360° Visibility into Policies and Policy Management

Dynamic, Disrupted & Distributed Business Requires Policies

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, employees, partners, technology, and business data encumbers organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. 

The interconnectedness of governance, risk management, compliance, and the integrity of the organization requires 360° visibility into the organization’s policies. Organizations need to see the intricate relationships of policies across the organization’s operations. It requires holistic visibility and intelligence into policies and policy management and how it impacts organizational integrity and culture. The complexity of business necessitates that the organization implements a strategic approach to policy management.

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization in establishing boundaries of behavior for individuals, processes, relationships, and transactions. When an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk; every policy is a risk document that aims to control behavioral related risks.

Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, individual processes, and assets—the organization states what it will and will not accept and defines the culture of governance, integrity, risk management, and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents. Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct.

GRC, by definition, is “a capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

  • Policies articulate the governance culture. Policies address more than how to meet legal requirements; they also drive the performance objectives of the organization. Without policies, the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make decisions and may take the organization where management does not want it to go. Governance is not taking place. Imagine an organization that did not have policies. How could it ever reliably achieve objectives as there would be no consistency in behavior, processes, and transactions?
  • Policies articulate the risk culture. This includes the establishment of risk management responsibilities, communication, appetite, tolerance levels, and risk ownership. Policies reduce bias in decision making. Every organization takes risk — it is part of the business and sometimes helps to get the business where it wants to be. Without clearly written guidance and ownership, however, risk governance will be ineffective and risk decisions will be made by each individual based on his or her personal appetite for risk. Essentially, every policy is a risk document. There would not be a policy if there were not a risk. Further, every policy must be risk-informed; the policy exists in response to a risk or anticipated risk and needs to be understood in that context.
  • Policies articulate a culture of compliance. Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies also establish the values, ethics, commitments, and ESG (environmental, social, governance) commitments of the organization. Policies, particularly policies that are enforced, provide an organization with a defensible position against the actions of rogue employees and demonstrate how the organization meets legal, regulatory, contractual, and other requirements.

In this context, policies are critical to all three aspects of GRC – governance, risk management, and compliance. Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more”. Even when well-written policies are issued, the game is not over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, and the organization can end up in hot water. An organization may develop a corrupt culture even with the right policies in place, but it cannot have a strong, effective culture without them.

Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strongly embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives. Policies must be governed, managed, monitored, and enforced so that they are both effective and efficient tools to help the organization stay on the path it chooses.

The Challenge: Hordes of Policies Scattered Across the Organization

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that policies affect every person involved with supporting the business, including internal employees and third parties. 

Many organizations struggle with:

  • Policies are managed in documents and file shares. Policies are haphazardly managed as document files and dispersed on several file shares, websites, local hard drives, and mobile devices. The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient policy training programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policies that do not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, eighth grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy. As policies establish a legal duty of care, organizations face exposure and liability from misaligned policies and from rogue policies that were never authorized.
  • Out of date policies. In most cases, a published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations to policy. The organization has no information about where a policy is breaking down, and how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process. 

If policies do not conform to an orderly style and structure, use inconsistent vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability. To be an organization of integrity and defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violations and their resolution were monitored and managed.
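The audit trail described above (which policy version was in effect on a date, who attested to it, which requirements it covers, which policies are stale or unowned) can be checked mechanically once policies live in a registry rather than scattered files. The following Python is an added illustration written for this page; it is not GRC 20/20's or any vendor's tooling. All policy IDs, owners, requirement labels and dates are constructed sample data, and the one-year review window is an assumed threshold.

```python
"""Policy registry checks (constructed illustration, not a product's own code).

Models the history the text calls for: which version of a policy was in
force on a given date, who has attested to it, which legal/regulatory
requirements it claims to address, and which policies have gone stale or
have no accountable owner. Every identifier below is made-up sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class PolicyVersion:
    version: str
    effective: date                     # date this version took effect
    superseded: Optional[date] = None   # None means it is still current
    attested_by: set = field(default_factory=set)


@dataclass
class Policy:
    policy_id: str
    title: str
    owner: Optional[str]            # None models a policy nobody is accountable for
    last_reviewed: Optional[date]   # None models a policy never reviewed
    requirements: set               # regulation/contract clause IDs it addresses
    versions: list                  # PolicyVersion objects, chronological order


def version_in_effect(policy: Policy, on: date) -> Optional[PolicyVersion]:
    """Return the version that was in force on `on`, or None if none was."""
    for v in policy.versions:
        still_current = v.superseded is None or on < v.superseded
        if v.effective <= on and still_current:
            return v
    return None


def stale_policies(policies, as_of: date, max_age_days: int = 365):
    """IDs of policies never reviewed, or not reviewed within max_age_days."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(p.policy_id for p in policies
                  if p.last_reviewed is None or p.last_reviewed < cutoff)


def unowned_policies(policies):
    """IDs of policies with no defined owner."""
    return sorted(p.policy_id for p in policies if p.owner is None)


def unmapped_requirements(policies, required: set):
    """Requirements no policy claims to cover: the gap an auditor will find."""
    covered = set().union(*(p.requirements for p in policies))
    return sorted(required - covered)


def attestation_gaps(policy: Policy, population: set, on: date):
    """People in `population` who have not attested to the version in force on `on`."""
    v = version_in_effect(policy, on)
    if v is None:
        return sorted(population)
    return sorted(population - v.attested_by)


# --- constructed sample registry (all values invented for this example) -----
SAMPLE_POLICIES = [
    Policy("POL-001", "Acceptable Use", owner="ciso", last_reviewed=date(2021, 6, 1),
           requirements={"REQ-ASSET-USE"},
           versions=[PolicyVersion("1.0", date(2019, 1, 1), date(2021, 6, 1),
                                   attested_by={"alice", "bob"}),
                     PolicyVersion("2.0", date(2021, 6, 1), attested_by={"alice"})]),
    Policy("POL-002", "Background Checks", owner=None, last_reviewed=date(2018, 3, 15),
           requirements=set(),
           versions=[PolicyVersion("1.0", date(2018, 3, 15))]),
    Policy("POL-003", "Remote Work", owner="hr", last_reviewed=None,
           requirements={"REQ-WORKPLACE-SAFETY"},
           versions=[PolicyVersion("1.0", date(2020, 4, 1))]),
]
REQUIRED = {"REQ-ASSET-USE", "REQ-WORKPLACE-SAFETY", "REQ-DATA-PROTECTION"}


def version_label_on(policy_id: str, iso_date: str) -> Optional[str]:
    """Convenience lookup by ID and ISO date string, e.g. ('POL-001', '2020-01-01')."""
    policy = next(p for p in SAMPLE_POLICIES if p.policy_id == policy_id)
    v = version_in_effect(policy, date.fromisoformat(iso_date))
    return None if v is None else v.version


def report(as_of: date = date(2021, 11, 1)) -> dict:
    """Run every check against the sample registry and return the findings."""
    return {
        "stale": stale_policies(SAMPLE_POLICIES, as_of),
        "unowned": unowned_policies(SAMPLE_POLICIES),
        "unmapped": unmapped_requirements(SAMPLE_POLICIES, REQUIRED),
        "pol001_unattested": attestation_gaps(SAMPLE_POLICIES[0],
                                              {"alice", "bob", "carol"}, as_of),
    }


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key}: {val}")
```

Run as a script it prints the four findings: two stale policies, one without an owner, one requirement nobody covers, and two people who never attested to the current Acceptable Use version. The point of the version history is that an attestation is tied to the version in force at the time, so a re-issued policy correctly shows everyone who has not yet re-attested.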

Delivering 360° Policy Management Visibility

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity. 

Organizations need complete 360° situational awareness and visibility into policies that govern the organization’s processes, operations, transactions, regulatory requirements, ethics/values, and risks. What complicates this is the exponential effect of change on the organization. Businesses operate in a world of chaos, and even a small change can cascade, develop, and influence what ends up being a significant risk exposure for the organization. Dissociated siloed approaches to policy management leave the organization with fragments of culture and control that fail to see, guide, and direct the enterprise in the midst of change. The organization needs visibility into policies and policy management consistency across the entire organization. Organizational complexity and change require that the organization implements an enterprise view of policies and policy management. 

The Bottom Line: Successful policy management requires the organization to provide an integrated strategy, process, information, and technology architecture to consistently govern policies across the organization. The goal is to give comprehensive, straightforward insight into policy management to identify, analyze, manage, and monitor policies in the context of operations, processes, transactions, and roles. It requires the ability to continuously monitor change and capture changes in the organization’s policies. As a result, organizations are measuring their current state and planning toward a future state of increased policy management maturity in the organization.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: Policy Management Maturity Model.

Have You Done your Policy Enforcement Push-ups?

I love teaching my “By Design” Workshops! This past Monday it was Policy Management by Design, my favorite of all of them, in New York City. It is great to be back live teaching these interactive workshops, and it was a great day in New York with engaged attendees from a range of organizations.

The Policy Management by Design Workshop has a lot of new content, including the Policy Management Capability Model that I worked hard on publishing with OCEG in our joint venture with www.PolicyManagementPro.com. It also includes my new Policy Management Maturity Model.

In discussing Policy Enforcement, one of the 5 components of the Policy Management Capability Model, one organization in attendance stated how they increased policy awareness and compliance by getting creative in policy enforcement. The example this person gave was in the context of their Background Check Policy. If an employee does not follow the background check policy then they and their manager have to do push-ups in front of others. That is one example of creatively building a culture of integrity and policy compliance.

In a previous workshop, before lockdowns, a global software firm stated they take their inclusion, diversity, equality, harassment, and discrimination policies very seriously. If an employee gets behind in their policy acknowledgment and required related training in these areas . . . they go to log in to their computer and they will find all they can access is the policy management portal with the policy acknowledgment and training they have to complete. Another example of policy enforcement.

This is what I love about these workshops. I can lecture and teach all day, but attendees learn from each other as much as they do from me.

Myself teaching on the Policy Management Capability Model in the New York Policy Management by Design Workshop this week.

Upcoming Workshops . . .

November 30

Enterprise GRC Management by Design – Minneapolis

Blueprint for an Effective, Efficient & Agile Enterprise GRC Program

Governance, risk management & compliance (GRC) is something an organization does and not something an organization buys. GRC, done properly, is what is achieved throughout the business and its operations. By definition, GRC is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.” This requires that GRC needs […]

December 2

Compliance Management by Design – New York

Blueprint for an Effective, Efficient & Agile Compliance Management Program

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Complicating matters, today’s organization is dynamic and constantly changing. The modern organization adjusts by the minute. New employees come, others leave, roles change. […]

March 10 

Risk Management By Design Workshop – New York

Risk is pervasive throughout business strategies, operations, and processes. Siloed approaches to risk management leave the organization not seeing the big picture of risk. The reaction is often to centralize risk management which forces different areas of the organization into a one-size-fits-all risk management model that fails to adequately manage and monitor risk. Defining strategy, […]

Hybrid Working: What About the Risk?

I have been a remote and hybrid worker for twenty-five years. It has been and remains my professional life. I work out of my home office (though I do have a rental office space I can use for when I need seclusion). It takes a lot of foresight to manage the risks as I have a lot of clients and their sensitive data.

In my recent travels across Europe (London, Paris, Copenhagen, Zurich) and the USA (Chicago, New York) this past month, the conversation has often turned to the risks of the hybrid work environment. To address employees’ desires, demands, and needs as a result of the pandemic and provide a future of flexibility, many organizations are offering a hybrid option or complete remote working. For many organizations, this has been a quick reaction without really thinking it through carefully.

For your consideration, consider the following risks . . .

  • IT/cyber/information security. This is the first thing that comes to mind, but it should not be the only thing. Careful attention has to be paid to the security of the remote office. My home office is filled with connected devices: speakers, exercise bikes, wall outlets, televisions, even my blender in my kitchen. If any of these devices has a back-door or trojan-horse installed (think SolarWinds for a current reality) it could compromise the home office environment. Careful attention needs to be paid to the home office security and the business devices and connections of the remote office. This is a no-brainer.
  • Physical security. This is often neglected. What about the security of the physical environment? What sensitive conversations can be overheard on the phone, conference calls, Zoom meetings, and more? Can that spouse, partner, roommate overhear things they should not be privy to? Are screens protected? Physical documents, are they secure and even locked up when not being used? This is a serious concern that many organizations have not looked into.
  • Where is work being done. This ties into the first two bullets. In a hybrid and remote work environment employees can work from anywhere. I am in a coffee shop writing this blog right now. What sensitive business or client/customer information on calls can be overheard by strangers, potentially competitors? What can be seen on screens and other devices by strangers? I look around and I can see three laptop screens and their information from just a casual glance up from my cup of coffee right now.
  • Conduct. As we moved to Zoom/online meetings because of the pandemic we saw a huge spike in conduct issues. People are working from home. They may be wearing their dress shirt in the video, but are wearing their pajama bottoms under the desk. They feel relaxed and casual. They end up saying things in business meetings that cross the lines of harassment and discrimination, things that would never be allowed in the corporate office and conference rooms. But since they are working from home they feel different rules apply.
  • Culture. This brings us to culture: how do you develop and maintain a strong corporate culture in a remote and hybrid environment? This will require extra nurturing, fostering, and development. Employee engagement and interaction is critical.
  • Fatigue. Zoom/video conference fatigue is a reality. People start losing focus in online meetings after one hour and are completely checked out in two hours. Organizations need to restructure how they plan meetings, particularly frequency and length.
  • OSHA and physical health and safety. A lot of attention has been placed on creating healthy work environments for the physical health and well-being of employees. With employees working from home, how do we ensure that these are physically healthy environments?

Organizations need to clearly write, communicate, and enforce their hybrid work policies and procedures to address these risks. There should be a single central portal for all of the organization’s policies and procedures that are contextually relevant to the employee’s role/function, so that each employee sees the policies related to their job and responsibilities. All remote/hybrid-work-related policies should be tagged and grouped so employees can easily find them. These include security, home-office/remote-work conduct, health and safety, home-office expense, and other related policies. Organizations should develop training for remote and hybrid work and require that all employees undergo this training annually.

Consideration of all of these risks and related policies also needs to be applied to the extended enterprise. Brick-and-mortar walls do not define the modern organization in a remote and hybrid-work world, and neither do traditional employees. Your contractors, consultants, outsourcers, service providers, and even temporary workers may also be working remotely. These risks impact your third-party relationships as well and need consideration.

These are the risks that employers should consider and address when developing their remote and hybrid work-related policies. However, I have been encountering employee concerns about the risk of what the company may do in the future. If remote working is allowed, will they then take the next step to reduce costs and allow off-shore remote working?

Risk Management Lessons from Denmark

October was a great month! Business travel is back and I had a backlog of in-person engagements across London, Paris, Copenhagen, Zurich, and New York. It is good to be back on the road and meet people around the world in the context of my research into governance, risk management, and compliance (GRC) challenges organizations face and how they solve that with strategy, process, and technology.

On this series of trips, I finally got to my ancestral homeland of Denmark (30 to 40% Danish, and the source of my last name). In all of my travels around the world over the past several decades . . . this was my first trip to Denmark (Copenhagen). My paternal grandfather came from Denmark. I am told that I have a great uncle that was a leader in the underground railroad in Denmark helping the Jews escape Germany. I am also told that one of my ancestors was the inventor of the Danish hot dog cart on street corners. So I was anxious to see this part of my ancestral homeland as I presented my research on the top GRC drivers and trends for 2021 and into 2022 to risk management and compliance executives at Scandinavian companies.

What struck me in my visit to Denmark was the culture of trust and thus the culture of risk management and control. Denmark prides itself on being a society of trust. This is evident in their business environment as they have a fairly low rate of fraud and wrongdoing.

This culture of trust is also evident in their mass transit. I took the train into downtown Copenhagen. I purchased a ticket for the train but was able to walk right on board without going through any gate or presenting the ticket to anyone. There was no turnstile. Nothing of the sort. On the way back to the hotel I took a taxi so I could see more of the city. I asked the taxi driver about this, and he explained it was part of their culture to trust. Danish people will do the right thing and there is a very low occurrence of abuse of the system. In fact, he stated that it would cost more to put in controls and validate tickets than what they would recover in abuse.

Two things to consider in this context . . .

  • Risk and trust culture. The Danish people have built a positive culture of trust that impacts their risk culture. I am curious in researching how this has developed over time and what brought them to this strong, positive culture.
  • Cost of controls related to risk exposure. The Danish people understand their risk exposure, in this case very little, and decided that risk acceptance is the best path forward and not further controls to mitigate risk. They realize that the cost of controls to enforce honesty on the few perpetrators is greater than what they would recover.

The key element here is that the culture of trust is critical. I do not think you could eliminate turnstiles and related controls in mass transit in the USA, United Kingdom, and many other places I visit. There would be too much abuse of the system, and the cost of controls would be justified by the enforcement they provide. Denmark can do this because it has developed and nurtured a culture of trust where this works.

In our organizations, the key question is how can we improve our culture of trust and risk management? Also, there may be certain areas where you have controls that do not make sense. The cost of controls may outweigh the value they preserve and protect.

ESG – It’s Time to Up Your Game

Why Every Organization Should be Focusing on ESG

I recently wrote an article for Aravo’s new publication, Risk & Resilience. Their inaugural issue focused around the important topic of ESG, and is jampacked with great thought leadership content from a variety of experts and perspectives. I invite you to read the article I included below, but also to check out the publication as a whole and learn from the great thought leadership included.

ESG – Environmental, Social, Governance – is a dominant focus in organizations right now getting board-level scrutiny and attention. Organizations around the world and across industries are challenged to define, implement, and report on ESG. These pressures are coming from all directions: investors, customers, employees, regulators, and activists. The reality is that ESG has teeth, and organizations must do something about it.

Previous iterations of ESG were Corporate Social Responsibility (CSR) and Sustainability. These were often passed around the organization like a hot potato and often landed in the lap of marketing as a branding exercise. This is not the case with ESG; the risk exposure to the organization is too great. I find that the Corporate Compliance and Ethics Officer (CECO) is the most common role leading the coordinated/federated ESG strategy in the organization. The goal is to be an organization of integrity to ensure that the values, ethics, statements, commitments, relationships, and transactions are a reality in practice, process, relationships, and transactions.

However, understanding ESG is complex. What is happening in organizations is like the parable of the blind men and the elephant. One blind man touches the tail and thinks it is a rope, another touches the body and feels a wall, and another touches a leg and says it is a tree. The same is happening with ESG as different functions/departments see what impacts them. Some focus on the E for the environment and think that is the most important since it leads the acronym ESG. Others are focused on the S, and others the G. All three are critical and intersect with each other.

As a guide, but not exhaustive, ESG covers:

  • Environment. Climate change, natural resource utilization, pollution and waste, biodiversity, certification, carbon footprint/emissions.
  • Social. Child labor, forced labor, socio-economic inequality, privacy, personal data use, diversity, inclusion, working conditions, health and safety, product liability.
  • Governance. Corporate governance, fraud, anti-bribery and corruption, anti-money laundering, internal controls over financial reporting, security, corporate conduct and behavior, anti-competitive practices, tax transparency, ownership, and structure.

The reality is that ESG does not start and stop with traditional brick-and-mortar walls and employees. To address ESG requires that organizations address ESG in the context of the extended enterprise of third-party relationships.

Martin Luther King Jr stated, “Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” This statement is true in our individual relationships, and it is true in an organization’s relationships in the extended enterprise in the context of ESG.

That is because the structure and reality of business today have changed. It is not the same as it was a few decades back. The modern organization is supported by an interrelated structure of business relationships. It is an interconnected and interdependent web of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, and others. Business today relies and thrives on third-party relationships; this is the extended enterprise, and it is the challenge of business today to manage ESG across these relationships.

The saying “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization in the context of ESG. The ability of the organization to act with integrity in the context of ESG, comply with investor and regulatory requirements, and ensure that ESG commitments and values are followed through in relationships is no easy task. The actions and behavior of these third parties impact and shape the reputation and brand of the organization. Their risk issues are the organization’s risk issues.

Third-party risk programs are about to change significantly. In the past, there was a dominant focus on information security and privacy risk in these relationships. They were also fragmented: different departments monitored and managed their silos of risk without seeing the big picture of risk across a third-party relationship. This is changing. The focus on ESG is restructuring how organizations define and manage risk in the extended enterprise.

In particular, there is pending legislation with an expansive scope that is expected to be passed this summer: the EU Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence, alongside Germany’s corresponding Corporate Due Diligence Act.

These laws are more than reporting requirements; they will have teeth. They are not like the United Kingdom Modern Slavery Act and California’s Transparency in Supply Chains Act. These new laws are expected to have significant enforcement penalties and sanctions and large administrative fines (similar to anti-trust and GDPR fines). They require thorough and continuous due diligence of third-party relationships in the context of environmental practices, social and human rights, and governance to address corruption. 

This is going to fundamentally change and restructure third-party risk management (TPRM) programs to address ESG in the extended enterprise. Organizations need to move beyond scattered silos of third-party risk oversight to create an integrated third-party governance program that addresses ESG throughout the extended enterprise. This unifies a single approach to govern ESG in third-party relationships and delivers a 360° contextual awareness of ESG risk in relationships.

The writing is on the wall: organizations need to fundamentally change how they approach ESG internally and across the extended enterprise. Organizations should start defining an integrated strategy for ESG to address these forthcoming requirements and stakeholder demands in a unified and consistent approach.

Thank you again for reading my contribution to Risk & Resilience! Again, I invite you to explore other great articles and interviews in the publication to gain a well-rounded understanding of ESG’s importance.

Are You Headed to a Risk Management Clusterf***?

Yes, you read that correctly. Anyone who knows me knows that I am not inclined to use profanity casually. The reality is that this term, clusterf***, is a technical term.

The term has its roots in the Vietnam War, perhaps earlier. It describes a situation where there is a lot of top-down strategy (high-level officers/brass) but not enough on-the-ground information. Things look good from a strategic plan on paper, but the realities of on-the-ground operations are not appropriately considered.

Clusterf*** describes a concern I have for the trajectory of risk management strategies in organizations today. In the past, various departments did their own on-the-ground risk management without any strategic direction. In the last few years, we have seen a shift of focus, propelled by some leading risk luminaries, to a top-down strategic planning view of risk in the context of performance, objectives, and strategy. This is a good thing, but I feel organizations may overcorrect, swing the pendulum too far, and adopt a top-down view of risk at the cost of neglecting an understanding of risk down in the organization’s operations.

Focusing just on the top-down view of risk can lead us to disaster. It is like the butterfly effect in chaos theory, where the flutter of the butterfly’s wings in The Netherlands makes tiny atmospheric changes that can influence the development and path of a hurricane in the Gulf of Mexico. The lesson is that the little things matter as much as the strategic things.

While some of my peers seem to argue for a complete top-down view of risk . . . I state we are then headed for a risk management clusterf***. What is needed is a balance that brings together a top-down view of risk in the context of performance, objectives, and strategy management and a more traditional view of operational risk management down in the bowels, behavior, transactions, processes, and relationships of the organization.

Semantically, this is how I differentiate ERM (enterprise risk management) and ORM (operational risk management). ERM is about the top-down strategic view of risk aligned with the organization’s performance, objectives, and strategy. ORM is focused on risk in the operations, processes, and activities of the organization. ORM is part of ERM, but ERM includes strategic risk management, capital/liquidity/finance risk management, as well as operational risk management.

Good risk management will understand risk from a top-down view that is aligned with and integrated into performance and objectives. But it will also include a bottom-up view of risk in the processes and operations of the organization. We need a balance of both to avoid a risk management clusterf***.

Aligning Risk & Performance Management will be the discussion we will have this week on The GRC Red Flag Series, where I will be interviewing executives from Corporater as well as Soenke Thun, the Vice President Group Risk Governance at Deutsche Telekom, on how to align risk management with performance management while also maintaining a strong view of risk down in the operations of the organization.

Policy Management Maturity: Journey to an Agile Policy Management Program

Successful policy management requires the organization to provide an integrated strategy, process, information, and technology architecture to consistently govern policies across the organization. The goal is to give comprehensive, straightforward insight into policy management to identify, analyze, manage, and monitor policies in the context of operations, processes, transactions, and roles. It requires the ability to continuously monitor change and capture changes in the organization’s policies. As a result, organizations are measuring their current state and planning toward a future state of increased policy management maturity in the organization.

Mature policy management is about delivering policy that minimizes the perception of getting in the way of business and becoming a part of business, organization change, and the culture of the organization. There is an element to policies that will always be inhibitive, but the right approach overcomes this by delivering well-defined processes and an engaging policy user experience that aligns with the needs of employees, integrates with organization systems, and delivers relevant policy content when needed wherever it is needed. 

This means maturing a connected view of policy management that automates processes and makes them more efficient, effective, and agile. This in turn enables organizations to leverage policies to ensure the integrity and culture of the organization align with its mission, vision, obligations, and values. Well-defined processes and technology for policy management make it easier to ensure policies are written, maintained, and communicated consistently across the organization.

Lacking an integrated view of policy management results in business processes, services, employees, and systems that behave like leaves blowing in the wind. An integrated and mature policy management strategy with common processes, information, and technology gets to the root of the problem. Leading organizations adopt a common strategy, framework, architecture, and shared processes to manage policies, increase efficiencies, and be agile to business, risk, and regulatory change. Mature policy management delivers better business outcomes because of stronger policy governance and improved culture and control in the context of the organization and its processes and objectives, which will:

  • Lower costs, reduce redundancy, and improve efficiencies.
  • Deliver consistent and accurate policy in context of the business.
  • Improve decision-making and insight into what is acceptable and unacceptable behavior.
  • Enable the organization to defend itself with a robust policy audit trail designed to mitigate risk and ensure the integrity of the organization.

Five Stages of Policy Management Maturity

Mature policy management is a seamless part of governance and operations. It requires a top-down view of policies starting with the code of conduct and filtering down into division, department, process, and asset-related policies as well as the risks, regulations, standards, procedures, and controls mapped to those policies. Mature policy management will be consistently led by the executives and the board and become an integrated part of the fabric of business operations and processes – not an unattached obscure layer of scattered documents on file shares and internal websites. It also means bottom-up participation, where business functions understand policies in the context of their roles and responsibilities. GRC 20/20 has developed the Policy Management Maturity Model to articulate maturity in the policy management processes and provide organizations with a roadmap to support acceleration through their maturity journey. 

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

Download the latest GRC 20/20 Research Report on the Policy Management Maturity Model . . .

Register for the webinar on Understanding the Journey to Policy Management Maturity . . .

Register for the next Policy Management by Design Workshop in New York on November 15th . . .

Access the Policy Management Capability Model and become a Certified Policy Management Professional . . .

Putting $$$ to It: Can You Quantify Your Risk?

As Sir Arthur Conan Doyle stated . . .

“It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”

Data is critical to risk management, and the more objective and quantitative the data is, the more value risk management provides to the risk owners in the business.

Organizations take risks all the time but fail to quantify these risks effectively in an environment that demands an understanding of the risk exposure to objectives in order to make decisions. Too often, risk management is seen as a compliance exercise and not truly quantitative analysis that is of value to the organization’s strategy, decision-making, and objectives. A cavalier approach to risk management stuck in subjective and qualitative risk assessments leads to the inevitable failure . . . 

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE LOGICGATE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Doctor Strange: Chief Risk Officer in the Multiverse of Uncertainty

Last week I looked at James Bond 007 and Risk Situational Awareness where we explored how organizations need to be like James Bond and have full situational awareness of risk and uncertainty to objectives. This week we keep on the fictional hero theme with a look at Dr. Strange who is the representative of the ultimate CRO – Chief Risk Officer – managing a multiverse of uncertainty . . . 

Doctor Strange is one of the most intriguing characters in the Marvel pantheon of heroes. His powers are diverse. They include his superior intelligence (as well as great martial arts skills), some control over time and outcomes through time loops, and the ability to see into possible futures, giving him visibility into the multiverse of possible futures and realities.

This makes Doctor Strange the ultimate prototype of the Chief Risk Officer. Risk, as defined in ISO 31000, is the effect of uncertainty on objectives. It is the job of the risk professional to manage and monitor uncertainty to objectives. So, the ultimate Chief Risk Officer is the one who can provide insight into the future and the variety of scenarios that can play out from the actions, activities, external events/developments, and transactions of the organization as it moves forward to achieve its objectives. Those objectives can be high-level entity strategic objectives, or they can be division, department, process, project, or even asset-level objectives.

The modern Chief Risk Officer sees into the multiverse of possible futures and realities of the organization and its objectives. Like Doctor Strange, the Chief Risk Officer understands possible futures to determine how they impact the achievement of the organization’s objectives. This includes the ability to understand what leads to those possible futures and what the best route forward is for the organization to optimize value and achieve objectives.

This requires that the modern Chief Risk Officer have these Doctor Strange super abilities:

  • Superior intelligence. From my perspective this means that the risk professional needs to be able to enhance left-brain thinking (structured risk models) with right-brain thinking (being able to think creatively and intuitively about risk). Both together provide great risk insight into uncertainty and possible outcomes. 
  • Insight into possible futures. This involves strong scenario analysis to pattern and analyze future scenarios of how objectives and risks play out in the context of uncertainty, to determine the best path forward for the organization.

Of course, both elements are enhanced through structured risk information and quantitative risk analysis and data, supported by good risk visualization and perspectives. That is why I am a particular fan of both Monte Carlo risk analysis and bow-tie risk analysis.

Unfortunately, the one ability that Doctor Strange has that the modern Chief Risk Officer does not is the ability to use time loops to go back and correct wrong decisions and errors. So, it is critical that the risk function has solid risk intelligence and scenario analysis.

I will be exploring the role of risk management in the performance and objectives of the organization in this month’s episode of The GRC Red Flag Series, where we will discuss Aligning Risk and Performance/Objective Management.

James Bond 007 and Risk Situational Awareness

I am so excited about this evening! After a long wait, I am going to the new James Bond 007 movie, No Time to Die! I am making it a big deal. A group of 12 of us are going to the nice Silverspot Cinema that is amazing, with an incredible lounge area. I am dressing up in my black tuxedo, my wife is going to wear an evening gown and be a Bond girl (her choice for those that don’t like the stereotype). We are going to get a vodka martini in the lounge before the movie and enjoy the film. It is going to be a lot of fun, I wish each of you could be there with us.

James Bond is all about risk management. Situational awareness of opportunity, uncertainty, and hazards. He understands and interprets everything around him to leverage and use to his advantage.

Today’s organizations need James Bond risk situational awareness. Risk situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the organization because of the complexity and intricacies of risk management.

Let’s step back and look at what risk management is. If we use the ISO 31000 definition of risk: Risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. What is James Bond’s objective? What can help him in achieving those objectives? What can hinder him from achieving those objectives? What is he confident in? What is he uncertain of?

The same questions and thought processes can be asked of the organization and its objectives. In the business world, we have all sorts of objectives. They can be strategic entity-level objectives for profit, growth, and expansion. They could be division or department objectives. They can then drill down into process, project, or even asset-level objectives. We need to understand and manage risk (uncertainty) in achieving those objectives.

The business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect,’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades and influences what ends up being a significant issue. Change in one area has cascading effects that impact the entire ecosystem. Dissociated risk information leaves the organization with fragments of truth that fail to see the big picture of performance, objectives, and risk/uncertainty across the enterprise. The organization has to have holistic visibility and 360° risk situational awareness into risk.

Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential, and sometimes chaotic, relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, the effect is proportional to the cause; in the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result ranges from exponential to unpredictable.

Situational risk awareness enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling. 

Organizations striving to improve their GRC management capability and maturity will find they are more:

  • Aware. They have a finger on the pulse of the business and watch for a change in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
  • Aligned. They align performance, risk management, and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated risk capability to those of the entity and giving strategic consideration to information from the risk management capability to affect appropriate change.
  • Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organization needs to know to make the right decisions.
  • Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Risk management enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
  • Resilient. The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary to adapt and respond to opportunities rapidly.
  • Efficient. They build business muscle and trim the fat to rid themselves of the expense of unnecessary duplication, redundancy, and misallocation of resources, making the organization leaner overall with enhanced GRC capability and better decisions about the application of resources.

Stay tuned for next week as we look at Dr. Strange, the Chief Risk Officer in the Multiverse of Uncertainty . . .