Where Policy Management Fails

After exploring Where Third-Party Risk Management Fails and Where Risk Management Fails, I now turn my attention to my biggest soapbox, Where Policy Management Fails . . .

First, it is essential to understand that policies are critically important to governance, risk management, and compliance. Through policies, organizations can have reliable processes, transactions, and behavior so they can reliably achieve objectives [governance]. Policies are risk documents: the very fact that there is a policy means there is uncertainty/risk that needs to be governed and controlled [risk management]. Through policies, and adherence to them, the organization maintains integrity to its values, ethics, conduct, ESG commitments, regulatory commitments, and contractual commitments [compliance].

HOWEVER, policies also set a legal duty of care and liability on the organization. A policy that is not followed can be used against the organization in a civil, criminal, and/or regulatory matter. What is shocking is how badly policies are managed in organizations, given how critical they are to enabling the organization to reliably achieve objectives, address uncertainty, and act with integrity.

I teach Policy Management by Design workshops around the world and have a variety of research papers on policy management. I have also partnered with OCEG in developing PolicyManagementPro.com and the Certified Policy Management Professional certification. Here is where I see policy management fails in many organizations . . .

  • Not knowing what policies the organization has. Policies are often scattered across departments, and many organizations do not even know what policies are out there. I was keynoting at a conference and asked the few hundred people in the room who had a master list of all their official policies; only two people raised their hands.
  • Policies scattered on different portals. Too often the organization does not have a single portal for policies. One insurance company came to me in a panic as it moved into pandemic lockdowns in March of 2020, having discovered it had 27 different policy portals, from file shares to SharePoint sites to commercial software. It was a maze of confusion, and there was no single point for employees to access policies.
  • Different writing styles and processes. Organizations often do not have a consistent template and writing style for policies, nor a standard process to write and approve policies. Basically, they do not have a Policy on Writing Policies (also called a Metapolicy), nor a style guide on how to write policies with consistent grammar, use of active voice, punctuation, formatting, and an agreed approach to gender-neutral language.
  • No standard template for a policy. Yes, I brought this out in the previous point, but it deserves to be mentioned again. Anyone should be able to recognize a policy by the template/formatting of the document (digitally or in print). It should be easily recognizable as an official policy.
  • Not addressing rogue policies. This is a HUGE issue. Too often managers across the organization are opening word processors and writing documents and calling them policies. They communicate this to employees, customers, and partners. Policies, as stated, establish a legal duty of care. If a manager is writing a document and calling it a policy, it exposes the organization to legal liability if it is not followed. 
  • Out of date policies. Organizations struggle with the number of policies that exist indefinitely and are not updated, lack an owner, and are no longer needed . . . or desperately need revision. 
  • Not keeping up with legal, regulatory, and business change. There is a variety of legal, regulatory, risk, and even business change that impacts policies. One bank had a policy that was being revised because of a regulatory change; it went through 75 reviewers in a linear fashion of document check-in and check-out and took six months to get updated. In an industry where there are 257 regulatory change events every day, this certainly is not agile and leaves the organization behind the game. Another organization, this one in healthcare, discovered it had 21,000 policy and procedure documents because of all the consolidation and acquisition of hospitals over a few decades.
  • Not keeping up with employee change. Employees come into the organization, they change roles and departments, they leave the organization. Organizations need to ensure that employees are aware of the policies that apply to their role as they move to different functions and roles, particularly high-risk areas. 
  • Lack of audit trail and system of record. This is another HUGE issue. The legal and regulatory environment demands that the organization have a clear, defensible history of which policies were communicated to employees, whether they understood them, whether they were trained, and how they were reminded. Look at the latest U.S. Department of Justice Evaluation of Corporate Compliance Programs, which focuses on the audit trail and system of record of the policy portal and employee interactions. Having a defensible audit trail on policies and awareness gets the organization out of hot water; ask Morgan Stanley.
  • Outdated policy portals and training. Every month I get inquiries from organizations looking for that next-generation policy portal that brings policies and training together into one portal. Think about it: employees go to Facebook and can watch a YouTube video inside Facebook. They do not have to click on a link, go out to YouTube, and come back to Facebook to comment on it. The same thing NEEDS to happen with the policy portal, bringing policies and training on policies into one portal. Millennials and Gen Z expect this. And mobile access to policies and training is also critical.

As you can see, this is a soapbox of mine. I am passionate about policies and policy management. They are critical to the organization. Without policies, and policies that are adhered to and enforced, the organization’s behavior is like leaves blowing in the wind. Can you imagine an organization with no policies? What a mess of transactions and behavior. I am literally scratching the surface on all the areas of where policy management fails today. 

Organizations need to address the back-office of policy management, and the front-office of policy engagement . . .

  • Back-office policy management. This is the enterprise-wide, consistent process to write, approve, monitor, enforce, manage, maintain, and audit policies in the organization. The key here is collaborative authoring and cooperation across departments, supported by strong technology in this space, to ensure nothing slips through the cracks and everything adheres to the Policy on Writing Policies.
  • Front-office policy engagement. This is the portal, training, awareness, and engagement of employees (and third parties) on policies. There should be a single portal for all the official policies of the organization. Employees should receive regular reminders and be properly aware of and trained on the policies that impact their role/function in the organization.

There are a variety of solutions for policy management in the market. Some focus on certain departments (e.g., EH&S, information security, privacy, HR), others focus on specific industries (e.g., healthcare, banking), and others are broad. Some solutions focus on back-office policy management, others excel in front-office policy engagement. Few do both well. 

Ask GRC 20/20 about our market research and coverage of policy management best practices, the range of solutions in the market, what differentiates them, and which fits your particular need . . .

Also, register for one of these upcoming webinars on Effective Policy Management . . .

State of GRC: A Future of Agility, Resiliency & Integrity

Below is an abstract and the video of my keynote from the Konnect 2022 conference. My next keynote will be at #RISK in London on November 16th and 17th, where I will also be the chair/host of the conference and will be doing a special executive breakout session on ESG. The keynote video details the challenges organizations face in GRC and risk management in the current context, the era of ESG. If you watch to the end, you will find that the numerous questions from the audience (about 500 people attended) were all on ESG.

BTW – the graphic above on this post is actually a drawing that was done by an artist of my keynote as I was delivering it. The actual artwork was huge, 4 feet x 6 feet. I love how the artist captured my thoughts from the keynote . . .

I hope you enjoy this video as much as I enjoyed delivering it to such an engaging group of attendees at Konnect 2022.

Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility. Too often GRC management is seen as a compliance exercise instead of something truly integrated with the organization’s strategy, decision-making, and objectives. However, business operates in a chaotic world, and risk has an exponential effect on the organization. Even a small event can cascade, develop, and influence what ends up being a significant issue. Risk management inevitably fails, providing case studies for future generations on how poor risk and resiliency management leads to the demise of organizations – even those with strong brands.
 
To be agile and maintain integrity in an environment of interconnected objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resiliency — particularly in the era of ESG. Organizations need to have risk under one roof to see the intricate relationships and impacts of objectives, risks, processes, and controls with complete 360° situational awareness, intelligence, and holistic visibility.

Dissociated siloed approaches to risk and resilience management that do not span processes and systems can leave the organization with fragments of truth that fail to illustrate the big picture across the enterprise or the impact on strategy and objectives.

https://vimeo.com/762857499/d345c99add

Where Risk Management Strategy & Technology Fail . . .

Last week we explored where third-party risk management strategy and technology fail, this week we turn our attention to where enterprise/operational/integrated risk management strategies and technologies fail. Yes, that world of ERM, ORM, IRM which is fraught with misconceptions, complexities, and too often solutions that create blind spots on risk. 

The modern business environment demands that organizations be not only resilient but also agile. Resilience is the capacity to recover from a risk event. Agility is the capability to see what is coming at the organization, what is developing on the horizon, and what scenarios could play out for the organization. This allows the organization to use risk as a tool, not only to avoid hazard and harm but to leverage risk for greater gain to the organization.

The issue is that too many organizations have immature ERM/ORM/IRM functions. The failures in risk management strategy, process, and particularly technology are often:

  • Performance and objectives. I see too many risk management solutions that seem to identify, manage, and monitor risk in a vacuum that has no business context. We do not just wake up in the morning and state, “I feel like doing a risk assessment.” Risk is always set in a business context. That context starts with the performance and objectives of the organization. What is the organization trying to achieve? These can be entity-level, division, department, process, or even asset-level objectives. ISO 31000 defines risk as the effect of uncertainty on objectives. Risk is managed in the context of measuring the uncertainty in achieving objectives.
  • Silos of risk management. Too often organizations think they are approaching an enterprise view of risk when they are really trapped in a silo. Good risk management requires the ability to see the complex relationships between risks and, in that context, the complex effects of risk on objectives. What started off as a health and safety risk then impacted objectives, the culture of the organization, performance, continuity, security, privacy, conduct risk, bribery and corruption risk, modern slavery risk, and more . . . that was COVID-19. It is an integrated risk environment, and it requires a full-spectrum understanding of the risks and objectives of the organization.
  • Quantification. In order for the business to understand risk, it is necessary that it be quantified. What is the business impact? Organizations need to mature their approach to risk management by providing more advanced risk quantification capabilities. Too often I see quantification done as guesswork, with ranges that lack any statistical modeling.
  • Heatmaps. I am not a big fan of heatmaps. I think they are overused and misleading. Too often this is the primary view into risk, and it fails the organization. If you have a lot of risks trending in the upper right, that is too often fiction: the organization is most often not seeing a regular cadence of major loss events. The most significant risks, according to history, are high-impact, low-likelihood events; those destroy companies, but they are often coded yellow and not red. And a risk in the lower right might not be telling you the whole picture; that risk in the green area might be over-controlled. Heatmaps provide a view into risk, but they should not be the sole view depended on. I would rather do without them.
  • Stuck in the left brain. The world of risk management is navigating chaos. There is so much changing, and risks cascade like dominoes and impact performance and objectives in unforeseen ways. What is often a little thing cascades into a huge risk event, like chaos theory and the butterfly effect. Good risk management requires that we use the right brain in addition to the left brain. The left brain is the logical and structured thinking on risk; that is where we have risk models. But models are imperfect and never accurately represent the real world. Today’s organization needs good right-brain thinking on risk, the outside-the-box thinking that can look at risk from different perspectives and see things that our models are not telling us. I am a fan of visual risk analysis techniques like bow-tie risk assessments. These are great to use in risk facilitation workshops.
  • Lack of risk normalization and aggregation. Enterprise risk management is complex. One department’s high risk might be another department’s medium risk when quantified. I have seen too many failures where there is no, or broken, risk normalization and aggregation as risk rolls up in the enterprise. Projects and departments need a legitimate measurement of high, medium, low risks (of course quantified and not just qualitative) but as this gets compiled into an enterprise view of risk there must be risk normalization and aggregation.
  • Risk ownership and accountability. Back-office functions of risk management do not own the risk of the organization. Executives down into operational management own risk. Risk processes and technology fail when they do not engage the real risk owners and help them monitor the risk they own and do not provide structured processes for risk accountability.

I could go on about the need for good scenario analysis and the integration of resilience and continuity into risk management. The key takeaway is that organizations need to manage risk in the context of the business, its performance, and its objectives. They need to do this in a way that sees the complexities and interrelationships of risks, and thus need to engage both the left and right brains to manage risk logically as well as creatively. Risk needs to be quantified and understood in a business context that empowers the first-line functions that are the real risk owners with structured accountability for risk.

The issue is that there are many risk solutions on the market, but not many really deliver on these points I have brought out to equip, enable, and deliver value to a true GRC, ERM, ORM, or IRM program. Ask GRC 20/20 about our market research and coverage of risk solutions in the market and what differentiates them and fits particular needs . . . 

Strengthen Your Cybersecurity Management Policy With the Human Firewall

The need for cybersecurity is growing with the dynamic, distributed, disrupted, and particularly digital nature of business. Digital transformation is making cybersecurity even more critical to protect the organization, maintain resilience, and compete in today’s chaotic and digital business environment. The threats to business come from all angles and include the malicious, but also the ignorant and inadvertent.  

The challenge of protecting the organization and its cyber assets and processes is even greater when one considers the extended enterprise of third-party relationships that are critical to the cyber and digital operations of the business: vendors, outsourcers, service providers, consultants, contractors, and more.

We all know that firewalls are critical to cybersecurity. The network firewall has been the bastion of corporate protection from the deviant and malicious for forty years. Then there are application firewalls and personal firewalls. Firewalls are critical to the organization to protect it from hackers, viruses, and worms (oh my!). But what is often overlooked is the most critical firewall in the organization: The human firewall . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ONETRUST BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

ESG and the Geopolitical Complexities of Supplier Risk

How do you define the modern organization? 

There is no binary boundary to the organization anymore, no more black and white. It is impossible to clearly state that this is where the organization ends. The organization is NO LONGER defined by brick-and-mortar walls and traditional employees. There are shades of grey as the modern organization is the extended enterprise that involves layers of complex nested-supplier and subcontracting relationships. 

The distributed nature of business across extended third-party and nth-party relationships is the new reality. Managing risk in this paradigm is challenging. However, the new complexities of ESG risks and the volatile world of geopolitical risks create a compounding, exponential risk exposure that many organizations are not prepared for.

For organizations of all sizes and industries, this poses a huge challenge but also a huge opportunity.

  1. Organizations that fail to manage the . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ETHIXBASE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Where Third-Party Risk Strategy & Technology Fail . . .

The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is the Extended Enterprise of third-party and nth-party relationships. The suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, partners, and more . . . they are part of your organization. There is no black-and-white border to the organization; it is shades of grey.

Third-party risk management strategy, processes, and particularly technology (including intelligence/content solutions) are a major part of my overall GRC market research. I have advised organizations around the world on RFPs, directed them to solutions and services to consider, and teach my Third-Party GRC/Risk Management workshops around the world (I just taught one in London last week with over 40 attendees). I have seen successes; unfortunately, I have also seen a lot of failures, and I am often engaged to come in and tell organizations where they went wrong and what they should consider, particularly with third-party risk technology.

Here are the top things I see in my research where organizations fail in third-party risk management . . . 

  • No concept of third-party governance. Personally, I prefer the term third-party GRC over third-party risk management. Risk does not happen in a vacuum. Risk management, and in this context third-party risk assessment, requires context. Every relationship is established for a purpose: what are the objectives of the relationship and its components? According to ISO 31000, “risk is the effect of uncertainty on objectives.” Too often organizations fail to manage risk in the context of the delivery, performance, objectives, and value of each third-party relationship. Too often the technology being adopted in this space completely lacks an understanding of third-party governance of objectives and performance. I am speaking on this in the upcoming webinar: Transform Your Third Party GRC Strategy to Focus on Agility, Resilience, & Integrity.
  • Third-party risk or Extended Enterprise? I personally do not like the term third-party; the reality is that the modern organization is the extended enterprise. The term third-party builds a stigma of something being a commodity, expendable, and changing. The strongest third-party risk (GRC) management programs are focused on the extended enterprise and treat their third parties as critical players and partners to their strategy, operations, and processes.
  • ESG. ESG is going to rock your third-party risk world. You need to be leveraging technology that fully integrates complete situational awareness of ESG – environmental, social, governance – across your extended enterprise. Too often organizations fail to see the scope of ESG and the scope of its impact on third-party relationships. The tsunami of ESG regulations impacting supply-chain and third-party relationships is building, and it is monstrous. I am speaking on this in the upcoming webinar: ESG Teeth & Supplier Risk: Analyst Advice for Mid-Sized Companies.
  • Silos of third-party risk oversight. Organizations fail because they too often lack a full view of third-party risk. IT security is doing its thing for vendor risk. Procurement is doing something else. Continuity/resiliency has their program involving third parties. Compliance and ethics are going down a different road as well. So is ESG now. And more. Organizations fail to see the aggregate and complete risk exposure across all these silos in a relationship. Just looking at one aspect of risk does not give you a full picture of risk and may give you a false or misleading picture of risk.
  • Not managing the details of a relationship. Too often technology in this space is built to manage risk at the relationship level and not at the level of the components of a relationship. I sat on the social accountability advisory board for a major Fortune company for their supply chain code of conduct. They have 5,000 suppliers with 50,000 facilities across those suppliers. One supplier might have one facility; another might have 20 facilities. This organization manages social accountability risk (e.g., child labor, forced labor, working hours, health and safety) at the facility level and not just the supplier relationship level. A North American bank that came to my workshop has 4 data centers they outsource to one outsourcer. They measure risk, and different risks, at each data center, not just at the relationship level. A global bank in Europe told me they need to manage risk down to the service-level agreement (SLA) or specific contract. One relationship might have a hundred contracts or SLAs. They were frustrated because the platform they chose only manages relationships and not the components.
  • Lack of a good source of third-party risk intelligence/content. Organizations fail here because this is not just a technology and process problem. Managing third-party risk, and particularly ESG risk, requires a full spectrum of third-party risk content/intelligence across sanctions, politically exposed persons, financial/viability ratings, security ratings and scorecards, ESG ratings, negative news/adverse media, geopolitical risks, reputation and brand lists, and more. Organizations need technology platforms that integrate with the new generation of third-party content/intelligence providers to provide 360° contextual awareness of what is happening.
  • Resiliency is not understood. There is so much focus on operational resilience today, but you cannot be a resilient organization without looking at the extended enterprise of third-party relationships. Third parties are critical to the organization’s services and operations. And this is much more than digital resilience and security; it requires looking at the full spectrum of third-party risks across the organization’s relationships, particularly in a geopolitical risk context.
  • Thinking third-party risk assessments are going away. Those using broader third-party risk intelligence/content too often buy into the fiction that they do not need assessment questionnaires. Those are still needed and will NOT go away. At a basic level, third-party assessment questionnaires are a CYA (cover your behind) legal and compliance exercise that is necessary. At a more mature level, they ensure a common understanding of risk management and shared values/ESG.
  • Offboarding is missing. Many companies have processes and technology in place to do due diligence during onboarding. When it comes to ongoing monitoring, there are often structured processes in place. However, most organizations fail to have defined processes, with structured workflow and tasks, to off-board (say goodbye to) a third party.
  • No process to exercise right-to-audit clauses. I am frustrated by the number of programs I see that have no methodology and structure for how and when they exercise right-to-audit clauses and conduct inspections. Too often technology in this space does not help, as it does not manage these interactions. The best practice I have seen is at a large global food retailer with thousands of relationships and tens of thousands of facilities within those relationships. They score every facility at a red (high), yellow (medium), or green (low) level for risk, and that score drives audits/inspections. Red-level facilities must have an onsite inspection every year, yellow-risk facilities every two years, and green-risk facilities are randomly sampled for onsite inspections/audits.
  • Selecting the wrong vendor. This happens time and time again. Two years back I was working on one RFP. The global organization had deep and complex requirements. They had a few vendors in play in silos of third-party risk oversight, and one they particularly liked. They selected that one, even though I told them not to because it would not meet their complex needs. They went down that road and later came back to me stating they wish they had listened. They must now dumb down their third-party risk program (particularly down to the relationship level and not the component/SLA/contract level) or go back to RFP. You need to make sure you select the vendor that delivers on the vision for what you are trying to achieve.
  • Documents, spreadsheets, and emails. Then there are the programs, or fragments of programs, that think they can manage third-party risk with documents, spreadsheets, and emails. These manual processes have huge issues in cost as well as defensibility. Documents, spreadsheets, and emails do not provide a robust and defensible audit trail and system of record; the organization has no record of what fiction may have been created in these electronic paper trails to cover something up. Regulators and law enforcement are wising up to this. Further, I have seen programs that state 80% of their staff time is spent chasing and managing hundreds to thousands of documents, spreadsheets, and emails, and only 20% of staff time (or less) is spent productively managing and improving third-party risk management in relationships. Some organizations I have talked to went from 20 hours to onboard a third party on average down to 3 hours by replacing manual processes. Ongoing annual risk assessments went from 10 hours down to 1½ hours per third party because of automation.

As you can see, there are a lot of pitfalls in not properly addressing third-party risk management strategy, process, and technology. These programs are essential and need to be designed with care, using the right technology and content to deliver value.

Third-party risk management also varies by industry in its focus. There have been quite a few RFPs over the past few years in life sciences/pharmaceuticals. They all have very similar requirements, but they are also very different from financial services and other industries. To see the scope and complexity of third-party risk, here are the common elements of a third-party risk management program in the life sciences industries:

  • Animal Welfare
  • Anti-Bribery and Corruption
  • Compliance in Suppliers
    • Promotional Practices
    • Bioethics
  • Environmental
  • ESG
  • Global Security/Physical Security
  • Health & Safety
  • Information Security
  • Information Systems Quality
  • Intellectual Property Risks
  • Geo-Political Risk
  • Privacy
  • Performance, Contractual, SLAs
  • Product Quality and Safety 
    • Clinical Trials 
    • Human Biological Sample Management
    • Pharmacovigilance
  • Resiliency & Business Continuity 
    • Concentration Risk of Suppliers
    • Material Risk of Suppliers 
  • Sanctions
  • Social Accountability
    • Child Labor
    • Forced/Prison Labor
    • Inclusivity/Diversity
  • Strategic Sourcing
  • 4th/Nth Party Risk Across All These Domains

That is just one industry example . . . then there is healthcare, banking, insurance, retail, hospitality, oil/gas, and more examples. 

Next week we will look at where risk management strategies and technologies fail . . . stay tuned. 

Measuring Value: Making GRC Processes Efficient, Effective, and Agile

Have you ever heard of the Winchester Mystery House in San Jose, California? It’s a sprawling mansion that was built in the 1800s at a cost of $5.5 million (calculate inflation, and that is one very expensive house today). It was built by 147 builders over 38 years with no blueprint, no design, and no architect. As you might imagine, it’s a confusing maze of construction.

The story of this house reminds me of GRC and GRC processes in many organizations, perhaps yours. The components of GRC – governance, risk management, and compliance – are in every organization. My position is that while every organization does GRC, their approaches and results vary. It may be an ad hoc, fly-by-the-seat-of-our-pants approach. But GRC done right delivers the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].

The Winchester Mystery House analogy is how GRC looks in many organizations. You may have shadow GRC processes that spring up all over the organization in the bowels of operations that lack . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RESOLVER BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Practically Understanding and Delivering ESG in Today’s Organization

ESG – Environmental, Social, and Governance – has been creating a barrage of pressure on organizations across industries and around the world in recent years. Corporate investors are making capital investment decisions in companies based on ESG commitments, metrics, and ratings. Legislatures and regulators around the world are ensuring that regulations focus on the breadth of ESG as well as on specific aspects of ESG (e.g., modern slavery, carbon emissions). Employees are making decisions on who they work for based on shared values and not just benefits. Customers are engaging with and buying products and services that share their values. ESG is getting attention from the top of the organization, the board and the executives, down into the depths of the organization.

What is ESG and Why is it Important?

That is a good question. ESG varies in breadth and depth of scope by industry, company size, and even geography and regulatory frameworks. It also varies by individual departments that focus on aspects of ESG but not the breadth of ESG. Too often, ESG can be like the parable of the blind men and the elephant where one feels the side and thinks it is a wall, another feels the trunk and thinks it is a tree, and another the tail and thinks it is a rope.

In understanding the important scope of ESG, consider . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE KANINI BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Rasmussen’s Strategic Pillars of GRC: Agility, Resiliency, Integrity

The physicist Fritjof Capra stated:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

Capra was making the point that ecosystems are complex, interdependent, and require a holistic, contextual awareness of the intricacy of their interconnectedness as an integrated whole rather than a dissociated collection of systems and parts. Change in one area has cascading effects on other areas and, in all likelihood, the entire ecosystem. A small event can develop into what ends up being a significant issue. This understanding can be applied to your GRC strategy roadmap as well.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as for management professionals throughout all levels of the business.

The interconnectedness of objectives, risks, resiliency, and integrity requires 360° contextual awareness of . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RESOLVER BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC Done Right Starts With the Business: Objectives, Performance, Processes

Too often GRC – governance, risk management, compliance – is approached backwards. Using the acronym, one would think it is CRG, or even Cr (lower case intentional). Too many organizations start with compliance, and even risk management is done in a compliance context, and governance, performance, and objectives are not even in view.

The official definition of GRC, found in the GRC Capability Model, is that GRC “Is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” (www.OCEG.org) It starts with governance and setting objectives (entity, division, department, process, project, and asset objectives). From governance flows the context to begin and do risk management (remember, ISO 31000 defines risk as the effect of uncertainty on objectives). Compliance is the follow-through to ensure we stay within ethical, regulatory, ESG, and even risk boundaries (compliance verifies that the controls we put in place to mitigate risk are operational and effective).

I am on a three-week GRC tour of Europe right now, and there are a lot of interesting RFPs over here. More often in Europe you see requirements for a focus on business and business process, and even for business process modeling (BPM) capabilities within GRC. Europe, in general but not always, sees GRC as more integrated into the business, the way it should be. Too often GRC, particularly in North America, is a compliance band-aid and not a truly integrated way of managing the business.

GRC should be about performance. In fact, at OCEG, we defined GRC in this context. GRC delivers what is called Principled Performance. GRC, through strategy, process, information, and technology, should deliver better-performing organizations that do so in an ethical way aligned with the organization’s values.

One of my favorite interactions on risk management in my career was with Brad Jewett when he was the ERM Director at Microsoft. He had this whole approach he called ‘The Rhythm of Risk.’ It was specifically about managing risk in the context of Microsoft’s objectives, business, and processes. It was business focused GRC aimed at Principled Performance.

To deliver on this requires full awareness and integration of GRC into the business and its management. The most critical thing is to be able to manage your business in a GRC context. This requires that our approach to GRC allow for deep modeling, definition, and monitoring of business objectives and business processes, so that risk and compliance are managed in the context of performance, objectives, and processes. That is how GRC is done.

When approaching GRC (or ERM, ORM, IRM), which of the following do you really want:

  1. Do you want a solution that manages your business; and in that context manages risk, compliance, and controls?
  2. Or do you want a solution that manages compliance, and perhaps risk, but is disconnected from the business and is an afterthought, a band-aid?

In my market research and coverage of solutions in the market, there are over 100 solutions that can address the second option, but very few that can actually deliver on the first. Organizations need business management platforms that have GRC capabilities built and baked in.

We are in the era of GRC 5.0 – Cognitive GRC, and all the elements of GRC 4.0 – Agile GRC are still wrapped up in and part of GRC 5.0. I am often asked what is next: what is GRC 6.0? Getting out my analyst crystal ball, it is GRC 6.0 – Business Integrated GRC, where GRC is an integrated part of a business management platform. The idea of a siloed GRC platform goes away; GRC is managed as an integrated platform of the business, its objectives, its performance, and then risk, compliance, control, and assurance in that context. It will take a few years for us to transition to GRC 6.0, perhaps as much as five, but it is on the horizon.

There will still always be a place for best-of-breed GRC solutions focused on specific risks, compliance, and content. What I am saying is that the broad enterprise/integrated GRC platform (or ERM, ORM, IRM) will be delivered as part of a business management platform.

Do you have questions on GRC Solutions available in the breadth of the market and which few deliver on the vision of Business Integrated GRC? Ask GRC 20/20, in our coverage of the market as an analyst firm, what solutions are available and what differentiates them for your specific needs: