Category: Blogs

The world has changed, business has changed. A worldwide pandemic has caused restructuring of processes, employees, and activities. It has forced organizations to look for agile ways to manage a dynamic business environment.

As organizations went into lockdown and moved employees to a work from home environment they were confronted with issues, such as:

• Reduced workforce. There were layoffs and restructuring. Business processes and roles had to adapt. Employees needed clear guidance and understanding of what is required of them as they had multiple roles and responsibilities in a different environment.
• Shifting requirements. Regulations and business strategy changed impacting the way organizations needed to conduct themselves. Policies changed to meet these requirements and address new risks.
• Increased risk exposure. The pandemic . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE METACOMPLIANCE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The value of a third-party risk management strategy

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define your organization. The modern organization is the extended enterprise: an interconnected maze of relationships and interactions that span traditional business boundaries. These relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships.

The challenge today is that issues of integrity in your extended business relationships are your organization’s issues. You stand in the shoes of your third-party relationships. Third-party integrity problems are the organization’s integrity problems and directly impact the brand, as well as reputation while increasing exposure to risk and compliance matters. Compliance and ethics challenges do not stop at organizational boundaries.

An organization can face reputation and economic disaster by establishing or maintaining the wrong third-party relationships, or by allowing good business relationships to sour because of weak governance of the relationship. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third-party partners behave appropriately.

Third party risk management challenges

Maintaining integrity across the extended enterprise is challenging, as your organization faces . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Risk management is a hot topic and focus within organizations. We are surrounded with acronyms of GRC (governance, risk management, and compliance), ERM (enterprise risk management), ORM (operational risk management), and now IRM (Gartner’s integrated risk management). We hear other terms like operational resilience, strategic risk management, and more.

Risk management strategies (pick your favorite acronym or buzzword) lead to RFPs for technology to support the risk management strategy and processes. HOWEVER, not all risk technology is created equally. Organizations need to get beyond the marketing hype of buzzwords and misleading analyst rankings to really understand if the technology can deliver on the requirements of their risk management maturity journey. This involves a clear understanding of where you are now with risk management and where you want to be. The current pandemic is demanding attention to this, which I also wrote about before the pandemic.

The problem with many risk management programs is that they struggle with documents, spreadsheets, and emails. I talked to one organization that was spending over 200 hours to build a report for the board of directors because it required them to go through hundreds to thousands of documents, spreadsheets, and emails to aggregate and report on risks and risk events. In an RFP I advised on for a mid-sized bank, they did an internal study that found that 80% of their risk management resources was nothing more than document/data reconcilers and aggregators and only 20% of the time was managing risk, they wanted to change that with a solution and did. This recent article in the BBC caught my attention in the limitations and risk exposure in using spreadsheets: Excel: Why using Microsoft’s tool caused Covid-19 results to be lost.

So organizations look for risk management solutions and get sucked in by marketing and sales hyperbole. There are basic risk management solutions that do ease the pain of human capital efficiency (e.g., time) in not having to manage documents, spreadsheets, and emails. But these are basic and typically aimed at tick-box exercise for risk management that is more of a qualitative compliance exercise and not true risk management. Mature and valuable risk management is more than forms, surveys, workflow, and tasks and requires risk quantification, modeling, analytics, and reporting that is aligned with business objectives and in the context of business objectives. It requires seeing the complex interrelationships and interdependencies of risk. The market is an interesting time right now as older solutions rearchitect to meet the demands of Agile GRC 4.0, while newer solutions are already there. 

My question to you: Can your risk management technology you have (or are considering) truly deliver on the needs and concerns of risk management.

There was a ton of interest in my recent article on the Role of Business Process Modeling in GRC Requirements. This week I turn my attention to risk management requirements. In 2020 I have interacted on several RFPs for enterprise and operational risk management solutions and engaged to advise on several more as we enter 2021. In addition to these formal engagements, I answer inquiry questions from organizations looking at solutions throughout every week. I am seeing a lot of activity for risk management in North America, Europe, the Middle East, and Australia right now.

In these interactions, I have found that the following requirements/functional areas for GRC, ERM, ORM, IRM RFPs are core to maturing a risk management function within an organization. If you want to build a true risk management program that goes beyond tick-box compliance exercises, then you should strongly consider:

• Performance/Objective-View of Risk. This is where risk management should start. ISO 31000 states that ‘risk is the effect of uncertainty on OBJECTIVES.’ So good risk management STARTS with performance and objective management. These can be entity-level, division, department, process, project, or even asset level objectives. Risk needs to be understood in the context of objective. I recently finished advising on an RFP for a global European firm that this became the deciding factor in their choice of a solution, and am and starting another RFP that is centered on this. It comes up regularly, but in these two situations, it was table stakes.
• Front Office Engagement. Organizations desire the depth and breadth of capabilities and complexity of risk analytics for the back-office (2nd and 3rd line) risk functions for risk modeling, analysis, mapping, and monitoring. But I am seeing increased requirements for front-office (1st line) engagement on risk ownership, accountability, and reporting. These interfaces for back-office and front-office are not the same and need to be very role/context-specific so it does not overwhelm front-office operations. I am interacting with a financial services firm right now looking specifically for this dichotomy of simple and intuitive front-office engagement on risk with the depth and analytics for the back-office.
• Risk Interrelationships. Risks cannot be understood and managed in isolation. I wrote about this last year in my article in Enterprise Risk magazine. 2020 proves this point with COVID-19. What is a health and safety risk that has an interrelated impact on performance, resiliency, third-party/supply-chain, IT security, human resources, fraud & corruption, and even social accountability and human rights risks? Organizations need to be able to map and understand risk relationships and interrelationships/dependencies. Measuring a risk exposure also requires understanding the exposures and impacts with related risks.
• Risk Aggregation & Normalization. This is a critical factor, particularly for large organization.s One department’s high-risk might be another department’s low-risk in quantifiable exposure. Departments, projects, functions want a legitimate view of risk at their operational level. Within their view of the world, they need to know what is high-risk to low-risk. But as this gets rolled into enterprise risk reporting they strong risk normalization and aggregation that is meaningful. This is one key requirement I am seeing in Germany in the context of the IDW PS 340 audit standard driving enterprise risk reporting. I had a corporate secretary for a global brand on a panel I was moderating at a conference who stated their board of directors never wants to see a heatmap from their leading IRM solution ever again because it lacked risk normalization and aggregation (don’t get me started on the issues of heatmaps, that is another blog in itself).
• Risk Frequency & Distribution. I am seeing more and more risk management programs mature to want risk frequency and distribution models, like Monte Carlo simulations. An immature approach to risk might plot risk as a point on a heat map (which has many issues), but real risk has a range of scenarios, frequencies, and impacts that need more complex modeling to analyze and understand. Organizations are looking for more advanced ways to do risk quantification and modeling. Monte Carlo simulations, Bayesian modeling, and more are becoming more frequent in RFPs.
• Risk Visualization. There is a growing demand for greater risk visualization and analytic techniques. Organizations want fresh and modern user interfaces (UX). I am seeing an increased demand for bow-tie risk analysis across industries. RISK VISUALIZATION IS MUCH MORE THAN HEATMAPS!!! This also ties back into the point above on risk interrelationships as well as risk quantification and using risk visualization to communicate and analyze.
• Cost of Ownership. Organizations are looking for Agile GRC 4.0 solutions that deliver solutions in rapid timeframes and value to the organization. They are tired of dated solutions (10 to 20-year-old code) that take a year or more to role out. For example, I am interacting with one organization looking to replace a Gartner IRM Leader that they purchased 3 years ago and still have no users on the platform. Modern solutions should be agile and have a low cost of ownership to implement and maintain.

Can your risk management technology deliver on these broader risk management capabilities? These are just some buckets of functionality that I get much more specific with in my risk management RFP requirements library.

What do you see as critical in technology to deliver on maturing your risk management strategy?

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.

E. F. Schumacher

Governance, risk management, and compliance (GRC) is as much or more the responsibility of the front-office (1^st line employees and management) as it is the back-office (2^nd and 3^rd line risk, compliance, security, control, and audit functions).

Think about it . . . risk, compliance, and control decisions are being made every day by the frontlines of the organization. The doctor or nurse in the hospital are making patient privacy and safety decisions; the teller at the bank is making decisions on fraud, customer privacy, security, and money-laundering; the miner in the coal mine is making environmental and health and safety decisions.

Risk exposure is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE 360inControl BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Over the course of a year, I interact and advise on a lot of GRC related RFPs/RFIs. Some of these are for Enterprise GRC Platforms, most are in specific domains of GRC such as operational risk management, IT risk management, compliance management, audit management and analytics, policy management, third-party management, and more. Something I added to my RFP requirements back in 2005 is the criteria if the solution supports business process modeling (BPM) natively in the application.

I saw this as an important requirement fifteen years back, but it only seems to have become mainstream over the past few years. In an increasing amount of RFPs, as well as organizations purchasing a solution without an RFP, I am seeing the capability to support BPM natively in the GRC solution as a key requirement. Organizations are tired of using separate solutions like Visio to document process flows and attach them as evidence and documentation for risks, compliance, and controls. Today, organizations want to be able to do business process modeling within the GRC solution (whether for broad enterprise GRC or a specific area of GRC like GDPR or internal control management). They want to be able to identify risk and control areas visually on these process flows and even use them as dashboards to see how processes are functioning to reliably achieve objectives, address uncertainty, and act with integrity (OCEG GRC definition).

Consider that organizations are facing a range of requirements that require business process and data flow modeling in the context of GRC, these include:

• Privacy, GDPR & CCPA, Requirements. The foundational step to privacy compliance is documenting how personal information is collected, used, processed, shared, and even destroyed in the organization. This involves data process flow diagrams on how personal information is collected and flows throughout organization processes. Organizations want to be able to document the data flows of personal information and highlight where risks and controls are, and even use process flow diagrams as dashboards to show where they are having privacy issues and where those issues are occurring in business processes.
• Accountability Regulations – UK SMCR, Australia BEAR, Ireland SEAR, HK MIC, Singapore MAS. There is a growing array of accountability regulations that make senior management functions (SMFs) personally liable for lack of due diligence, negligence, or willful wrongdoing in risk and compliance contexts. These roles can be personally fined or go to jail. Core to compliance starts with accountability maps that map SMFs to accountability and responsibility structures and their associated processes. Organizations need business process modeling to map risk, compliance, control accountabilities to SMFs, and use these for regulatory reporting as well as dashboards and executive communication.
• Operational Resiliency & Business Continuity. The key to business continuity, and now the greater need for operational resiliency, is to map business process flows and services to clearly document how this works. When a disaster happens, there needs to be process maps to show how business process flows and services are adjusted in different scenarios to maintain continuity and resiliency and recover the organization. BPM is foundational, from my point of view, in addressing the Operational Resiliency requirements coming from the UK FCA, PRA, and Bank of England.
• Sarbanes-Oxley & Internal Control Management. Over the past several years the Public Company Accounting Oversight Board (PCAOB) has been putting pressure on external auditors to require of their clients business process diagrams for SOX compliance in addition to the lengthy written control narratives. Increasingly, organizations are looking for their internal control management solutions to be able to diagram business processes – such as accounts payable, accounts receivable, procurement – and document risk and control points in these processes visually. This is another ideal area to use process diagrams of dashboards to demonstrate how these processes are functioning to reliably achieve objectives while addressing uncertainty and act with integrity and light-up where controls are failing and issues are happening.

These are just some examples of many for the critical role of BPM in GRC related solutions. The key question for you . . . is your GRC solution supporting BPM natively in the application?

What Else are Organizations Looking for In GRC Solutions?

Wading through the onslaught of recent inquiries, research interactions, as well as the RFPs/RFIs I have interacted on this past year . . . here are the top things I am finding that organizations are looking for in next-generation solutions across segments of the GRC market. Across these interactions, I am getting regular interactions and references to my blog on Agile GRC 4.0 blog. 

• User Experience. This is the number one criteria. Organizations want a modern user experience that incorporates the latest in UX design and interaction. One recent RFP for risk management that I advised on (for a global firm) made this the deciding factor. Several were weeded out early on because of dated user experiences and it came down to two. The one they chose had a superior and more modern user experience over the other. 
• Value, Business Case, Cost of Ownership. This is up there right with user experience. Orgs want a clear and compelling business case of value and business justification. Not just acquisition costs but ongoing costs of management, maintenance, configuration, and upgrades. Too many have had horrible experiences with older solutions that take months to years to roll out. One RFP that is being formulated for risk management bought one solution three years back, spent these years building it out, and today has 0 users on it and is now looking for something more agile. 
• Front Office, Not Just Back Office. With more and more risk, compliance, and control focus being put on the 1st line (front office) and not just 2nd and 3rd lines (back office risk/compliance functions) organizations want simple intuitive interfaces and experiences to engage front office personnel. They still want the depth of analytics and analysis for back-office functions, but they want a streamlined contextually relevant view to engage the front office in GRC areas. 
• Configurable and Agile. Orgs want solutions that are no code and highly configurable that do not break on upgrades (or cost just as much to upgrade as a whole new solution). This includes the ability to easily integrate with other business systems.
• Modern & New Solutions. This one is a little challenging. I have encountered three RFPs in multi-national organizations where the first criteria is that they were not going to invite anyone that is in the Leaders quadrant of Gartner (and to a degree Forrester) as they have had bad experiences with these solutions. They only wanted to evaluate solutions that have a modern code-base and architecture. The downside to this is that some newer solutions may not have the depth of features and analytics. But the issue is bad experiences, failed projects, and the cost of ownership of legacy solutions. 
• Understanding. The other interesting that has caught my attention is evaluating the domain knowledge and understanding of the solutions. I have seen solutions win because they have stronger engagement and thought leadership (e.g., blogs, white papers, webinars) over comparable solutions in the market. Buyers are becoming very sensitive to knowing that they are engaging a firm that truly understands their challenges and can speak to them in context. 

What are you seeing as critical criteria for GRC solutions in your organization?

Organizations are caught in a swirling vortex of uncertainty in risk and compliance as they strive to be bastions of integrity in the center of chaos. In the midst of a global pandemic, economic uncertainty, racial justice tensions, and employee concerns, organizations are trying to hold fast to, as well as enhance, their corporate culture. They seek to achieve corporate integrity by fostering a culture of accountability, social responsibility, and employee engagement of values from the top of the organization hierarchy down into the front lines of the organization.

“We are what we repeatedly do. Excellence then, is not an act, but a habit.” Integrity itself is not something that is written on paper, but something that is lived and breathed in the organization. 

Aristotle

Integrity is a mirror reflecting what the organization truly is. Does the mirror show an organization that . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Compliance and ethics are a growing challenge and concern in organizations.

Faced with increasing regulatory change, enforcement actions, audits and exams, and liability and exposure, compliance and ethics is in the midst of evolution and maturing. Compliance and ethics is moving from the stigma of being ‘the corporate cop’ to being the bastion of the integrity of the organization as it aims to guide culture and conduct in the context of the obligations and values. I have stated for fifteen years that the Chief Compliance (CCO)/Chief Ethics & Compliance Officer (CECO) is really the Chief Integrity Officer of the organization.

Compliance and ethics is becoming more established as its own function, with its own budget, and direct reporting to senior executives and boards of directors. In many organizations across industries, compliance and ethics is being moved out of the bowels of the legal department to operate independently, but collaboratively, with legal.

As part of this process of growing and maturing, we are seeing an increased focus on what constitutes an effective compliance and ethics program. One element that is getting a lot of attention, but also produces a lot of confusion, is the requirement to take a risk-based approach to compliance and ethics. Most compliance professionals have a history of focusing on check-lists and requirements and are unfamiliar with how to do a risk assessment.

Consider the following . . .

• Principles/Outcome-Based Regulation. What started years ago in the UK FSA moved to the EU with their Better Regulatory Policy to strive for principle/outcome-based regulation. An approach that does not focus on prescriptive checklists of requirements but outcomes. The way one organization approaches compliance may be different from another, but it is the outcome that matters. This requires a risk-based approach to compliance, to identify, analyze, and manage the compliance risk.
• ISO 19600:2014 – Compliance Management Systems. The international standard for compliance takes a risk-based approach to compliance and requires a compliance risk assessment to identify, analyze, evaluate, and treat compliance risks.
• U.S.S.C. Sentencing of Organizations. The United States Sentencing Commission in their Organizational Sentencing guidelines lays out the elements of an effective compliance program for courts to use to measure the culpability and therefore penalties on an organization. It requires that “the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.”
• U.S. DoJ Evaluation of Compliance Programs. The most recent update to the U.S. Department of Justice guidance on the Evaluation of Compliance Programs keeps a risk-based approach to compliance front and center. Risk is mentioned 53 times in this guidance. Specifically, “Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?”

In my Compliance Management by Design Workshops as well as inquiries, I am frequently asked by compliance and ethics professionals how they should manage and assess risk. Most of these professionals have a legal background and have not been trained in how to do a risk assessment. My recommendation, and an exercise I work on with attendees in workshops, is to do a bow-tie risk assessment.

I love bow-ties: both the kind you wear and the ones you use to assess risk. When most people think of risk management they think of numbers and complex models, and those are good and important. Myself, I am a visual person. My father was an accountant, my brother is an accountant, I went to law school. I like words and pictures over math. A bow-tie risk assessment provides a visual picture and assessment of risk that helps organizations think outside the box and engages both the left and right-brains. I am not downplaying the numbers side, that is still important and bow-ties can and do tie in the quantified analysis.

A bow-tie risk assessment gets its name as it takes the shape of a bow-tie:

• The knot is the risk. The center of the bow tie is the knot which is the risk you are evaluating. From a compliance and ethics point of view, this can be many things, so before you do a bow-tie you have to identify your risks (knots) that need to be evaluated. You can have separate knots for bribery/corruption, fraud, anti-trust, harassment, discrimination, privacy, money-laundering, and many more. The knot can be very specific, if you would like, such as the risk of bribery/corruption in a specific project or geography or it can be more general.
• The left-side of the tie is the source of the risk. Stemming off of the knot to the left you focus on the source of the risk or the causes. What can cause bribery/corruption? What could cause harassment/discrimination? You label each cause and connect it to the knot (risk). Then you identify detective and preventive controls to place between the cause and the knot that mitigate the exposure from that event happening.
• The right-side of the tie is the consequences of the risk. On this side, you identify the consequences/outcomes from an actual event happening. These can be regulatory fines, civil action, brand/reputation, loss of revenue, loss of employees, morale, and more. After identifying the consequences you then place detective and responsive controls to mitigate the damage and exposure of those outcomes to the risk.

There is a lot more detail I can go into here on how to do this, but it would go beyond the length of a blog to fully summarize. I am delighted to interact and discuss the benefits and use of bow-tie risk assessments. There are a range of technology solutions I cover in the market as part of my research and analysis that facilitate this format and approach to risk assessment.

Compliance is Not Easy

Organizations across industries have global clients, partners, and business operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants, and staffing) their compliance risk profile grows exponentially.

The dynamic and global nature of business is challenging for managing compliance. Compliance activities managed in silos often lead to the inevitable failure of an organization’s and compliance program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its environment.

Compliance obligations and ethical risk is like the hydra in mythology—organizations combat . . .

[the rest of this blog can be found on the CURA website where GRC 20/20’s Michael Rasmussen is a guest author]

In this podcast The GRC Pundit of GRC 20/20 Research, LLC interviews Toni Villanen of Majid Al Futtaim to discuss #riskmanagement #ERM #ORM #GRC – where it has been, where it is now, and where it is going. 

In this podcast, we discuss the challenges today in risk management, how COVID-19 is changing risk management, and how organizations need to engage the front-office (first-line) of the organization in risk management. We also interact on the need for greater risk integration, aggregation, reporting, and the use of bow-tie risk assessments.