In the dynamic world of business, the Chief Risk Officer (CRO) is not merely a guardian against threats but a conductor orchestrating the organization’s movements in harmony with strategy, goals, performance objectives, and how these get melded into operations, decisions, and transactions. ISO 31000 defines risk as “the effect of uncertainty on objectives,” emphasizing the need to manage risk not merely defensively but proactively, embracing opportunities that contribute to business strategy and objectives.
The CRO is a conductor of the orchestra of risk to ensure that the organization has no surprises in achieving its objectives. In this exploration, we delve into the intricacies of how the CRO integrates risk management seamlessly into the business’s cycles, strategy, performance, and objectives, providing executives with the insights they need for informed decision-making.
In this context, consider . . .
[The rest of this blog can be read on the Inclus blog, where GRC 20/20’s Michael Rasmussen is a guest author]
Embracing Risk Agility and Resilience in Modern Business
The landscape of business operations has undergone a seismic shift. The days of simplicity are behind us, replaced by a complex web of risks, regulations, globalization, and rapid technological advancements. For organizations, big and small, aligning business strategy, operations, and processes with these evolving dynamics poses a formidable challenge. The crux of success is achieving a 360° contextual awareness of risk and resilience to the organization’s objectives. It’s no longer sufficient to merely acknowledge the existence of risks; organizations must now understand and navigate the intricate relationships between their objectives, risks, processes, and controls with a holistic lens.
Too often, risk management is relegated to a checkbox exercise, disconnected from an organization’s core strategy and decision-making processes. This misalignment often spells the downfall of even the most established brands, serving as cautionary tales for future business leaders. The key challenge lies in synchronizing risk management with the ever-evolving complexity and change inherent in modern business. Too often, risk management is buried in departmental silos, approached from merely a compliance or audit perspective rather than as an integral part of strategic decision-making. This disjointed approach fails to capture the bigger picture, leaving organizations vulnerable to unforeseen risks.
In today’s fast-paced business environment, change in one area can trigger a domino effect, impacting the entire organizational ecosystem. This interconnectedness demands a comprehensive approach to risk and resilience management. Organizations need to understand how their decisions and actions in one domain affect risks and objectives in another. This level of understanding is crucial for navigating the uncertain waters of modern business operations and maintaining integrity across all fronts.
Technology plays a pivotal role in achieving this holistic understanding. Advanced technological solutions can automate and enable risk and resilience management, offering organizations much-needed visibility and intelligence. By integrating risk management with business continuity programs, firms can foster a symbiotic interaction between these disciplines, ensuring a more resilient operational framework.
Consider the agility of a parkour athlete or the nimbleness of a character like Legolas from “Lord of the Rings.” These examples embody the essence of agility – the ability to navigate and adapt swiftly to the environment. Similarly, organizations need to cultivate this agility in their risk management practices. This agility isn’t just about avoiding threats; it’s equally about seizing opportunities and advancing organizational goals. Good risk management involves a clear understanding of the organization’s objectives, performance goals, and strategy and the ability to continuously monitor the environment for 360° situational awareness.
Organizations must be agile and resilient in today’s dynamic, distributed, and disrupted business environment. Governance, Risk, and Compliance (GRC) must be integrated with performance, objective, and strategy management to foster this duality. Operational risk and resiliency support enterprise agility, creating a symbiotic relationship essential for navigating today’s complex business terrain. The modern organization’s survival and success hinge on its ability to embrace risk agility and resilience. By integrating GRC into their core strategies and leveraging technology for holistic risk and resilience management, organizations can safeguard themselves against potential threats and position themselves to capitalize on emerging opportunities. The future of business demands a proactive, agile approach to risk management, encompassing the entire organizational ecosystem and turning challenges into catalysts for growth and innovation.
Check out these upcoming events and resources on Risk & Resilience Management by Design . . .
The structure and reality of business today have changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees, including suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacy, such as deep supply chains and sub-contracting relationships. Business today relies and thrives on third-party relationships; this is the extended enterprise.
In this context, organizations struggle to govern their third-party relationships and often manage risk and compliance in relationships in silos that fail to see the big picture of risk exposure and impact on the relationship’s objectives. Risk and compliance challenges do not stop at organizational boundaries. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships or allowing good business relationships to sour because of weak governance. Third-party problems are the organization’s problems and directly impact the brand and reputation, increasing exposure to risk and compliance matters. When questions of delivery, business practice, ethics, privacy, safety, quality, human rights, resiliency, corruption, security, and the environment arise, the organization is held accountable. It must ensure that third-party partners behave appropriately.
Fragmented governance of third-party relationships through disconnected department silos leads the organization to inevitable failure . . .
[The rest of this blog can be read on the EthixBase360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]
Navigating the Complexities of Modern Governance, Risk, and Compliance
Embracing Agile and Cognitive GRC in a Dynamic Business World
In an era marked by rapid regulatory changes and an ever-evolving business landscape, the second annual GPRC summit shines a spotlight on the critical importance of Governance, Risk, and Compliance (GRC) in modern organizations. The summit, a convergence of thought leaders and professionals, delves deep into the concept of agile and cognitive GRC, underlining the need for organizations to adapt swiftly and intelligently to stay ahead.
The Systemic Nature of Risk
The interconnectedness of risks in the modern business environment cannot be overstated. Risks in one area can have cascading effects on others, necessitating a systemic approach to risk management. It’s not enough to tackle risks in silos; businesses must adopt a holistic view, understanding how various risks interplay and impact the organization as a whole.
At its core, GRC is about reliably achieving objectives (governance), addressing uncertainty (risk management), and acting with integrity (compliance). This triad forms the foundation of effective GRC practices, emphasizing the need to align risk management strategies with the organization’s broader goals and values.
Aligning Risk with Organizational Objectives
Effective risk management is intrinsically linked to the organization’s objectives. It’s about understanding the goals at various levels – from high-level entity objectives to specific project or third-party relationship goals – and aligning the risk management strategy accordingly.
Risk: A Tool for Success
Contrary to the traditional view of risk as a negative force to be avoided, the summit presents risk as a crucial element of business success. Like fire, when controlled, risk can propel an organization forward; when uncontrolled, it can lead to its downfall. Understanding and managing risk is not just about mitigation but about harnessing its potential for growth and innovation.
The Art of Risk Orchestration
The role of a Chief Risk Officer (CRO) is akin to that of an orchestra conductor, ensuring harmony among the different sections of an organization’s risk profile. The CRO must maintain an overarching view of the risk landscape, understanding how different risks interact and affect the organization’s ability to achieve its objectives.
Beyond Resilience: The Need for Agility
In today’s fast-paced business environment, resilience – the ability to recover from risk events – is crucial. However, organizations must also be agile, anticipating potential risks and navigating around them proactively. This combination of resilience and agility is key to thriving in a volatile business world.
The Ever-Changing Face of Modern Organizations
Organizations today are not just confined to their physical boundaries but extend to networks of third parties like vendors and suppliers. This extension translates into a complex web of interdependencies where external issues have a direct impact on internal operations. Michael highlighted the constant flux in regulations, risks, and business processes, emphasizing the need for a comprehensive approach to GRC.
The Dynamics of External and Internal Change
Businesses aren’t just battling external factors like geopolitical shifts; they’re also constantly evolving internally. Changes in business processes, strategies, technologies, and personnel demand a flexible approach to GRC. Moreover, the traditional concept of an organization, limited to its brick-and-mortar presence, has extended to include a network of suppliers, contractors, and third-party relationships, further complicating the GRC landscape.
The Global Regulatory Maze
One of the most daunting challenges for businesses today is the sheer volume of regulatory changes. Globally, financial institutions grapple with an average of 257 regulatory change events every business day. This staggering number highlights the need for a robust GRC strategy that can navigate the complexities of compliance across various jurisdictions.
The Promise of Cognitive GRC and AI
The integration of artificial intelligence (AI) in GRC processes promises to revolutionize how organizations manage risk. AI can enhance efficiency, effectiveness, and predictive capabilities, enabling businesses to stay ahead of risks and compliance requirements. However, leveraging AI in GRC also presents challenges, including ensuring the ethical use of AI and managing the complexities of AI-driven decision-making.
The Future: Business Integrated GRC
Looking ahead, the speaker envisioned a future where GRC is more deeply integrated into business processes, driven by technology. This integration would lead to a more aware, responsive, and efficient approach to managing risks and compliance.
The journey to agile and cognitive GRC is not just about adopting new technologies or processes. It’s a paradigm shift in how organizations view and manage risk. By embracing a holistic, forward-thinking approach to GRC, businesses can navigate the complexities of the modern world, turning risks into opportunities for growth and success. The GPRC Summit in Dubai opened a window to the future of GRC, one that is agile, cognitive, and deeply integrated with the core business processes. As businesses continue to navigate through complexities, the role of GRC as a strategic enabler becomes ever more critical. The journey towards agile and cognitive governance in GRC is not just about adopting new technologies but about a fundamental shift in how risks, compliance, and governance are perceived and managed.
In 2024, the Governance, Risk Management, and Compliance (GRC) landscape is evolving rapidly. Organizations are increasingly facing complexity and chaos driven by several factors, such as changing regulations, external risks and uncertainty, as well as dynamic and evolving business operations, processes, and technology. These drivers push companies to adopt innovative GRC strategies to stay agile, resilient, compliant, and competitive.
The key GRC trends in 2024 that GRC 20/20 Research has identified and are monitoring include:
GRC 6.0 – Business Integrated GRC. This trend marks a paradigm shift where GRC becomes seamlessly integrated into the core business processes. It aligns closely with the organization’s strategy, performance, and objectives. It is pushing GRC accountability and control into business processes and the business instead of additional layers of compliance band-aids disconnected from the business.
Risk Management = No Surprises (or Minimal). Mature risk management processes in 2024 aim to minimize surprises. Organizations increasingly use predictive analytics and other advanced tools to anticipate potential risks and mitigate them proactively. It is about forecasting risk and uncertainty on the horizon, going through scenarios, and preparing the organization for the best path forward.
GRC Orchestration. In 2024, GRC management will be increasingly collaborative and a cross-functional responsibility. This trend emphasizes visibility and consistency in GRC processes across all departments and functions. For instance, a multinational corporation might use common processes automated by technology across different geographic locations, ensuring uniformity and reducing risk exposure. Some solutions allow for GRC centralization while allowing some autonomy with consistency within business areas.
Addressing Geopolitical Risk. Geopolitical risk has become a primary focus area. Organizations need clear insights into the evolving geopolitical landscape to understand how it might impact their objectives. For example, a global supply chain company might monitor international trade policies, economic and inflation uncertainties, commodity availability, conflicts, and more to anticipate and prepare for disruptions.
Risk Agility. This trend involves organizations being agile in their risk management strategies. They continuously scan the horizon for potential risks, review scenarios, and chart the best path forward. An organization may use scenario planning to prepare for various economic conditions, ensuring it adapts quickly to changing circumstances.
Business, Strategic & Operational Resilience. The ability to quickly recover from risk events is crucial in 2024. Companies focus on building resilience in every aspect of their operations. This includes resilience of the organization’s strategy, financial resilience, and, more specifically, its operational resilience to contain and recover from risk events.
ESG and Integrity. With rising global concern over environmental, social, and governance (ESG) issues, organizations are working to manage the complexities of ESG commitments. This includes accurate reporting to ensure organizational integrity within the business and across the extended enterprise of third-party relationships.
Trust Assurance & Data GRC. Businesses increasingly focus on integrity throughout their operations, processes, transactions, data/information, and relationships. Trust is critical for investors/stakeholders, employees, customers, and business partners in today’s business. This is particularly true in dealing with the complex uncertainty and compliance requirements across information, data, transactions, and interactions.
The Extended Enterprise. In 2024, managing risks and maintaining ethical environments across extended business relationships is crucial. Companies must ensure that their partners, suppliers, and distributors adhere to the same ethical and compliance standards, and that risk is managed in these relationships. This is particularly true in addressing ESG across the extended enterprise.
A.I. GRC/ A.I. Governance. The governance of AI use within organizations is a growing concern. Companies are focused on ensuring AI is used ethically and effectively to reduce uncertainty. Organizations across industries need to implement oversight of AI to review and approve AI algorithms used in the organization.
Cognitive GRC. Utilizing AI to enhance GRC processes is becoming more prevalent. Cognitive GRC uses AI to increase efficiency, effectiveness, resilience, and agility in GRC activities.
Accountability. There is a global focus on enhancing accountability in risk and compliance, particularly at the board, executive, and senior management levels. This means greater transparency and responsibility for GRC decisions and actions. The growing array of accountability regimes (e.g., U.K., Ireland, Australia, Hong Kong, Singapore, South Africa) is expanding, as well as legal accountability in the USA for key business and GRC executives.
GRC and Cultural Contexts. Organizations operating in diverse cultural and geographical contexts face unique compliance, ethics, and ESG challenges across these business areas. Navigating these differences requires a nuanced approach, understanding, and respecting local values and regulations.
GRC Engagement. The human element in GRC is critical. Ensuring employees at all levels are engaged with policies and controls and trained to identify and report issues is essential for effective GRC. Regular training and clear communication channels are key strategies in this area. This is the most important firewall in the organization, the human firewall.
Business Champions. When GRC is implemented effectively, it fosters champions at all organizational levels. These champions advocate for and reinforce GRC principles, helping to embed a culture of ethics, risk management, and integrity.
In summary, the GRC landscape in 2024 is characterized by a dynamic interplay of integration, innovation, and responsiveness. The trends outlined above reflect a holistic and forward-thinking approach to governance, risk management, and compliance. Organizations are increasingly weaving GRC into the fabric of their business operations, aligning it with strategic objectives and cultivating a culture of resilience and integrity.
The shift towards Business-Integrated GRC, the emphasis on predictive risk management, and the orchestration of GRC across departments highlight a proactive and integrated approach. Addressing geopolitical risks, ensuring risk agility, and maintaining business resilience are now fundamental to organizational sustainability and success. Moreover, the focus on ESG, trust assurance, and accountability underscores the growing importance of ethical practices and transparency.
Technological advancements in AI and cognitive GRC tools are transforming how organizations manage compliance and risks, bringing efficiency and agility to the forefront. The extended enterprise concept emphasizes the need for ethical and compliant practices beyond an organization’s immediate boundaries.
Finally, the human element remains central to effective GRC. Engaging employees, fostering a culture of compliance, and creating GRC champions at all levels are crucial for embedding these practices deeply within an organization.
As we navigate through 2024, these trends in GRC are not just about managing risks or complying with regulations; they are about creating sustainable, resilient, and ethical organizations capable of achieving their objectives while thriving in an ever-changing global landscape.
In the ever-evolving governance, risk management, and compliance (GRC) landscape, organizations that have already embraced a GRC program, including strategy, process, and technology, know its significance in navigating complexities and ensuring sustainable risk and compliance agility and resilience within their organization. However, the journey toward excellence is ongoing, and organizations with established GRC frameworks often seek ways to mature their programs for enhanced efficiency and effectiveness.
Following are 7 key strategic elements to continue to elevate your GRC program to new heights of maturity . . .
Several factors contribute to this growing complexity . . .
[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]
Note that the following analogy is focused on the lack of design from a broad enterprise GRC perspective. The same analogy can be applied to aspects of GRC that have no design across departments and functions, such as risk management, compliance, third-party risk management, and more. Compliance and ethics management particularly suffer from having no design to their processes and technology.
Unraveling the Maze of Scattered Governance, Risk Management, and Compliance
In the heart of San Jose, California, stands the enigmatic Winchester Mystery House, a testament to architectural perplexity and confusion. While this Victorian mansion boasts a rich history and an allure for tourists, its lack of design, blueprint, and oversight during construction is eerily reminiscent of organizations grappling with the complexities of scattered Governance, Risk Management, and Compliance (GRC) silos with no design, no architect, and no blueprint for GRC. Let us delve into the labyrinth of challenges faced by entities mirroring the mystique of the Winchester Mystery House – organizations burdened by manual processes, redundancy, gaps, and a lack of integration.
The Winchester Mystery House: An Architectural Anomaly
Built in the 1800s at a staggering cost of $5.5 million, the Winchester Mystery House stands as an architectural enigma. The mansion was constructed over 38 years with the involvement of 147 different builders, and remarkably, it lacks a cohesive design, blueprint, or the guiding hand of an architect. This lack of central planning resulted in hallways leading to nowhere, doors opening to walls, staircases ending abruptly, skylights in floors instead of ceilings, and an overall sense of chaotic disarray.
Similarly, organizations plagued by fragmented and siloed GRC practices navigate a maze of challenges resembling the bewildering layout of the Winchester Mystery House. Here are key parallels between the mansion’s architectural chaos and the disorderly GRC landscape of some organizations:
Absence of Design and Blueprint . . .
Winchester House: The absence of a coherent design or blueprint led to nonsensical features like staircases leading to the ceiling.
GRC Silos: Organizations lacking a unified GRC strategy often find themselves implementing disjointed processes, resulting in confusion and inefficiency.
Scattered Governance . . .
Winchester House: Hallways and doors leading to nowhere highlight the lack of governance in its construction.
GRC Silos: Organizations with scattered governance experience difficulties in enforcing policies consistently across different departments and processes.
Manual Processes and Redundancy . . .
Winchester House: The sheer size of the mansion and the multitude of builders led to manual processes, resulting in inefficiencies and redundancies.
GRC Silos: Manual processes, reliance on thousands of documents, spreadsheets, and emails create a convoluted GRC landscape with unnecessary redundancies.
Siloed Solutions and Lack of Integration . . .
Winchester House: The mansion was built in sections without integration, creating a disjointed structure.
GRC Silos: Organizations often implement siloed GRC solutions without proper integration, leading to a lack of visibility and communication across risk, compliance, and governance functions.
Gaps in Oversight . . .
Winchester House: The absence of an overseeing architect allowed for peculiar features like skylights in the floor.
GRC Silos: In organizations, gaps in oversight can result in missed compliance requirements, exposing the enterprise to unnecessary risks.
Just as the Winchester Mystery House stands as a testament to the perils of scattered construction without oversight, organizations wrestling with fragmented GRC practices face many challenges. From manual processes to siloed solutions, the parallels are striking. To overcome these challenges, organizations must invest in comprehensive GRC strategies, integrating governance, risk management, and compliance into a cohesive strategy and framework (e.g., the OCEG GRC Capability Model) that is supported by well-designed processes and an integrated information and technology architecture. Only through intentional design and strategic oversight can organizations avoid the perplexing maze of scattered GRC silos, ensuring a sturdy and purposeful foundation for long-term success.
I trust 2024 is off to a great start. It is for me. 2023 was my busiest year in my career with extensive GRC travels around the world. 2024 looks to be every bit as busy. I am headed this week to Riyadh, and then Dubai over the weekend and into next week. Then London next Wednesday to Friday, returning home on February 3rd. Then back to London the week of February 12th.
The GRC market is complex, with broad platforms and many focused best-of-breed solutions solving specific problems and challenges. There are 365 solution providers (not counting professional service firms) that GRC 20/20 monitors in the market. Seventy-four can be classified as an Enterprise/Integrated GRC Platform that can cross departments and use cases; the rest are best-of-breed point solutions. Of these 365, GRC 20/20 actively monitors 83 of them more deeply annually, and keeps abreast of the rest, interacting with them in briefings every two or three years.
It is a fast-moving market with a lot of momentum, but also a lot of nuances and niches. In 2023, GRC 20/20 answered between 10 and 20 inquiry/research questions from organizations asking about and looking for solutions every week. This accounted for over 750 interactions in 2023. These come in via email, text, LinkedIn messages, and more. Most are simple responses to questions; others go deeper. In 2023, there were 53 RFPs that GRC 20/20 monitored around the world. Some deeply, some from a distance. The 2024 outlook on the GRC market was just covered in the on-demand 2024 State of the GRC Market Research Briefing.
Times of uncertainty bring a boom to GRC-related solutions and services. GRC 20/20 has never been busier than at this very moment. While the activity is global, there is a lot of particular GRC market activity coming out of the United Kingdom and Europe right now. And the Middle East is the fastest growing market.
As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research, through the inquiry process. Every week GRC 20/20 is answering inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions available in the GRC market . . .
In an era marked by the exponential growth of data, evolving business landscapes, and increased regulatory scrutiny, effective data governance has emerged as a critical imperative for organizations of all sizes. The complexities of managing and governing data in today’s dynamic environment demand a new paradigm that aligns with business objectives, adapts to change, and encompasses a holistic approach to data governance, data risk management, and data compliance (Data GRC).
Organizations face specific challenges in data governance, including the discovery, collection, management, access, and analysis of data. These challenges require a comprehensive approach involving establishing clear responsibilities, implementing data quality measures, and ensuring secure access to data while upholding ethical data analysis practices.
Data GRC involves . . .
[The rest of this blog can be read on the Archive360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]
Third-party relationships have become increasingly critical in the rapidly transforming landscape of global business. Gone are the days when a company’s operations and success depended solely on its internal resources and capabilities. In the current business environment, third-party entities such as suppliers, vendors, contractors, and partners play a crucial role in a company’s growth, innovation, and competitive edge. However, this reliance on external entities also introduces a range of risks that can significantly impact a company’s reputation, financial health, and operational stability.
As the complexity of business relationships expands, so does the spectrum of risks associated with third-party relationships. These risks can stem from various sources, including financial uncertainties, reputation and brand, resilience and continuity, compliance issues, cybersecurity threats, and geopolitical dynamics. The challenge for businesses is to identify and understand these risks and develop effective strategies to manage and mitigate them.
The organization’s approach to third-party risk management needs to . . .
[The rest of this blog can be read on the EthixBase360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]