Data Governance at the Heart of Effective AI Programs

As organizations increasingly integrate artificial intelligence (AI) into their operations, the importance of robust data governance cannot be overstated. Data GRC (Governance, Risk Management, and Compliance) forms the bedrock upon which effective AI programs are built. These frameworks ensure that data is managed properly, data objectives are achieved, uncertainty and risks are mitigated, and compliance is maintained so that the organization acts with integrity, all of which are crucial for the ethical and efficient use of AI.

Here are key data governance principles necessary for the successful deployment of AI programs in organizations . . .

[The rest of this blog can be read on the Archive360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]

The Vital Role of Third-Party Governance in Organization Integrity
The Interconnected Reality of Modern Business

The modern organization operates in an interconnected world as an extended enterprise. However, recent global disruptions have highlighted the profound impact these connections have on business operations. This has underscored a vital lesson: the importance of relationships in defining business success.

Martin Luther King Jr. famously said, “Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.”

This principle applies not only to personal relationships but also to the intricate web of third-party relationships that sustain modern enterprises. Today’s businesses are no longer confined by physical walls or traditional employee structures. Instead, they are supported by an extensive network of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, and more. This is the extended enterprise.

Governance and Corporate Integrity

The ability of a business to achieve its objectives is closely tied to how well it governs its third-party relationships. Effective third-party governance ensures that an organization can manage risks and maintain resilience. The integrity of an organization, including its compliance with regulations, commitments, and core values, is also reflected in the integrity of its third-party relationships.

The old adage, “Show me who your friends are, and I will tell you who you are,” rings true in the business context: show me your third-party relationships, and I will tell you who you are as an organization. Modern businesses are defined by their ability to manage and govern third-party relationships. This ensures that the organization can reliably achieve its objectives, manage uncertainty/risk, and act with integrity across the extended enterprise.

Modern businesses face numerous risks stemming from their third-party relationships. These risks highlight the interconnectedness of today’s global business environment:

  • Resilience. Disruptions in the operations of service providers and outsourcers can significantly impact an organization’s ability to deliver goods and services. For example, supply chain disruptions can halt production, and service outages can affect customer satisfaction and business continuity. In the context of IT risk, as organizations increasingly rely on digital tools and remote work, the risk of cyber breaches grows. Third parties may introduce vulnerabilities through their IT infrastructure, potentially compromising sensitive company data.
  • Integrity. Rapidly changing business environments can strain controls over third-party relationships. This increases the risk of unethical behavior, such as fraud and corruption. Effective governance frameworks are essential to maintain high standards of conduct and compliance. Global supply chains often extend into regions with varying labor standards. Organizations must ensure that their third-party relationships uphold human rights, avoiding issues like forced labor, poor working conditions, and child labor.

These risks must be managed within the complex web of interconnections that define the modern organization. For instance, a disruption in one part of the supply chain can cascade, affecting numerous other areas and ultimately impacting the organization as a whole.

In response to these challenges, organizations are focusing on several strategic trends to enhance third-party governance, risk management, and compliance (third-party GRC):

  1. Integrity & ESG. Companies are re-evaluating their core values, ethics, and standards of conduct and extending these principles across third-party relationships. This includes a strong emphasis on ESG, including human rights, privacy, environmental standards, and security.
  2. Resilience. Maintaining operations amid uncertainty requires a comprehensive understanding of third-party relationships and their performance in the context of risk. Organizations need a holistic view of GRC within each relationship.
  3. Governance. Clear governance of third-party relationships is crucial. This involves defining and managing the objectives and sub-relationships, such as contracts and service levels, to ensure risk and uncertainty are controlled effectively.
  4. Federated Approach. Moving away from siloed operations, organizations are adopting a federated strategy for third-party governance. This ensures collaboration across departments like procurement, information security, compliance, and ethics, facilitating consistent management practices.
  5. Integration. To support a federated strategy, organizations are redesigning their technology and information architectures. This involves creating systems that can manage diverse third-party governance needs and integrate seamlessly with existing ERP and procurement systems.

Implementing Effective Third-Party Governance

To address these strategic trends, organizations must implement comprehensive third-party GRC programs. These programs should include:

  • Due Diligence. Conduct thorough due diligence on third parties before entering into relationships. This includes assessing their financial stability, compliance history, and ethical standards.
  • Continuous Monitoring. Implement ongoing monitoring of third-party performance and risks. Use technology to track changes in risk profiles and compliance statuses in real-time. This requires third-party risk intelligence.
  • Incident Management. Develop robust incident management protocols to respond quickly to any issues that arise in third-party relationships. This includes having clear communication channels and predefined response strategies.
  • Training and Awareness. Ensure that both internal employees and third-party partners are well-trained on policies and practices. Regular training sessions and awareness programs can help maintain high standards across the extended enterprise.
  • Collaborative Platforms. Use third-party risk management platforms to facilitate communication and coordination between different departments involved in third-party governance. This promotes a unified approach and helps break down silos.

The end game is that organizations need a complete view of what is happening with third-party relationships. This contextual awareness requires that third-party management have a central nervous system that captures signals from assessments and from changing risks and regulations, and then interprets and analyzes them to build holistic awareness of risk in the context of third-party relationships.

As my mother used to say, “You will be known by who your friends are.” In the world of business, our third-party relationships define us. Addressing third-party risk is not just about risk management; it’s about upholding corporate integrity and ensuring that our business practices reflect our core values.

GRC 20/20 is facilitating Third-Party Risk Management By Design Workshops in:

GRC After Hours: Star Trek Edition

Boldly Going Where No GRC Professional Has Gone Before

My latest episode of “GRC After Hours” has been released. In this episode, we cleverly marry the adventurous spirit of Star Trek with the pragmatic world of governance, risk, and compliance (GRC). Captain James T. Kirk’s assertion from Season 2, Episode 20 of the Original Series, “Risk! Risk is our business!” sets the stage. This sentiment encapsulates the essence of the discussion: just as the Starship Enterprise embarks on daring missions into uncharted territories, modern organizations must navigate the complex frontier of GRC, facing risks head-on with innovation and strategic foresight.

Join me as I sit down with a glass of whiskey with Sam Abadir and John Michelsen of Krista.ai to discuss AI, GRC, and the iconic Star Trek franchise. We boldly explore strange new worlds in GRC that involve:

  • Exploring the Final Frontier: AI in GRC. The episode delves into how artificial intelligence (AI) is revolutionizing the GRC landscape. Sam Abadir and John Michelsen discuss the role of AI technologies like Krista AI in transforming GRC tasks from mundane to strategic. AI’s ability to automate compliance monitoring and risk assessments is likened to the Enterprise’s computer, capable of processing vast amounts of data and making recommendations in real-time. This technological leap enables organizations to shift from reactive to proactive stances, anticipating risks before they materialize, much like the predictive capabilities seen on the bridge of the Enterprise.
  • Universal Translators for Compliance: Multilingual and Multiregional Challenges. Navigating the complexities of global compliance is akin to the Enterprise crew interacting with diverse alien cultures, each with its own language and customs. The speakers highlight how AI can break down linguistic and regulatory barriers, ensuring that GRC strategies are adapted appropriately across different jurisdictions. This segment emphasizes the importance of technology in managing the intricacies of multinational compliance, drawing parallels to the universal translator device in Star Trek that facilitates communication between disparate species.
  • Red Alert: Crisis Management in the GRC Enterprise. Drawing on Star Trek’s frequent crisis scenarios, the discussion pivots to crisis management within organizations. The ability of the Enterprise crew to swiftly mobilize resources and coordinate responses during emergencies serves as a model for GRC professionals. The use of AI can significantly enhance this capacity, providing tools that quickly aggregate data, assess risks, and propose actionable solutions, thereby reducing the time between crisis detection and response.
  • The Prime Directive: Ethical AI in GRC. Ethics in AI usage takes center stage as the speakers address the potential perils and promises of AI in GRC. Just as Star Trek’s prime directive governs the exploratory protocols of the Federation, ensuring non-interference with alien civilizations, organizations must develop ethical guidelines to govern their use of AI. This ensures technologies are used responsibly, transparently, and in alignment with organizational values and societal norms.
  • Star Trek or Blade Runner: Envisioning the Future of GRC. In the concluding segment, the future of GRC and its intersection with AI is envisioned not as a dystopian Blade Runner scenario but as a Star Trek-like advancement where technology supports societal improvement and ethical governance. The discussion speculates on how the integration of AI into GRC can lead to a more efficient, just, and risk-aware organizational culture, much like the cooperative and optimistic future portrayed in Star Trek.

This episode not only entertains with its Star Trek analogies but also provides deep insights into how GRC professionals can leverage AI to navigate the complexities of modern risk management and compliance. It encourages viewers to think of GRC not as a static set of rules and procedures but as a dynamic field that, with the aid of AI, can explore new realms of efficiency and strategic impact.

The fusion of Star Trek’s adventurous narratives with the detailed discussions of GRC creates a compelling vision for the future of governance, risk, and compliance. As organizations continue to explore this final frontier, the principles discussed in this episode will serve as a guide to managing the unknown with courage, innovation, and ethical responsibility.

Join GRC 20/20 for these Upcoming Related Webinars on this subject . . .

May 22 @ 12:00 pm – 1:00 pm EDT

June 6 @ 11:00 am – 12:00 pm EDT

The Mystery House of Third-Party Risk Management

Imagine a house built over 38 years, involving 147 different builders, without a clear design, blueprint, or architect. This might sound like an absurd way to build a home, but this is precisely what happened with the Winchester Mystery House. The resulting structure is a labyrinth of rooms, staircases leading to nowhere, and an overall confusing layout that leaves visitors baffled.

Unfortunately, this chaos is not unique to the Winchester Mystery House—it mirrors the typical organization’s approach to third-party risk management. In many organizations, third-party risk oversight is fragmented into isolated silos, resulting in a bewildering landscape of uncoordinated efforts. Over the last 38 years, organizations have had 147 different builders of third-party risk management with no design, no blueprint, and no architect. The result is a mess of confusion. The Winchester Mystery House serves as a cautionary tale, emphasizing the need for organizations to step back and design a cohesive, federated approach to third-party governance and risk management.

The Interconnected Modern Organization

In today’s business landscape, no organization is an island. Modern organizations are interconnected webs of relationships, spanning across suppliers, vendors, outsourcers, service providers, and more. The extended enterprise demands that businesses govern these relationships effectively, as third-party problems can quickly become organizational problems.

Fragmented third-party risk management through disconnected department silos leads organizations to inevitable failure. The lack of coordination, reactive processes, and scattered information blinds organizations to the risks and compliance exposures within their third-party relationships. Silos hinder the ability to see the big picture and address the complexity of the modern third-party ecosystem.

Much like the Winchester Mystery House, an organization that builds its third-party risk management without a cohesive design ends up with a confusing, inefficient, and ineffective system. Organizations face:

  1. Growing Risk and Regulatory Concerns: With inadequate resources, organizations struggle to monitor third-party risks and regulations, leading to finger-pointing and inefficiencies.
  2. Interconnected Third-Party Risks: Risks in one area can cascade into significant issues when not managed holistically.
  3. Silos of Third-Party Oversight: Different departments manage third-party governance independently, lacking coordination and visibility.
  4. Document and Email-Centric Approaches: Governing third-party relationships through documents, spreadsheets, and emails is prone to failure and inefficiency.
  5. Non-Integrated Legacy Technologies: Disconnected legacy systems limit the ability to govern third-party relationships effectively.
  6. Focus on Onboarding Only: Many organizations focus on onboarding but neglect ongoing monitoring and assessment.
  7. Inadequate Change Management: Organizations struggle to govern third-party relationships amid constant change.

Third-Party GRC Management by Design: From Chaos to Clarity

A mature third-party GRC (governance, risk management, and compliance) management program delivers effectiveness, efficiency, resilience, and agility by connecting the enterprise, business units, processes, and information. A federated approach aligns third-party governance, risk management, and compliance with organizational objectives and strategy.

A federated third-party risk management program begins with a strategic plan, connecting key business functions through a common framework and policy. Organizations should focus on critical elements such as understanding third-party relationship objectives and performance in the context of risk. It is necessary to know who you do business with, keep information current, and have structured oversight, policies, assessment, monitoring, controls, and inspections of third-party risk across the lifecycle from onboarding through ongoing monitoring to offboarding.

This requires an integrated third-party risk management strategy and process that is supported by robust third-party risk intelligence/content integrated into a third-party risk management platform that can be used across departments/functions that have a stake in third-party governance.

The Winchester Mystery House serves as a cautionary tale for organizations that approach third-party risk management without a cohesive design. By designing a federated approach to third-party risk management, organizations can avoid the pitfalls of silos and create a cohesive, effective system. A federated approach enables organizations to be aware, aligned, responsive, and agile in managing third-party relationships, ensuring they achieve objectives, manage uncertainty, and act with integrity.

GRC 20/20 is facilitating Third-Party Risk Management By Design Workshops in:

Overcoming Challenges in Risk & Resilience Management

GRC 20/20’s Michael Rasmussen will explore the following challenges, trends, and best practices in the upcoming webinar: Navigating Uncertainty and Chaos: Key Trends in Risk and Resilience Management

In today’s rapidly evolving business landscape, organizations face an array of complex challenges. They operate in environments that are inherently complex, dynamic, distributed, and frequently disrupted by various internal and external factors. Amidst this uncertainty, effectively managing risk and building resilience has become imperative for organizational success.

As defined by ISO 31000, risk is the effect of uncertainty on objectives. To manage risk effectively, organizations must adopt a holistic approach encompassing a top-down strategic view aligned with objectives and a bottom-up operational perspective embedded within processes and activities. This aligns with the OCEG definition of GRC where GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].

Today’s organization needs to be agile in managing risk and its impact on the organization’s objectives from the moment it is developing on the horizon, as well as resilient in recovering from risk events when they materialize.

However, the modern organization faces many challenges in addressing an integrated risk and resilience management approach. These include:

  1. Lack of Risk Agility. Organizations often struggle to respond promptly to emerging risks due to rigid processes and hierarchies. Failure to adapt quickly to changing circumstances can lead to missed opportunities or unanticipated threats.
  2. Fragmented & Inaccurate Risk Data. Siloed data across disparate systems makes it challenging to obtain a comprehensive view of risks. Inaccurate or outdated data undermines the reliability of risk assessments and decision-making processes.
  3. Limited Visibility. Limited visibility into interconnected risks and dependencies hampers the ability to anticipate and mitigate potential impacts. Organizations are vulnerable to cascading failures without a clear understanding of the full risk landscape.
  4. Inefficient Manual Risk Processes. Manual and disjointed risk management processes result in inefficiencies and delays. These processes are encumbered by hundreds or thousands of out-of-sync documents, spreadsheets, and emails. The lack of automation and standardized workflows impedes timely identification and response to risks.
  5. Inadequate Risk Reporting. Traditional risk reporting methods often fail to provide actionable insights or meaningful context. Poorly structured reports obscure critical risk information and hinder informed decision-making.
  6. Limited Scalability. Scalability challenges arise when existing risk management practices cannot accommodate growth or organizational changes. Scaling risk management efforts across multiple business units or geographies becomes increasingly complex.
  7. Resource Intensiveness. Resource constraints, both in terms of personnel and technology, hinder effective risk management efforts. Limited resources result in suboptimal risk mitigation strategies and increased vulnerability.
  8. Ineffective Collaboration. Siloed organizational structures and cultural barriers inhibit collaboration and information sharing. Lack of cross-functional collaboration undermines the ability to identify and address systemic risks.
  9. Resilience Planning Gaps. Inadequate focus on resilience planning leaves organizations vulnerable to disruptions. Failure to anticipate and prepare for potential risk events can lead to significant operational disruptions and financial losses.
  10. Difficulties in Business Change Management. Resistance to change and organizational inertia pose challenges to keeping risk current as the business evolves.

To address these challenges, organizations must bring risk and resilience management together in an integrated function as part of a broader GRC strategy. This function should be focused on enabling the organization to reliably achieve objectives in the midst of risk and uncertainty.

This requires a unified view of risk information and processes that deliver greater efficiency, effectiveness, resilience, and agility. By centralizing risk management functions and integrating risk accountability throughout all levels of the organization, organizations can achieve a more holistic understanding of risks and opportunities.

Leveraging technology solutions such as advanced analytics, artificial intelligence, and automation can enhance risk agility and enable proactive risk management strategies. Ultimately, a comprehensive risk and resilience management approach empowers organizations to navigate uncertainty with confidence, proactively prepare for potential risks, and effectively respond to disruptions when they occur.

Enabling Enterprise Endurance: Risk Agility & Resilience

Before COVID, I ran several Spartan races. The challenge of being outdoors and running down the trail while overcoming obstacles to finish the race . . . what a rush! The final accomplishment of achieving the objective of the finish line by leaping over the fire is an accomplishment.

In the ever-evolving landscape of uncertainty in achieving business objectives, organizations are like endurance athletes on a rugged trail encountering obstacles. Each turn and dip holds potential risks—yet also opportunities. The athlete’s dual objectives of maintaining speed while avoiding missteps mirror the organizational imperative of risk agility and resilience. This analogy paints a vivid picture of the strategic approach necessary for navigating today’s business environment to achieve objectives and sets the stage for a deeper understanding of integrating resilience (formerly business continuity) into risk management as part of a broader integrated GRC (governance, risk management, and compliance) strategy.

The Trail Ahead: Navigating with Agility

Imagine an athlete traversing a complex trail network with obstacles. Their success hinges on their ability to quickly perceive changes in the terrain and adjust their path accordingly. Similarly, organizations must cultivate risk agility: the capability to rapidly identify and react to risks as they arise on the horizon and plan on the best approach. This agility is crucial in avoiding potential pitfalls and capitalizing on opportunities swiftly. What is developing on the horizon may very well be a hazard, or it could be an opportunity, and perhaps both.

The foundation of risk agility lies in the organization’s ability to gain a holistic view of its risk landscape and understand scenarios on what is developing on the horizon. Modern businesses operate in a dynamic environment where risks such as market volatility, technological disruptions, economic uncertainty, and geopolitical shifts can arise suddenly and with little warning. Organizations that continuously monitor these horizon risks and opportunities can adapt their strategies proactively rather than reactively to achieve their objectives. For instance, a company might use predictive analytics to detect emerging market trends and technological innovations, allowing it to pivot its operations to exploit new market opportunities or mitigate potential disruptions from competitors. Scenario analysis, simulations, and table-top exercises are critical to navigating uncertainty/risk.

Staying the Course: The Resilience to Recover

No matter how agile an athlete—or an organization—might be, missteps are inevitable. Resilience is the ability to recover quickly from these setbacks, whether they are minor or catastrophic. For businesses, this means having systems and processes that can absorb the impact of a risk event and quickly return to normal operations or, in some cases, a new, more effective operational state. Organizations need strategic and operational intelligence on how the business operates and recovers.

Resilience in business is multifaceted, involving financial stability, operational redundancy, and a strong organizational culture that can withstand and adapt to challenges. For example, a multinational corporation might have backup supply chains to ensure continuity in the face of regional disruptions, such as what we are seeing on the Eastern seaboard of the USA with the bridge collapse in Maryland. Similarly, fostering a culture that encourages rapid problem-solving and adaptation among employees can enhance an organization’s ability to stabilize operations during and after a crisis.

From Continuity to Resilience: The Evolution of Strategy

The evolution from business continuity planning to operational resilience marks a significant shift in organizational strategy. Traditional business continuity focuses on recovery and restoration of operations post-disruption. In contrast, operational resilience is an ongoing strategy that integrates risk and resilience management into the very fabric of business operations, aiming not just for recovery but for continuous operation under adverse conditions.

This strategic shift requires organizations to rethink their approach to risk. It involves integrating risk management with strategic planning processes, ensuring that potential risks are considered in decision-making at all levels. It also means investing in technology that can provide comprehensive risk intelligence, such as systems that offer real-time insights into global operations, supply chains, and market conditions.

Implementing a Holistic Approach: Strategy, Process, Intelligence, and Technology

Achieving risk agility and resilience necessitates a concerted effort across four domains: strategy, process, intelligence, and technology.

  1. Risk & Resilience Management Strategy. First, the strategy must align with the organization’s long-term goals and include a clear framework for risk and resilience management. This strategic alignment ensures that every part of the organization understands its role in mitigating risks.
  2. Risk & Resilience Management Processes. Second, processes must be designed to support agile and resilient operations. This involves creating standard operating procedures that include risk assessments, scenario analysis, response protocols, and continuous learning cycles where insights from past incidents are used to strengthen future resilience.
  3. Risk & Resilience Management Intelligence/Information. Third, strong risk and resilience intelligence enables the strategy and process. This is the ability to take in feeds of information on geo-political risk, market/economic risks, uncertainty, supplier and vendor alerts, and more. The organization needs complete 360° situational awareness, which requires intelligence feeds.
  4. Risk & Resilience Management Technology. Finally, technology is crucial in enabling risk agility and resilience management. Advanced data analytics, artificial intelligence, and machine learning can provide organizations with the tools to predict, detect, and respond to risks in real-time. These technologies also support decision-making processes, ensuring that data-driven insights are available to guide strategic choices and provide structured workflow, accountability, reporting, and dashboards.

Conclusion: Leading the Race with Agility and Resilience

Just as an endurance athlete relies on both agility to navigate the trail ahead and resilience to overcome the inevitable falls, modern organizations must integrate these capabilities into their GRC strategies, embedding resilience in enterprise risk management. The journey from traditional business continuity to operational resilience is complex and challenging but ultimately rewarding, and it becomes part of enterprise risk management that flows into the broader GRC, which enables an organization “to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance].” By fostering a culture of continuous adaptation and learning, organizations can not only survive but thrive in the face of uncertainty, and even thrive on risk. This requires a comprehensive approach that blends strategic foresight with robust processes and cutting-edge technology, ensuring that the organization remains competitive and capable of overcoming any obstacle in its path.

Navigating Uncertainty and Chaos: Key Trends in Risk and Resilience Management

In the complex and dynamic world of modern business, the simplicity of past operational practices has been replaced by a landscape where understanding and managing interconnected objectives, risks, and resilience is critical. Organizations must cultivate a comprehensive, 360° awareness of risk and resilience, recognizing the intricate interplay between objectives, risks, processes, and controls. Traditional, siloed approaches fall short, leading to fragmented insights and an inability to see the broader enterprise picture, impacting strategies and objectives.

Risk and resilience management cannot be . . .

We will go into detail on these trends in the upcoming webinar, Navigating Uncertainty and Chaos: Key Trends in Risk and Resilience Management, taking place on Wednesday, May 1 at 9:00 am CT. Reserve your spot today.

[The rest of this blog can be read on the Fusion Risk Management blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Next Generation GRC: Business Integrated/Aligned GRC

In the ever-shifting terrain of the business world, where unpredictability, risk, and disruption are the only constants, organizations are pushed to find stability and success in achieving their objectives. It’s a high-stakes game of chess where unseen forces can influence every move. Governance, Risk Management, and Compliance (GRC), done properly, is an integrated capability that guides organizations to reliably achieve objectives, navigate the volatility of uncertainty, and act with integrity.

The Open Compliance and Ethics Group (OCEG) has crafted a definition of GRC that succinctly encapsulates this mission: “GRC is a capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance].” This definition resonates with ISO 31000’s description of risk management: “Risk is the effect of uncertainty on objectives.”

However, in the past, too often, GRC has been more CRG, or just CR, or just C. Organizations focus on compliance and not what true GRC, as it has been defined for the past 22 years, aims for: a better-run business.

This backdrop sets the stage for what we know as “GRC 6.0: Business Integrated & Aligned GRC”—the enablement of an organization’s capability to absorb shock and drive performance. This approach isn’t just about meeting compliance requirements but embedding the essence of GRC into the very fabric of business processes, thus enabling an organization to dance in rhythm with the dynamic beat of the market.

Business Integrated GRC draws its lineage from GRC 4.0 Agile GRC—characterized by its adaptable low-code/no-code GRC solutions—and the analytical prowess of GRC 5.0 Cognitive GRC, which extends Agile GRC with artificial intelligence. With the dawn of the 6th generation, we are witnessing an era where GRC is no longer an add-on but a core aspect of business strategy and execution.

Consider the analogy of a symphony orchestra I have used before, where each section—strings, brass, woodwinds, and percussion—plays a vital role in a harmonious performance. Strategy, objectives, and performance management form the conductor, orchestrating the overall vision, aligning risks with organizational goals, and monitoring performance while ensuring each section plays its part to act with integrity/compliance. This is coordinated across departments but also involves a GRC architecture (GRC 3.0) that can have a central platform yet integrates and allows best-of-breed point GRC solutions to provide their deeper value.

The woodwinds—an organization’s subtle yet crucial tones—are akin to Business Process Modeling & Enterprise Architecture, which are critical for understanding the business and, in that context, how the business operates. These are essential components of GRC that enable greater risk agility and resilience. Here, we define and construct the processes, ensuring they are robust yet flexible enough to incorporate risk and controls elegantly.

Business Management Platforms are the strings section, the foundation that allows complex compositions to be executed seamlessly, ensuring that GRC is woven into the notes composing the business’s daily operations, activities, transactions, and relationships. GRC should be baked into business processes and activities.

And what about the percussion—the heartbeat of the orchestra? This represents our Top-Down and Bottom-Up Risk Alignment, ensuring that every beat resonates from the boardroom to the front lines, each thump echoing the organization’s risk profile. This brings rhythm to the organization, like ancient war galleys beating the drum to keep the rowers of the boat synchronized and moving forward.

Automating business controls within business processes enhances this further, introducing the precise tempo, like a metronome, that maintains the cadence of compliance and integrated controls without missing a beat.

Risk quantification, aggregation, and visualization in the context of the organization’s objectives become the meticulous tuner of the orchestra, ensuring each note played aligns with the key. It offers an objective measure of the impact of risk on performance and objectives.

This enables the organization to achieve greater levels of risk agility and resilience. It’s the organization’s ability to improvise when a surprise solo breaks in or when the composition changes mid-performance. It’s the agility to keep playing, to adjust and adapt, ensuring the music doesn’t stop, and the resilience to recover and bring it all back together.

Finally, engaging the right brain, not just the left brain, in GRC, and particularly in risk management, means engaging the creative maestro within, calling forth innovation in risk thinking, and weaving the artistic with the analytic to master the performance in the grand theatre of business objectives, strategy, and performance.

As we delve deeper into the 6th generation of GRC, we are not just integrating GRC into the business; we are making it the very essence of how business is conducted, ensuring that with every twist and turn, with every rise and fall, the organization not only survives but thrives, playing its symphony of success amidst the cacophony of the market.

The A.I. Wild West is Over: There is a New Law in Town, The EU AI Act

In a world reminiscent of the Wild West, where Artificial Intelligence (AI) roamed free and unbridled, businesses and organizations for the past few years have harnessed its power, at times haphazardly, to propel themselves into a future filled with promise and potential. 

However, the flip side of this unchecked freedom was a landscape riddled with risks – data privacy breaches, bias, opaque decision-making, and more. As the dust settles, a new sheriff has arrived – the EU AI Act, heralding an era of strict AI governance, what GRC 20/20 calls AI GRC (AI Governance, AI Risk Management, and AI Compliance), that requires extensive testing of AI systems, especially those considered high-risk.

OCEG defines GRC as “a capability to reliably achieve objectives, address uncertainty, and act with integrity.” Adapting this definition of GRC to address the specifics of AI GRC, AI GRC is the capability to reliably achieve the objectives of AI models and their use, address uncertainty and risk in the use of AI, and act with integrity in the ethical, legal, and regulatory use of AI in the organization’s context. 

The EU AI Act, much like the mythical lawmen of the 1800s, seeks to bring order to a chaotic frontier of AI use within organizations. Its scope extends beyond the borders of Europe, influencing global businesses that must respond to it. The implications are monumental, with the act imposing obligations on any entity operating within or dealing with the EU’s member states and its citizens. The most alarming of these is the potential fine for non-compliance, which can reach up to 35 million euros or 7% of global turnover, underscoring the act’s seriousness in enforcing responsible AI usage.

The EU AI Act categorizes AI systems based on the level of risk they pose, with “high-risk” AI systems receiving particular attention due to their potential impact on safety and fundamental rights. 

For these high-stakes scenarios, organizations must now ensure data quality, enhanced protection measures, and adherence to ethical standards. The act also bans specific uses of AI that are considered harmful, such as certain types of biometric identification and social scoring systems, bringing a more humane and ethical approach to AI development and deployment.

AI systems classified as high-risk encompass technologies used in various critical sectors:

  • Critical Infrastructures. Such as transport systems, where AI can significantly impact citizens’ safety and health.
  • Education and Vocational Training. For instance, AI that scores exams, potentially influencing educational paths and career trajectories.
  • Product Safety Components. For example, AI applications in robot-assisted surgery and medical devices.
  • Employment and Worker Management. Including CV-sorting software for recruitment, which can affect employment and self-employment opportunities.
  • Essential Services. Examples include AI in credit scoring that could deny loans to individuals.
  • Law Enforcement. AI systems that might infringe upon fundamental rights, such as tools evaluating evidence reliability.
  • Migration, Asylum, and Border Control. This covers AI tools like automated visa application processing.
  • Justice and Democratic Processes. AI systems used in searching for court rulings are examples here.

These high-risk AI systems are subject to stringent conditions before market release/use. This includes rigorous data management and documentation processes, high levels of transparency, and accountability to ensure that risks are managed effectively. The aim is to prevent or mitigate potential harms or violations of individual rights and freedoms arising from using AI in these critical areas. It reminds me of the testing and validation that has to be done in FDA-validated systems in life sciences. Organizations operating high-risk AI systems need to address:

  • Thorough AI risk assessment and mitigation strategies.
  • Assurance of high-quality datasets to minimize risk and avoid biased outcomes.
  • Comprehensive activity logs for result traceability and AI usage.
  • In-depth documentation for AI assessment and validation by authorities.
  • Clear, detailed information for AI users.
  • Measures for adequate human oversight of AI to reduce risk.
  • Exceptional robustness, security, and accuracy controls built into AI.

Then, there are limited-risk AI systems. The term “limited risk” in AI mainly pertains to transparency issues. The AI Act mandates explicit transparency obligations to ensure users are informed when interacting with AI systems, like chatbots, so they can make knowledgeable decisions. Moreover, providers must label AI-generated content, including texts, audio, and video (especially deep fakes), particularly when intended to inform the public on significant issues, indicating their artificial origin.

Finally, there are minimal or no-risk AI systems. The AI Act permits the unrestricted usage of AI systems posing minimal risk, such as AI-enhanced video games or spam filters. Most AI systems currently used in the EU are categorized within this minimal-risk bracket.

The EU AI Act isn’t merely a set of prohibitions; it’s a comprehensive framework demanding a paradigm shift in how organizations develop, deploy, and manage AI. Transparency becomes paramount, particularly for high-risk AI systems, where developers must provide detailed information about their functioning, data usage, and human oversight mechanisms. This level of transparency aims to mitigate the risks associated with the ‘black box’ nature of advanced AI algorithms.

Preparing for the New EU AI Act Frontier – What Organizations Should Do

Organizations must adapt to survive and thrive in this new environment as the AI Act reshapes the landscape. Here’s a roadmap to help navigate these changes:

  • AI GRC Oversight. Establish a robust AI governance framework, combining the right policies, roles, and an inventory system that aligns with organizational objectives and values.
  • AI GRC Lifecycle Management. Implement a comprehensive lifecycle approach encompassing AI acquisition, development, use, maintenance, and eventual retirement to ensure effective governance across all stages of AI usage.
  • Developing and Maintaining an AI Inventory. Undertake a thorough AI discovery process to catalog all AI technologies used within the organization. This inventory should be regularly updated and include details like ownership, development history, and documentation of each AI model.
  • Validation and Control. Emphasize the importance of validating AI models for quality and reliability and embed controls throughout the AI components to ensure proper use and prevent misuse.
  • Continuous Monitoring and Assurance. Regularly audit and assess AI systems to confirm they function as intended, comply with set standards, and adapt to changes in the business environment.
  • Technology and Information Architecture. Build a technology architecture that supports AI GRC management. This includes model management, robust data management capabilities, compliance tracking, and integration with other organizational systems.
  • Ethical and Transparent AI Usage. Foster an organizational culture that values ethical AI usage and transparency. Ensure your AI systems are understandable (explainable) and within ethical guidelines and legal boundaries.

The arrival of the EU AI Act marks the end of the AI Wild West. It mandates a structured, responsible approach to AI, emphasizing governance, risk management, and compliance. Organizations worldwide must now saddle up and journey through this new landscape, ensuring their AI initiatives align with this more structured and ethically responsible future. The new law is in town, and it’s reshaping the AI frontier – one regulation at a time. See what GRC 20/20 has to say about this in our research report, A.I. GRC: The Governance, Risk Management & Compliance of A.I.

Navigating GRC Trends and Strategies in 2024

In today’s rapidly shifting business landscape, where uncertainty seems to be the only constant, Governance, Risk, and Compliance (GRC) strategy, process, and technology are more critical than ever. This era is marked by a kaleidoscope of challenges: geopolitical instabilities, economic volatility, and a relentless pace of technological innovation. In my recent webinar with MetricStream’s Patricia McParland, GRC Trends and Strategies to Accelerate Risk, Compliance, and Audit Programs in 2024 and Beyond, I had the privilege of diving into this whirlpool of change to explore emerging GRC trends and strategies for 2024 and beyond. 

When I reflect on the state of global business today, I see . . .

[The rest of this blog can be read on the MetricStream blog, where GRC 20/20’s Michael Rasmussen is a guest author]