Category: Blogs

2020 was certainly a year for the history books. While it has been a roller coaster that moves on into 2021 now, it certainly had a lot of impact on governance, risk management, and compliance (GRC) strategies, processes, and technology. The keywords for 2021 are integrity and resiliency. Organizations are seeking to increase organizational integrity that they live up to their ethics, values, commitments, and obligations in the midst of uncertainty. They are also looking to increase business and operational resiliency. I see both the terms business and operational resiliency used a lot, they are different but related. Business resiliency is the resiliency of the organization’s strategy, finance/treasury position, and operations. Operational Resiliency is that last piece in business resiliency: operations. Operational resiliency is looking at the risk and resiliency of the organization’s processes, functions, systems, and third party relationships.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2020 organized by topic area. However, it is critical that I refer to three research articles from the last few months of 2019 as they have been referred back to over and over again as foresight from GRC 20/20 into what the year 2020 brought us. These are:

• Navigating Chaos
• GRC 4.0 – Agile GRC in a Dynamic & Disrupted Organization
• Tale of Two Futures: Blade Runner or Star Trek?

Now let’s look at GRC 20/20’s 2020 Research Year in Review. As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process.

Enterprise GRC and the Broad GRC Market

This starts with GRC 20/20’s flagship annual research briefing that defines, segments, sizes, and forecasts the broad GRC market and its various individual segments:

• 2020 State of the GRC Market: Analysis, Sizing, Forecasting & COVID-19 Impact

Other Enterprise GRC research publications that GRC 20/20 led in 2020 are:

• OCEG GRC Maturity Survey 2020 Report
• GRC Pundit Podcast: ING GRC Orchestrate Project
• Engaging GRC to the Front-Office, and Not Just Back-Office Functions
• Role of Business Proces Modeling in GRC Requirements
• Managing Integrity Through GRC Engagement of Employees
• Delivering 360° Contextual Awareness of Your GRC Program
• Keep Calm & GRC On!
• Forrester GRC Wave = Tsunami of Confusion
• How Mature is Governance, Risk Management & Compliance (GRC) in Your Organization?​​​​

Corporate Compliance & Ethics Management

• Chief Ethics & Compliance Officer (CECO) SWOT Analysis
• Disclosure Management: Comparing Compliance Solutions
• Delivering on Agile Compliance in Dynamic Business
• Efficiency & Agility in Accountability Compliance – SMCR, BEAR, SEAR, MIC, GIAC
• How to Tie a Compliance & Ethics Bow Tie
• Agile and Integrated Compliance: Managing Compliance in Dynamic Business
• Next Generation Corporate Compliance & Ethics Architecture
• Driving Efficiency into Compliance & Ethics Processes: Time Saved = Money Saved
• Compliance & Ethics is Rapidly Evolving
• Centralizing Compliance and Ethics Communications in a Time of Crisis
• 7 Habits of a Highly Effective Privacy Compliance Program
• UK SMCR: Trekking Up the Mountain

Enterprise & Operational Risk Management

• Being Unprepared for the Crisis Does Not Make it a Black Swan
• Rethinking Risk Management RFP Requirements
• The Pandemic & the Dominos of Risk Interconnectedness
• Effective Risk Management in Context of the Pandemic
• GRC Supper Club: Operational Resiliency and the Interconnectedness of Risk
• Managing Risk Creatively & Structurally
• GRC Pundit Podcast: Toni Villanen of Majid Al Futtaim
• Managing Risk in Dynamic & Distributed Business
• avedos risk2value
• Protecht.ERM

Policy Management

• Policy Management Illustrated ebook
• Next-Generation Policy Management: Collaborative Accountability
• Why Policies, and Policy Management, Matters
• Policy Engagement In A COVID & Post-COVID World
• Policy Management and Remote Work: Adapting to the New Normal
• Communicating Policies in a Time of Crisis

Third-Party (e.g, Vendor/Supplier) Management

• Value of a Third Party Assessment
• A Business Case for Integrated Third-Party GRC Across the Extended Enterprise
• Ensuring Integrity in the Extended Enterprise
• At the Cross-roads: A Tale of Four Third Party GRC/Risk Management Roads to Travel
• Why Third-Party 360° Situational Risk Awareness is Needed Now More Than Ever
• Third Party GRC vs Third Party Risk Management

Corporate Legal Management

• Legal GRC Management by Design
• Operationalizing GRC in Context of Legal & Privacy: the Last Mile of GRC

Privacy Management

• Privacy, Pandemics, and Business Change…OH MY!!!
• Operationalizing GRC in Context of Legal & Privacy: the Last Mile of GRC

Internal Control Management

• Greenlight Business Controls Automation
• 360° Control Automation, Monitoring & Enforcement

IT Risk Management

• A New Framework for Defining and Approaching Information Governance
• SaltyCloud Isora

At times I can sound like a broken record – repeating myself over, and over, and over, and over again, and again, and again.  One of my prominent soapboxes over the past two decades has been the failure of spreadsheets, documents, and emails to assess, audit, manage, and monitor governance, risk management, and compliance (GRC) processes.

Yes, I acknowledge that Microsoft is the largest GRC software vendor on the planet with Word, Excel, Outlook/Exchange, and Sharepoint.  However, these tools, and their counterparts from Google and others, make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate principles of GRC.  They are very useful tools.  I use them everyday in my business, but for managing GRC information they – by themselves – do not meet par.

In fact, after two decades of screaming and preaching from my GRC soapbox, I hear that the regulators are cracking down.  I am in the process of substantiating this, but I have heard from a few sources that the U.S. financial services regulators are now stating that using documents and spreadsheets for audits and risk/compliance assessments (by themselves without additional tools to enhance them) are not acceptable.

The reasons documents, spreadsheets, and emails fail for GRC are as follows . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE TRUOPS BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

At its core, GRC is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. GRC is something organizations do, not something they purchase. They govern, they manage risk, and they comply with obligations. However, there is technology to enable GRC related processes, such as legal and privacy, to be more efficient, effective, and agile.

However, too often the focus on GRC technology is limited to the process management of forms, workflow, tasks, and reporting. These are critical and important elements, but the role of technology for GRC is so much broader to operationalize GRC activities that are labor intensive, particularly in the context of legal and privacy. Simply managing forms, workflow, and tasks are no longer enough. Organizations need to start thinking how they can integrate eDiscovery and data/information governance solutions within their core GRC architecture.

What is needed is the ability to search, find, monitor, interact, and control data throughout the business environment. GRC platforms are excellent at managing forms, workflow, tasks, analytics, and reporting. But behind the scenes there are still labor-intensive tasks or disconnected solutions that actually find, control, and assess the disposition of sensitive data in the enterprise. eDiscovery and information governance solutions have been disconnected and not strategically leveraged for GRC purposes. Together, the core GRC platform that integrates with eDiscovery and information governance technologies builds exponential economies in . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Compliance disclosures are a critical element of an organization’s compliance and ethics management program. The organization requires structured approaches to managing disclosures such as conflicts of interest, and a way to address compliance related forms and processing for gifts, entertainment, and travel or facilitated payments. This requires the ability to intake information, route it for review and approval or denial, document exceptions, and provide a strong defensible system of record of the entire process.

The traditional approach to disclosure management has been manual processes involving print or electronic forms that thread compliance disclosures, like conflicts of interest, through time-consuming manual processes where things often get missed, slip through cracks, or mistakes are made. Manual processes or older software treat disclosures as static entities, making it difficult, if not impossible, for employees to access or update previously filed disclosures. This results in static disclosures that are filed and forgotten, rather than living documents that contain accurate, up-to-date insight into relationships and their potential impact on the business.

The next phase of disclosure management

There is a growing demand for compliance disclosure management solutions that can be more dynamically managed to address Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas of compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

One of the greatest challenges to organizations today is managing the extended enterprise; the web of third-party relationships that support the business and its operations. The integrity of the organization is no longer defined by traditional brick and mortar walls and employees. The integrity of the organization requires continuous monitoring and control of the governance, risk management, and compliance of third-party relationships.

I argue that we should stop calling this area vendor risk management, or third-party risk management. What is needed is third-party GRC that is integrated across the business. I define third-party GRC (modifying the OCEG GRC definition) as:

Third-Party GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in each of the organization’s third-party relationships across the extended enterprise.

There are two primary items missing from traditional vendor and third-party risk management:

1. Governance. Third-party governance involves ensuring that the organization reliably achieves the objectives of each relationship. You cannot manage risk in a relationship without clearly understanding and defining the objectives of the relationship. In fact, the official definition of risk in ISO 31000 is that risk is the effect of uncertainty on objectives. Every relationship is established for a purpose. The most fundamental element of managing risk in a relationship is if we are achieving those objectives and measuring the uncertainty of achieving the objectives. You cannot do third-party risk management without starting with governance first.
2. Integration. Too many vendor and third-party risk management programs are focused on silos of risk. IT security is looking at security in third-parties, privacy is looking at similar things related to personal information, but compliance is looking at conflicts of interest and anti-bribery and corruption, procurement is looking at reliability and viability of suppliers and vendors, legal may be looking at intellectual property protection and contracts, ESG/CSR is looking at human rights and ethical sourcing, or perhaps conflict minerals, quality is looking at the delivery of goods and services to requirements, EH&S is looking at traceability of components and environmental impacts, business continuity is looking at resiliency in third party relationships. Everyone has their view, but no one has a complete view of objectives, risk, and integrity in and across these relationships. For the most part, too may vendor and third-party risk management programs are exclusively fixated on IT security and privacy and not the range of other risks in these relationships.

What is needed is a federated strategy that brings 360° contextual insight into each relationship. We need to see the big picture of achieving objectives in the relationship while addressing risk and compliance. This involves a cross-department strategy to holistically address third-party GRC. A strategy that provides a framework, process, and information/technology architecture that allows greater insight into third-party GRC across procurement, IT security, privacy, legal, compliance, ethics, ethical sourcing, resiliency and continuity, and more. Where the organization can get a complete report card on the performance, risk, and integrity in each of its relationships to ensure they are doing business with the right entities and achieving objectives in the relationship.

What the organization has implemented for client relationship management (CRM) systems, we need a similar collaborative approach to managing the other side of the organization, the extended enterprise. Where CRM systems allow marketing, sales, and service and support to get a 360° view of clients and their interactions/transactions with the organization, the same is needed with third-party management to get a complete view of third-parties.

How do you get there? Here are some simple steps:

1. Understand your current state. Inquire and find all the departments, functions, roles that have a stake in some element of third-party GRC in the organization. Find how they are approaching this, what is working well, and what is not.
2. Define your future state. This involves developing a charter for third-party GRC to get distributed groups to work together and from there define a strategy, process, and architecture for where you want to be in three years.
3. Build a business case. Measure the value the organization will achieve for an integrated and collaborative view across third-party GRC. Define how this will make the organization more efficient (e.g., time saved, money saved), more effective (e.g., complete view of delivery/objectives, continuous monitoring of risk, stronger relationships), and more agile (e.g., keeping up with change, being responsive to and containing issues).
4. Start your journey. Take things in stages, break down the project plan, and start delivering on this vision.

Happy to share resources and information on this. I teach a full-day workshop on Third-Party GRC by Design and have written and advised extensively on this journey.

Organizational exposure to compliance risk is rising while the cost of compliance soars. Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with obligations and value. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance management boils down to defining – and maintaining – corporate integrity.

However, compliance is not easy. Organizations are complex and dynamic. The modern organization changes by the minute or even second. The organization can go from a state of compliance to non-compliance in a blink of an eye. Processes change. Technology changes. Employees change. Business relationships change. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and other obligations?

To maintain compliance, an organization must . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CURA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Accountability is More Than Responsibility

There is a difference between accountability and responsibility. An individual or organization can outsource or delegate responsibilities, but one cannot do so with accountability. To address the breadth of compliance and ethics failures, as well as risk management, in financial services there have been a growing array of accountability regulations sweeping the world.

It all started with the United Kingdom’s Senior Manager Regime & Certification Regime (UK SMCR). This put accountability on senior management functions (SMFs) for failures in risk, compliance, control, and ethics. If there is willful wrongdoing these SMFs can go to jail. If there is negligence or lack of due diligence in compliance, risk, control, or ethics these SMFs can be personally fined from their personal bank accounts. This framework has sped around the world in Australia’s Banking Executive Accountability Regulation (BEAR), Ireland’s Senior Executive Accountability Regulation (SEAR), Hong Kong’s Managers in Charge Regulation (MIC), and now the stringent requirements in Singapore’s Monetary Authority’s Guidelines on Individual Accountability and Conduct (GIAC). These regulations have a global impact, I have talked to several financial services headquartered in the USA that are struggling with compliance with accountability regulations as they have operations in these countries.

I am a J.R.R. Tolkien fan, so I have characterized accountability regulations as the one ring in Tolkien’s Lord of the Rings. It is the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them. Accountability regulations are the uber regulation that puts the sharp teeth of personal accountability to enforce other regulations and ethical practices. I will be presenting on this in the webinar Escaping the SMCR Quagmire.

There are various stages of compliance. In the context of UK SMCR (noting there are other regimes I have mentioned) solo-regulated firms are just coming into the spotlight. Larger firms have been dealing with this for the past few years but at various stages. Even these large firms have a looming requirement coming up (postponed by the FCA from December 2020 to March 2021) to communicate conduct rules (which are policies) to all employees (except ancillary staff like receptionists and caterers). This requires communicating a policy(ies) to every employee and documenting communication (e.g., attestation). Already these firms have had to document SMFs, certify staff, get approval from regulators, and regularly communicate conduct rules to SMFs and certification staff. Now it extends to all employees (except ancillary staff).

Making Accountability Compliance Efficient, Effective, and Agile

What is becoming apparent is that the ongoing management of accountability regulations, the reporting to regulators, the certification of SMFs, the communication of conduct rules on a regular basis with documentation of communication and attestation, the definition and maintenance of accountability and responsibility maps . . . this is not going away. As financial services firms grapple with ongoing and continuous compliance they are now looking for ways to automate the process.

The approach many firms have taken to accountability regulations is very typical of other regulations, such as when Sarbanes Oxley first hit us in 2002. For the first year or two firms use manual processes involving lots of documents, spreadsheets, and emails. Then as they build their process, address compliance, and realize that this obligation for oversight and reporting is not going away but continuing, they then start to look for technology to automate the process and make it more efficient, effective, and agile. The regulators also crackdown as the audit trails (system of record) are weak and not defensible in manual processes when relying on documents, spreadsheets, and emails. On top of this, business is changing minute-by-minute and second-by-second. Processes change, management changes, employees change, risk changes, regulations change. This all means that accountability compliance has to be agile in a dynamic, distributed, and disrupted business environment. Manual processes with documents, spreadsheets, and emails are cumbersome, slow the organization down, and certainly are not agile.

Technology for accountability compliance falls into three areas:

1. Solutions focused on aspects of the regulations. Organizations here look for solutions to manage and automate aspects of the regulation, but not the entire regulation. This most often is a policy management solution to communicate conduct rules and track attestations to those rules to provide a documented system of record of these communications. Think about it, if you are a firm with thousands of employees, then manually communicating, tracking, monitoring, and reporting on the communication of conduct rules becomes very time consuming quickly.
2. Solutions for full accountability compliance. These are solutions built for the regulations (e.g., UK SMCR, BEAR, SEAR, MIC, GIAC). The solutions are designed to manage the process of defining senior management/accountable functions, building responsibility/accountability maps, certifying functions and staff, reporting and interacting with the regulators for approvals of staff, and communicating conduct rules/policies to all employees.
3. Solutions BECAUSE of accountability compliance. This is the interesting one that has come up a lot this past year. These are not solutions to manage the specific requirements of compliance in the accountability regulation. These are solutions BECAUSE of the regulation. Think about it, if you are an SMF that is personally accountable for an area of ethics, compliance, risk, control – such as vendor risk, GDPR, or operational resiliency – then you will want to make sure your organization is properly managing this area and want visibility into this. After all, it is your personal bank account on the line (or possible prison time).

The good news is that technology delivers across these functions. Technology relieves the burden of ongoing compliance monitoring and reporting. It makes accountability compliance efficient in reduction of human and financial resources, more effective in a strong system of record and audit trail with fewer things sipping through cracks, and agile to keep compliance current in a dynamic business environment where risks, processes, regulations, and particularly employees such as SMFs are changing constantly. Again, I will be presenting on this in the webinar Escaping the SMCR Quagmire (which the details here can also be applied to BEAR, SEAR, MIC, and GIAC).

How is your organization approaching accountability compliance?

Information governance has become a critical objective for organizations. In the context of the pervasive use of information throughout the enterprise, operational reliance on information, and increased regulation and liability of information, organizations are building structured approaches to information governance. This is to ensure the proper collection, use, and control of sensitive information – intellectual property, proprietary information, regulated data, personal information – across the organizations. Privacy regulations such as the California Consumer Protection Act (CCPA) and the EU Global Data Protection Regulation (GDPR) are making information governance even a greater priority.

Over the years we have seen a lot of definitions for ‘Information Governance.’ From the straightforward, like . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

It is finally here! For the past year, I have been working hard with OCEG on the Policy Management Illustrated eBook. I have spent countless hours behind Adobe Illustrator working hard on doing the design, layout, concepts, and process of policy management in these illustrations in collaboration with OCEG and many other firms. Below is my lead article in the eBook (which you can download for free). Please enjoy the Illustrations I have labored on in my passion for policy management. I look forward to hearing your thoughts as you go through these.

Michael Rasmussen

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting with the policy of all policies – the code of conduct – they filter down to govern the enterprise at all levels.

GRC, by definition, is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.”

OCEG GRC Capability model

Policies are a critical foundation of GRC. When properly managed, communicated, and enforced, policies:

• Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization. Without a policy, there are no consistent rules and the organization goes in every direction.
• Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
• Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of the corporate culture. Without a policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

A policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and non-compliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecutors, and plaintiff attorneys use policy violations and noncompliance to place culpability.

An organization must establish a policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, but it cannot achieve a strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Despite the value of policy, many organizations have:

• Policies managed in documents and fileshares
• Reactive and inefficient training programs
• Policies that do not adhere to a consistent style
• Rogue and out of date policies
• Policies without lifecycle management
• Policies that do not map to exceptions or incidents
• Policies that fail to cross-reference standards, rules, or regulations

Inevitable Failure of Ad Hoc Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. If policies and training programs don’t conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever-changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The haphazard department and document-centric approaches for policy and training management of the past compound the problem. It is time for organizations to step back and define a cross-functional and coordinated team to define and govern policy and training management. Organizations need to wipe the slate clean and approach policy and training management by design with a strategy and architecture to manage the ecosystem of policies and training programs throughout the organization with real-time information about policy conformance and how it impacts the organization.

Here are some other resources:

OCEG Policy Management Resources

OCEG GRC Resources