Ethics, Compliance & Risk Culture in Denmark: A Model of Orderliness and Mindfulness

Denmark is often lauded for its high quality of life, progressive social policies, and exemplary governance. However, there is something more subtle yet profoundly impactful that one notices when visiting Denmark—a deep-seated culture of orderliness and mindfulness. This is not just about following rules; it’s about a collaborative accountability to ethical behavior, mutual respect, and a sense of community responsibility that permeates every aspect of Danish life. Previously, I wrote on this specifically from a risk management perspective on a previous trip to Copenhagen, Risk Management Lessons from Denmark. My current trip causes some further reflection.

On my trip to Copenhagen, Denmark, this past week, I was struck by these characteristics of collaborative accountability to ethical behavior, mutual respect, and a sense of community responsibility in ways that were both surprising and enlightening. Even the smallest observations, such as the gentleman sitting next to me on the plane into Copenhagen, offered valuable insights. This individual was thoughtful and mindful throughout the flight, and when it was time to deboard, he took the time to neatly fold his blanket and leave his space orderly. This act, seemingly small, is a reflection of a broader cultural norm in Denmark: a commitment to mindfulness and respect for shared spaces and experiences.

As I spent more time in Denmark, I noticed that this wasn’t an isolated incident. Walking through the streets of Copenhagen at 1:00 a.m., I observed that people still waited patiently for the walk signal to cross the street—even when there were no cars in sight. This adherence to rules is not out of fear of punishment, as might be the case in places like Singapore, where strict laws and harsh penalties enforce orderliness. In Denmark, it is about something deeper: a shared understanding of the importance of following rules for the benefit of the community as a whole. This is about collaborative accountability, where the community collectively upholds standards of behavior, not because they are enforced by law, but because they are valued and respected.

Understanding the Danish Ethical Culture

The question then arises: how does Denmark cultivate such a strong ethical culture? The answer lies not in strict enforcement but in community values and social norms. Danish society is built on trust, mutual respect, and a strong sense of social responsibility. These values are ingrained from a young age, through education, family, and community interactions, leading to a society where individuals naturally conform to ethical standards because they believe in their importance, not because they fear punishment.

In Denmark, the concept of “hygge” (a sense of coziness and contentment) also plays a role in fostering a close-knit community. Hygge is about creating a warm atmosphere, enjoying the good things in life with good people. It reinforces the importance of community and the need to take care of each other, which naturally extends to following rules that benefit everyone.

Moreover, Denmark’s relatively flat organizational and social structures contribute to a culture where everyone feels responsible for the well-being of the community. There is a strong emphasis on equality and consensus, which means that people are more likely to collaborate and hold each other accountable, rather than relying on hierarchical enforcement of rules.

I am not trying to state that Denmark is some state of utopia and is perfect. It has its issues as well. But there are differences when you contrast Denmark to other nations, like the USA, that too often tend to have a utilitarian ethical framework focused on the best outcome for the individual.

Lessons for Organizations: Building a Culture of Collaborative Accountability

The Danish approach to ethics and compliance offers valuable lessons for organizations looking to build a strong culture of governance, risk management, and compliance (GRC). Here are some key takeaways:

  1. Foster a Sense of Community and Shared Responsibility. Organizations should work towards creating an environment where employees feel a sense of belonging and responsibility towards each other. This can be achieved through team-building activities, open communication, and encouraging collaborative decision-making processes. When employees see themselves as part of a community, they are more likely to adhere to ethical standards for the collective good.
  2. Promote Mindfulness and Respect in Everyday Actions. Just as the gentleman on the plane folded his blanket out of respect for the next passenger, organizations can promote small acts of mindfulness and respect that contribute to a positive culture. This can be as simple as encouraging cleanliness in shared spaces, or more broadly, promoting a culture of thoughtfulness in interactions and decision-making processes.
  3. Encourage Ethical Behavior Through Values, Not Fear. Instead of relying solely on strict rules and penalties to enforce compliance, organizations should focus on cultivating a culture where ethical behavior is driven by shared values. This can be done through leadership modeling ethical behavior, incorporating ethics into the core mission and vision of the organization, and recognizing and rewarding ethical behavior among employees.
  4. Create Flat Structures that Encourage Collaboration and Accountability. Just as Danish society values equality and consensus, organizations can benefit from flattening hierarchies to encourage open communication and shared accountability. When employees at all levels feel empowered to speak up and hold each other accountable, it creates a more robust and resilient ethical culture.
  5. Educate and Train Continuously. In Denmark, ethical behavior is taught and reinforced from a young age. Similarly, organizations should invest in continuous education and training to instill and reinforce the importance of ethics and compliance. This includes not only formal training programs but also informal opportunities for employees to discuss and reflect on ethical dilemmas and best practices.

Conclusion: Cultivating a Danish-Style Ethical Culture

Denmark’s culture of orderliness and mindfulness offers a powerful model for organizations looking to build strong ethical cultures. By fostering a sense of community, promoting mindfulness and respect, encouraging ethical behavior through shared values, creating flat organizational structures, and investing in continuous education, organizations can develop a culture of collaborative accountability that mirrors the Danish approach.

In doing so, they not only enhance their governance, risk management, and compliance efforts but also create a workplace where employees feel valued, respected, and motivated to contribute to the greater good. Just as the Danish people naturally follow rules and consider the impact of their actions on others, so too can organizations cultivate a culture where ethical behavior is the norm, not the exception.

While these are great thoughts, I am also concerned whether they can be effectively promulgated in a country like mine, the United States of America. I fear the USA, in general, has a predominant utilitarian ethical culture that focuses on the individual and not the group. Too often individuals will make the decisions that provide them individually with the best outcome, which can lead to breaking rules and then even the law. I am exploring these thoughts and would appreciate any honest reflections and feedback on this . . .

Beyond the Heatmap: Rethinking Risk Management for the Modern Age

In today’s rapidly evolving business landscape, risk management is no longer just about avoiding pitfalls—it’s about navigating the uncertain waters of opportunity and danger with agility and resilience. This new paradigm recognizes that risk is not just a challenge to be mitigated but an integral component of strategic decision-making. In an environment characterized by relentless change and uncertainty—driven by technological advancements, global interconnectedness, and shifting market dynamics—organizations must develop a proactive and adaptive risk management strategy. This means anticipating potential disruptions, seizing emerging opportunities, and building organizational resilience to bounce back stronger from setbacks. Effective risk management today requires a dynamic, forward-thinking approach that not only protects against adverse events but also leverages risks as catalysts for growth and innovation. By integrating risk management into the core of their strategic operations, organizations can better navigate the complex terrain of the modern business world, ensuring long-term success and sustainability.

For nearly two decades, I’ve questioned why business continuity often operates in a silo, buried deep within the organizational structure, rather than being an integral part of enterprise and operational risk management. The symbiotic relationship between these functions is undeniable, and the pandemic, along with regulatory bodies, is finally forcing a change. The Office of the Comptroller of the Currency (OCC) in the U.S. succinctly stated, “Operational resilience is . . . the outcome of effective operational risk management.”

But let’s be clear: resilience alone isn’t enough. Agility is equally crucial. True risk management involves not just surviving the storm but steering the ship towards opportunity while skillfully avoiding or mitigating hazards. As Teddy Roosevelt wisely remarked, “Risk is like fire; if controlled, it will help you; if uncontrolled, it will rise up and destroy you.” 

This sentiment is echoed by Judge Mervyn King of South Africa, who stated, “Enterprise is the undertaking of risk for reward.” Effective risk management is a strategic tool that enables organizations to thrive amid the chaos of the modern world, maximizing returns and performance while minimizing losses.

So, how does your organization approach risk management? Is it merely a . . .

[The rest of this blog can be read on the GRC Report, where GRC 20/20’s Michael Rasmussen is a contributor and CEO]

Modernizing Policy Management: The Urgent Need for Automation

Effective policy management is critical to maintaining organizational integrity, compliance, and operational efficiency. Yet, many organizations remain trapped in outdated, manual processes that create a mess of confusion, inefficiency, and risk. The reliance on documents, spreadsheets, emails, and scattered policy portals, websites, and file shares not only hampers back-office functions responsible for managing policies but also frustrates employees who must navigate these labyrinths to find, read, and comply with the necessary policies. 

Why does your team need policy management automation?

Imagine the typical scenario in an organization: policies are . . .

[The rest of this blog can be read on the Origami Risk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Strengthening the Bonds of the Extended Enterprise: A Unified Approach to Third-Party Risk Management

In today’s interconnected world, the relationships that businesses forge with third parties are akin to friendships—built on trust, integrity, and resilience. Just as strong friendships require shared values, ethical behavior, and the ability to withstand challenges, so too do the relationships that businesses maintain with their vendors, suppliers, and partners. These relationships form the backbone of what is known as the “extended enterprise,” a complex web of interactions that extends far beyond the traditional boundaries of a single organization.

As an analyst deeply entrenched in the field of third-party risk management, I can attest that this is one of the busiest and most critical areas in governance, risk management, and compliance (GRC) today. I am currently involved in over a dozen RFPs (Requests for Proposals) related to third-party risk management, all driven by the dual pillars of integrity and resilience. These are not just buzzwords; they are essential qualities that define the success and sustainability of business relationships in the modern enterprise.

Integrity and Resilience: The Cornerstones of Third-Party Relationships

Imagine a friendship that lacks integrity—one where trust is broken, and values are compromised. Such a relationship is bound to fail, as it lacks the moral foundation needed to weather challenges. In the same vein, business relationships must be built on a foundation of integrity, encompassing environmental, social, and governance (ESG) principles, as well as compliance with laws, regulations, and ethical standards. This is the very essence of corporate integrity.

But integrity alone is not enough. A relationship must also be resilient, capable of withstanding the inevitable challenges and disruptions that arise. In the business world, resilience translates to the ability to manage risk and maintain continuity in the face of adversity. Whether it’s a cyber-attack on a critical supplier, a geopolitical crisis affecting a key market, or a sudden regulatory change, businesses must be prepared to respond swiftly and effectively to protect their operations and reputation.

One of the most telling examples of the importance of resilience in third-party relationships came from a firm that DID NOT use CrowdStrike but found itself impacted because several of its critical third-party partners did. This situation underscores the interconnectedness of risk within the extended enterprise and the need for a comprehensive approach to third-party risk management that goes beyond the surface level and is focused on resilience.

One global bank even identified third-party risk as their largest area of concern, reflecting the growing recognition of the potential impact that third-party failures can have on an organization’s overall risk profile.

The Regulatory Landscape: Driving the Need for Third-Party Risk Management

The regulatory environment is a significant driver behind the increased focus on third-party risk management. Frameworks such as the EU Digital Operational Resilience Act (DORA) and the EU Corporate Sustainability Reporting Directive (CSRD) are pushing organizations to enhance their oversight and management of third-party risks. These regulations have a global impact, not just a regional one, and they reach downstream suppliers and vendors as well. DORA and CSRD are the primary drivers right now, but certainly not the only regulatory drivers.

Please feel free to ping me if you want a list of the dozens of laws/regulations I am tracking that impact third-party risk management.

The Call to Action: A Federated Third-Party Risk Management Program

To effectively manage third-party risks, organizations must move towards a federated third-party risk management program—a unified strategy that spans across departments and functions responsible for third-party risk. This approach requires structured processes that cover the entire lifecycle of third-party relationships, from onboarding and continuous monitoring to addressing issues and, crucially, offboarding—a phase that is often neglected.

At the heart of this strategy lies the need for robust third-party risk technology and real-time third-party risk intelligence feeds/content. These solutions, together, enable organizations to monitor their third parties continuously, ensuring that any emerging risks are identified and addressed promptly. Moreover, advancements in artificial intelligence (AI) are playing an increasingly important role, offering the ability to automate due diligence processes and provide deeper insights into the risk profiles of third parties.

A Holistic Approach to Third-Party GRC Management

Effective third-party risk management requires more than just a focus on risk; it demands a holistic approach that integrates governance, risk management, and compliance (GRC). This approach should be grounded in a clear understanding of the objectives and values that define each relationship, as well as the risks and uncertainties that may threaten those objectives. Myself, I prefer to call it third-party GRC or third-party governance, but third-party risk management is what is commonly used.

Organizations that adopt a federated approach to third-party risk management are better positioned to navigate the complexities of the extended enterprise. By fostering collaboration across departments, leveraging advanced technologies, and maintaining a clear focus on integrity and resilience, businesses can build stronger, more resilient relationships with their third parties—relationships that, like good friendships, stand the test of time.

In conclusion, as the extended enterprise becomes increasingly integral to the success of modern organizations, the need for a unified, proactive approach to third-party risk management has never been greater. Just as friendships require trust, communication, and shared values, so too must business relationships be nurtured and managed with care. By doing so, organizations can ensure that their extended enterprise is not only a source of strength but also a foundation for future growth and success.

The Death of the CISO: A Eulogy & Reincarnation

I am sure this will be controversial; many love their role and title. First, some perspective . . . my career started in IT security. I cut my GRC teeth in IT security. My first imagination of a GRC platform came from leading an IT security, risk, and compliance consulting practice in the 1990s, which I first encountered as a product in February 2002, after which I defined the GRC market. I started the Milwaukee Chapter of the Information Systems Security Association (ISSA). I was on the International Board of the ISSA, primarily as their VP of Standards and Public Policy. I co-chaired Congressperson Putnam’s Corporate Information Security Working Group. I wrote a paper on CyberRisk for the Joint Economic Committee of Congress. While my career and analyst coverage have gone far beyond IT security, that is where I started.

To put it bluntly, the CISO role is dead. Organizations need something different: a broader view of IT risk management. The recent CrowdStrike event is just one example of many that require organizations to create a much broader view of IT risk and resilience management. Security is still critical and is a component of this, but it is more than security.

In the intricate narrative of J.R.R. Tolkien’s epic, “The Lord of the Rings,” we witness a profound transformation: Gandalf the Grey, once a humble guide and protector, transcends his former self to become Gandalf the White, a more powerful beacon of wisdom and power confronting the enemy at the gates of Mordor. This metamorphosis is not merely a change in title or attire; it represents a fundamental shift in purpose, responsibility, and vision. In much the same way, the role of the Chief Information Security Officer (CISO) is undergoing a significant evolution. The era of the traditional CISO is ending, and from its ashes rises a new archetype: the Digital Risk & Resilience Officer (DRRO).

NOTE: Personally, I am not a fan of the word ‘digital.’ When I see it, I think of the digital alarm clocks of the 1970s and ’80s, growing up. It is a dated term for me. But it sticks and is what is being used. The title Cyber Risk & Resilience Officer is a little too narrow.

But let’s unpack this . . .

The Grey Years: Traditional CISO

The role of the CISO emerged from the burgeoning need to safeguard organizational assets in an increasingly digital world. In the early days, the CISO’s primary mission was clear-cut: protect the confidentiality, integrity, and availability of information systems from exposure to malicious attackers and inadvertent mishaps. This task involved implementing firewalls, antivirus software, intrusion detection systems, and a myriad of other security controls to fend off cyber threats and reduce vulnerabilities.

However, as technology evolved, so did the complexity of risks. The scope of the CISO’s responsibilities expanded, encompassing compliance with regulatory requirements, managing vendor risks, and ensuring data privacy. Yet, despite these growing duties, the perception of the CISO remained largely confined to IT security. The metaphorical Gandalf the Grey was adept and diligent but limited by the conventional boundaries of information security, in a business environment that has become pervasively dependent on information and technology throughout the organization.

The Shifting Landscape

The digital landscape is now more interconnected and complex than ever before. IT risk is no longer isolated to data breaches or hacking incidents. It encompasses a broader spectrum, including IT resilience, business continuity, and the ability to withstand and recover from disruptions.

The recent CrowdStrike incident is a poignant reminder of this reality. Despite being a leading cybersecurity firm, CrowdStrike faced a significant operational disruption that was not a security breach but a colossal IT and business risk. This incident underscores the need for a more comprehensive approach to IT risk management. Organizations globally were impacted. Some organizations did not use CrowdStrike themselves but were still impacted as their vendors and suppliers used it.

On top of that, you have regulations like the United Kingdom’s Operational Resilience regime, the EU Digital Operational Resilience Act, the EU Cyber Resilience Act, and Australia’s CPS 230 taking a more expansive view.

The Death and Rebirth: From CISO to DRRO

Just as Gandalf the Grey’s transformation into Gandalf the White signified a rebirth with greater responsibilities and a more profound vision, the transition from CISO to Digital Risk & Resilience Officer (DRRO) marks a pivotal evolution in IT risk management.

The DRRO is not just a guardian of security but a strategist for operational resilience. This role encompasses a holistic view of digital risk, integrating cybersecurity, IT resilience, business continuity, and risk management into a cohesive framework that aligns with the business. It addresses security but also looks at staffing and talent, bugs and resilience, and so much more. The DRRO ensures that organizations are not only protected from cyber threats but also capable of enduring and thriving amidst disruptions in a business environment that is akin to navigating chaos.

The Pillars of Digital Risk & Resilience

  1. Holistic Risk Management. The DRRO must adopt a comprehensive risk management strategy that includes cyber threats, IT failures, supply chain disruptions, and other operational risks. This involves regular risk assessments, scenario planning, and the implementation of robust risk mitigation strategies.
  2. Operational Resilience. Beyond preventing security incidents, the DRRO focuses on ensuring that the organization can quickly recover from disruptions. This requires scenario planning and preparedness, a well-defined recovery plan, regular testing, and continuous improvement of resilience capabilities.
  3. Integration of IT and Business Strategies. The DRRO bridges the gap between IT and business objectives, ensuring that digital risk management aligns with the overall strategic goals of the organization. This integration enhances decision-making and supports long-term business growth and resilience.
  4. Proactive Threat Intelligence. Leveraging advanced threat intelligence, the DRRO stays ahead of emerging risks, adapting strategies to address new vulnerabilities and threats proactively. This proactive stance is crucial in an ever-evolving threat landscape.
  5. Stakeholder Collaboration. Effective digital risk management requires collaboration across all levels of the organization. The DRRO works closely with executive leadership, IT teams, business units, and external partners to foster a culture of resilience and shared responsibility.

The Path Forward

As organizations navigate the complexities of the digital age, the need for a DRRO becomes increasingly evident. The traditional CISO, confined by the narrow scope of IT security, is no longer sufficient. The DRRO, embodying the wisdom and vision of Gandalf the White, represents a new era of comprehensive digital risk and resilience management.

In this transformed role, the DRRO not only protects the organization from cyber threats but also ensures its ability to withstand and recover from any disruption. This holistic approach to IT risk management is essential for achieving true operational resilience in the modern era.

The death of the traditional CISO marks the end of an era but also heralds the beginning of a new one. The emergence of the Digital Risk & Resilience Officer is a natural evolution, reflecting the changing landscape of digital risk and the need for a more comprehensive approach to IT resilience. Just as Gandalf the White rose from the trials and tribulations of his former self, so too does the DRRO rise to meet the challenges of the modern era, guiding organizations toward a future of resilience and prosperity.

The journey from CISO to DRRO is not merely a change in title; it is a profound transformation in purpose, responsibility, and vision. It is a journey that every organization must embark upon to thrive in an increasingly complex and interconnected world. The death of the CISO is not an end but a new beginning, a rebirth into a role that is more vital and encompassing than ever before.

Seven AI Samurai of GRC: Protecting the Organization

I love feudal Japan! After my love for medieval Europe is my love for feudal Japan. Perhaps they are on par with each other, as both of these eras excite me. So when my sons asked me if I wanted to go see Akira Kurosawa’s 1954 classic, Seven Samurai, on the big screen here in Milwaukee . . . I leapt at it. I have seen this before but not on the big screen.

Of course, my mind is racing and thinking of analogies to the ever-evolving world of governance, risk management, and compliance (GRC), as organizations are constantly besieged by a multitude of threats from different angles just like the village in Seven Samurai. Much like the defenseless village, modern organizations need protection against marauding threats to strategy and objectives, resilience, dynamic risks, regulatory change, cyber risks, operational hazards, and compliance breaches. Enter the Seven AI Samurai of GRC – a band of intelligent, automated warriors designed to defend and fortify the village that is your organization.

Meet the Seven AI Samurai of GRC

Just as Kurosawa’s samurai were each skilled in unique martial arts and skills, our AI Samurai each specialize in a different aspect of GRC. These samurai work together to create a robust defense system for organizations, ensuring that all facets of governance, risk, and compliance are covered.

  1. Risk Ronin: The Strategist of Scenarios. Our first Samurai is the Risk Ronin, who excels in identifying, assessing, and monitoring risks to the organization’s objectives (ISO 31000 states that risk is the effect of uncertainty on objectives). This samurai’s strategic mind uses AI to conduct deep dives into global external events and data, identifying relevant information to develop and refine risk scenarios. These scenarios are then used to run annual risk analyses and exercises, ensuring the organization is prepared for any eventuality. Risk Ronin’s analytical prowess provides the organization with accurate, up-to-date risk information, enabling informed decision-making and proactive risk management. His strategies ensure that the village can anticipate and navigate through the most treacherous threats.
  2. Visibility Vassal: The Overseer of Transparency & Resilience. Aiding the Risk Ronin is the Visibility Vassal, the second samurai, who brings clarity and transparency to the village and its objectives. This samurai’s AI-powered tools gather and consolidate data from various sources, providing a holistic view of risks and control issues. Visibility Vassal ensures that all risks and obligations are visible in the context of the organization and its objectives, creating a culture of accountability and informed decision-making. With his watchful eye, Visibility Vassal enables the organization to maintain a high-level overview of all organization objectives and activities, ensuring that nothing is overlooked and everything is accounted for in a dynamic and changing context.
  3. Regulatory Ronin: The Sentinel of Compliance. The third samurai, Regulatory Ronin, stands guard at the gate of regulatory changes. His sharp AI senses scan the horizon for any incoming regulations, monitoring over 2,000 sources across numerous jurisdictions. With unparalleled speed and accuracy, this samurai categorizes, parses, and maintains a version history of all regulatory updates. This ensures the village is always compliant, reducing the noise and focusing only on relevant changes. Regulatory Ronin’s strength lies in the ability to filter through the chaos and provide actionable intelligence. His presence ensures that the organization remains compliant with current laws, mitigating the risk of non-compliance fines and penalties.
  4. Obligation Oishi: The Keeper of Commitments. Obligation Oishi is the fourth samurai, tasked with maintaining the village’s obligations catalog, and is a close partner with Regulatory Ronin. With meticulous attention to detail, Obligation Oishi oversees the full lifecycle of regulatory change management, from creation to governance of policies. Using AI, this samurai treats internal policies and controls consistently with external regulations, ensuring that all organizational commitments are documented and managed. Obligation Oishi’s dedication ensures that the organization has a comprehensive, up-to-date record of all obligations, providing a single source of truth that is essential for effective compliance management.
  5. Control Katana: The Master of Alignment. Next is Control Katana, whose blade slices through confusion to align controls with business objectives, regulatory requirements, and risks. Using AI-powered gap analysis, Control Katana compares internal policies against external regulations, standards, frameworks, and benchmarks to optimize control coverage and common or best practices. This samurai ensures that the organization’s controls are not only effective but also consistently governed and accountable. Control Katana’s mastery allows for the elimination of redundant controls and the streamlining of processes, creating a lean, efficient, and resilient system. This samurai’s vigilance ensures that every control is precisely where it needs to be, performing at its best.
  6. Automation Ashigaru: The Worker of Efficiency. The sixth samurai, Automation Ashigaru, is the tireless worker who automates repetitive tasks, freeing up the villagers to focus on more value-added activities. This samurai’s AI-driven capabilities streamline risk, compliance, control, and audit processes, conduct regular risk and control assessments, and quickly identify and resolve gaps. Automation Ashigaru’s relentless efficiency saves time and resources, making the village’s operations more effective and agile. This samurai’s contributions allow the organization to do more with less, enhancing overall productivity and effectiveness.
  7. Innovation Itō: The Pioneer of Progress. Last but not least, Innovation Itō is the visionary samurai who pushes the boundaries of what is possible. Using advanced AI techniques, this samurai explores new areas such as predictive analytics and artificial intelligence, continually enhancing the organization’s GRC capabilities. Innovation Itō’s insights and innovations drive continuous improvement, ensuring that the village is always ahead of the curve. Innovation Itō’s forward-thinking approach keeps the organization at the forefront of GRC best practices, enabling it to adapt and thrive in an ever-changing landscape.

The Battle: Defending Against the Bandits of Organization Objectives

Just as the seven samurai banded together to defend the village from bandits, the Seven AI Samurai of GRC work in unison to protect the organization from the myriad threats it faces in reliably achieving objectives, addressing uncertainty, and acting with integrity. Each samurai brings their unique skills to the table, creating a comprehensive defensive and offensive system that is greater than the sum of its parts.

  • Phase 1: Establishing Context. The first step is understanding the organization, its culture, its objectives, and its internal and external environments. This allows the seven AI samurai of GRC to have the context for the rest of the defensive and offensive measures.
  • Phase 2: Identifying Threats to Objectives. Next, Risk Ronin and Visibility Vassal take charge of identifying and assessing threats to the organization’s objectives. Risk Ronin uses his strategic insights to develop risk scenarios, while Visibility Vassal provides a clear view of all risk, compliance, and control activities in the context of objectives, ensuring that nothing slips through the cracks.
  • Phase 3: Establishing Defenses. The third step in defending the organization’s village is establishing robust defenses. Regulatory Ronin sets up a perimeter by continuously monitoring regulatory changes. Obligation Oishi documents all commitments, creating a strong foundation for compliance, while Control Katana aligns controls with business requirements to ensure that every entry point is fortified for resilience.
  • Phase 4: Automating Responses. With threats and defenses identified, Automation Ashigaru steps in to automate responses, streamlining processes and ensuring that the village can respond quickly and effectively to any situation. These efforts free up resources, allowing the organization’s villagers to focus on more critical tasks.
  • Phase 5: Innovating for the Future. Finally, Innovation Itō pushes the boundaries, exploring new AI technologies and methodologies to keep the village ahead of the game. These innovations ensure that the village is not only protected but also continually improving and adapting to new challenges.

Through the combined efforts of the Seven AI Samurai, the organization’s village is secure and resilient. Regulatory changes are monitored and addressed in real time, controls are aligned and optimized, obligations are meticulously documented, risks are accurately assessed and managed in the context of objectives, and processes are automated and efficient. With continuous innovation driving improvement, the organization is well-equipped to face any challenge that comes its way.

In the world of GRC, just as in Seven Samurai, success depends on the right combination of skills and strategies. The Seven AI Samurai of GRC offer a powerful analogy for how AI can be harnessed to automate and enhance governance, risk management, and compliance. By leveraging the unique strengths of each samurai, organizations can build a robust defense system that achieves business objectives, mitigates risks and uncertainty, ensures compliance, and drives continuous improvement while maintaining integrity.

So, as you navigate the complex landscape of GRC, remember the Seven AI Samurai. They are your protectors, your strategists, your workers, and your innovators who extend your current subject matter expertise – ensuring that your organizational village remains secure, resilient, and agile, ever-ready to face the future.

BTW – I will be interacting with Anthony Stevens, and his book “AI and the Future of GRC,” on the AI and the Future of GRC webinar on August 2 @ 10:00 am – 5:00 pm Chicago/CDT.

Understanding the Interrelationship of Risk and its Impact on Operations

This past week has seen a global risk event in the Crowdstrike/Microsoft outage that illustrates the need for organizations to address risk and resilience management . . .

Risk management is often misunderstood, misapplied, and misinterpreted due to scattered and uncoordinated approaches that get in the way of sharing data. Various departments manage risk with different approaches, models, requirements, and perspectives on risk and how it should be measured and managed. Risk management silos — where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions — pose a significant challenge for enterprise risk visibility and fail to provide actual value to the business in pursuit of objectives. Documents and spreadsheets are not equipped to capture the complex interrelationships that span global operations, business relationships, lines of business, and processes. Individual business areas focus on their own view of risk, not the aggregate picture, and cannot recognize substantial and preventable losses. When an organization approaches risk in scattered silos that do not collaborate, there is little opportunity to be intelligent about risk.

A siloed approach to risk management fails to deliver insight and context and makes it nearly impossible to connect risk management and decision-making, business strategy, objectives, and performance. This is because risk intersects, compounds, and interrelates with other risk areas to create a more significant risk exposure than each silo is independently aware of. Today, it is critical that all these roles work off the same data and that this risk data is clean, reliable, timely, and thus actionable and meaningful.

Keeping risk, complexity, and change in sync is a challenge not only when risk management is buried in the depths of departments but also when risk management is approached as a compliance or audit function and not as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy. Unfortunately, risk management is only an expanded view of routine financial controls for some organizations, resulting in nothing more than a deeper look into internal controls with some heat maps thrown in. It does not truly provide an enterprise view of risk aligned with strategy and objectives. Completing a risk assessment process and ticking the box has gotten in the way of proper risk analysis and understanding. 

ISO 31000 defines risk as the effect of uncertainty on objectives. Risk management is about managing uncertainty. Organizations need to link and measure risk to strategic objectives. Good risk management results in improved decision-making and fewer surprises when achieving the organization’s objectives. 

Today’s organization needs to be agile in managing risk and its impact on the organization’s objectives from the moment it is developing on the horizon, as well as resilient in recovering from risk events when they materialize. Organizations need to understand how to monitor risk-taking, measure whether the associated risks are the right risks to achieve objectives, and review whether the risks are managed effectively to ensure the organization’s agility and resilience. Amidst this uncertainty, effectively managing risk and building resilience has become imperative for organizational success. 

To manage risk effectively, organizations must adopt a holistic approach encompassing a top-down strategic view aligned with objectives and a bottom-up operational perspective embedded within processes and activities. This aligns with the OCEG definition of GRC where “GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].”

However, the modern organization faces many challenges in adopting an integrated risk and resilience management approach. These include:

  • Lack of risk agility. Organizations often struggle to respond promptly to emerging risks due to rigid processes and hierarchies. Failure to adapt quickly to changing circumstances can lead to missed opportunities or unanticipated threats.
  • Fragmented and inaccurate risk data. Siloed data across disparate systems makes obtaining a comprehensive view of risks challenging. Inaccurate or outdated data undermines the reliability of risk assessments and decision-making processes.
  • Limited visibility. Limited visibility into interconnected risks and dependencies hampers the ability to anticipate and mitigate potential impacts. Organizations are vulnerable to cascading failures without a clear understanding of the entire risk landscape.
  • Inefficient manual processes for risk management. Manual and disjointed risk management processes result in inefficiencies and delays. Hundreds or thousands of out-of-sync documents, spreadsheets, and emails encumber these processes. The lack of automation and standardized workflows impedes timely identification of and response to risks.
  • Inadequate risk reporting. Traditional risk reporting methods often fail to provide actionable insights or meaningful context. Poorly structured reports obscure critical risk information and hinder informed decision-making.
  • Limited scalability. Scalability challenges arise when existing risk management practices cannot accommodate growth or organizational changes. Scaling risk management efforts across multiple business units or geographies becomes increasingly complex.
  • Resource intensiveness. Resource constraints, both in terms of personnel and technology, hinder effective risk management efforts. Limited resources result in suboptimal risk mitigation strategies and increased vulnerability. Too often, GRC 20/20 hears that 80% of risk staff time is spent managing documents, spreadsheets, and emails rather than managing risk.
  • Ineffective collaboration. Siloed organizational structures and cultural barriers inhibit collaboration and information sharing. Lack of cross-functional collaboration undermines the ability to identify and address systemic risks.
  • Resilience planning gaps. Inadequate focus on resilience planning leaves organizations vulnerable to disruptions. Failure to anticipate and prepare for potential risk events can lead to significant operational disruptions and financial losses.
  • Difficulties in business change management. Resistance to change and organizational inertia pose challenges to keeping risk current as the business continuously evolves.

The Bottom Line: The goal is comprehensive, straightforward insight into risk and resilience management to identify, analyze, manage, and monitor risk in the context of the organization’s objectives and how it impacts strategy, performance, operations, processes, and services. It requires the ability to continuously monitor changing contexts and capture, as they occur, the changes in the organization’s risk profile from internal and external events that can impact objectives. This enables risk agility to forecast and plan for what is coming at the organization so it can prepare and navigate it. It also gives a detailed understanding of how the organization operates and how it breaks, to ensure resilience when risk becomes a reality. Successful risk and resilience management requires the organization to provide an integrated strategy, process, information, and technology architecture.

This post is an excerpt from GRC 20/20’s latest research paper: Risk & Resilience Management by Design and Illustrated in Risk & Resilience Technology Illustrated.

The Need for Contextual Awareness of Risk & Resilience

Dynamic, Disrupted & Distributed Business is Difficult to Control

Organizations take risks but fail to monitor and manage these risks effectively in an environment that demands risk agility and resilience. Too often, risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives. A cavalier approach to risk-taking results in the inevitable failure of risk management, providing case studies for future generations on how poor risk management leads to the demise of organizations – even those with strong brands. 

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping these changes and their impact on business strategy, operations, and processes in sync is a significant challenge. Organizations must see the intricate relationships and impacts of risks on objectives and processes. They need full contextual awareness of risk and resilience.

The complexity of business—combined with the intricacy and interconnectedness of risk and business objectives—necessitates implementing a strategic and integrated approach to risk and resilience management. This includes a top-down enterprise view of risk aligned with objectives and a bottom-up operational understanding of risk within the organization’s processes and relationships.

Over the past few years, organizations have seen lots of disruption to objectives. It has been a risk and resilience rollercoaster. Some industries and organizations have failed, while others held firm and navigated risk events with agility. But there are lessons to be learned. These include:

  • Interconnected risk. Organizations face an interconnected risk environment; risk and resilience cannot be managed in isolation. The organization needs to see across silos of risk management and understand the complex relationships between risks and objectives.
  • Dynamic and agile business. The organization needs to be agile in a changing risk environment. It must adapt objectives and seize opportunities while ensuring risk is managed within the limits set for those objectives. The organization needs to react quickly to stay in business. Organizations are constantly in flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with fluctuating strategies, technologies, and processes while keeping pace with changes in risk. The multiplicity of risk environments that organizations must monitor spans strategic, regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts buries the organization when it is done in silos.
  • Operational intelligence. Risk and resilience management, done correctly, requires a detailed and intimate understanding of how the business operates and how it breaks. Only with this intelligence can the organization manage uncertainty in the context of the business achieving its objectives. This has taught organizations that risk management requires a 360° view of objectives, risks, processes, and services within the organization and the extended enterprise.
  • Disruption. International and local events easily disrupt business. Organizations have had to respond to disruptions, geopolitical risk, unrest, economic uncertainty, inflation, commodity availability, competitive shifts, changes in business models, shifting regulations, environmental disasters, cyber risk, and more. Organizations face a complex, chaotic, and even hostile risk environment while attempting to manage high volumes of structured and unstructured risk data across multiple systems, processes, and relationships to see the big picture of performance, risk, and resiliency. The velocity, variety, veracity, and volume of risk data are overwhelming, disrupting the organization and slowing it down at a time when it needs to be agile and fast.
  • Dependency on others. No organization is an island; the modern organization is the extended enterprise. Even the smallest of organizations can have distributed operations complicated by a web of global relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions that now define the organization. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. This requires the organization to manage and monitor risk and resilience in third-party relationships.
  • Risk ownership and accountability. There is a growing awareness among executives and directors that risk management needs to be taken seriously. Overseeing risk management as an integrated part of business strategy and execution is part of their fiduciary obligations.

The Bottom Line: The goal is comprehensive, straightforward insight into risk and resilience management to identify, analyze, manage, and monitor risk in the context of the organization’s objectives and how it impacts strategy, performance, operations, processes, and services. It requires the ability to continuously monitor changing contexts and capture, as they occur, the changes in the organization’s risk profile from internal and external events that can impact objectives. This enables risk agility to forecast and plan for what is coming at the organization so it can prepare and navigate it. It also gives a detailed understanding of how the organization operates and how it breaks, to ensure resilience when risk becomes a reality. Successful risk and resilience management requires the organization to provide an integrated strategy, process, information, and technology architecture.

This blog post is an excerpt from GRC 20/20’s latest research paper: Risk & Resilience Management by Design.

Understanding Corruption: Navigating Third-Party Risk in Supplier and Vendor Relationships

Modern organizations are not defined by brick-and-mortar walls and traditional employees; they are extended enterprises comprising third-party relationships, which often nest themselves in layers and transactions of complexity. In today’s interconnected business landscape, the complexity and scope of supply chains are expanding, bringing significant third-party risks, especially related to bribery and corruption. Managing these corruption risks is crucial for maintaining compliance and upholding a company’s integrity.

Organizations need a clear understanding of corruption in the context of third-party risk in supplier and vendor relationships, particularly when faced with the U.S. Foreign Corrupt Practices Act (FCPA), U.K. Bribery Act, France’s Sapin II, and other notable enforcement actions.

Corruption within supply chains typically manifests . . .

[The rest of this blog can be read on the EthixBase360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Is Your Risk Management Program Driving with the Rearview Mirror?

Imagine driving a car while only looking in the rearview mirror, occasionally glancing at your dashboard. This is how many organizations approach risk management today—focused on past issues and compliance-driven metrics, with little attention paid to future objectives and the road ahead. Effective risk management requires not just a look back or a status check, but a clear view of where the organization is headed and the risks along the way.

In the landscape of governance, risk management, and compliance (GRC), there’s a prevalent but misguided approach that begins with compliance rather than governance. Logically, one might expect the acronym to be CRG, reflecting the common tendency where compliance takes precedence over governance and strategic performance considerations. This approach can lead to fragmented risk management efforts and overlooks the foundational role that governance plays in setting objectives and guiding risk mitigation strategies. Governance serves as the bedrock from which effective risk management can spring forth, adhering to ISO 31000’s view of risk as the effect of uncertainty on objectives.

The GRC Capability Model, as defined by OCEG (www.OCEG.org), offers a clear perspective: risk management is “a capability to reliably achieve objectives, address uncertainty, and act with integrity.” This definition underscores the proper sequence: governance first establishes clear objectives across various organizational levels—from overarching entity goals to specific project or process aims.

Looking in the Rearview Mirror: Past Issues and Compliance

Many organizations focus heavily on past issues, akin to driving by looking only in the rearview mirror. They implement controls to ensure compliance with regulations and standards based on previous incidents and failures. While this historical perspective is crucial—it helps understand what went wrong and prevents recurrence—it should not dominate the risk management approach. For instance, a financial institution might focus extensively on compliance with anti-money laundering (AML) regulations after a past violation, ensuring all processes meet regulatory standards. However, if this focus on past issues blinds them to emerging risks in digital fraud or cybersecurity, they could miss significant threats on the horizon.

Glancing at the Dashboard: Current Operations

Paying attention to the dashboard represents the current state of operations—monitoring key metrics and ensuring everything is functioning properly. This is important as it provides real-time insights into the organization’s health and performance. For example, a manufacturing company might closely monitor its supply chain metrics, such as inventory levels and supplier performance, to ensure smooth operations. Yet, focusing solely on these indicators without looking ahead to potential supply chain disruptions or geopolitical risks can leave the company unprepared for future challenges.

The Road Ahead: Strategic Risk Management

Effective risk management is about knowing your objectives and where you are headed, and understanding the risks that lie ahead as you navigate the road of risk and objectives. It requires a forward-looking perspective that integrates past learnings and current operations with strategic foresight. This is akin to driving with a clear view of the road ahead, using navigation tools to anticipate turns, obstacles, and opportunities.

For instance, consider a tech company planning to expand into new markets. Strategic risk management would involve not only complying with current data privacy regulations (rearview mirror) and monitoring ongoing operations (dashboard) but also anticipating future regulatory changes in those new markets and potential competitive threats. This proactive approach allows the company to adapt its strategy, mitigate risks, and seize opportunities effectively to achieve its objectives in market expansion.

Achieving this forward-looking view of risk to objectives demands a holistic approach where risk management is fully embedded within the fabric of business and management practices. It requires robust modeling, definition, and ongoing monitoring of business objectives and processes to ensure that risk efforts are not isolated but intricately woven into the organization’s operational fabric. Effective risk management, therefore, manages uncertainty within the broader context of performance, objectives, and operational processes, thereby optimizing resilience and strategic alignment.

Organizations must ensure that their risk management systems are not just looking backward at past issues or glancing at the current status but are focused on future objectives and the road ahead. This forward-looking approach will empower organizations to achieve their strategic goals with greater confidence and resilience, ensuring they can navigate the complexities of today’s business landscape effectively.

In conclusion, elevating risk management from a compliance-centric to a performance-driven integration involves shifting focus from the rearview mirror to the road ahead. It requires a balanced view that incorporates past learnings, current operations, and future objectives, enabling organizations to manage risks proactively and strategically. By doing so, organizations can ensure that risk management becomes a driver of performance excellence and a cornerstone of sustainable success.

Check out GRC 20/20’s latest published research:

  • Risk & Resilience Management by Design: 360° Visibility Into Risk Resilience Management. The modern business environment’s complexity and interconnected risks necessitate an integrated approach to risk and resilience management, moving beyond compliance to strategic alignment with organizational objectives. Key challenges include managing interconnected risks, maintaining agility in a dynamic environment, and ensuring comprehensive operational intelligence. A robust strategy involves establishing a cross-functional risk management team, formalizing a risk charter, and defining clear policies. Effective risk management architecture integrates process, information, and technology to support decision-making and risk mitigation. Building a business case for investment in risk management requires assessing the current state, defining the future state, and developing a transition roadmap to enhance efficiency, effectiveness, resilience, and agility, ultimately supporting the organization’s strategic goals.