Navigating Chaos

Below is Michael Rasmussen’s article found in the Autumn 2019 issue of Enterprise Risk, published by the Institute of Risk Management (The IRM).

The physicist Fritjof Capra once said, “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.” Capra was making the point that biological ecosystems are complex, interconnected and require a holistic contextual awareness of the intricacy in interconnectedness as an integrated whole – rather than a dissociated collection of systems and parts. Change in one area has cascading effects that impact the entire ecosystem.

This interconnectedness and a demand for a 360° contextual awareness apply to the world of business. Organisations need to see the intricate relationships of objectives, risks and boundaries of the enterprise. Business operates in a world of chaos. In chaos theory, for instance, the “butterfly effect” means that something as simple as the flutter of a butterfly’s wings in the Netherlands could create tiny changes in the atmosphere that have a cascading and growing force that ultimately impacts the development and path of a hurricane in the Gulf of Mexico. A small event develops into what ends up being a significant issue.

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalisation, distributed operations, competitive velocity, technology and business data encumber organisations of all sizes. Keeping business strategy, performance, uncertainty, complexity and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.

This challenge is even greater when risk management is buried in the depths of departments and approached from a compliance or audit angle, and not as an integrated discipline of decision-making that has a symbiotic relationship with performance and strategy. Organisations need to understand how to monitor risk-taking, measure whether the associated risks taken are the right risks and review whether risks are effectively managed.

Holistic

Today’s organisations have to have holistic visibility and 360° contextual awareness of risk in the context of objectives across the enterprise. The complexity and intricacy of business, and the interconnectedness of risk and objectives, require that the organisation implement a governance, risk management and compliance (GRC) management strategy. GRC, by official definition in the GRC Capability Model, published by OCEG, is: “a capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].” This definition of GRC provides the framework for what the think tank OCEG calls principled performance. There is a natural flow to the GRC acronym. Governance sets the context by defining the objectives of the organisation. These can be entity-level objectives, or division-, department-, process-, project- or even asset-level objectives. It is the evaluation and establishment of objectives that provide the context for risk management. Without context, risk management fails.

Risk management assesses and monitors risk to objectives within the context of governance to take action on risk through identification, analysis and then treatment (risk acceptance, avoidance, mitigation or transfer). ISO 31000 defines risk as the “effect of uncertainty on objectives”, providing a natural flow and integration of governance into risk management.

Compliance provides boundaries to frame risk management. Risk management, by itself, is neutral and analyses options. A risk assessment may very well determine that the organisation most likely can get away with an unethical course of action. Compliance frames the ethical principles as well as the obligation boundaries (for example, regulatory requirements, contractual commitments or corporate social responsibility values) for risk management to work within. Compliance provides the follow-through on risk treatment plans to ensure that risk is managed within limits and that controls are in place and functioning. Risk management fails without compliance, as compliance is needed to ensure controls are in place and operational to mitigate risk.

Three legs

The components of GRC provide the three legs of the stool that offer support and stability to the business and its operations. You take one leg away and the stool is no longer stable. It takes all three elements of governance, risk management and compliance working together to provide stability and balance for the organisation.

Every organisation does GRC today. They may call it enterprise risk management (ERM), operational risk management (ORM) or integrated risk management (IRM). Some may not have a name for it. Every organisation is doing GRC, no matter what they call it. You will not find an organisation that states it does not govern the organisation, that risk is not managed and that compliance is neglected. The question is, how mature is the organisation’s GRC capability? Is it a reactive and disconnected process, with departments going in many directions with much redundancy? Or is it a mature process, integrated and coordinated across the organisation, that aims to deliver on agility, efficiency and effectiveness of GRC-related processes in the context of organisational strategy, performance and objectives?

The research organisation GRC 20/20 has identified two approaches that organisations take to manage GRC – anarchy and federated. Anarchy is based on ad hoc department silos. This is when the organisation has departments doing different yet similar things with little to no collaboration between them. Distributed and siloed GRC management initiatives never see the big picture and fail to put risk management in the context of organisational strategy, objectives and performance. The organisation is not thinking big picture about how GRC management processes can be designed to meet a range of needs. An ad hoc approach to GRC management results in poor visibility of the organisation’s relationships, as there is no framework for bringing the big picture together; there is no possibility of being insightful about risk, compliance and performance. The organisation fails to see the web of risk interconnectedness and its impact on performance and strategy, leading to greater exposure than any silo understood on its own.

Federated GRC is an integrated and collaborative approach. The federated approach is where mature organizations will find the greatest balance in a collaborative and connected view of GRC management and oversight. It allows for some level of department and business function autonomy when needed, but also focuses on a common governance model, processes and architecture that GRC functions across the organization can participate in. A federated approach increases the ability to connect, understand, analyze and monitor connectedness and underlying patterns of performance, risk, and compliance. Different functions participate in GRC management with a focus on coordination and collaboration through common processes and integrated technology architecture.

Maturity

The primary directive of a mature GRC management capability is to deliver effectiveness, efficiency and agility to the business. This is in the context of managing the breadth of risks to organisational performance, objectives and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions and information to enable transparency, discipline and control of the ecosystem of risks and controls across the extended enterprise. Organisations need a mature GRC capability that brings together a coordinated strategy and processes. This is supported by a strong information and technology architecture that provides an integrated view of objectives, risks, compliance, controls, events and more.

However, what confuses organisations is that they think GRC is about technology. That is putting the cart before the horse. GRC is about a capability delivered through a coordinated strategy and processes across the organisation. Technology enables these processes to work together and function, but it does not define them. Too many organisations think GRC is something they purchase. GRC is not something you buy; it is something you do: GRC is the actions and activities of governance, risk management and compliance. There is technology for GRC, and we often call this integrated or enterprise GRC platforms. However, these solutions are not GRC in themselves. Nor is there any single technology solution that does everything GRC. There can and should be a central core GRC platform that connects the fabric of governance, risk management and compliance processes, information and other technologies together across the organisation. This architecture is the hub of GRC management and must be able to integrate and connect with a variety of different systems and enterprise applications to deliver on GRC.

Successful GRC management requires the organisation to provide an integrated process, information and technology architecture. This helps to identify, analyse, manage and monitor GRC, and to capture changes in the organisation’s risk profile from internal and external events as they occur. Mature GRC management is a seamless part of governance and operations. It requires the organisation to take a top-down view of risk linked to objectives, led by the executives and the board. It also involves bottom-up participation, where business functions at all levels identify and monitor uncertainty and its impact on objectives. While that may sound like hard work – and it is – organisations that get a good grip on their GRC initiatives have a much better chance of thriving in today’s complex business world.

BENEFITS OF GRC

Organisations striving to improve their GRC management capability and maturity in their organisation will find they are more:

  • Aware. They have a finger on the pulse of the business and watch for a change in the internal and external environments that introduce risk to objectives. Key to this is the ability to turn data into information that can be, and is, analysed and shareable in every relevant direction.
  • Aligned. They align performance, risk management and compliance to support and inform business objectives. This requires continuously aligning objectives and operations of the integrated GRC capability to those of the entity, and to give strategic consideration to information from the GRC management capability to affect appropriate change.
  • Responsive. Organisations cannot react to something they do not sense. Mature GRC management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to uncover what an organisation needs to know to make the right decisions.
  • Agile. Stakeholders desire the organisation to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organisation is headed in the wrong direction. GRC enables decisions and actions that are quick, coordinated and well thought out. Agility allows an entity to use GRC to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.
  • Resilient. The best-laid plans of mice and men fail. Organisations need to be able to bounce back quickly from changes in context and risks with limited business impact. They need sufficient tolerances to allow for some missteps and have the confidence necessary to adapt and respond to opportunities rapidly.
  • Efficient. They build business muscle and trim the fat to rid expense from unnecessary duplication, redundancy and misallocation of resources; to make the organisation leaner overall with enhanced GRC capability and related decisions about the application of resources.

Michael Rasmussen is an Honorary Life Member of the IRM and an internationally recognised pundit on governance, risk management and compliance (GRC) and founder of GRC 20/20 Research, LLC.

The 3 Lifecycle Stages of Vendor Security Risk Management: Ongoing Monitoring

This is the second of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the ongoing monitoring process.

Too often organizations conduct security due diligence when onboarding a third party (e.g., vendor, supplier, outsourcer, service provider, consultant) and fail to monitor security throughout the lifecycle of the relationship. Ongoing security monitoring throughout a relationship is critical to protect the organization.

Organizations are dynamic; they are in a constant state of change. Regulations are changing, risk is changing, and internal business processes, employees, and technology are changing. As much as an organization’s own business has changed, it is important to remember that each and every third party it does business with has changed as well.

A third party might have been the right third party to contract with two years back, but are they still the right third party? Are they current with security controls and processes? A third party, over the course of time, has evolving oversight, processes, employees, and technology. What might have been a secure relationship a year ago, or several years ago, may not be a secure relationship today.

This is further complicated by the fact that security impacts a wider range of third parties than it has in the past. It used to be that it was predominantly IT vendors that posed an information security risk. Today, in the interconnected digital economy, any third party providing a service to any part of the business may be connected to the organization’s network and have access to information. The Internet of Things further complicates this, as the microwave in the break room now poses a security threat when in the past it did not.

Five Necessities of Security Monitoring

Organizations need to have established processes in place to monitor security throughout the lifecycle of a relationship. This includes . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]

The 3 Lifecycle Stages of Vendor Security Risk Management: Onboarding

This is the first of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on steps to achieve a proper and friction-free onboarding process.

The Vendor Relationship: Stages in the Lifecycle

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected mess of relationships and connections that span traditional business boundaries. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees, but are third parties such as contractors, consultants, temporary workers, outsourcers, service providers, and vendors.

An organization can face disruption and disaster by establishing or maintaining the wrong business relationships. Third party security problems are the organization’s problems; they directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of security arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Today’s organization requires complete situational and holistic awareness of third party security and its connection to and impact on operations, processes, transactions, and data. It has become essential that organizations govern third party relationships throughout the lifecycle of the relationship:

  1. Onboarding
  2. Ongoing monitoring
  3. Offboarding

Today we will look at the first stage of onboarding a third party relationship, ensuring the organization is doing business with the right third parties as they are brought onboard before network connections are established and data shared. 

Approaches to Onboarding

There are a variety of approaches to onboarding as part of . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]

Compliance Disclosure Solutions: Separating the Simple from the Advanced

GRC 20/20 is seeing a growing demand for compliance management technologies from the Corporate Compliance and Ethics department (e.g., Chief Ethics and Compliance Officer, Chief Compliance Officer). This demand spans from a broad compliance management platform to manage the range of compliance tasks and activities, to focused solutions in areas such as policy management, third party GRC (e.g., vendor/supplier), issue reporting and case management, and the area of compliance disclosures management.

The inquiries on Compliance Disclosure Management solutions are increasing as organizations look to get a handle on areas such as Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas of compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is the focus. Some are purpose-built for a specific disclosure area such as Conflicts of Interest, and are not intended to be a platform to address a range of compliance disclosure areas. Others are broad disclosure platforms that are highly agile, where the organization can adapt fields and customize forms, workflow, tasks, and reporting to meet a range of compliance disclosure areas. Still others operate as a module in a broader compliance management platform (or GRC platform), where disclosures can be managed and cross-referenced to policies, regulations, risks, assessments, and cases.

GRC 20/20 separates Compliance Disclosure Management solutions in the market into basic and competitive solutions, but then also distinguishes advanced capabilities that separate competitive solutions in the market.

  • Basic compliance disclosure management solutions. These are solutions, and there are many of them, that address the basic forms, workflow, and task management of compliance disclosures management with some basic reporting capabilities. They can present a disclosure form, capture attestations, and route the form through a workflow for review and approval/denial. Most often, but not always, they focus on a single compliance disclosure area such as Conflicts of Interest.
  • Competitive compliance disclosure solutions. These are the solutions that most often come up in RFPs and have stronger capabilities to manage a breadth of compliance disclosures in the organization. They have more advanced reporting capabilities and provide a stronger portal for the configuration and customization of disclosures. Some key capabilities of competitive solutions are:
    • The ability to manage a breadth of disclosure types
    • Configurable and adaptable to the organization’s specific needs down to the field and value level
    • Strong graphical workflow builder and task management that allows for parallel as well as linear workflows
    • The breadth of templates for forms and reports on disclosures
    • Strong dashboard and reporting engine with pre-built reports as well as the ability to do custom reports
    • The ability to present the relevant policy, gather attestation to the policy and provide the training with the disclosure
    • Provide for regularly scheduled/periodic disclosure campaigns as well as the ad hoc/triggered disclosures when they arise
    • Ability to manage and document disclosures that are exceptions/exemptions to the defined policy and regularly track and monitor them
    • Provide a robust and legally defensible audit trail/system of record of disclosure related activities
    • Allow for attachments, such as documents/evidence, to disclosures

However, what really separates Compliance Disclosure Management solutions in the market are the advanced capabilities. These include:

  • Disclosure forms and workflow that are highly configurable by the average business user (e.g., citizen developer) without extensive IT knowledge
  • Advanced workflow based on disclosure type and role (e.g., hierarchical workflows)
  • Integration with other business systems, such as HR management systems, to populate information and provide information consistency between systems, or to integrate with ERP systems to pull up transaction history for disclosures related to gifts and entertainment to a particular entity in the past
  • Advanced reporting capabilities, including regulatory reporting in which reports are automatically generated in the format specific regulators are looking for (e.g., securities industry reporting for COI)
  • The ability to define and manage disclosure campaigns to broad and specific employee audiences
  • Integration with policy and training so the disclosure form also includes the written policy as well as training on the policy
  • The ability to provide anonymous reporting on issues related to compliance disclosure
  • Risk management capabilities to measure risk and track key risk indicators (KRIs) related to disclosures
  • Mobile interface/application where disclosures can be reported on smartphones and tablets
  • Collaborative engagement that allows disclosure reviewers and disclosers to communicate and interact back and forth to ask questions and provide more information
  • The ability to provide confidential notes that are encrypted and protected by the disclosure reviewer(s)
  • Provide for follow-up tasks and action items that may be scheduled out in advance to follow up on disclosures that were approved but need closer monitoring or other activities

These are some of the advanced capabilities that I am encountering regularly. If you are looking for or evaluating Compliance Disclosure Management solutions, feel free to submit an inquiry to GRC 20/20 . . .

Understanding Third Party GRC Maturity: Defined Stage

A haphazard department- and document-centric approach to third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

Today we look at Stage 3, the Defined level of Third Party GRC.

The Defined stage suggests that the organization has some areas of third-party GRC that are managed well at a department level, but it lacks . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

Policy & Training Engagement in a Millennial Generation

As the only analyst covering the range of policy and training management solutions as its own segment of the Governance, Risk Management, and Compliance (GRC) market, I am asked several times a month who is providing the next-generation portal that integrates both policy communication and the training related to the policy into one portal. The answer is very few.

Organizations need to rethink how they are managing and communicating policies in their environment. Haphazard approaches that scatter policies across different internal websites and portals in different formats are not relevant to today’s workforce and handicap the organization in managing policy communication and awareness in an era that requires complete visibility, operational effectiveness, and understanding of policies. This is particularly true of the millennial generation.

The young and advancing workforce is highly reliant on mobile technologies and integrated experiences. You go out to Facebook and you can watch a YouTube video right there in Facebook. You do not need to click on a link and bounce out to a completely different site to watch the video. Organizations need to integrate policy and training into one portal to engage the front lines of the organization. This portal needs to be interactive, mobile, and highly engaging in bringing policies and training together in an integrated experience. As regulators and law enforcement advance the focus on policies and training as the measurement of an operationally effective compliance program, this is not a nice-to-have but an essential.

The pillars of an engaging and integrated policy and training portal are that it is:

  • Unified. Employees come to one policy and training portal to find everything needed. Policies are not just documents but integrated resources & tools. Video and resources are integrated alongside written policy.
  • Relevant. The policy portal reflects changes in employee role and context. The most critical “need to know” policies are easy to find. Users can customize and organize the policy portal to their needs.
  • Interactive. Understanding is increased through embedded media. Games, scenarios and interactive content are used to reinforce key points within policies. Pop-ups provide access to definitions & resources in written policies.
  • Social and Personable. Employees can share policies and provide comment and interaction on policies. The portal makes it easy for employees to get questions answered. The employee has a corporate avatar that is linked to badges and progress in policy and training tasks.

I am presenting a webinar tomorrow, Wednesday, August 28th, on this very topic:

Next week, on August 4th, I am presenting on best practices in policy management:

The GRC 20/20 Policy Management by Design Workshops that dive deep into an interactive and engaging workshop on policy and training management are scheduled for the following cities and dates:

I have two roundtables coming up specifically for financial services on policy management:

GRC 20/20’s flagship research piece on effective, efficient, and agile policy management is:

Please share your thoughts and experiences on engaging employees on policy and training management . . .

The Rhythm of Risk: Managing Risk Throughout the Context of Business

Writing about risk management is like trying to have an intelligent conversation today about religion or politics.

Individuals in the risk management community have polarized views, and if someone does not agree with you 100%, you end up in the crosshairs of an attack. It is sad. Instead of intelligent discussion where we can come together and learn, there are many ready to pounce if you do not express their exact ideology. Some view risk management as purely top-down from objectives and strategy; others are risk professionals down in the bowels of the organization looking bottom-up. Some feel that risk registers, risk appetite, and other aspects of traditional risk management are meaningless; others see these as the core part of how they have managed risk. Some hate heat maps and qualitative approaches; others live by them. Some, I feel, are simply trying to relabel corporate performance management as risk management, instead of seeing that risk management is a part of performance management.

While I feel there is objective truth when it comes to matters of religion/theology . . . what if that was not the case for risk management?

  • What if the best approach to risk management brought together the top-down and the bottom-up?
  • Used both quantitative and qualitative methods?
  • Leveraged risk registers but did not get locked into thinking only in their context?
  • Knew the weaknesses of a heat map and how to overcome them while still using it as a visualization tool?

My view of risk management is that all sides of the debate have something valid to bring to the table. To truly do enterprise risk management requires a 360° contextual awareness of risk in the context of performance, objectives, and strategy as well as day to day operations and hazards of the business. Organizations need both a top-down view of risk management in the context of strategy and objectives as well as a bottom-up view of risk down in the weeds of operations and hazards. Good risk management requires both.

My favorite approach to risk management I have encountered in my research was with Microsoft when Brad Jewett was the ERM Director there from 2003 to 2008 (I cannot speak to Microsoft today as I have not interacted with them recently; Brad is now the CFO of Corel Corporation). I have served with Brad as an OCEG Fellow over the years and have a deep respect for him as a risk management professional. Brad defined his approach to risk management at Microsoft as ‘The Rhythm of Risk.’ This he defined by his desire to integrate risk management into daily decision making that would follow the corporate calendar for key processes such as multi-year strategic planning, annual planning, mergers and acquisitions, audit planning, SEC reporting, investor communications, product and service roadmaps, etc. It was an aspirational agenda, but it set the tone and expectation that risk management was a priority that should influence and be integrated into the way things get done every day. This included the strategic as well as the operational. The top-down as well as the bottom-up.

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see the individual risk (the tree), as well as the interconnectedness of risk to strategy and objectives (the forest). Many organizations are asking for this to go even deeper, as they need to see the leaf and branch as it connects to the tree, and how it is part of the forest.

Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential, and sometimes chaotic, relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system the effect is proportional to the cause; in the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result is often exponential to unpredictable.

Mature risk management enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both top-down view of risk to objectives as well as a bottom-up view of risk within operations and processes. It can integrate internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling.

Successful risk management requires the organization to provide an integrated process and information architecture. This helps to identify, analyze, manage, and monitor risk, and capture changes in the organization’s risk profile from internal and external events as they occur. Mature risk management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, that is not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk down in the depths of the business.

Organizations striving to increase risk management maturity in their organization need to be:

  • Aware. They need to have a finger on the pulse of the business and watch for changes in the internal and external environments that introduce risk. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
  • Aligned. They need to align performance and risk management to support and inform business objectives. This requires continuously aligning objectives and operations of risk management to the objectives and operations of the entity, and to give strategic consideration to information from the risk management capability to affect appropriate change.
  • Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of the information that drives decisions and actions and improves transparency, but it also quickly cuts through the morass of data to what an organization needs to know to make the right decisions. This requires that the organization have a bottom-up view of risk as well as the top-down.
  • Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Mature risk management enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
  • Resilient. The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They desire to have sufficient tolerances to allow for some missteps and have the confidence necessary to rapidly adapt and respond to opportunities.
  • Efficient. They want to build business muscle and trim fat to rid expense from unnecessary duplication, redundancy, and misallocation of resources; to make the organization leaner overall with enhanced capability and related decisions about the application of resources.

My point is simple: there are many perspectives on risk management that, brought together properly and in balance, can really build an effective and mature risk management program. While there are issues with qualitative methods, heat maps, and risk registers, that does not mean they are useless. They need to be used effectively, with their issues and weaknesses understood. The same goes for a complete top-down view of risk management that only focuses on objectives and misses the hazards and issues that lie in the depths of the weeds of the organization and can cause significant harm. The best world is one that brings the strengths of all of these together and avoids throwing the baby out with the bathwater.

I will be presenting my views on how risk management technology enables and matures risk management capabilities in the webinar tomorrow:

I will be presenting my views on how organizations can mature their risk management capability in the webinar this Wednesday:

GRC 20/20 also has the upcoming Risk Management by Design Workshops:

GRC 20/20 has also just updated its flagship research paper on this topic:

Understanding Third Party GRC Maturity: Fragmented Stage

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

Today we look at Stage 2, the Fragmented level of Third Party GRC.

The Fragmented stage sees departments with . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found on the Aravo site; follow the link below to read more]

Policy Management Tips for Companies in Asia

On 30th July, ClauseMatch hosted a Policy Management Workshop with Governance, Risk & Compliance (GRC) expert Michael Rasmussen in Singapore, the first in our global series, which aims to provide a blueprint for attendees on effective policy management in today’s dynamic business, regulatory and risk environment. We caught up with Michael after the workshop to hear his summary of the main event.

ClauseMatch: Firstly, let’s recap on why we’ve decided to host a workshop in Singapore (our first in Asia).

Michael: Singapore is one of Asia’s most important business and financial hubs. There are many multinational companies based here that have operations across the region, which presents a significant challenge for compliance and risk officers in terms of policy management, particularly when you take into account the different jurisdictions and regulations that need to be complied with. 

ClauseMatch: Are there any major regulatory changes on the horizon that companies need to be aware of here in Singapore?

Michael: In April 2018 the . . .

[the rest of this article can be found as a guest blog that GRC 20/20 was part of on www.clausematch.com]

Understanding Third Party GRC Maturity: Ad Hoc Stage

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

Today we look at Stage 1, the Ad Hoc level of Third Party GRC.

Organizations at the Ad Hoc stage of maturity have . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found on the Aravo site; follow the link below to read more]