Blog

ESG – Environmental, Social, and Governance – has been creating a barrage of pressure upon organizations across industries and around the world in recent years. Corporate investors are making capital investment decisions in companies based on ESG commitments, metrics, and ratings. Legislatures and regulators around the world are ensuring the regulations are focused on the breadth of ESG as well as specific aspects of ESG (e.g., modern slavery, carbon emissions). Employees are making decisions on who they work for based on shared values and not just benefits. Customers are engaging and buying products and services that share their values. ESG is getting attention from the top of the organization, the board and the executives, to the down into the depths of the organization.

What is ESG and Why is it Important?

That is a good question. ESG varies in breadth and depth of scope by industry, company size, and even geography and regulatory frameworks. It also varies by individual departments that focus on aspects of ESG but not the breadth of ESG. Too often, ESG can be like the parable of the blind men and the elephant where one feels the side and thinks it is a wall, another feels the trunk and thinks it is a tree, and another the tail and thinks it is a rope.

In understanding the important scope of ESG, consider . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE KANINI BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The physicist Fritjof Capra stated:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

Capra was making the point that ecosystems are complex, interdependent, and require a holistic, contextual awareness of the intricacy of their interconnectedness as an integrated whole rather than a dissociated collection of systems and parts. Change in one area has cascading effects on other areas and, in all likelihood, the entire ecosystem. A small event can develop into what ends up being a significant issue. This understanding can be applied to your GRC strategy roadmap as well.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.

The interconnectedness of objectives, risks, resiliency, and integrity require 360° contextual awareness of . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RESOLVER BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Too often GRC – governance, risk management, compliance – is approached backwards. Using the acronym, one would think it is CRG, or even Cr (lower case intentional). Too many organizations start with compliance, and even risk management is done in a compliance context, and governance, performance, and objectives are not even in view.

The official definition of GRC, found in the GRC Capability Model, is that GRC “Is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” (www.OCEG.org) It starts with governance and setting objectives (entity, division, department, process, project, asset objectives). From governance flows the context to begin and do risk management (remember, ISO 31000 defines risk as the effect of uncertainty on objectives). The compliance is the follow through to ensure we stay within ethical, regulatory, ESG, and even risk boundaries (compliance verifies that controls we put in place to mitigate risk are operational and effective). 

I am in a three-week GRC tour of Europe right now and there are a lot of interesting RFPs over here. More often in Europe you see requirements for a focus on business and business process, and even for business process modeling (BPM) capabilities within GRC. Europe, in general but not always, sees GRC as more integrated into the business the way it should be. Too often GRC, particularly in North America, is a compliance band-aid and not a true integrated way of managing the business.

GRC should be about performance. In fact, at OCEG, we defined GRC in this context. GRC delivers what is called Principled Performance. GRC, through strategy, process, information, and technology, should deliver better performing organizations that do so in an ethical way aligned with the organization’s values. 

One of my favorite interactions on risk management in my career was with Brad Jewett when he was the ERM Director at Microsoft. He had this whole approach he called ‘The Rhythm of Risk.’ It was specifically about managing risk in the context of Microsoft’s objectives, business, and processes. It was business focused GRC aimed at Principled Performance.

To deliver on this requires full awareness and integration of GRC into the business and management. The most critical thing is to be able to manage your business in a GRC context. This requires that our approach to GRC allow for deep modeling, definition, and monitoring of business objectives and business processes. To manage risk and compliance in context of performance, objectives, and processes. That is how GRC is done.

When approaching GRC (or ERM, ORM, IRM), what do you really want from the following:

1. Do you want a solution that manages your business; and in that context manages risk, compliance, and controls?
2. Or do you want a solution that manages compliance, and perhaps risk, but is disconnected from the business and is an afterthought, a band-aid?

In my market research and coverage of solutions in the market, there are over 100 solutions that can address the second option, but very few that can actually deliver on the first. Organizations need business management platforms that have GRC capabilities built and baked in.

We are in the era of GRC 5.0 – Cognitive GRC, and all the elements of GRC 4.0 – Agile GRC are still wrapped up and part of GRC 5.0. I am often asked what is next? What is GRC 6.0? Getting out my analyst crystal ball it is GRC 6.0 – Business Integrated GRC where GRC is an integrated part of a business management platform. The idea of a siloed GRC platform goes away to manage GRC as an integrated platform of the business, its objectives, its performance, and then risk, compliance, control, and assurance in this context. It will take a few years for us to transition to GRC 6.0, perhaps as much as five, but it is on the horizon.

There will still always be a place for best of breed GRC solutions focused on specific risks, compliance, and content. What I am saying is that the broad enterprise/integrated GRC platform (or ERM, ORM, IRM) is delivered as a part of a business management platform.

Do you have questions on GRC Solutions available in the breadth of the market and which few deliver on the vision of Business Integrated GRC? Ask GRC 20/20, in our coverage of the market as an analyst firm, what solutions are available and what differentiates them for your specific needs:

Compliance and ethics do not happen in the back office but at all levels of the organization. From the top down to the front-line employees. Compliance and ethics done right are a part of everyone’s job. 

Too often we shovel compliance into the bowels of the organization, thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back-office of legal, human resources, IT, and other departments. 

This misperception is a critical issue that organizations must address. The most significant exposures to risk and compliance issues are not in the bowels of the organization, they are at the front lines. They are at all levels of management and business operations, and cross-partner, vendor, and supplier relationships throughout the extended enterprise. 

This requires that all the organization’s compliance policies be clearly communicated and understood by the front lines of the organization. The scenarios of risk and compliance exposure across business operations and frontline employees are unlimited. Some involve malicious employees, others could be inadvertent mistakes, while some scenarios involve an activity that employees should catch and report. 

The organization must effectively engage employees and educate them about compliance and policies in the context of their role in the organization. The challenge is that organizations need to find a way to get everyone involved and adhere to policies to build integrity across the whole organization and the extended enterprise.

Inevitable Failure of Policy & Training Management

Policy and training matter. Compliance communications, attestations, and disclosures matter. However, when you look at the typical organization you would think policies and compliance processes are irrelevant and a nuisance. 

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, disclosure, and training. An ad hoc approach to compliance, policy and training management exposes the organization to significant liability. 

This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. 

To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what disclosures were made, what exceptions were granted, and how policy violation and resolution was monitored and managed. 

The user experience for policy management has been typically poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality, and a lack of centrally coordinated efforts for policy and compliance communications. 

Organizations have ended up with multiple sources of policy, training, surveys, assessments, disclosures, attestations, and issue reporting. Interaction with these systems has consumed human and financial capital. Communication is often inconsistently logged in documents and spreadsheets if they are logged at all. 

There is no coordination of policy communication and training and no way to prioritize messages and employee tasks. The result is emails and documents that fly about, slip through cracks, are never responded to, or are simply forgotten. 

A typical organization may have over two dozen policy portals that are file shares, SharePoint sites, and other intranet sites that struggle with rogue, out-of-date, and inconsistent policies that open the floodgates of liability as they are mismanaged instead of protecting the organization as they should. 

One organization found that eighty per cent of their compliance staff time was spent managing and chasing documents and emails for compliance and not actually managing compliance. Another organization spent two hundred hours building an annual report on compliance because all the data was trapped in thousands of documents and emails that had to be aggregated, tabulated, and then reported on. 

If compliance, policies, and training programs don’t conform to a structured process, defined audit trail and system of record, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support, organizations are not positioned to drive desired behaviours in corporate culture or enforce accountability in compliance, ethics, and the new era of corporate integrity with ESG: environmental, social, governance.

With today’s complex business operations, global expansion, and the ever-changing legal/regulatory and compliance environments, well-defined compliance, policy, and training management program is vital to enable an organization to effectively develop and maintain compliance and adherence to values to govern and ensure with integrity. 

Keeping up with regulatory content can be a challenge. The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction. This is enabled with GRC 5.0 – Cognitive GRC technologies that leverage artificial intelligence to provide greater levels of automation.

Many organizations either hire a lot of compliance/legal experts to comb through mountains of regulatory data, or they subscribe to regulatory content subscriptions that do this. This is changing with the role of artificial intelligence applied to a GRC context (Cognitive GRC). Natural language processing, predictive analytics, and robotic process automation make regulatory change management more efficient, effective, and agile for the organization. he U.K.’s FCA Rulebook stacks to six feet tall; this would take a human a year or more to read. A machine can read it, sort it, categorize it, and link it in under a minute. Not only is a machine faster at reading regulations, but it is also more accurate. One Chief Ethics and Compliance Officer (CECO) told GRC 20/20 that they found natural language processing 30% more accurate in reading, sorting, categorizing, and linking/mapping regulations/requirements than humans. A machine stays focused; there is no mind to wander and get distracted.

Cognitive GRC technologies enable a GRC architecture for regulatory change management. Leading solutions in this area are being used to gather regulatory information, weed out irrelevant information, and route critical information to SMEs responsible for making a decision on a particular topic. This, at a minimum, requires workflow and task management capabilities, but in mature systems it provides artificial intelligence to enable this. The old way of hiring an army of subject matter experts as aggregators to manage regulatory profiles, and provide data about relevant new developments is being replaced or at least supplemented by cognitive technologies. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process supported by artificial intelligence technologies that read and analyze changes and their impact on the organizations processes, policies, and controls.

Specific capabilities to be evaluated in solutions for regulatory change management include:

• Regulatory intelligence content. Cognitive solutions provide integration and automation with artificial intelligence platforms built for regulatory change to conduct horizon scanning to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
• Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to take review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. The built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations
• Content management. The solution should be able to catalog and version regulations, policies, risks, controls, and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods and obsolescence rules that can be set for regulations.
• Business impact analysis. The system needs to provide functionality to identify the impact of changes of regulations on the business environment and its operations, and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed, or deactivated, the solution assesses the impact of the change and sets up the appropriate responsive actions.
• Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications. Mapping is another area where artificial intelligence/cognitive technologies are providing greater efficiency and effectiveness value for regulatory change management.
• Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
• Audit trail and accountability. It is absolutely necessary that the regulatory change management solution have a full audit trail to see who was assigned a task, what they did, what was noted, and notes were updated, and be able to track what was changed. This enables the organization to provide full accountability and insight into whom, how, and when regulations were reviewed, measure the impact on the organization, and record what actions were recommended or taken.
• Reporting capabilities. The solution is to provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are, and more. Additionally, by linking regulatory requirements to the various other aspects of the platform – including risks, policies, controls, and more – the reporting should provide an aggregate view of a regulatory requirement across multiple organizational units and business processes.
• Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.

Ask GRC 20/20, in our coverage of the market as an analyst, what solutions are available for regulatory change management and what differentiates them for your specific needs:

Organizations need to be agile, not just resilient. Agility is the ability to see what is coming at the organization and allow the organization to adjust and navigate to use the environment to its advantage to seize opportunities while avoid or mitigate hazards and harms. Resiliency is the ability to spring back and recover from an event and minimize loss and exposure. Both are needed in today’s dynamic business environment, but their needs to be focus on agility and not just resiliency. 

Take the analogy of running. If I am running down the street and trip over a pothole or curb, resilience is how quickly can I recover and get up and start running again. Agility is to see what is coming at me on the horizon and see the obstacle, like a curb or pothole, and leap over it, go around it, or if I am doing some type of parkour use it to my advantage to spring into a flip to amaze all those around me. 

We are migrating from the era of GRC 4.0 – Agile GRC to the new era of GRC 5.0 – Cognitive GRC. Agile GRC is still there and is the foundation for Cognitive GRC. Agile GRC is a complete re-architecture of GRC to be flexible, adaptable, configurable, and intuitive while increasing efficiency, effectiveness, and agility. Agile GRC technologies have a lower cost of ownership in implementation and ongoing maintenance cost and do not break on upgrades. They replace older legacy GRC software that struggled with these issues. 

Cognitive GRC, GRC 5.0, builds on Agile GRC by leveraging cognitive technologies such as machine/deep learning, predictive analytics, natural language processing, neural networks, blockchain, and robotic process automation to make GRC processes even more efficient, effective, and agile in today’s dynamic, disrupted, distributed business environment. 

It is with Cognitive GRC we can contextualize current operations and data to see risks, controls, gaps, issues and such that operational impact us now or in the near future to increase our resiliency. It is with Cognitive GRC that the organization can conduct horizon scanning of risks, opportunities, and regulations that are starting to trend one, two, or three years out to prepare scenarios for scenario analysis so the organization can achieve greater agility to navigate the environment and prepare the organization.

I am excited to see new capabilities being added on to Agile GRC solutions to achieve and deliver on the vision I have had for Cognitive GRC for several years. These solutions make organizations more agile and resilient int regulatory change, risk trending/monitoring, control and process automation, assurance, and much more. 

As you look to upgrade or implement GRC related solutions (whether focused on a specific area or a broad enterprise platform) it is critical that you include requirements for Cognitive GRC to keep the edge on the organization in an environment that is fraught with risk and disruption. 

In the words of the physicist Fritjof Capra,

“The more we study the major problems of our time, the more we come to realise that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

It is with Cognitive GRC that we can start seeing and reacting to these systemic risks in real-time as they develop on the horizon or impact us operationally in the here and now. 

I have been advising organizations on strategy, process, and technology related to ESG for over fifteen years. Of course, it has not been called ESG for that long. It was CSR (corporate social responsibility), social accountability, sustainability . . . now it is ESG. ESG has a lot more focus and momentum than its previous iterations. It has teeth from corporate investors, regulators, stakeholders and even employees and clients. 

Today, I am at the Interact 2022 conference in Nashville. I did one session on ESG and following that another session on policy management. The interesting thing is the one, ESG, is built on the other, policy management. 

ESG is built on the policies of the organization. From the code of conduct down into the range of policies that govern the environment, health and safety, inclusivity, diversity, privacy, labor standards (e.g., child labor, forced labor, working conditions), anti-bribery and corruption, transparency, security, and many more. These all establish the framework for what ESG is in the organization. 

The starting point of building an ESG program is doing an inventory of all policies related to the many aspects of E-environment, S-social, and G-governance. The organization has policies in these areas today. There may be gaps, but ESG starts with understanding what policies are in place today that are part of ESG and then identifying changes needed to these policies and write new, or revise existing, policies for any gaps the organization has. 

It is through policies and policy enforcement/adherence that the organization’s integrity to ESG is measured against. Only through the foundation of established written codes of behavior and boundaries of conduct is an ESG program then assessed, measured, monitored, and reported upon. 

Simply put: you cannot have an ESG program without policies. Therefore, well-written policies and good policy management practices are an essential foundation to an ESG program in an organization.

However, it is not just well-written policies that are important, they must also be communicated and engaged to employees and third-parties (e.g., vendors, suppliers) to be effective in the organization. Policies are only as good as the awareness and enforcement of them in the environment. It is through policy engagement that true ESG cultural transformation is done. 

The challenge is that organizations will often find that their policies are a mess and policy management even more of a mess. That different departments have different portals, templates, file shares, and more. Many organizations do not even know what policies they have. 

If you are going to start an ESG strategy and program in your organization, I suggest you start with doing a good inventory of your current policies, map them to your ESG risks and framework, clean them up, provide consistent management and monitoring of policies leveraging technology designed for policy management, and deliver a single portal of all the organizations policies to your employees, again through technology designed for policy engagement. You cannot do ESG without addressing your policies and the management of them. 

The mature risk and resilience program can be measured against critical elements across governance and oversight, people and engagement, process and execution, and information and technology.

Risk & Resilience Governance & Oversight

• The governance model is agreed upon at the board level and effectively communicated and supported across the organization 
• Policies and procedures for risk and resilience management are fully documented and consistently applied across the organization 
• The risk and resilience management framework is well defined 
• Measurement and trending are now available in an enterprise view 
• Risk appetite and tolerance are well defined and understood in the context of objectives, processes, and services of the organization

People & Engagement

• Clear roles and responsibilities across the organization 
• Skills and resources are being applied to programs 
• A dedicated team is in place and recognized as a center of excellence 
• Skilled subject matter experts engaged in reviews 
• Training and development are embedded 
• Resources are focused on strategic value-added components of the program rather than tactical components 
• You may be outsourcing some industry standardized activities to shared services communities

Process & Execution

• Well-defined and executed processes across the organization
• There is a single version of the truth for all risk and resilience information that is well-integrated with other business systems
• Risk assessment and monitoring processes are standardized and automated
• Segmentation and risk tiering is in place
• Clear view of inherent and residual risk at both the process and enterprise levels
• Applying a risk-based approach that incorporates critical risks and the long-tail impact
• Multiple risk categories being assessed for each department, process, and services
• Issue management is in place, and full tracking and remediation is taking place in a single system
• Ongoing monitoring is established, with changes in risk profiles automatically triggering the appropriate actions
• Clear view and controls for the extended enterprise
• Managing risk through business change
• Performance management fully embedded in the program
• Program improvement decisions are facilitated by robust data

Information & Technology

• Leveraging best-in-class risk and resilience management software 
• Risk portal for assessments, document collection, issue management and collaboration to engage front-line and operational management and risk owners
• Leveraging risk intelligence content to support automated business processes, and to support enhanced decision making

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

Getting to the Head of the Risk & Resiliency Class

Organizations with risk and resilience processes siloed within departments operate at the Ad Hoc, Fragmented, or Defined stage. At these stages, risk and resilience management programs manage risk and continuity at the departmental level, and lack an integrated view, with no gain in efficiencies from shared processes. 

In the Integrated and Agile maturity levels, organizations have centralized risk and resilience oversight to create consistent programs around the world with common risk and resilience processes supported by an integrated risk and resilience information and technology architecture. These organizations report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on performance, risk, and continuity, and greater effectiveness through the ability to report and analyze risk and resilience data. The primary difference between the Integrated and Agile stage is the integration of risk and resilience in the context of performance, objectives, and strategy aligned across the organization. Differences may be seen in top-down support from executive management, and when various risk and resilience functions align with a strategy to collaborate and share information and processes. 

Considerations for Moving From Ad Hoc and Fragmented to Defined

Departments at the Ad Hoc and Fragmented stage have siloed approaches to risk and resiliency management at the department level. This means no integration or sharing of the program and related risk and resilience information, processes, or technology. An organization that sees itself at the Ad Hoc stage should skip the Fragmented stage, and plan to move to the Defined stage. 

To move from Ad Hoc or Fragmented to Defined requires the department to reduce manual data integration and improve overall visibility into risk and resilience at the department level. Organizations should consider defining risk and resilience process and information architecture at the department level and implement technology to manage multiple risk and resilience initiatives cohesively.

Considerations for Moving from Defined to Integrated

Departments at the Defined maturity stage are in a good place to lead the organization in a risk and resilience strategy to the Integrated stage. They have a strategic approach to risk and resilience management at the department level, supported by mature risk and resilience processes that can be extended to other departments. 

To move from the Defined to the Integrated stage requires a common process, information, and technology approach that spans multiple departments. Organizations can leverage risk and resilience insight to improve planning and strategic decisions. A common governance model for risk and resilience management is used across lines of business, functions, and processes. The organization needs a common risk and resilience methodology and taxonomy. Organizations at this level report process efficiencies – reducing human and financial capital requirements, greater agility to understand and report on risk and resilience, and greater ability to report and analyze risk and resilience data.

Considerations for Moving from Integrated to Agile

The difference between the Integrated and Agile stages is primarily one of context. At the Integrated stage, the organization provides a consistent approach to managing risk and resiliency in the context of hazards and continuity. This is supported by an established risk and resilience process, information, and technology architecture. While risk and resilience are understood in the context of the business, it is still focused more on risk and continuity than performance and strategy. At the Agile stage, the organization has performance, strategy, and objectives set the context to achieve a greater ability to avoid issues and not just respond to events.

Achieving the Agile stage requires risk and resilience expectations set as part of the annual strategic planning processes. The organization has measured and monitored risks and resiliency metrics in the context of business strategy, performance, and objectives. There is shared data and technology about risk and resilience, as well as decision support, optimization, and business intelligence. The organization has integrated risk and finance data to drive performance while mitigating risks and ensuring integrity across the organization’s operations, services, and extended enterprise of third-party relationships.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

Mature risk and resilience management is a seamless part of risk governance and operations. It requires a top-down view of risk and resilience, led by the executives and the board, where risk and resilience management are part of the fabric of business operations and processes – not an unattached layer of oversight. It also means bottom-up participation, where business functions identify and monitor risk and resilience that expose the organization. GRC 20/20 has developed the Risk and Resiliency Management Maturity Model to articulate maturity in the risk and resilience management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

1: Ad Hoc 

Organizations at the Ad Hoc stage of maturity have reactive approaches to risk and resilience management at the department level. Businesses at this stage do not understand risk and exposure; few if any resources are allocated to risk and resilience. The organization addresses risk and resilience in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of risk and resilience, and certainly no integration of risk and resilience information and processes in context of objectives, strategy, performance, and business change. 

2: Fragmented

The Fragmented stage sees departments with some focus on risk management and business continuity within respective areas, but they are disconnected and not working together. Information and processes are highly redundant and lack integration. With siloed approaches to risk management and resilience (e.g., business continuity, disaster recovery), the organization is still very document centric. Processes are manual and they lack standardization, making it hard to measure effectiveness.

3: Defined

The Defined stage suggests that the organization has some areas of risk and resilience that are managed well at a department level, but it lacks integration to address risk and resilience across departments. Organizations in the Defined stage will have defined processes for risk and resilience in some departments or business functions, but there is no consistency. Risk and resilience processes have the beginning of an integrated information architecture supported by technology and ongoing reporting. Accountability and oversight for certain domains such as business continuity, disaster recovery, and/or enterprise and operational risk management are beginning to emerge. 

4: Integrated

In the Integrated stage, the organization has a cross department strategy for managing risk and resilience across departments and functions. Risk and resilience are aligned across several departments to provide consistent strategy, frameworks, and processes supported by a common risk and resilience information and technology architecture. The organization addresses risk and resilience through shared processes and information that achieve greater efficiency and effectiveness. However, not all processes and information are completely integrated, and risk and resilience if focused on avoiding issues and not on agility.

5: Agile

At the Agile Maturity stage, the organization has completely moved to an integrated approach to risk and resilience management across the business that includes an understanding of risk and compliance in context of performance and objectives. Consistent core risk and resilience processes span the entire organization and its geographies. The organization benefits from consistent, relevant, and harmonized processes for risk and resilience management with minimal overhead. 

Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. Good risk and resilience management is going to clearly understand the objectives of the organization, its performance goals, and strategy, and continuously monitor the environment for 360° situational awareness to be agile. To see both opportunities as well as threats so the organization can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organization and its objectives.

But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be agile and resilient. Risk and resilience management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organization so it can seize on opportunity as well as avoid exposures and threats. 

The Agile Maturity is where most organizations will find the greatest balance in collaborative risk and resilience management and oversight. It allows for some department/business function autonomy where needed, but focuses on a common governance model and architecture that the various groups in risk and resilience governance participate in. The Agile stage increases the ability to connect, understand, analyze, and monitor risk relationship and underlying patterns of impact on performance, objectives, and strategy – as it allows different business functions to be focused on their areas while reporting into a common risk and resilience governance framework and architecture. Different functions participate in risk and resilience management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.