Chief Ethics & Compliance Officer: SWOT Analysis

Last week a Global CECO (manufacturing company operating in more than 60 countries with over 17,000 employees) reached out to me about a research piece I had published back in 2012 (a report I wrote for OCEG). It was a SWOT Analysis of the CECO role. This CECO asked me if I had updated it, as it had provided him insight into his career and direction six years back, and he was curious how my research and thoughts on this have changed since then. Before we get into my current SWOT analysis of the CECO role, it is important to understand a few things happening that are shifting the role of compliance in organizations . . .

  • Compliance as the Bastion of Organization Integrity. For the past fifteen years I have stated that if we could rebrand the CECO role I would advocate for it to be the Chief Integrity Officer, but we already have a CIO, so that most likely will not work. Integrity is the purpose and focus of compliance and ethics. This is becoming more and more apparent as the years move on and the compliance and ethics role evolves.
  • Compliance is Dealing with Lots of Change. The greatest challenge for the compliance and ethics function is keeping up with change, and then keeping all that change in sync. There is a barrage of regulatory, risk, and business change happening. Global financial services firms are dealing with 216 regulatory change events every business day (source: Thomson Reuters). Other industries are seeing a similar onslaught of evolving legislation, regulation, litigation, and enforcement actions. But the business is changing just as rapidly through shifts in strategy, employees, technology, mergers/acquisitions, and more. The challenge is keeping all that change in sync. Being intelligent about the law or regulation does not make you compliant if compliance is not operational in context of an evolving and dynamic organization.
  • Compliance Becoming an Independent Function in the Organization. There has been increased pressure for the compliance and ethics function to report outside of legal. This comes from a string of consent decrees, deferred prosecution agreements, non-prosecution agreements, corporate integrity agreements, and changes to the US Sentencing Commission Organizational Sentencing Guidelines. Compliance has the duty to discover and fix, while legal generally has the duty to deny and protect. These duties can be at odds with each other and create a conflict. So in a slight majority of organizations we now see that the operational aspects of compliance report outside of legal. As a result, compliance functions are getting their own budgets and looking for improvements in compliance/ethics strategy, process, and technology to support their initiatives.
  • Compliance Accountability (more than Responsibility). Regulations like the United Kingdom’s Senior Managers Regime/Certification Regime (which has had a cascading impact on other jurisdictions such as Australia, Singapore, Hong Kong, Japan, and Ireland) are focused on holding senior managers and executives personally accountable for compliance failures that result from negligence or lack of due diligence. Last year, Barclays’ CEO was fined over £640,000 (nearly $900,000) under UK SMR/CR in the context of a whistleblower issue. He personally had to pay this, and the bank cannot reimburse him. I have likened UK SMR/CR to the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them (for all of you Tolkien fans). It is the regulation of all regulations that puts personal accountability and exposure on senior managers and executives.
  • Compliance Roles Gaining Risk Management Skills. Another paradigm shift I have been monitoring for the past twelve+ years is the dichotomic difference in compliance between the USA and much of the rest of the world. In the USA you have a very prescriptive, check-box mentality to compliance. Organizations want their checklist, and if they check the checkboxes they want their get-out-of-jail-free card. This is in contrast to what we see in the UK, across Europe, and much of the rest of the world, which takes a principle- or outcome-based approach to compliance. In this approach organizations are not given a checklist, but are told what the expected outcomes or principles are. The way one organization achieves compliance is different from the way another organization might choose to get there. The focus is on the end results. This requires that compliance executives have a stronger background in risk management, as they have to understand the compliance risk and choose the best approach to mitigate the risk for their particular organization’s situation. As regulations are written with a cross-jurisdictional impact, like GDPR, principle/outcome-based approaches are making a global impact, requiring compliance executives to build strong risk management skillsets.
  • Compliance as a Federated Function. There are lots of departments of compliance – corporate compliance, HR compliance, IT compliance, quality compliance, environmental compliance, health & safety compliance. The CECO role is becoming a facilitator and leader of compliance across these departments in a federated and collaborative capacity.

SWOT Analysis of the Chief Ethics & Compliance Officer Role

SWOT Analysis is a powerful technique for identifying strengths and weaknesses, and for examining the opportunities and threats a CECO faces in managing and maintaining organization integrity and driving toward a strategy of Principled Performance®.  A SWOT analysis can help a CECO develop his or her career in a way that takes best advantage of one’s talents, abilities, and opportunities. What makes SWOT particularly powerful is that with a little thought, it can help uncover opportunities an executive can take advantage of. By understanding one’s weaknesses, an executive can manage and eliminate threats that could otherwise catch them unaware. More than this, using the SWOT framework, the CECO can start to distinguish him or herself from peers, and move quickly to develop the specialized talents and abilities needed to accelerate one’s career.

Approaching a SWOT analysis on a role/function like the CECO can be divided into:

  • Internal Qualities
    • Strengths: Your personal professional capabilities 
    • Weaknesses: Your personal professional challenges
  • External Dynamics
    • Opportunities: Organizational prospects to leverage and advance your career 
    • Threats: Organizational challenges to overcome and advance your career

Strengths: Professional Capabilities

  • Enabler & leader, who strives to enable the organization to reliably achieve objectives while addressing uncertainty and acting with integrity.
  • Evangelist & visionary, who provides leadership, direction, and insight for creating and protecting organization integrity, ethics, and values, as well as maintaining compliance with laws, regulations, policies, and procedures.
  • Energetic & engaging, with good communication skills that build interest in better approaches to compliance management, ethics, and values throughout the organization.
  • Agile & versatile, bringing broad experience in compliance, ethics, regulatory issues, and corporate values, and how they impact other business disciplines and roles.
  • Dedicated & driven, a passionate goal-oriented problem-solver who moves the enterprise forward through strong execution in finding and fixing compliance and ethical problems while enabling the business to execute on strategy in a principled manner.
  • Collaborator & facilitator of compliance and ethics across a range of compliance functions scattered across the business and operations, who acts as a partner with peers in the organization and is adept at leveraging best practices and initiatives across operating units.

Weaknesses: Professional Challenges

  • Limited technical acumen, as most compliance roles have grown out of legal, which has often been more comfortable with documents and paper and has limited understanding of how technology can make compliance more efficient, effective, and agile. When compliance executives are approached with technology they tend to find a solution to a specific problem as opposed to thinking big picture about how an integrated compliance technology architecture can provide greater contextual insight into compliance.
  • Manual processes and myopic technology, related to the limited technical acumen, which overwhelm the compliance officer and function with documents and manual processes that take time to reconcile and report. For example, one organization was spending 200 FTE hours building a compliance report that now takes them 1 minute.
  • Project management skills are needed, as compliance and ethics management has become a complex and intricate set of projects, tasks, and reports that require compliance management to have an integrated view into compliance deadlines, resources, reports, and activities. This means that the CECO needs to have strong project management capabilities.
  • Federated facilitation experience, because while the CECO role is the figurehead of compliance, this role often has a limited view into the expanse of compliance across departments. The CECO role needs to be the chief herder of the compliance cats to get the various fragments of compliance scattered in business operations to work together collaboratively.
  • Moving beyond checklists, the compliance function has a tendency to focus on corporate compliance checklists to find and resolve compliance issues, and now is being challenged to understand compliance risk and take on ethics, values, social responsibility, and become a champion for corporate culture.
  • Stigma of the corporate cop, the compliance role has historically been seen as a corporate cop rather than a strategic and operationally influential champion of organization integrity. This leads to a misperception of compliance being the department of NO instead of the principled enabler of ethical business.
  • Fire fighting and reactive approaches to compliance, where resources are consumed in investigations and putting out compliance fires which leaves little to no resources for proactive planning of compliance and ethics. The CECO is constantly behind in trying to keep a changing business compliant while reacting to ever-changing laws, regulations, and court and regulatory rulings.

Opportunities: Organization Prospects

  • Focus on integrity, in which the compliance and ethics function continually assesses regulatory, ethical, and social responsibility trends to develop a full understanding of mandatory and voluntary obligations and requirements for compliance that align with the organization’s values.
  • Federated Governance, Risk Management & Compliance (GRC) focus, in which the CECO is part of an executive strategy to enable an organization “to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” This requires that the CECO be able to collaborate across the range of compliance areas that he or she has not typically covered before, to facilitate compliance across the organization.
  • Leverage an integrated information and technology architecture to manage the range of compliance projects, tasks, assessments, exams/audits, investigations, policies, and training, so that the organization has 360° contextual intelligence on compliance and there is one common portal for policies and training for employees.
  • Enable the organization to be a Principled Performer to pursue competitive advantages with superior GRC capability aligned with compliance and ethics that is kept current and managed in a dynamic business, risk, and regulatory environment.
  • Improve compliance reporting to senior management and the board by integrating compliance metrics and information into existing reporting processes and forms to assist in their fiduciary obligations of oversight of compliance.
  • Build superior shareholder relations and broader stakeholder communications around ethics, values, and compliance activities.

Threats: Organization Challenges

  • Third party risk and compliance, in which vendors, suppliers, outsourcers, and the like expose the organization to issues of fraud, corruption, social responsibility, and compliance violations across these extended business relationships that result in reputational damage and substantial fines and penalties. Over half of insiders are not traditional employees but third parties, which requires that a compliance program extend across third party relationships.
  • Keeping a changing organization in sync with changing compliance requirements, as the volume of change impacting compliance is staggering. Being knowledgeable about regulations and the law does no good if the organization is not operationally compliant. Keeping a dynamic business compliant with ever-changing laws, regulations, and enforcement actions is a huge issue for most organizations.
  • Lack of competitive edge as competitors with more agile, effective, and efficient compliance programs outpace the organization in the market as it is encumbered with slow processes and reactive approaches. This stems from:
    • Failure to implement adequate compliance and ethics infrastructure and architecture to monitor, mitigate, and respond to compliance and conduct risk of unethical conduct.
    • Inadequate integrated GRC technology infrastructure, which reduces the quality and flow of information.
    • Siloed processes and systems causing delayed reporting and inconsistent quality and reliability of risk information.
    • Document-centric approaches that handicap compliance reporting and its relative value to the rest of the organization.
  • Culture reinforcing compliance communication after an event or incident occurs, rather than proactively identifying potential problems before they occur.

Leveraging Data Classification to Enable GDPR/CCPA Data Subject Requests

Regulatory requirements are driving organizations to clearly define processes to manage personal data requests from data subjects [1], which in turn requires clear data classification and disposition controls in the environment. Chief among these regulations is the EU General Data Protection Regulation (GDPR), but following suit later this year is the California Consumer Privacy Act (CCPA).

A key component of these regulations, with some nuances between them, is to assure data subjects of the control, use, protection and privacy of their personal data. To do this, GDPR empowers data subjects with specific rights. These rights enable data subjects to make specific requests and be assured that their personal data is only used for approved purposes for which it was provided. They include the right to access and rectify data collected on the data subject, the right for erasure of personal data, and the right to object to the data subject’s information being used.

These data subject rights provide the foundation for GDPR and CCPA compliance and an organization, the . . .

[The rest of this blog is continued as a guest blog by GRC 20/20 on the InfoGoTo site]

Managing Risk Across Third-party Relationships

Organizations are an intricate organism of complex relationships. The modern organization does not operate in isolation, but as part of an ecosystem of interactions with third parties.

The physicist Fritjof Capra made an insightful observation on living organisms and ecosystems that also rings true when applied to third-party risk management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]

Capra’s point is that biological ecosystems are complex and interconnected requiring a holistic understanding of the intricacies as an integrated whole rather than a dissociated collection of parts.  Change in one segment has cascading effects and impacts on the entire ecosystem.

This is also true in third-party management . . .

This article is continued as a guest blog written by GRC 20/20 at SureCloud. Please click on the link below to finish reading.

GRC Take 2: Key Factors in Choosing a New GRC Vendor

Governance, risk management, and compliance (GRC) is something every organization does: it is part of business. Whether the organization calls it GRC, ERM, EHS, or something else, every organization has some approach to GRC. It can be completely manual, broken, and reactive, or it can be optimized, aligned, and integrated. The key question is how we can improve GRC-related processes and information. How can we make them more efficient, effective, and agile?

GRC itself is about a strategy and process of collaboration between functions to share information to aid the organization in achieving objectives. The official definition of GRC is that it is an “integrated capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].”

Technology plays a critical role in GRC strategy and process. Through technology, GRC processes can become more efficient, effective, and agile. Technology enables GRC. However, many organizations find that they have outgrown their current GRC technology platform. Some common issues I hear from organizations frustrated with their current technology architecture for GRC are that it is . . .

[this is continued as a guest blog written by GRC 20/20 Research on the IsoMetrix Blog]


Are Your Policies a Mess? A Maze of Confusion?

Effectively managing policies is easier said than done. Ad hoc or passive approaches mean that policies are outdated, scattered across the organization, and inconsistent, resulting in confusion for recipients and a nightmare to manage. Organizations often lack a complete inventory of policies, as so many departments have gone in different policy directions. Further, there is significant concern about rogue policies, as anyone can create a document and call it a policy, which may put a legal duty of care upon the organization.

Policies must be in place so the organization can:

  • Reliably achieve objectives
  • Manage and control uncertainty
  • Safeguard the workplace
  • Protect the organization from unnecessary risk
  • Ensure consistent operations
  • Uphold ethical values
  • Address compliance obligations
  • Defend the organization should it land in turbulent legal and regulatory waters

In order to achieve effectiveness, efficiency, and agility in policy management, organizations need to define a structured governance framework and process. Designing a mature policy management program and processes that align with the organization requires an understanding of what the organization is about, how it operates and how it should be monitored and controlled. Policy management by design requires a structured approach in context of how the organization operates. This is done through defining the right process, information and technology architecture for policy management.

The continual growth of regulatory requirements, complex business operations, and global expansion demand a well thought-out and implemented approach to policy management. It is no longer enough to simply make policies available. Organizations need to guarantee receipt, affirmation, and understanding of policies across the organization. To consistently manage and communicate policies, organizations are turning toward defined processes and technologies to govern policies and implement an effective policy management lifecycle.

Maintaining Internal Controls in Dynamic and Distributed Business

Organizations operate in a field of risk landmines. The daily headlines reveal companies that fail in risk, compliance, and internal controls. Business today is complex in its operations and corresponding internal control obligations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, and operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to an internal control program. As organizations expand operations, their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal and external risk in context of a changing business environment. What may seem insignificant in one area can have profound impact on others.

Risk and control are like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing requirements and fluctuating risk exposure, yet fail to actively manage and understand the interrelationship of internal control data in the context of business and business change. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing internal controls as well as a changing business environment, and ensure the changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined internal control practices that are monitored and adapted to the demands of a changing business and regulatory environment.

Today’s business entity must ensure internal controls are understood and managed company-wide; that internal controls are more than a list in a spreadsheet, but are part of the fabric of business operations and processes. A strong culture of control ensures transparency, accountability, and responsibility as part of its ethical environment. A strong internal control program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure to the organization’s integrity.

Traditional processes of managing internal control programs (e.g., shared drives, spreadsheets, emails, etc.), can be time-consuming, error-ridden, mundane, and most importantly lacking in providing transparent insight on the state of controls across the organization. Requirements and processes can change frequently as a result of new or emerging risks, making it increasingly difficult for organizations to identify control requirements, map them against organizational processes, and then report on the level of compliance across the enterprise.

The organization has to be able to see the individual area of control as well as the interconnectedness of risk and controls. A GRC professional’s most challenging task, therefore, is developing a process or framework to understand how internal and external risks interrelate with controls and business processes in the context of change, and how to evaluate organizational initiatives against these requirements.

The Bottom Line: Organizations cannot readily understand control from a series of lists or spreadsheets. They need intelligence and insight into the relationships between the hierarchical dimensions that describe an organization’s internal control and risk ecosystem that predict the full scope of potential impacts (direct and cascading) due to actual or exploratory change to risk and business strategy. Organizations need solutions that support simulation and scenario planning for strategic and tactical action plans in response to change.

2019 GRC User Experience Award Nominations

GRC 20/20 is accepting nominations for the 2019 GRC User Experience Awards!

Governance, risk management and compliance (GRC) is a part of everyone’s job. Too often we shovel GRC into the bowels of the organization thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back office of GRC in the organization. The user experience for GRC related solutions has been typically poor in most organizations, resulting in time-consuming and redundant processes.

The core of GRC related technologies is operationalizing GRC across the fabric of business. This involves employee engagement in GRC related solutions with systems that are simple, mobile and easy to use from the frontline of the business to the back-office operations of GRC.

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

  • Efficient: GRC engagement provides efficiency and savings in both human and financial capital. GRC should reduce operational costs by providing access to the right information at the right time for employees, and reduce the time spent searching for answers (or just giving up). GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • Effective: At the end of the day it is about effectiveness. How does the organization ensure risk and compliance is effectively understood, monitored and managed at all levels of the organization? That policies are not only read but understood, that employees are trained properly, that they know how to ask questions when in doubt, to report issues and how to be intelligent about risk in their specific context.
  • Agile: GRC engagement delivers business agility when organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate to employees the GRC context of these changes. GRC engagement is measured in responsiveness to events and issues, so organizations can identify and react quickly to incidents because they are reported in a timely manner.

Employee engagement in GRC requires GRC technologies to extend across the organization, even to extended third party relationships such as vendors, suppliers, agents, contractors, outsourcers, service providers, consultants and temporary workers. Engaging stakeholders at all levels of the organization requires that GRC technologies be relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a social-technology-permeated world. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.

It has been stated that:

“Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.”

This quote has been attributed both to Einstein and E.F. Schumacher.

A primary directive of GRC related technologies is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

The 2019 GRC User Experience Award nominations will be accepted through 31 January 2019 (no exceptions, nomination form closes down at midnight CDT on 31 January). Recipients will be determined by end of March, write-ups for each recipient (one per category) will be completed in April and May with announcements in June 2019. Each recipient of an award will be written up and acknowledged.

The seventeen categories for submission are:

  • Audit Management & Analytics User Experience
  • Automated / Continuous Control User Experience
  • Business Continuity Management User Experience
  • Compliance & Ethics Management User Experience
  • Enterprise GRC User Experience
  • Environmental, Health & Safety User Experience
  • IT GRC/Information Security User Experience
  • Internal Control Management User Experience
  • Issue Reporting & Case Management User Experience
  • Know Your Customer User Experience
  • Legal Management User Experience
  • Physical Security Management User Experience
  • Policy & Training Management User Experience
  • Quality Management User Experience
  • Reputation & Responsibility User Experience
  • Risk Management Value User Experience
  • Strategy & Performance User Experience
  • Third Party Management User Experience

Please submit nominations before midnight on 31 January 2019.

Operational Resiliency: Connected Management of Operational Risk

I am sitting in a pub in London having a pint after an intense week of interactions with organizations. My mind is laser focused on the burning issue of the day: operational resiliency.

The FCA, PRA, and Bank of England have recently released a discussion paper focused on the need to build greater operational resilience in organizations. This challenge is much broader than just the United Kingdom and financial services; it is an issue that crosses the globe and industries. How do we build resiliency in our business to risk and disruption?

Today’s organization is complex and chaotic—in a constant state of metamorphosis. Keeping complexity and change in sync is a significant challenge for operational risk management functions. Consider that the modern organization is:

  • Distributed. Traditional brick-and-mortar business is a thing of the past: Physical buildings and conventional employees no longer define organizations. The organization is an interconnected mesh of relationships and interactions that span business boundaries with distributed operations complicated by a web of global relationships.
  • Dynamic. Organizations are in a constant state of change. Distributed business operations are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes in risk and regulatory environments around the world. The multiplicity of risk environments an organization monitors span regulatory, geopolitical, and operational risks across the globe.
  • Disrupted. The intersection of distributed and dynamic business brings disruption. Change (dynamic business) combined with complexity (distributed operations and relationships) means the organization is easily disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk information across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, and volume of risk is overwhelming—disrupting the organization and slowing it down at a time when it needs to be agile and fast.

In defining operational resiliency, I can think of nothing stronger than leveraging the OCEG definition for governance, risk management, and compliance (GRC). This is a capability to reliably achieve objectives, while addressing uncertainty, and act with integrity. To be operationally resilient requires that we understand the operational objectives of the organization and, in that context, manage the risk and uncertainty in hitting those objectives while operating within the boundaries of the values and requirements set on the organization.

Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.

Connecting ORM and BCM is just part of achieving operational resiliency. To be resilient requires that the organization also manage the intersection of compliance, information security, business operations/processes, performance, third-party management, and other risk functions. Operational risk management is an umbrella covering a lot of risk departments that have historically operated in silos. These silos need to collaborate and connect in a broader operational risk strategy focused on the operational resiliency of the organization.

Managing operational risk activities in disconnected silos leads the organization to inevitable failure. Decentralized and disconnected distributed systems of the past catch the organization off guard to risk. The complexity of business and intricacy and interconnectedness of risk requires an integrated approach. Silos of risk fail to actively manage risk and leave the organization blind to intricate relationships of connected risk across the organization. An ad hoc approach to operational risk management results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk as an integrated part of business.

Distributed, dynamic, and disrupted business demands a strategic approach to operational risk strategy and process enabled with an integrated information and technology architecture. The organization needs complete situational awareness of risk across operations, processes, relationships, systems, and information to see the big picture of risk and its impact on organization performance and strategy.

This article is connected to an associated GRC Illustration and roundtable that GRC 20/20 collaborated with OCEG and Refinitiv to produce. I encourage you to download the detailed GRC Illustration on Connected Management of Operational Risk Prevents Disruption and the related roundtable discussion on this topic.


Manage Your Privacy Journey: GDPR, CCPA & Beyond

I love adventures! Whether in a city or out in nature, it is exciting to go out and do things. Simple adventures do not require a lot of planning, but you still need to be prepared for the day. More complex adventures require a lot of planning, coordination and execution. In organizations, complex adventures also require stepping back and reevaluating where you are and where you’re going.

Over the past few years, we have been on a General Data Protection Regulation (GDPR) adventure. Some might think the privacy adventure is over as we are now six months past the compliance deadline of May 28, 2018. However, the privacy journey is ongoing, and organizations need to continue forward with ongoing proactive GDPR compliance, particularly as organizations are dynamic and constantly changing.

Think about it: has your organization remained the same over the past six months? Certainly not . . .

The rest of this article by GRC 20/20’s Michael Rasmussen can be found as a guest blog on InfoGoTo.


Efficient and Effective Third-Party GRC Management

Modern Organization: Interconnected Maze of Relationships

Traditional brick-and-mortar businesses are a thing of the past. Physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, etc. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships, with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organization’s problems: they directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them, and fail to actively manage and understand the interrelationship of third parties across the organization.

The fragmented governance of third party relationships, through disconnected silos, leads the organization to inevitable failure. Reactive, document-centric, and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship, as well as the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources – Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger-pointing, thinking others are doing this. Or the opposite happens: different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected – The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship it can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight – Allowing different parts of the organization to go about third party governance in different ways without any coordination, collaboration, or architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end-to-end visibility of third party relationships.
  • Document and email centric approaches – When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for things to get overlooked, and silos of third party management are buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on supply chain data. When things go wrong, document trails are easily covered up and manipulated, as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies – When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency, impacts effectiveness, and encumbers the organization when it needs to be agile.
  • Processes focused on onboarding only – Risk and compliance issues are often only analyzed during the onboarding process, to validate that the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change – Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, etc. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance – Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services, but do not include monitoring risks such as compliance and ethical considerations.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated supply chain data management strategy, the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance – resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches data management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance, and understand its impact on the organization.

The bottom line: a haphazard, department-by-department, document-centric approach to third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy, as well as teams to define and govern third party relationships. Third party management is “a capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across its third party relationships.” Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about performance, risk, and compliance, and how it impacts the organization.
