Enabling 360° Intelligence of Third-Party Relationships

The Organization: an Interconnected Web of Relationships

No man is an island, entire of itself; Every man is a piece of the continent, a part of the main.

From English poet John Donne’s Devotions Upon Emergent Conditions (1624), Meditation XVII.

Substitute ‘man’ with ‘organization’ and seventeenth-century English poet John Donne could be describing the post-modern twenty-first century organization: no organization is an island unto itself, every organization is a piece of the broader whole.

The structure and reality of business today has changed. Traditional brick-and-mortar business is a thing of the past; physical buildings and conventional employees no longer define the organization. Instead, the modern organization is an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries and nest themselves in layers of relationship complexity. Even the smallest organization can have dozens of relationships that they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers.

With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships is critical. Without effective governance of the extended enterprise, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives. 

In a dynamic risk environment, resiliency requires agility and the ability to navigate uncertainty in business relationships. Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence across risk domains with insights to both assess the current and future risk landscape and drive sagacious action. 

The Inevitability of Failure: Fragmented Views of Third-Party Risk

Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices with limited to no risk intelligence. Recent technological advances in automation, natural language processing, machine learning, and data science enable organizations to be more effective and do more with fewer resources. Unfortunately, too many organizations have failed to seize the opportunity to evolve beyond expensive and inefficient legacy solutions.

Failure in third-party risk management comes about when organizations rely on outdated risk practices with limited to no risk intelligence, including: 

  • Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and an agile information and intelligence architecture. The risk posed by a third party for one business function may seem immaterial but is significant when factored into multiple risk exposures across all the business functions monitoring other risks of the same third party. Without a single pane of risk intelligence visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated, introducing more risk.
  • Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. While risk functions are operating with limited budgets and human teams, they need to do more with less. Truly effective continuous risk intelligence monitoring of today’s dynamic and ever-expanding risk landscape is beyond human capabilities alone and requires Cognitive GRC technologies that leverage artificial intelligence such as natural language processing, machine learning, predictive analytics, and robotic process automation. 
  • Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data and lack of integrated risk intelligence content. In addition, when things go wrong, these manual processes neither support agility nor a robust feedback loop to improve processes going forward.
  • Limited view of risk vectors. Organizations often rely solely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location and Nth party risk exposure. To fully understand the complete risk picture, an organization needs to have full-spectrum risk coverage of risk intelligence content.
  • Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, thus making it difficult to maintain, aggregate and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs. 
  • Overreliance on periodic assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship with only periodic re-assessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.
  • Silos of risk intelligence services overwhelm risk teams. Risk intelligence has the potential to overwhelm organizations. Information feeds from various sources such as legal, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators can drown the risk team as they struggle to monitor a growing array of regulations, legislation, corporate ratings, geopolitical risk, and enforcement actions. Risk intelligence that requires weeding through an exorbitant volume of notifications that includes noise and false positives to identify relevant risks only compounds the problem. One needs an intelligent system that can deliver accurate and actionable insights and remove the noise.

When the organization approaches third-party risk management in scattered silos that do not collaborate with each other, there is no possibility of being intelligent about third-party performance, risk management, compliance, and impact on the organization and ESG. Without a coordinated third-party risk intelligence strategy, the organization and its various departments never see the big picture.

The bottom line: The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure and blind spots. It is time for organizations to step back and move from legacy practices, defined by manual processes, periodic assessments, and silos of risk intelligence content to a third-party risk intelligence solution that includes integrated full-spectrum real-time feeds of situational awareness of the organization’s extended enterprise. 


GRC 20/20 has the following upcoming Third-Party Risk Management by Design Workshops in the next few months that dive deep into this topic of a holistic view of third-party risk . . .

Chicago: March 30 @ 12:00 pm – 6:00 pm CDT 

New York: April 25 @ 12:00 pm – 6:00 pm EDT 

San Francisco: May 2 @ 12:00 pm – 6:00 pm PDT 

Houston: May 4 @ 12:00 pm – 6:00 pm CDT 

Enabling Closed-Loop Regulatory Compliance

Tsunami of Change Overwhelms Compliance

Managing and keeping up with change is one of the greatest challenges for financial services organizations in the context of compliance management. The dynamic and interconnected nature of regulatory change and how it impacts the organization are driving strategies to mature and improve regulatory change and compliance management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated compliance management strategy within the organization.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions. It is continuous, dynamic, and disruptive. Consider the scope of change financial services organizations have to keep in sync:

  • External risk environments. External risks – such as market, geopolitical, societal, competitive, industry, and technological forces – are constantly shifting in nature, impact, frequency, scope, and velocity. 
  • Internal business environments. The financial services organization must stay on top of changing business environments that introduce a range of operational risks, such as changes in employees, processes, relationships, mergers & acquisitions, strategy, and technology. Any of these changes can take an organization from a state of compliance to non-compliance in its processes, controls, and people.
  • Regulatory environments. Regulatory environments governing financial services organizations are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rulemaking activities, and more has organizations struggling to stay afloat.

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone managing how they impact each other. Organizations can devote human and financial capital resources to keeping up with regulatory change, but that does not make them compliant if that change is not consistent and in sync with business and risk change. Change in economic or market risk bears down on the organization as it impacts regulatory oversight and requirements. Internal processes, people, and technology continuously change, and regulatory requirements need to be understood in the context of business change. As these internal processes, systems, and employees change, this impacts regulatory compliance and risk posture.

Change is an intricate machine of chaotic gears and movements. Keeping current and aligned with change is one of the greatest challenges to compliance management strategies within organizations.

Compliance Overwhelming the Organization

Compliance management, and in this context regulatory change management, is overwhelming organizations. Financial services firms are past the point of treading water as they actively drown in regulatory change from the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting are a moving target as organizations are bombarded with thousands of new regulations, changes to existing regulations, enforcement actions, and more each year. Regulatory change impacts the organization as it reacts to:

  • Frequency of change. In the past five years, the number of regulatory changes has tripled while the typical organization has not increased staff or updated processes to manage regulatory change.
  • Regulatory contexts. Regulatory change is not limited to one jurisdiction but is a turbulent sea of change across the country and around the world. Regulations have a global impact on organizations and markets. Inconsistency across regulations from jurisdiction to jurisdiction brings complexity to regulatory compliance. 
  • Inconsistency in regulations. Managing compliance and keeping up with regulatory change, exams, and incident/complaint reporting requirements becomes complicated when faced with inconsistent requirements. Regulatory jurisdictions have varying approaches and requirements. There are often conflicting requirements in regulations and other laws impacting organizations across jurisdictions.
  • Expansion into new markets. It has become complex for organizations to remain in different markets as well as enter new markets. The pressure to expand operations and services is significant as the organization seeks to grow revenue and be competitive, but at the same time they are being constrained by the turbulent sea of changing regulations and requirements.
  • Focus on risk assessment. Regulatory compliance is increasingly pushed to integrate with broader enterprise and operational risk strategies with a focus on delivering specific assessment of compliance risks. For example, regulators in the US seek to ensure that compliance officers do compliance risk assessments. This is also a theme picked up on by law enforcement agencies like the U.S. Department of Justice (DoJ) and the Securities and Exchange Commission (SEC). The courts, with the United States Sentencing Commission, also evaluate the culpability of an organization on compliance based on compliance risk.
  • Hoard of regulatory information. Organizations are overwhelmed by information from legal alerts, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings/rulings, and enforcement actions. The volume and redundancy of information adds to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of regulatory change and appropriate response. Organizations must search for the marrow of regulatory details and transform it into actionable intelligence, which can be acted upon in a measurable and consistent manner.
  • Defensible compliance. Regulators across industries are requiring that compliance is not just well documented but is operationally effective. This can be seen in the latest DoJ Evaluation of Compliance Program guidance.[1] Case in point: Morgan Stanley was praised by regulators as a model compliance program and was the first company in 35 years of the Foreign Corrupt Practices Act’s (FCPA) history to not be prosecuted despite bribery and corruption in its Asian real estate business. One of the points the Securities and Exchange Commission (SEC) and Department of Justice (DoJ) referenced was Morgan Stanley’s ability to keep compliance current amid regulatory change: “Morgan Stanley’s internal policies . . . were updated regularly to reflect regulatory developments and specific risks.”[2]

Broken Process and Insufficient Resources to Manage Compliance

The typical financial services organization does not have adequate processes or resources in place to monitor regulatory change and manage compliance in a dynamic environment. Organizations struggle to be intelligent about regulatory developments and fail to prioritize and revise policies and take actionable steps to be proactive. Instead, most financial services organizations end up firefighting, trying to keep the flames of regulatory change controlled. This handicaps the organization that operates in an environment under siege by an ever-changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, and even enforcement actions involving other financial services organizations can have a significant impact. 

Organizations that GRC 20/20 has interviewed in the context of compliance management reference the following challenges to processes and resources:

  • Insufficient head count and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Frequency of change and number of information sources overwhelms. The frequency of updates from the regulators themselves is challenging, but then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory intelligence.[3] Going through each source to identify what is relevant takes time and effort.
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions need to be taken, or if the task was transferred to someone else. This environment produces a lack of visibility into ongoing compliance — the organization has no idea of who is reviewing what and suffers from an inability to track what actions were taken, let alone which items are “closed.” Compliance documentation is scattered across documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail/system of record. The manual and document-centric approach to regulatory change lacks the defensible audit/accountability trails that regulators require. This leads to issues with regulators and auditors when they find there is no accountability and integrity in compliance records in terms of who reviewed what change and what action was decided upon. The lack of an audit trail is prone to deception; individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks overall information architecture and thus provides no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to manage regulatory change efficiently and effectively, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent and coming from all directions. When information is trapped in scattered documents and emails, the organization is crippled. It lacks a full perspective of regulatory change and business intelligence. The organization is spinning so many compliance plates that it struggles with inefficiency. The organization cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
  • No accountability and structure. Ultimately, this means there is no accountability for regulatory change that is strategically coordinated: the process fails to be agile, effective, and efficient in the use of resources. Accountability is critical in a regulatory change process — organizations need to know who the subject matter experts (SMEs) are, what has changed, who changes are assigned to, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the results of the change analysis.

The bottom line: Processes for managing compliance and regulatory change often constitute a myriad of subject matter experts that monitor regulatory change on an ad-hoc basis and rely on email to communicate compliance tasks to stakeholders. Manual processes and a lack of accountability result in an inability to adequately monitor regulatory changes and predict the readiness of the organization to meet new requirements. Compliance professionals spend significant time and resources researching the mandates they must follow and struggle to keep up with new requirements and identify how changing regulations impact existing policies. A haphazard, siloed, and document-centric approach to managing regulatory change results in missed requirements, wasted time, and accelerated costs. It is time for organizations to step back and implement a structured process and technology for compliance management. 


[1] https://www.justice.gov/criminal-fraud/page/file/937501/download

[2] Source of this statement: http://www.justice.gov/opa/pr/2012/April/12-crm-534.html

[3] Such as legal databases, regulator feeds and news, trade associations, enforcement actions, court rulings, and administrative decisions.

Preparing for Tax Compliance in 2023

The modern organization is a complex array of transactions, processes, and relationships.

This is challenging to manage within a single jurisdiction, but it becomes even more complex, bordering on chaotic, when the organization deals with an interconnected mess of subsidiaries, divisions, relationships, and cross-border transactions.

Even a small organization faces a complex web of transactions that span geographic and jurisdictional boundaries as money is moved, services rendered, and products are produced. Complexity grows as these interconnected transactions and processes nest themselves in intricacy.

In this context, organizations operating . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE IMPERO BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Ensuring Engagement Throughout the Policy Lifecycle

GRC 20/20’s Michael Rasmussen will be speaking on the topic of the blog post below, in an ESG context, on the webinar: Policy & Training Management: A Foundation of a Successful ESG Program

From time to time, people ask why policies matter. The answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended.

Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. 

Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk; every policy is a risk document that aims to control behavior-related risks.

The longer answer is a bit more complicated . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE EKKO/LEARNING ZONE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The What, Why & How of an Ethical Compliance Culture

GRC 20/20’s Michael Rasmussen will be speaking on the topic of the blog post below, in an ESG context, on the webinar: Policy & Training Management: A Foundation of a Successful ESG Program

The scenarios of ethical and compliance exposure across business operations and frontline employees are unlimited. Some involve malicious employees, others could be inadvertent mistakes, while some scenarios involve activity that employees should catch and report. 

The most significant exposures to ethics and compliance issues are not in the bowels of the organization, they are at the front lines. The organization must effectively engage employees and educate them about compliance and policies in the context of their role in the organization. 

Compliance is an (extended enterprise) engagement challenge

The challenge is that organizations need to find a way to get everyone involved and adhering to policies to build integrity across the whole organization and the extended enterprise. 

Compliance communications, attestations, and disclosure matter. However, when you look at the typical organization you would think policies and compliance processes are irrelevant and a nuisance . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE EKKO/LEARNING ZONE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC in a United Kingdom Context

Last week I had an amazing week of GRC interactions (or G[P]RC, with the P being performance) in the Middle East. I was the keynote at the G[P]RC Summit in Riyadh and in Dubai. I am also interacting on a few RFP development projects in the Middle East as well. The Middle East is the fastest growing market for GRC related solutions and services.

However, the busiest market is the United Kingdom and Europe. I am busier with interactions in the United Kingdom and Europe than I am in North America. I could rattle off a dozen RFPs in various stages of engagement right now. London and the broader United Kingdom is my busiest region, followed by the DACH region of Europe. After that it is the Nordics and Benelux regions. The next few months have me on a trip to the United Kingdom, then Australia, followed by two separate trips to Germany in March.

The United Kingdom is my busiest city for engagement in the entire world. I have spent more time in London for GRC than any other city. I am now preparing for my next GRC trip to London for the week of February 12th to 19th.

What brings me to London in February? . . . I am glad you asked . . .

It is a whirlwind of a week of engagements. A few are with solution and service providers, helping them with their solution and go-to-market strategy, but most of my interactions are with organizations looking for solutions and services to address a range of challenges in risk and compliance they are facing.

The heart of the week is co-hosting a RegTech/FinTech Networking Event with ING as well as working with the Institute of Risk Management in London to build out a strategy of engagement in my role as one of their Global Ambassadors of Risk Management.

It will be a great week of interactions which all feed into my research on the GRC market. I describe what I do as an analyst in the context that I am a researcher. I research the challenges organizations face in the context of governance, risk management, and compliance and how organizations solve these challenges through the combination of strategy, process, and technology/services.

The leading topics for my meetings/engagements this week are as follows:

  • Germany’s Corporation Supply Chain Due Diligence Act. Yes, I am in London and one of the hottest topics of conversation is Germany’s law and the related EU Directive. I have several interactions in the United Kingdom right now where this is driving a lot of change to ESG and the intersection of third-party risk management programs.
  • UK SOX. After several years of speculation and discussion, UK SOX is here and a hot topic of engagement. Starting with financial years ending December of this year (2023), organizations in the UK are facing requirements for internal controls over financial reporting and disclosures in line with US Sarbanes-Oxley. So a lot of organizations are now scrambling to address this.
  • Operational Resilience. The UK FCA/BoE/PRA regulation has the entire financial services industry restructuring their operational risk and continuity programs to address these requirements. Last year, March 2022, saw a lot of this come to maturity but organizations are looking for technology and services to make this sustainable. Related to this is addressing the EU DORA (digital operational resilience act) as they intersect for firms operating in Europe.
  • Consumer Duty. This is the trending hot topic in the financial services space in the United Kingdom. Organizations have to set high and clear standards of consumer protection across financial services, and this requires firms to put their customers’ needs first. This is driving a lot of policy and training management and engagement as the foundation and from there a lot of assessment and controls.
  • UK SMCR. The United Kingdom’s Senior Managers/Certification Regime also ties into several discussions. Sometimes intersecting with the same conversations/engagements on resilience and consumer duty. But organizations are looking to make UK SMCR more sustainable as many have approached the first few years of compliance with manual processes they now are finding cumbersome.
  • ESG. This ties into all the above and more. A lot of interactions on how to manage and report on ESG through all of its complexities and niches. Last April, the UK passed two mandatory ESG disclosure laws: The Companies (Strategic Report) (Climate-related Financial Disclosure) Regulations 2022 and The Limited Liability Partnerships (Climate-related Financial Disclosure) Regulations 2022. UK companies that have more than 500 employees have to do ESG reporting.
  • Regulatory Change Management. I have a few interactions with both financial services and life science companies in the United Kingdom to discuss cognitive technologies to keep up with regulatory change management, and with that policies.

Those are the main points of interaction. Tied to some of these are the UK Modern Slavery Act, the UK Bribery Act, and the UK Data Protection Act, as well as EU GDPR.

As you can see it is a fascinating week of engagements across these. The schedule is filling up . . .

Measuring the Cost of Non-Compliance

Integrity is everything to an organization. If I could rebrand the Chief Ethics and Compliance Officer (CECO) I would call it the Chief Integrity Officer, but we already have a CIO in the Chief Information Officer. Ethics and compliance done correctly is the bastion of corporate integrity and corporate ethical culture. That is what compliance and ethics truly is all about.

Too often compliance is not seen in this perspective. Compliance is approached tactically as a series of checkboxes. If we check the boxes, we want our get out of jail free card. It is a tactical approach and not strategic. Alternatively, compliance is done as an afterthought or is seen as the corporate police that is always getting in the way. This leads to greater compliance exposure as compliance and ethics is not seen as a core part of how we do business and the way we do business. Too often it is approached with smoke and mirrors with a focus on the bare minimum to get by or creating an outright fictitious compliance environment.

When it comes to compliance breaches and incidents, too often organizations fail to grasp the full financial impact of non-compliance. In my research and experience, you can break the cost of a compliance incident/breach into the following three areas (with others that I have not measured) . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CLAUSEMATCH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

How Mortgage Lenders Can Leverage Automation to Strengthen Compliance in a Turbulent Economy

In today’s ever-changing economy, mortgage lenders and service providers face a growing number of regulations and risks in compliance. This opens up an opportunity for organizations to rearchitect their compliance processes and leverage automation to remain competitive in this uncertain environment.

Mortgage lenders and service providers, as a segment of the financial services industry, face a lot of change. The mortgage space right now is a tough one and interest rates are only going up. Firms are writing fewer loans, whether it’s a new loan or a refinance. The market is shifting and drying up for the foreseeable future of the next year or two. The industry is changing and reacting to uncertainty in the economy. Mortgage companies’ internal processes and employees are . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ASCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

2022 GRC Research Year in Review

Wow! 2022, what a rollercoaster of a year for GRC – governance, risk management, and compliance. Top discussions this past year have been around ESG, risk agility, resilience, third-party risk in the extended enterprise, compliance and regulatory change, and policy management. We are still feeling the impact of the COVID pandemic combined with geopolitical risk tensions further confounded by economic and global uncertainty.

However, times of uncertainty bring a boom to GRC related solutions and services. GRC 20/20 has never been as busy as at this very moment. While the activity is global, there is a lot of particular GRC market activity coming out of the United Kingdom and Europe right now.

The top GRC 20/20 social media post, by far, this past year was on LinkedIn:

HEAR ME – no organization can address #ESG without good #policymanagement and #policyengagement with training. ESG gets codified in policies from #codeofconduct down into #environmental policies, #socialaccountability policies, and the range of #governance policies. The measure of integrity to ESG comes down to policy engagement and enforcement to employees. 

Follow GRC 20/20 on LinkedIn and Twitter.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2022 organized by topic area.

As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process. Every week GRC 20/20 is answering between 15 and 20 inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions available in the GRC market . . .

Enterprise GRC and the Broad GRC Market

Research Reports
Blogs

Risk & Resiliency Management

Research Reports
Blogs

ESG – Environmental, Social, Governance

Blogs

Corporate Compliance & Ethics Management

Research Reports
Blogs

Third-Party (e.g., Vendor/Supplier) GRC Management

Research Reports
Blogs

Policy Management

Research Reports
Blogs

IT GRC Management

Research Reports

Environmental, Health & Safety (EHS)

Blogs

Internal & Automated Control Management

Blogs

Legal GRC Management

Blogs

Where Policy Management Fails

After exploring Where Third-Party Risk Management Fails and Where Risk Management Fails, I now turn my attention to my biggest soapbox, Where Policy Management Fails . . .

First it is essential to understand that policies are critically important to governance, risk management, and compliance. Through policies organizations can have reliable processes, transactions, and behavior so they can reliably achieve objectives [governance]. Policies are risk documents; the very fact that there is a policy means there is uncertainty/risk that needs to be governed and controlled [risk management]. Through policies, and their adherence, the organization maintains integrity to its values, ethics, conduct, ESG commitments, regulatory commitments, and contractual commitments [compliance].

HOWEVER, policies also set a legal duty of care and liability on the organization. A policy that is not followed can be used against the organization in a civil, criminal, and/or regulatory matter. What is shocking is how badly policies are managed in the organization given their critical nature to enable the organization to reliably achieve objectives, address uncertainty, and act with integrity. 

I teach Policy Management by Design workshops around the world and have a variety of research papers on policy management. I have also partnered with OCEG in developing PolicyManagementPro.com and the Certified Policy Management Professional certification. Here is where I see policy management fails in many organizations . . .

  • Not knowing what policies the organization has. Policies often are scattered across departments and many organizations do not even know what policies are out there. I was keynoting at a conference and asked a few hundred people in the room who had a master list of all their official policies; only two people raised their hands.
  • Policies scattered on different portals. Too often the organization does not have a singular portal for policies. One insurance company came to me moving into pandemic lockdowns in March of 2020 in a panic as they discovered they had 27 different policy portals from policy file shares to SharePoint sites, to commercial software. It was a maze of confusion and there was no singular point for employees to access policies.
  • Different writing styles and processes. Organizations often do not have a consistent template and writing style for policies, nor a standard process to write and approve policies. Basically, they do not have a Policy on Writing Policies (also called a Metapolicy) nor a style guide on how to write policies in consistent grammar, use of active voice, punctuation, formatting, and how to approach gender neutral language.
  • No standard template for a policy. Yes, I brought this out in the previous point, but it deserves to be mentioned again. Anyone should be able to recognize a policy by the template/formatting of the document (digitally or in print). It should be easily recognizable as an official policy.
  • Not addressing rogue policies. This is a HUGE issue. Too often managers across the organization are opening word processors and writing documents and calling them policies. They communicate this to employees, customers, and partners. Policies, as stated, establish a legal duty of care. If a manager is writing a document and calling it a policy, it exposes the organization to legal liability if it is not followed. 
  • Out of date policies. Organizations struggle with the number of policies that exist indefinitely and are not updated, lack an owner, and are no longer needed . . . or desperately need revision. 
  • Not keeping up with legal, regulatory, and business change. There is a variety of legal, regulatory, risk, and even business change that impacts policies. One bank had a policy that was being revised because of a regulatory change that went through 75 reviewers in a linear fashion of document check in and check out and took six months to get updated. In an industry where there are 257 regulatory change events every day this certainly is not agile and is behind the game. Another organization, this one in healthcare, discovered they had 21,000 policy and procedure documents because of all the consolidation and acquisition of hospitals over a few decades.
  • Not keeping up with employee change. Employees come into the organization, they change roles and departments, they leave the organization. Organizations need to ensure that employees are aware of the policies that apply to their role as they move to different functions and roles, particularly high-risk areas. 
  • Lack of audit trail and system of record. This is another HUGE issue. The legal and regulatory environment demands that the organization have a clear defensible history of what policies were communicated to employees, whether they understood them, whether they were trained, and how they were reminded. Look at the latest U.S. Department of Justice Evaluation of Compliance Programs where it focuses on the audit trail and system of record of the policy portal and employee interactions. Having a defensible audit trail on policies and awareness gets the organization out of hot water, ask Morgan Stanley.
  • Outdated policy portals and training. Every month I am getting inquiries from organizations looking for that next generation policy portal that brings together policies and training into one portal. Think about it, employees go out to Facebook and can watch a YouTube video in Facebook. They do not have to click on a link and go out to YouTube and come back to Facebook to comment on it. The same thing NEEDS to happen with the policy portal that brings policies and training on policies into one portal. Millennials and Gen Z expect this. And, mobile access to policies and training is also critical.

As you can see, this is a soapbox of mine. I am passionate about policies and policy management. They are critical to the organization. Without policies, and policies that are adhered to and enforced, the organization’s behavior is like leaves blowing in the wind. Can you imagine an organization with no policies? What a mess of transactions and behavior. I am literally scratching the surface on all the areas of where policy management fails today. 

Organizations need to address the back-office of policy management, and the front-office of policy engagement . . .

  • Back-office policy management. This is the enterprise-wide consistent process to write, approve, monitor, enforce, manage, maintain, and audit policies in the organization. The key here is collaborative authoring and cooperation across departments supported by strong technology in this space to ensure nothing slips through the cracks and that every policy adheres to the Policy on Writing Policies.
  • Front-office policy engagement. This is the portal, training, awareness, and engagement to employees (and third parties) on policies. There should be a singular portal for all the official policies of the organization. Employees should have regular reminders and be properly aware of and trained on policies that impact their role/function in the organization.

There are a variety of solutions for policy management in the market. Some focus on certain departments (e.g., EH&S, information security, privacy, HR), others focus on specific industries (e.g., healthcare, banking), and others are broad. Some solutions focus on back-office policy management, others excel in front-office policy engagement. Few do both well. 

Ask GRC 20/20 about our market research and coverage of policy management best practices and the range of solutions in the market, what differentiates them, and which fit your particular need . . .

Also, register for one of these upcoming webinars on Effective Policy Management . . .