Why the Banking Crisis is Back

The following is an article published in the latest issue of Enterprise Risk Magazine (Summer 2023) starting on page 16. This article was authored by Michael Rasmussen, Analyst & Pundit at GRC 20/20 Research, and William Gonyer of Group697.

The latest banking crisis in North America has put potential failures of regulation, governance and risk management back in the spotlight.

Springtime often becomes a metaphor for change, new growth and transformation. While change and transformation tend to be the by-product of dissatisfaction with behaviours and patterns that are no longer tenable to the present situation, sometimes this change is also involuntary in its nature – an uncomfortably forced evolution that imposes progress on us. Springtime this year has pushed forward a mass sobering for the banking industry. After riding a wave of ultra-low interest rates and high market liquidity, a domino effect of events has brought on the failure of several major regional American banks, marking the greatest shake-up of the global financial system since the financial crisis of 2007-08.

As the age-old adage goes, “there is nothing new under the sun.” The driving factors that led to the collapse of Lehman Brothers, Bear Stearns, Wachovia and Washington Mutual are almost identical to the key drivers of this year’s failures of Silicon Valley Bank (SVB) and Signature Bank: a gross failure of governance and risk management. First Republic, discussed below, is the exception.

Situational awareness

The interconnectedness of organisational objectives, risks, resilience and integrity requires 360° situational awareness of governance, risk and resiliency. Organisations must see the intricate relationships and impacts of objectives, risks, processes and controls. It requires holistic visibility and intelligence regarding risk and resiliency.

Organisations such as banks and other financial institutions take risks all the time. Still, the failure to monitor and manage these risks effectively in an environment that demands agility can create a tinderbox of potential catastrophe. Too often, risk management is seen as a compliance exercise and is not truly integrated with the organisation’s strategy, decision-making and objectives. The result is the inevitable failure of governance, risk and compliance (GRC) and risk management, providing case studies for future generations on how poor GRC management leads to the demise of organisations.

The collapse of SVB is one of the most blatant cases of this. SVB failed to institute some of the most basic risk management practices by industry standards. From the end of 2019, SVB’s deposits grew from $61 billion to $189 billion by quarter 4 of 2021. Interest rates at the time were so low that these deposits were treated as free money, at an average cost of about 25 basis points. SVB used these inflows to double its loan book to $66 billion and to push far beyond average industry risk parameters with its held-to-maturity (HTM) securities portfolio, ramping what was mostly agency mortgage holdings from $13.5 billion at quarter 4 of 2019 to $99 billion at quarter 4 of 2021.

SVB’s big problems were with its HTM portfolio. The bank increased its securities portfolio roughly sevenfold, buying in at a generational top in the bond market: $88 billion of mostly 10-year-plus mortgage securities with an average yield of just 1.63 per cent. In the absence of adequate interest rate risk management, this produced massive unrealised losses when the Federal Reserve began hiking its benchmark interest rate.

Deregulation

SVB’s HTM securities had mark-to-market losses as of quarter 3, 2022 of $15.9 billion, against just $11.5 billion of tangible common equity. Because of lobbying for deregulation by SVB and other midsized banks such as Signature Bank (on whose board sat Barney Frank, co-author of the Dodd-Frank Act), regulators did not require SVB to mark its HTM securities to market. Internally, however, the bank should have been doing this anyway, and running its risk models against rising rates.
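To make the mechanism in the two preceding paragraphs concrete, here is an added illustration (not from the article, and not a reconstruction of SVB’s actual book) of how a fixed-yield bond portfolio loses value when market yields rise. It takes the article’s figures for the book ($88 billion at an average yield of 1.63 per cent) and for tangible common equity ($11.5 billion), and assumes a 10-year bullet maturity, semi-annual coupons and a hypothetical set of market yields to mark the book against. Those assumptions and the `bond_price`, `mtm_loss` and `loss_table` helpers are mine.

```python
"""Mark-to-market sensitivity of a fixed-yield, held-to-maturity bond book.

Added illustration (not from the article): price a bond bought at par at a
new market yield, turn the price change into an unrealised loss on the whole
book, and compare that loss with tangible common equity.  The maturity and
the list of market yields are assumptions made for the illustration.
"""


def bond_price(face, coupon_rate, ytm, years, freq=2):
    """Present value of a plain fixed-coupon bond.

    face         redemption amount (100.0 gives a price per 100 of par)
    coupon_rate  annual coupon as a fraction of face
    ytm          annual yield to maturity, compounded `freq` times a year
    years        years to maturity
    """
    periods = int(round(years * freq))
    coupon = face * coupon_rate / freq
    r = ytm / freq
    pv_coupons = sum(coupon / (1 + r) ** k for k in range(1, periods + 1))
    pv_face = face / (1 + r) ** periods
    return pv_coupons + pv_face


def mtm_loss(book_value, coupon_rate, new_yield, years, freq=2):
    """Unrealised loss on a book bought at par (coupon == purchase yield)
    if it were marked at `new_yield` today.  Positive means a loss."""
    price = bond_price(100.0, coupon_rate, new_yield, years, freq)
    return book_value * (1.0 - price / 100.0)


def loss_table(book_value, coupon_rate, years, yields, equity):
    """Return (market yield, unrealised loss, loss as a multiple of equity)
    for each market yield, in the order given."""
    rows = []
    for y in yields:
        loss = mtm_loss(book_value, coupon_rate, y, years)
        rows.append((y, loss, loss / equity))
    return rows


if __name__ == "__main__":
    # Figures the article gives for SVB: $88bn of securities bought at an
    # average yield of 1.63%, against $11.5bn of tangible common equity.
    BOOK = 88e9
    PURCHASE_YIELD = 0.0163
    EQUITY = 11.5e9
    # Assumptions for the illustration: a 10-year bullet maturity and a set
    # of hypothetical market yields to mark the book against.
    YEARS = 10
    MARKET_YIELDS = [0.0163, 0.03, 0.04, 0.05]

    print(f"{'yield':>7} {'unrealised loss':>18} {'loss/equity':>12}")
    for y, loss, ratio in loss_table(BOOK, PURCHASE_YIELD, YEARS, MARKET_YIELDS, EQUITY):
        print(f"{y:7.2%} {loss / 1e9:15.1f} bn {ratio:12.2f}")
```

Running it prints the unrealised loss at each market yield and its ratio to equity. The exact figures depend on the assumed maturity, but the shape does not: the loss grows roughly with duration times the move in yields, so a long-dated book bought at 1.63 per cent exhausts an $11.5 billion equity cushion well before yields reach the 4 per cent that money market funds were paying. A bank running this calculation against its own book every quarter would have seen the gap open long before regulators did.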

The deregulation that enabled this increased risk tolerance came when Congress passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), also known as the Dodd-Frank Reform Act. Signed into law in May 2018, it raised the asset threshold for systemically important financial institutions (SIFIs) from $50 billion to $250 billion, effectively reducing the regulatory burden on many midsized banks such as SVB and First Republic.

On top of this, because of the Federal Reserve’s interest rate hikes, SVB saw accelerating deposit outflows (-6.5 per cent year to date in January), a shift in mix away from non-interest-bearing accounts and skyrocketing interest costs (money market funds now yield 4 per cent), as well as deposit drawdowns driven by the rising burn rates of its venture-backed clients. As SVB’s funding costs reset higher, the bank faced a large negative carry on its HTM portfolio, which was largely a fixed-yield securities portfolio.

But SVB’s greatest failures extend to the top: its leadership. The Federal Reserve’s review described SVB as a “textbook case of mismanagement” and described a failure by the board of directors to oversee senior leadership and hold it accountable. Only one member of SVB’s board had previous banking experience. The practices and procedures of SVB’s risk management team raise serious questions about its competence, given the evident gaps in its risk management frameworks. SVB “failed to establish a risk-management and control infrastructure suitable for the size and complexity of SVBFG when it was a $50 billion firm, let alone when it grew to be a $200 billion firm”, the review said. SVB had 31 unaddressed supervisory warnings on safety and soundness, more than triple the average for peer banks. The bank was also left without a chief risk officer for seven months in 2022, a gap that demands an explanation. The findings of the Federal Reserve and the Treasury Department on the bank’s risk management practices raise further questions beyond the obvious conclusions: SVB failed to institute an adequate asset-liability committee, focused on short-term profits and neglected the associated long-term risks.

Bad timing

The relaxing of Dodd-Frank also came at the worst possible time. It happened almost a year before the start of a Federal Reserve tightening cycle and at the natural end of an era of economic expansion, one later disrupted by the emergency monetary interventions of the global COVID-19 pandemic. Midsized banks could now take on greater risk, and they did so during a period of irregular economic conditions and expanded emergency liquidity.

First Republic’s portfolio arguably could have withstood the rate fluctuations. However, First Republic lost more than half of its deposit base amid SVB’s collapse, pushing the bank into critical territory and ultimately leading to its seizure by the Federal Deposit Insurance Corporation (FDIC) and sale to JPMorgan Chase. This was the second-largest bank collapse in US history, after Washington Mutual in 2008.

First Republic’s traditional savings and loan business model was arguably sound. It catered to wealthier clients in the tech sector, targeting employees at companies such as Apple, Alphabet and Meta; First Republic even had a branch inside Facebook’s headquarters. First Republic’s failure was purely panic-induced. Even with paper losses on low-interest loans and its interest rate mismatch, the bank could have survived had it not been forced to rapidly fund withdrawals by depositors seeking higher returns elsewhere, as well as outflows triggered by panic amid the failure of SVB. As a result, the bank had to rely on government lending facilities at rates that exceeded its income in an attempt to ride out the storm. First Republic’s problems are reminiscent of the Bailey Building and Loan in Frank Capra’s 1946 film It’s a Wonderful Life, only in this not-so-wonderful life the townspeople did not temper their panic and rally around their community bank.

Re-regulation

The recent failure of these regional banks will likely trigger a new wave of regulations and guidelines, as well as a reversal of the changes made to the regulatory framework for midsized banks in 2018. Regulators need to recognise that, given the increased scale of the financial system, midsized banks that are only regionally important can still pose significant systemic risk; supervisory authorities do not have the resources to monitor all of their activities and should not underestimate the propensity for mismanagement. The asset threshold for enhanced prudential standards for SIFIs should be reversed from $250 billion to $50 billion. Regulators and organisations with large deposits also need to consider the concept of dual fiduciary duty.

In the case of SVB, a bank of choice for many venture capital firms and venture-backed companies, the burden of large-deposit risk cannot fall solely on the bank. Venture capital firms, although exempt from many of the regulations and compliance burdens of hedge funds and other asset managers, were arguably negligent in managing cash risk on behalf of their limited partners, and thus somewhat complicit in the concentration of risk at SVB. The leading practice among asset managers is to hedge cash risk through treasuries. A venture capital firm’s responsibility to its investors must extend to the cash risk within its portfolio companies.

Too often, regulators and bank managers alike make policy solely in the vacuum of a crisis. Policy developed in that vacuum is inherently inadequate, since it usually addresses only the causes and symptoms of the present crisis. Supervisory authorities need to consider expanded guidelines for bank governance and leadership, and the people who set policy for financial institutions should meet qualification standards. All bank board members should be certified to a minimum qualification standard by supervisory authorities such as the Office of the Comptroller of the Currency (OCC), the FDIC and the Financial Industry Regulatory Authority (FINRA).

Cost of failure

While the US Department of the Treasury and the Federal Reserve have taken responsibility for inadequate supervision of these troubled midsized banks, financial institutions now need to realise, more than ever, that a higher legally permitted risk tolerance is not the same as an acceptable one. Banks must institute more sophisticated internal risk frameworks that include significantly more severe stress tests for implied volatility.

Major money centre banks are required to test against a wide range of scenarios for long-term resilience. Midsized and even small banks need to develop their own internal frameworks, beyond the demands of compliance, that mirror the top of the industry at their scale, even at the cost of profits, because the cost of a bank failure is far greater than the profits forgone by not growing unsustainably. Banks currently under pressure should consider consolidating with peer banks before they are forced into consolidation, liquidation or shotgun acquisitions. Well-structured asset-liability committees and audit committees should become universal practice for banks of all sizes.

The Federal Reserve’s review of SVB concluded, in effect, that two of the three critical weaknesses of the bank were governance and risk management. It further concluded that while SVB was compliant, compliance alone was inadequate, because the regulation and supervisory frameworks themselves were inadequate to prevent the bank’s failure. The second- and third-largest bank collapses in US history have set the stage for a new wave of regulation to close neglected gaps in financial services in the United States, the European Union, the United Kingdom, the Commonwealth and beyond.

2023 GRC Trends: Resilience (continued) . . .

In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility, and then explored GRC resilience . . . and we continue with resilience before we move on to the third trend of five, integrity . . .

I know, I know . . . I already posted on resilience. But I have more to say.

But first, some backstory. A good research analyst engages and talks to those in the trenches doing governance, risk management, and compliance. An analyst who sits in an ivory tower and makes people and organizations scurry up the tower to seek wisdom is not part of the real world. Good research, including market research, means rolling up the sleeves and getting involved. In my travels, I make sure to book meetings with organizations to see what they are doing: what keeps them up at night in the context of GRC, and how they solve those nightmares and challenges with strategy, process, and technology. I love getting involved in RFPs and keeping solution providers honest in them.

Last week I had one, actually several, of those amazing interactions while in London. One that really stood out, with a global hospitality firm, was on the topic of risk and resilience management.

First, resilience is critical to them. After reading my blogs on the topic and engaging their business, they have shifted their department’s focus to resilience: Risk, Resilience & Assurance, that is.

A key element of the resilience trend I previously wrote on, which they confirmed, is that the line of business embraces it. Risk is often passed around like a hot potato: who wants to own and be accountable for risk? But resilience is something the board, executives, and the line of business understand and desire. Who does not want a resilient business? They have found that the business is more apt to engage with and own resilience than risk management.

Even with resilience as a core message of engagement, it is about maturing risk management in the business itself and enhancing risk culture throughout the organization. They desire risk management to be a business enabler of strategic value to the organization. Even ESG they are approaching through the concept of strategic resilience. Their risk and resilience management strategy is not to mitigate risk but to facilitate management ownership, accountability, and management of risk.

Some of their concerns in this risk and resilience topic:

  • Too big a risk team. Risk and resilience staff should be facilitators of risk management by the business. If the risk team is too big, it ends up owning the risk, at least in perception.
  • Are they touching the important parts of the business? Risk and resilience need to be engaged with the business, and the business evolves. It is important to continuously evaluate business engagement in the midst of change.
  • Doing the same thing. If they are doing the same thing every month or quarter, they are in a routine of assessments. Risk is dynamic and changes. They need to be constantly evolving.
  • LEAVING A LEGACY. I love this one. They want to leave a legacy of risk management excellence for the next generation to build upon.
  • Agility and the horizon. Keeping abreast of what is developing on the horizon that can impact them: forecasting and running scenarios on the complexity and intersection of risks in inflation, interest rates, the economy, geopolitics, operations, regulation, and more.
  • Servant leadership. Ensuring they engage the business with a servant-leadership attitude on risk management.

One development they are keenly interested in is the U.K. Government’s proposed requirement for entities to publish resilience statements. Part of the corporate governance reforms often referred to as UK SOX, the proposal from BEIS (Department for Business, Energy and Industrial Strategy) would require resilience statements to improve how organizations identify, manage and report on the resilience risks most material to their business. It would apply to Public Interest Entities (PIEs) with 750 or more employees and £750 million or more in annual turnover, and would require companies to carry out short- and medium-term resilience risk assessment and management, as well as reverse stress testing and reporting on resilience.

Why ESG Success Requires Effective Policy Management (Strategy, Systems and Processes)

GRC 20/20’s Michael Rasmussen will be speaking on the topic of this blog in the webinar: Got ESG? Show Me Your Policies!

ESG – environmental, social, governance – is pressuring organizations from various angles. 

Corporate investors are making investment decisions based on ESG practices. Executives and board members can lose their positions if they do not meet ESG metrics. Various regulations, some specific and some broad, require ESG compliance, reporting, and engagement. Employees and business partners decide whom they work with based on shared values.

In this context, many organizations are starting ESG strategies and processes. The common question is: where do we start?

The answer is simple: you start with your existing policies . . .

2023 GRC Trends: Resilience

In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. Then we dove deep into the first trend of the need for GRC agility. We now turn to the second trend of five, resilience . . .

Dynamic, Disrupted & Distributed Business is Difficult to Control

The complexity of business, combined with the intricacy and interconnectedness of risk and objectives, requires that the organization implement a strategic approach to business and operational resilience.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping changes to business strategy, operations, and processes in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. The interconnectedness of objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resilience. Organizations must see the intricate relationships and impacts of objectives, risks, processes, and controls. It requires holistic visibility and intelligence into risk and resilience. 

There is a lot of focus right now on resilience. Resilience is the capacity to recover quickly from difficulties or events: the ability of a business to spring back into shape after an event. This is critical, and I see many organizations bringing operational risk management and business continuity management together into what is now defined as an operational risk and resilience program. Business continuity management as a separate function in the organization is a thing of the past. Over the next two to three years we will see a mass migration to integrated operational risk and resilience programs.

The Resilience Challenge to Boards, Executives, and Management

Keeping resilience, complexity, and change in sync is a significant challenge for boards, executives, and management professionals throughout the organization. The challenge is even greater when resilience management is buried in the depths of departments and approached from a compliance or continuity angle rather than as an integrated discipline of decision-making with a symbiotic relationship to performance and strategy. It is compounded further when business continuity programs are completely disconnected from risk management.

Resilience in the modern organization is challenging because the organization is:

  • Distributed. Even the smallest of organizations can have distributed operations complicated by a web of global relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions that define the organization. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy.
  • Dynamic. Organizations are in a constant state of flux as distributed business operations and relationships grow and change. At the same time, the organization is trying to remain competitive with fluctuating strategies, technologies, and processes while keeping pace with changes in risk. The multiplicity of risk environments that organizations must monitor spans regulatory, geopolitical, market, credit, and operational risks. Managing risk and business change on numerous fronts buries the organization when it is done in silos.
  • Disrupted. Organizations are attempting to manage high volumes of structured and unstructured risk data across multiple systems, processes, and relationships to see the big picture of performance, risk, and resilience. The velocity, variety, veracity, and volume of risk data is overwhelming, disrupting the organization and slowing it down at a time when it needs to be agile and fast.
  • Accountable. There is a growing awareness among executives and directors that risk management needs to be taken seriously. It is part of their fiduciary obligations to oversee risk management as an integrated part of business strategy and execution.

The ecosystem of business objectives, uncertainty/risk, and integrity is complex, interconnected, and requires a holistic contextual awareness of the organization – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impacts the entire ecosystem.

This interconnectedness of business drives demand for 360° contextual awareness in the organization’s resilience processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations must see the intricate intersection of objectives, risks, and boundaries across the business. 

Firms globally and across industries are integrating their resilience (historically business continuity/disaster recovery) programs into enterprise and operational risk management, and broader GRC. In some industries this is becoming a key regulatory requirement. Delivering it requires a holistic view of the objectives and processes of the organization in the context of uncertainty and risk, and of the symbiotic interaction between risk management and business continuity.

Business or Operational Resilience?

Business resilience is broader than operational resilience and includes it. Consider the following . . .

  • Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
  • Operational resilience is a component of business resilience focused on business processes, services, people, systems, and relationships.

Operational resilience is not business continuity 2.0. It is much more than that. Operational resilience is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party risk management.

Providing 360° Integrated Awareness of Risk and Resilience

Organizations need complete 360° situational awareness and visibility into their processes, operations, objectives, and risks. What complicates this is the exponential effect of risk on the organization. Business operates in a world of chaos, and even a small event can cascade, develop, and influence what ends up being a significant issue. Dissociated, siloed approaches to risk and resilience management that do not span processes and systems can leave the organization with fragments of truth that fail to see the big picture across the enterprise, as well as how it impacts its strategy and objectives. The organization needs visibility into objective and risk relationships across processes. The complexity and intricacy of business, and the interconnectedness of risk data, require that the organization implement an enterprise view of risk and resilience monitoring, automation, and enforcement.

Successful resilience requires the organization to provide an integrated strategy, process, information, and technology architecture. The goal is a comprehensive, straightforward insight into resilience to identify, analyze, manage, and monitor risk in the context of operations, processes, and services. It requires the ability to continuously monitor changing contexts and capture changes in the organization’s risk profile from internal and external events as they occur that can impact objectives. As a result, organizations are measuring their current state and planning toward a future state of increased resilience maturity in the organization.

Delivering 360° Situational Awareness of ESG Starts With a Proper Diagnosis

ESG – Environmental, Social & Governance – pressure is mounting from multiple fronts for organizations to implement ESG reporting in their organizations. ESG has the momentum and force to become a significant measurement of the organization’s integrity. 

One thing to note, ESG is more than the E (environmental). Too often organizations lead with the E and perceive that ESG is just about environmental values and climate change. It is so much more than this. The S (social) and the G (governance) need to be addressed as well in ESG . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ANSARADA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

2023 GRC Trends: Agility

In the previous post, 2023 Governance, Risk Management & Compliance, we reviewed the top five 2023 GRC trends. We now dive deep into the first of those trends, agility . . .

Gone are the years of simplicity in business operations. The interconnectedness of objectives, risks, resilience, and integrity require 360° contextual awareness of risk and resiliency. Organizations must see the intricate relationships and impacts of objectives, risks, processes, and controls. It requires holistic visibility and intelligence into risk and resiliency.

Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility. Too often, risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives. It results in the inevitable failure of GRC and risk management, providing case studies for future generations on how poor GRC management leads to the demise of organizations – even those with strong brands.

Organizations need complete 360° situational awareness and visibility into their processes, operations, objectives, and risks. What complicates this is the exponential effect of risk on the organization. The business operates in a world of chaos, and even a small event can cascade, develop, and influence what ends up being a significant issue.

Dissociated siloed approaches to GRC management that do not span processes and systems can leave the organization with fragments of truth that fail to see the big picture across the enterprise, as well as how it impacts its strategy and objectives.

The organization needs agility into GRC and, with that, visibility into objective and risk relationships across processes. The complexity of business and intricacy, as well as the interconnectedness of risk data, requires that the organization implement an enterprise view of GRC to see what is coming at the organization and prepare the organization.

Agility is a thing of beauty. I love watching acts of agility. Take parkour, for example: how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing. A few years back I was doing a lot of Spartan races. For me that was not agility but more of an awkward ox doing obstacles; for others, it was amazing what they could do in the environment given to them.

When I think of agility, my mind immediately goes to Legolas, the elf in The Lord of the Rings. Though I prefer the books, the films were amazing, and so was the agility of Legolas in the midst of battle: how he moves about the threats and enemies around him and seizes opportunities for victory. Gimli, the dwarf, is the embodiment of resilience. He is built like a tank and simply withstands the beating and the hits as he pummels forward to victory. We will talk about the resilience trend in the next blog. Resilience is the capacity to recover quickly from difficulties or events; the ability of a business to spring back into shape after an event.

However, there is more that needs to happen. Organizations also need to be agile. Agility is the ability of an organization to move quickly and easily, and the ability to think and understand quickly. Good risk management clearly understands the objectives of the organization, its performance goals, and its strategy, and continuously monitors the environment for 360° situational awareness in order to be agile: to see both opportunities and threats, so the organization can think and understand quickly and be prepared to move, seizing opportunities while avoiding threats and exposures to the organization and its objectives.

We need agile organizations to avoid and prevent events, but we also need agility to seize opportunities and reliably achieve (or exceed) objectives. Agility is not just the avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage in advancing the organization and its goals. Organizations need to be agile and resilient. GRC needs to be an integrated part of performance, objective, and strategy management to achieve this capability, enabling situational awareness for the organization so it can seize opportunities as well as avoid exposures and threats.

So today’s modern organization needs GRC that enables enterprise agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between agility with operational risk and resiliency that organizations need to develop in today’s dynamic, distributed, and disrupted business.

How Moving from Spreadsheets to a GRC Solution Provides Better Reporting

Spreadsheets are the most prevalent GRC tool used by organizations. Their use, particularly in reporting, leads to the inevitability of failure. 

Consider one organization that was spending 200 hours building a report for the board on risk events that have happened. All the information was trapped in spreadsheets that they had to aggregate, tabulate, and build this report from. Every year 200 hours (it now takes them a minute). The last year they did it this way, they found out they had risk issues that started eleven months back. That is not managing risk; that is reacting to it well after the fact. 

Another example is a . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ANSARADA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

2023 Governance, Risk Management & Compliance Trends

Below is Michael Rasmussen’s article in The IRM Global Risk Trends 2023 report, published by the Institute of Risk Management (The IRM).

The complexity of business combined with the intricacy and interconnectedness of risk and objectives necessitates that the organization implements a strategic approach to business and operational risk and resiliencein 2023.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations,globalization, distributed operations, competitive velocity, technology, and business data encumber organizations ofall sizes.

Keeping changes to business strategy, operations, and processes in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business in 2023 and beyond.

The interconnectedness of objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resiliency. Organizations need to see the intricate relationships and impacts of objectives, risks, processes, and controls. It requires holistic visibility and intelligence into risk and resiliency.

The ecosystem of business objectives, uncertainty/risk, and integrity is complex, interconnected, and requires a holistic contextual awareness of the organization – rather than a dissociated collection of risk management processes and departments.

Change in one area has cascading effects that impact the entire ecosystem.

This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s risk management processes in 2023 to reliably achieve objectives, address uncertainty, and act with integrity.

Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business.

Organizations in 2023 are Focusing on the Following Five Areas in Their GRC Management Strategies:

  1. Agility. The last few years have brought global uncertainties, geopolitical tensions with a war in Ukraine, and impacts on business operations and supply chains. Organizations are now turning their attention to being agile in risk in 2023: to see what is coming at the organization in the next six months, a year, or two years, go through scenarios, and prepare the organization for uncertainty so it can take the best path forward. Risk agility is looking ahead and preparing the organization.
  2. Resilience. This is where many organizations have been focused, but they are still working on improving. Agility allows us to navigate our environment and see what is coming at us. Resilience is the ability to recover from a risk event and minimize the impact on the organization. Risk agility and risk resilience are very symbiotic and play off each other; both have become essential to risk management programs in 2023.
  3. Integrity. With a global focus on ESG, risk management programs will shift from laying the groundwork for ESG in organization structures and reporting to operationalizing ESG within the organization. At the end of the day, ESG is about the integrity of the business. The organization communicates its values, ethics, and commitments . . . is this being done? Risk management plays a critical role in navigating uncertainty to ensure the integrity of the organization in the era of ESG in 2023.
  4. Accountability. There was a growing focus on board and executive-level accountability in 2022 that will extend and grow in 2023. Accountability regimes have expanded around the world – UK, Ireland, Australia, Hong Kong, Singapore, and now South Africa. There is a growing focus in the USA with the Department of Justice and SEC on greater accountability for risk and compliance, and a US state-level accountability focus in New York and California. Most recently, Uber’s former CISO was held personally accountable for a security breach.
  5. Engagement. Risk is not taken and managed in the back office of risk management. Risk happens throughout the business at all levels of the organization. This requires that organizations in 2023 focus on risk culture, risk awareness, and proper risk management skills from the front line up through operational management to executives and the board. Good risk management engages all levels of the organization. It is time for organizations to take another read through the IRM Risk Culture: Resources for Practitioners as they enter 2023.

What is clear is that organizations need complete 360° situational awareness and visibility into risks in 2023. Business operates in a world of chaos, and even a small event can cascade, develop, and influence what ends up being a significant issue. Dissociated, siloed approaches to risk management that do not span processes and systems can leave the organization with fragments of truth that fail to see the big picture across the enterprise, as well as how it impacts their strategy and objectives.

The organization needs visibility into risk. The complexity and intricacy of business, as well as the interconnectedness of risk data, requires that the organization implement an enterprise view of risk monitoring, automation, and enforcement.

Successful risk management in 2023 requires the organization to provide an integrated strategy, process, information, and technology architecture. The goal is comprehensive, straightforward insight into risk and resilience management to identify, analyze, manage, and monitor risk in the context of operations, processes, and services.

It requires the ability to continuously monitor changing contexts and capture changes in the organization’s risk profile from internal and external events as they occur that can impact objectives.


Michael Rasmussen is a Global Ambassador of Risk Management and Honorary Life Member of the IRM and an internationally recognized pundit on governance, risk management and compliance.

Enabling 360° Intelligence of Third-Party Relationships

The Organization: an Interconnected Web of Relationships

No man is an island, entire of itself; Every man is a piece of the continent, a part of the main.

From English poet John Donne’s Devotions upon Emergent Occasions (1624), Meditation XVII.

Substitute ‘man’ with ‘organization’ and seventeenth-century English poet John Donne could be describing the post-modern twenty-first century organization: no organization is an island unto itself, every organization is a piece of the broader whole.

The structure and reality of business today has changed. Traditional brick-and-mortar business is a thing of the past; physical buildings and conventional employees no longer define the organization. Instead, the modern organization is an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries and nest themselves in layers of relationship complexity. Even the smallest organization can have dozens of relationships that they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers.

With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships is critical. Without effective governance of the extended enterprise, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives. 

In a dynamic risk environment, resiliency requires agility and the ability to navigate uncertainty in business relationships. Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence across risk domains with insights to both assess the current and future risk landscape and drive sagacious action. 

The Inevitability of Failure: Fragmented Views of Third-Party Risk

Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices with limited to no risk intelligence. Recent technological advances in automation, natural language processing, machine learning, and data science enable organizations to be more effective and do more with fewer resources. Unfortunately, too many organizations have failed to seize the opportunity to evolve beyond expensive and inefficient legacy solutions.

Failure in third-party risk management comes about when organizations rely on outdated risk practices with limited to no risk intelligence, including: 

  • Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and an agile information and intelligence architecture. The risk posed by a third party for one business function may seem immaterial but is significant when factored into multiple risk exposures across all the business functions monitoring other risks of the same third party. Without a single pane of risk intelligence visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated, introducing more risk.
  • Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. While risk functions are operating with limited budgets and human teams, they need to do more with less. Truly effective continuous risk intelligence monitoring of today’s dynamic and ever-expanding risk landscape is beyond human capabilities alone and requires Cognitive GRC technologies that leverage artificial intelligence such as natural language processing, machine learning, predictive analytics, and robotic process automation. 
  • Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data and lack of integrated risk intelligence content. In addition, when things go wrong, these manual processes neither support agility nor a robust feedback loop to improve processes going forward.
  • Limited view of risk vectors. Organizations often rely solely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location and Nth party risk exposure. To fully understand the complete risk picture, an organization needs to have full-spectrum risk coverage of risk intelligence content.
  • Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, thus making it difficult to maintain, aggregate and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs. 
  • Overreliance on Periodic Assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship with only periodic re-assessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.  
  • Silos of risk intelligence services overwhelm risk teams. Risk intelligence has the potential to overwhelm organizations. Information feeds from various sources such as legal, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators can drown the risk team as they struggle to monitor a growing array of regulations, legislation, corporate ratings, geopolitical risk, and enforcement actions. Risk intelligence that requires weeding through an exorbitant volume of notifications that includes noise and false positives to identify relevant risks only compounds the problem. One needs an intelligent system that can deliver accurate and actionable insights and remove the noise.

When the organization approaches third-party risk management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third-party performance, risk management, compliance, and impact on the organization and ESG. Without a coordinated third-party risk intelligence strategy, the organization and its various departments never see the big picture.

The bottom line: The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure and blind spots. It is time for organizations to step back and move from legacy practices, defined by manual processes, periodic assessments, and silos of risk intelligence content to a third-party risk intelligence solution that includes integrated full-spectrum real-time feeds of situational awareness of the organization’s extended enterprise. 


GRC 20/20 has the following upcoming Third-Party Risk Management by Design Workshops in the next few months that dive deep into this topic of a holistic view of third-party risk . . .

Chicago: March 30 @ 12:00 pm – 6:00 pm CDT 

New York: April 25 @ 12:00 pm – 6:00 pm EDT 

San Francisco: May 2 @ 12:00 pm – 6:00 pm PDT 

Houston: May 4 @ 12:00 pm – 6:00 pm CDT 

Enabling Closed-Loop Regulatory Compliance

Tsunami of Change Overwhelms Compliance

Managing and keeping up with change is one of the greatest challenges for financial services organizations in the context of compliance management. The dynamic and interconnected nature of regulatory change and how it impacts the organization are driving strategies to mature and improve regulatory change and compliance management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated compliance management strategy within the organization.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions. It is continuous, dynamic, and disruptive. Consider the scope of change financial services organizations have to keep in sync:

  • External risk environments. External risks – such as market, geopolitical, societal, competitive, industry, and technological forces – are constantly shifting in nature, impact, frequency, scope, and velocity. 
  • Internal business environments. The financial services organization must stay on top of changing business environments that introduce a range of operational risks, such as changes in employees, processes, relationships, mergers & acquisitions, strategy, and technology. Any of these changes can take an organization from a state of compliance to non-compliance in its processes, controls, and people.
  • Regulatory environments. Regulatory environments governing financial services organizations are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rulemaking activities, and more has organizations struggling to stay afloat.

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone managing how they impact each other. Organizations can devote human and financial capital resources to keeping up with regulatory change, but that does not make them compliant if that change is not consistent and in sync with business and risk change. Change in economic or market risk bears down on the organization as it impacts regulatory oversight and requirements. Internal processes, people, and technology continuously change, and regulatory requirements need to be understood in the context of business change. As these internal processes, systems, and employees change, this impacts regulatory compliance and risk posture.

Change is an intricate machine of chaotic gears and movements. Keeping current and aligned with change is one of the greatest challenges to compliance management strategies within organizations.

Compliance Overwhelming the Organization

Compliance management, and in this context regulatory change management, is overwhelming organizations. Financial services firms are past the point of treading water as they actively drown in regulatory change from the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting are a moving target as organizations are bombarded with thousands of new regulations, changes to existing regulations, enforcement actions, and more each year. Regulatory change impacts the organization as it reacts to:

  • Frequency of change. In the past five years, the number of regulatory changes has tripled while the typical organization has not increased staff or updated processes to manage regulatory change.
  • Regulatory contexts. Regulatory change is not limited to one jurisdiction but is a turbulent sea of change across the country and around the world. Regulations have a global impact on organizations and markets. Inconsistency across regulations from jurisdiction to jurisdiction brings complexity to regulatory compliance. 
  • Inconsistency in regulations. Managing compliance and keeping up with regulatory change, exams, and incident/complaint reporting requirements becomes complicated when faced with varying requirements. Regulatory jurisdictions have differing approaches and requirements. There are often conflicting requirements in regulations and other laws impacting organizations across jurisdictions.
  • Expansion into new markets. It has become complex for organizations to remain in different markets as well as enter new markets. The pressure to expand operations and services is significant as the organization seeks to grow revenue and be competitive, but at the same time they are being constrained by the turbulent sea of changing regulations and requirements.
  • Focus on risk assessment. Regulatory compliance is increasingly pushed to integrate with broader enterprise and operational risk strategies with a focus on delivering specific assessment of compliance risks. For example, regulators in the US seek to ensure that compliance officers do compliance risk assessments. This is also a theme picked up on by law enforcement agencies like the U.S. Department of Justice (DoJ) and the Securities and Exchange Commission (SEC). The courts, with the United States Sentencing Commission, also evaluate the culpability of an organization on compliance based on compliance risk.
  • Hoard of regulatory information. Organizations are overwhelmed by information from legal alerts, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings/rulings, and enforcement actions. The volume and redundancy of information adds to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of regulatory change and appropriate response. Organizations must search for the marrow of regulatory details and transform it into actionable intelligence, which can be acted upon in a measurable and consistent manner.
  • Defensible compliance. Regulators across industries are requiring that compliance is not just well documented but is operationally effective. This can be seen in the latest DoJ Evaluation of Compliance Program guidance.[1] Case in point, Morgan Stanley was praised by regulators as a model compliance program and was the first company in 35 years of the Foreign Corrupt Practices Act’s (FCPA) history to not be prosecuted despite bribery and corruption in its Asian real estate business. One of the points the Securities and Exchange Commission (SEC) and Department of Justice (DoJ) referenced was Morgan Stanley’s ability to keep compliance current amid regulatory change: “Morgan Stanley’s internal policies . . . were updated regularly to reflect regulatory developments and specific risks.”[2]

Broken Process and Insufficient Resources to Manage Compliance

The typical financial services organization does not have adequate processes or resources in place to monitor regulatory change and manage compliance in a dynamic environment. Organizations struggle to be intelligent about regulatory developments and fail to prioritize and revise policies and take actionable steps to be proactive. Instead, most financial services organizations end up firefighting, trying to keep the flames of regulatory change controlled. This handicaps the organization that operates in an environment under siege by an ever-changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, and even enforcement actions involving other financial services organizations can have a significant impact. 

Organizations that GRC 20/20 has interviewed in the context of compliance management reference the following challenges to processes and resources:

  • Insufficient head count and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Frequency of change and number of information sources overwhelms. The frequency of updates from the regulators themselves is challenging, but then comes the flood of updates from aggregators, experts, law firms, and more. Organizations often subscribe to and utilize multiple sources of regulatory intelligence.[3] Going through each source to identify what is relevant takes time and effort.
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions need to be taken, or if the task was transferred to someone else. This environment produces a lack of visibility into ongoing compliance — the organization has no idea who is reviewing what and suffers from an inability to track what actions were taken, let alone which items are “closed.” Compliance documentation is scattered across documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail/system of record. The manual and document-centric approach to regulatory change lacks the defensible audit/accountability trails that regulators require. This leads to issues with regulators and auditors when they find there is no accountability and integrity in compliance records in terms of who reviewed what change and what action was decided upon. The lack of an audit trail is prone to deception; individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks overall information architecture and thus provides no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to manage regulatory change efficiently and effectively, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective, and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent and coming from all directions. When information is trapped in scattered documents and emails, the organization is crippled. It lacks a full perspective of regulatory change and business intelligence. The organization is spinning so many compliance plates that it struggles with inefficiency. The organization cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
  • No accountability and structure. Ultimately, this means there is no accountability for regulatory change that is strategically coordinated: the process fails to be agile, effective, and efficient in the use of resources. Accountability is critical in a regulatory change process — organizations need to know who the subject matter experts (SMEs) are, what has changed, who changes are assigned to, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the results of the change analysis.

The bottom line: Processes for managing compliance and regulatory change often constitute a myriad of subject matter experts that monitor regulatory change on an ad-hoc basis and rely on email to communicate compliance tasks to stakeholders. Manual processes and a lack of accountability result in an inability to adequately monitor regulatory changes and predict the readiness of the organization to meet new requirements. Compliance professionals spend significant time and resources researching the mandates they must follow and struggle to keep up with new requirements and identify how changing regulations impact existing policies. A haphazard, siloed, and document-centric approach to managing regulatory change results in missed requirements, wasted time, and accelerated costs. It is time for organizations to step back and implement a structured process and technology for compliance management. 


[1] https://www.justice.gov/criminal-fraud/page/file/937501/download

[2] Source of this statement: http://www.justice.gov/opa/pr/2012/April/12-crm-534.html

[3] Such as legal databases, regulator feeds and news, trade associations, enforcement actions, court rulings, and administrative decisions.