Embracing the Uncertain: Enterprise Risk Management Through the Lens of Star Trek

In the vast expanse of space, the Starship Enterprise embarks on its mission to explore strange new worlds, seek out new life and civilizations, and boldly go where no one has gone before. This iconic journey from the legendary series Star Trek. In Season 2, Episode 20 of the original series, Captain James T. Kirk, a leader who faced the uncertain with courage and determination, stated:

“Risk! Risk is our business. That’s what this starship is all about. That’s why we’re aboard her.”

Captain James T. Kirk, U.S.S. Enterprise

This quote, though set in the backdrop of space exploration, resonates profoundly with the challenges and opportunities in the field of Enterprise Risk Management (ERM) and Governance, Risk, and Compliance (GRC). Let’s delve into how this interstellar perspective can illuminate our approach to risk in the business world.

Background . . .

“Star Trek: The Original Series” Season 2, Episode 20, titled “Return to Tomorrow,” is a significant episode in the Star Trek canon, particularly for its exploration of risk and leadership through the character of Captain James T. Kirk.

In “Return to Tomorrow,” the Starship Enterprise is contacted by a powerful, disembodied alien entity named Sargon. Sargon and his companions are survivors of a highly advanced, extinct civilization. They have been living as consciousnesses without physical bodies for half a million years and invite the crew of the Enterprise to their planet. Upon arrival, Sargon explains his ambitious plan: to temporarily inhabit the bodies of Captain Kirk, Science Officer Spock, and Dr. Ann Mulhall, so they can construct android bodies to permanently transfer their consciousnesses. This offers the potential for immense scientific advancement but comes with significant risks, as the process could potentially harm or kill the host bodies.

Captain Kirk’s famous quote, “Risk: Risk is our business. That’s what this starship is all about. That’s why we’re aboard her,” is made during a pivotal scene where the crew debates whether to assist Sargon and his companions. The decision is fraught with ethical and physical dangers. The risk here is a physical threat and a moral dilemma, as the crew must weigh the potential benefits of helping a dying civilization against the possible costs.

Kirk’s statement encapsulates his leadership philosophy and the broader mission of the Enterprise. He acknowledges that their journey is not just about exploration but also about taking risks to achieve greater understanding and to help others, even when the outcomes are uncertain. This perspective on risk is not reckless but is a calculated acceptance of the unknown as part of the pursuit of progress and knowledge.

In essence, this episode and Kirk’s statement highlight a core theme of Star Trek: the pursuit of knowledge and exploration inherently involves risk, but it is through taking these risks that humanity grows and learns. This theme resonates with the challenges and decisions faced in business and organizational contexts, especially in areas like enterprise risk management and governance. It reminds me of Judge Mervyn King of South Africa, the impetus for the King 1, 2, 3, & 4 reports on Corporate Governance, who stated: “Business is the undertaking of risk for reward.”

The Enterprise as a Metaphor for the Organization

Picture the Starship Enterprise: a vessel designed for exploration, encountering new worlds and civilizations. In the corporate world, an organization is akin to this starship, venturing into the market’s uncharted territories. Just as the Enterprise faces cosmic anomalies and unfamiliar species, companies encounter market volatility, technological disruptions, and competitive landscapes. Understanding this parallel helps us appreciate the necessity of being well-equipped to manage the unknown.

Just as the USS Enterprise traverses the unknowns of the galaxy, modern organizations navigate through the uncharted territories of the global market. The Enterprise, equipped for unexpected challenges, represents an organization’s need to be prepared for various risks – be they financial, operational, strategic, or compliance-related. Like a starship crew, a company must work in harmony, utilizing every member’s strengths to achieve its objectives while safeguarding itself against potential threats.

Understanding Risk in the Business Context

Risk, in business, is often viewed with apprehension. However, just as the Enterprise’s mission is not to avoid space but to explore it, the mission of a business is not to avoid risk but to engage with it strategically. Risk is a dual-edged sword; it presents potential dangers and opportunities. Effective risk management strategies help organizations identify, assess, and manage these risks, turning potential threats into opportunities for growth and innovation.

In the business world, risk is too often viewed through a lens of avoidance and mitigation. However, Captain Kirk’s view of risk as an integral part of the Enterprise’s mission suggests a different perspective. Risk is not just about avoiding harm; it’s about embracing the possibility of opportunity and reward. We take risks to achieve business objectives. The business not taking risks is the business this is out of business. Effective risk management involves identifying, assessing, and managing risk to maximize the organization’s value, just as Kirk evaluates potential dangers and opportunities on his voyages.

Here are some things we can learn in this analogy of Star Tek to the world of risk management in business . . .

• Risk Management: The Crew’s Responsibilities. On the Starship Enterprise, every crew member, from the Captain to the engineers, plays a crucial role. The diverse crew of the Enterprise, from Mr. Spock’s logic to Dr. McCoy’s compassion, highlights the varied roles within an organization. Similarly, in an organization, effective GRC requires the coordination of various roles – from the board of directors and executives to individual employees. Each department, whether finance, operations, human resources, or IT, is critical in managing risk. Each member contributes to the organization’s risk management. Effective GRC ensures that these roles are not siloed but work in concert, much like the coordinated efforts of the Enterprise’s crew.
• Risk Management: Navigating Uncharted Territories. Navigating a starship requires constant vigilance, adaptability, and a deep understanding of the environment. It requires understanding the star charts, the ship’s capabilities, and the potential dangers of space. In business, navigating through market and operational uncertainties requires a similar approach. Risk assessment tools and strategies are maps and sensors that help businesses understand their environment, assess potential risks, and develop strategies to mitigate them. Businesses must employ risk assessment tools and strategies to navigate uncertainties. This could involve scenario planning, risk frameworks, and continuous monitoring akin to the Enterprise’s sensors and navigational systems.
• The Need for Bold Risk Leadership: The Role of Captain Kirk. Captain Kirk’s leadership is pivotal in the Star Trek narrative. It is a bold, decisive, yet informed leadership style that is emblematic of what is required in business leaders. In business, leadership plays a similar role in risk management. Leaders must make critical decisions, often with incomplete information while inspiring their teams to embrace the organization’s vision. The courage to take calculated risks is at the heart of innovative leadership, balancing boldness with a sense of responsibility.
• Case Studies: Successful Risk-Taking Enterprises. Let’s look at real-world examples. Companies like Apple and Tesla have navigated significant risks in pursuing innovation, much like the Enterprise explored unknown galaxies. These cases demonstrate the importance of vision, innovation, and risk management in achieving business success. Apple revolutionized the music, phone, and tablet industries by taking significant risks. Now we watch SpaceX, which dares to re-imagine space travel. Like the Enterprise, these companies venture into uncharted territory to reap substantial rewards. They demonstrate that well-managed risk can lead to groundbreaking innovation.
• Balancing Risk and Reward: The Ongoing Mission. The Enterprise’s mission in Star Trek is ongoing, constantly adapting to new challenges and opportunities. Just as the journey of the Enterprise is ongoing, so is the risk management process. It’s about finding the right balance between taking risks and managing them prudently. This balance is crucial for sustainable growth and long-term success. Risk management is a dynamic process that has to adapt to changing objectives and uncertainties to achieve those objectives. It requires organizations to balance taking risks to achieve growth and exercising caution to ensure sustainability.

Embracing Risk as Part of the Business Voyage

In conclusion, Captain Kirk’s perspective on risk offers a valuable lens through which to view the challenges and opportunities in risk management and GRC. Organizations, much like starships, are on a voyage through the uncertain. ISO 31000 devices risk as the uncertainty in achieving objectives. OCEG defines GRC as a capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance]. Embracing and managing risk is not just a necessity; it’s a fundamental aspect of the journey toward achieving extraordinary objectives.

As Captain Kirk suggests, embracing risk is essential for organizations aiming to thrive in today’s competitive landscape. By understanding, managing, and strategically taking risks, businesses can boldly go where they have never gone before, turning potential threats into opportunities for success.

In the dynamic world of business, the Chief Risk Officer (CRO) is not merely a guardian against threats but a conductor orchestrating the organization’s movements in harmony with strategy, goals, performance objectives, and how these get melded into operations, decisions, and transactions. ISO 31000 defines risk as ”the effect of uncertainty on objectives,” emphasizing the need to manage risk defensively but proactively, embracing opportunities that contribute to business strategy and objectives.

The CRO is a conductor of the orchestra of risk to ensure that the organization has no surprises in achieving its objectives. In this exploration, we delve into the intricacies of how the CRO integrates risk management seamlessly into the business’s cycles, strategy, performance, and objectives, providing executives with the insights they need for informed decision-making.

In this context, consider . . .

[The rest of this blog can be read on the Inclus blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Embracing Risk Agility and Resilience in Modern BusinessRisk

The landscape of business operations has undergone a seismic shift. The days of simplicity are behind us, replaced by a complex web of risks, regulations, globalization, and rapid technological advancements. For organizations, big and small, aligning business strategy, operations, and processes with these evolving dynamics poses a formidable challenge. The crux of success is achieving a 360° contextual awareness of risk and resilience to the organization’s objectives. It’s no longer sufficient to merely acknowledge the existence of risks; organizations must now understand and navigate the intricate relationships between their objectives, risks, processes, and controls with a holistic lens.

Too often, risk management is relegated to a checkbox exercise, disjointing from an organization’s core strategy and decision-making processes. This misalignment often spells the downfall of even the most established brands, serving as cautionary tales for future business leaders. The key challenge lies in synchronizing risk management with the ever-evolving complexity and change inherent in modern business. Too often, risk management is buried in departmental silos, approached from merely a compliance or audit perspective rather than as an integral part of strategic decision-making. This disjointed approach fails to capture the bigger picture, leaving organizations vulnerable to unforeseen risks.

In today’s fast-paced business environment, change in one area can trigger a domino effect, impacting the entire organizational ecosystem. This interconnectedness demands a comprehensive approach to risk and resilience management. Organizations need to understand how their decisions and actions in one domain affect risks and objectives in another. This level of understanding is crucial for navigating the uncertain waters of modern business operations and maintaining integrity across all fronts.

Technology plays a pivotal role in achieving this holistic understanding. Advanced technological solutions can automate and enable risk and resilience management, offering organizations much-needed visibility and intelligence. By integrating risk management with business continuity programs, firms can foster a symbiotic interaction between these disciplines, ensuring a more resilient operational framework.

Consider the agility of a parkour athlete or the nimbleness of a character like Legolas from “Lord of the Rings.” These examples embody the essence of agility – the ability to navigate and adapt swiftly to the environment. Similarly, organizations need to cultivate this agility in their risk management practices. This agility isn’t just about avoiding threats; it’s equally about seizing opportunities and advancing organizational goals. Good risk management involves a clear understanding of the organization’s objectives, performance goals, and strategy and the ability to continuously monitor the environment for 360° situational awareness.

Organizations must be agile and resilient in today’s dynamic, distributed, and disrupted business environment. Governance, Risk, and Compliance (GRC) must be integrated with performance, objective, and strategy management to foster this duality. Operational risk and resiliency support enterprise agility, creating a symbiotic relationship essential for navigating today’s complex business terrain. The modern organization’s survival and success hinge on its ability to embrace risk agility and resilience. By integrating GRC into their core strategies and leveraging technology for holistic risk and resilience management, organizations can safeguard themselves against potential threats and position themselves to capitalize on emerging opportunities. The future of business demands a proactive, agile approach to risk management, encompassing the entire organizational ecosystem and turning challenges into catalysts for growth and innovation.

Check out these upcoming events and resources on Risk & Resilience Management by Design . . .

• RISK & RESILIENCE ILLUSTRATED
  • Risk & Resilience Management Solutions, OCEG GRC Technology Illustrated Series
    • The concept for this was designed by GRC 20/20, aligned with our market coverage of GRC technology solutions, in partnership with OCEG.
    • Stay tuned for future illustrations covering every category of GRC 20/20’s segmentation of the broad GRC market.
• WORKSHOPS
  • Atlanta, Risk & Resilience Management by Design, February 21st
  • London, Risk & Resilience Management by Design, April 24th
• WEBINARS
  • A Practical Approach to Adopting and Understanding Risk and Resilience Management Solutions
• PUBLISHED RESEARCH
  • Risk & Resilience Management by Design
  • Risk & Resilience Management Maturity Model

The structure and reality of business today have changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees, including suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacy, such as deep supply chains and sub-contracting relationships. Business today relies and thrives on third-party relationships; this is the extended enterprise.

In this context, organizations struggle to govern their third-party relationships and often manage risk and compliance in relationships in silos that fail to see the big picture of risk exposure and impact on the relationship’s objectives. Risk and compliance challenges do not stop at organizational boundaries. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships or allowing good business relationships to sour because of weak governance. Third-party problems are the organization’s problems and directly impact the brand and reputation, increasing exposure to risk and compliance matters. When questions of delivery, business practice, ethics, privacy, safety, quality, human rights, resiliency, corruption, security, and the environment arise, the organization is held accountable. It must ensure that third-party partners behave appropriately.

Fragmented governance of third-party relationships through disconnected department silos leads the organization to inevitable failure . . .

[The rest of this blog can be read on the EthixBase360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]

---

Navigating the Complexities of Modern Governance, Risk, and Compliance

Embracing Agile and Cognitive GRC in a Dynamic Business World

In an era marked by rapid regulatory changes and an ever-evolving business landscape, the second annual GPRC summit shines a spotlight on the critical importance of Governance, Risk, and Compliance (GRC) in modern organizations. The summit, a convergence of thought leaders and professionals, delves deep into the concept of agile and cognitive GRC, underlining the need for organizations to adapt swiftly and intelligently to stay ahead.

The Systemic Nature of Risk

The interconnectedness of risks in the modern business environment cannot be overstated. Risks in one area can have cascading effects on others, necessitating a systemic approach to risk management. It’s not enough to tackle risks in silos; businesses must adopt a holistic view, understanding how various risks interplay and impact the organization as a whole.

Defining GRC

At its core, GRC is about reliably achieving objectives (governance), addressing uncertainty (risk management), and acting with integrity (compliance). This triad forms the foundation of effective GRC practices, emphasizing the need to align risk management strategies with the organization’s broader goals and values.

Aligning Risk with Organizational Objectives

Effective risk management is intrinsically linked to the organization’s objectives. It’s about understanding the goals at various levels – from high-level entity objectives to specific project or third-party relationship goals – and aligning the risk management strategy accordingly.

Risk: A Tool for Success

Contrary to the traditional view of risk as a negative force to be avoided, the summit presents risk as a crucial element of business success. Like fire, when controlled, risk can propel an organization forward; when uncontrolled, it can lead to its downfall. Understanding and managing risk is not just about mitigation but about harnessing its potential for growth and innovation.

The Art of Risk Orchestration

The role of a Chief Risk Officer (CRO) is akin to that of an orchestra conductor, ensuring harmony among the different sections of an organization’s risk profile. The CRO must maintain an overarching view of the risk landscape, understanding how different risks interact and affect the organization’s ability to achieve its objectives.

Beyond Resilience: The Need for Agility

In today’s fast-paced business environment, resilience – the ability to recover from risk events – is crucial. However, organizations must also be agile, anticipating potential risks and navigating around them proactively. This combination of resilience and agility is key to thriving in a volatile business world.

The Ever-Changing Face of Modern Organizations

Organizations today are not just confined to their physical boundaries but extend to networks of third parties like vendors and suppliers. This extension translates into a complex web of interdependencies where external issues have a direct impact on internal operations. Michael highlighted the constant flux in regulations, risks, and business processes, emphasizing the need for a comprehensive approach to GRC.

The Dynamics of External and Internal Change

Businesses aren’t just battling external factors like geopolitical shifts; they’re also constantly evolving internally. Changes in business processes, strategies, technologies, and personnel demand a flexible approach to GRC. Moreover, the traditional concept of an organization, limited to its brick-and-mortar presence, has extended to include a network of suppliers, contractors, and third-party relationships, further complicating the GRC landscape.

The Global Regulatory Maze

One of the most daunting challenges for businesses today is the sheer volume of regulatory changes. Globally, financial institutions grapple with an average of 257 regulatory change events every business day. This staggering number highlights the need for a robust GRC strategy that can navigate the complexities of compliance across various jurisdictions.

The Promise of Cognitive GRC and AI

The integration of artificial intelligence (AI) in GRC processes promises to revolutionize how organizations manage risk. AI can enhance efficiency, effectiveness, and predictive capabilities, enabling businesses to stay ahead of risks and compliance requirements. However, leveraging AI in GRC also presents challenges, including ensuring the ethical use of AI and managing the complexities of AI-driven decision-making.

The Future: Business Integrated GRC

Looking ahead, the speaker envisioned a future where GRC is more deeply integrated into business processes, driven by technology. This integration would lead to a more aware, responsive, and efficient approach to managing risks and compliance.

---

The journey to agile and cognitive GRC is not just about adopting new technologies or processes. It’s a paradigm shift in how organizations view and manage risk. By embracing a holistic, forward-thinking approach to GRC, businesses can navigate the complexities of the modern world, turning risks into opportunities for growth and success. The GPRC Summit in Dubai opened a window to the future of GRC, one that is agile, cognitive, and deeply integrated with the core business processes. As businesses continue to navigate through complexities, the role of GRC as a strategic enabler becomes ever more critical. The journey towards agile and cognitive governance in GRC is not just about adopting new technologies but about a fundamental shift in how risks, compliance, and governance are perceived and managed.

In 2024, the Governance, Risk Management, and Compliance (GRC) landscape is evolving rapidly. Organizations are increasingly facing complexity and chaos driven by several factors, such as changing regulations, external risks and uncertainty, as well as dynamic and evolving business operations, processes, and technology. These drivers push companies to adopt innovative GRC strategies to stay agile, resilient, compliant, and competitive.

The key GRC trends in 2024 that GRC 20/20 Research has identified and are monitoring include:

1. GRC 6.0 – Business Integrated GRC. This trend marks a paradigm shift where GRC becomes seamlessly integrated into the core business processes. It aligns closely with the organization’s strategy, performance, and objectives. It is pushing GRC accountability and control into business processes and the business instead of additional layers of compliance band-aids disconnected from the business.
2. Risk Management = No Surprises (or Minimal). Mature risk management processes in 2024 aim to minimize surprises. Organizations increasingly use predictive analytics and other advanced tools to anticipate potential risks and mitigate them proactively. It is about forecasting risk and uncertainty on the horizon, going through scenarios, and preparing the organization for the best path forward..
3. GRC Orchestration. In 2024, GRC management will be increasingly collaborative and a cross-functional responsibility. This trend emphasizes visibility and consistency in GRC processes across all departments and functions. For instance, a multinational corporation might use common processes automated by technology across different geographic locations, ensuring uniformity and reducing risk exposure. Some solutions allow for GRC centralization while allowing some autonomy with consistency within business areas.
4. Addressing Geopolitical Risk. Geopolitical risk has become a primary focus area. Organizations need clear insights into the evolving geopolitical landscape to understand how it might impact their objectives. For example, a global supply chain company might monitor international trade policies, economic and inflation uncertainties, commodity availability, conflicts, and more to anticipate and prepare for disruptions.
5. Risk Agility. This trend involves organizations being agile in their risk management strategies. They continuously scan the horizon for potential risks, review scenarios, and chart the best path forward. An organization may use scenario planning to prepare for various economic conditions, ensuring it adapts quickly to changing circumstances.
6. Business, Strategic & Operational Resilience. The ability to quickly recover from risk events is crucial in 2024. Companies focus on building resilience in every aspect of their operations. This includes resilience of the organization’s strategy, financial resilience, and, more specifically, its operational resilience to contain and recover from risk events.
7. ESG and Integrity. With rising global concern over environmental, social, and governance (ESG) issues, organizations are working to manage the complexities of ESG commitments. This includes accurate reporting to ensure organizational integrity within the business and across the extended enterprise of third-party relationships.
8. Trust Assurance & Data GRC. Businesses increasingly focus on integrity throughout their operations, processes, transactions, data/information, and relationships. Trust is critical for investors/stakeholders, employees, customers, and business partners in today’s business. This is particularly true in dealing with the complex uncertainty and compliance requirements across information, data, transactions, and interactions.
9. The Extended Enterprise. In 2024, managing risks and maintaining ethical environments across extended business relationships is crucial. Companies must ensure that their partners, suppliers, and distributors adhere to the same ethical and compliance standards, and that risk is management in these relationships. This is particularly true in addressing ESG across the extended enterprise.
10. A.I. GRC/ A.I. Governance. The governance of AI use within organizations is a growing concern. Companies are focused on ensuring AI is used ethically and effectively to reduce uncertainty. Organizations across industries need to implement oversight of AI to review and approve AI algorithms used in the organization.
11. Cognitive GRC. Utilizing AI to enhance GRC processes is becoming more prevalent. Cognitive GRC uses AI to increase efficiency, effectiveness, resilience, and agility in GRC activities.
12. Accountability. There is a global focus on enhancing accountability in risk and compliance, particularly at the board, executive, and senior management levels. This means greater transparency and responsibility for GRC decisions and actions. The growing array of accountability regimes (e.g., U.K., Ireland, Australia, Hong Kong, Singapore, South Africa) is expanding, as well as legal accountability in the USA for key business and GRC executives.
13. GRC and Cultural Contexts. Organizations operating in diverse cultural and geographical contexts face unique compliance, ethics, and ESG challenges across these business areas. Navigating these differences requires a nuanced approach, understanding, and respecting local values and regulations.
14. GRC Engagement. The human element in GRC is critical. Ensuring employees at all levels are engaged with policies and controls and trained to identify and report issues is essential for effective GRC. Regular training and clear communication channels are key strategies in this area. This is the most important firewall in the organization, the human firewall.
15. Business Champion.: When GRC is implemented effectively, it fosters champions at all organizational levels. These champions advocate for and reinforce GRC principles, helping to embed a culture of ethics, risk management, and integrity.

In summary, the GRC landscape in 2024 is characterized by a dynamic interplay of integration, innovation, and responsiveness. The trends outlined above reflect a holistic and forward-thinking approach to governance, risk management, and compliance. Organizations are increasingly weaving GRC into the fabric of their business operations, aligning it with strategic objectives and cultivating a culture of resilience and integrity.

The shift towards Business-Integrated GRC, the emphasis on predictive risk management, and the orchestration of GRC across departments highlight a proactive and integrated approach. Addressing geopolitical risks, ensuring risk agility, and maintaining business resilience are now fundamental to organizational sustainability and success. Moreover, the focus on ESG, trust assurance, and accountability underscores the growing importance of ethical practices and transparency.

Technological advancements in AI and cognitive GRC tools are transforming how organizations manage compliance and risks, bringing efficiency and agility to the forefront. The extended enterprise concept emphasizes the need for ethical and compliant practices beyond an organization’s immediate boundaries.

Finally, the human element remains central to effective GRC. Engaging employees, fostering a culture of compliance, and creating GRC champions at all levels are crucial for embedding these practices deeply within an organization.

As we navigate through 2024, these trends in GRC are not just about managing risks or complying with regulations; they are about creating sustainable, resilient, and ethical organizations capable of achieving their objectives while thriving in an ever-changing global landscape.

In the ever-evolving governance, risk management, and compliance (GRC) landscape, organizations that have already embraced a GRC program including strategy, process, and technology, know its significance in navigating complexities and ensuring sustainable risk and compliance agility and resilience within their organization. However, the journey toward excellence is ongoing, and organizations with established GRC frameworks often seek ways to mature their programs for enhanced efficiency and effectiveness. 

Following are 7 key strategic elements to continue to elevate your GRC program to new heights of maturity . . .

Several factors contribute to this growing complexity . . .

[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Note the following analogy is focused on lack of design for a broad enterprise GRC perspective. Note that this same analogy can be applied to aspects of GRC that have no design across departments and funtions like risk management, compliance, third-party risk management, and more. Compliane and ethics management particularly suffer from no design to their processes and technology.

Unraveling the Maze of Scattered Governance, Risk Management, and Compliance

In the heart of San Jose, California, stands the enigmatic Winchester Mystery House, a testament to architectural perplexity and confusion. While this Victorian mansion boasts a rich history and an allure for tourists, its lack of design, blueprint, and oversight during construction is eerily reminiscent of organizations grappling with the complexities of scattered Governance, Risk Management, and Compliance (GRC) silos with no design, no architect, and not blueprint for GRC. Let us deliver into the labyrinth of challenges faced by entities mirroring the mystique of the Winchester Mystery House – organizations burdened by manual processes, redundancy, gaps, and a lack of integration.

The Winchester Mystery House: An Architectural Anomaly

Built in the 1800s at a staggering cost of $5.5 million, the Winchester Mystery House stands as an architectural enigma. The mansion was constructed over 38 years with the involvement of 147 different builders, and remarkably, it lacks a cohesive design, blueprint, or the guiding hand of an architect. This lack of central planning resulted in hallways leading to nowhere, doors opening to walls, staircases ending abruptly, skylights in floors instead of ceilings, and an overall sense of chaotic disarray.

Similarly, organizations plagued by fragmented and siloed GRC practices navigate a maze of challenges resembling the bewildering layout of the Winchester Mystery House. Here are key parallels between the mansion’s architectural chaos and the disorderly GRC landscape of some organizations:

• Absence of Design and Blueprint . . .
  • Winchester House: The absence of a coherent design or blueprint led to nonsensical features like staircases leading to the ceiling.
  • GRC Silos: Organizations lacking a unified GRC strategy often find themselves implementing disjointed processes, resulting in confusion and inefficiency.
• Scattered Governance . . .
  • Winchester House: Hallways and doors leading to nowhere highlight the lack of governance in its construction.
  • GRC Silos: Organizations with scattered governance experience difficulties in enforcing policies consistently across different departments and processes.
• Manual Processes and Redundancy . . .
  • Winchester House: The sheer size of the mansion and the multitude of builders led to manual processes, resulting in inefficiencies and redundancies.
  • GRC Silos: Manual processes, reliance on thousands of documents, spreadsheets, and emails create a convoluted GRC landscape with unnecessary redundancies.
• Siloed Solutions and Lack of Integration . . .
  • Winchester House: The mansion was built in sections without integration, creating a disjointed structure.
  • GRC Silos: Organizations often implement siloed GRC solutions without proper integration, leading to a lack of visibility and communication across risk, compliance, and governance functions.
• Gaps in Oversight:
  • Winchester House: The absence of an overseeing architect allowed for peculiar features like skylights in the floor.
  • GRC Silos: In organizations, gaps in oversight can result in missed compliance requirements, exposing the enterprise to unnecessary risks.

Just as the Winchester Mystery House stands as a testament to the perils of scattered construction without oversight, organizations wrestling with fragmented GRC practices face many challenges. From manual processes to siloed solutions, the parallels are striking. To overcome these challenges, organizations must invest in comprehensive GRC strategies, integrating governance, risk management, and compliance into a cohesive strategy and framework (e.g., OCEG GRC Capability Model) that is supported by well designed processes and an integrated information and technology architecture. Only through intentional design and strategic oversight can organizations avoid the perplexing maze of scattered GRC silos, ensuring a sturdy and purposeful foundation for long-term success.

Greetings! 

I trust 2024 is off to a great start. It is for me. 2023 was my busiest year in my career with extensive GRC travels around the world. 2024 looks to be every bit as busy. I am headed this week to Riyadh, and then Dubai over the weekend and into next week. Then London next Wednesday to Friday, returning home on February 3rd. Then back to London the week of February 12th. 

The GRC Market is complex with a broad platforms and many focused best of breed solutions solving specific problems and challenges. There are 365 solution providers (not counting professional service firms) that GRC 20/20 monitors in the market. Seventy-four can be classified as an Enterprise/Integrated GRC Platform that can cross departments and use cases; the rest are best-of-breed point solutions. Of these 365, GRC 20/20 actively monitors 83 of them more deeply annually, and the rest keeps abreast of and interacts with in briefings every two or three years.

It is a fast-moving market with a lot of momentum, but also a lot of nuances and niches. In 2023, GRC 20/20 answered between 10 and 20 inquiry/research questions from organizations asking about and looking for solutions every week. This accounted for over 750 interactions in 2023. These come in via email, text, LinkedIn messages, and more. Most are simple responses to questions; others go deeper. In 2023, there were 53 RFPs that GRC 20/20 monitored around the world. Some deeply, some from a distance. The 2024 outlook on the GRC market was just covered in the on-demand 2024 State of the GRC Market Research Briefing.

Times of uncertainty brings a boom to GRC related solutions and services. GRC 20/20 has never been so busy than at this very moment. While the activity is global, there is a lot of particular GRC market activity coming out of the United Kingdom and Europe right now. And the Middel East is the fastest growing market. 

Follow GRC 20/20 on LinkedIn and Twitter.

As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process. Every week GRC 20/20 is answering inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions av ailable in the GRC market . . . 

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2023, organized by topic area.

Enterprise GRC and the Broad GRC Market

Research Reports

• LogicGate Risk Cloud®: A Next-Generation GRC Management Platform
• Empowered Systems: Connected Risk: Enabling Agile, Cognitive & Business Integrated GRC
• Ansarada GRC: Streamlining Governance, Risk Management & Compliance
• Corestream: Delivering 360° Next-Generation GRC Management
• Symbiant: Delivering Agility to Risk, Compliance & Assurance Processes
• Lucara Botswana: Best in Class Enterprise GRC Management – Small Enterprise
• Farm Credit Canada: Best in Class Enterprise GRC Management – Medium Enterprise

Blogs

• Cognitive GRC: Revolutionizing GRC With Artificial Intelligence
• Building a Business Case & RFP for GRC-Related Software
• Charting the Course: Tackling GRC Challenges in Higher Education Institutions
• Challenges in GRC and the Business Case of GRC Technology
• Addressing GRC in Complex, Distributed & Autonomous Environments
• USA vs. UK/Europe in Risk & Compliance Approaches
• 2023 GRC Trends: Engagement
• 2023 GRC Trends: Accountability
• 2023 GRC Trends: Integrity (ESG)
• Why the Banking Crisis is Back
• 2023 GRC Trends: Resilience (continued) . . .
• 2023 GRC Trends: Resilience
• 2023 GRC Trends: Agility
• How Moving from Spreadsheets to a GRC Solution Provides Better Reporting
• 2023 Governance, Risk Management & Compliance Trends
• GRC in a United Kingdom Context
• 2022 GRC Research Year in Review

Risk & Resilience Management

Research Reports

• Deutsche Telekom AG: Best in Class GRC in Risk & Resilience Management – Large Enterprise
• FNZ: Best in Class Risk & Resilience Management – Medium Enterprise
• Riskonnect Business Continuity & Resilience: Delivering Value in Business Continuity & Resilience
• Inclus: Delivering an Integrated & Holistic View of Risk
• Decision Focus: Delivering 360° Risk & Control Management

Blogs

• The Chief Risk Officer and The Rhythm of Risk
• The Chief Risk Officer: The Conductor of the Orchestra of Risk Management
• Risk Management = No Surprises!
• Navigating Risk and Resilience: Balancing Complexity and Cost in GRC Solutions
• USA vs. UK/Europe in Risk & Compliance Approaches
• Geopolitical Risk and the Extended Enterprise
• Ensuring Supplier Risk & Resilience in the Extended Enterprise
• ESG, Compliance, and Resilience in the Extended Enterprises: Navigating Supplier and Vendor Relationships

Aritificial Intelligence GRC

Research Reports

• A.I. GRC: The Governance, Risk Management & Compliance of A.I.

Blogs

• A.I. Governance, Risk Management & Compliance
• A.I. GRC: The Governance, Risk Management & Compliance of A.I.
• When A.I. (Artificial Intelligence) Fails . . .
• The Challenges & Risk in Artificial Intelligence

ESG – Environmental, Social, Governance

Research Reports

• How to Market & Sell ESG Solutions & Services
• Cognizant: Best in Class ESG Management – Large Enterprise

Blogs

• Rethinking Compliance & Ethics Management in the Era of ESG
• ESG: Doing the right thing is never the wrong thing
• Why ESG Success Requires Effective Policy Management (Strategy, Systems and Processes)
• Delivering 360° Situational Awareness of ESG Starts With a Proper Diagnosis
• 2023 GRC Trends: Integrity (ESG)
• ESG, Compliance, and Resilience in the Extended Enterprises: Navigating Supplier and Vendor Relationships
• Managing Risks, ESG, and PFAS in the Extended Enterprise

Corporate Compliance & Ethics Management

Research Reports

• Ascent: Delivering the A.I. Enabled Regulatory Change Lifecycle
• Zurich Insurance Company: Best in Class Compliance & Ethics Management – Large Enterprise
• Transurban Group: Best in Class Compliance & Ethics Management – Medium Enterprise
• RegEd Regulatory Change Management: Enabling Closed-Loop Regulatory Compliance

Blogs

• 6 Ways to Create a Repeatable, Scalable Compliance Program
• A Preventative Approach To Achieving Compliance In Healthcare
• How to Keep Up With Regulatory Change
• Cognitive GRC: A.I. & Regulatory Change & Intelligence
• Enabling Closed-Loop Regulatory Compliance
• The What, Why & How of an Ethical Compliance Culture
• Measuring the Cost of Non-Compliance
• How Mortgage Lenders Can Leverage Automation to Strengthen Compliance in a Turbulent Economy
• USA vs. UK/Europe in Risk & Compliance Approaches
• ESG, Compliance, and Resilience in the Extended Enterprises: Navigating Supplier and Vendor Relationships

Third-Party (e.g, Vendor/Supplier) GRC Management

Research Reports

• New American Funding: Best in Class in Third Party GRC Management – Medium Enterprise
• Whispir: Best in Class in Third Party GRC Management – Small Enterprise
• ICON plc: Best in Class in Third Party GRC Management – Large Enterprise
• Supply Wisdom: Enabling 360° Intelligence of Third-Party Relationships

Blogs

• Navigating Third-Party Risk Management – 5 Takeaways from Michael Rasmussen
• Geopolitical Risk and the Extended Enterprise
• Ensuring Supplier Risk & Resilience in the Extended Enterprise
• Challenges in Third-Party Risk Management
• Navigating Third-Party Risk Management: An EU & UK Perspective
• ESG, Compliance, and Resilience in the Extended Enterprises: Navigating Supplier and Vendor Relationships
• Managing Risks, ESG, and PFAS in the Extended Enterprise
• Third-Party Risk Management & Intelligence Solutions
• Enabling 360° Intelligence of Third-Party Relationships

Strategy, Performance & Objective Management

Research Reports

• Be’ah: Best in Class GRC in Strategy & Performance Management – Small Enterprise

Policy Management

Blogs

• Ensuring Engagement Throughout the Policy Lifecycle
• Why ESG Success Requires Effective Policy Management (Strategy, Systems and Processes)

IT GRC Management

Research Reports

• RegScale: Providing Real-Time GRC Visibility into IT Risk & Compliance
• Guidewire: Best in Class Enterprise IT GRC Management: Medium Enterprise
• AuditBoard: Delivering Value in IT Risk & Compliance Management
• SimpleRisk: Streamlining Risk Management & Compliance

Internal & Automated Control Management

Blogs

• Navigating Complexity & Chaos: Approaching Regulatory Requirements with Control Automation
• Newell Brands: Best in Class Internal Control Management – Large Enterprise

Audit Management & Analytics

Research Reports

• AuditBoard Audit Management: Elevating Audit for Strategic Impact
• Wendy’s®: Best in Class Audit Management & Analytics – Large Enterprise
• Netafim: Best in Class Audit Management – Medium Enterprise

Issure Reporting & Case Management

Research Reports

• Soneva: Best in Class Issue Reporting & Case Management – Medium Enterprise
• Curry’s: Best in Class Issue Reporting & Case Management – Small Enterprise

Data GRC Management

Blogs

• Building Your Data Governance Strategy: A Call to Action for Data GRC

Finance GRC Management

Research Reports

• Southwest Airlines: Best in Class Finance GRC Management – Large Enterprise

Blogs

• Preparing for Tax Compliance in 2023

Identity GRC Management

Research Reports

• Identity GRC Management by Design

In an era marked by the exponential growth of data, evolving business landscapes, and increased regulatory scrutiny, effective data governance has emerged as a critical imperative for organizations of all sizes. The complexities of managing and governing data in today’s dynamic environment demand a new paradigm that aligns with business objectives, adapts to change, and encompasses a holistic approach to data governance, data risk management, and data compliance (Data GRC).

Organizations face specific challenges in data governance, including the discovery, collection, management, access, and analysis of data. These challenges require a comprehensive approach involving establishing clear responsibilities, implementing data quality measures, and ensuring secure access to data while upholding ethical data analysis practices.

Data GRC involves . . .

[The rest of this blog can be read on the Archive360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]