Foundation of a Policy Management Strategy

Already today I have had three inquiries from organizations discussing their policy management strategy and the appropriate solutions to address their enterprise policy management and training needs for a holistic approach to policy management. Here are some thoughts on how to build a policy management strategy from the recent GRC 20/20 research report, Strategy Perspective: Policy Management Maturity Model.

Organizations need a coordinated cross-department strategy for managing policies across the enterprise. The goal is to develop common principles, framework components, strategies, processes, and architectures so that policy management is consistent and managed as an integrated whole rather than a dissociated collection of parts. 

Policy management programs that are managed as disconnected and disassociated departments, documents, data, systems, and processes leave the organization with fragments of truth. They fail to see the big picture of policy management across the enterprise and how it supports the organization’s governance, risk management, and compliance responsibilities, and they hinder the achievement of corporate culture and integrity. The organization needs to have holistic visibility and situational awareness into policy management across the enterprise. The complexity of business and the intricacy and interconnectedness of policies and obligations require that the organization undertake a policy management maturity journey.

Principles of Policy Management

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles. There are both universal principles and organization-specific principles established to support the policy management capability. Universal principles for policy management found in the Policy Management Capability Model (found at www.PolicyManagementPro.com) are: 

  • Necessary. Effective policy management is necessary to enable governance, risk management, and compliance at every level of the organization. Without policy management led and supported by senior management, it is difficult to have policies that consistently define organizational goals and values, define risks that must be addressed, and provide a roadmap to adherence.
  • Tailored. The policy management capability must be designed to fit the business context, objectives, values, and strategies. There is no one-size-fits-all structure for policy management. It needs to be aligned with the risk appetite and operational model of the organization.
  • Integrated. Policy management should be integrated into business operations. While centralized oversight and design of policy management are important, without acceptance of the defined approach and assignment of policy responsibilities within the affected operations, the system will be ineffective.
  • People-Centered. At its heart, policy management is people-centered, from employees to clients and even third-party relationships. It is significantly influenced by human conduct and culture – it cannot be automated away. Subject matter experts must develop policies that support the governance, risk concerns, and compliance requirements of the organization, and the audiences for policies must understand and apply them. The ecosystem of individuals impacted by policies must be able to provide input into policies.
  • High-Performing. The capability must be designed to fit the organization and its objectives. It must be supported by resources to ensure high performance and embedding of policies into the culture of the organization. Policy management needs to be effective, resilient, efficient, and agile in the organization. 
  • Standardized. Both policies and the procedures for developing, distributing, and enforcing them should be standardized. Having a consistent approach is key to enhancing understanding and developing an audit trail for the defense of the organization.
  • Collaborative. Good policy management involves coordination and collaboration across a range of departments and roles in the organization. It is necessary to engage and collaborate on policy management as well as on individual policy authoring.
  • Accessible. Policies, and therefore policy management, need to be accessible at all levels of the organization. At any point in time, the organization should have a complete view of what the official policies are. Employees should be able to readily find policies and interact with them. 
  • Engaging. Policies need to be clearly written and understood. This requires policy management processes that conform to a consistent writing style and language as well as communication strategies to engage employees.
  • Dynamic. The policy management capability must be designed for continual improvement and adjustment as the business objectives and model, operations, and risk profiles change over time.

Components of a Policy Management Capability 

The Policy Management Capability Model (found at www.PolicyManagementPro.com), which defines the goals of a mature policy management program, is organized into five components that outline an iterative, continuous improvement process to achieve maturity in policy management. While there is an implied sequence beginning with Govern, once the capability is established, components operate concurrently, interactively, and symbiotically. The components of a mature policy management program, as found in the Policy Management Capability Model, are:

  • Govern. Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
  • Develop. Establish standard methods for policy development to apply whether creating new policies, revising existing ones for broader application, making changes in response to change in the external or internal environment, or retiring out-of-date policies.
  • Communicate. Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
  • Enforce. Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
  • Improve. Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.

Policy Management Strategy, Process & Technology Architecture

Policy management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole in strategy, process, information, and technology. The organization requires complete situational and holistic awareness of policies across operations, processes, employees, and transactions to see the big picture of policy performance. Distributed, dynamic, and disrupted business requires the organization to take a strategic approach to policy management. The architecture defines how organizational processes, information, and technology are structured to make policy management effective, efficient, and agile across the organization.

Organizations need to be intelligent about the policy management processes and technologies they deploy. A sustainable and mature policy management strategy means keeping policies current in the midst of continuous regulatory, risk, and organizational change. With increased exposure to regulations and scrutiny, how does an organization keep policies current? 

The primary directive of a mature policy management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of policies across the organization. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of policies throughout the enterprise. The framework components of a policy management architecture are (more detail on the framework for a policy management architecture is found in GRC 20/20’s Policy Management by Design research paper):

  • Policy Management Strategic Plan. Designing a federated policy management program starts with defining the strategy. The strategy connects key business functions with a common policy governance framework. The strategic plan is the foundation that enables policy management transparency, discipline, and control across the ecosystem of the enterprise. The core elements of the policy management strategic plan include:
    • Policy governance team. The first piece of the strategic plan is building the cross-organization policy governance team (e.g., committee, group). This team needs to work with policy owners to ensure a collaborative and efficient oversight process is in place.  
    • Policy management charter. With the initial collaboration and interaction of the policy management team in place, the next step in the strategic plan is to formalize this with a policy management charter. The charter defines the key elements of the policy management strategy and gives it executive and board authorization. 
    • Policy on Policies (e.g., MetaPolicy). This sets the policy management structure in place. The policy should require that an inventory of all policies be maintained with appropriate detail and approvals. The policy on policies is the foundation on which to build an effective policy management program. It defines the critical elements of the organization’s policy management program. 
  • Policy Management Process Architecture. Policy management is enabled through defined policy management processes. Processes are used to manage and monitor the ever-changing business, third-party relationship, risk, and regulatory environments in the context of policies. The policy management process architecture is the structural design of processes, including their components of inputs, processing, and outputs. This architecture inventories and describes policy management processes, each process’s components and interactions, and how processes work together. The core elements of the process architecture are understood as the organization’s policy management lifecycle. This represents the actual operation and process of the Policy on Policies in action to develop, manage, and maintain policies throughout their effective use. Parts of an effective policy management process architecture include: 
    • Determine need for new policies or updates
    • Policy development and approval 
    • Policy publication, communication, training, and awareness
    • Policy adherence and compliance
    • Implement related procedures and controls
    • Monitor, test, and assess policy adherence/conformance
    • Manage and document policy exceptions 
    • Policy metrics and reporting
    • Review, update, or retirement of policies 
    • Policy archives of past versions with audit trail of history and interactions
  • Policy Management Information Architecture. The information architecture supports the process architecture and overall policy management strategy. With processes defined and structured in the process architecture, the organization can now get into the specifics of the information architecture needed to support policy management processes. The policy management information architecture involves the structural design, labeling, use, flow, processing, and reporting of policy management information to support policy management processes. 
  • Policy Management Technology Architecture. The policy management technology architecture enables and operationalizes the information and process architecture to support the overall policy management strategy. The goal of the technology architecture is to operationalize the process and information architecture. The right policy management technology enables the organization to effectively manage policy management performance and engagement across the organization and facilitates the ability to document, communicate, report, and monitor the range of communications, training, documents, tasks, responsibilities, and action plans. There can and should be a central core technology platform for policy management that connects the fabric of the policy management processes across the organization. Organizations suffer when they take a myopic view of policy management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real-time business operations. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment that enables better performance, less expense, and more agility in policy management and engagement. Some capabilities organizations should consider in a policy management platform are:
    • Integration with other business systems
    • Collaborative policy authoring
    • Content, workflow, and task management
    • Regulatory change management and mapping
    • Cognitive technologies/artificial intelligence for policy and regulatory mapping 
    • Policy portal and accessibility
    • Notifications
    • Audit trail and system of record
    • Intuitive interface design
    • Mobility

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.

Delivering Agile Compliance

In business, change is inevitable. The compliance landscape is also constantly evolving. Agile compliance ensures businesses move with these changes.

Business today is dynamic. It is changing minute-by-minute and second-by-second. Employees, processes, technology, transactions, interactions, even business relationships are in a continuous state of movement.

At the same time, the regulatory and risk environment is constantly changing. There are 257 regulatory change events every business day in financial services coming from 1,217 regulators worldwide.

The challenge for compliance professionals is becoming agile. An organisation needs an agile compliance program to . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE SKILLCAST BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

360° Visibility into Policies and Policy Management

Dynamic, Disrupted & Distributed Business Requires Policies

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, employees, partners, technology, and business data encumbers organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. 

The interconnectedness of governance, risk management, compliance, and the integrity of the organization requires 360° visibility into the organization’s policies. Organizations need to see the intricate relationships of policies across the organization’s operations. It requires holistic visibility and intelligence into policies and policy management and how it impacts organizational integrity and culture. The complexity of business necessitates that the organization implements a strategic approach to policy management.

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization in establishing boundaries of behavior for individuals, processes, relationships, and transactions. When an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk; every policy is a risk document that aims to control behavioral related risks.

Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, individual processes, and assets —the organization states what it will and will not accept and defines the culture of governance, integrity, risk management, and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents. Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct.

GRC, by definition, is “a capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:

  • Policies articulate the governance culture. Policies address more than how to meet legal requirements; they also drive the performance objectives of the organization. Without policies, the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make decisions and may take the organization where management does not want it to go. Governance is not taking place. Imagine an organization that did not have policies. How could it ever reliably achieve objectives as there would be no consistency in behavior, processes, and transactions?
  • Policies articulate the risk culture. This includes the establishment of risk management responsibilities, communication, appetite, tolerance levels, and risk ownership. Policies reduce bias in decision making. Every organization takes risk — it is part of the business and sometimes helps to get the business where it wants to be. Without clearly written guidance and ownership, however, risk governance will be ineffective and risk decisions will be made by each individual based on his or her personal appetite for risk. Essentially, every policy is a risk document. There would not be a policy if there were not a risk. Further, every policy must be risk-informed; the policy exists in response to a risk or anticipated risk and needs to be understood in that context.
  • Policies articulate a culture of compliance. Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies also establish the values, ethics, commitments, and ESG (environmental, social, governance) commitments of the organization. Policies, particularly policies that are enforced, provide an organization with a defensible position against the actions of rogue employees and demonstrate how the organization meets legal, regulatory, contractual, and other requirements.

In this context, policies are critical to all three aspects of GRC – governance, risk management, and compliance. Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more”. Even when well-written policies are issued, the game is not over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, and the organization can end up in hot water. An organization may develop a corrupt culture even with the right policies in place, but it cannot have a strong, effective culture without them.

Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strongly embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives. Policies must be governed, managed, monitored, and enforced so that they are both effective and efficient tools to help the organization stay on the path it chooses.

The Challenge: Hordes of Policies Scattered Across the Organization

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that policies affect every person involved with supporting the business, including internal employees and third parties. 

Many organizations struggle with:

  • Policies are managed in documents and file shares. Policies are haphazardly managed as document files and dispersed on several file shares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient policy training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policies that do not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, eighth grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy. As policies establish a legal duty of care, organizations face misaligned policies, exposure and liability, and other rogue policies that were never authorized.
  • Out of date policies. In most cases, a published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations to policy. The organization has no information about where a policy is breaking down, and how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process. 

If policies do not conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability. To be an organization of integrity and defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. 

Delivering 360° Policy Management Visibility

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity. 

Organizations need complete 360° situational awareness and visibility into policies that govern the organization’s processes, operations, transactions, regulatory requirements, ethics/values, and risks. What complicates this is the exponential effect of change on the organization. Businesses operate in a world of chaos, and even a small change can cascade, develop, and influence what ends up being a significant risk exposure for the organization. Dissociated siloed approaches to policy management leave the organization with fragments of culture and control that fail to see, guide, and direct the enterprise in the midst of change. The organization needs visibility into policies and policy management consistency across the entire organization. Organizational complexity and change require that the organization implements an enterprise view of policies and policy management. 

The Bottom Line: Successful policy management requires the organization to provide an integrated strategy, process, information, and technology architecture to consistently govern policies across the organization. The goal is to give comprehensive, straightforward insight into policy management to identify, analyze, manage, and monitor policies in the context of operations, processes, transactions, and roles. It requires the ability to continuously monitor change and capture changes in the organization’s policies. As a result, organizations are measuring their current state and planning toward a future state of increased policy management maturity in the organization.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.

Have You Done your Policy Enforcement Push-ups?

I love teaching my “By Design” Workshops! This past Monday it was Policy Management by Design, my favorite of all of them, in New York City. It is great to be back live teaching these interactive workshops, and it was a great day in New York with engaged attendees from a range of organizations.

The Policy Management by Design Workshop has a lot of new content, including the Policy Management Capability Model that I worked hard on publishing with OCEG in our joint venture with www.PolicyManagementPro.com. It also includes my new Policy Management Maturity Model.

In discussing Policy Enforcement, one of the 5 components of the Policy Management Capability Model, one organization in attendance stated how they increased policy awareness and compliance by getting creative in policy enforcement. The example this person gave was in the context of their Background Check Policy. If an employee does not follow the background check policy then they and their manager have to do push-ups in front of others. That is one example of creatively building a culture of integrity and policy compliance.

In a previous workshop, before lockdowns, a global software firm stated they take their inclusion, diversity, equality, harassment, and discrimination policies very seriously. If an employee gets behind in their policy acknowledgment and required related training in these areas . . . they go to log in to their computer and they will find all they can access is the policy management portal with the policy acknowledgment and training they have to complete. Another example of policy enforcement.

This is what I love about these workshops. I can lecture and teach all day, but attendees learn from each other as much as they do from me.

Myself teaching on the Policy Management Capability Model in the New York Policy Management by Design Workshop this week.

Upcoming Workshops . . .

November 30

Enterprise GRC Management by Design – Minneapolis

Blueprint for an Effective, Efficient & Agile Enterprise GRC Program. Governance, risk management & compliance (GRC) is something an organization does and not something an organization buys. GRC, done properly, is what is achieved throughout the business and its operations. By definition, GRC is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.” This requires that GRC needs […]

December 2

Compliance Management by Design – New York

Blueprint for an Effective, Efficient & Agile Compliance Management Program. Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Complicating matters, today’s organization is dynamic and constantly changing. The modern organization adjusts by the minute. New employees come, others leave, roles change. […]

March 10 

Risk Management By Design Workshop – New York

Risk is pervasive throughout business strategies, operations, and processes. Siloed approaches to risk management leave the organization not seeing the big picture of risk. The reaction is often to centralize risk management which forces different areas of the organization into a one-size-fits-all risk management model that fails to adequately manage and monitor risk. Defining strategy, […]

Hybrid Working: What About the Risk?

I have been a remote and hybrid worker for twenty-five years. It has been and remains my professional life. I work out of my home office (though I do have a rental office space I can use for when I need seclusion). It takes a lot of foresight to manage the risks as I have a lot of clients and their sensitive data.

In my recent travels across Europe (London, Paris, Copenhagen, Zurich) and the USA (Chicago, New York) this past month, the conversation has often turned to the risks of the hybrid work environment. To address employees’ desires, demands, and needs as a result of the pandemic and provide a future of flexibility, many organizations are offering a hybrid option or complete remote working. For many organizations, this has been a quick reaction without really thinking it through carefully.

For your consideration, here are some of the risks . . .

  • IT/cyber/information security. This is the first thing that comes to mind, but it should not be the only thing. Careful attention has to be paid to the security of the remote office. My home office is filled with connected devices: speakers, exercise bikes, wall outlets, televisions, even the blender in my kitchen. If any of these devices has a backdoor or trojan horse installed (think SolarWinds for a current reality), it could compromise the home office environment. Careful attention needs to be paid to home office security and to the business devices and connections of the remote office. This is a no-brainer.
  • Physical security. This is often neglected. What about the security of the physical environment? What sensitive conversations can be overheard on the phone, conference calls, Zoom meetings, and more? Can that spouse, partner, roommate overhear things they should not be privy to? Are screens protected? Physical documents, are they secure and even locked up when not being used? This is a serious concern that many organizations have not looked into.
  • Where is work being done. This ties into the first two bullets. In a hybrid and remote work enviornment employees can work from anywhere. I am in a coffee shop writing this blog right now. What sensitive business or client/customer information on calls can be overheard by strangers, potentially competitors? What can be seen on screens and other devices by strangers? I look around and I can see three laptop screens and their information from just a casual glance up from my cup of coffee right now.
  • Conduct. As we moved to Zoom/online meetings becasue of the pandemic we saw a huge spike in conduct issues. People are working from home. They may be wearing their dress shirt in the video, but are wearing their pajama bottoms under the desk. They feel relaxed and casual. They end up saying things in business meetings that cross the lines of harassment and discrimination, things that would never be allowed in the corporate office and conference rooms. But since they are working from home they feel different rules apply.
  • Culture. This brings us to culture, how do you develop and maintain a strong corporate culture in a remote and hybrid environment. This will require extra nurturing, fostering, and development. Employee engagement and interaction is critical.
  • Fatigue. Zoom/video conference fatigue is a reality. People start losing focus in online meetings after one-hour and are completely checked out in two-hours. Organizations need to restructure how they plan meetings, particulalrly frequency and length.
  • OSHA and physical health and safety. A lot of attention has been placed on creating healthy work environments for the physical health and well-being of employees. With employees working from home, how do we ensure that these are physically healthy enviornments?

Organizations need to clearly write, communicate, and enforce their hybrid work policies and procedures to address these risks. There should be a single central portal for all of the organization’s policies and procedures, filtered to what is contextually relevant to the employee’s role/function, so that they see the policies related to their job and responsibilities. All remote/hybrid-work-related policies should be tagged and grouped so employees can easily find them. These include security, home-office/remote-work conduct, health and safety, home-office expense, and other related policies. Organizations should develop training for remote and hybrid work and require that all employees undergo this training annually.

Consideration of all of these risks and related policies also needs to be applied to the extended enterprise. Brick-and-mortar walls do not define the modern organization as we have the remote and hybrid-work world. But it also is not limited by traditional employees. Your contractors, consultants, outsourcers, service providers, and even temporary workers may also be working remotely. These risks impact your third-party relationships as well and need consideration.

These are the risks that employers should consider and address when developing their remote and hybrid work-related policies. However, I have been encountering employee concerns about the risk of what the company may do in the future. If remote working is allowed, will they then take the next step to reduce costs and allow off-shore remote working?

Risk Management Lessons from Denmark

October was a great month! Business travel is back and I had a backlog of in-person engagements across London, Paris, Copenhagen, Zurich, and New York. It is good to be back on the road and meet people around the world in the context of my research into governance, risk management, and compliance (GRC) challenges organizations face and how they solve that with strategy, process, and technology.

On this series of trips, I finally got to my ancestral homeland of Denmark (30 to 40% Danish, and the source of my last name). In all of my travels around the world over the past several decades . . . this was my first trip to Denmark (Copenhagen). My paternal grandfather came from Denmark. I am told that I have a great uncle that was a leader in the underground railroad in Denmark helping the Jews escape Germany. I am also told that one of my ancestors was the inventor of the Danish hot dog cart on street corners. So I was anxious to see this part of my ancestral homeland as I presented my research on the top GRC drivers and trends for 2021 and into 2022 to risk management and compliance executives at Scandinavian companies.

What struck me in my visit to Denmark was the culture of trust and thus the culture of risk management and control. Denmark prides itself on being a society of trust. This is evident in their business environment as they have a fairly low rate of fraud and wrongdoing.

This culture of trust is also evident in their mass transit. I took the train into downtown Copenhagen. I purchased a ticket for the train but was able to walk right on board without going through any gate or presenting the ticket to anyone. There was no turnstile. Nothing of the sort. On the way back to the hotel I took a taxi so I could see more of the city. I asked the taxi driver about this, and he explained it was part of their culture to trust. Danish people will do the right thing and there is a very low occurrence of abuse of the system. In fact, he stated that it would cost more to put in controls and validate tickets than what they would recover in abuse.

Two things to consider in this context . . .

  • Risk and trust culture. The Danish people have built a positive culture of trust that impacts their risk culture. I am curious in researching how this has developed over time and what brought them to this strong, positive culture.
  • Cost of controls related to risk exposure. The Danish people understand their risk exposure, in this case very little, and decided that risk acceptance is the best path forward and not further controls to mitigate risk. They realize that the cost of controls to enforce honesty on the few perpetrators is greater than what they would recover.

The key element here is that the culture of trust is critical. I do not think you could eliminate turnstiles and related controls in mass transit in the USA, United Kingdom, and many other places I visit. There would be too much abuse of the system, and the cost of controls would be justified by what they recover. Denmark can do this because it has developed and nurtured a culture of trust where this works.

In our organizations, the key question is how can we improve our culture of trust and risk management? Also, there may be certain areas where you have controls that do not make sense. The cost of controls may outweigh the value they preserve and protect.
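A worked version of that cost-of-controls question, as an added example that is not part of the original post: it compares the loss a control avoids against what the control costs each year, using annualized loss expectancy (ALE) and a simple return on security investment (ROSI), and lets "accept the risk" compete with the candidate controls. The fare, evasion rate, and control costs are constructed numbers chosen to illustrate the turnstile decision, not transit data; `Exposure`, `Control`, and `choose` are names introduced here.

```python
"""Control cost-benefit check: does a control pay for itself?

Added example, not from the original post. Annualized loss expectancy
(ALE) is single loss expectancy x annual rate of occurrence; a control is
worth buying only when the ALE it removes exceeds its yearly cost. All
figures in demo() are constructed for illustration, not transit data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """Loss exposure before any new control is applied."""
    single_loss: float   # loss per incident (SLE), e.g. one unpaid fare
    annual_rate: float   # incidents per year (ARO)

    @property
    def ale(self) -> float:
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A candidate control: what it costs per year and how much loss it removes."""
    name: str
    annual_cost: float   # capital amortised per year plus operating cost
    reduction: float     # fraction of the ALE it prevents, 0.0..1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must be between 0 and 1")
        if self.annual_cost <= 0.0:
            raise ValueError("a control with no cost is not a decision")


def residual_ale(exposure: Exposure, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    return exposure.ale * (1.0 - control.reduction)


def net_benefit(exposure: Exposure, control: Control) -> float:
    """Loss avoided per year minus the control's cost; negative means it does not pay."""
    avoided = exposure.ale - residual_ale(exposure, control)
    return avoided - control.annual_cost


def rosi(exposure: Exposure, control: Control) -> float:
    """Return on security investment, as a multiple of the control's cost."""
    return net_benefit(exposure, control) / control.annual_cost


def choose(exposure: Exposure, options: list[Control]) -> tuple[str, float]:
    """Pick the option with the largest net benefit.

    'accept' (no new control, net benefit 0) wins whenever every control
    costs more than the loss it would avoid, which is the Danish transit
    outcome described above.
    """
    best_name, best_value = "accept", 0.0
    for control in options:
        value = net_benefit(exposure, control)
        if value > best_value:
            best_name, best_value = control.name, value
    return best_name, best_value


def demo() -> dict[str, tuple[str, float]]:
    """Same two controls against a low-abuse and a high-abuse population (constructed figures)."""
    gates = Control("turnstiles", annual_cost=5_000_000.0, reduction=0.90)
    inspectors = Control("ticket inspections", annual_cost=800_000.0, reduction=0.50)
    trusting = Exposure(single_loss=30.0, annual_rate=40_000)     # ALE 1.2M per year
    untrusting = Exposure(single_loss=30.0, annual_rate=400_000)  # ALE 12M per year
    return {
        "low abuse": choose(trusting, [gates, inspectors]),
        "high abuse": choose(untrusting, [gates, inspectors]),
    }


if __name__ == "__main__":
    for label, (decision, value) in demo().items():
        print(f"{label}: {decision} (net benefit {value:,.0f} per year)")
```

The same two controls lose money against the low-abuse population and pay for themselves against the high-abuse one; the culture of trust shows up in the model as a low annual rate, which is exactly what makes risk acceptance the cheaper choice.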

ESG – It’s Time to Up Your Game

Why Every Organization Should be Focusing on ESG

I recently wrote an article for Aravo’s new publication, Risk & Resilience. Their inaugural issue focused around the important topic of ESG, and is jampacked with great thought leadership content from a variety of experts and perspectives. I invite you to read the article I included below, but also to check out the publication as a whole and learn from the great thought leadership included.

ESG – Environmental, Social, Governance – is a dominant focus in organizations right now getting board-level scrutiny and attention. Organizations around the world and across industries are challenged to define, implement, and report on ESG. These pressures are coming from all directions: investors, customers, employees, regulators, and activists. The reality is that ESG has teeth, and organizations must do something about it.

Previous iterations of ESG were Corporate Social Responsibility (CSR) and Sustainability. These were often passed around the organization like a hot potato and often landed in the lap of marketing as a branding exercise. This is not the case with ESG; the risk exposure to the organization is too great. I find that the Corporate Compliance and Ethics Officer (CECO) is the most common role leading the coordinated/federated ESG strategy in the organization. The goal is to be an organization of integrity, ensuring that its stated values, ethics, and commitments are a reality in practice, in its processes, and in its relationships and transactions.

However, understanding ESG is complex. What is happening in organizations is like the parable of the blind men and the elephant. One blind man touches the tail and thinks it is a rope, another touches the body and feels a wall, and another touches a leg and says it is a tree. The same is happening with ESG as different functions/departments see what impacts them. Some focus on the E for the environment and think that is the most important since it leads the acronym ESG. Others are focused on the S, and others the G. All three are critical and intersect with each other.

As a guide, but not exhaustive, ESG covers:

  • Environment. Climate change, natural resource utilization, pollution and waste, biodiversity, certification, carbon footprint/emissions.
  • Social. Child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity, inclusion, working conditions, health and safety, product liability.
  • Governance. Corporate governance, fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership, and structure.

The reality is that ESG does not start and stop with traditional brick-and-mortar walls and employees. To address ESG requires that organizations address ESG in the context of the extended enterprise of third-party relationships.

Martin Luther King Jr stated, “Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” This statement is true in our individual relationships, and it is true in an organization’s relationships in the extended enterprise in the context of ESG.

That is because the structure and reality of business today have changed. It is not the same as it was a few decades back. The modern organization is supported by an interrelated structure of business relationships. It is an interconnected and interdependent web of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, and others. Business today relies and thrives on third-party relationships; this is the extended enterprise, and it is the challenge of business today to manage ESG across these relationships.

The saying “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization in the context of ESG. Ensuring that the organization acts with integrity in the context of ESG, complies with investor and regulatory requirements, and follows through on its ESG commitments and values in its relationships is no easy task. The actions and behavior of these third parties impact and shape the reputation and brand of the organization. Their risk issues are the organization’s risk issues.

Third-party risk programs are about to change significantly. In the past, there was a dominant focus on information security and privacy risk in these relationships. They also were fragmented where different departments monitored and managed their silos of risk without seeing the big picture of risk across a third-party relationship. This is changing. The focus on ESG is restructuring how organizations define and manage risk in the extended enterprise. 

Particularly, there are pending directives and legislation with an expansive scope that are expected to be passed this summer: the EU Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence alongside Germany’s corresponding Corporate Due Diligence Act.

These laws are more than reporting requirements; they will have teeth. They are not like the United Kingdom Modern Slavery Act and California’s Transparency in Supply Chains Act. These new laws are expected to have significant enforcement penalties and sanctions and large administrative fines (similar to anti-trust and GDPR fines). They require thorough and continuous due diligence of third-party relationships in the context of environmental practices, social and human rights, and governance to address corruption. 

This is going to fundamentally change and restructure TPRM programs to address ESG in the extended enterprise. Organizations need to move beyond scattered silos of third-party risk oversight to create an integrated third-party governance program that addresses ESG throughout the extended enterprise. This unifies a single approach to govern ESG in third-party relationships and delivers a 360° contextual awareness of ESG risk in relationships. 

The writing is on the wall, organizations need to fundamentally change how they approach ESG internally and across the extended enterprise. Organizations should start defining an integrated strategy for ESG to address these forthcoming requirements and stakeholder demands in a unified and consistent approach.

Thank you again for reading my contribution to Risk & Resilience! Again, I invite you to explore other great articles and interviews in the publication to gain a well-rounded understanding of ESG’s importance.

Check out Risk & Resilience’s issue on ESG

Explore Risk & Resilience on LinkedIn

Are You Headed to a Risk Management Clusterf***?

Yes, you read that correctly. Anyone that knows me knows that I am not inclined to use profanity casually. The reality is that this term, clusterf***, is a technical term.

The term has its roots in the Vietnam War, perhaps earlier. It describes a situation where there is a lot of top-down strategy (high-level officers/brass) but not enough on-the-ground information. Things look good in a strategic plan on paper, but the realities of on-the-ground operations are not appropriately considered.

Clusterf*** describes a concern I have for the trajectory of risk management strategies in organizations today. The past has had various departments of on-the-ground risk management doing their different things without any strategic direction. In the last few years, we have seen a shift of focus, propelled by some leading risk luminaries, to a top-down strategic planning view of risk in the context of performance, objectives, and strategy. This is a good thing, but I feel organizations may overcorrect and shift the pendulum too far and adopt a top-down view of risk at the cost of neglecting an understanding of risk down in the organization’s operations.

Focusing just on the top-down view of risk can lead us to disaster. It is like the butterfly effect in chaos theory, where the flutter of the butterfly’s wings in The Netherlands makes tiny atmospheric changes that can influence the development and path of a hurricane in the Gulf of Mexico. The lesson is that the little things matter as much as the strategic things.

While some of my peers seem to argue for a complete top-down view of risk . . . I state we are then headed for a risk management clusterf***. What is needed is a balance that brings both a top-down view of risk in the context of performance, objectives, and strategy management that aligns with a more traditional view of operational risk management down in the bowels, behavior, transactions, processes, and relationships of the organization.

Semantically, this is how I differentiate ERM (enterprise risk management) and ORM (operational risk management). ERM is about the top-down strategic view of risk aligned with the organization’s performance, objectives, and strategy. ORM is focused on risk in the operations, processes, and activities of the organization. ORM is part of ERM, but ERM includes strategic risk management, capital/liquidity/finance risk management, as well as operational risk management.

Good risk management will understand risk from a top-down view aligned and integrated, a part of performance and objectives. But it will also include a bottom-up view of risk in the processes and operations of the organization. We need a balance of both to avoid a risk management clusterf***.

Aligning Risk & Performance Management will be the discussion we will have this week on The GRC Red Flag Series, where I will be interviewing executives from Corporater as well as Soenke Thun, the Vice President Group Risk Governance at Deutsche Telekom, on how to align risk management with performance management while also maintaining a strong view of risk down in the operations of the organization.

Policy Management Maturity: Journey to an Agile Policy Management Program

Successful policy management requires the organization to provide an integrated strategy, process, information, and technology architecture to consistently govern policies across the organization. The goal is to give comprehensive, straightforward insight into policy management to identify, analyze, manage, and monitor policies in the context of operations, processes, transactions, and roles. It requires the ability to continuously monitor change and capture changes in the organization’s policies. As a result, organizations are measuring their current state and planning toward a future state of increased policy management maturity in the organization.

Mature policy management is about delivering policy that minimizes the perception of getting in the way of business and instead becomes a part of the business, of organizational change, and of the culture of the organization. There is an element of policy that will always be inhibitive, but the right approach overcomes this by delivering well-defined processes and an engaging policy user experience that aligns with the needs of employees, integrates with organization systems, and delivers relevant policy content when and wherever it is needed.

This means maturing a connected view of policy management that automates and makes processes more efficient, effective, and agile. This in turn enables organizations to leverage policies to ensure the integrity and culture of the organization aligns with its mission, vision, obligations, and values. Well-defined processes and technology for policy management make it easier to ensure policies are written, maintained, and communicated consistently across the organization.

Lacking an integrated view of policy management results in business processes, services, employees, and systems that behave like leaves blowing in the wind. An integrated and mature policy management strategy with common processes, information, and technology gets to the root of the problem. Leading organizations adopt a common strategy, framework, architecture, and shared processes to manage policies, increase efficiencies, and be agile to business, risk, and regulatory change. Mature policy management delivers better business outcomes because of stronger policy governance and improved culture and control in the context of the organization and its processes and objectives, which will:

  • Lower costs, reduce redundancy, and improve efficiencies.
  • Deliver consistent and accurate policy in context of the business.
  • Improve decision-making and insight into what is acceptable and unacceptable behavior.
  • Enable the organization to defend itself with a robust policy audit trail designed to mitigate risk and ensure integrity of the organization.

Five Stages of Policy Management Maturity

Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

Download the latest GRC 20/20 Research Report on the Policy Management Maturity Model . . .

Register for the webinar on Understanding the Journey to Policy Management Maturity . . .

Register for the next Policy Management by Design Workshop in New York on November 15th . . .

Access the Policy Management Capability Model and become a Certified Policy Management Professional . . .

Putting $$$ to It: Can You Quantify Your Risk?

As Sir Arthur Conan Doyle stated . . .

“It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”

Data is critical to risk management, and the more objective and quantitative the data is, the more value risk management provides to the risk owners in the business.

Organizations take risks all the time but fail to quantify these risks effectively in an environment that demands an understanding of the risk exposure to objectives in order to make decisions. Too often, risk management is seen as a compliance exercise and not truly quantitative analysis that is of value to the organization’s strategy, decision-making, and objectives. A cavalier approach to risk management stuck in subjective and qualitative risk assessments leads to the inevitable failure . . . 
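Quantifying that exposure in practice, as an added example that is not from the original post or the LogicGate article it points to: instead of a High/Medium/Low rating, simulate the annual loss distribution from an event frequency and a loss-per-event distribution (Poisson frequency and lognormal magnitude, the usual FAIR-style choice), then read off the expected loss, the tail percentiles, and the probability of exceeding a loss threshold the business cares about. The rate and magnitude parameters in `demo()` are constructed for illustration, not measured figures, and all function names are introduced here.

```python
"""Monte Carlo estimate of annual loss exposure.

Added example, not from the original post. The number of events in a year
is Poisson(rate); each event's loss is lognormal(log_mean, log_sigma).
Parameter values in demo() are constructed for illustration.
"""
import math
import random
from statistics import mean


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small event rates used in risk models."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_losses(rate: float, log_mean: float, log_sigma: float,
                           trials: int = 20_000, seed: int = 7) -> list[float]:
    """One simulated year per trial: draw how many events occur, then their losses."""
    rng = random.Random(seed)   # fixed seed so a run is reproducible
    years = []
    for _ in range(trials):
        events = poisson(rng, rate)
        years.append(sum(rng.lognormvariate(log_mean, log_sigma) for _ in range(events)))
    return years


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile, q in 0..1."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1)
    return ordered[max(index, 0)]


def exceedance(values: list[float], threshold: float) -> float:
    """Probability that a year's total loss exceeds the threshold (one point on a loss exceedance curve)."""
    return sum(1 for v in values if v > threshold) / len(values)


def analytic_expected_loss(rate: float, log_mean: float, log_sigma: float) -> float:
    """Closed form E[annual loss] = rate * E[lognormal]; a sanity check for the simulation."""
    return rate * math.exp(log_mean + log_sigma ** 2 / 2)


def summarize(years: list[float]) -> dict[str, float]:
    """Expected loss plus the median and tail of the simulated distribution."""
    return {
        "expected": mean(years),
        "p50": percentile(years, 0.50),
        "p90": percentile(years, 0.90),
        "p99": percentile(years, 0.99),
    }


def demo() -> dict[str, float]:
    """Constructed scenario: about 2 incidents a year, median loss 50,000, wide spread."""
    rate, log_mean, log_sigma = 2.0, math.log(50_000), 1.0
    years = simulate_annual_losses(rate, log_mean, log_sigma)
    result = summarize(years)
    result["analytic_expected"] = analytic_expected_loss(rate, log_mean, log_sigma)
    result["p_exceed_500k"] = exceedance(years, 500_000)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>18}: {value:,.2f}")
```

The expected value is what a one-line ALE calculation would give; the p90/p99 figures and the exceedance probability are what it cannot give, and they are what a risk owner needs to compare exposure against appetite or an insurance deductible.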

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE LOGICGATE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]