Preparing for Tax Compliance in 2023

The modern organization is a complex array of transactions, processes, and relationships.

This is challenging to manage within a single jurisdiction, but it becomes even more complex, bordering on chaotic, when the organization deals with an interconnected mess of subsidiaries, divisions, relationships, and cross-border transactions.

Even a small organization faces a complex web of transactions that span geographic and jurisdictional boundaries as money is moved, services rendered, and products are produced. Complexity grows as these interconnected transactions and processes nest themselves in intricacy.

In this context, organizations operating . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE IMPERO BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Ensuring Engagement Throughout the Policy Lifecycle

GRC 20/20’s Michael Rasmussen will expand on the blog below, in an ESG context, in the webinar: Policy & Training Management: A Foundation of a Successful ESG Program

From time to time, people ask why policies matter. The answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended.

Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. 

Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk; every policy is a risk document that aims to control behavior-related risks.

The longer answer is a bit more complicated . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE EKKO/LEARNING ZONE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The What, Why & How of an Ethical Compliance Culture

GRC 20/20’s Michael Rasmussen will expand on the blog below, in an ESG context, in the webinar: Policy & Training Management: A Foundation of a Successful ESG Program

The scenarios of ethical and compliance exposure across business operations and frontline employees are unlimited. Some involve malicious employees, others could be inadvertent mistakes, while some scenarios involve activity that employees should catch and report. 

The most significant exposures to ethics and compliance issues are not in the bowels of the organization; they are at the front lines. The organization must effectively engage employees and educate them about compliance and policies in the context of their role in the organization. 

Compliance is an (extended enterprise) engagement challenge

The challenge is that organizations need to find a way to get everyone involved and adhering to policies to build integrity across the whole organization and the extended enterprise. 

Compliance communications, attestations, and disclosure matter. However, when you look at the typical organization you would think policies and compliance processes are irrelevant and a nuisance . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE EKKO/LEARNING ZONE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC in a United Kingdom Context

Last week I had an amazing week of GRC interactions (or G[P]RC, with the P being performance) in the Middle East. I was the keynote at the G[P]RC Summit in Riyadh and in Dubai. I am also interacting on a few RFP development projects in the Middle East as well. The Middle East is the fastest growing market for GRC related solutions and services.

However, the busiest market is the United Kingdom and Europe. I am busier with interactions in the United Kingdom and Europe than I am in North America. I could rattle off a dozen RFPs in various stages of engagement right now. London and the broader United Kingdom is my busiest region, followed by the DACH region of Europe. After that it is the Nordics and Benelux regions. The next few months have me on a trip to the United Kingdom, then Australia, followed by two separate trips to Germany in March.

London is my busiest city for engagement in the entire world. I have spent more time in London for GRC than any other city. I am now preparing for my next GRC trip to London for the week of February 12th to 19th.

What brings me to London in February? . . . I am glad you asked . . .

It is a whirlwind of a week of engagements. A few are with solution and service providers, helping them with their solution and go-to-market strategy, but most of my interactions are with organizations looking for solutions and services to address a range of risk and compliance challenges they are facing.

The heart of the week is co-hosting a RegTech/FinTech Networking Event with ING as well as working with the Institute of Risk Management in London to build out a strategy of engagement in my role as one of their Global Ambassadors of Risk Management.

It will be a great week of interactions which all feed into my research on the GRC market. I describe what I do as an analyst in the context that I am a researcher. I research the challenges organizations face in the context of governance, risk management, and compliance, and how organizations solve these challenges through the combination of strategy, process, and technology/services.

The leading topics for my meetings/engagements this week are as follows:

  • Germany’s Corporation Supply Chain Due Diligence Act. Yes, I am in London and one of the hottest topics of conversation is Germany’s law and the related EU Directive. I have several interactions in the United Kingdom right now where this is driving a lot of change to ESG and the intersection of third-party risk management programs.
  • UK SOX. After several years of speculation and discussion, UK SOX is here and a hot topic of engagement. Starting with financial years ending December of this year (2023), organizations in the UK are facing requirements for internal controls over financial reporting and disclosures in line with US Sarbanes-Oxley. So a lot of organizations are now scrambling to address this.
  • Operational Resilience. The UK FCA/BoE/PRA regulation has the entire financial services industry restructuring their operational risk and continuity programs to address these requirements. Last year, March 2022, saw a lot of this come to maturity, but organizations are looking for technology and services to make this sustainable. Related to this is addressing the EU DORA (Digital Operational Resilience Act), as the two intersect for firms operating in Europe.
  • Consumer Duty. This is the trending hot topic in the financial services space in the United Kingdom. Organizations have to set high and clear standards of consumer protection across financial services, and this requires firms to put their customers’ needs first. This is driving a lot of policy and training management and engagement as the foundation and from there a lot of assessment and controls.
  • UK SMCR. The United Kingdom’s Senior Managers & Certification Regime also ties into several discussions, sometimes intersecting with the same conversations/engagements on resilience and consumer duty. Organizations are looking to make UK SMCR more sustainable, as many approached the first few years of compliance with manual processes they now find cumbersome.
  • ESG. This ties into all the above and more. A lot of interactions on how to manage and report on ESG through all of its complexities and niches. Last April, the UK passed two mandatory ESG disclosure laws: The Companies (Strategic Report) (Climate-related Financial Disclosure) Regulations 2022 and The Limited Liability Partnerships (Climate-related Financial Disclosure) Regulations 2022. UK companies that have more than 500 employees have to do ESG reporting.
  • Regulatory Change Management. I have a few interactions with both financial services and life science companies in the United Kingdom to discuss cognitive technologies to keep up with regulatory change management, and with that policies.

Those are the main points of interaction. Tied to some of these are the UK Modern Slavery Act, the UK Bribery Act, and the UK Data Protection Act, as well as EU GDPR.

As you can see it is a fascinating week of engagements across these. The schedule is filling up . . .

Measuring the Cost of Non-Compliance

Integrity is everything to an organization. If I could rebrand the Chief Ethics and Compliance Officer (CECO) I would call it the Chief Integrity Officer, but we already have a CIO in the Chief Information Officer. Ethics and compliance done correctly is the bastion of corporate integrity and corporate ethical culture. That is what compliance and ethics are truly all about.

Too often compliance is not seen from this perspective. Compliance is approached tactically as a series of checkboxes: if we check the boxes, we want our get-out-of-jail-free card. It is a tactical approach and not a strategic one. Alternatively, compliance is done as an afterthought or is seen as the corporate police that is always getting in the way. This leads to greater compliance exposure, as compliance and ethics are not seen as a core part of how we do business. Too often it is approached with smoke and mirrors, with a focus on the bare minimum to get by, or by creating an outright fictitious compliance environment.

When it comes to compliance breaches and incidents, too often organizations fail to grasp the full financial impact of non-compliance. In my research and experience, you can break the cost of a compliance incident/breach into the following three areas (with others that I have not measured) . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CLAUSEMATCH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

How Mortgage Lenders Can Leverage Automation to Strengthen Compliance in a Turbulent Economy

In today’s ever-changing economy, mortgage lenders and service providers face a growing number of regulations and risks in compliance. This opens up an opportunity for organizations to rearchitect their compliance processes and leverage automation to remain competitive in this uncertain environment.

Mortgage lenders and service providers, as a segment of the financial services industry, face a lot of change. The mortgage space right now is a tough one and interest rates are only going up. Firms are writing fewer loans, whether it’s a new loan or a refinance. The market is shifting and drying up for the foreseeable future of the next year or two. The industry is changing and reacting to uncertainty in the economy. Mortgage companies’ internal processes and employees are . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ASCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

2022 GRC Research Year in Review

Wow! 2022, what a rollercoaster of a year for GRC – governance, risk management, and compliance. Top discussions this past year have been around ESG, risk agility, resilience, third-party risk in the extended enterprise, compliance and regulatory change, and policy management. We are still feeling the impact of the COVID pandemic combined with geopolitical risk tensions further confounded by economic and global uncertainty.

However, times of uncertainty bring a boom to GRC related solutions and services. GRC 20/20 has never been busier than at this very moment. While the activity is global, there is a lot of particular GRC market activity coming out of the United Kingdom and Europe right now.

The top GRC 20/20 social media post, by far, this past year was on LinkedIn:

HEAR ME – no organization can address #ESG without good #policymanagement and #policyengagement with training. ESG gets codified in policies from #codeofconduct down into #environmental policies, #socialaccountability policies, and the range of #governance policies. The measure of integrity to ESG comes down to policy engagement and enforcement to employees. 

Follow GRC 20/20 on LinkedIn and Twitter.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2022 organized by topic area.

As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as about the solutions available in the market that we cover in our objective market research, through the inquiry process. Every week GRC 20/20 is answering between 15 and 20 inquiries from organizations looking for advice on solutions and services to engage as they navigate the hundreds of solutions available in the GRC market . . .

  • Enterprise GRC and the Broad GRC Market: Research Reports, Blogs
  • Risk & Resiliency Management: Research Reports, Blogs
  • ESG – Environmental, Social, Governance: Blogs
  • Corporate Compliance & Ethics Management: Research Reports, Blogs
  • Third-Party (e.g., Vendor/Supplier) GRC Management: Research Reports, Blogs
  • Policy Management: Research Reports, Blogs
  • IT GRC Management: Research Reports
  • Environmental, Health & Safety (EHS): Blogs
  • Internal & Automated Control Management: Blogs
  • Legal GRC Management: Blogs

Where Policy Management Fails

After exploring Where Third-Party Risk Management Fails and Where Risk Management Fails, I now turn my attention to my biggest soapbox, Where Policy Management Fails . . .

First, it is essential to understand that policies are critically important to governance, risk management, and compliance. Through policies, organizations can have reliable processes, transactions, and behavior so that they can reliably achieve objectives [governance]. Policies are risk documents; the very fact that there is a policy means there is uncertainty/risk that needs to be governed and controlled [risk management]. Through policies, and adherence to them, the organization maintains integrity to its values, ethics, conduct, ESG commitments, regulatory commitments, and contractual commitments [compliance].

HOWEVER, policies also set a legal duty of care and liability on the organization. A policy that is not followed can be used against the organization in a civil, criminal, and/or regulatory matter. What is shocking is how badly policies are managed in organizations, given how critical they are to enabling the organization to reliably achieve objectives, address uncertainty, and act with integrity. 

I teach Policy Management by Design workshops around the world and have a variety of research papers on policy management. I have also partnered with OCEG in developing PolicyManagementPro.com and the Certified Policy Management Professional certification. Here is where I see policy management fails in many organizations . . .

  • Not knowing what policies the organization has. Policies often are scattered across departments, and many organizations do not even know what policies are out there. I was keynoting at a conference and asked a few hundred people in the room who had a master list of all their official policies; only two people raised their hands.
  • Policies scattered on different portals. Too often the organization does not have a singular portal for policies. One insurance company came to me moving into pandemic lockdowns in March of 2020 in a panic as they discovered they had 27 different policy portals from policy file shares to SharePoint sites, to commercial software. It was a maze of confusion and there was no singular point for employees to access policies.
  • Different writing styles and processes. Organizations often do not have a consistent template and writing style for policies, nor a standard process to write and approve policies. Basically, they do not have a Policy on Writing Policies (also called a Metapolicy), nor a style guide on how to write policies with consistent grammar, use of active voice, punctuation, formatting, and an approach to gender-neutral language. 
  • No standard template for a policy. Yes, I brought this out in the previous point, but it deserves to be mentioned again. Anyone should be able to recognize a policy by the template/formatting of the document (digitally or in print). It should be easily recognizable as an official policy.
  • Not addressing rogue policies. This is a HUGE issue. Too often managers across the organization are opening word processors and writing documents and calling them policies. They communicate this to employees, customers, and partners. Policies, as stated, establish a legal duty of care. If a manager is writing a document and calling it a policy, it exposes the organization to legal liability if it is not followed. 
  • Out of date policies. Organizations struggle with the number of policies that exist indefinitely and are not updated, lack an owner, and are no longer needed . . . or desperately need revision. 
  • Not keeping up with legal, regulatory, and business change. There is a variety of legal, regulatory, risk, and even business change that impacts policies. One bank had a policy that was being revised because of a regulatory change; it went through 75 reviewers in a linear fashion of document check-in and check-out and took six months to get updated. In an industry where there are 257 regulatory change events every day, this certainly is not agile and is behind the game. Another organization, this one in healthcare, discovered they had 21,000 policy and procedure documents because of all the consolidation and acquisition of hospitals over a few decades. 
  • Not keeping up with employee change. Employees come into the organization, they change roles and departments, they leave the organization. Organizations need to ensure that employees are aware of the policies that apply to their role as they move to different functions and roles, particularly high-risk areas. 
  • Lack of audit trail and system of record. This is another HUGE issue. The legal and regulatory environment demands that the organization have a clear, defensible history of what policies were communicated to employees, whether they understood them, whether they were trained, and how they were reminded. Look at the latest U.S. Department of Justice Evaluation of Corporate Compliance Programs, where it focuses on the audit trail and system of record of the policy portal and employee interactions. Having a defensible audit trail on policies and awareness gets the organization out of hot water; ask Morgan Stanley.
  • Outdated policy portals and training. Every month I am getting inquiries from organizations looking for that next-generation policy portal that brings policies and training together into one portal. Think about it: employees go out to Facebook and can watch a YouTube video within Facebook. They do not have to click on a link, go out to YouTube, and come back to Facebook to comment on it. The same thing NEEDS to happen with the policy portal, bringing policies and training on policies into one portal. Millennials and Gen Z expect this. And mobile access to policies and training is also critical. 

As you can see, this is a soapbox of mine. I am passionate about policies and policy management. They are critical to the organization. Without policies, and policies that are adhered to and enforced, the organization’s behavior is like leaves blowing in the wind. Can you imagine an organization with no policies? What a mess of transactions and behavior. I am literally scratching the surface on all the areas of where policy management fails today. 

Organizations need to address the back-office of policy management, and the front-office of policy engagement . . .

  • Back-office policy management. This is the enterprise-wide consistent process to write, approve, monitor, enforce, manage, maintain, and audit policies in the organization. The key here is collaborative authoring and cooperation across departments, supported by strong technology in this space, to ensure nothing slips through the cracks and everything adheres to the Policy on Writing Policies.
  • Front-office policy engagement. This is the portal, training, awareness, and engagement of employees (and third parties) on policies. There should be a singular portal for all the official policies of the organization. Employees should receive regular reminders and be properly aware of and trained on the policies that impact their role/function in the organization.

There are a variety of solutions for policy management in the market. Some focus on certain departments (e.g., EH&S, information security, privacy, HR), others focus on specific industries (e.g., healthcare, banking), and others are broad. Some solutions focus on back-office policy management, others excel in front-office policy engagement. Few do both well. 

Ask GRC 20/20 about our market research and coverage of policy management best practices, the range of solutions in the market, what differentiates them, and which fit your particular need . . . 

Also, register for one of these upcoming webinars on Effective Policy Management . . .

State of GRC: A Future of Agility, Resiliency & Integrity

Below is an abstract and the video of my keynote from the Konnect 2022 conference. My next keynote will be at #RISK in London on November 16th and 17th, where I will also be the chair/host of the conference and will be doing a special executive breakout session on ESG. The keynote video details the challenges organizations face in GRC and risk management in the current context, the era of ESG. If you watch to the end, you will find that the numerous questions from the audience (about 500 people attended) were all on ESG.

BTW – the graphic above on this post is actually a drawing that was done by an artist of my keynote as I was delivering it. The actual artwork was huge, 4 feet x 6 feet. I love how the artist captured my thoughts from the keynote . . .

I hope you enjoy this video as much as I enjoyed delivering it to such an engaging group of attendees at Konnect 2022.

Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility. Too often GRC management is seen as a compliance exercise instead of something truly integrated with the organization’s strategy, decision-making, and objectives. However, business operates in a chaotic world, and risk has an exponential effect on the organization. Even a small event can cascade, develop, and influence what ends up being a significant issue. Risk management inevitably fails, providing case studies for future generations on how poor risk and resiliency management leads to the demise of organizations – even those with strong brands.
To be agile and maintain integrity in an environment of interconnected objectives, risks, resilience, and integrity requires 360° contextual awareness of risk and resiliency — particularly in the era of ESG. Organizations need to have risk under one roof to see the intricate relationships and impacts of objectives, risks, processes, and controls with complete 360° situational awareness, intelligence, and holistic visibility.

Dissociated siloed approaches to risk and resilience management that do not span processes and systems can leave the organization with fragments of truth that fail to illustrate the big picture across the enterprise or the impact on strategy and objectives.

https://vimeo.com/762857499/d345c99add

Where Risk Management Strategy & Technology Fail . . .

Last week we explored where third-party risk management strategy and technology fail, this week we turn our attention to where enterprise/operational/integrated risk management strategies and technologies fail. Yes, that world of ERM, ORM, IRM which is fraught with misconceptions, complexities, and too often solutions that create blind spots on risk. 

The modern environment demands that organizations be not only resilient, but also agile. Resilience is the capacity to recover from a risk event. Agility is the capability to see what is coming at the organization, what is developing on the horizon, and what scenarios could play out on the organization. This allows the organization to use risk as a tool, not only to avoid hazard and harm but to leverage risk for greater gain to the organization. 

The issue is that too many organizations have immature ERM/ORM/IRM functions. The failures in risk management strategy, process, and particularly technology are often:

  • Performance and objectives. I see too many risk management solutions that seem to identify, manage, and monitor risk in a vacuum that has no business context. We do not just wake up in the morning and state, “I feel like doing a risk assessment.” Risk is always set in a business context. That context starts with the performance and objectives of the organization. What is the organization trying to achieve? These can be entity level objectives, division, department, process, or even asset level objectives. ISO 31000 defines risk as the effect of uncertainty on objectives. Risk is managed in the context of measuring the uncertainty in achieving objectives.
  • Silos of risk management. Too often organizations think they are approaching an enterprise view of risk when they are really trapped in a silo. Good risk management requires the ability to see complex relationships of risk management and in that context complex relationships of risk on objectives. What starts off with a health and safety risk then impacts objectives, culture of the organization, performance, continuity, security, privacy, conduct risk, bribery and corruption risk, modern slavery risk and more . . . that was COVID-19. It is an integrated risk environment, and it requires a full spectrum of understanding risk and objectives of the organization.
  • Quantification. In order for the business to understand risk, it is necessary that it be quantified. What is the business impact? Organizations need to mature their approach to risk management by providing more advanced risk quantification capabilities. Too often I see quantification being done as guesswork and ranges that lack any statistical modeling. 
  • Heatmaps. I am not a big fan of heatmaps. I think they are overused and misleading. Too often this is the primary view into risk, and it fails the organization. If you have a lot of risks trending in the upper right, that is too often fiction; the organization is most often not seeing a regular cadence of major loss events. The most significant risks, according to history, are high-impact and low-likelihood events. Those destroy companies, but they are often coded yellow and not red. And a risk in the lower right might not be telling you the whole picture; that risk in the green area might be over-controlled. Heatmaps provide a view into risk, but they should not be the sole view relied upon. I would rather do without them. 
  • Stuck in the left-brain. The world of risk management is navigating chaos. There is so much changing, and risks cascade like dominoes and impact performance and objectives in unforeseen ways. What is often a little thing cascades into a huge risk event, like chaos theory and the butterfly effect. Good risk management requires that we use the right-brain in addition to the left-brain. The left-brain is the logical and structured thinking of risk; that is where we have risk models. But models are imperfect and never accurately represent the real world. Today’s organization needs good right-brain thinking on risk, the outside-the-box thinking that can look at risk from different perspectives and see things that our models are not telling us. I am a fan of visual risk analysis techniques like bow-tie risk assessments. These are great to use in risk facilitation workshops. 
  • Lack of risk normalization and aggregation. Enterprise risk management is complex. One department’s high risk might be another department’s medium risk when quantified. I have seen too many failures where there is no, or broken, risk normalization and aggregation as risk rolls up in the enterprise. Projects and departments need a legitimate measurement of high, medium, and low risks (quantified, of course, and not just qualitative), but as this gets compiled into an enterprise view of risk there must be risk normalization and aggregation.
  • Risk ownership and accountability. Back-office functions of risk management do not own the risk of the organization. Executives down into operational management own risk. Risk processes and technology fail when they do not engage the real risk owners and help them monitor the risk they own and do not provide structured processes for risk accountability.

I could go on about the need for good scenario analysis and the integration of resilience and continuity into risk management. The key takeaway is that organizations need to manage risk in the context of the business, performance, and objectives. They need to do this in a way that sees the complexities and interrelationships of risks, and thus need to engage both the left- and right-brains to manage risk logically as well as creatively. Risk needs to be quantified and understood in a business context that empowers first-line functions, the real risk owners, with structured accountability for risk. 

The issue is that there are many risk solutions on the market, but not many really deliver on the points I have brought out to equip, enable, and deliver value to a true GRC, ERM, ORM, or IRM program. Ask GRC 20/20 about our market research and coverage of risk solutions in the market, what differentiates them, and which fit particular needs . . .