2023 GRC Research Year in Review

Greetings! 

I trust 2024 is off to a great start. It is for me. 2023 was the busiest year of my career, with extensive GRC travels around the world. 2024 looks to be every bit as busy. I am headed this week to Riyadh, and then Dubai over the weekend and into next week. Then London next Wednesday to Friday, returning home on February 3rd. Then back to London the week of February 12th.

The GRC market is complex, with broad platforms and many focused best-of-breed solutions solving specific problems and challenges. There are 365 solution providers (not counting professional service firms) that GRC 20/20 monitors in the market. Seventy-four can be classified as an Enterprise/Integrated GRC Platform that can cross departments and use cases; the rest are best-of-breed point solutions. Of these 365, GRC 20/20 actively monitors 83 of them more deeply annually, and keeps abreast of the rest, interacting with them in briefings every two or three years.

It is a fast-moving market with a lot of momentum, but also a lot of nuances and niches. In 2023, GRC 20/20 answered between 10 and 20 inquiry/research questions from organizations asking about and looking for solutions every week. This accounted for over 750 interactions in 2023. These come in via email, text, LinkedIn messages, and more. Most are simple responses to questions; others go deeper. In 2023, there were 53 RFPs that GRC 20/20 monitored around the world. Some deeply, some from a distance. The 2024 outlook on the GRC market was just covered in the on-demand 2024 State of the GRC Market Research Briefing.

Times of uncertainty bring a boom to GRC-related solutions and services. GRC 20/20 has never been busier than at this very moment. While the activity is global, there is a lot of particular GRC market activity coming out of the United Kingdom and Europe right now. And the Middle East is the fastest-growing market.


As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process. Every week GRC 20/20 is answering inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions available in the GRC market . . .

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2023, organized by topic area.

Enterprise GRC and the Broad GRC Market

Research Reports
  • LogicGate Risk Cloud®: A Next-Generation GRC Management Platform
  • Empowered Systems: Connected Risk: Enabling Agile, Cognitive & Business Integrated GRC
  • Ansarada GRC: Streamlining Governance, Risk Management & Compliance
  • Corestream: Delivering 360° Next-Generation GRC Management
  • Symbiant: Delivering Agility to Risk, Compliance & Assurance Processes
  • Lucara Botswana: Best in Class Enterprise GRC Management – Small Enterprise
  • Farm Credit Canada: Best in Class Enterprise GRC Management – Medium Enterprise
Blogs

Risk & Resilience Management

Research Reports
Blogs

Artificial Intelligence GRC

Research Reports
Blogs

ESG – Environmental, Social, Governance

Research Reports
Blogs

Corporate Compliance & Ethics Management

Research Reports
Blogs

Third-Party (e.g., Vendor/Supplier) GRC Management

Research Reports
  • New American Funding: Best in Class in Third Party GRC Management – Medium Enterprise
  • Whispir: Best in Class in Third Party GRC Management – Small Enterprise
  • ICON plc: Best in Class in Third Party GRC Management – Large Enterprise
  • Supply Wisdom: Enabling 360° Intelligence of Third-Party Relationships
Blogs

Strategy, Performance & Objective Management

Research Reports
  • Be’ah: Best in Class GRC in Strategy & Performance Management – Small Enterprise

Policy Management

Blogs

IT GRC Management

Research Reports
  • RegScale: Providing Real-Time GRC Visibility into IT Risk & Compliance
  • Guidewire: Best in Class Enterprise IT GRC Management: Medium Enterprise
  • AuditBoard: Delivering Value in IT Risk & Compliance Management
  • SimpleRisk: Streamlining Risk Management & Compliance

Internal & Automated Control Management

Blogs

Audit Management & Analytics

Research Reports

Issue Reporting & Case Management

Research Reports
  • Soneva: Best in Class Issue Reporting & Case Management – Medium Enterprise
  • Curry’s: Best in Class Issue Reporting & Case Management – Small Enterprise

Data GRC Management

Blogs

Finance GRC Management

Research Reports

Blogs

Identity GRC Management

Research Reports

Building Your Data Governance Strategy: A Call to Action for Data GRC

In an era marked by the exponential growth of data, evolving business landscapes, and increased regulatory scrutiny, effective data governance has emerged as a critical imperative for organizations of all sizes. The complexities of managing and governing data in today’s dynamic environment demand a new paradigm that aligns with business objectives, adapts to change, and encompasses a holistic approach to data governance, data risk management, and data compliance (Data GRC).

Organizations face specific challenges in data governance, including the discovery, collection, management, access, and analysis of data. These challenges require a comprehensive approach involving establishing clear responsibilities, implementing data quality measures, and ensuring secure access to data while upholding ethical data analysis practices.

Data GRC involves . . .

[The rest of this blog can be read on the Archive360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Navigating Third-Party Risk Management – 5 Takeaways from Michael Rasmussen

Third-party relationships have become increasingly critical in the rapidly transforming landscape of global business. Gone are the days when a company’s operations and success depended solely on its internal resources and capabilities. In the current business environment, third-party entities such as suppliers, vendors, contractors, and partners play a crucial role in a company’s growth, innovation, and competitive edge. However, this reliance on external entities also introduces a range of risks that can significantly impact a company’s reputation, financial health, and operational stability.

As the complexity of business relationships expands, so does the spectrum of risks associated with third-party relationships. These risks can stem from various sources, including financial uncertainties, reputation and brand, resilience and continuity, compliance issues, cybersecurity threats, and geopolitical dynamics. The challenge for businesses is to identify and understand these risks and develop effective strategies to manage and mitigate them.

The organization’s approach to third-party risk management needs to . . .

[The rest of this blog can be read on the EthixBase360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Geopolitical Risk and the Extended Enterprise

I love my career as an analyst; I research the challenges organizations face in the context of governance, risk management, and compliance (GRC) and how they solve those challenges with strategy, process, and technology. However, if I could redo my career, I would want to be in geopolitical risk management (honestly, that would be my second choice after being a vicar in a small English parish in an idealized 1950s setting solving mysteries, think Grantchester).

Consider the following . . .

“Organizations that take a serious, systematic, and senior-driven approach to political risk management are likely to be surprised less often and recover better.”

Condoleezza Rice and Amy Zegart, Political Risk: How Businesses and Organizations Can Anticipate Global Insecurity (Hachette, 2018)

Geopolitical risk management is an increasingly crucial aspect of an organization’s Governance, Risk Management, and Compliance (GRC) or Enterprise Risk Management (ERM) program. The global landscape constantly shifts due to political instability, economic changes, and social upheaval. These changes can significantly impact an organization’s objectives, operations, and supply chains across the extended enterprise. Understanding and managing these risks is essential for sustainable growth and resilience.

Geopolitical risks refer to the potential impact that political decisions, events, or conditions in one or several countries can have on an organization’s operational and financial performance. These risks can emerge from various sources, including government policies, regulatory changes, political instability, elections, economic sanctions, trade wars, and terrorism. Natural disasters and other conditions, of course, intersect and play into and influence these as well. The goal is to orchestrate and integrate geopolitical risk management into the organization’s strategy, operations, and decisions to minimize surprises in achieving the organization’s objectives.

Incorporating geopolitical risk into an organization’s GRC/ERM program involves several steps:

  1. Risk Identification. Identify geopolitical risks specific to the organization’s objectives, strategy, operations, markets, and supply chains.
  2. Risk Assessment. Evaluate the likelihood, velocity, and potential impact of these risks on the organization and its objectives.
  3. Risk Mitigation. Develop strategies to leverage geopolitical risk to the organization’s advantage and objectives while mitigating these risks’ negative exposure.
  4. Risk Monitoring and Review. Continuously monitor the geopolitical landscape and adjust the organization’s objectives and risk management strategies accordingly.

Geopolitical risks can have a direct impact on an organization’s strategic objectives. For example, changes in trade policies can affect market access, while political instability can disrupt operations in a specific region. Economic sanctions can limit business opportunities or increase operational costs.

Operational impacts include:

  • Disruption of Supply Chains. Political unrest or border closures can disrupt supply chains, leading to delays or increased costs. We have seen this extensively with the war in Ukraine and the disruption in supply chains during COVID lockdowns.
  • Regulatory Compliance. Changes in regulations can require operational adjustments to remain compliant.
  • Political Changes. The UK’s decision to leave the EU brought about regulatory and trade changes, impacting European businesses and others worldwide.
  • Market Volatility. Political decisions can lead to market uncertainty, affecting investments and financial stability. The U.S.-China trade war significantly impacts global trade, affecting companies with supply chains or markets in these countries.

In my opinion, any good Chief Risk Officer today (or those in other risk roles like third-party/supply chain risk management) will be an avid reader of The Economist and similar publications. This includes taking in geopolitical risk feeds of developments worldwide daily (GRC 20/20 tracks a variety of these feeds that can plug into GRC/ERM/third-party risk systems to give continuous updates on geopolitical risk across the extended enterprise). This is also a key point of discussion at next week’s Third Party Risk Management by Design Workshop in London. Organizations must integrate geopolitical risk management into their GRC/ERM framework through the following:

  1. Enhance Geopolitical Risk Intelligence Capabilities. Invest in geopolitical risk intelligence feeds and analytics to understand potential geopolitical disruptions.
  2. Scenario Planning. Develop scenarios for possible geopolitical events and their potential impact on the organization and its objectives.
  3. Diversify Operations. Reduce dependence on politically unstable regions by diversifying markets and supply chains.
  4. Stakeholder Engagement. Engage with governments, NGOs, and other stakeholders to understand and influence the geopolitical landscape.

Geopolitical risk management is no longer an optional part of an organization’s risk management strategy; it is a necessity. The dynamic nature of global politics requires organizations to be proactive, agile, and well-informed. By effectively integrating geopolitical risk management into their GRC/ERM programs, organizations can protect themselves from potential threats and identify new opportunities in an ever-changing global landscape.

6 Ways to Create a Repeatable, Scalable Compliance Program

Compliance programs are critical in ensuring organizations adhere to established regulations, laws, and ethical standards, fostering trust with stakeholders, employees, business partners, and the public. A repeatable and scalable compliance program ensures consistency and efficiency in managing compliance risks across various operational scales and ensures compliance in the context of regulatory/obligation and business change. Organizations across industries and sizes must create a compliance program that meets the legal requisites and is repeatable and scalable in a dynamic, distributed, and ever-changing business environment.

What’s Required to Establish a Successful Compliance Program?

Creating a scalable and repeatable compliance program requires . . .

[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

The Chief Risk Officer and The Rhythm of Risk

Building on my recent blogs Risk Management = No Surprises, and particularly The Chief Risk Officer: The Conductor of the Orchestra of Risk Management, we now pick up on that theme and explore the Chief Risk Officer and The Rhythm of Risk in the business . . . 

The concept and term The Rhythm of Risk is not my own but comes from a conversation I had with my friend Brad Jewett (a fellow OCEG Fellow) about fifteen years ago. At the time, he was the enterprise risk director of Microsoft (he is currently the CFO of Corel Corporation). I have expanded on this conversation in my thoughts below.

In the intricate orchestra of business, the Chief Risk Officer (CRO) is tasked with choreographing the organization’s steps around the rhythm of risk, ensuring that every movement is aligned with the company’s strategic beat and performance objectives. The ISO 31000 definition of risk as “the effect of uncertainty on objectives” is the foundation for this alignment, emphasizing that managing risk is not just about avoiding threats but also about embracing opportunities that contribute to achieving business goals. Here, we explore how the CRO manages risk within the business’s cycles, strategy, performance, and objectives, providing executives with the relevant risk information they need to make informed decisions . . .

  • Setting the Tempo: Risk and Business Cycles. With its ebb and flow, the business cycle is like a musical composition with varying tempos. The CRO must understand these rhythms and set the pace for risk management accordingly. This means identifying the risks associated with different phases of the business cycle, from expansion and peak to contraction and trough, and aligning risk strategies to protect and propel the business through each phase.
  • Composing the Strategy: Risk in Strategic Planning. Strategic planning is where the organization’s objectives are composed, and it is here that the CRO must integrate risk management into the broader corporate strategy. By understanding the strategic objectives, the CRO can identify what uncertainties could impact these goals and provide insights on managing them. This ensures that risk management is not a siloed function but a key part of strategic planning, contributing to the overall direction and success of the organization.
  • Orchestrating Performance: Risk and Business Objectives. Performance metrics are the score by which a business’s success is measured, and for the CRO, it is crucial to ensure that risk management contributes positively to these metrics. The CRO must provide risk information that is not only timely and accurate but also relevant to the objectives against which executives are measured. This involves translating risk data into actionable intelligence to inform decision-making processes and drive performance.
  • Synchronizing Movements: Aligning Risk Information with Objectives. The relevance of risk information is pivotal; it must resonate with the strategic objectives and the key performance indicators (KPIs) that executives use to gauge success. The CRO must, therefore, tailor the communication of risk insights to match the rhythm of the business, ensuring that it aligns with the cadence of the objectives being pursued. This tailored approach helps executives to see risk management as an integral part of achieving their goals rather than as a separate or competing agenda.
  • The Crescendo: Leveraging Opportunities. In line with ISO 31000, the CRO’s role is not limited to managing adverse effects but also involves recognizing and seizing opportunities that arise from uncertainty. By providing a balanced view of risks and opportunities, the CRO can help the organization reach a crescendo of strategic success, turning potential threats into advantages that can lead to competitive gains and value creation.

In the rhythm of risk, the Chief Risk Officer plays a critical role in ensuring that the organization moves to the beat of strategic growth and performance objectives. This role is the composer who integrates risk management with business cycles, the strategist who aligns risk with corporate planning, and the conductor who ensures that risk information is in sync with the executive measures of success. Ultimately, the CRO’s work enables the organization to dance confidently amid uncertainties, turning the rhythm of risk into a pathway to resilience and strategic achievement.

The Chief Risk Officer: The Conductor of the Orchestra of Risk Management

I am in London this week and next week and always love going to the London Symphony Orchestra or more intimate settings like the baroque performances at St. Martin in the Fields.

Navigating the complex and dynamic landscape of organizational risk requires a leader with a keen sense of balance, foresight, and an ability to harmonize diverse elements. Much like a conductor who leads an orchestra through intricate compositions, a Chief Risk Officer (CRO) orchestrates the management of various risks to ensure the smooth operation and sustainable growth of a company. The CRO, much like a conductor of an orchestra, plays a vital role in harmonizing the various types of risks in alignment with the organization’s objectives. The CRO ensures that risks are managed in context, conducting a symphony of resilience and strategic success. By managing uncertainty (risk) in achieving objectives, the CRO works with the business to establish appropriate risk tolerances and proactively sees risks across its silos within the organization to address the complexity of interconnected uncertainties. The CRO guides the organization toward achieving its goals, creating a masterpiece of stability and strategic achievement (similar to my previous blog on Risk Management = No Surprises!).

Just as a conductor leads an orchestra through a symphony, ensuring each section contributes to the overall masterpiece, a CRO orchestrates the management of risk across an organization. This analogy becomes even more vivid when we consider the ISO 31000 definition of risk as “the effect of uncertainty on objectives.” The CRO, like a conductor, ensures that risk is managed in the context of achieving the organization’s objectives, aligning different types of risks to create a harmonious performance.

The Symphony of Objectives and Risk

An organization, much like a piece of music, has its objectives, ranging from entity-wide goals to specific targets for divisions, departments, processes, projects, assets, or relationships. The CRO plays a pivotal role in ensuring that risks are managed in alignment with these objectives, conducting a symphony that balances uncertainty and strategic direction.

The CRO holds the baton of risk management, conducting the different sections of risks to create a balanced and harmonious performance. Just as a conductor has a deep understanding of music and the unique characteristics of each instrument, the CRO possesses an in-depth knowledge of various risk types and how they interact within the organizational framework.

Imagine the following (of course, simplified for the analogy) . . .

  • The Melody of Strategy. Just as the string section provides the melody in an orchestra, strategic risks shape the long-term direction of the organization. The CRO ensures that these risks are in harmony with the company’s objectives, guiding the organization toward its aspirations and goals.
  • The Rhythm of Operations. Operational risks, represented by the woodwinds, are essential for the daily functioning of the company. The CRO harmonizes these risks, aligning internal processes, people, and systems with the organization’s objectives to maintain a smooth performance.
  • The Dynamics of Finance. Financial risks, akin to the brass section, have a powerful impact on the organization. The CRO manages these risks in context of the company’s financial objectives, mitigating exposure to market fluctuations, credit risks, and liquidity concerns.
  • The Tempo of Reputation. Reputational risks, represented by the percussion, influence public perception and the organization’s standing in the marketplace. The CRO pays close attention to these risks, ensuring that the company’s reputation is managed in alignment with its objectives for stakeholder trust and market presence.

Anticipating the Crescendos and Diminuendos

The conductor has a unique vantage point, able to see and hear every part of the orchestra. Similarly, the CRO possesses a holistic view of the organization’s risk profile, enabling them to see across different risk categories and anticipate potential challenges.

With the ISO 31000 definition in mind, the CRO’s role extends beyond balancing different types of risks; they must also ensure that risks are managed in the context of the organization’s diverse objectives. They conduct risk assessments and implement mitigation strategies across various risk categories, ensuring that the organization is in tune and aligned with its strategic, operational, financial, and reputational objectives. They use this insight to proactively address risks, ensuring that the organization is prepared to face uncertainties and navigate through turbulent times.

Just as a conductor ensures that no section overpowers the others, the CRO works to maintain a balance between different types of risks. They monitor the risk landscape, identifying when a particular risk category is out of tune or misaligned with the rest. This involves setting and enforcing risk tolerances, conducting regular risk assessments, and implementing mitigation strategies to keep the organization on track.

Just as a conductor anticipates changes in a musical score, adjusting the orchestra’s performance accordingly, the CRO uses their holistic view of the organization’s risk profile, aligned with the objectives of the organization, to anticipate potential challenges and navigate through uncertainties. The role of the CRO and the enterprise risk department ensures that the organization is prepared for risk crescendos and diminuendos, maintaining a balanced performance in alignment with the organization’s objectives.

In the symphony of organizational success, the Chief Risk Officer plays the vital role of conductor, harmonizing different types of risks to create a balanced and resilient performance. By maintaining a keen awareness of the risk landscape, setting appropriate tolerances, and proactively managing risks, the CRO ensures that the organization stays in tune, aligned, and ready to face the uncertainties of the business world. Like a maestro leading an orchestra through a complex composition, the CRO orchestrates the management of risks, guiding the organization toward harmony, stability, and strategic success.

Risk Management = No Surprises!

I am in Sweden this week, where tomorrow I provide a keynote to 102 risk officers and directors at the SWERMA (Swedish Risk Management Association)’s ERM Day 2023. In general, I find the risk management thinking in Europe to be more aligned with the business, whereas, in North America, it is more of a compliance exercise, too often tied to Sarbanes-Oxley.

Let me tell you a story . . . 

I taught my Risk and Resilience Management by Design Workshop in Amsterdam in September. During the day, I had a great interaction with a Chief Risk Officer from a European life sciences company. He told me the following story . . . 

After being hired as the Chief Risk Officer, he met the CEO for the first time. The CEO looked him in the eye and stated, “So, you are the new CRO. Tell me what that means to me?”

He looked him back in the eye and stated, “My job is to ensure you have no surprises in achieving the organization’s objectives.” The CEO thought that was brilliant and the best definition of risk management he had ever heard.

ISO 31000 defines risk “as the uncertainty on achieving objectives.” Risk needs context, and that context starts with the organization’s objectives. They can be financial objectives, they can be operational objectives, or even ethical/ESG objectives. Objectives can be high-level entity objectives that are driven down into division, department, process, project, or asset-level objectives. Even supplier and third-party relationships start with objectives and purpose to the relationship. 

The context for risk management is objectives, as ISO 31000 states. That is why ISO 31000 and its foundation in AS/NZS 4360 influenced and framed the OCEG GRC Capability Model. GRC, as defined in the OCEG model, is “a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].”

Risk management needs context, and that is the organization’s objectives (at their varying nested levels). As an analyst covering software in the market, I specifically look for how a risk management solution starts with objectives. If it does not, it is not my ideal solution. Even in ESG, I look for how the solution starts with the ESG objectives of the organization. Any ESG solution that starts with risks and not objectives is not worth much. 

As this CRO states, his job is managing uncertainty to ensure there are “no surprises” in achieving the organization’s objectives. Of course, there can still be surprises as things catch us off guard. However, it is the role of the Chief Risk Officer to ensure that executives and the business are fully informed of risks to their objectives to minimize uncertainty and surprises so they can reliably achieve those objectives. 

What also is brilliant about this CRO’s response . . . it puts risk accountability with executives and the business. Risk management’s job is to facilitate risk management across the organization and communicate and engage on risk in the context of objectives. Risk management has done its job if the risk management function has fully communicated this and the business owns and drives forward for gain or loss. It is not the job of risk management to ‘own’ risk but to communicate risk in the context of objectives. It is the role of executives and the business to own the risk in their decisions.

Cognitive GRC: Revolutionizing GRC With Artificial Intelligence

As we venture deeper into the digital era, the role of Artificial Intelligence (AI) in Governance, Risk Management, and Compliance (GRC) cannot be overstated. Cognitive GRC (what GRC 20/20 refers to as GRC 5.0: Cognitive GRC) is the intersection of GRC and AI, promising a future where GRC is not just a bureaucratic necessity but a strategic enabler of business performance and resilience.

Cognitive GRC refers to the application of AI (cognitive technologies) to GRC functions, effectively facilitating intelligent, automated, and informed decision-making processes that minimize risk and ensure compliance. AI brings unprecedented efficiency, effectiveness, resilience, and agility through the cognitive automation of GRC, allowing organizations to respond proactively to risks and compliance and gain insights to navigate the organization and achieve objectives in an era of uncertainty.

Consider the following AI technologies and some examples of their potential Cognitive GRC use cases . . .

[The rest of this blog can be read on the TruOps blog, where GRC 20/20’s Michael Rasmussen is a guest author]

A.I. Governance, Risk Management & Compliance

Organizations increasingly employ A.I. to enhance efficiency and decision-making processes in the modern business landscape. However, using A.I. presents numerous governance, risk management, and compliance (GRC) challenges that need meticulous attention. Within the scope of an enterprise perspective of GRC is the growing domain of A.I. GRC – the governance, risk management, and compliance over the use of artificial intelligence. The Open Compliance and Ethics Group (OCEG) defines GRC as “a capability to reliably achieve objectives, address uncertainty, and act with integrity.”

Adapting the definition of GRC to address the specifics of A.I., A.I. GRC is the capability to reliably achieve the objectives of A.I. models and their use, to address the uncertainty and risk in the use of A.I., and to act with integrity in the ethical, legal, and regulatory use of A.I. in the organization’s context. 

  • A.I. Governance. Governance in A.I. involves overseeing and guiding A.I.-related initiatives and the use of A.I. technology and models to ensure alignment with organizational objectives and values. Proper governance implies establishing clear A.I. policies, procedures, and decision-making frameworks. These frameworks should help an organization “reliably achieve objectives” of the organization and ensure that the objectives and design of the A.I. models in their intended purpose are also achieved. Thus, the governance of A.I. involves strategic planning, stakeholder engagement, and performance and A.I. usage monitoring to ensure A.I. projects effectively meet their intended objectives and contribute positively to the broader organizational objectives.
  • A.I. Risk Management. Risk management in A.I. refers to identifying, assessing, and managing the uncertainty associated with developing, using, and maintaining A.I. technologies. These risks range from technical aspects, such as security breaches or system failure, to ethical aspects, like algorithmic bias or privacy infringement. Risk management is about addressing uncertainty. Given their potential to hamper an organization’s operations or reputation, A.I.-related risks require comprehensive risk assessments and robust risk mitigation strategies.
  • A.I. Compliance. Compliance is a critical aspect of A.I. implementation. As A.I. technology evolves, so does the regulatory landscape surrounding its use. Compliance in the A.I. context means adhering to relevant legal requirements, industry standards, and ethical norms. Compliance equates to “acting with integrity.” This involves adhering to regulations like GDPR for data privacy and adopting ethical A.I. practices to maintain transparency, fairness, and accountability in A.I. applications. In today’s era of ESG – environmental, social, and governance – the ethical use of A.I. is part of the organization’s ESG commitments. 

Incorporating core GRC principles in the responsible use of A.I. involves building a culture that values ethical A.I. use and behavior, transparency, and consistent improvement. 

The blog above is taken from GRC 20/20’s paper on: A.I. GRC: The Governance, Risk Management & Compliance of A.I.
