
Next Generation Corporate Compliance & Ethics Architecture

Compliance and ethics have become a critical challenge in organizations around the world. Faced with growing regulatory change, increased enforcement actions, and a greater focus on the social responsibility and accountability of organizations, compliance and ethics management has become a front and center issue. Compliance and ethics departments are grappling with the challenges of conduct, bribery and corruption, insider trading, anti-trust, harassment, discrimination, privacy, and more. They need a coordinated strategy and process supported by an integrated information and technology architecture.

Recent developments, such as last month’s Department of Justice Evaluation of Compliance Program Guidelines, are putting greater emphasis on having robust insight, reporting, and analytics of compliance. Compliance and ethics departments have been plagued with manual processes encumbered by documents, spreadsheets, and emails. One organization that GRC 20/20 talked to was spending 200 employee hours to build an annual report on compliance. That is not managing compliance, that is reacting. Compliance and ethics issues that started eleven months back did not get contained, and the organization was not aware of the issue until months later.

The other challenge is that too many compliance and ethics departments are buying point solutions that focus on just one small problem and do not integrate to manage an overall compliance and ethics program. It is not uncommon to see an organization with manual processes as well as a range of point solutions deployed for managing niche aspects of compliance such as conflicts of interest, gifts and hospitality, and more. Having a collection of software solutions that do not integrate leaves the organization blind to the insights and interrelationships of compliance risk and exposure.

Organizations need to start approaching corporate compliance and ethics through a strategy that delivers an integrated information and technology architecture of compliance, one in which the organization can mine, report on, and see relationships between hotlines, cases, policies, assessments, forms, approvals, training, and due diligence. If these activities are siloed in manual processes or point solutions that do not integrate, the organization is going to be blind-sided by issues, never find and get to root problems, or spend a massive amount of employee time manually reconciling information to uncover the relationships and root causes to be addressed.

Today’s compliance and ethics program needs a next generation information and technology architecture that delivers:

  • Engagement. Compliance is not about the back office of corporate compliance and ethics; it is about the front office. The organization needs a strong compliance and ethics portal, a singular portal, that delivers policies, training, issue reporting, compliance-related forms, communications, and reminders to employees (and relevant third parties). There should be one view for individuals to access all of this, not scattered point solutions.
  • Obligation management. The organization needs a systemized and organized way to define, manage, and monitor all of their compliance and ethics obligations. This includes laws, regulations, contractual commitments, ethical principles, social accountability, and more. Consider that global financial services firms alone are dealing with over 200 regulatory change events every business day. Organizations need a way to document new and existing obligations and manage those as they impact policies, training, assessments, cases, and more.
  • Assessments. Organizations need a streamlined approach to manage compliance and ethics assessments. This includes self-assessments, checklists, quizzes, surveys, workpapers, and questionnaires. These are used both by the back office of compliance and ethics management and for gathering information from all levels of the organization to assess compliance.
  • Compliance risk management. There is greater pressure on organizations to show how they have identified, analyzed, addressed, and monitored compliance risk. The organization today needs compliance risk technology to identify and assess risk. There needs to be a central inventory of compliance risks and detailed assessments and analysis of these risks. The best risk management methodology for compliance risk assessments is the bow-tie risk assessment (I will be blogging on How to Tie a Compliance Bow-Tie in the next few weeks).
  • Policy management. Policies are the center of compliance and ethics. Everything relates back to policies. In the new DoJ guidance, policies were referenced over 30 times throughout the document. Organizations have to have structured approaches to inventory, develop, manage, monitor, communicate, and maintain policies. This requires defined workflows and notification capabilities. Many organizations are looking for collaborative policy authoring technologies to allow multiple roles to work on the same policy at the same time and see changes and comments in real-time without document checkin and checkout. These policies need to be accessible to individuals in a portal (back to engagement above). Many compliance and ethics departments are now leading a cross-organization strategy in enterprise policy management to ensure every policy is managed and maintained consistently.
  • Training management. Linked to policies is training management. Training is done on policies. I do not think you will find any compliance and ethics training that is disconnected from a policy. As a result, organizations are looking for solutions that integrate policy and training management into the same portal, where employees can read a policy and take the training in the same portal and interface without jumping to different systems. There is also a need to be able to manage compliance communications and campaigns that might bundle elements together, and to manage the communications and activities over the calendar year.
  • Compliance forms and disclosure management. Compliance has tons of forms. Forms that have to be filled out by individuals and routed for review and approval/disapproval. Forms such as conflicts of interest, gifts and entertainment, and more. These are often referred to as disclosures, but forms can be more than that. This is an area where organizations make mistakes and purchase siloed solutions. They should be looking for an overall integrated solution that allows for the creation and management of the range of compliance forms and disclosures. These also connect with policies and training, as well as hotlines and issue reporting.
  • Issue intake. The organization has to have the ability to intake and process compliance and ethics issues. This is a range of intake from hotlines, anonymous web reporting, customer complaints (and other complaints), and management reports. The organization needs structured forms and processes to intake issues and filter them into a review and triage process to identify cases that need to be responded to.
  • Case management. Investigations are a key function of compliance and ethics professionals. The organization has to have structured and documented investigations covering how a case was reported, investigated, and resolved. This is a critical piece of a strong compliance and ethics architecture, and information from cases should cross-reference and identify where assessments were missed, policies were violated, and training was not effective. Insight into issues and cases provides critical information to address the whole compliance and ethics program.
  • Third party management. The modern organization is not defined by brick and mortar business and traditional employees. It is a complex web of suppliers, vendors, outsourcers, service providers, consultants, contractors, temporary workers, brokers, agents, dealers, and intermediaries. Compliance and ethics issues within third parties are the issues of the organization. This requires structured compliance and ethics processes for onboarding, ongoing monitoring, and offboarding of third parties with due diligence, assessments, policy attestations, training, and issue reporting.
  • Regulatory exam and audit management. Compliance regularly comes under the scrutiny of external audits and regulatory exams. A key piece of a compliance information and technology architecture is the management and documentation of audits and exams.
  • Reporting, analytics, and dashboards. The key focus for many right now is the ability to have real-time insight and reporting into compliance and ethics management. The recent DoJ Guidance specifically challenges organizations on this capability. Strong reporting and analytics require an integrated information architecture that can see across all of the areas listed here and see the complex relationships between them. Organizations need 360° situational awareness of compliance and ethics across all of these areas. This cannot be achieved with manual processes or siloed applications for compliance.
  • Compliance program and project management. Compliance and ethics is challenging. There are a lot of assessments, changes, and things to monitor. The compliance and ethics department needs an overall command and control center to see all the compliance projects, tasks, assessments, and activities; to manage compliance personnel and see their workload and specialties; and to identify who can address a new development or issue. When the organization is in the midst of significant change, such as mergers and acquisitions, it needs to be able to manage this change as an overall project with tasks, activities, deadlines, and overall dependencies.
  • Evidence trail. Compliance today has to be more than well-written policies and fiction. Compliance and ethics needs to be a reality. Regulators, law enforcement, opposing counsel in a lawsuit, auditors . . . they want you to demonstrate compliance. Organizations need structured and defensible records of all compliance activities and interactions. Documents, spreadsheets, and emails do not deliver this – you can manufacture records with documents, spreadsheets, and emails. Defensible audit trails and a system of record that can stand up in court with non-repudiation are what is needed today.
  • Mobility. We started with engagement, we will end with engagement. Mobility is a key aspect to all of this. Compliance interfaces for policies, training, forms/disclosures, and issue reporting are all needed on smartphone and tablet interfaces to engage employees wherever and whenever they are.

There is a lot more that can be added to this, and each of the areas listed has a whole range of requirements that are needed in today’s compliance and ethics function. This is just a summary to paint the big picture. A big picture that should indicate that compliance and ethics processes need to be approached strategically with an integrated information and technology architecture. Organizations approaching this with manual processes or siloed solutions that do not integrate are headed toward the INEVITABILITY OF FAILURE.

GRC 20/20 is a research and analyst organization that specializes in evaluating and understanding the range of governance, risk management, and compliance solutions available in the market. If you have questions on compliance and ethics strategy, process, and technology in your organization . . . use our complimentary inquiry form to ask us your question as we objectively cover what is available across the market and what differentiates different players. Our focus and experience specializes in corporate compliance and ethics. Solution and service providers can request a briefing to update us on their solution.


At the Cross-roads: A Tale of Four Third Party GRC/Risk Management Roads to Travel

The naturalist John Muir stated, “When one tugs at a single thing in nature, he finds it attached to the rest of the world.” This not only applies to nature but also to the reality of the Extended Enterprise in today’s complex and interconnected world. What seems to be one third-party risk cascades and interconnects with a variety of other third-party risks and relationships.

Recently I was talking to a global automobile manufacturer about their third-party risk program. Their challenge was that they need a fully integrated view of third-party risk. Over half of their operations are no longer defined by brick and mortar walls and employees, but are an array of suppliers, vendors, outsourcers, service providers, contractors, consultants, and more. These third parties work on and are part of internal processes and transactions that employees traditionally filled. When it came to governing and managing risk in these relationships, they felt exposed as they did not have a holistic view of third-party risk. Different departments – IT security, procurement, legal, compliance, and others – each had their individual view of risk, but no one had the complete or aggregate view of risk in any relationship.

Organizations today need a holistic 360° view into third-party risk to be able to see the aggregate view of risk in any one relationship as well as across relationships. The challenge is they often select the wrong technology architecture to support an integrated view of risk . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ARAVO BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]


Driving Efficiency into Compliance & Ethics Processes: Time Saved = Money Saved

Managing compliance and ethics has become a complex web of processes and information. The modern organization is constantly changing: new employees, shifting employees and responsibilities, evolving business processes, new and changed regulations/obligations, growing ethical concerns, and greater scrutiny from stakeholders, customers, law enforcement, and regulators.

The challenge of compliance and ethics grows more confusing when you look at the scattered approaches and departments. An organization may have a Chief Ethics and Compliance Officer (CECO), but compliance can be scattered. The CECO may be focused on code of conduct, anti-trust, anti-bribery and corruption, conflicts of interest, and more. But other departments have their compliance concerns and approaches such as human resources, information security, privacy, quality, environmental, health and safety, and more.

At the core, there are very similar processes for compliance assessment, issue reporting and hotlines, policy and training management, and case management . . . but each . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]


Compliance & Ethics is Rapidly Evolving

Evolution and change happen: sometimes slowly, sometimes rapidly. In the context of compliance and ethics programs, we are seeing a significant and rapid evolution of what is expected of organizations. Organizations are required to have a structured and functional compliance and ethics program that monitors compliance continuously in the context of operations, transactions, and people. A program that is no longer bound by manual processes and point-in-time evaluations, but one that is built on a common strategy, process, and technology architecture to deliver 360° contextual and situational awareness of compliance and ethics.

This is evident in, and being driven forward by, the recent United States Department of Justice (DoJ) guidance on the Evaluation of Corporate Compliance Programs. The DoJ has regularly provided guidance on what is expected of compliance programs. They released guidance in 2017, then again in 2019, and now the latest in June 2020. They have also released previous guidance in specific compliance areas such as anti-bribery and corruption, with expectations in the context of the U.S. Foreign Corrupt Practices Act.

The DoJ guidance governs criminal compliance actions against organizations. But do not let this limit your understanding and the influence of this guidance. The influence of this guidance is broad and applies across industries, across organizations of various size and scale, and has a cascading impact on other jurisdictions, enforcement agencies, and regulators globally. The DoJ guidance has a symbiotic impact and influence that integrates with the U.S. Sentencing Commission Organization Sentencing Guidelines, and influences and filters into the guidance and exams of regulators. It has a global impact as it sets the benchmark and requirements of firms that operate in the U.S. but have to structure compliance programs around the world.

This latest guidance, in a nutshell, requires that organizations have a cohesive compliance strategy, process, and particularly technology architecture. The strategy and process requirements are spelled out in the document, with one of the most significant changes being the revision made to the second of three key questions that frame the evaluation of compliance programs:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

The second key question specifically added the words ‘adequately resourced and empowered.’ Organizations cannot get by with a token compliance and ethics program; they have to demonstrate a commitment to compliance where proper funding, resources, and staff are provided to ensure that the organization stays within the boundaries of law and regulations.

What is very apparent throughout the document is that this empowerment of compliance programs can no longer be served by manual processes with documents, spreadsheets, and emails. Organizations need a compliance technology architecture that delivers real-time visibility into compliance in the context of operations and transactions. Point-in-time assessments are not good enough. A thorough and defensible audit trail and system of record is also needed for compliance, something that documents, spreadsheets, and emails fail to provide, as they do not have a strong audit trail that is defensible in court. It is too easy to manufacture evidence of compliance in documents, spreadsheets, and emails, and regulators and enforcement agencies are homing in on this.

The guidance specifically points out that prosecutors are to examine “the comprehensiveness of the compliance program” to ensure the program is:

  • Well-integrated into the company’s operations and workforce
  • Based upon continuous access to operational data and information across functions (as opposed to point-in-time assessments that only provide a periodic review limited to a snapshot in time)
  • Operationally integrated with policies in the context of employees’ roles/functions and the internal control systems
  • Governed with third-party management that is risk-based and integrated
  • Effectively implemented, reviewed, and revised, as appropriate, in an effective manner and is not simply a “paper [document] program”

Some key components to an effective compliance program that the guidance is looking for are:

  • Policy management. The words ‘policies’ or ‘policy’ are mentioned 31 times in the 20 pages of the document. Organizations need to have defined policy management processes supported by strong technology to manage policies and engage employees on policies. There is a whole section in the document on policies, but policies are referenced throughout the document. Policies are the backbone of a compliance and ethics program and need to be managed, communicated, and maintained in organizations. Without policies, the entire compliance and ethics program falls apart. It is the foundation everything is built upon; it intersects with and supports other parts of the compliance program such as third parties, hotlines/reporting, cases/investigations . . . it all comes back to what the policies are. Specifically, the guidance requires:
    • Policies are properly designed and maintained
    • Policies are comprehensive and monitored
    • Policies are accessible and in a searchable format [in a portal]
    • Policies are operationally integrated
    • Policies have an evidence trail of who interacted with them, not just who attested to them. The guidance wants to know if the organization can show how often and by whom policies were accessed on a portal: a documented evidence trail of interaction on policies. I was talking to a global organization (100,000 employees) earlier this week on this. They feel the DoJ guidance requires that they move from their SharePoint portals for policy to a defined policy management system with a structured process and reporting to meet these requirements.
  • Compliance risk management. The guidance requires that organizations have a structured approach to managing compliance risks with risk identification, assessment, and maintenance of defined compliance risk profiles. Prosecutors are to consider the “effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on risk assessment.” My particular favorite compliance risk assessment methodology is a bow-tie risk assessment. It requires that organizations have a:
    • Structured compliance risk management process
    • Risk-tailored resource allocation to focus on the most significant compliance risks
    • Regular updates and revision to compliance risk assessments
    • Lessons learned processes to minimize risk from the company’s own experience as well as from peers.
  • Training and communication. Individuals not only need to be aware of policies, but they also need to be properly trained on policies. Note the whole section on training and communication centers on policies. It boggles my mind why so many organizations have separate policy portals and training portals. Training, from a compliance and ethics perspective, is on policies. This means organizations should have a portal that brings policies and training together in the same portal. Policies drive the training, not the other way around. Training needs to be risk-based so that high-risk policies, in context with high-risk roles/functions, are properly trained in the context of the compliance risk exposure and policies.
  • Third-party management. The guidance is fully aware that the modern organization is not defined by brick and mortar walls and traditional employees. The modern organization is the extended enterprise, in which there are nested relationships of vendors, suppliers, contractors, outsourcers, service providers, consultants, temporary workers, brokers, agents, dealers, and intermediaries. The guidance specifically focuses on whether due diligence and third-party monitoring are done just during onboarding or throughout the lifecycle of the relationship. Organizations need to be able to manage and monitor compliance risk in third-party relationships throughout the relationship. The guidance also looks at whether compliance knows the rationale and purpose of the relationship, in addition to the risk of the relationship. Organizations need “ongoing monitoring of the third-party relationships, be it through updated due diligence, audits, and/or annual compliance certifications by the third party.” This process needs to be risk-based and integrated, have appropriate functioning controls in the relationship, be properly managed and monitored, and demonstrate real actions and consequences when issues arise in third-party relationships.

These are some highlights; other areas that the document goes into include:

  • Hotlines and reporting – confidential reporting structures and investigation process
  • Compliance in the context of mergers and acquisitions
  • Compliance commitment by senior and middle management
  • The autonomy of the compliance function
  • Incentives and disciplinary measures
  • Does the compliance program work in practice
  • Continuous improvement, periodic testing, and review
  • Role of internal audit
  • Investigations of misconduct
  • Analysis and remediation of any underlying misconduct with a root cause analysis

Is your compliance and ethics program up to the task to meet the DoJ evaluation guidance? Do you have the strategy, process, and technology to deliver and operationally integrate compliance in your organization?

I am seeing a huge focus right now in response to this guidance and other compliance demands that is causing a rapid evolution and maturity in compliance strategy, process, and particularly a comprehensive technology architecture that can deliver a 360° contextual and situational awareness of compliance and ethics.


Managing Risk Creatively & Structurally

I think best in the abstract and imaginative. My mind is wired to be more intuitive and see relationships and images. I am more like my mother. My brother, he is like my father – wired for math and numbers. I have been competent with math, but it is not what engages me. While my father and brother were CPAs, I pursued theology and law. Just like we are left or right-handed in our dexterity, we also tend to be either left-brained (structured and analytical thinker) or right-brained (unstructured and creative). I would like to think that I am ambidextrous in my brain, but I know I favor the right side of my brain.

When we think of risk management we often think of structured approaches with complex models, mathematics, and analytics. We dive into the world of Monte Carlo analysis and Bayesian modeling. There are calculations such as Capital at Risk (CaR) or Value at Risk (VaR). The field of risk management has been dominated by left-brain thinking. Does being a right-brain thinker make me bad for risk management? I do not think so.

Let’s step back and look at what risk management is. If we use the ISO 31000 definition of risk: risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. My objective could be to cross the street; it is from there that I analyze and look at the uncertainty in crossing the street. Is the light red or green? Is there oncoming traffic or other moving threats? How fast are the threats coming? Does it look like they see the light? What are the conditions of the road? Is it slippery or dry? We analyze risk in the context of the objectives.

In the business world, we have all sorts of objectives. They can be strategic entity level objectives for profit, growth, expansion. They could be division or department objectives. They can then drill into process, project, or even asset level objectives. We need to understand and manage the risk (uncertainty) in achieving those objectives. This requires both left-brain and right-brain risk thinking.

Historically, risk management has been dominated by left-brain thinking on risk. We have structured risk models, simulations, and analysis. We try to put uncertainty/risk in a box. As long as that box roughly resembles reality, our analysis is to some degree fairly sound. Good risk management requires structured thinking about risk and using models. As Sir Arthur Conan Doyle stated, “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”

I argue that this is not enough. Good risk management does need structured data and analysis, but it also needs to think about risk creatively. Business is complex and dynamic. There are so many variables that can hinder us from achieving objectives. Some of these can be fairly evident and common sense; some can be very abstract, remote, and down in the weeds of the organization. That requires creatively thinking about risk and risk event scenarios. Look at the world around you: what started as a health and safety risk in Asia has had a great impact on objectives at all levels around the world. It has cascaded and increased risk exposure to objectives; it has increased risk exposure to IT security, physical security, morale, harassment and discrimination, fraud, bribery and corruption, and more [check out my blog on this last week: The Pandemic & the Dominos of Risk Interconnectedness]. This requires us to explore intuitively the complex relationships of risks to other risks and objectives. In the words of Alvin Toffler, “You can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.”

Creatively thinking about risk requires good risk models from the structured risk thinkers, but then to think outside the box on how those models break down or what they do not cover. Right-brain risk thinking involves a lot of visuals of risk and going through risk scenarios. From a risk analysis point of view, I love bow-tie risk assessments. Monte Carlo simulations and such are valuable, but they also put me to sleep. I love the mind mapping analysis of a bow-tie risk assessment to visually analyze causes and effects, come up with things that are being missed, and look for ways to mitigate, transfer, and manage that risk to an objective.

Technology enables not only the left-brain structured risk thinkers but also the right-brain creative risk thinkers. Some key things to look for in enterprise risk management technology are:

  • Performance management. Any good risk management solution does not start with risk but starts with performance. What are the objectives the organization is trying to achieve and then what are the risks to those objectives? Again, these can be entity, division, department, process, project, or asset level objectives.
  • Risk mapping. Can the solution enable multi-dimensional mapping of risk and objective relationships in a many-to-many fashion?
  • Risk visualization. Does the solution deliver rich risk visualizations, maps, charts, graphs, and modeling to engage both the left and right-brain risk thinkers?
  • Risk quantification. Does the solution deliver structured risk analysis through things like Monte Carlo simulations that can give you solid objective information on risk probability and impact?
  • Risk scenarios. Does the solution allow you to create multiple risk scenarios and document and measure multiple impacts and exposure to a risk event to look at various outcomes on different scales?
  • Risk normalization and aggregation. This often gets missed. Does the solution allow for risk normalization and aggregation? What happens when one department’s/project’s high risk is comparable to another department’s/project’s low risk? From an enterprise risk management perspective, it is necessary to be able to compare apples to apples and not apples to oranges.
  • Risk workshops. Can the solution support and deliver in-person or virtual risk workshops to analyze and work through risk scenarios collaboratively?
  • Risk creativity. This last one is hard to define specifically, as it is abstract itself. Simply, how does the solution enable and engage right-brain risk thinkers to see a lot of pieces/elements of risk in different ways to identify complex outcomes and interdependencies?

What type of risk thinker are you: left-brain or right-brain? I would love to hear your thoughts on this.

BTW – as an analyst, I cover the range of GRC solutions in the market. I can always be engaged through inquiry to interact and discuss which solutions I see delivering on these and other relevant criteria for risk management.


Upcoming Webinars . . .

The Future of Compliance: A Virtual Summit

  • June 17 @ 7:00 am – 11:30 am CDT – COVID-19 has challenged companies and their compliance departments in unprecedented ways. Without your expertise as a compliance professional when it comes to the people, processes, and technology needed to ensure continued collaboration? The business ecosystem could literally break down overnight. The governance, risk and compliance community is going to lead the way out of this […]

Risk Management to Support Operational Resilience

  • June 17 @ 11:00 am – 12:00 pm CDT – Speaker: Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 27+ years of experience, Michael helps organizations improve […]

Adapting to Pandemic Disruption: TPRM Lessons Learned

  • June 18 @ 9:00 am – 10:00 am CDT – Now more than ever, companies rely on suppliers for key business functions. In the midst of disruption, it’s critical to have a third-party risk management (TPRM) program to pinpoint at-risk suppliers and help your organization minimize risk, all while improving business resilience. To achieve this, organizations need an integrated view across all risk domains, including […]

How COVID-19 Learnings Will Shape the New Normal of Risk Management

  • June 18 @ 11:00 am – 12:00 pm BST – Thursday 18th of June – 11am BST (London) / 8pm AEST (Sydney) Join Michael Rasmussen and David Tattam as they share their views on how risk management will change as a result of our very real and often sobering COVID-19 experiences. In this webinar, we’ll cover: What the “new normal” will look like for risk […]

Minimize Growing Data Risks: Best Practices for Legal Leaders

  • June 24 @ 12:30 am – 1:00 am CDT – In the coming months Legal Leaders will be tested with a variety of challenges around how businesses are managing their data. More remote workers mean that more data is stored in the cloud. New data privacy laws (CCPA, GDPR) mean additional requirements for managing data. In this upcoming webcast, hear from legal leaders like yourself […]

Why Policy Management Matters

  • July 30 @ 10:00 am – 11:00 am CDT – Speaker: Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 27+ years of experience, Michael helps organizations improve […]

Privacy, Pandemics, and Business Change…OH MY!!!

The world is in turbulence all around us. What started as a health and safety issue in Asia has had a cascading impact around the world. Economic uncertainty, health and safety, work from home, IT security issues, continuity, and operational resiliency…it is like an intricate pattern of dominos falling over.

In response to the pandemic, business has changed. Business processes have changed, organizations are supporting remote home working on a huge scale, and economic and health constraints have businesses operating with a reduced workforce, with employees sharing responsibilities and wearing multiple hats. A time of change and crisis leads to compliance exposure.

One critical area of compliance risk exposure is privacy compliance. As business processes change in context of the pandemic, the flow and use of personal information has also changed.

The pandemic’s threats to data privacy

Access to personal data is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]


The Pandemic & the Dominos of Risk Interconnectedness

Risk, according to ISO 31000, is “the effect of uncertainty on objectives.” Uncertainty is all around us in 2020. Organizations go through a lot of effort to try to put a label on specific risks, but the reality is risk is too complex to put into a container and label it. An organization cannot look at risk in silos of labels as it fails to see the interconnectedness of risk.

A risk event has a domino impact on the organization. What starts with one domino of risk has a cascading impact on other risks. Consider the current global crisis and pandemic of COVID-19. It started as a health and safety risk coming out of Asia. However, it has had a cascading impact, causing other risks to materialize and change in ways that affect the organization. It cannot be managed in isolation but has to be understood in the complex web of interconnections of risk and objectives that play out from it.

What originated as a health risk in a community in Asia now has a global impact that goes far beyond just an illness. Consider the following:

  • Risk to objectives. As the pandemic unfolded, every organization saw a specific impact on its business objectives. Adapting to the crisis, businesses had to modify their objectives. Entity, divisional, department, process, project, and asset level objectives have been modified, and risk exposure in the uncertainty of hitting both original and modified objectives is in a state of volatility with the pandemic. This plays out from the economic and business impacts of the virus.
  • Risk of operational resilience and continuity. Organizations have increased exposure to their operations and delivery of business processes. Business continuity in many organizations had an isolated focus on IT security and disaster recovery and was not prepared for a pandemic of this nature. They were ready for a computer virus, but not a global people virus. As employees were cut, processes were changed, and a focus on work from home put in place . . . the organization scrambled and faced growing uncertainty and exposure.
  • Risk of information security. With the focus on supporting a broad work from home strategy, the organization faced increased exposure to IT security issues. Home office environments are often not secure. With the Internet of Things (IoT), the light switch, vendor, or TV in the employee home could be a source of exposure to company data and connections. Further, hackers and organized crime have taken the crisis as an opportunity to infiltrate organizations and steal data.
  • Risk in third party relationships. It is typical that half of the organization is not traditional employees. Brick and mortar walls and employees no longer define the organization. Today’s organization is a complex web of nested relationships spanning suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, and intermediaries. We have seen significant issues where service providers and outsourcers have completely shut down because of lockdowns and are unable to support organizations and deliver services. We have seen constrained supply chains and the inability to deliver goods.
  • Risk of company culture and control. With rapidly changing processes to address the pandemic, the organization is lacking controls or navigating around controls. With reduced staff, employees are wearing multiple hats and there is greater exposure from segregation of duty conflicts. Employees themselves are concerned about the economy and their (and their loved ones’) well-being and security. Working from home offices and not in the corporate buildings means further insecurity for many.
  • Risk of fraud. In uncertain economic times and the unfolding of a recession, employees are under more stress to make ends meet. Employees who might never think of stealing/committing fraud during normal times may choose the wrong path when faced with the economic stress and uncertainty they now face.
  • Risk of bribery and corruption. Constrained supply chains and pressure to meet objectives increase the risk of bribery and corruption. With customs, imports, and exports coming to a crawl in some countries, there is greater risk and exposure that someone may pay a foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done.
  • Risk of modern slavery and human rights. We see the unrest of human rights all around us right now. What was an issue before the pandemic has exploded further because of the pandemic. But it goes beyond civil rights and treatment of people groups by those in authority, it also extends into our facilities and supply chains. The pandemic has hit certain areas of the world hard. Factories have lost employees to illness and death. As a result, there is increased staffing with child or forced labor and unwanted working conditions.
  • Risk of harassment and discrimination. Unrest is abounding. Stepping beyond the protests right now, there was growing discrimination happening because of the virus and a focus of anger on ethnic groups (particularly Chinese, where the virus started). People working from home and not in normal office conditions do not understand that the same rules apply. Communications such as email, text, and video calls have become more relaxed, and individuals are crossing boundaries and making statements that are sexual harassment.

I can go on and on and on. I have not touched privacy risk, compliance exposure and inability to meet compliance requirements because of changed business processes, and so much more.

The point is that risk is interconnected. Organizations need to map and understand the interconnectedness of risk. Risk management requires scenario planning as well as tabletop exercises to creatively walk through how risk unfolds, where uncertainty and other risks can develop, and how objectives are impacted. I personally love bow-tie risk analysis to explore these connections and relationships.

Organizations cannot manage risk in isolation. They need an enterprise view of risk that sees the interconnections and impact of uncertainty on objectives. They need a top-down approach to risk management that looks at objectives and the risk and uncertainty to those objectives. They also need a bottom-up approach that looks at the details of risk down in the weeds of business processes and transactions. Good risk management will also bring together both risk quantification and qualification, and it requires left-brain structured thinking as well as right-brain creative thinking on risk and impact. Enterprise risk management also needs to be balanced and not held captive by one department, like IT security, as the risks the organization and the world face are complex and interconnected.


Effective Risk Management in Context of the Pandemic

The COVID-19 pandemic has caught a lot of organizations by surprise. But, should it have?

We have had pandemics in the past—history teaches us this over and over. The World Economic Forum has regularly reported pandemic risk on their global risk reports over the years. Political and business leaders have warned us of pandemics. 

So, why has it caught so many organizations off guard?

The problem: an unbalanced view of ERM

The reality is that organizations have not had a balanced view of enterprise risk. Too many enterprise risk management programs (including corporate risk management and operational risk management) have been focused on highly visible risks, such as IT security, while not paying attention to the significant, but low-likelihood, risks like a pandemic. 

Risk management will fundamentally change because of the COVID-19 pandemic. We will see a lot of enterprise risk management (ERM) programs become . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE WORKIVA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]


GRC Supper Club: Operational Resiliency and the Interconnectedness of Risk

The past two months have been a crazy whirlwind of webinars, phone calls, and video meetings. Organizations the world over have been asking for calls on how to respond to the pandemic from a GRC perspective, and what the world of GRC will look like and how corporate governance, enterprise risk, and compliance and ethics management will change coming out of the pandemic. From 5:00 am to midnight here in Milwaukee, it has been a full sprint. RFPs, shortlists, strategy calls, competitive analysis of solutions, input on strategy, to market sizing and forecasting of GRC segments for solutions and services . . . it is a crazy time. I have done more webinars in two months than I normally do in an entire year.

One of the fun and unique engagements I did was the GRC Supper Club last week! This is an event that is normally done in person in the United Kingdom and led by my friend Lee Edge. With the pandemic it went virtual. So while the amazing host and many of the attendees were enjoying dinner and drinks in their homes in the UK and Europe, a few others and I were doing lunch here in the United States.

Lee moderated the event, and I was one of three panelists for the virtual GRC Supper Club (you can access the recording for the virtual GRC Supper Club here). While we were speaking, Lee had an artist capturing the conversation and insight and putting it into the graphic you see above. I love how the graphic turned out! It captures so many of the points and analogies I brought up in the virtual GRC Supper Club. These are (working across the top and then clockwise around the bottom):

  • The Pandemic is NOT a Black Swan Event. I stated that being unprepared for risk does not make it a black swan. There were plenty of warning signs, history of events, and people and organizations speaking out on the potential for a pandemic. It does not meet the requirements of a black swan event. I blogged on this here: Being Unprepared for the Crisis Does Not Make it a Black Swan.
  • A Tale of Two Futures. Playing on the Charles Dickens novel, Tale of Two Cities, I discussed in the GRC Supper Club how we have a tale of two futures: we are headed toward either a Blade Runner dystopia or a Star Trek future. The choices organizations make today on the environment, climate change, and health and safety impacts what future we are headed toward. I blogged on this here: Tale of Two Futures: Blade Runner or Star Trek?
  • The Interconnectedness of Risk & Chaos Theory. Looking at the bat stating, “I am no butterfly but I’ve had a big impact” was in reference to my discussion in the Club about the interconnectedness of risk and how small things matter. I referenced Chaos Theory and the Butterfly Effect in which the flutter of a butterfly’s wings in Amsterdam can influence the development and path of a hurricane in the Gulf of Mexico. What started with a bat at a wet market in China has had a worldwide impact that is more than a health and safety risk but cascades into economic risk, strategic risk, supply-chain third party risk, security risk, geopolitical risk, IT security risk, modern slavery and human rights risk, bribery and corruption risk, and even harassment and discrimination risk (I detail all of this in the Supper Club recording). I have blogged on this here: Navigating Chaos.
  • Cover Your Behind & IT Risk. This part of the illustration detailed my discussion on how too many enterprise and operational risk management programs have been operating with a myopic and overly focused view on IT security risk. IT security is a huge risk, but there are other significant risks the organization faces that have not got the same level of attention. Look at the world around you and nothing more needs to be said. IT security has been the dominant risk focus in ERM and ORM programs at the cost of other risks like environmental, health and safety, and quality. I make reference to this in this blog: Forrester GRC Wave = Tsunami of Confusion.
  • The Titanic of Risk. Next in the GRC Supper Club illustration and discussion, I referenced the illustration of the Titanic. This is an analogy I have been using in presentations for nearly 15 years. It is about all the risk exposures that contributed to the disaster of the Titanic, including environmental, overconfidence, third party risk issues, lack of control, health and safety, oversight, and more, further illustrating the interconnectedness of risk. I have blogged on this here: The Titanic: An Analogy of Enterprise Risk.
  • Right-Brain & Left-Brain Risk Thinking. In the lower right corner of the illustration you can see my dialogue during the GRC Supper Club in which I shared that good risk management involves both right-brain thinking and left-brain thinking. Too often we focus on the left-brain side of risk models and analytics, but good risk management also involves the out of the box creative thinking on risk and scenarios. I have blogged on this here: Managing Risk in Dynamic & Distributed Business.
  • Environment, COVID & The World. This part of the illustration was in reference to my comments on the Economist cartoon from a few weeks back in which the world is fighting COVID in the boxing ring but a much bigger opponent of the environment and climate change is about to step into the ring.
  • IT Security and the Home Office Blender. At this point in the GRC Supper Club I was discussing the IT security threats in the home office/work from home environment with the Internet of Things (IoT). I detailed how in my home in Milwaukee I have outlets, TVs, and even a blender that are connected to the Internet. If one of these devices has a vulnerability, or worse, a trojan horse, this could compromise organization data and connections.

It was a great event! There are two upcoming VIRTUAL GRC Supper Clubs you can register for, though I am not speaking on these. Hopefully, it will be back to in-person dinners in the United Kingdom soon . . .


Delivering 360° Contextual Awareness of Your GRC Program

Governance, risk management, and compliance — what we refer to collectively as GRC — is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Over the past twenty years, we have seen technology evolve and mature to assist organizations in achieving this definition of GRC.

This evolution of GRC technology started with engaging the back-office functions of GRC, what we often call the second and third lines of defense. These are the risk, compliance, security, internal control, and audit/assurance departments that manage and monitor areas of GRC day in and day out.

Over the past several years, we have seen GRC technology grow and also spread to engage the front-office of the business, as well as all levels of management. These are the people that own risk and controls and are making risk and compliance decisions throughout the day. When you think about it, GRC is not about the back-office departments of GRC but about the front-office engagement and commitment to GRC. This moved technology into the Agile GRC era that focused on usability and experience to make GRC relevant for the front-office of the business — not just the back-office of traditional GRC functions and roles.

We are now moving into the era of Cognitive GRC. This extends . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RUBIQ BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]