
Being Unprepared for the Crisis Does Not Make it a Black Swan

I may be going out on a limb and stepping on a lot of toes here, and possibly frustrating some careers and reputations among risk managers. Simply put, this global pandemic is not a black swan event. I am finding too many GRC professionals, and specifically risk management professionals, trying to cover their behinds by claiming that the pandemic is a black swan. Being unprepared for a risk does not make the risk a black swan.

You may ask what is a black swan?

A black swan is defined as an unforeseen, unpredictable event that has a significant impact on the organization (or industry, or economy). The term refers to the fact that in Europe it was understood that all swans, as in the bird, were white. There was no concept of a black swan. Then explorers overseas found black swans and changed the paradigm of what a swan is.

The truth is that we have had pandemics in the past. We have had threats of pandemics. We have been warned countless times about it:

The reality is that this should have been on the ‘risk radar’ of organizations, but for many it was not. Now a lot of risk managers are trying to deflect scrutiny by claiming it was a black swan. Again, being unprepared for a risk does not make it a black swan.

I find that too many risk management programs (e.g., corporate risk management, enterprise risk management, operational risk management, GRC, IRM . . . pick your favorite label) have been hijacked by IT security, a department that really does not understand environmental, health and safety, and other risk areas that have a potentially big impact on the organization and its objectives. If we look at the WEF Global Risks Report, the top risks the world faces are environmental risks and health and safety risks.

Don’t get me wrong, IT security is a huge risk area, and one of great concern that can impact the organization’s objectives. My issue is that too many risk management programs have focused on IT security to the point of being unbalanced, and have ignored other risks such as the pandemic we now face.

I would like to see the organization that has been tracking this: the one that, on its corporate risk heat map (I am not a particular fan of heat maps and find them misleading and misused), tracked this six months ago as a high impact, low likelihood event and can show how its risk monitoring moved this risk, month by month and then week by week, to a high impact, high likelihood event. I would estimate that 99.9% of organizations have failed to track and monitor this risk with regular reporting at the board and executive level. Which of these organizations have actually quantified the risk and its various scenarios, putting actual numbers on the risk and its impact on the organization? Which organization has the best case study in how it has historically monitored this type of risk and been the best prepared for it?

I remember a decade back, coming out of the Swine Flu pandemic that cost 200,000 lives, that many organizations were building continuity plans and even doing cross-industry table-top exercises and scenarios to prepare for the next pandemic. Were any of the organizations that did that work then ready now? Most closed the ledger on even recent history in their risk planning and monitoring.

Coming out of this crisis, we will see enterprise risk strategies that are more balanced with a broader understanding of risks to the organization’s objectives. Environmental, health and safety, quality, supply chain/procurement, and others will have a stronger and more active role at the enterprise risk management roundtable of the organization.

We are also going to see a lot of regulation across industries and around the world come out of this that is focused on operational resiliency. This is already happening in the financial services industry in the United Kingdom with the Operational Resiliency requirements from the FCA, PRA, and Bank of England. I predict we will see operational resiliency regulation that requires an integrated approach to operational risk and business continuity across industries and geographies.

What are your thoughts on this crisis and how unprepared organizations are but should have seen this coming?

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . . 


Communicating Policies in a Time of Crisis

Policies are critical documents in organizations. They define how business is to be conducted as they establish boundaries and expectations for individual and process behavior. Policies enable and intersect all three elements of governance, risk management, and compliance (GRC). It is through policies that are clearly written, communicated and understood, and enforced that the organization can “reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

As the global crisis of the pandemic unfolds and impacts business operations, one of the clear areas of mismanagement being exposed is the scattered approach to policies. Organizations need to at least temporarily change policies and communicate them to a remote workforce. In this context, they are finding that they have policies and procedures scattered across many portals. One organization I just talked to found it has 20 portals for policies, each with different formats/templates and writing styles. This works against an organization that is trying to respond to a global crisis and provide a single, consistent view of policies and procedures across the organization. This is necessary to make sure there is one source of truth and that remote employees are working from the same consistent and current policies and procedures.

Even worse, many organizations I am talking to right now are finding they do not even know what policies they have in their organization. It is the Wild West – complete anarchy – as different parts of the organization have gone in different directions in writing policies. In a time of crisis, organizations are finding out that there is no master list of all of the organization’s policies and procedures. This is critically needed to be able to flag which ones need to be communicated in a time of crisis as well as modified to address changing business processes, transactions, relationships, and a remote workforce.

Already GRC 20/20 Research has seen a growing interest in enterprise policy management that provides a consistent policy on writing policies with an established policy management lifecycle to ensure that policies are documented, consistent, and available in a single portal in the organization. The need for this is becoming more apparent in the current crisis, and the demand for a singular integrated approach to managing and communicating policies across the organization is growing. This includes

  • Back office management of policies. It requires a consistent process to author, approve, communicate, manage, monitor, maintain, and retire policies.
  • Front office engagement on policies. It also mandates a consistent singular portal for an employee to access policies and procedures with related resources (e.g., training, issue reporting, helpline, forms). This portal needs to be available from the desktop and laptop down to the tablet and smartphone. And it needs to be available whenever and wherever an employee needs to access policies . . . particularly in a time of crisis.

What are your thoughts on how to manage and communicate policies in a time of crisis?

My point of view: Organizations need to be moving to an enterprise-wide view of policies that are consistent, with a consistent portal for employees to access every policy and procedure in the organization. In a time of crisis, not having a singular view into policies causes confusion and mistakes and has a direct impact on the culture and morale of employees who need guidance.

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . .


Keep Calm & GRC On!

These are crazy and uncertain times, but this does not mean governance, risk management, and compliance (GRC) comes to a halt in organizations. It is the opposite, this is the time for strong corporate governance, risk management, and compliance. This is what gets organizations through the crisis and allows them to navigate the chaos. As the British taught us in World War II, we all need to “keep calm and carry on.” That last part is critical. Now is not the time for GRC to stall in your organization but to lead. We need to KEEP CALM AND GRC ON!

The official definition of GRC is that GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].” [source OCEG GRC Capability Model] Now is the time for greater GRC strategy, practices, and processes to enable your organization to

  • reliably achieve objectives, though those may be changing in response to the environment;
  • manage uncertainty, of which these times have plenty; and
  • act with integrity in the face of changing business processes and economic conditions.

GRC strategies and infrastructure will come out of this stronger than ever. I have been a research analyst for 20 years; I saw GRC functions thrive after 9/11 in 2001, and I saw them thrive after the 2008 financial crisis. GRC related departments, processes, and technology architecture will be stronger because of the horrible global crisis we face. GRC strategies, solutions, and services are and will be in demand.

Risk management, business continuity, operational resiliency, third party GRC, and policy management are all hot topics right now that I am interacting on because of the crisis. Coming out of this we will see changes to regulations that will cause more demand for compliance management. Strategies related to ESG, EH&S, and CSR will grow in organizations because of this crisis.

How GRC Will Change in Organizations

I have been interacting on a number of inquiries this past week from organizations (across buyers of solutions as well as solution/service providers). Here are my thoughts:

  • Risk management will fundamentally change. Too often enterprise and operational risk management programs have been dominated or even consumed with IT security risk focuses. IT risk is huge and an important topic, but our most significant risks are from other areas such as environmental, health and safety.
    • Just a few months back I blogged on this, “Tale of Two Futures: Blade Runner or Star Trek?” While information security will remain a critical risk area, we are going to see more balanced enterprise and operational risk management strategies that include environmental and health/safety risks across industries.
  • Operational resiliency – integrating risk and business continuity management. The UK, in financial services, has had a specific regulatory focus on operational resiliency which requires an integrated approach to operational risk and business continuity management (as well as third party risk).
    • This is the buzz word right now and will be a global cross-industry focus coming out of this crisis. In most organizations, business continuity has been overly focused on disaster recovery from an IT focus. There will be a new focus in true business continuity management that is part of an enterprise/operational risk management program. Operational resiliency is what brings this together. 
  • Third-party risk management is a necessity. Business today is not defined by employees and brick and mortar walls. It is a complex web of relationships. The crisis is showing this.
    • Organizations need 360° situational awareness of risk and continuity in their third party relationships. This cannot just be an IT security focus but needs to be complete situational awareness of risk and continuity in the extended enterprise. 
  • Policy management is in demand. I get a lot of inquiries on policy management, but I am the only analyst that covers it as its own defined area of GRC. I have been getting inquiries on best practices and ideas on how to communicate changing policies, track understanding/acknowledgment, and monitor compliance in times of crisis. The fact is that business operations have changed this past week — this means policies and procedures have changed. The common question is how do we change and manage policies in times of crisis and then bring the organization back to a state of normal (or a new normal)?
    • There are a lot of organizations that have realized how messed up their policies are and that they need a centralized portal for all corporate policies to deal with crisis and change. When an organization has 20 policy portals scattered in different corners of the organization it makes reacting to crisis and change challenging if not impossible.
  • Look for CSR/ESG to evolve. Many organizations are doing great things to respond to the crisis, and others are failing miserably.
    • Look for a variety of lessons learned and new perspectives and initiatives in CSR/ESG particularly on matters of social accountability and responsibility in organizations. 

I would love to hear your thoughts . . .


Forrester GRC Wave = Tsunami of Confusion

I feel that I am in an alternate reality. This cannot possibly be the real world. Are we living in a DC multi-verse where there are different GRC technology realities and I am just confused as I woke up in the wrong world?

Anyone following me long knows my frustration with Gartner and the Magic Quadrant (see note at bottom on Gartner)[i]. But now Forrester?

I long praised Forrester for their Wave approach and methodology (full disclosure, I was a VP and ‘top analyst’ at Forrester from 2001 through 2007 and wrote four Waves, including two GRC Waves). Where Gartner is based on secrets and magic (I guess that is truth in advertising), Forrester discloses every criterion, weighting, and scores.

I had only one major issue with the previous Forrester GRC Wave, and I talked to the lead analyst of that report about it last June at a conference we were both at. That issue was that Forrester had a criterion that every solution evaluated had to be doing $30 million in GRC revenue, and at least one solution, LogicManager, was not. The analyst explained to me that they were grandfathered in. I replied that an exception should be documented and footnoted in the research report, because organizations were being left with the false impression that this vendor is much larger than it is. That solution is a Leader in the new GRC Wave, and Forrester has dropped the revenue criterion down to $15 million, but I still think that is a stretch. That was my only issue with the previous Wave.

Now the 2020 Forrester GRC Wave is released, and I feel that I must be in a different reality. It does not make sense. 

Before I get into that, I must state how I loathe two-dimensional representations of winners and losers such as the Forrester Wave and Gartner Magic Quadrant. These graphics have deep underlying assumptions and criteria that make some solutions winners and others losers in a single graphic. For every solution in the current GRC Wave I can think of situations where it is a good fit. A graphic that makes one solution the winner and the rest losers leads many down the road to project confusion and often failure. In fact, the last GRC Wave I wrote at Forrester in 2007 had four different Wave graphics, as the market 13 years ago was already too complex to represent in one graphic. It is time for these two-dimensional analyst graphics to die, or at least to be tied to very specific use cases based on the size/complexity of an organization and its industry.

Looking at the recently released GRC Wave, my first question is who is this Wave for?

It cannot be a representation of solutions that are delivering true integrated GRC, ERM, or ORM in Fortune 500 companies. The only way the graphic and scoring make sense to me is if it is a GRC Wave for the SMB (small to mid-sized business market). Perhaps this is the ‘undocumented’ focus of the report as their comment on ServiceNow, one of the Leaders, is that it is “a good fit for midmarket companies.” Ironically, ServiceNow does have large enterprise clients for ITSM, but I am personally not aware of any large organization using them for a full enterprise/operational risk management program in all its complexity.

This leads to the question . . . who are Forrester’s clients? From my experience, Forrester subscribers have tended to be large global organizations and not the SMB market. So is this Wave a good fit for Forrester’s actual subscribers/readers . . . I do not believe so. 

While I have a deep respect for the Leaders in the Wave, they all have their strengths and areas of focus, I cannot come up with any client references that I know of where they are truly being used for an enterprise/integrated GRC/ERM/ORM implementation in Fortune 500 companies. Yes, many of the Leaders are in Fortune 500 companies in specific use cases (e.g., audit management, internal controls, ITSM, IT risk management), but I am not aware of any large global organization in the Fortune 500 actually using any of the Leaders for a complex enterprise view of risk that aggregates and normalizes risk across the entire organization (e.g., strategic, operational, financial/treasury, compliance/regulatory, EH&S, IT). I could be wrong, but I talk to a lot of organizations and interact on a lot of RFPs every year in my market research. Forrester does not clarify the scope and since it is GRC, it can only be assumed that a broad focus of enterprise and operational risks would be a primary use case.

I do applaud Forrester for their focus on user experience, ease of implementation, cost of ownership, configurability of the solution, as well as artificial intelligence. These are areas I have carefully defined in GRC 4.0 – Agile GRC as well as the artificial intelligence capabilities coming forth in GRC 5.0 – Cognitive GRC. The next generation GRC 5.0 Cognitive GRC platform I have personally experienced in my interaction with ING in their GRC Orchestrate project in ING Labs.

If I was a Fortune 500 company looking at this Wave, I would ask the following questions:

  • What actual client references can a solution provider deliver that are using the solution for a true enterprise view of risk (not an IT-focused view of risk)?
    • You want a solution that has a proven track record at tackling the complexities of GRC/ERM/ORM in large global organizations.
  • How do these solutions do risk normalization and aggregation (which is ‘table stakes’ for a true enterprise view of risk)? 
    • Many solutions have a very flat view of risk as they were built for smaller organizations or for a specific department like IT security/risk management. They fail when you have a complex enterprise implementation. One department’s high risk may be another department’s low risk. Large organizations need a legitimate department view of risk as well as an enterprise view of risk in a solution that makes sense. To compare apples to apples and not apples to oranges you need advanced risk aggregation and normalization.
  • What are the solution’s capabilities for risk analytics and modeling?
    • Too many solutions have a very flat heat-map approach to risk, and that is a recipe for disaster. Large organizations need a variety of risk analysis techniques that require advanced analytics and modeling. You should understand the range of risk analytics and modeling capabilities in the solution (e.g., bow-tie risk analysis, Monte Carlo simulation, decision trees, FAIR, and more).
  • How does the solution show risk interrelationships or interconnectedness?
    • Risk modeling is complex in today’s dynamic business environment. You cannot depend on a solution that simply allows for a cascading risk hierarchy (e.g., a risk register). Risks have relationships across the hierarchy, and any risk may have many-to-many relationships with other risks in the hierarchy.
  • How does the solution support a top-down approach to risk management aligned with objectives?
    • The official definition of GRC is that GRC is a “capability to reliably achieve objectives while addressing uncertainty and act with integrity.” Any solution in the GRC space needs to show how it can document and manage the reliable achievement of objectives and manage risk in that context. Whether these are strategic entity objectives down into division, department, process, project, and even asset level objectives. Risk management requires context and it is the strategy and objectives of the organization that provides context for risk assessment. 
  • Does the solution have the data and application architecture to scale?
    • Large organizations require a data and application architecture that can scale to their complex environments. This means that the solution needs to be able to address varying complex and distributed organizational structures.
  • Does the solution support business process modeling?
    • The complex risk and compliance challenges of today require that organizations look for solutions that support business process modeling. The operational resiliency requirements coming out of the UK, GDPR/CCPA, and even the changes in SOX compliance over the past few years require that organizations have the capability to model and document business processes in a risk and compliance context.
  • How does the solution do quantitative risk modeling?
    • There are functional uses for qualitative risk modeling and reporting, but organizations need to be able to quantify risk. Large organizations require actual objective financial numbers to risk that are defensible and not subjective. 
  • Does the solution truly integrate and support an enterprise view of risk?
    • This may seem redundant, but it needs to be emphasized. Can the solution actually deliver a true enterprise view of risk, bringing together disparate risk areas such as strategic risks in context with the wide array of operational risks across operations, third parties, environmental, health and safety, quality, conduct, compliance/ethics, IT risk, and more? This may require integration with a range of other risk and business solutions.
  • How does the solution bring together both a top-down and bottom-up view of risk?
    • Large organizations need an integrated view of risk that aligns with the objectives and strategy of the organization (top-down) as well as the controls and risks down in the bowels of the organization (bottom-up). Too many solutions only focus on the bottom-up, and, to my previous point, often only on one or a few areas.
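To make the normalization, aggregation and quantification questions above concrete, here is an added example in Python. It is not code from the original post, from Forrester, or from any of the vendors discussed. It runs a FAIR-style Monte Carlo simulation in which each department states a loss event frequency and a per-event loss magnitude for its scenarios, the same rating rule is applied once against the department's own tolerance and once against the enterprise tolerance (so "IT security's high" and "the board's high" are measured on one scale), and the per-trial losses are summed for an enterprise view. The register, tolerances, distributions and rating thresholds are all assumed for illustration, and scenarios are treated as independent.

```python
"""Added example (not GRC 20/20, Forrester or vendor code): FAIR-style Monte
Carlo annual loss simulation with department-to-enterprise normalization and
trial-by-trial aggregation. Standard library only."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    owner: str               # department that owns and scores this risk
    events_per_year: float   # loss event frequency (Poisson mean)
    loss_median: float       # per-event loss magnitude: lognormal median (currency)
    loss_sigma: float        # per-event loss magnitude: lognormal dispersion
    owner_tolerance: float   # annual loss at which the owning department says "high"


# Constructed sample register with assumed figures; not data from any real organization.
REGISTER = [
    Scenario("Ransomware outage", "IT security", 0.3, 1_500_000, 1.0, 1_000_000),
    Scenario("Phishing-enabled wire fraud", "IT security", 2.0, 60_000, 0.8, 1_000_000),
    Scenario("Plant safety incident", "EH&S", 0.5, 4_000_000, 1.2, 2_000_000),
    Scenario("Sole-source supplier failure", "Procurement", 0.2, 40_000_000, 0.7, 5_000_000),
]
ENTERPRISE_TOLERANCE = 20_000_000  # assumed board-level annual loss appetite


def poisson(rng, lam):
    """Knuth's Poisson sampler; the stdlib random module does not ship one."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(register, trials=10_000, seed=7):
    """Annual loss samples per scenario: {name: [loss in trial 0, trial 1, ...]}."""
    rng = random.Random(seed)
    samples = {}
    for s in register:
        mu = math.log(s.loss_median)
        samples[s.name] = [
            sum(rng.lognormvariate(mu, s.loss_sigma)
                for _ in range(poisson(rng, s.events_per_year)))
            for _ in range(trials)
        ]
    return samples


def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def rating(p90_loss, tolerance):
    """One rule at every level; only the tolerance changes. Thresholds are assumed."""
    ratio = p90_loss / tolerance
    return "high" if ratio >= 1.0 else "medium" if ratio >= 0.25 else "low"


def aggregate(samples):
    """Enterprise annual loss per trial: sum the scenarios trial by trial.
    Scenarios are assumed independent; correlated ones need a shared driver or copula."""
    trials = len(next(iter(samples.values())))
    return [sum(samples[name][t] for name in samples) for t in range(trials)]


def report(register=REGISTER, trials=10_000, seed=7, enterprise_tolerance=ENTERPRISE_TOLERANCE):
    samples = simulate(register, trials, seed)
    rows = {}
    for s in register:
        p90 = percentile(samples[s.name], 0.90)
        rows[s.name] = {
            "owner": s.owner,
            "ale": sum(samples[s.name]) / trials,          # annualized loss expectancy
            "p90": p90,
            "owner_rating": rating(p90, s.owner_tolerance),
            "enterprise_rating": rating(p90, enterprise_tolerance),
        }
    total = aggregate(samples)
    enterprise = {
        "ale": sum(total) / trials,
        "p50": percentile(total, 0.50),
        "p90": percentile(total, 0.90),
        "p95": percentile(total, 0.95),
        "rating": rating(percentile(total, 0.90), enterprise_tolerance),
    }
    return {"scenarios": rows, "enterprise": enterprise}


if __name__ == "__main__":
    out = report()
    for name, r in out["scenarios"].items():
        print(f"{name:30} ALE {r['ale']:>13,.0f}  p90 {r['p90']:>13,.0f}  "
              f"{r['owner']} says {r['owner_rating']:6}  enterprise says {r['enterprise_rating']}")
    e = out["enterprise"]
    print(f"{'Enterprise aggregate':30} ALE {e['ale']:>13,.0f}  p90 {e['p90']:>13,.0f}  rating {e['rating']}")
```

Running it shows the normalization point directly: the ransomware scenario rates "high" against IT security's own tolerance and "low" against the enterprise tolerance, while the supplier failure rates "high" at both levels. A flat heat map with one "high" colour cannot express that; a dollar figure against a stated tolerance can.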

If you apply criteria around these questions you will get a completely different ranking of solutions than what Forrester delivers, but you will also find no one solution is perfect and does everything. 

Here are some other thoughts, insights, and experiences on the Forrester GRC Wave:

  • Inconsistent criticisms. I do not understand how SAI Global gets called out for having separate platforms under the hood when the dominant ‘Leader’ Galvanize has the same thing? SAI Global is working hard, like Galvanize, to bring about a consistent architecture from their acquisitions. But Forrester downplays Galvanize by referring to ‘modules’ not having the same interface, while SAI Global is criticized for separate applications. The ‘modules’ in Galvanize are separate applications, not modules. These currently are different code bases for the ACL product and Rsam products that form Galvanize HighBond with different user experiences. Galvanize is a great solution, but I find the Wave evaluation not to be consistent in evaluation.

    Forrester gives Galvanize a score of 5 on Mobile and yet highlights Mobile as an area of weakness on the commentary of Galvanize. Others, like MetricStream who have some of the largest adoptions of enterprise GRC mobility, get a score of 1. 

    Next, consider risk and control management. This is a broad category with many sub-criteria. One of the sub-criteria for the highest score required a dedicated team to maintain content. Both ServiceNow and MetricStream are criticized in their profiles for using UCF for content, yet ServiceNow still receives the highest score in the category while others do not. On the topic of content: bringing in content from authoritative sources is critical for GRC and could be a range of criteria on its own. Large organizations expect integrations with various content sources. A requirement for a GRC vendor to maintain its own content team hardly makes sense except for a few narrow use cases in IT risk where pre-mapped controls from a couple of common frameworks may be sufficient for the mid-market.

  • What are the full GRC capabilities? I am a fan of Workiva, it is doing some great things in internal control management, audit management, and policy management. But Forrester states that “one-third of customers use Workiva’s full GRC capabilities.” What are they measuring? If Forrester means internal control management, then I can agree with that. Workiva states they have 3,400 clients. Forrester scored them across risk and control management, document management, policy management, audit management, IT risk management, third-party risk management, and risk scoring. That would mean that over 1,100 companies are using Workiva for all of these capabilities? This simply is not true. Internal control management they have had for years. Other modules in their ‘full’ GRC capabilities are newer. There is no way 1,100 companies are using all these use cases scored by Forrester on Workiva. Workiva is doing some great things, but Forrester has the breadth of their use cases wrong.

  • Where are the greatest risks organizations face?  According to the World Economic Forum and Davos, the most significant risks we face are environmental risks (and with that health and safety risks with the current virus threat). Enablon has moved from a strong position in previous Waves to the back of the pack, but it is the one solution tackling and managing the most significant risks organizations are facing. Other analysts that understand this, like Verdantix, put Enablon in a clear-leader position. 

    Other analyst firms, like Chartis, that understand the range of financial and non-financial operational risk in large organizations, place IBM and MetricStream as leaders in their most recent market quadrant. RSA scores high in IT Risk with Chartis. Galvanize, ServiceNow, and LogicManager do not even appear on the Chartis quadrant as relevant, but this could be because Chartis is focusing on the challenges of large organizations and not the SMB market. I feel the Forrester scoring in the Wave may be heavily weighted to SMB organizations without clearly stating this, or to use cases predominantly focused on IT risk/security, which lowers the score and positioning of the systems doing broader enterprise/operational risk management.
  • Conflict of Interest. Another critical issue I have is the fact that this is an official research report and conflicts of interest should be documented. I am not stating there was any wrongdoing, but any conflict of interest should be footnoted for the reader. Part of any compliance program (as well as research) is managing and documenting conflicts of interest on anything that can influence bias. The fact that the lead analyst has six years in a senior role at one of the solutions being evaluated (and the one that ends up being the leader of leaders) should be documented in the report so readers can take this into account. Any research publication from Wall Street financial analysts would require management of conflicts of interest, the same should be true of industry/technology analysts. Besides, there is also experience with the solution. The lead analyst is intimately familiar with the capabilities of the new leader having worked there for 6 years, while other solutions in the Wave get a 90-minute demo?

  • That brings us to Sandbox and demos. Forrester requested a sandbox environment to go into and experience the solution. This was provided, but solutions in the Wave are reporting no logins at all to just a few minutes of activity actually in the solution. Forrester states that they only use the sandbox to validate things and not for scoring. This is a huge issue. Organizations are investing hundreds of thousands and some cases millions on software and much more on implementation and the analysts recommending the solutions are not even kicking the tires themselves. One constant criticism of Forrester in this process is the level of due diligence and response to issues in this research. Eight vendors have complained about this. How can Forrester claim to have the insight by reviewing 80 pieces of functionality in a 90-minute demo? They require a data populated sandbox but audit logs show they do not log in or just spend a few minutes looking at the solution. To make it worse, they allow only 300 characters (not words) to explain each piece of functionality/criterion in their spreadsheet answers to capabilities.

[i] At the heart of it is the fact that Gartner does not disclose any of their criteria and is becoming more dependent on recorded videos than live demos and does not actually get hands on with the products. My latest issues with Gartner were the smoke and mirrors of IRM in which the lead IRM analyst stated GRC technology has failed and now we have IRM technology when the IRM MQ had the same exact technology as GRC. What failed? If Gartner had simply come out and stated that they are now calling GRC by the term IRM, I would not have cared. Call it whatever you want: GRC, ERM, ORM, IRM, ABC, XYZ. What matters is what organizations are doing and not what they are calling it. But Gartner had to say GRC tech failed and promotes IRM technology which was the same exact GRC technology as before. Off to battle I went . . . 


360° Control Automation, Monitoring & Enforcement

Business today is changing minute-by-minute and second-by-second. Processes and technology and their configurations are changing. Employees and their access to systems are changing as new employees are hired, others change roles and carry inherited rights with them, and others leave the organization. Transactions and vendors are changing. The pace of change in business today requires new approaches to control automation.

The past involved random sampling, an approach that is dated and out of step with the dynamic nature of business today. Random sampling and monitoring of controls only cover a small fraction of the configuration, master data, segregation of duties/access rights, and transaction controls in the environment. Manual control monitoring built on random sampling leaves the organization with a false sense of control, when the reality is that there can be significant control issues that expose the organization to malicious and inadvertent events.
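The full-population alternative, as an added example that is not code from this post, from Greenlight Technologies or from GRC 20/20: a small segregation-of-duties (SoD) checker in Python that resolves role inheritance (the "inherited rights" problem above), evaluates every user against every SoD rule, records which role chain granted each conflicting entitlement, and then measures how often a random sample of users would surface the same conflicts. The role model, SoD rules, user population and sample sizes are all constructed for illustration.

```python
"""Added example (not Greenlight or GRC 20/20 code): continuous SoD checking
over the whole user population, with role inheritance resolved, versus the
random-sampling approach. Standard library only; all data is constructed."""
import random

# Constructed role model: each role grants entitlements directly and may inherit other roles.
ROLES = {
    "AP_CLERK":        {"grants": {"AP_ENTER_INVOICE"}, "inherits": set()},
    "AP_VENDOR_ADMIN": {"grants": {"AP_CREATE_VENDOR", "AP_CHANGE_VENDOR_BANK"}, "inherits": {"AP_CLERK"}},
    "AP_APPROVER":     {"grants": {"AP_APPROVE_PAYMENT"}, "inherits": set()},
    "AP_MANAGER":      {"grants": set(), "inherits": {"AP_VENDOR_ADMIN", "AP_APPROVER"}},  # toxic by inheritance
    "HR_ADMIN":        {"grants": {"HR_CHANGE_EMPLOYEE_BANK"}, "inherits": set()},
    "PAYROLL_RUN":     {"grants": {"PAYROLL_EXECUTE"}, "inherits": set()},
    "READ_ONLY":       {"grants": {"REPORT_VIEW"}, "inherits": set()},
}

# Constructed SoD ruleset: entitlement pairs one identity must never hold together.
SOD_RULES = {
    "SOD-01": ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),       # create a fake vendor and pay it
    "SOD-02": ("AP_CHANGE_VENDOR_BANK", "AP_APPROVE_PAYMENT"),  # redirect a real vendor's payment
    "SOD-03": ("HR_CHANGE_EMPLOYEE_BANK", "PAYROLL_EXECUTE"),   # redirect payroll
}


def effective_entitlements(role_names, roles=ROLES):
    """Expand role inheritance transitively. Returns {entitlement: role chain it came through}."""
    result, seen = {}, set()
    stack = [(r, (r,)) for r in role_names]
    while stack:
        role, path = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        for ent in roles[role]["grants"]:
            result.setdefault(ent, path)
        for parent in roles[role]["inherits"]:
            stack.append((parent, path + (parent,)))
    return result


def sod_violations(assignments, rules=SOD_RULES, roles=ROLES):
    """Full-population check: every user against every rule, with the granting role chains."""
    findings = []
    for user, role_names in assignments.items():
        ents = effective_entitlements(role_names, roles)
        for rule_id, (a, b) in rules.items():
            if a in ents and b in ents:
                findings.append({"user": user, "rule": rule_id, "via": {a: ents[a], b: ents[b]}})
    return findings


def build_population(n_users, seed=3):
    """Constructed population: one clean role per user, plus three planted conflicts
    (a direct pair, one hidden behind AP_MANAGER inheritance, one cross-domain)."""
    rng = random.Random(seed)
    clean = ["AP_CLERK", "AP_APPROVER", "HR_ADMIN", "PAYROLL_RUN", "READ_ONLY", "AP_VENDOR_ADMIN"]
    assignments = {f"u{i:04d}": {rng.choice(clean)} for i in range(n_users)}
    assignments["u0007"] = {"AP_VENDOR_ADMIN", "AP_APPROVER"}
    assignments["u0042"] = {"AP_MANAGER"}
    assignments["u0310"] = {"HR_ADMIN", "PAYROLL_RUN"}
    return assignments


def sampled_detection_rate(assignments, sample_size, rounds=200, seed=11, rules=SOD_RULES):
    """How often a random sample of users surfaces at least one SoD violation."""
    rng = random.Random(seed)
    users = sorted(assignments)
    hits = 0
    for _ in range(rounds):
        sample = {u: assignments[u] for u in rng.sample(users, sample_size)}
        hits += bool(sod_violations(sample, rules))
    return hits / rounds


if __name__ == "__main__":
    population = build_population(500)
    for f in sod_violations(population):
        print(f"{f['user']} violates {f['rule']}: " +
              ", ".join(f"{ent} via {' > '.join(chain)}" for ent, chain in f["via"].items()))
    for size in (25, 50, 100):
        print(f"sample of {size}/500 users finds a violation in "
              f"{sampled_detection_rate(population, size):.0%} of rounds")
```

Three of 500 users hold a toxic combination, one of them only through AP_MANAGER's inheritance. The full-population check finds all of them on every run and names the role chain to remediate; a 5% sample finds any of them in only a minority of rounds, which is the false sense of control the post describes. In a real deployment the assignments would be pulled from the identity provider or ERP on every change event rather than constructed, and the rule set would be the organization's own.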

Random sampling of controls results in . . .

[This is continued as a guest blog by Michael Rasmussen of GRC 20/20 on the Greenlight Technologies blog]

Don’t miss the upcoming Webinar How to Achieve an Integrated & Continuous Approach to Managing Controls on March 4th. Click here for more information and to register.


Managing Risk in Dynamic & Distributed Business

Organizations are dynamic and distributed. They are changing minute-by-minute and second-by-second. That is challenging many risk management programs, and the complexity of distributed business adds further chaos and makes risk management very complicated. There is no such thing as a purely brick and mortar business anymore; organizations are not defined by employee relationships alone. Half of an organization’s ‘insiders’ are now third parties.

I recently was having a conversation with risk, compliance, and legal management at a global manufacturer (about 200,000 employees). Their challenge was managing risk in a distributed and dynamic business. They described how what used to be thought of as an inside risk now extends across a web of third-party relationships. Policies that used to be just for employees now have impact and governance over a range of individuals from third-party relationships that work with and interact with the organization’s internal processes (e.g., outsourcers, suppliers, service providers, contractors, consultants, temporary workers).

I also recently talked to a global European bank that is looking at requiring every individual in their data centers to go through the same GDPR policies and training as employees do. Most of the individuals in their data centers are third parties.

Risk management is not just about the back office of the chief risk officer; it is also about the front lines of the business that take and manage risk every day in their jobs. Risk management is not only about the traditional brick and mortar business but also about the extended enterprise and the nested relationships of risk that expose the business and can hinder it from achieving objectives (or help it).

Organizations need to think holistically about risk management and adapt their programs to the dynamic and distributed business of today. They need to align and integrate risk management with strategic planning, objectives, and performance while still having visibility into risk deep in the organization’s processes and relationships. In essence, organizations need a 360° contextual view of risk in the organization, in the context of both strategy and operations. This requires a top-down view of risk as well as a bottom-up view of risk. It also requires quantitative risk analytics that bring value and order to qualitative methods (which still have their use). It requires right-brain creative, out-of-the-box thinking about risk as well as left-brain analytical and model-based thinking about risk.

I will be interacting on next-generation risk management as it transcends the enterprise at the following upcoming events:

Upcoming Risk Events & Interactions

Roundtable Discussion & Coffee in London 

Third Party GRC Management by Design Workshops 

Risk Management by Design workshops are:

Policy Management by Design workshops are:

  • Chicago, Policy Management by Design, April – details forthcoming
  • New York, Policy Management by Design, April 28th
  • London, United Kingdom, Policy Management by Design, June – details forthcoming

Upcoming Risk Conferences . . .

  • Zurich, Switzerland, RiskIn, May 13th to 15th

Upcoming Webinars . . .


7 Habits of a Highly Effective Privacy Compliance Program

Privacy has become a front-and-center compliance risk in organizations around the world. GDPR (Europe), CCPA (California), APP (Australia), PIPEDA (Canada), PDO (Hong Kong), PIPA (Japan), ECTA (South Africa) … the world of privacy compliance is like a bowl of alphabet soup, and this list only highlights some of the many privacy regulations bearing down on organizations.

The challenge with privacy compliance is that business is dynamic. It changes minute by minute and second by second. Personal data is pervasive across the data and processes of an organization (e.g., employee data, customer data, and sales data). You may have been on top of your privacy obligations at the end of 2019, but the organization has changed significantly over the past few weeks and now also has CCPA compliance to worry about. Processes have changed, the business has changed, employees have changed, third parties have changed, your customers have changed.

Privacy compliance management has to be continuously managed and monitored in organizations. It is not a point in time effort but one that has to be addressed in the context of continuous organizational change. Privacy compliance is about identifying and mitigating the compliance, brand, and business risks associated with processing personal data. It is about managing risks across the full lifecycle of data in an organization and its web of processes, transactions, relationships, and interactions.

Here are 7 habits of highly effective privacy compliance programs to help keep you on track:

1. Appoint . . .

[this is a guest blog by GRC 20/20’s Michael Rasmussen published on the Mitratech blog. The rest of the blog can be read at the link below]


UK SMCR: Trekking Up the Mountain

The importance of stages

Climbing a mountain like Mount Everest is not done haphazardly. It takes careful planning and an organized route. It also involves breaking the trek up the mountain into stages. One does not simply run up Mount Everest. You climb a mountain like Everest too quickly . . . you die. Tackling a trek up a large mountain is broken into stages that are manageable and allow for proper recovery and review of plans before the next ascent.

The same approach is done with a significant regulation, like UK SMCR in the financial services industry. UK SMCR is a significant shift in accountability, communications, attestation, and certification of staff in a financial services organization. As with other significant regulations, financial services firms are tackling UK SMCR in stages.

Beginning your SMCR journey

The first stage of the UK SMCR trek was mapping and aligning senior management functions in the organization. This was foundational and like getting to the first base camp of the UK SMCR Everest. You cannot manage accountability and certification if you do not have the responsibility maps and roles defined.

The run up to the 9th of December 2019: SMCR implementation date

The second stage of UK SMCR climb was to . . .

[this is a guest blog by GRC 20/20’s Michael Rasmussen published on the SureCloud blog. The rest of the blog can be read at the link below]


Third Party GRC vs Third Party Risk Management

Business is No Longer Brick & Mortar Walls

I was recently talking to a global manufacturer about the challenges they face in defining their organization. The challenge is that there are no more brick and mortar walls that define the organization. Their organization, like yours, is a web of third party relationships. In many areas, these relationships are further complicated as they nest themselves in other relationships in deep supply chains and subcontractors. What used to be thought of as an internal risk within the traditional brick and mortar walls of this global manufacturer is now extended across an array of relationships in the extended enterprise.

However, as we were talking, it became clear that it is not just about risk management. The organization has to ensure that these extended enterprise relationships share the same values and commitments to integrity that define the core organization, the global manufacturer. It also has to ensure that each of these relationships is meeting the objectives that the relationship is in place for. This gets further complicated where the organization has to manage performance/objectives, risk, and compliance not only at the relationship level but also at the contract, facility, and/or service level.

One financial services firm stated that it cannot simply manage a service provider/outsourcer relationship at the relationship level but needs to understand the details at each contract/service level of the relationship. It might have one relationship but 100 contracts/service levels within that relationship. It needs to manage how each contract is performing and the unique risks that each contract carries.

I sat on the social accountability advisory firm for one Fortune 100 firm that was managing international labor standards across 5,000 suppliers. However, these 5,000 suppliers had an aggregate of 20,000 facilities. Social accountability could not simply be managed at the relationship level of each supplier but had to extend into each facility servicing this global firm.

However, Organizations Focus on Third Party Risk Silos

The challenge is that many organizations approach third party risk management in isolated silos. The IT security team has its process and technology focused on security. Corporate compliance and ethics are concerned about anti-bribery and corruption and have their own processes for managing this in third party relationships. Then other departments such as quality, environmental, health and safety, EST/CSR, and others have their own siloed processes to govern relationships. The result is that no one sees the full spectrum of risk and exposure in these relationships. Each area may have some concerns about a relationship, but within its silo the concern is not big enough to act on. If the concerns across the silos monitoring that one relationship were aggregated, alarms should be going off.

However, what is often missing is the governance of these relationships. As organizations focus on the silos of risk, they often forget to put in context how these third party relationships are delivering on the performance and objectives of the relationship.

It Is Time to Move to Third Party GRC

It is time for organizations to stop thinking about Third Party Risk Management and start doing Third Party Governance, Risk Management, and Compliance (GRC). Third Party GRC is the capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE] in and across the web of the organization’s third party relationships in the extended enterprise (note: this is modified from the OCEG definition of GRC to fit Third Party GRC).

Think about it. Each relationship has a purpose; there would not be a relationship if there was no purpose for it. The organization needs processes in place to reliably achieve the objectives of the relationship – this is third party governance. Then the organization needs to manage the uncertainty in the relationship. Risk, according to ISO 31000, is the effect of uncertainty on objectives. The organization has to monitor and manage the uncertainty/risk in meeting the objectives of the relationship. Then the organization needs to ensure integrity in the relationship: that the compliance requirements, values, and ethics are in place and aligned with the organization’s own.

These are three legs of one stool, and all are needed. It is more than third party risk; that only gets you a partial view. Organizations need to start thinking of Third Party GRC when defining these programs.

Only a Few Solutions Deliver on Third Party GRC

I recently published my Third Party GRC Maturity Model. It breaks the measurement of maturity of an organization’s Third Party GRC program into 5 levels – Ad Hoc, Fragmented, Defined, Integrated, and Agile. The Ad Hoc stage is fire fighting and reactive. The Fragmented stage is manual processes at a department level. Defined is technology-enabled third party risk management at a department level. Integrated is an enterprise view of third party risk across departments. Agile is where we achieve Third Party GRC, as it looks at risk and compliance in context and in balance with the objectives and performance of each relationship.

From a technology perspective, there are many siloed, narrowly focused solutions that cover one area of third party risk and get an organization to the Defined stage. There are a handful of solutions that can take a broad view of third party risk across departments and get an organization to the Integrated stage. There are only a few solutions on the market that can truly deliver on Agile and bring an integrated view of objectives/performance in the context of the risk and compliance of each relationship.

Today’s business environment where the business has no boundaries and extends across an array of third parties necessitates that organizations start focusing on the Agile – Third Party GRC and not silos of third party risk management.

GRC 20/20 Third Party GRC Workshops

I will be teaching my Third Party GRC by Design workshops in the following cities in February. Registration is free but limited to those within organizations managing aspects of their third party relationships. In other words, it is not open to solution providers trying to sell products/services. Come join us . . .

Upcoming Risk Management by Design workshops are:

Upcoming Policy Management by Design workshops are:

  • Chicago, Policy Management by Design, April – details forthcoming
  • New York, Policy Management by Design, April 28th
  • London, United Kingdom, Policy Management by Design, June – details forthcoming

How Mature is Governance, Risk Management & Compliance (GRC) in Your Organization?

GRC maturity has evolved over the past fifteen years since OCEG first published the GRC Capability Model, and we have measured these changes along the way. In 2019 we conducted our fifth GRC Maturity Survey to determine how program design and confidence have changed. The survey has hundreds of participants from organizations of all sizes and types worldwide.

Do you know that:

  • Those with integrated GRC strategies are more confident in their business, their understanding of risk, and the impact of risk on performance
  • The level of GRC integration has steadily increased over the past several years
  • 93% of those with mature and integrated GRC strategies state it has met or exceeded expectations
  • Visibility into the business and its risks has increased for those with integrated GRC strategies

Join us for this webinar, where we review the current state and changes in maturity of GRC over time. Areas addressed include:

  • The level of integration of risk, compliance and performance activities and controls
  • The degree of confidence in ability to identify and manage risks and requirements
  • The use of technology to support GRC capability
  • GRC roles and organizational structures
  • Realized benefits of integrated capability and negative effects of siloed operations
  • Changes in findings from GRC Maturity Surveys across the years