GDPR: Moving Forward Out of the Doldrums

I love sailing. It has fascinated me since high school, but only recently have I taken up learning to sail. While I have not sailed across an ocean, I have read many accounts of sailors getting stuck in the doldrums: the low-pressure belt near the equator in both the Atlantic and the Pacific where there is little to no wind. A sailboat there is virtually stalled and stuck.

When pondering GDPR this morning at a coffee shop in London, I was thinking about the doldrums of compliance: the point at which organizations stall, become neglectful, and stop moving forward with compliance. This often happens shortly after a regulation's launch date. Organizations moved with some momentum to work toward GDPR compliance and made progress, but once the compliance date passed, businesses got distracted with other things and failed to maintain the same momentum.

In year one of GDPR compliance, up through the initial compliance deadline of May 2018, I saw a lot of organizations make great strides in addressing GDPR. They put the foundational components in place, but many have stalled on the follow-through. These organizations did well in . . .

The rest of this article by GRC 20/20’s Michael Rasmussen can be found as a guest blog on SureCloud.

[button link=”https://www.surecloud.com/sc-blog/gdpr-moving-forward-out-of-the-doldrums”]READ MORE[/button]

Monitoring and Managing Risk Effectively

Organizations take risks all the time but fail to monitor and manage risk effectively. A cavalier approach to risk-taking is the result of a poorly defined risk culture, and it ends in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations, even those with strong brands. Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, and risk management professionals throughout the business. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively.

The modern organization is:

  • Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner, and client relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions that defines the modern organization. Complexity grows as these interconnected relationships, processes, and systems nest within one another.
  • Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with shifting business strategies, technologies, and processes while also keeping pace with change to risk environments around the world. The multiplicity of risk environments that organizations have to monitor spans regulatory, geo-political, market, credit, and operational risks. Managing risk and business change on numerous fronts has buried many organizations.
  • Disrupted. The explosion of data in organizations has brought on the era of “Big Data” and with it “Big Risk Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of data are overwhelming, disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Understand the Interrelationship of Risk and Its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. For some organizations, risk management is only an expanded view of routine financial controls; the result is nothing more than a deeper look into internal controls with some heat maps thrown in, and it does not truly provide an enterprise view of risk. Despite this, organizations remain keenly interested in how to improve risk management.

Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels, and build as organizations develop operational and enterprise risk management strategies.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.

It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third-party, strategic, insurance, and hazard risks. Enterprise and operational risk management become a challenge when the risk management strategy forces everyone to conform to one flat view of risk, producing significant issues in risk normalization and aggregation as risk is rolled up into enterprise risk reporting.

Providing 360° Contextual Awareness of Risk

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on a risk management process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events.

In light of this, organizations should consider:

  • Does the organization understand the risk exposure of each individual process/project, how it interrelates with other risks, and how it aggregates in an enterprise perspective of risk?
  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
  • Does the organization monitor key risk indicators across critical projects and processes?
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:

  • The external perspective: Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
  • The internal perspective: Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common risk management strategy, process, information, and technology architecture to support overall risk management activities from the process level up through an enterprise view. Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements and select the right information and technology architecture that is agile and flexible to meet the range of risk management needs today and into tomorrow.

Upcoming Webinar on Risk Management

20/20 Strategy Perspective Research Paper on Risk Management

20/20 Buyers Guide Research Briefing on Risk Management Solutions

Other 20/20 Research Pieces on Risk Management

[button link=”https://grc2020.com/product-category/grc-functional-area/risk-management-analytics/”]RISK MANAGEMENT RESEARCH[/button]

Understanding & Improving Governance, Risk Management & Compliance

Governance, risk management & compliance (GRC) is something an organization does and not something an organization buys. GRC, done properly, is what is achieved throughout the business and its operations. By definition, GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” (source: the OCEG GRC Capability Model, which GRC 20/20 has helped define and contributed to). This requires that GRC be understood in the context of enterprise strategy, objectives, architecture and processes.

Designing mature GRC processes that align with the organization requires an understanding of what the organization is about, how it operates, and how it should be monitored and controlled. This is done by defining the right GRC process, information and technology architecture. GRC by Design requires an enterprise/organization architecture approach to the organization and how it operates.

GRC 20/20 is a research and analyst organization aimed at understanding what is keeping organizations up at night and how they address this with strategy, process, and technology to make GRC related processes efficient, effective, and agile. We are a research and analyst firm, not a consulting firm.

In this context, GRC 20/20 runs regular By Design training workshops to share our research and experience with organizations looking to improve their GRC related strategies. These workshops are a key part of our research because they are workshops and not lectures. Attendees interact and share their challenges and approaches and learn from each other as much as they learn from GRC 20/20. These are facilitated sessions that engage attendees on the deep subjects of GRC in a way that is practical and enriching. There is no cost to attend these workshops, and attendees can use the time for continuing education credits for certifications. However, they are only open to organizations working on their own internal GRC related strategies and processes. Solution providers and professional service firms are not allowed to register for these workshops.

Third Party Management by Design Workshops

Enterprise GRC Management by Design Workshops

IT GRC/Security Management by Design Workshops

Each By Design workshop aims to provide a blueprint for attendees on effective enterprise GRC strategies in a dynamic business, regulatory, and risk environment. Attendees will learn enterprise GRC strategies and techniques that can be applied across the organization. Learning is done through lectures, collaboration with peers, and workshop tasks.

GRC 20/20 also offers complimentary inquiry to organizations looking to improve GRC related processes, identify the right technology solutions, and understand what differentiates those solutions in solving their problems. Our research is objective, and there are over 800 solutions we have mapped into the many segments of the broad GRC market. If you have a question on GRC strategy, process, and technology . . . simply submit an inquiry and we can have a call or email exchange.

The One Regulation to Rule Them All: UK SMR/CR & Cascading Regulations

For those of you on this list that know me on a personal level, I am a huge Tolkien fan. In fact, I am just a Master’s thesis away from my M.A. in Church History and the thesis is on the influence of Medieval theology, particularly Aquinas, on J.R.R. Tolkien and his works (my particular focus in Church History in general is medieval British Church history which fascinates me).

One [REGULATION] to rule them all, One [REGULATION] to find them [RISK, COMPLIANCE, CONTROL], One [REGULATION] to bring them all, and in the [ENFORCEMENT] bind them.

I just got off the phone after a deep discussion of the UK SMR/CR as well as the similar regulations coming out of Australia, Singapore, Hong Kong, Japan, Ireland, and more. I explained that the UK SMR/CR is the One Regulation to rule all other risk, compliance, and control regulations. The whole point is to put personal accountability and responsibility on senior executives and directors for risk and compliance. It is the regulation that enforces all the others and binds them.

The UK Senior Managers Regime and Certification Regime (UK SMR/CR) is one of the most significant challenges financial services firms are facing right now. The Financial Conduct Authority (FCA) has recently announced that the regime is being extended to all firms it regulates: over 58,000 organizations. It is the governing regulation of all regulation and risk, as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives for risk, compliance, and control. These individuals could go to jail or be personally fined (and their organization cannot reimburse them). The fines and actions are against them personally. For example, Barclays’ CEO was recently fined £640,000 personally under UK SMR/CR. It is UK SMR/CR that ensures other regulations, as well as risks, are properly managed in the organization.

Compliance with UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend, but a global shift in personal accountability and responsibility for senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (with more of a board focus) all have similar legislation/regulation developing in varying aspects.

This impacts every area of GRC in financial services. One firm I talked to told me this is what is keeping them up at night from a governance, risk management, and compliance (GRC) perspective. The other day I had a phone call with a mid-sized financial services firm in the United Kingdom. They are seeing a lot of interest and ownership of GRC processes by senior executives and directors as they are now personally accountable because of UK SMR/CR. They are using risk management to help these business leaders understand their business and risk exposure, and in this context track accountability. One major UK bank told me they have applied UK SMR/CR to third party management, making business leaders (e.g., executives, directors) accountable and personally liable for risk and compliance failures in third parties. In a recent interaction I had, the Head of Risk Frameworks at a UK financial services company stated:

“SMR is the UK’s equivalent of Sarbanes Oxley and will be interesting to see what happens in Australia. But maybe it’s still early days and people think they can get by with what they have. When a high-profile executive lands behind bars or a sizeable number of fines are dished out, then I guess we’ll see the market pick up.”

This regulation is more than an HR issue; it is a governing umbrella over all risk and compliance. Foundationally, organizations have to map risk and compliance roles/responsibilities to senior executives and directors. It requires that organizations track responsibilities and accountabilities for risk and compliance to senior business leaders, and track the awareness and acknowledgement of these individuals. This in turn drives a greater need for transparency and awareness of risk and compliance down into the business. Policy management is a critical concern in communicating policies to senior leaders and tracking attestations and awareness of accountabilities. But it does not stop there. You have to be able to communicate risk, compliance, and control to these individuals. They cannot accept accountability if they have no way of measuring and being informed of risk and compliance. This makes UK SMR/CR (and similar legislation in other jurisdictions) the governing umbrella of all risk and compliance obligations and requirements. Organizations need to map and report on risk and compliance across regulations to these roles.

Managing this process in documents, spreadsheets, emails, and manual processes is time consuming and, at the end of the day, does not produce the proper audit trail and system of record to show clear awareness and acknowledgement of risk and compliance by senior executives. Organizations need technology to map risk and compliance responsibilities to senior executives, with a robust audit trail that provides a system of record of communication and awareness, supported by risk and compliance reporting that informs the senior executives who are now accountable for the exposure their organization faces.

This article was originally a guest blog by GRC 20/20 @ Governor Software . . .

Managing Risk & Compliance in the Extended Enterprise

Modern Organization: Interconnected Maze of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main.[1]

Replace the word ‘man’ with ‘organization’ and the seventeenth-century English poet John Donne is describing the post-modern twenty-first century organization. In other words, “No organization is an island unto itself, every organization is a piece of the broader whole.”

Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest within one another, as in deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organization’s problems: they directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them and fail to actively manage and understand the interrelationship of third parties across the organization.

The challenge: “Can you attest to the governance, risk management, and compliance of the organization’s extended business relationships?”

Typical response: Organizations tend to look at the formation of a third party relationship and fail to foresee issues that cascade and cause damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship.

The fragmented governance of third party relationships through disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship and the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor the risks and regulations impacting third party relationships; different parts of the organization end up pointing fingers, each thinking that others are doing this. Or the opposite happens: different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected. The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship it can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight. Allowing different parts of the organization to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end-to-end visibility of third party relationships.
  • Document and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for things to get overlooked and for silos of third party management to be buried in mountains of data that are difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong, document trails are easily covered up and manipulated, as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency and impacts effectiveness, while encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only. Risk and compliance issues are often only analyzed during the onboarding process, to validate through initial due diligence that the organization is doing business with the right companies. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change. Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third party relationships. Just as the organization itself is changing, each of the organization’s third party relationships is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services but do not include monitoring of risks such as compliance and ethical considerations.
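Both the SMR/CR discussion above (a system of record showing which senior manager acknowledged which responsibility, and when) and the point in the list above that document trails lack a trail of who did what, when, how, and why come down to one property: the record must be tamper-evident, so that an entry cannot be quietly altered after the fact. The following Python sketch is an added illustration, not code from the original articles or from any product they mention. It keeps responsibility assignments and attestations in an append-only log in which each entry carries an HMAC over its own fields and the previous entry's MAC; editing any stored entry breaks the chain. The log key, the manager and responsibility names, and the entries are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed key for the example only. In a real system of record the key (or a
# signing key) lives in an HSM/KMS so the people whose actions are logged cannot
# recompute MACs and rewrite history.
LOG_KEY = b"example-only-key"

GENESIS = "0" * 64  # prev_mac of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    timestamp: str       # when (ISO 8601, supplied by the caller)
    actor: str           # who did it
    action: str          # what: "assign" or "attest"
    manager: str         # the senior manager the entry concerns
    responsibility: str  # the accountability being assigned or acknowledged
    note: str            # how / why
    prev_mac: str        # links this entry to the one before it
    mac: str             # HMAC-SHA256 over everything above


def _mac(key: bytes, fields: list) -> str:
    payload = json.dumps(fields, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AttestationLog:
    """Append-only, hash-chained record of responsibility assignments and attestations."""

    def __init__(self, key: bytes = LOG_KEY):
        self._key = key
        self.entries: List[Entry] = []

    def append(self, timestamp, actor, action, manager, responsibility, note) -> Entry:
        if action not in ("assign", "attest"):
            raise ValueError("unknown action: %r" % action)
        seq = len(self.entries)
        prev_mac = self.entries[-1].mac if self.entries else GENESIS
        body = [seq, timestamp, actor, action, manager, responsibility, note, prev_mac]
        entry = Entry(*body, mac=_mac(self._key, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if every entry chains to its predecessor, else the seq of the first broken entry."""
        prev_mac = GENESIS
        for i, e in enumerate(self.entries):
            body = [e.seq, e.timestamp, e.actor, e.action, e.manager,
                    e.responsibility, e.note, e.prev_mac]
            if (e.seq != i or e.prev_mac != prev_mac
                    or not hmac.compare_digest(_mac(self._key, body), e.mac)):
                return i
            prev_mac = e.mac
        return None

    def head(self) -> str:
        """MAC of the latest entry; publish it out of band so truncation is detectable too."""
        return self.entries[-1].mac if self.entries else GENESIS

    def status(self, manager: str) -> Dict[str, bool]:
        """Each responsibility assigned to the manager, and whether they have attested to it."""
        result: Dict[str, bool] = {}
        for e in self.entries:
            if e.manager != manager:
                continue
            if e.action == "assign":
                result.setdefault(e.responsibility, False)
            elif e.action == "attest" and e.responsibility in result:
                result[e.responsibility] = True
        return result

    def outstanding(self, manager: str) -> List[str]:
        """Responsibilities assigned to the manager that they have not yet acknowledged."""
        return [r for r, attested in self.status(manager).items() if not attested]


def build_sample_log() -> AttestationLog:
    """Constructed sample data: one manager, two responsibilities, one attestation."""
    log = AttestationLog()
    log.append("2019-03-01T09:00:00Z", "compliance", "assign", "a.smith",
               "third-party risk oversight", "Allocated under the responsibilities map")
    log.append("2019-03-02T10:15:00Z", "a.smith", "attest", "a.smith",
               "third-party risk oversight", "Statement of responsibilities acknowledged")
    log.append("2019-03-05T14:30:00Z", "compliance", "assign", "a.smith",
               "conduct rules training", "Annual refresh due")
    return log


def tamper(log: AttestationLog, seq: int, **changes) -> None:
    """Simulate an after-the-fact edit of a stored entry, which a spreadsheet would not reveal."""
    log.entries[seq] = replace(log.entries[seq], **changes)
```

The chain catches modification of any stored entry, but not removal of the most recent entries: if the tail is deleted, what remains still verifies. That is why `head()` exists; the latest MAC should be recorded somewhere the log's operators cannot change (a separate system, a periodic report to the board, or a signed timestamp), so that truncation is also detectable.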

The physicist Fritjof Capra made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[2]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of their intricate interrelationships as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts on the entire ecosystem. This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect,’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness of third party relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of third party data require that the organization implement a third party management strategy.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

The bottom line: A haphazard department- and document-centric approach to third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Third party management is “a capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across its 3rd party relationships.”[3] Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.


GRC 20/20 Events & Resources for Third Party Management Include . . .

Third Party Management Workshop

GRC 20/20 will be leading a complimentary interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Case Studies on Organizations Doing Third Party Management

Solution Perspectives on Third Party Management Solutions


[1] A famous line from the English poet John Donne’s Devotions upon Emergent Occasions (1624), found in the section Meditation XVII.

[2] Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.

[3] GRC 20/20’s adaptation of the OCEG definition of GRC found in the OCEG GRC Capability Model, applied to third party management.

Enabling the 1st Line of Defense with Policy, Training & Issue Reporting

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].”[1] Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model is comprised of three layers of GRC responsibility and accountability in organizations. These are:

  1. Business Operations. The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  2. GRC Professionals. The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) comprises the roles that specify and define the boundaries of the organization, established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  3. Assurance Professionals. The third layer of defense is the assurance professionals (e.g., internal audit, external audit) who provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished by planning and executing audit engagements to support assurance needs.

While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defense, not a lot has focused on how to effectively engage the first line of defense: the employees and managers in the front line of the organizations.

Front line employees are making risk and compliance decisions every day and can either protect or expose the organization to unwanted issues. Risk and compliance are not just about the back office of risk, compliance, and audit management; they are about the front office engagement and education of employees on what is acceptable and unacceptable and how to report issues.

GRC 20/20 is presenting a webinar on how to engage and enable the front lines of your organization through effective communication and training on policies and on how to report issues and incidents in the organization.

Attendees will learn:

  • GRC in the context of the Three Lines of Defense Model
  • How the second and third lines of defense depend on the first line to protect the organization
  • How to effectively communicate and train the first line of defense on policies
  • Methods for first line employees to identify and report issues and incidents
  • How technology can automate and enable the first line of defense
  • Driving efficiency, effectiveness and agility into all three lines of defense

[button link=”https://www.brighttalk.com/webcast/11811/333341?utm_campaign=user_webcast_register&utm_medium=email&utm_source=brighttalk-transact&utm_content=title”]REGISTER[/button]

[1] This is the official definition of GRC found in the OCEG GRC Capability Model. www.OCEG.org

Compliance, Particularly for Privacy, Requires Data Process Mapping & Disposition

Compliance used to be simpler. An organization was given a set of requirements and it had to check the boxes that it met the requirements and compliance was achieved. The complex nature of business today and the focus on information in the digital economy has driven compliance requirements to a new level of intricacy and depth.

Today data weaves in and out of business processes, throughout the organization and across third party relationships. Organizations need to understand how all information, especially personally identifiable information (PII), enters, moves throughout, and is used in the organization, and how it is shared and used in third party relationships (e.g., outsourcers, services providers, vendors, suppliers, consultants, brokers, dealers, agents).

Privacy is a significant compliance challenge with specific requirements, associated content and processes that organizations should consider . . .

The rest of the article can be read via the link in the button below. Michael Rasmussen of GRC 20/20 posted this as a guest blog on www.infogoto.com.

[button link=”https://www.infogoto.com/compliance-particularly-for-privacy-requires-data-process-mapping-disposition/”]READ MORE[/button]

Is SMR & CR the UK Financial Services’ biggest challenge for 2018?

The UK Senior Managers Regime and Certification Regime (UK SMR/CR) is one of the most significant challenges financial services firms are facing right now. The Financial Conduct Authority (FCA) has recently announced that this regulation is going to be applied to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk, as it enforces senior manager/executive accountability for all aspects of risk and compliance. It places personal accountability for risk, compliance, and control on senior directors and executives. These individuals could go to jail or be personally fined (and their organization cannot reimburse them); the fines and actions are against them personally. For example, Barclays’ CEO was recently fined £640,000 personally under UK SMR/CR. It is UK SMR/CR that ensures other regulations, as well as risks, are properly managed in the organization.

Compliance with UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend but a global shift toward personal accountability and responsibility of senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (more of a board focus) all have similar developing legislation/regulation in varying aspects . . .

The rest of the article can be read via the link in the button below. Michael Rasmussen of GRC 20/20 posted this as a guest blog on www.governorsoftware.com.

[button link=”https://www.governorsoftware.com/news/is-smr-cr-the-uk-financial-services-biggest-challenge-for-2018”]READ MORE[/button]

The IRM Emperor (Gartner) Has No Clothes

The Gartner Integrated Risk Management (IRM) Magic Quadrant has been out a few weeks and I have been buried with inquiries from organizations asking my thoughts on it. While I initially was going to post my thoughts in this article right away, I have spent the past few weeks doing a lot of reflection and talking to the majority of the solution providers in the Magic Quadrant about their experiences. In fact, I have interacted with 12 of the 16 solution providers in the Magic Quadrant. With 5 of these solution providers I have actually advised them throughout varying aspects of the Magic Quadrant process in reviewing their responses, preparing them for interactions with Gartner, and playing the ‘dark side’ analyst to critique their solutions.

The Gartner IRM Magic Quadrant is of great concern in how it represents and analyzes solutions, and the process of the IRM MQ is of even greater concern. Organizations should be very cautious and skeptical of the results. I feel they are very unreliable. Here are my issues . . .

  • IRM vs. GRC. Gartner has to invent new terms to make themselves feel relevant. John Wheeler came out with several blogs stating how GRC has failed and is dead and organizations should look to IRM. First off, technology evolves and changes. GRC today is not the same as GRC 10 years back. Same with other areas of technology such as ERP and CRM: these technology categories have evolved and not remained the same . . . but we still refer to them as ERP and CRM. Gartner is actually 5 years behind. What John Wheeler states as IRM in his blog GRC vs. IRM Solutions – What’s the Difference? is what I talked about as GRC 3.0 in my research and blogs back in 2013.
  • If GRC is dead, where is the difference in the MQ? Let’s get right to the point. Gartner has made a big push in their research, blogs, and speeches that GRC is dead and has failed, and now we have IRM. If this is the case, then why are the Leaders in the Magic Quadrant for IRM the same Leaders that were in the last several Magic Quadrants for GRC by Gartner? What has failed if the exact same solutions that dominate the market are getting the leading accolades from Gartner in their old GRC research and now their new IRM research? The answer is simple: IRM is a marketing ploy by Gartner. The technologies they say have failed in GRC they now praise as leaders in IRM; they are the same solutions and must not have failed as Gartner originally stated.
  • What is with Gartner changing all these terms? It is not just GRC that Gartner is trying to change. They also talk about Digital Risk Management. What is Digital Risk Management? Organizations do not use this term. They talk about information security, or IT security. Gartner has some need to rebrand things to make their analysts feel relevant.
  • Can Gartner make the hard calls? I must applaud Forrester in their most recent GRC Wave, they had the ‘cojones’ to knock back one of the leaders out of the leaders area. You can compare the Wave and MQ to figure out who I am talking about; it is the solution that I get more complaints on than any other solution in the market by a significant amount.
  • Gartner IRM use cases are incomplete. Gartner defined in their IRM MQ six IRM use cases: Digital Risk Management, Vendor Risk Management, Business Continuity Management, Audit Management, Corporate Compliance & Oversight, and Enterprise Legal Management. My prominent question: where is Enterprise and Operational Risk Management (ERM, ORM)? There are defined capabilities and needs for enterprise and operational risk management that are not covered and brought out. Most of Gartner’s research has a large IT security bent to it, oops, I mean digital risk management, that permeates everything and fails to see the broad range of enterprise and operational risks. Also, they bring Enterprise Legal Management into IRM, which I see in about 5 to 10% of Enterprise GRC (IRM) RFPs. I am not against this, but they failed to mention Environmental, Health & Safety (EH&S), which is in over 50% of Enterprise GRC (IRM) RFPs. In fact, Gartner has completely discontinued their coverage of EH&S technology.
  • The Magic Quadrant process has serious issues. What is extremely concerning about the Gartner Magic Quadrant for IRM is the process. Some issues are:
    • Video demos and not live demos. Gartner did not want to have live demonstrations of the solutions; they wanted organizations to submit video demos. Anything can be mocked up in a video. Forrester, on the other hand, requires live demos and even requires a sandbox to work with the solution themselves. I have advised solution providers in the Forrester GRC Wave and have seen the audit trail of Forrester analysts going through the solution and testing it themselves. Not so with Gartner; they do not want a sandbox or even a live demo . . . just a video. And organizations around the world are relying on the Magic Quadrant? This is downright scary.
    • Lack of transparency. Further, Gartner does not publish the criteria, scores and weightings of the Magic Quadrant. It is exactly what it says it is . . . MAGIC. Forrester publishes a full spreadsheet with each of the hundreds of criteria measured, the vendor score on each, and the weighting. You might disagree with Forrester’s findings, I do at times, but Forrester is transparent and Gartner is not.
    • Client reference checks. Client references are also a concern: while Gartner got on the phone with a few client references, they are overly reliant on web surveys for client references. To get real answers you have to talk and interact with a range of client references and ask the hard questions. You also have to talk to the individuals using the solution every day and not just the decision maker.
    • Inconsistency in Strengths and Cautions. For each solution evaluated Gartner publishes strengths and weaknesses, usually 3, but sometimes 2. But these are not consistent. For example, Gartner calls out as a negative on some solutions that they do not do Enterprise Legal Management, but on others that also do not have it they do not call it out. This is not an apples-to-apples comparison.

My advice to organizations: avoid Gartner when it comes to GRC/IRM. They are clueless and actually dangerous to organizations looking for solutions in the market. While I provide insight and advice (including complimentary inquiry for organizations looking at solutions in the market), there are other analysts as well, my competitors, that do a much better job than Gartner. Forrester and Verdantix are prime examples.

In full disclosure, Gartner is my competitor. They are the behemoth of the analyst world. I spent 7 years at Forrester Research as a Vice President and one of their top analysts and have now been 11 years on my own as an individual market analyst covering solutions in the Governance, Risk Management, and Compliance (GRC) market. While Gartner is my competitor, that does not keep me from having respect for competitors. Though I disagree with them at times, I have deep respect for the analysts at Forrester Research, and I have deep respect for Verdantix, which covers the Environmental, Health & Safety aspect of the GRC market. Even in Gartner, there are analysts I have very deep respect for, such as my former manager Merv Adrian. It is the IRM research at Gartner that I have major concerns with, and you should too.



Defining the Issue Reporting & Case Management Process

Distributed and dynamic business requires the organization to take a strategic approach to issue reporting and case management. Organizations require complete situational and holistic awareness of issues, incidents, investigations, and cases across business operations and processes. This is best approached through structured and accountable processes enabled through an integrated information and technology architecture for issue reporting and case management. The goal is to manage individual issues at the detail level while being able to see the big picture and trends of issues and their impact on overall risk and compliance exposure.

Two essential components for a mature and robust issue reporting and case management program are:

  1. Structured processes for issue reporting and case management.
  2. Integrated information and technology architecture for issue reporting and case management.

Issue reporting and case management processes determine the types of information needed, gathered, used, and reported. It is through the integrated information and technology architecture that processes can be properly managed. The architecture defines how organizational processes, information, and technology are structured to make issue reporting and case management effective, efficient, and agile across the organization.

Issue Reporting & Case Management Process Structure

Issue reporting and case management processes are a subset of overall business and GRC processes. Issue reporting and case management identifies where things are going wrong with a goal of containing, addressing, and correcting exposure, loss, and incidents. The issue reporting and case management process is the structural design of tasks and management of how issues are reported, investigated, and resolved.

Structured processes for issue reporting and case management define responsibilities, workflow, tasks, how issues are reported, how cases are managed, and how the processes work together as an integrated whole with other GRC and organizational processes. Issues and cases provide objective information that should in turn feed into risk management models as well as compliance reporting. For a mature GRC program, the organization requires the ability to track all issues across the enterprise (e.g. employee issues, customer issues, poor product quality, and supply chain).

There are five foundational process components that organizations should have in place for issue reporting and case management:

  1. Strategic/operational case planning and administration. This involves the ongoing planning and administration of issues, cases, investigators, workload, and tasks. Core to this is resource and case planning and administration: the ability to measure cycles/seasonality of cases, backlog, resource planning, and costs.
  2. Issue intake & triage. This is the foundational component where issues are reported. It involves being able to report and process issues coming from hotlines, web forms, management reports, and other inputs. The goal is to eliminate noise, consolidate duplicated issue reports, flesh out non-cases, and focus on what is critical and exposes the organization to the greatest risk. It is critical that the organization has the ability to automate and link between issues being reported, cases, parties, processes, places, and other relationships. From here initial planning and assignment of cases is done.
  3. This is the heart of the process that takes reported issue(s) and manages the process of investigation through to closure. Investigators need structured templates and processes to keep everything organized, document the investigation, manage tasks, provide notifications and escalation, and keep all information in one place for ease of reporting. The more the organization can automatically define the process to investigate an issue/case, the better. Accountability, centralization of information, keeping everything current and up to date, and having a defensible system of record that can stand up in court are critical to this stage of the process.
  4. Remediation & resolution. History repeats itself because no one was listening the first time. This stage of the issue reporting and case management process ensures that remediation steps are followed to mitigate or eliminate the risk of further issues and incidents. The organization needs to be able to track action items and ensure that things do not slip through the cracks, in order to reduce repeated and future cases. The organization requires the ability to link issues to policies and procedures to ensure they are updated as resolutions dictate.
  5. Reporting, analytics & metrics. This is the stage of the process that provides detailed reports on both individual and aggregate cases. The organization should be able to track past due tasks, benchmark timelines of cases, identify where loss can be mitigated, and reduce gaps.
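As an added example (not GRC 20/20's code, nor any product's), here is a small Python register that models components 2, 4 and 5 above: intake that consolidates duplicate reports on the same subject into one open case and escalates its severity, remediation actions that must all be completed before a case can close, and backlog, cycle-time and past-due metrics. The class names, sample reports, identifiers and dates are constructed for illustration.

```python
# Constructed issue-intake and case-management register (hypothetical model, not a product API).
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Optional

SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Issue:
    issue_id: str
    source: str      # hotline, web form, management report, ...
    subject: str     # party, process or place the report concerns
    summary: str
    reported: date
    case_id: Optional[str] = None

@dataclass
class Action:
    description: str
    due: date
    done: bool = False

@dataclass
class Case:
    case_id: str
    subject: str
    severity: str
    opened: date
    issue_ids: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    closed: Optional[date] = None


class CaseRegister:
    """One system of record: every issue links to a case, every case carries its actions."""

    def __init__(self) -> None:
        self.issues, self.cases, self._seq = {}, {}, 0

    def intake(self, issue: Issue, severity: str) -> Case:
        """Intake & triage: a report whose subject already has an open case joins that case."""
        self.issues[issue.issue_id] = issue
        for case in self.cases.values():
            if case.closed is None and case.subject == issue.subject:
                case.issue_ids.append(issue.issue_id)
                issue.case_id = case.case_id
                if SEVERITY[severity] > SEVERITY[case.severity]:
                    case.severity = severity  # escalate, never downgrade
                return case
        self._seq += 1
        case = Case(f"CASE-{self._seq:04d}", issue.subject, severity, issue.reported, [issue.issue_id])
        self.cases[case.case_id], issue.case_id = case, case.case_id
        return case

    def add_action(self, case_id: str, description: str, due: date) -> None:
        self.cases[case_id].actions.append(Action(description, due))

    def close_case(self, case_id: str, on: date) -> None:
        """Remediation & resolution: a case cannot close while any action is still open."""
        case = self.cases[case_id]
        if any(not a.done for a in case.actions):
            raise ValueError(f"{case_id} still has open remediation actions")
        case.closed = on

    def overdue_actions(self, as_of: date) -> list:
        return [(c.case_id, a.description) for c in self.cases.values() if c.closed is None
                for a in c.actions if not a.done and a.due < as_of]

    def metrics(self, as_of: date) -> dict:
        """Reporting & metrics: backlog by severity, median cycle time, slipped actions."""
        open_cases = [c for c in self.cases.values() if c.closed is None]
        cycle = [(c.closed - c.opened).days for c in self.cases.values() if c.closed]
        return {"open_cases": len(open_cases),
                "open_by_severity": {s: sum(c.severity == s for c in open_cases) for s in SEVERITY},
                "median_cycle_days": median(cycle) if cycle else None,
                "overdue_actions": len(self.overdue_actions(as_of))}


def walkthrough() -> dict:
    """Constructed sample: three reports, two of them about the same vendor."""
    reg = CaseRegister()
    reg.intake(Issue("ISS-1", "hotline", "vendor:ACME", "Invoice paid without a PO", date(2018, 9, 3)), "medium")
    reg.intake(Issue("ISS-2", "web form", "vendor:ACME", "Possible duplicate payment", date(2018, 9, 5)), "high")
    reg.intake(Issue("ISS-3", "management report", "site:HQ", "Tailgating at lobby door", date(2018, 9, 6)), "low")
    reg.add_action("CASE-0001", "Reconcile ACME payments", date(2018, 9, 20))
    reg.add_action("CASE-0001", "Update AP policy on PO matching", date(2018, 9, 30))
    as_of = date(2018, 9, 25)
    out = {"cases": len(reg.cases), "case1_issues": list(reg.cases["CASE-0001"].issue_ids),
           "case1_severity": reg.cases["CASE-0001"].severity,
           "overdue_before": reg.overdue_actions(as_of)}
    try:                       # closing with an open action must be refused
        reg.close_case("CASE-0001", as_of)
        out["close_blocked"] = False
    except ValueError:
        out["close_blocked"] = True
    for action in reg.cases["CASE-0001"].actions:
        action.done = True     # remediation completed, now the case may close
    reg.close_case("CASE-0001", as_of)
    out["metrics"] = reg.metrics(as_of)
    return out
```

The two design choices worth noting are that consolidation keys on the subject of the report rather than its wording (so a hotline call and a web form about the same vendor land in one case), and that closure is refused while any remediation action is open, which is what keeps action items from slipping through the cracks.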

Issue Reporting & Case Management Information & Technology Architecture

With processes defined and structured the organization can now define the information architecture needed to support issue reporting and case management processes. Issue reporting and case management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a structured and coordinated whole. The issue reporting and case management information architecture involves the structural design, labeling, use, flow, processing, and reporting of information to support issue reporting and case management processes. This architecture supports and enables the process structure and overall issue reporting and case management strategy.

Successful issue reporting and case management information architecture will be able to integrate, manage, and report on issues and cases across the organization. This requires a robust and adaptable information architecture that can model the complexity of information, transactions, interactions, relationships, cause and effect, and analysis of information, and that integrates with a range of business systems and data.

The issue reporting and case management technology architecture operationalizes information and processes to support the overall strategy. The right technology architecture enables the organization to effectively manage issues and facilitate the ability to document, communicate, report, and monitor the range of investigations, tasks, responsibilities, and action plans.

There can and should be a central core technology platform for issue reporting and case management that connects the fabric of the processes and information together across the organization. Many organizations see issue reporting and case management initiatives fail when they purchase technology before understanding their process and information requirements. The “best” systems are the ones that are highly configurable to a client’s situation and can be adapted to the company’s forms, processes, and technical architecture. The system should not run the business; the business should run the system. Organizations have the following technology architecture choices before them:

  • Documents, spreadsheets, and email. Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time on data management and reconciling as opposed to active risk monitoring. This is where most organizations have focused in managing issues and cases. Inefficiency and ineffectiveness increase as this document-centric and manual approach grows too large and limits the amount of information that can be managed.
  • Custom built databases. Organizations also have built custom internal databases to manage issues and cases. The challenge here is that the organization ends up maintaining a solution that is limited in function and costly to keep current. Many companies go from the document and spreadsheet approach to building a custom database that is limited in features, reporting, and scalability at a cost of internal IT resources and maintenance.
  • Issue reporting and case management platforms. These are solutions deployed for issue reporting and case management and have the broadest array of built-in (versus built-out) features to support the breadth of case management processes. In this context, they take a full-lifecycle view of managing the entire process of issue reporting and case management. These solutions allow an organization to govern incidents and issues throughout the lifecycle and enable enterprise reporting.

Most homegrown systems are the result of starting with tools that are readily available and easy: documents, spreadsheets, emails, and desktop databases. Too many organizations take an ad hoc approach to issue reporting and case management by haphazardly using documents, spreadsheets, desktop databases, and emails, which then dictates and limits what their issue reporting and case management process can be. This approach grows and expands, quickly outgrowing these desktop tools to the point where it becomes cumbersome. Organizations suffer when they take a myopic view of issue reporting and case management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real time in which business operates. The right issue reporting and case management technology architecture choice for an organization involves an integrated platform to facilitate the correlation of issue and case information, analytics, and reporting.

NOTE: GRC 20/20 will be conducting a Research Briefing on how to build a business case, define value/return, and navigate the range of requirements and solutions to automate and enable the issue reporting and case management process. For example, one organization spent 200 FTE hours producing an end-of-year report on the organization’s cases, investigations, incidents, and issues . . . it now takes them less than 5 minutes. Register to attend (and gain access to the on-demand recording afterwards) Buyer’s Guide: Issue Reporting & Case Management Solutions.

