ESG and the Geopolitical Complexities of Supplier Risk

How do you define the modern organization? 

There is no binary boundary to the organization anymore, no more black and white. It is impossible to clearly state that this is where the organization ends. The organization is NO LONGER defined by brick-and-mortar walls and traditional employees. There are shades of grey as the modern organization is the extended enterprise that involves layers of complex nested-supplier and subcontracting relationships. 

The distributed nature of business across extended third-party and nth-party relationships is the new reality. Managing risk in this paradigm is challenging. However, the new complexities of ESG risks combined with the volatile world of geopolitical risks create a compounding, exponential risk exposure that many organizations are not prepared for. 

For organizations of all sizes and industries, this poses a huge challenge but also a huge opportunity.

  1. Organizations that fail to manage the . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE ETHIXBASE BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Where Third-Party Risk Strategy & Technology Fail . . .

The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is the Extended Enterprise of third-party and nth-party relationships. The suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, partners, and more . . . they are part of your organization. There is no black-and-white border to the organization; it is shades of grey. 

Third-party risk management strategy, processes, and particularly technology (including intelligence/content solutions) are a major part of my overall GRC market research. I have advised organizations around the world on RFPs, directed them to solutions and services to consider, and teach my Third-Party GRC/Risk Management workshops around the world (I just taught one in London last week with over 40 attendees). I have seen successes; unfortunately, I have also seen a lot of failures and am often engaged to come in and tell organizations where they went wrong and what they should consider, particularly with third-party risk technology. 

Here are the top things I see in my research where organizations fail in third-party risk management . . . 

  • No concept of third-party governance. Personally, I prefer the term third-party GRC over third-party risk management. Risk does not happen in a vacuum. Risk management, and in this context third-party risk assessment requires context. Every relationship is established for a purpose, what are the objectives of the relationship and its components? According to ISO 31000, “risk is the effect of uncertainty on objectives.” Too often organizations fail to manage risk in the context of the delivery, performance, objectives, and value of each third-party relationship. Too often technology being adopted in this space completely lacks an understanding of third-party governance to objectives and performance. I am speaking on this in the upcoming webinar: Transform Your Third Party GRC Strategy to Focus on Agility, Resilience, & Integrity.
  • Third-party risk or Extended Enterprise? I personally do not like the term third-party; the reality is that the modern organization is the extended enterprise. The term third-party builds a stigma of something being a commodity, expendable, and changing. The strongest third-party risk (GRC) management programs are focused on the extended enterprise and treat their third parties as critical players and partners to their strategy, operations, and processes.
  • ESG. ESG is going to rock your third-party risk world. You need to be leveraging technology that fully integrates complete situational awareness of ESG – environmental, social, governance – across your extended enterprise. Too often organizations fail to see the scope of ESG and the scope of its impact on third-party relationships. The tsunami of ESG regulations impacting supply-chain and third-party relationships is building and it is monstrous. I am speaking on this in the upcoming webinar: ESG Teeth & Supplier Risk: Analyst Advice for Mid-Sized Companies.
  • Silos of third-party risk oversight. Organizations fail because they too often lack a full view of third-party risk. IT security is doing its thing for vendor risk. Procurement is doing something else. Continuity/resiliency has their program involving third parties. Compliance and ethics are going down a different road as well. So is ESG now. And more. Organizations fail to see the aggregate and complete risk exposure across all these silos in a relationship. Just looking at one aspect of risk does not give you a full picture of risk and may give you a false or misleading picture of risk.
  • Not managing the details of a relationship. Too often technology in this space is built to manage risk at the relationship level and not the components of a relationship. I sat on the social accountability advisory board for a major Fortune company for their supply chain code of conduct. They have 5,000 suppliers with 50,000 facilities across those suppliers. One supplier might have one facility, another might have 20 facilities. This organization manages social accountability risk (e.g., child labor, forced labor, working hours, health and safety) at the facility level and not just the supplier relationship level. A North American bank that came to my workshop has 4 data centers they outsource to one outsourcer. They measure risk, and different risks, at each data center, not just at the relationship level. A global bank in Europe told me they need to manage risk to the service-level agreement (SLA) or specific contract. One relationship might have a hundred contracts or SLAs. They were frustrated as the platform they chose only manages relationships and not the components. 
  • Lack of a good source of third-party risk intelligence/content. Organizations fail as this is not just a technology and process problem. To manage third-party risk, and particularly ESG risk, requires a full spectrum of third-party risk content/intelligence across sanctions, politically exposed persons, financial/viability ratings, security ratings and scorecards, ESG ratings, negative news/adverse media, geo-political risks, reputation and brand lists, and more. Organizations need technology platforms that integrate into the new generation of third-party content/intelligence providers to provide 360° contextual awareness of what is happening.
  • Resiliency is not understood. There is so much focus on operational resilience today, but you cannot be a resilient organization without looking at the extended enterprise of third-party relationships. Third parties are critical to the organization’s services and operations. And this is much more than digital resilience and security; it requires looking at the full spectrum of third-party risks and relationships of the organization, particularly in a geo-political risk context. 
  • Thinking third-party risk assessments are going away. Those using broader third-party risk intelligence/content too often buy into a fiction that they do not need the assessment questionnaires. Those are still needed and will NOT go away. At a basic level, third-party assessment questionnaires are a CYA (cover your behind) legal and compliance exercise that is necessary. At a more mature level, they ensure a common understanding of risk management and shared values/ESG. 
  • Offboarding is missing. Many companies have processes and technology in place to do due diligence during on-boarding. When it comes to ongoing monitoring there are often structured processes in place. However, most organizations fail in having defined processes with structured workflow and tasks to off-board (say good-bye to) a third party.
  • No process to exercise right-to-audit clauses. I am frustrated by the number of programs I see that have no methodology and structure for how and when they exercise right-to-audit clauses and conduct inspections. Too often technology in this space does not help as it does not manage these interactions. The best practice I have seen is with a large global food retailer with thousands of relationships and tens of thousands of facilities within those relationships. They score every facility at a red (high), yellow (medium), or green (low) level for risk, and that score drives audits/inspections. Red-level facilities must have an onsite inspection every year, yellow-level facilities every two years, and green-level facilities are randomly sampled for onsite inspections/audits.
  • Selecting the wrong vendor. This happens time and time again. Two years back I was working on one RFP. The global organization had deep and complex requirements. They had a few vendors in play in silos of third-party risk oversight and one they particularly liked. They selected that one, even when I told them not to, that it would not meet their complex needs. They went down that road and later came back to me stating they wish they would have listened. They must dumb down their third-party risk program (particularly down to the relationship level and not the component/SLA/contract level) or go back to RFP. You need to make sure you select the vendor that delivers on the vision for what you are trying to achieve. 
  • Documents, spreadsheets, and emails. Then there are the programs, or fragments of programs, that think they can manage third-party risk on documents, spreadsheets, and emails. These manual processes have huge issues in cost as well as defensibility. Documents, spreadsheets, and emails do not provide a robust and defensible audit trail and system of record – the organization has no record of what fiction may have been created in these electronic paper trails to cover up something. Regulators and law enforcement are wising up to this. Further, I have seen programs that state 80% of their staff time is spent chasing and managing hundreds to thousands of documents, spreadsheets, and emails, and only 20% of staff time (or less) is spent productively managing and improving third-party risk management in relationships. Some organizations I have talked to went from 20 hours to onboard a third party on average down to 3 hours by replacing manual processes. Ongoing annual risk assessments went from 10 hours down to 1½ hours of time per third party because of automation.
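As an added example (not from this post or the retailer it describes), here is how the red/yellow/green inspection cadence from the right-to-audit point above can be turned into a reproducible inspection plan with a system of record behind it. The 10% sampling rate for green facilities, the hash-based sampling, and the facility inventory are all my assumptions; the page gives none of them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib

# Cadence stated in the post: red = every year, yellow = every two years,
# green = random sample. Intervals in days.
INTERVAL_DAYS = {"red": 365, "yellow": 730}
GREEN_SAMPLE_RATE = 0.10   # assumed sampling rate; the post does not give one


@dataclass
class Facility:
    facility_id: str
    supplier: str
    tier: str                          # "red" | "yellow" | "green"
    last_inspection: Optional[date]    # None = never inspected


def green_sampled(facility_id: str, cycle: str, rate: float = GREEN_SAMPLE_RATE) -> bool:
    """Deterministic 'random' sample for green facilities.

    Hashing the cycle label with the facility id makes the selection
    reproducible for a later auditor (no RNG seed to store) while still
    spreading the sample across the inventory from cycle to cycle.
    """
    digest = hashlib.sha256(f"{cycle}:{facility_id}".encode()).digest()
    u = int.from_bytes(digest[:4], "big") / 2 ** 32   # uniform in [0, 1)
    return u < rate


def inspection_due(f: Facility, today: date, cycle: str) -> Tuple[bool, str]:
    """Return (due?, reason) for one facility under the tiered cadence."""
    tier = f.tier.lower()
    if tier in INTERVAL_DAYS:
        if f.last_inspection is None:
            return True, "never inspected"
        due_date = f.last_inspection + timedelta(days=INTERVAL_DAYS[tier])
        if today >= due_date:
            return True, f"overdue since {due_date.isoformat()}"
        return False, f"next due {due_date.isoformat()}"
    if tier == "green":
        if green_sampled(f.facility_id, cycle):
            return True, "random sample"
        return False, "not sampled"
    # An unknown tier is a data-quality defect in the inventory, not a skip.
    raise ValueError(f"unknown tier {f.tier!r} for {f.facility_id}")


def plan_inspections(facilities: List[Facility], today: date, cycle: str) -> List[Tuple[str, str, str]]:
    """Return [(facility_id, supplier, reason)] for every facility needing an inspection this cycle."""
    plan = []
    for f in facilities:
        due, reason = inspection_due(f, today, cycle)
        if due:
            plan.append((f.facility_id, f.supplier, reason))
    return plan


# Constructed sample inventory (fictional suppliers and facilities).
SAMPLE = [
    Facility("F-001", "Supplier A", "red", date(2022, 3, 1)),
    Facility("F-002", "Supplier A", "red", date(2023, 2, 1)),
    Facility("F-003", "Supplier B", "yellow", date(2021, 6, 15)),
    Facility("F-004", "Supplier B", "yellow", None),
    Facility("F-005", "Supplier C", "green", date(2020, 1, 1)),
]

if __name__ == "__main__":
    for row in plan_inspections(SAMPLE, date(2023, 6, 1), "FY2023"):
        print(row)
```

Each planned row carries its reason, so the record answers "why was this facility inspected (or not) this cycle" without a spreadsheet.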

As you can see, there are a lot of pitfalls to not properly addressing third-party risk management strategy, process, and technology. These programs are essential and need to be designed with care, with the right technology and content used to deliver value. 

Third-party risk management also varies by industry as to focus. There have been quite a few RFPs over the past few years in life sciences/pharmaceuticals. They all have very similar requirements, but are also very different from financial services and others. To see the scope and complexity of third-party risk, here are the common elements of a third-party risk management program in the life sciences industries:

  • Animal Welfare
  • Anti-Bribery and Corruption
  • Compliance in Suppliers
    • Promotional Practices
    • Bioethics
  • Environmental
  • ESG
  • Global Security/Physical Security
  • Health & Safety
  • Information Security
  • Information Systems Quality
  • Intellectual Property Risks
  • Geo-Political Risk
  • Privacy
  • Performance, Contractual, SLAs
  • Product Quality and Safety 
    • Clinical Trials 
    • Human Biological Sample Management
    • Pharmacovigilance
  • Resiliency & Business Continuity 
    • Concentration Risk of Suppliers
    • Material Risk of Suppliers 
  • Sanctions
  • Social Accountability
    • Child Labor
    • Forced/Prison Labor
    • Inclusivity/Diversity
  • Strategic Sourcing
  • 4th/Nth Party Risk Across All These Domains

That is just one industry example . . . then there is healthcare, banking, insurance, retail, hospitality, oil/gas, and more examples. 

Next week we will look at where risk management strategies and technologies fail . . . stay tuned. 

Measuring Value: Making GRC Processes Efficient, Effective, and Agile

Have you ever heard of the Winchester Mystery House in San Jose, California? It’s a sprawling mansion that was built in the 1800s at the cost of $5.5 million (calculate inflation, and that is one very expensive house today). It had 147 builders that built it over 38 years with no blueprint, no design, and no architect. As you might imagine, it’s a confusing maze of construction. 

The story of this house reminds me of GRC and GRC processes in many organizations, perhaps yours. The components of GRC – governance, risk management, and compliance — are in every organization. My position is that while every organization does GRC, their approaches and results vary. It may be ad hoc, fly-by-the-seat-of-our-pants approaches. But GRC done right delivers the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].

The Winchester Mystery House analogy is how GRC looks in many organizations. You may have shadow GRC processes that spring up all over the organization in the bowels of operations that lack . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RESOLVER BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Practically Understanding and Delivering ESG in Today’s Organization

ESG – Environmental, Social, and Governance – has been creating a barrage of pressure upon organizations across industries and around the world in recent years. Corporate investors are making capital investment decisions in companies based on ESG commitments, metrics, and ratings. Legislatures and regulators around the world are ensuring that regulations are focused on the breadth of ESG as well as specific aspects of ESG (e.g., modern slavery, carbon emissions). Employees are making decisions on who they work for based on shared values and not just benefits. Customers are engaging with and buying products and services that share their values. ESG is getting attention from the top of the organization, the board and the executives, down into the depths of the organization.

What is ESG and Why is it Important?

That is a good question. ESG varies in breadth and depth of scope by industry, company size, and even geography and regulatory frameworks. It also varies by individual departments that focus on aspects of ESG but not the breadth of ESG. Too often, ESG can be like the parable of the blind men and the elephant where one feels the side and thinks it is a wall, another feels the trunk and thinks it is a tree, and another the tail and thinks it is a rope.

In understanding the important scope of ESG, consider . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE KANINI BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Rasmussen’s Strategic Pillars of GRC: Agility, Resiliency, Integrity

The physicist Fritjof Capra stated:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

Capra was making the point that ecosystems are complex, interdependent, and require a holistic, contextual awareness of the intricacy of their interconnectedness as an integrated whole rather than a dissociated collection of systems and parts. Change in one area has cascading effects on other areas and, in all likelihood, the entire ecosystem. A small event can develop into what ends up being a significant issue. This understanding can be applied to your GRC strategy roadmap as well.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.

The interconnectedness of objectives, risks, resiliency, and integrity require 360° contextual awareness of . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RESOLVER BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC Done Right Starts With the Business: Objectives, Performance, Processes

Too often GRC – governance, risk management, compliance – is approached backwards. Using the acronym, one would think it is CRG, or even Cr (lower case intentional). Too many organizations start with compliance, and even risk management is done in a compliance context, and governance, performance, and objectives are not even in view.

The official definition of GRC, found in the GRC Capability Model, is that GRC “Is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” (www.OCEG.org) It starts with governance and setting objectives (entity, division, department, process, project, asset objectives). From governance flows the context to begin and do risk management (remember, ISO 31000 defines risk as the effect of uncertainty on objectives). The compliance is the follow through to ensure we stay within ethical, regulatory, ESG, and even risk boundaries (compliance verifies that controls we put in place to mitigate risk are operational and effective). 

I am in a three-week GRC tour of Europe right now and there are a lot of interesting RFPs over here. More often in Europe you see requirements for a focus on business and business process, and even for business process modeling (BPM) capabilities within GRC. Europe, in general but not always, sees GRC as more integrated into the business the way it should be. Too often GRC, particularly in North America, is a compliance band-aid and not a true integrated way of managing the business.

GRC should be about performance. In fact, at OCEG, we defined GRC in this context. GRC delivers what is called Principled Performance. GRC, through strategy, process, information, and technology, should deliver better performing organizations that do so in an ethical way aligned with the organization’s values. 

One of my favorite interactions on risk management in my career was with Brad Jewett when he was the ERM Director at Microsoft. He had this whole approach he called ‘The Rhythm of Risk.’ It was specifically about managing risk in the context of Microsoft’s objectives, business, and processes. It was business focused GRC aimed at Principled Performance.

To deliver on this requires full awareness and integration of GRC into the business and management. The most critical thing is to be able to manage your business in a GRC context. This requires that our approach to GRC allow for deep modeling, definition, and monitoring of business objectives and business processes, so that risk and compliance are managed in the context of performance, objectives, and processes. That is how GRC is done.

When approaching GRC (or ERM, ORM, IRM), what do you really want from the following:

  1. Do you want a solution that manages your business; and in that context manages risk, compliance, and controls?
  2. Or do you want a solution that manages compliance, and perhaps risk, but is disconnected from the business and is an afterthought, a band-aid?

In my market research and coverage of solutions in the market, there are over 100 solutions that can address the second option, but very few that can actually deliver on the first. Organizations need business management platforms that have GRC capabilities built and baked in.

We are in the era of GRC 5.0 – Cognitive GRC, and all the elements of GRC 4.0 – Agile GRC are still wrapped up and part of GRC 5.0. I am often asked what is next? What is GRC 6.0? Getting out my analyst crystal ball it is GRC 6.0 – Business Integrated GRC where GRC is an integrated part of a business management platform. The idea of a siloed GRC platform goes away to manage GRC as an integrated platform of the business, its objectives, its performance, and then risk, compliance, control, and assurance in this context. It will take a few years for us to transition to GRC 6.0, perhaps as much as five, but it is on the horizon.

There will still always be a place for best of breed GRC solutions focused on specific risks, compliance, and content. What I am saying is that the broad enterprise/integrated GRC platform (or ERM, ORM, IRM) is delivered as a part of a business management platform.

Do you have questions on GRC Solutions available in the breadth of the market and which few deliver on the vision of Business Integrated GRC? Ask GRC 20/20, in our coverage of the market as an analyst firm, what solutions are available and what differentiates them for your specific needs.

The Exposure of Compliance at the Frontlines of the Organization

Compliance and ethics do not happen in the back office but at all levels of the organization. From the top down to the front-line employees. Compliance and ethics done right are a part of everyone’s job. 

Too often we shovel compliance into the bowels of the organization, thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back-office of legal, human resources, IT, and other departments. 

This misperception is a critical issue that organizations must address. The most significant exposures to risk and compliance issues are not in the bowels of the organization, they are at the front lines. They are at all levels of management and business operations, and cross-partner, vendor, and supplier relationships throughout the extended enterprise. 

This requires that all the organization’s compliance policies be clearly communicated and understood by the front lines of the organization. The scenarios of risk and compliance exposure across business operations and frontline employees are unlimited. Some involve malicious employees, others could be inadvertent mistakes, while some scenarios involve an activity that employees should catch and report. 

The organization must effectively engage employees and educate them about compliance and policies in the context of their role in the organization. The challenge is that organizations need to find a way to get everyone involved and adhere to policies to build integrity across the whole organization and the extended enterprise.

Inevitable Failure of Policy & Training Management

Policy and training matter. Compliance communications, attestations, and disclosures matter. However, when you look at the typical organization you would think policies and compliance processes are irrelevant and a nuisance. 

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, disclosure, and training. An ad hoc approach to compliance, policy and training management exposes the organization to significant liability. 

This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. 

To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what disclosures were made, what exceptions were granted, and how policy violation and resolution was monitored and managed. 

The user experience for policy management has been typically poor in most organizations, resulting in time-consuming and redundant processes, a check-box mentality, and a lack of centrally coordinated efforts for policy and compliance communications. 

Organizations have ended up with multiple sources of policy, training, surveys, assessments, disclosures, attestations, and issue reporting. Interaction with these systems has consumed human and financial capital. Communication is often inconsistently logged in documents and spreadsheets if they are logged at all. 

There is no coordination of policy communication and training and no way to prioritize messages and employee tasks. The result is emails and documents that fly about, slip through cracks, are never responded to, or are simply forgotten. 

A typical organization may have over two dozen policy portals that are file shares, SharePoint sites, and other intranet sites that struggle with rogue, out-of-date, and inconsistent policies that open the floodgates of liability as they are mismanaged instead of protecting the organization as they should. 

One organization found that eighty per cent of their compliance staff time was spent managing and chasing documents and emails for compliance and not actually managing compliance. Another organization spent two hundred hours building an annual report on compliance because all the data was trapped in thousands of documents and emails that had to be aggregated, tabulated, and then reported on. 

If compliance, policies, and training programs don’t conform to a structured process, defined audit trail and system of record, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support, organizations are not positioned to drive desired behaviours in corporate culture or enforce accountability in compliance, ethics, and the new era of corporate integrity with ESG: environmental, social, governance.

With today’s complex business operations, global expansion, and the ever-changing legal/regulatory and compliance environments, a well-defined compliance, policy, and training management program is vital to enable an organization to effectively develop and maintain compliance and adherence to values, and to govern with integrity. 

COGNITIVE GRC: Enabling Regulatory Change Management

Keeping up with regulatory content can be a challenge. The constant changes in today’s regulatory environments translate to a growing burden on organizations in terms of the number of regulations they face and their scope. Many organizations do not possess the necessary regulatory change management infrastructure and processes to address these changes and, consequently, find themselves at a competitive disadvantage and subject to regulatory scrutiny and losses that were preventable. These organizations can greatly benefit from moving away from manual and ad hoc process changes and toward a system specifically designed to manage those changes comprehensively and consistently. Such a system gathers and sorts relevant information, routes critical information to subject matter experts, models and measures potential impact on the organization, and establishes personal accountability for action or inaction. This is enabled with GRC 5.0 – Cognitive GRC technologies that leverage artificial intelligence to provide greater levels of automation.

Many organizations either hire a lot of compliance/legal experts to comb through mountains of regulatory data, or they subscribe to regulatory content subscriptions that do this. This is changing with the role of artificial intelligence applied to a GRC context (Cognitive GRC). Natural language processing, predictive analytics, and robotic process automation make regulatory change management more efficient, effective, and agile for the organization. The U.K.’s FCA Rulebook stacks to six feet tall; this would take a human a year or more to read. A machine can read it, sort it, categorize it, and link it in under a minute. Not only is a machine faster at reading regulations, but it is also more accurate. One Chief Ethics and Compliance Officer (CECO) told GRC 20/20 that they found natural language processing 30% more accurate in reading, sorting, categorizing, and linking/mapping regulations/requirements than humans. A machine stays focused; there is no mind to wander and get distracted.

Cognitive GRC technologies enable a GRC architecture for regulatory change management. Leading solutions in this area are being used to gather regulatory information, weed out irrelevant information, and route critical information to SMEs responsible for making a decision on a particular topic. This, at a minimum, requires workflow and task management capabilities, but in mature systems it is enabled by artificial intelligence. The old way of hiring an army of subject matter experts as aggregators to manage regulatory profiles and provide data about relevant new developments is being replaced, or at least supplemented, by cognitive technologies. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process supported by artificial intelligence technologies that read and analyze changes and their impact on the organization’s processes, policies, and controls.

Specific capabilities to be evaluated in solutions for regulatory change management include:

  • Regulatory intelligence content. Cognitive solutions provide integration and automation with artificial intelligence platforms built for regulatory change to conduct horizon scanning: searching for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory-related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up to date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
  • Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. Built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations.
  • Content management. The solution should be able to catalog and version regulations, policies, risks, controls, and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods and obsolescence rules that can be set for regulations.
  • Business impact analysis. The system needs to provide functionality to identify the impact of changes of regulations on the business environment and its operations, and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed, or deactivated, the solution assesses the impact of the change and sets up the appropriate responsive actions.
  • Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications. Mapping is another area where artificial intelligence/cognitive technologies are providing greater efficiency and effectiveness value for regulatory change management.
  • Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
  • Audit trail and accountability. It is absolutely necessary that the regulatory change management solution have a full audit trail to see who was assigned a task, what they did, what was noted, when notes were updated, and what was changed. This enables the organization to provide full accountability and insight into who reviewed regulations, how, and when; to measure the impact on the organization; and to record what actions were recommended or taken.
  • Reporting capabilities. The solution should provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are, and more. Additionally, by linking regulatory requirements to the various other aspects of the platform – including risks, policies, controls, and more – the reporting should provide an aggregate view of a regulatory requirement across multiple organizational units and business processes.
  • Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.

Ask GRC 20/20, in our coverage of the market as an analyst, what solutions are available for regulatory change management and what differentiates them for your specific needs:

Cognitive GRC (GRC 5.0): Enabling Enterprise Risk Agility & Resilience

Organizations need to be agile, not just resilient. Agility is the ability to see what is coming at the organization and to adjust and navigate so the organization can use its environment to its advantage, seizing opportunities while avoiding or mitigating hazards and harms. Resiliency is the ability to spring back and recover from an event and minimize loss and exposure. Both are needed in today’s dynamic business environment, but there needs to be a focus on agility and not just resiliency. 

Take the analogy of running. If I am running down the street and trip over a pothole or curb, resilience is how quickly I can recover, get up, and start running again. Agility is seeing the obstacle coming on the horizon, a curb or pothole, and leaping over it, going around it, or, if I am doing some type of parkour, using it to my advantage to spring into a flip and amaze all those around me. 

We are migrating from the era of GRC 4.0 – Agile GRC to the new era of GRC 5.0 – Cognitive GRC. Agile GRC is still there and is the foundation for Cognitive GRC. Agile GRC is a complete re-architecture of GRC to be flexible, adaptable, configurable, and intuitive while increasing efficiency, effectiveness, and agility. Agile GRC technologies have a lower total cost of ownership in both implementation and ongoing maintenance, and they do not break on upgrades. They replace older legacy GRC software that struggled with these issues. 

Cognitive GRC, GRC 5.0, builds on Agile GRC by leveraging cognitive technologies such as machine/deep learning, predictive analytics, natural language processing, neural networks, blockchain, and robotic process automation to make GRC processes even more efficient, effective, and agile in today’s dynamic, disrupted, distributed business environment. 

It is with Cognitive GRC that we can contextualize current operations and data to see the risks, controls, gaps, issues, and the like that operationally impact us now or in the near future, increasing our resiliency. It is with Cognitive GRC that the organization can conduct horizon scanning of risks, opportunities, and regulations that are starting to trend one, two, or three years out, prepare scenarios for scenario analysis, and so achieve greater agility in navigating the environment and preparing the organization.

I am excited to see new capabilities being added on to Agile GRC solutions to achieve and deliver on the vision I have had for Cognitive GRC for several years. These solutions make organizations more agile and resilient in regulatory change, risk trending/monitoring, control and process automation, assurance, and much more. 

As you look to upgrade or implement GRC related solutions (whether focused on a specific area or a broad enterprise platform), it is critical that you include requirements for Cognitive GRC so the organization keeps its edge in an environment that is fraught with risk and disruption. 

In the words of the physicist Fritjof Capra,

“The more we study the major problems of our time, the more we come to realise that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

It is with Cognitive GRC that we can start seeing and reacting to these systemic risks in real-time as they develop on the horizon or impact us operationally in the here and now. 

ESG: The Foundation is Built on Policies

I have been advising organizations on strategy, process, and technology related to ESG for over fifteen years. Of course, it has not been called ESG for that long. It was CSR (corporate social responsibility), social accountability, sustainability . . . now it is ESG. ESG has a lot more focus and momentum than its previous iterations. It has teeth from corporate investors, regulators, stakeholders and even employees and clients. 

Today, I am at the Interact 2022 conference in Nashville. I did one session on ESG and following that another session on policy management. The interesting thing is the one, ESG, is built on the other, policy management. 

ESG is built on the policies of the organization. From the code of conduct down into the range of policies that govern the environment, health and safety, inclusivity, diversity, privacy, labor standards (e.g., child labor, forced labor, working conditions), anti-bribery and corruption, transparency, security, and many more. These all establish the framework for what ESG is in the organization. 

The starting point of building an ESG program is doing an inventory of all policies related to the many aspects of E-environment, S-social, and G-governance. The organization has policies in these areas today. There may be gaps, but ESG starts with understanding what policies are in place today that are part of ESG, then identifying the changes needed to these policies, and writing new, or revising existing, policies for any gaps the organization has. 

It is against policies, and their enforcement and adherence, that the organization’s ESG integrity is measured. Only on the foundation of established written codes of behavior and boundaries of conduct can an ESG program be assessed, measured, monitored, and reported upon. 

Simply put: you cannot have an ESG program without policies. Therefore, well-written policies and good policy management practices are an essential foundation to an ESG program in an organization.

However, it is not just well-written policies that are important; they must also be communicated to, and engaged with, employees and third parties (e.g., vendors, suppliers) to be effective in the organization. Policies are only as good as the awareness and enforcement of them in the environment. It is through policy engagement that true ESG cultural transformation is done. 

The challenge is that organizations will often find that their policies are a mess and policy management even more of a mess: different departments have different portals, templates, file shares, and more. Many organizations do not even know what policies they have. 

If you are going to start an ESG strategy and program in your organization, I suggest you start with a good inventory of your current policies, map them to your ESG risks and framework, clean them up, provide consistent management and monitoring of policies leveraging technology designed for policy management, and deliver a single portal of all the organization’s policies to your employees, again through technology designed for policy engagement. You cannot do ESG without addressing your policies and the management of them.