can leverage risk and resilience insight to improve planning and strategic decisions. A common governance model for risk and resilience management is used across lines of business, functions, and processes. The organization needs a common risk and resilience methodology and taxonomy. Organizations at this level report process efficiencies – reducing human and financial capital requirements, greater agility to understand and report on risk and resilience, and greater ability to report and analyze risk and resilience data.

Considerations for Moving from Integrated to Agile

The difference between the Integrated and Agile stages is primarily one of context. At the Integrated stage, the organization provides a consistent approach to managing risk and resiliency in the context of hazards and continuity. This is supported by an established risk and resilience process, information, and technology architecture. While risk and resilience are understood in the context of the business, it is still focused more on risk and continuity than performance and strategy. At the Agile stage, the organization has performance, strategy, and objectives set the context to achieve a greater ability to avoid issues and not just respond to events.

Achieving the Agile stage requires risk and resilience expectations set as part of the annual strategic planning processes. The organization has measured and monitored risks and resiliency metrics in the context of business strategy, performance, and objectives. There is shared data and technology about risk and resilience, as well as decision support, optimization, and business intelligence. The organization has integrated risk and finance data to drive performance while mitigating risks and ensuring integrity across the organization’s operations, services, and extended enterprise of third-party relationships.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

Mature risk and resilience management is a seamless part of risk governance and operations. It requires a top-down view of risk and resilience, led by the executives and the board, where risk and resilience management are part of the fabric of business operations and processes – not an unattached layer of oversight. It also means bottom-up participation, where business functions identify and monitor risk and resilience that expose the organization. GRC 20/20 has developed the Risk and Resiliency Management Maturity Model to articulate maturity in the risk and resilience management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

1: Ad Hoc 

Organizations at the Ad Hoc stage of maturity have reactive approaches to risk and resilience management at the department level. Businesses at this stage do not understand risk and exposure; few if any resources are allocated to risk and resilience. The organization addresses risk and resilience in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of risk and resilience, and certainly no integration of risk and resilience information and processes in context of objectives, strategy, performance, and business change. 

2: Fragmented

The Fragmented stage sees departments with some focus on risk management and business continuity within respective areas, but they are disconnected and not working together. Information and processes are highly redundant and lack integration. With siloed approaches to risk management and resilience (e.g., business continuity, disaster recovery), the organization is still very document centric. Processes are manual and they lack standardization, making it hard to measure effectiveness.

3: Defined

The Defined stage suggests that the organization has some areas of risk and resilience that are managed well at a department level, but it lacks integration to address risk and resilience across departments. Organizations in the Defined stage will have defined processes for risk and resilience in some departments or business functions, but there is no consistency. Risk and resilience processes have the beginning of an integrated information architecture supported by technology and ongoing reporting. Accountability and oversight for certain domains such as business continuity, disaster recovery, and/or enterprise and operational risk management are beginning to emerge. 

4: Integrated

In the Integrated stage, the organization has a cross department strategy for managing risk and resilience across departments and functions. Risk and resilience are aligned across several departments to provide consistent strategy, frameworks, and processes supported by a common risk and resilience information and technology architecture. The organization addresses risk and resilience through shared processes and information that achieve greater efficiency and effectiveness. However, not all processes and information are completely integrated, and risk and resilience if focused on avoiding issues and not on agility.

5: Agile

At the Agile Maturity stage, the organization has completely moved to an integrated approach to risk and resilience management across the business that includes an understanding of risk and compliance in context of performance and objectives. Consistent core risk and resilience processes span the entire organization and its geographies. The organization benefits from consistent, relevant, and harmonized processes for risk and resilience management with minimal overhead. 

Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. Good risk and resilience management is going to clearly understand the objectives of the organization, its performance goals, and strategy, and continuously monitor the environment for 360° situational awareness to be agile. To see both opportunities as well as threats so the organization can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organization and its objectives.

But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be agile and resilient. Risk and resilience management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organization so it can seize on opportunity as well as avoid exposures and threats. 

The Agile Maturity is where most organizations will find the greatest balance in collaborative risk and resilience management and oversight. It allows for some department/business function autonomy where needed, but focuses on a common governance model and architecture that the various groups in risk and resilience governance participate in. The Agile stage increases the ability to connect, understand, analyze, and monitor risk relationship and underlying patterns of impact on performance, objectives, and strategy – as it allows different business functions to be focused on their areas while reporting into a common risk and resilience governance framework and architecture. Different functions participate in risk and resilience management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

Firewalls protect us. In buildings, it is a wall intended to shield and confine a fire to an area to protect the rest of the building. In a vehicle, it is a metal shield protecting passengers from heat and potential fire in the engine. In network security, it is the logical ingress and egress points securing a network.

Within organizations, there is another firewall that is the most essential, but the most overlooked. That is the ‘Human Firewall.’ I have been an analyst for twenty-two years. Back twenty years ago I remember PentaSafe, later purchased by NetIQ, marketing and using the term Human Firewall to promote policy management in an IT security context. We need to bring the concept of the Human Firewall back and broaden it out too much more than IT security.

The weakest area of any governance, risk management, and compliance (GRC) strategy is humans. Humans make mistakes, they do dumb things, they can be negligent, and they can also be malicious. In the technical world we can lock things down and the world operates in binary. In the world of human interaction it is not binary but shades of grey. Nurturing corporate culture and behavior is absolutely critical. The Human Firewall is the greatest protection of the organization. At the end of the day, people make decisions, initiate transactions, and they have access to data and processes.

A decade ago, I was involved with The Institute of Risk Management in London in developing Risk Culture: Resources for Practitioners. In this guidance, there is the A-B-C model. The ‘A’ttitudes of individuals shapes the ‘B’ehavior of these individual and the organization overall which in turn forms the ‘C’ulture of the organization. And that culture, in turn, has a symbiotic effect further influencing attitudes and behavior. Culture is one of the organization’s greatest assets. It can spiral out of control and become corrupt quickly but can take years, or even decades, to nurture and build in the right direction. The ‘Human Firewall’ is the greatest bastion/guardian of the integrity of the organization and its culture. In today’s focus of ESG – environmental, social, governance – it is in the Human Firewall this becomes a reality in the behavior and culture of the organization.

Every organization needs a Human Firewall. So what is a Human Firewall? What is it composed of? The following are essential elements:

• Policy Management. Policies govern the organization, address risk and uncertainty, and provide the boundaries of conduct for the organization to act with integrity. The organization needs well-written policies that are easy to understand and apply to the context that they govern. They should be in a consistent writing style, maintained and monitored. It is absolutely essential that policies be well-designed, well-written, consistent, maintained, and monitored as they provide the foundation for the Human Firewall.
• Policy Engagement. Well-written and maintained policies are not enough, they also need to be communicated and engaged with the workforce. It does the organization no good, and can actually be a legal liability, to have policies that establish conduct that is not communicated and engaged to the workforce. All policies should be in a common corporate policy portal so they can be easily accessed and should have a regular communication and engagement plan.
• Training. The next part of the Human Firewall is training. Individuals need training on policies and procedures on what proper and improper conduct are in the organization’s processes, transactions, and interactions. Training applies policies to real-world context and aids understanding which strengthens the Human Firewall.
• Issue Reporting. Things will go wrong. Bad decisions will be made, inadvertent mistakes will happen, and the malicious insider will do something wrong. Part of the Human Firewall is providing mechanisms such as hotlines, whistle-blower systems, management reports, and other mechanisms of issue reporting for the employees in the front-office and back-office can report where things are breaking down or going wrong before they become big issues for the organization.
• Extended Enterprise. The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is an extended web of relationships: suppliers, vendors, outsourcers, service providers, consultants, temporary workers, contractors, and more. You walk down the halls of an organization and half the people you walk by, the insiders, are no longer employees. They are third-parties. The Human Firewall also has to extend across these individuals that are a core part of the organization’s processes. Policies, training, and issue reporting should encompass the web of third-party relationships that shape and form today’s organization.

Where are you at in building, maintaining, and nurturing your organization’s Human Firewall?

One resource to help is GRC 20/20’s work in partnership with OCEG on www.PolicyManagementPro.com to promote good policy management practices and certification within organizations.

Other resources to help include GRC 20/20’s research and publications on:

• Policy & Training Management
• Issue Reporting & Case Management
• Third-Party Risk/GRC Management (Extended Enterprise)

I have been on the road regularly for the past six weeks with a heavy travel schedule through mid-July that brings me across the USA and Europe. Lots of interactions with people face-to-face and the conversations center on:

• How do we engage the front-line/office of the organization on GRC?
• How do we make GRC intuitive? How do we make it simple?
• What technologies are revolutionizing GRC to provide value in a way that gets the job done but is less of a burden?

This is what GRC 4.0 (Agile GRC) and GRC 5.0 (Cognitive GRC) are all about. And it is not just for “Enterprise GRC/IRM” Platforms. But down in the best of breed GRC solutions for third-party risk, policy management, regulatory change, IT risk management, resiliency, and more. 

Let me remind each of you on this list . . . 

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.

This quote has been attributed both to Einstein and E.F. Schumacher.

A primary directive of Agile & Cognitive GRC is to provide GRC processes and information that is innovative, contextually intelligent, assessable, and engaging. GRC done right minimizes its impact on the business while still maintaining insight and control of risk across the business. GRC should be intuitive to the business and GRC technology should provide the right information in a way that works for the business.

GRC technology should not get in the way of business. Why do some enterprise GRC projects take two years for just the initial implementation to be built out?  The primary issue is overhead in extensive services and technology customization to integrate and develop massive GRC implementations that end up slowing the business down and delaying value (if the value is ever achieved). GRC needs to be Agile and Cognitive to be valuable to the business. GRC technology has to deliver harmonious relationships or GRC information that supports the business. GRC is to enable enterprise agility by creating dynamic interactions of GRC information, analytics, reporting, and monitoring in the context of business.

Like Apple with its innovative technologies, organizations must approach GRC in a way that re-architects the way it works as well as the way it interacts. The Agile & Cognitive GRC goal is simple; it is itself Simplicity. 

Simplicity is often equated with minimalism. Yet true simplicity is more than just the absence of clutter or removal of embellishment. It’s about offering up the right contextually relevant GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC processes and data. GRC interactions should be intuitive.

Agile & Cognitive GRC is about delivering innovative, intuitive, and GRC engagement and intelligence to the business in the context of business. It delivers 360° contextual GRC intelligence through the use of artificial intelligence, cognitive computing, machine learning, and natural language processing. It provides engaging and user-friendly experiences that minimize process overhead while enabling the organization to reliably achieve objectives, while addressing uncertainty, and act with integrity.

I discuss this in detail in the Research Briefing: 2022 State of the GRC Market.

I would love to hear your thoughts on Agile & Cognitive GRC technology and intelligence . . .