Category: Blogs

GRC Take 2: Key Factors in Choosing a New GRC Vendor

The GRC Pundit BlogPublished onUpdated onLeave a Comment on GRC Take 2: Key Factors in Choosing a New GRC Vendor

Governance, risk management, and compliance (GRC) is something every organization does: it is part of business. Whether the organization calls it GRC, ERM, EHS, or something else…every organization has some approach to GRC. It can be completely manual, broken, and reactive or it can be optimized, aligned, and integrated. The key question is how can we improve GRC related processes and information? How can we make it more efficient, effective, and agile?

GRC itself is about a strategy and process of collaboration between functions to share information to aid the organization in achieving objectives. The official definition of GRC is that it is an ‘integrated capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].”

Technology plays a critical role in GRC strategy and process. Through technology, GRC processes can become more efficient, effective, and agile. Technology enables GRC. However, many organizations find that they have outgrown their current GRC technology platform. Some common issues I hear in organizations frustrated with their current technology architecture for GRC is that it is . . . 

[this is continued as a guest blog written by GRC 20/20 Research on the IsoMetrix Blog]

READ MORE

Are Your Policies a Mess? A Maze of Confusion?

The GRC Pundit BlogPublished onUpdated onLeave a Comment on Are Your Policies a Mess? A Maze of Confusion?

Effectively managing policies is easier said than done. Ad hoc or passive approaches mean that policies are outdated, scattered across the organization, and not consistent– resulting in confusion for recipients and a nightmare to manage. Organizations often lack a complete inventory of policies as so many departments have gone in different policy directions. Further, there is significant concern of rogue policies as anyone can create a document and call it a policy which may put a legal duty of care upon the organization.

Policies must be in place so the organization can:

  • Reliably achieve objectives
  • Manage and control uncertainty
  • Safeguard the workplace
  • Protect the organization from unnecessary risk
  • Ensure consistent operations
  • Uphold ethical values
  • Address compliance obligations
  • Defend the organization should it land in turbulent legal and regulatory waters

In order to achieve effectiveness, efficiency, and agility in policy management, organizations need to define a structured governance framework and process. Designing a mature policy management program and processes that align with the organization requires an understanding of what the organization is about, how it operates and how it should be monitored and controlled. Policy management by design requires a structured approach in context of how the organization operates. This is done through defining the right process, information and technology architecture for policy management.

The continual growth of regulatory requirements, complex business operations, and global expansion demand a well thought-out and implemented approach to policy management. It is no longer enough to simply make policies available. Organizations need to guarantee receipt, affirmation, and understanding of policies across the organization. To consistently manage and communicate policies, organizations are turning toward defined processes and technologies to govern policies and implement an effective policy management lifecycle.

Upcoming Policy Management Workshop

Upcoming Policy Management Webinars

Key Research on Policy Management Strategy

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Maintaining Internal Controls in Dynamic and Distributed Business

Internal Control Management & Automation Solutions, The GRC Pundit BlogPublished onUpdated onLeave a Comment on Maintaining Internal Controls in Dynamic and Distributed Business

Organizations operate in a field of risk landmines. The daily headlines reveal companies that fail in risk, compliance, and internal controls. Business today is complex in its operations and corresponding internal control obligations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, and operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to an internal control program. As organizations expand operations, their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal and external risk in context of a changing business environment. What may seem insignificant in one area can have profound impact on others.

Risk and control is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing requirements and fluctuating risk exposure, yet fail to actively manage and understand the interrelationship of internal control data in the context of business and business change. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing internal controls as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined internal control practices that are monitored and adapted to the demands of a changing business and regulatory environment. 

Today’s business entity must ensure internal controls are understood and managed company-wide; that internal controls are more than a list in a spreadsheet, but are part of the fabric of business operations and processes. A strong culture of control ensures transparency, accountability, and responsibility as part of its ethical environment. A strong internal control program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure to the organization’s integrity.

Traditional processes of managing internal control programs (e.g., shared drives, spreadsheets, emails, etc.), can be time-consuming, error-ridden, mundane, and most importantly lacking in providing transparent insight on the state of controls across the organization. Requirements and processes can change frequently as a result of new or emerging risks, making it increasingly difficult for organizations to identify control requirements, map them against organizational processes, and then report on the level of compliance across the enterprise.

The organization has to be able to see the individual area of control as well as the interconnectedness of risk and controls. A GRC professional’s most challenging task therefore, is developing a process or framework to understand how internal and external risks interrelate with controls and business processes in context of change, and how to evaluate organizational initiatives against these requirements.

The Bottom Line: Organizations cannot readily understand control from a series of lists or spreadsheets. They need intelligence and insight into the relationships between the hierarchical dimensions that describe an organization’s internal control and risk ecosystem that predict the full scope of potential impacts (direct and cascading) due to actual or exploratory change to risk and business strategy. Organizations need solutions that support simulation and scenario planning for strategic and tactical action plans in response to change.

Upcoming Workshops (no cost & CPEs) . . .

Upcoming Webinars . . .

Operational Resiliency: Connected Management of Operational Risk

The GRC Pundit BlogPublished onUpdated on3 Comments on Operational Resiliency: Connected Management of Operational Risk

I am sitting in a pub in London having a pint after an intense week of interactions with organizations. My mind is laser focused on the burning issue of the day: operational resiliency.

The FCA, PRA, and Bank of England have recently released a discussion paper focused on the need to build greater operational resilience in organizations. This challenge is much broader than just the United Kingdom and financial services; it is an issue that crosses the globe and industries. How do we build resiliency in our business to risk and disruption?

Today’s organization is complex and chaotic—in a constant state of metamorphosis. Keeping complexity and change in sync is a significant challenge for operational risk management functions. Consider that the modern organization is:

  • Distributed. Traditional brick-and-mortar business is a thing of the past: Physical buildings and conventional employees no longer define organizations. The organization is an interconnected mesh of relationships and interactions that span business boundaries with distributed operations complicated by a web of global relationships.
  • Dynamic. Organizations are in a constant state of change. Distributed business operations are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology, and processes while keeping current with changes in risk and regulatory environments around the world. The multiplicity of risk environments an organization monitors span regulatory, geopolitical, and operational risks across the globe.
  • Disrupted. The intersection of distributed and dynamic business brings disruption. Change (dynamic business) combined with complexity (distributed operations and relationships) means the organization is easily disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk information across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, and volume of risk is overwhelming—disrupting the organization and slowing it down at a time when it needs to be agile and fast.

In defining operational resiliency, I can think of nothing stronger than leveraging the OCEG definition for governance, risk management, and compliance (GRC). This is a capability to reliably achieve objectives, while addressing uncertainty, and act with integrity. To be operationally resilient requires that we understand the operational objectives of the organization and in that context manage the risk and uncertainty in hitting those objectives while operating with the boundaries of values and requirements set on the organization.

Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.

Connecting ORM and BCM is just part of achieving operational resiliency. To be resilient requires that the organization also manage the intersection of compliance, information security, business operations/processes, performance, third-party management, and other risk functions. Operational risk management is an umbrella covering a lot of risk departments that have historically operated in silos. These silos need to collaborate and connect in a broader operational risk strategy focused on the operational resiliency of the organization.

Managing operational risk activities in disconnected silos leads the organization to inevitable failure. Decentralized and disconnected distributed systems of the past catch the organization off guard to risk. The complexity of business and intricacy and interconnectedness of risk requires an integrated approach. Silos of risk fail to actively manage risk and leave the organization blind to intricate relationships of connected risk across the organization. An ad hoc approach to operational risk management results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk as an integrated part of business.

Distributed, dynamic, and disrupted business demands a strategic approach to operational risk strategy and process enabled with an integrated information and technology architecture. The organization needs complete situational awareness of risk across operations, processes, relationships, systems, and information to see the big picture of risk and its impact on organization performance and strategy.

This article is connected to an associated GRC Illustration and roundtable that GRC 20/20 collaborated with OCEG and Refinitiv to produce. I encourage you to download the detailed GRC Illustration on Connected Management of Operational Risk Prevents Disruption and the related roundtable discussion on this topic.

[button link=”https://go.oceg.org/operational-risk-management”]DOWNLOAD GRC ILLUSTRATION[/button]

Manage Your Privacy Journey: GDPR, CCPA & Beyond

The GRC Pundit BlogPublished onLeave a Comment on Manage Your Privacy Journey: GDPR, CCPA & Beyond

I love adventures! Whether in a city or out in nature, it is exciting to go out and do things. Simple adventures do not require a lot of planning, but you still need to be prepared for the day. More complex adventures require a lot of planning, coordination and execution. In organizations, complex adventures also require stepping back and reevaluating where you are and where you’re going.

Over the past few years, we have been on a General Data Protection Regulation (GDPR) adventure. Some might think the privacy adventure is over as we are now six months past the compliance deadline of May 28, 2018. However, the privacy journey is ongoing, and organizations need to continue forward with ongoing proactive GDPR compliance, particularly as organizations are dynamic and constantly changing.

Think about it, has your organization remained the same over the past six months? Certainly not . . .

The rest of this article by GRC 20/20’s Michael Rasmussen can be found as a guest blog on InfoGoTo.

[button link=”https://www.infogoto.com/manage-your-privacy-journey-gdpr-ccpa-and-beyond/”]READ MORE[/button]

Efficient and Effective Third-Party GRC Management

The GRC Pundit Blog, Third Party Management SolutionsPublished onLeave a Comment on Efficient and Effective Third-Party GRC Management

Modern Organization: Interconnected Maze of Relationships

Traditional brick and mortar business are a thing of the past. Physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, etc. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships, with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations problems that directly impact the brand and reputation, while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them, and fail to actively manage and understand the interrelationship of third parties across the organization.

The fragmented governance of third party relationships, through disconnected silos, leads the organization to inevitable failure. Reactive, document-centric, and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship, as well as the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources – Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing thinking others are doing this. Or the opposite happens, different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected – The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight –Allowing different parts of the organizations to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end to end visibility of third party relationships.
  • Document and email centric approaches –When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship and becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report onsupply chain data. When things go wrong document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies –When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency – impacts effectiveness, while encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only –Risk and compliance issues are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change –Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, etc. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe – in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships are changing – introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance –Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services, but do not include monitoring risks such as compliance and ethical considerations.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated supply chain data management strategy, the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance – resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches data management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance, and understand its impact on the organization.

The bottom line: A haphazard department, and document centric approach for third party management, compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy, as well as teams to define and govern third party relationships. Third party management is, “A capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across its 3rdparty relationships”. Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about performance, risk, and compliance, and how it impacts the organization.

GRC 20/20 Events & Resources for Third Party Management Include . . .

Upcoming Third Party Management Webinars

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Case Studies on Organizations Doing Third Party Management

Solution Perspectives on Third Party Management Solutions

GDPR: Moving Forward Out of the Doldrums

The GRC Pundit BlogPublished onUpdated onLeave a Comment on GDPR: Moving Forward Out of the Doldrums

I love sailing. It has fascinated me since I was in high school, but only recently have I taken up learning to sail. While I have not sailed across an ocean, I have read many accounts of sailors getting stuck in the doldrums. The area in both the Atlantic and Pacific Ocean near the equator where there is a low-pressure zone that creates a condition of little to no wind. A sailboat is virtually stalled and stuck.

When pondering GDPR this morning at a coffee shop in London, I was thinking of the doldrums of compliance. That point when organizations tend to stall and become neglectful and stop moving forward with compliance. This often happens shortly after the regulation launch date. Organizations moved with some momentum to work toward GDPR compliance and made progress, but once the compliance date passed, businesses got distracted with other things and failed to maintain the same levels of momentum.

In year one of GDPR compliance, up through the initial compliance deadline of May 2018, I saw a lot of organizations make great strides in addressing GDPR. They did the foundational components, but many have stalled on the follow through. These organizations did well in . . .

The rest of this article by GRC 20/20’s Michael Rasmussen can be found as a guest blog on SureCloud.

[button link=”https://www.surecloud.com/sc-blog/gdpr-moving-forward-out-of-the-doldrums”]READ MORE[/button]

Monitoring and Managing Risk Effectively

The GRC Pundit BlogPublished onLeave a Comment on Monitoring and Managing Risk Effectively

Organizations take risks all the time but fail to monitor and manage risk effectively. A cavalier approach to risk-taking is a result of a poorly defined risk culture. It results in disaster, providing case studies for future generations on how poor risk management leads to the demise of corporations — even those with strong brands. Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, projects, strategy, processes, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as risk management professionals throughout the business. Organizations need to understand how to monitor risk-taking, whether they are taking the right risks, and whether risk is managed effectively.

The modern organization is:

  • Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner, and client relationships. The traditional brick and mortar business with physical buildings and conventional employees have been replaced with an interconnected mesh of relationships and interactions which define the modern organization. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
  • Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with shifting business strategies, technologies, and processes while also keeping pace with change to risk environments around the world. The multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit, and operational risks. Managing risk and business change on numerous fronts has buried many organizations.
  • Disrupted. The explosion of data in organizations has brought on the era of “Big Data” and with that “Big Risk Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes, and relationships to see the big picture of performance, risk, and compliance. The velocity, variety, veracity, and volume of data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Understand the Interrelationship of Risk and Its Impact

Risk management is often misunderstood, misapplied, and misinterpreted as a result of scattered and uncoordinated approaches. For some organizations, risk management is only an expanded view of routine financial controls with the result nothing more than a deeper look into internal controls with some heat maps thrown in, and does not truly provide an enterprise view of risk. Despite this, organizations remain keenly interested in how to improve risk management.

Risk is pervasive; there are a variety of departments that manage risk with varying approaches, models, needs, and views on what risk is and how it should be measured and managed. These challenges come at department and process levels, and build as organizations develop operational and enterprise risk management strategies.

Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a major challenge. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their view of risk and not the aggregate picture, unable to recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is no opportunity to be intelligent about risk as risk intersects, compounds, and interrelates to create a larger risk exposure than each silo is independently aware of. A siloed approach fails to deliver insight and context and renders it nearly impossible to make a connection between risk management and business strategy, objectives, and performance.

It can be bewildering to make sense of risk management and its varying factions across enterprise, operational, project, legal/regulatory, third-party, strategic, insurance, and hazard risks. This makes enterprise and operational risk management a challenge when risk management strategy forces everyone into one flat view of risk to conform and have significant issues in risk normalization and aggregation as they roll-up risk into enterprise risk reporting.

Providing 360° Contextual Awareness of Risk

Managing risk effectively requires multiple inputs and methods of modeling and analyzing risk. This requires information gathering — risk intelligence — so the organization has a full perspective and can make better business decisions. This is an important part of developing a risk analysis framework. Mature risk management is built on a risk management process, information, and technology architecture that can show the relationship between objectives, risks, controls, loss, and events.

In light of this, organizations should consider:

  • Does the organization understand the risk exposure to each individual process/project and how it interrelates with other risks and aggregates in an enterprise perspective or risk?
  • How does the organization know it is taking and managing risk effectively to achieve optimal operational performance and meet strategic objectives?
  • Can the organization accurately gauge the impact risk has on strategy, performance, project, process, department, division, and enterprise levels?
  • Does the organization have the information it needs to quickly respond to and avoid risk exposure, and also to seize risk-based opportunities?
  • Does the organization monitor key risk indicators across critical projects and processes?
  • Is the organization optimally measuring and modeling risk?

Gathering multiple perspectives on risk is critical for producing effective relational diagrams, decision trees, heat maps, and scenarios. This risk intelligence comes from:

  • The external perspective: Monitoring the external environment for geopolitical, environmental, competitive, economic, regulatory, and other risk intelligence sources.
  • The internal perspective: Evaluating the internal environment of objectives, projects, risks, controls, audits, loss, performance and risk indicators, and other internal data points.

The bottom line: Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their view of risk that can roll into enterprise and operational risk management and reporting. This is done through a common risk management strategy, process, information, and technology architecture to support overall risk management activities from the process level up through an enterprise view. Organizations need to clearly understand the breadth and depth of their risk management strategy and process requirements and select the right information and technology architecture that is agile and flexible to meet the range of risk management needs today and into tomorrow.

Upcoming Webinar on Risk Management

20/20 Strategy Perspective Research Paper on Risk Management

20/20 Buyers Guide Research Briefing on Risk Management Solutions

Other 20/20 Research Pieces on Risk Management

[button link=”https://grc2020.com/product-category/grc-functional-area/risk-management-analytics/”]RISK MANAGEMENT RESEARCH[/button]

Understanding & Improving Governance, Risk Management & Compliance

The GRC Pundit BlogPublished onLeave a Comment on Understanding & Improving Governance, Risk Management & Compliance

Governance, risk management & compliance (GRC) is something an organization does and not something an organization buys. GRC, done properly, is what is achieved throughout the business and its operations. By definition, GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” (source: OCEG GRC Capability Model that GRC 20/20 has helped define and contribute to) This requires that GRC needs to be understood in the context of enterprise strategy, objectives, architecture and processes.

Designing mature GRC processes that align with the organization requires an understanding of what the organization is about, how it operates, how it should be monitored and controlled. This is done through defining the right GRC process, information and technology architecture. GRC by Design requires an enterprise/organization architecture approach to the organization and how it operates.

GRC 20/20 is a research and analyst organization aimed at understanding what is keeping organizations up at night and how they address this with strategy, process, and technology to make GRC related processes efficient, effective, and agile. We are a research and analyst firm, not a consulting firm.

In this context, GRC 20/20 does regular training By Design workshops to share our research and experience with organizations looking to improve their GRC related strategies. These workshops are key part of our research as they are workshops and not lectures. Attendees interact and share their challenges and approaches and learn from each other as much as they learn from GRC 20/20. These are amazing facilitated sessions that engage attendees on the deep subjects of GRC in a way that is practical and enriching. There is no cost to attend these workshops and attendees use the time for continuing education credits for certifications. However, they are only open for organizations working on their own internal GRC related strategies and processes. Solution providers and professional service firms are not allowed to register for these workshops.

Third Party Management by Design Workshops

Enterprise GRC Management by Design Workshops

IT GRC/Security Management

By Design workshop aims to provide a blueprint for attendees on effective enterprise GRC strategies in a dynamic business, regulatory, and risk environment. Attendees will learn enterprise GRC strategies and techniques that can be applied across the organization. Learning is done through lectures, collaboration with peers, and workshop tasks.

GRC 20/20 also offers complimentary inquiry to organizations looking to improve GRC related processes and identify the right technology solutions and what differentiates them to solve those problems. Our research is objective and there are over 800 solutions we have mapped into the many segments of the broad GRC market. If you have a question on GRC strategy, process, and technology . . . simply ask us an inquiry and can have a call or email exchange.

The One Regulation to Rule Them All: UK SMR/CR & Cascading Regulations

The GRC Pundit BlogPublished onUpdated on1 Comment on The One Regulation to Rule Them All: UK SMR/CR & Cascading Regulations

For those of you on this list that know me on a personal level, I am a huge Tolkien fan. In fact, I am just a Master’s thesis away from my M.A. in Church History and the thesis is on the influence of Medieval theology, particularly Aquinas, on J.R.R. Tolkien and his works (my particular focus in Church History in general is medieval British Church history which fascinates me).

One [REGULATION] to rule them all, One [REGULATION] to find them [RISK, COMPLIANCE, CONTROL], One [REGULATION] to bring them all, and in the [ENFORCEMENT] bind them.

I just got off the phone with a deep discussion on the UK SMR/CR as well as the other copy regulations coming out of Australia, Singapore, Hong Kong, Japan, Ireland, and more. I explained that the UK SMR/CR is the One Regulation to rule all other risk, compliance, and control regs. The whole point is to put personal accountability and responsibility to senior executives and directors for risk and compliance. It is the regulation that enforces all the others and binds them.

The UK Senior Manager’s Regime and Certification Regime (UK SMR/CR) is one of the most significant challenges financial services firms are facing right now. The Financial Conduct Authority (FCA) has recently announced that this regulation is going to be applied to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives on risk, compliance, and control. These individuals could go to jail or be personally fined (and their organization cannot reimburse them). The fines and actions are against them personally. For example, Barclay’s CEO was recently fined £640,000 personally under UK SMR/CR. It is the UK SMR/CR regulation that sees that other regulations as well as risks are properly managed in the organization.

Compliance to UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend, but a global shift in personal accountability and responsibility to senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (more of a board focus) all have similar developing legislation/regulation in varying aspects.

This impacts every area of GRC in financial services. One firm I talked to told me this is what is keeping them up at night from a governance, risk management, and compliance (GRC) perspective. The other day I had a phone call with a mid-sized financial services firm in the United Kingdom. They are seeing a lot of interest and ownership of GRC processes by senior executives and directors as they are now personally accountable because of UK SMR/CR. They are using risk management to help these business leaders understand their business and risk exposure, and in this context track accountability. One major UK bank told me they have applied UK SMR/CR to third party management, making business leaders (e.g., executives, directors) accountable and personally liable for risk and compliance failures in third parties. In a recent interaction I had, the Head of Risk Frameworks at a UK financial services company stated:

SMR is the UK’s equivalent of Sarbanes Oxley and will be interesting to see what happens in Australia. But maybe it’s still early days and people think they can get by with what they have. When a high-profile executive lands behind bars or a sizeable number of fines are dished out, then I guess we’ll see the market pick up.”

This regulation is more than an HR issue, it is a governing umbrella of all risk and compliance. Foundationally, organizations have to map risk and compliance roles/responsibilities to senior executives and directors. It requires that organizations track responsibilities and accountabilities for risk and compliance to senior business leaders and track awareness and accountability of these individuals. This in turn drives greater need for transparency and awareness of risk and compliance down into the business. Policy management is a critical concern to communicate policies to senior leaders and track attestations and awareness of accountabilities. But it does not stop there. You have to be able to communicate risk, compliance, and control to these individuals. They cannot accept accountability if they have no way of measuring and being informed of risk and compliance. This makes UK SMR/CR (and other similar legislation in other jurisdictions) the governing umbrella of all risk and compliance obligations and requirements. Organizations need to map and report on risk and compliance across regulations to these roles.

Managing this process in documents, spreadsheets and emails and manual processes will be time consuming and at the end of the day not have the proper audit trail and system of record to show clear awareness and acknowledgement of risk and compliance by senior executives. Organizations need technology to enable the mapping of risk and compliance responsibilities to senior executives, with a robust audit trail to provide a system of record of communication and awareness, supported by risk and compliance reporting to inform senior executives who are now accountable to the exposure they face in the organization.

This article was originally a guest blog by GRC 20/2o @ Governor Software . . .