Category: Blogs

Mature risk and resilience management is a seamless part of risk governance and operations. It requires a top-down view of risk and resilience, led by the executives and the board, where risk and resilience management are part of the fabric of business operations and processes – not an unattached layer of oversight. It also means bottom-up participation, where business functions identify and monitor risk and resilience that expose the organization. GRC 20/20 has developed the Risk and Resiliency Management Maturity Model to articulate maturity in the risk and resilience management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

1: Ad Hoc 

Organizations at the Ad Hoc stage of maturity have reactive approaches to risk and resilience management at the department level. Businesses at this stage do not understand risk and exposure; few if any resources are allocated to risk and resilience. The organization addresses risk and resilience in a reactive mode — doing assessments when forced to. There is no ownership or monitoring of risk and resilience, and certainly no integration of risk and resilience information and processes in context of objectives, strategy, performance, and business change. 

2: Fragmented

The Fragmented stage sees departments with some focus on risk management and business continuity within respective areas, but they are disconnected and not working together. Information and processes are highly redundant and lack integration. With siloed approaches to risk management and resilience (e.g., business continuity, disaster recovery), the organization is still very document centric. Processes are manual and they lack standardization, making it hard to measure effectiveness.

3: Defined

The Defined stage suggests that the organization has some areas of risk and resilience that are managed well at a department level, but it lacks integration to address risk and resilience across departments. Organizations in the Defined stage will have defined processes for risk and resilience in some departments or business functions, but there is no consistency. Risk and resilience processes have the beginning of an integrated information architecture supported by technology and ongoing reporting. Accountability and oversight for certain domains such as business continuity, disaster recovery, and/or enterprise and operational risk management are beginning to emerge. 

4: Integrated

In the Integrated stage, the organization has a cross department strategy for managing risk and resilience across departments and functions. Risk and resilience are aligned across several departments to provide consistent strategy, frameworks, and processes supported by a common risk and resilience information and technology architecture. The organization addresses risk and resilience through shared processes and information that achieve greater efficiency and effectiveness. However, not all processes and information are completely integrated, and risk and resilience if focused on avoiding issues and not on agility.

5: Agile

At the Agile Maturity stage, the organization has completely moved to an integrated approach to risk and resilience management across the business that includes an understanding of risk and compliance in context of performance and objectives. Consistent core risk and resilience processes span the entire organization and its geographies. The organization benefits from consistent, relevant, and harmonized processes for risk and resilience management with minimal overhead. 

Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. Good risk and resilience management is going to clearly understand the objectives of the organization, its performance goals, and strategy, and continuously monitor the environment for 360° situational awareness to be agile. To see both opportunities as well as threats so the organization can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organization and its objectives.

But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be agile and resilient. Risk and resilience management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organization so it can seize on opportunity as well as avoid exposures and threats. 

The Agile Maturity is where most organizations will find the greatest balance in collaborative risk and resilience management and oversight. It allows for some department/business function autonomy where needed, but focuses on a common governance model and architecture that the various groups in risk and resilience governance participate in. The Agile stage increases the ability to connect, understand, analyze, and monitor risk relationship and underlying patterns of impact on performance, objectives, and strategy – as it allows different business functions to be focused on their areas while reporting into a common risk and resilience governance framework and architecture. Different functions participate in risk and resilience management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration.

Firewalls protect us. In buildings, it is a wall intended to shield and confine a fire to an area to protect the rest of the building. In a vehicle, it is a metal shield protecting passengers from heat and potential fire in the engine. In network security, it is the logical ingress and egress points securing a network.

Within organizations, there is another firewall that is the most essential, but the most overlooked. That is the ‘Human Firewall.’ I have been an analyst for twenty-two years. Back twenty years ago I remember PentaSafe, later purchased by NetIQ, marketing and using the term Human Firewall to promote policy management in an IT security context. We need to bring the concept of the Human Firewall back and broaden it out too much more than IT security.

The weakest area of any governance, risk management, and compliance (GRC) strategy is humans. Humans make mistakes, they do dumb things, they can be negligent, and they can also be malicious. In the technical world we can lock things down and the world operates in binary. In the world of human interaction it is not binary but shades of grey. Nurturing corporate culture and behavior is absolutely critical. The Human Firewall is the greatest protection of the organization. At the end of the day, people make decisions, initiate transactions, and they have access to data and processes.

A decade ago, I was involved with The Institute of Risk Management in London in developing Risk Culture: Resources for Practitioners. In this guidance, there is the A-B-C model. The ‘A’ttitudes of individuals shapes the ‘B’ehavior of these individual and the organization overall which in turn forms the ‘C’ulture of the organization. And that culture, in turn, has a symbiotic effect further influencing attitudes and behavior. Culture is one of the organization’s greatest assets. It can spiral out of control and become corrupt quickly but can take years, or even decades, to nurture and build in the right direction. The ‘Human Firewall’ is the greatest bastion/guardian of the integrity of the organization and its culture. In today’s focus of ESG – environmental, social, governance – it is in the Human Firewall this becomes a reality in the behavior and culture of the organization.

Every organization needs a Human Firewall. So what is a Human Firewall? What is it composed of? The following are essential elements:

• Policy Management. Policies govern the organization, address risk and uncertainty, and provide the boundaries of conduct for the organization to act with integrity. The organization needs well-written policies that are easy to understand and apply to the context that they govern. They should be in a consistent writing style, maintained and monitored. It is absolutely essential that policies be well-designed, well-written, consistent, maintained, and monitored as they provide the foundation for the Human Firewall.
• Policy Engagement. Well-written and maintained policies are not enough, they also need to be communicated and engaged with the workforce. It does the organization no good, and can actually be a legal liability, to have policies that establish conduct that is not communicated and engaged to the workforce. All policies should be in a common corporate policy portal so they can be easily accessed and should have a regular communication and engagement plan.
• Training. The next part of the Human Firewall is training. Individuals need training on policies and procedures on what proper and improper conduct are in the organization’s processes, transactions, and interactions. Training applies policies to real-world context and aids understanding which strengthens the Human Firewall.
• Issue Reporting. Things will go wrong. Bad decisions will be made, inadvertent mistakes will happen, and the malicious insider will do something wrong. Part of the Human Firewall is providing mechanisms such as hotlines, whistle-blower systems, management reports, and other mechanisms of issue reporting for the employees in the front-office and back-office can report where things are breaking down or going wrong before they become big issues for the organization.
• Extended Enterprise. The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is an extended web of relationships: suppliers, vendors, outsourcers, service providers, consultants, temporary workers, contractors, and more. You walk down the halls of an organization and half the people you walk by, the insiders, are no longer employees. They are third-parties. The Human Firewall also has to extend across these individuals that are a core part of the organization’s processes. Policies, training, and issue reporting should encompass the web of third-party relationships that shape and form today’s organization.

Where are you at in building, maintaining, and nurturing your organization’s Human Firewall?

One resource to help is GRC 20/20’s work in partnership with OCEG on www.PolicyManagementPro.com to promote good policy management practices and certification within organizations.

Other resources to help include GRC 20/20’s research and publications on:

• Policy & Training Management
• Issue Reporting & Case Management
• Third-Party Risk/GRC Management (Extended Enterprise)

I have been on the road regularly for the past six weeks with a heavy travel schedule through mid-July that brings me across the USA and Europe. Lots of interactions with people face-to-face and the conversations center on:

• How do we engage the front-line/office of the organization on GRC?
• How do we make GRC intuitive? How do we make it simple?
• What technologies are revolutionizing GRC to provide value in a way that gets the job done but is less of a burden?

This is what GRC 4.0 (Agile GRC) and GRC 5.0 (Cognitive GRC) are all about. And it is not just for “Enterprise GRC/IRM” Platforms. But down in the best of breed GRC solutions for third-party risk, policy management, regulatory change, IT risk management, resiliency, and more. 

Let me remind each of you on this list . . . 

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.

This quote has been attributed both to Einstein and E.F. Schumacher.

A primary directive of Agile & Cognitive GRC is to provide GRC processes and information that is innovative, contextually intelligent, assessable, and engaging. GRC done right minimizes its impact on the business while still maintaining insight and control of risk across the business. GRC should be intuitive to the business and GRC technology should provide the right information in a way that works for the business.

GRC technology should not get in the way of business. Why do some enterprise GRC projects take two years for just the initial implementation to be built out?  The primary issue is overhead in extensive services and technology customization to integrate and develop massive GRC implementations that end up slowing the business down and delaying value (if the value is ever achieved). GRC needs to be Agile and Cognitive to be valuable to the business. GRC technology has to deliver harmonious relationships or GRC information that supports the business. GRC is to enable enterprise agility by creating dynamic interactions of GRC information, analytics, reporting, and monitoring in the context of business.

Like Apple with its innovative technologies, organizations must approach GRC in a way that re-architects the way it works as well as the way it interacts. The Agile & Cognitive GRC goal is simple; it is itself Simplicity. 

Simplicity is often equated with minimalism. Yet true simplicity is more than just the absence of clutter or removal of embellishment. It’s about offering up the right contextually relevant GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC processes and data. GRC interactions should be intuitive.

Agile & Cognitive GRC is about delivering innovative, intuitive, and GRC engagement and intelligence to the business in the context of business. It delivers 360° contextual GRC intelligence through the use of artificial intelligence, cognitive computing, machine learning, and natural language processing. It provides engaging and user-friendly experiences that minimize process overhead while enabling the organization to reliably achieve objectives, while addressing uncertainty, and act with integrity.

I discuss this in detail in the Research Briefing: 2022 State of the GRC Market.

I would love to hear your thoughts on Agile & Cognitive GRC technology and intelligence . . .

A dynamic business environment requires the capability to actively manage risk intelligence and fluctuating risks impacting the organization and its relationships. The old paradigm of uncoordinated third-party risk management is inadequate given the volume of risk information, the pace of change, and the broader operational impact on today’s business environment and operations. Organizations need to address third-party risk intelligence with an integrated strategy and an enterprise-wide information architecture that provides 360° third-party risk situational awareness. The goal is to provide actionable and relevant risk intelligence to support third-party risk governance and oversight to ensure the organization is agile, resilient, and acting with integrity in its business relationships. 

Third-Party Risk Intelligence Architecture: Core Elements

Comprehensive 360° situational awareness requires a system to gather information, weed out irrelevant information, route critical information to subject matter experts (SMEs) for analysis, track accountability, and determine the potential impact on the organization. Therefore, an effective enterprise-wide third-party risk intelligence architecture includes:

• A comprehensive risk framework. The third-party risk framework should be a hierarchical and comprehensive catalog/index of third-party risk domains with the potential to impact the organization. Third-party risk domains should be further broken into categories comprised of individual risk metrics logically grouped into related areas (e.g., ESG risk domain would include risk categories of Environmental, Social, and Governance. The Social category would include sub-category risk metrics related to diversity & inclusion, pay equality, health & safety, child labor, human rights, etc.). 
• Intelligence content aggregation. The organization needs to identify the best sources of risk intelligence. Content feeds can come directly from various sources – regulators, law firms, consultancies, news feeds, blogs by experts, etc. – or from content aggregators. It must be mapped to the risk intelligence framework. The most economical and efficient way to address this need is through a risk intelligence provider that leverages automation and AI to aggregate risk content while removing noise and false positives. Additionally, there can be great efficiencies and cost savings that can be realized by leveraging a single solution that can provide a comprehensive and consistent view.
• Metrics, dashboarding & reporting. To govern and report on the third-party risk intelligence process, the organization needs the ability to monitor metrics and reports to determine process adherence, risk/performance indicators, and risk issues and exposure. The dashboards should provide the organization with a quick view into the current risk exposure and potential emerging risks, which individuals are responsible for triage and/or impact analysis and overall risk impact on the organization.
• Defined roles and responsibilities. Successful risk management requires accountability: making sure the right information gets to the right person with knowledge of the risk domain and its impact on the organization. This requires the identification of SMEs for each risk category defined in the taxonomy. This can be subdivided into SMEs with particular expertise in categories, metrics, or specific jurisdictions, or who perform specific actions as part of a series of changes to address risk developments and exposure.
• Workflow and task management. Real-time third-party risk intelligence feeds into a risk management platform providing a system of structured accountability to manage changes based on business impact analysis. Workflow and task management route details and required actions to the appropriate SMEs for further analysis with escalation capabilities when items are past due. The process tracks accountability on who is assigned risk tasks, establishes priorities, and determines the appropriate course of action. Automation is leveraged to handle routine risk mitigation actions, freeing up team members to focus on only the most critical risks that require human intervention. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis of third-party risk developments.

Third-Party Risk Intelligence Architecture: Additional Capabilities

In addition to the core elements, the following additional capabilities provide further value to a third-party risk intelligence architecture:

• Accountability. A primary directive of a third-party risk intelligence architecture is to provide accountability. Accountability needs to be tracked as risk information is routed to the right SME to review and define actions. The SME should be notified when further evaluation is necessary and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. The built-in automatic notification and alert functionality with configurable workflows facilitate risk intelligence in the context of the organization’s operations and its third-party relationships. 
• Business impact analysis. The architecture needs to provide the functionality to identify the impact of changes in risks on the third-party business environment and its operations and then communicate to relevant areas of the organization how the development impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag risk areas/domains to respective business relationships, services, and operations. The overall system needs to be able to keep track of changes by assessing their impact and triggering preventive and corrective actions. Furthermore, the solution ensures that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined.
• Mapping risks, policies, controls, and more. A critical component to evaluate is the architecture’s ability to link third-party risks to assessments, policies, controls, reports, and processes. The ability to map to business lines, products, and geographies allow companies to manage a risk-based approach to third-party developments and strategies. The workflow automatically alerts relevant stakeholders for necessary action and relationship changes. It also supports electronic signoffs at departmental and functional levels that roll up for executive certifications on risk exposure and acceptance. Mapping is another area where artificial intelligence/cognitive technologies are providing greater efficiency and effectiveness value for third-party risk intelligence.
• Audit trail and system of record. It is absolutely necessary that the risk architecture have a full audit trail to see who was assigned a task, what they did, what was noted, notes that were updated, and be able to track what was changed. This enables the organization to provide full accountability and insight into whom, how, and when risks were reviewed, measure the impact on the organization, and record what actions were recommended or taken.
• Reporting capabilities. The architecture is to provide full reporting and dashboard capabilities for clear visibility into the risks monitored, task assignments, overdue actions, and the identification of issues that pose the most significant risk to the organization’s third-party relationships. Additionally, by linking risk intelligence to the various other aspects of the platform – including relationships, processes, objectives, policies, controls, and more – the reporting should provide an aggregated view of risk across multiple relationships and business owners.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: 360° Risk Intelligence in the Extended Enterprise:
Ensuring Agility, Resiliency & Integrity in Third-Party Performance.

Take advantage of GRC’s structured guidance to deliver on ESG strategy and processes.

ESG – Environmental, Social, and Governance – is pressuring organizations from every angle. Investors are making investment decisions based on the ESG practices of companies. Individual directors on boards are being voted out based on ESG metrics. Employees are making decisions on whom they work for based on shared values, as well as clients/customers. And regulators are taking focus on ESG, the most recent being the SEC with its proposed disclosure requirements for climate change.

Organizations around the world and across industries are challenged to define, implement, and report on ESG. The goal is to be an organization of integrity to ensure that the values, ethics, statements, commitments, relationships, and transactions are a reality in practice, process, relationships and transactions.

However, understanding ESG is complex. As a guide, but not exhaustive, ESG covers . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SAI360 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Federal Risk and Authorization Management Program (FedRAMP) has been in place for just over a decade (2011). Its purpose is to provide a “cost-effective, risk-based approach for the adoption and use of cloud services” by the federal government. This is to equip and enable federal agencies to utilize cloud technologies in a way that minimizes risk exposure through security and protection of federal information and processes. It is to promote the use of secure cloud services through the standardization of security and risk assessments with corresponding controls to mitigate risk. Through FedRAMP, federal agencies gain access to FedRAMP authorized and certified cloud services that are vetted and approved to ensure they conform to controls and compliance requirements to minimize risk exposure. 

However, for cloud service providers (CSPs) the FedRAMP process is not easy. It requires a lot of defined structure, controls, and processes for ongoing management of security controls, risk assessments, and response. FedRAMP authorization and certification can be a daunting process. Organizations seeking FedRAMP certification need to ensure they have the right security architecture and processes in place and maintained on a continuous basis with a full audit trail and system of record of FedRAMP requirements, related activities, assessments, and controls. 

Managing and maintaining FedRAMP certification in manual processes will lead to . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE IGNYTE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Gone are the years of simplicity in business operations. Rapid growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping business strategy, compliance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives and management professionals throughout all levels of the business.

The interconnectedness of objectives, compliance, risks, and resilience requires 360° contextual awareness of risk and resiliency. It requires holistic visibility and intelligence of risk and resiliency. Organizations need to see the intricate relationships of objectives, risks, compliance obligations, processes, and controls across the organization’s operations. The complexity of business – combined with the intricacy and interconnectedness of risk and compliance – necessitates that the organization implements a strategic approach to operational resilience.

The past few years have taught us lessons, such as . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Organizations often fail to monitor and manage compliance controls effectively in an environment that demands agility. This results in the inevitable failure of compliance that provides case studies for future generations on how poor internal control management leads to the demise of organizations: even those with strong brands.

Today’s business environment is complex. Exponential growth and change in risks, regulations, globalization, employees, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping this risk, complexity, and change in sync is a significant challenge for boards, executives, and GRC management professionals throughout all levels of the business. Organizations need to understand how to design effective compliance controls, implement them, and review whether the risks they were designed to control are effectively mitigated continuously.

Compliance control management in the modern organization is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Organizations need to be organizations of integrity. What we communicate to the world about our policies, compliance and ethics practices, values, code of conduct, regulatory commitments, and now ESG statements is a reality in the organization and not fiction. The Chief Ethics and Compliance Officer (CECO) has become the Chief Integrity Officer of the organization. Integrity is a mirror. What we tell the world what the organization is about, is that what is truly reflected back to us in our behavior and operations?

Growing up, I was always told, and I am sure you were as well, that actions speak louder than words. Or you can talk-the-talk but can you walk-the-walk? It was an encouragement to ensure that what we tell people we do is what we actually do. That we do not live a fictitious life by portraying to the world that we are something that we really are not . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE VCOMPLY BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]