Dreaming of the Ultimate GRC Platform . . .

In today’s rapidly evolving corporate landscape, the need for an enterprise view into Governance, Risk Management, and Compliance (GRC) is more pronounced than ever. One that truly addresses the official definition of GRC, found in the OCEG GRC Capability Model, that GRC is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).

As the industry analyst that first framed and defined GRC and the GRC market for software and services on a cold snowy day in February 2002 (while at Forrester Research, I spent 7 years there and now 17 years competing against Gartner and Forrester), I have seen GRC technology evolve. There are 69 solutions that I cover deeply in my market analysis, and over 200 others that I monitor in the market. While there are some great solutions in the market, many that I deeply admire and recommend, there is no perfect solution that brings it all together.

Too often GRC platforms are either built, or just deployed, backwards. They are CRG platforms, or just CR platforms, or too often C platforms that do not understand the R and the G.

In envisioning the ideal GRC platform, we dream of a platform that not only addresses current needs but also anticipates future challenges, thereby revolutionizing the way organizations address and integrate governance, risk management, and compliance. There will always be a need for GRC architecture where best-of-breed solutions and content can integrate. But the overall command and control center that brings this together still needs some work. Some GRC solution providers are well on their to address this, but no one has arrived. Of course, with technology continuously evolving, will we ever arrive? It is a continuous journey.

Here is my wish list for the Ultimate GRC Platform . . .

  • Uniting Board Portal Excellence with Strong Governance. The dream begins with a solution that excels in integrating the board portal with robust governance mechanisms that filter down into strategy, performance, and operations. This system should provide an intuitive interface for board members, ensuring seamless access to vital information, fostering effective decision-making, and promoting transparent governance practices. The ideal platform will serve as a cornerstone for board-related activities, offering a blend of security, user-friendliness, and comprehensive functionality.
    • Currently, there is one primary solution provider in the market that is focused on this and a few others that have some capabilities.
  • Strategy, Performance, and Objective Management. Central to this GRC platform and architecture is a deep capability focused on strategy, performance, and objective management. One that enables the organization to define and map corporate strategy, define objectives, and monitor performance against those objectives. Remember that the G in GRC is governance, which is the capability to achieve objectives reliably. Objectives can be entity-level objectives and drill down into division, department, process, project, asset, or even third-party/supplier objectives. Objectives can be financial, performance, operational, ethical/value, compliance, and more. GRC starts with objectives when done correctly. However, most solutions do not cover this. This element ensures that the GRC processes are not just regulatory checkboxes but are intrinsically linked to the organization’s strategic objectives and performance indicators. Doing so aligns GRC activities with the company’s broader goals, creating a cohesive and forward-looking approach.
    • Currently, there are two solutions in the market that I monitor that do this well. Others may have some very rudimentary capabilities, but it is more of an after thought than anything of real value.
    • Also, I get frustrated when I see solutions/modules for ESG that start with ESG risks and not objectives. That is putting the cart before the horse. I DO NOT recommend solutions for ESG (see more below) that start with a risk-centric view.
  • Elevating GRC and ESG Reporting. A critical feature of this dream architecture is its prowess in GRC and Environmental, Social, and Governance (ESG) reporting. The number one complaint on nearly all client reference calls of GRC platforms is reporting. Nobody likes the reporting. NOTE: Dashboards are not reports; they are different. Acknowledging the common denominator in client feedback – the need for enhanced reporting capabilities – this solution must offer sophisticated reporting tools. These tools should cater to various stakeholders, including the board, regulators, and internal teams, ensuring clarity, assurance, and alignment with organizational goals.
    • Currently, there is one solution that comes to mind that excels in reporting (again, not dashboards) in the market for GRC, ESG, and compliance reporting.
  • Risk Quantification & Visualization. Honestly, this needs A LOT of work. Every platform is marketing risk quantification, but most get it wrong, terribly wrong. And many are very broken when it comes to things like risk normalization and aggregation. Myself, I am a big fan of bow-tie risk assessments and visualizations (I am a right-brain risk thinker), and I respect Monte Carlo analysis and other risk quantification methodologies (but many solutions have a half-baked attempt at Monte Carlo analysis). Solutions that can bring both together excite me, but few do.
    • Currently, there are a handful of solutions that I feel truly do risk quantification and visualization well.
  • Addressing Operational Needs in GRC. This dream solution dives deep into the operational aspects of GRC, encompassing enterprise and operational risk management, internal control, compliance, ESG management, audit, policy management, and more. It comprehensively addresses the intricate, day-to-day elements of GRC, ensuring no aspect is left unmanaged.
    • This is an area where many solutions do things well in specific areas. Some are great at EH&S, others great at IT risk management, others at continuity and resilience, others at third-party risk. Some have done very well across these domains in GRC.
  • Integration with Specialized GRC Solutions. Understanding the diversity in GRC needs, this platform/architecture would no just stand-alone but would seamlessly integrate with best-of-breed solutions specializing in areas like third-party risk, IT risk, and Environmental Health & Safety (EH&S) when and where it makes sense. This integration ensures that organizations benefit from specialized expertise without sacrificing the cohesion of a unified GRC platform.
    • Some solutions excel at their ease of integration with other systems, whether GRC specialty/domain-specific solutions or broader business systems. Others do not integrate so well.
  • Leveraging AI in Cognitive GRC. At the heart of this architecture lies a next-generation, AI-driven #CognitiveGRC platform. This system uses artificial intelligence appropriately and effectively across various GRC processes, enhancing predictive capabilities, automating routine tasks, and providing deeper insights. The platform may also connect with AI best-of-breed solutions that focus on specific GRC areas, such as regulatory change management or third-party risk intelligence, harnessing the power of technology to drive smarter, more efficient compliance and risk management.
    • We are seeing a lot of shifts in the market right now. Some have acquired CognitiveGRC capabilities to extend their GRC platform, others have partnered, and others are building this. Unfortunately, there is a lot of smoke and mirrors regarding AI. There are some great solutions delivering value, but there is also a lot of marketing hype for what may exist and be developed.
  • Built on Agile, No-Code, Low-Code Principles. Finally, the foundation of this GRC dream is an #AgileGRC architecture, developed in a true #nocode and #lowcode environment. This approach ensures that the system is not only advanced and robust but also highly configurable and adaptable to an organization’s specific needs. Such flexibility is crucial in a dynamic business environment, allowing companies to respond swiftly to changes without being hindered by their GRC systems.
    • This is a huge frustration for me. Some “low-code” solutions are really hiding behind marketing where they are still “high-code.” Others advertise themselves as “no-code” but are completely rigid and not agile. They may be a beautiful platform, but you cannot adapt it to your business, you have to adapt your business to it.
    • The true “no-code” solution is highly configurable and agile to adapt to the organization’s needs. A handful of solutions in the market are truly addressing this, while others slap these terms on for marketing and not reality.

In conclusion, the envisioned GRC platform of the future is more than just a tool – it’s a strategic partner for organizations, adeptly navigating the complex world of governance, risk, and compliance. With this dream architecture, we are not just solving today’s challenges but are also paving the way for a more adaptable, intelligent, and integrated approach to GRC in the future.

Have a question on GRC solutions in the market that are the best fit for your particularly needs? Ask GRC 20/20 as we offer complimentary inquiry to help you navigate the breadth and depth of solutions available in the market . . .

Check out these upcoming Research Briefings on the market . . .

April 29 @ 10:00 am – 11:30 am CDT 

April 8 @ 10:00 am – 12:00 pm CDT 

Here is an on-demand Research Briefings on the market . . .

The Book of Five GRC Rings: A Path to GRC Mastery

Continuing on my feudal Japan theme on GRC, after my last blog on Who Will be the GRC Platform Shogun? and my excitement for the new miniseries on Disney+/Hulu/FX, here we explore the Samurai art of the sword in the Book of Five Rings and apply it to the world of GRC . . .

In the dynamic, disrupted, and distributed business world, the integrated and interdependent disciplines of Governance, Risk Management, and Compliance (GRC) are akin to an art form – a delicate balance of strategy, foresight, insight, and ethical practice. This complex interplay can be beautifully likened to the wisdom found in Miyamoto Musashi’s revered treatise, “The Book of Five Rings.” Just as Musashi’s text offers guidance in the martial art of the sword, my conceptual framework of “The Book of Five GRC Rings” is a philosophical and practical guide to mastering the essential elements of GRC in today’s corporate world.

At the core of this analogy is the profound definition provided by OCEG, where I serve as an OCEG GRC Fellow. This definition describes GRC as “the capability to reliably achieve objectives (Governance), address uncertainty (Risk Management), and act with integrity (Compliance).” This definition underscores the interconnected nature of these three facets and emphasizes the importance of harmonizing them to create a resilient, agile, and ethical organization of integrity driving what OCEG calls Principled Performance.

In “The Book of Five Rings,” Musashi identifies the elements of ground, water, fire, wind, and the Void as the basis of his strategy. When translated into the context of GRC, these elements become powerful metaphors that encapsulate the essence of each discipline. They serve as a foundation for understanding the nuances and intricacies of navigating modern business’s complex and often turbulent world.

This analogy creating The Book of Five GRC Rings sets the stage for a deeper exploration into how these ancient principles can be applied to modern-day challenges in the corporate sphere. It invites leaders and practitioners alike to embark on a journey of discovery, learning how to meld the timeless wisdom of Musashi’s rings with the practical demands of effective governance, risk management, and uncompromising organization integrity. This journey is about embracing a holistic approach that ensures an organization can achieve objectives and navigate and leverage uncertainty for long-term success with integrity.

Here are the Five GRC Rings . . .

  • The First Ring: The Ground – Governance. The ground represents the stable foundation upon which all else is built. In GRC, this is Governance – an organization’s strategy framework and objectives. Like a samurai’s stance, governance must be solid, providing the structure and direction for all organizational activities. It entails defining the mission, setting clear objectives, and establishing the organization’s guidelines. The agility of governance lies in its ability to adapt and evolve with the changing business landscape, ensuring that objectives are consistently met efficiently and effectively.
  • The Second Ring: Water – Risk Management. Flowing like water, Risk Management is adaptive, constantly changing to meet the contours of the business terrain. It involves identifying, assessing, and mitigating uncertainty/risks that may hinder the organization’s ability to meet its objectives. Like a warrior who anticipates and counters the moves of an adversary, effective risk management requires an organization to be both reactive and proactive, adapting its strategies to ever-changing risks and uncertainties. An organization’s resilience is tested through its risk management practices, ensuring it can withstand and recover from adversities.
  • The Third Ring: Fire – Compliance. Compliance is the fire that fuels integrity within an organization. It is the passionate adherence to values, ethics, ESG commitments, laws, regulations, standards, and industry practices. Compliance should be controlled and monitored like fire, ensuring it does not become destructive. Compliance ensures that an organization acts responsibly, maintaining its reputation and avoiding legal pitfalls. The integrity of an organization is epitomized in its compliance, demonstrating a commitment to lawful and ethical conduct.
  • The Fourth Ring: Wind—Agility. Agility is the wind, invisible yet powerful, symbolizing an organization’s ability to respond quickly and effectively to change. In the context of GRC, agility refers to an organization’s nimbleness in adapting its governance, risk management, and compliance strategies to the dynamic business environment. It encompasses the capacity to foresee changes, make informed decisions swiftly, and implement them efficiently to maintain strategic direction and integrity.
  • The Fifth Ring: The Void – Resilience and Integrity. The final ring, the Void, represents the unknown, the challenges and opportunities that have yet to emerge. In GRC, this equates to the overarching themes of resilience and integrity. Resilience is an organization’s ability to endure, recover, and grow in the face of uncertainty and change. On the other hand, integrity is the ethical compass that guides every action and decision, ensuring that the organization remains true to its values and objectives in the context of uncertainty and change.

Mastering GRC is akin to the way of the samurai, a path of discipline, strategic thinking, and ethical action. The five rings – Ground, Water, Fire, Wind, and the Void – provide a framework for understanding and excelling in the complex world of governance, risk management, and compliance. By embodying these principles we have explored together, organizations can navigate the ever-changing business landscape with wisdom and strength, much like the legendary samurai masters of old. This is the essence of the Book of Five GRC Rings – a guide for the modern GRC warrior.

Who Will Be the GRC Platform Shogun?

In 1980, I fell in love with feudal Japan. Why? I was 10 years old and watched the NBC miniseries Shogun with Richard Chamberlain . . . samurais, ninja, everything needed to captivate the imagination of a young boy. I immediately read the huge book Shogun by James Clavell (1300 pages), which I have now read three times. Completing it for the third time a month ago getting ready for the new miniseries of Shogun on Hulu/FX. Yes, I had a watch party in my office on February 27th to watch the new Shogun! And yes, I wore a samurai kimono and zoroye complete with samurai swords to the watch party (reply and ask me for pictures). The watch party had sushi (my oldest son is a master sushi chef in Milwaukee), sake, Japanese whiskey, and Japanese beer).

As the GRC Pundit and market/industry analyst, I often reflect on the dynamism and complexity of the GRC technology market. This market resembles the vivid narrative of James Clavell’s novel Shogun. In this grand tale, just as in the GRC industry, numerous GRC technology/solution players are vying for dominance, alliances are ever-shifting, and strategy is key to survival and triumph.

Imagine the GRC technology solutions as the various feudal lords and samurai depicted in “Shogun.” Some are the daimyos that represent the GRC platforms that try to outmaneuver each other for market dominance. Others are samurai that serve these daimyos that are best-of-breed focused GRC solutions that extend capabilities, but at times shift alliances. Others are ronin, samurais with no masters and alliance.

Each daimyo, with his unique strengths and weaknesses, competes for influence and power in feudal Japan, much like how GRC vendors strive to innovate and differentiate their offerings in the market. The goal for these lords is to become the Shogun, the supreme military dictator, paralleling how GRC vendors aspire to lead the industry, to be GRC Shogun! Success requires great technology, but also alliances with other GRC best-of-breed technology solutions, professional service firms, and GRC content/intelligence providers.

Mergers and acquisitions in the GRC field are akin to the strategic marriages and alliances formed in the book. These unions are about gaining power and acquiring new capabilities, expanding territorial reach, and neutralizing threats, much like how GRC vendors merge with or acquire others to enhance their technological capabilities, expand market presence, and eliminate competition. And 2024 has shown quite a few M&A activities that have already gone public and much more in play yet to be announced that I have interacted on.

Similarly, partnerships in the GRC technology market resemble the shifting alliances between the daimyos (feudal lords) in “Shogun.” These tactical alliances are often formed to gain a strategic advantage over a common foe or enter new domains. In the GRC world, such partnerships might involve collaborating on joint ventures, integrating complementary technologies, or co-developing new solutions to meet emerging market needs.

The intrigues and power struggles within “Shogun” mirror the competitive dynamics in the GRC market. Just as the characters in the novel employ diplomacy, espionage, and warfare to outmaneuver their rivals, GRC vendors use market research, competitive intelligence, and strategic marketing to gain an edge. Something that GRC 20/20 specializes in and is better than any other market research firm on the planet. My very existence.

As in the novel, where the characters must adapt to a rapidly changing environment and unforeseen events, GRC vendors must also be agile, responding swiftly to regulatory changes, evolving risk landscapes, and technological advancements. This agility is crucial to survival and success in the quest to become the GRC Shogun. This is definitely the case with GRC solutions figuring out their artificial intelligence (Cognitive GRC) strategies, which are causing further acquisitions and alliances.

Lastly, the depth and breadth of the characters’ skills and alliances in “Shogun” can be likened to the range of solutions and services offered by GRC vendors. Just as a well-rounded character is more likely to succeed, a vendor that offers a comprehensive suite of solutions and services, which includes professional service and GRC content/intelligence partnerships, tailored to diverse and evolving needs, is more likely to lead in the GRC market.

The quest to become the GRC Shogun is a complex and dynamic journey, much like the intricate plot of “Shogun.” As an analyst, I provide insight into this fascinating market, helping businesses navigate the ever-changing landscape and understand the differentiators that set each vendor apart. Just as in “Shogun,” where strategy, alliances, and adaptability determine the ultimate victor, the same principles apply in the quest for leadership in the GRC technology market.

My role is to provide objective and independent evaluation and insight into the breadth and depth of the players in the GRC market to help organizations select the right solution that fits their specific needs and strategy. It is my job to evaluate and forecast where the market is headed and what differentiates players and to predict who is capable of being the GRC Shogun to dominate this market.

Have a question on GRC solutions (whether broad platform or specific best-of-breed focused solutions), ask an inquiry . . .

From Risk Management to Risk Leadership

As I engage with risk professionals around the world, I can’t help but notice a distinctive shift in risk management thinking and approach that is evolving. I have increased mature interactions, particularly in Europe, where risk management seems to be more intricately aligned with business objectives, transcending the mere compliance exercise often associated with risk management in the USA with Sarbanes Oxley.

The key to this is . . .

[The rest of this blog can be read on the Inclus blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Risk! Risk is Our Business!!!

Embracing the Uncertain: Enterprise Risk Management Through the Lens of Star Trek

In the vast expanse of space, the Starship Enterprise embarks on its mission to explore strange new worlds, seek out new life and civilizations, and boldly go where no one has gone before. This iconic journey from the legendary series Star Trek. In Season 2, Episode 20 of the original series, Captain James T. Kirk, a leader who faced the uncertain with courage and determination, stated:

“Risk! Risk is our business. That’s what this starship is all about. That’s why we’re aboard her.”

Captain James T. Kirk, U.S.S. Enterprise

This quote, though set in the backdrop of space exploration, resonates profoundly with the challenges and opportunities in the field of Enterprise Risk Management (ERM) and Governance, Risk, and Compliance (GRC). Let’s delve into how this interstellar perspective can illuminate our approach to risk in the business world.

Background . . .

“Star Trek: The Original Series” Season 2, Episode 20, titled “Return to Tomorrow,” is a significant episode in the Star Trek canon, particularly for its exploration of risk and leadership through the character of Captain James T. Kirk.

In “Return to Tomorrow,” the Starship Enterprise is contacted by a powerful, disembodied alien entity named Sargon. Sargon and his companions are survivors of a highly advanced, extinct civilization. They have been living as consciousnesses without physical bodies for half a million years and invite the crew of the Enterprise to their planet. Upon arrival, Sargon explains his ambitious plan: to temporarily inhabit the bodies of Captain Kirk, Science Officer Spock, and Dr. Ann Mulhall, so they can construct android bodies to permanently transfer their consciousnesses. This offers the potential for immense scientific advancement but comes with significant risks, as the process could potentially harm or kill the host bodies.

Captain Kirk’s famous quote, “Risk: Risk is our business. That’s what this starship is all about. That’s why we’re aboard her,” is made during a pivotal scene where the crew debates whether to assist Sargon and his companions. The decision is fraught with ethical and physical dangers. The risk here is a physical threat and a moral dilemma, as the crew must weigh the potential benefits of helping a dying civilization against the possible costs.

Kirk’s statement encapsulates his leadership philosophy and the broader mission of the Enterprise. He acknowledges that their journey is not just about exploration but also about taking risks to achieve greater understanding and to help others, even when the outcomes are uncertain. This perspective on risk is not reckless but is a calculated acceptance of the unknown as part of the pursuit of progress and knowledge.

In essence, this episode and Kirk’s statement highlight a core theme of Star Trek: the pursuit of knowledge and exploration inherently involves risk, but it is through taking these risks that humanity grows and learns. This theme resonates with the challenges and decisions faced in business and organizational contexts, especially in areas like enterprise risk management and governance. It reminds me of Judge Mervyn King of South Africa, the impetus for the King 1, 2, 3, & 4 reports on Corporate Governance, who stated: “Business is the undertaking of risk for reward.”

The Enterprise as a Metaphor for the Organization

Picture the Starship Enterprise: a vessel designed for exploration, encountering new worlds and civilizations. In the corporate world, an organization is akin to this starship, venturing into the market’s uncharted territories. Just as the Enterprise faces cosmic anomalies and unfamiliar species, companies encounter market volatility, technological disruptions, and competitive landscapes. Understanding this parallel helps us appreciate the necessity of being well-equipped to manage the unknown.

Just as the USS Enterprise traverses the unknowns of the galaxy, modern organizations navigate through the uncharted territories of the global market. The Enterprise, equipped for unexpected challenges, represents an organization’s need to be prepared for various risks – be they financial, operational, strategic, or compliance-related. Like a starship crew, a company must work in harmony, utilizing every member’s strengths to achieve its objectives while safeguarding itself against potential threats.

Understanding Risk in the Business Context

Risk, in business, is often viewed with apprehension. However, just as the Enterprise’s mission is not to avoid space but to explore it, the mission of a business is not to avoid risk but to engage with it strategically. Risk is a dual-edged sword; it presents potential dangers and opportunities. Effective risk management strategies help organizations identify, assess, and manage these risks, turning potential threats into opportunities for growth and innovation.

In the business world, risk is too often viewed through a lens of avoidance and mitigation. However, Captain Kirk’s view of risk as an integral part of the Enterprise’s mission suggests a different perspective. Risk is not just about avoiding harm; it’s about embracing the possibility of opportunity and reward. We take risks to achieve business objectives. The business not taking risks is the business this is out of business. Effective risk management involves identifying, assessing, and managing risk to maximize the organization’s value, just as Kirk evaluates potential dangers and opportunities on his voyages.

Here are some things we can learn in this analogy of Star Tek to the world of risk management in business . . .

  • Risk Management: The Crew’s Responsibilities. On the Starship Enterprise, every crew member, from the Captain to the engineers, plays a crucial role. The diverse crew of the Enterprise, from Mr. Spock’s logic to Dr. McCoy’s compassion, highlights the varied roles within an organization. Similarly, in an organization, effective GRC requires the coordination of various roles – from the board of directors and executives to individual employees. Each department, whether finance, operations, human resources, or IT, is critical in managing risk. Each member contributes to the organization’s risk management. Effective GRC ensures that these roles are not siloed but work in concert, much like the coordinated efforts of the Enterprise’s crew.
  • Risk Management: Navigating Uncharted Territories. Navigating a starship requires constant vigilance, adaptability, and a deep understanding of the environment. It requires understanding the star charts, the ship’s capabilities, and the potential dangers of space. In business, navigating through market and operational uncertainties requires a similar approach. Risk assessment tools and strategies are maps and sensors that help businesses understand their environment, assess potential risks, and develop strategies to mitigate them. Businesses must employ risk assessment tools and strategies to navigate uncertainties. This could involve scenario planning, risk frameworks, and continuous monitoring akin to the Enterprise’s sensors and navigational systems.
  • The Need for Bold Risk Leadership: The Role of Captain Kirk. Captain Kirk’s leadership is pivotal in the Star Trek narrative. It is a bold, decisive, yet informed leadership style that is emblematic of what is required in business leaders. In business, leadership plays a similar role in risk management. Leaders must make critical decisions, often with incomplete information while inspiring their teams to embrace the organization’s vision. The courage to take calculated risks is at the heart of innovative leadership, balancing boldness with a sense of responsibility.
  • Case Studies: Successful Risk-Taking Enterprises. Let’s look at real-world examples. Companies like Apple and Tesla have navigated significant risks in pursuing innovation, much like the Enterprise explored unknown galaxies. These cases demonstrate the importance of vision, innovation, and risk management in achieving business success. Apple revolutionized the music, phone, and tablet industries by taking significant risks. Now we watch SpaceX, which dares to re-imagine space travel. Like the Enterprise, these companies venture into uncharted territory to reap substantial rewards. They demonstrate that well-managed risk can lead to groundbreaking innovation.
  • Balancing Risk and Reward: The Ongoing Mission. The Enterprise’s mission in Star Trek is ongoing, constantly adapting to new challenges and opportunities. Just as the journey of the Enterprise is ongoing, so is the risk management process. It’s about finding the right balance between taking risks and managing them prudently. This balance is crucial for sustainable growth and long-term success. Risk management is a dynamic process that has to adapt to changing objectives and uncertainties to achieve those objectives. It requires organizations to balance taking risks to achieve growth and exercising caution to ensure sustainability.

Embracing Risk as Part of the Business Voyage

In conclusion, Captain Kirk’s perspective on risk offers a valuable lens through which to view the challenges and opportunities in risk management and GRC. Organizations, much like starships, are on a voyage through the uncertain. ISO 31000 devices risk as the uncertainty in achieving objectives. OCEG defines GRC as a capability to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance]. Embracing and managing risk is not just a necessity; it’s a fundamental aspect of the journey toward achieving extraordinary objectives.

As Captain Kirk suggests, embracing risk is essential for organizations aiming to thrive in today’s competitive landscape. By understanding, managing, and strategically taking risks, businesses can boldly go where they have never gone before, turning potential threats into opportunities for success.

Integrating Risk Management into Strategic Decision Making: A Symphony of Success

In the dynamic world of business, the Chief Risk Officer (CRO) is not merely a guardian against threats but a conductor orchestrating the organization’s movements in harmony with strategy, goals, performance objectives, and how these get melded into operations, decisions, and transactions. ISO 31000 defines risk as ”the effect of uncertainty on objectives,” emphasizing the need to manage risk defensively but proactively, embracing opportunities that contribute to business strategy and objectives.

The CRO is a conductor of the orchestra of risk to ensure that the organization has no surprises in achieving its objectives. In this exploration, we delve into the intricacies of how the CRO integrates risk management seamlessly into the business’s cycles, strategy, performance, and objectives, providing executives with the insights they need for informed decision-making.

In this context, consider . . .

[The rest of this blog can be read on the Inclus blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Risk & Resilience Management by Design

Embracing Risk Agility and Resilience in Modern BusinessRisk

The landscape of business operations has undergone a seismic shift. The days of simplicity are behind us, replaced by a complex web of risks, regulations, globalization, and rapid technological advancements. For organizations, big and small, aligning business strategy, operations, and processes with these evolving dynamics poses a formidable challenge. The crux of success is achieving a 360° contextual awareness of risk and resilience to the organization’s objectives. It’s no longer sufficient to merely acknowledge the existence of risks; organizations must now understand and navigate the intricate relationships between their objectives, risks, processes, and controls with a holistic lens.

Too often, risk management is relegated to a checkbox exercise, disjointing from an organization’s core strategy and decision-making processes. This misalignment often spells the downfall of even the most established brands, serving as cautionary tales for future business leaders. The key challenge lies in synchronizing risk management with the ever-evolving complexity and change inherent in modern business. Too often, risk management is buried in departmental silos, approached from merely a compliance or audit perspective rather than as an integral part of strategic decision-making. This disjointed approach fails to capture the bigger picture, leaving organizations vulnerable to unforeseen risks.

In today’s fast-paced business environment, change in one area can trigger a domino effect, impacting the entire organizational ecosystem. This interconnectedness demands a comprehensive approach to risk and resilience management. Organizations need to understand how their decisions and actions in one domain affect risks and objectives in another. This level of understanding is crucial for navigating the uncertain waters of modern business operations and maintaining integrity across all fronts.

Technology plays a pivotal role in achieving this holistic understanding. Advanced technological solutions can automate and enable risk and resilience management, offering organizations much-needed visibility and intelligence. By integrating risk management with business continuity programs, firms can foster a symbiotic interaction between these disciplines, ensuring a more resilient operational framework.

Consider the agility of a parkour athlete or the nimbleness of a character like Legolas from “Lord of the Rings.” These examples embody the essence of agility – the ability to navigate and adapt swiftly to the environment. Similarly, organizations need to cultivate this agility in their risk management practices. This agility isn’t just about avoiding threats; it’s equally about seizing opportunities and advancing organizational goals. Good risk management involves a clear understanding of the organization’s objectives, performance goals, and strategy and the ability to continuously monitor the environment for 360° situational awareness.

Organizations must be agile and resilient in today’s dynamic, distributed, and disrupted business environment. Governance, Risk, and Compliance (GRC) must be integrated with performance, objective, and strategy management to foster this duality. Operational risk and resiliency support enterprise agility, creating a symbiotic relationship essential for navigating today’s complex business terrain. The modern organization’s survival and success hinge on its ability to embrace risk agility and resilience. By integrating GRC into their core strategies and leveraging technology for holistic risk and resilience management, organizations can safeguard themselves against potential threats and position themselves to capitalize on emerging opportunities. The future of business demands a proactive, agile approach to risk management, encompassing the entire organizational ecosystem and turning challenges into catalysts for growth and innovation.

Check out these upcoming events and resources on Risk & Resilience Management by Design . . .

Federated Governance of the Extended Enterprise

The structure and reality of business today have changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees, including suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacy, such as deep supply chains and sub-contracting relationships. Business today relies and thrives on third-party relationships; this is the extended enterprise.

In this context, organizations struggle to govern their third-party relationships and often manage risk and compliance in relationships in silos that fail to see the big picture of risk exposure and impact on the relationship’s objectives. Risk and compliance challenges do not stop at organizational boundaries. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships or allowing good business relationships to sour because of weak governance. Third-party problems are the organization’s problems and directly impact the brand and reputation, increasing exposure to risk and compliance matters. When questions of delivery, business practice, ethics, privacy, safety, quality, human rights, resiliency, corruption, security, and the environment arise, the organization is held accountable. It must ensure that third-party partners behave appropriately.

Fragmented governance of third-party relationships through disconnected department silos leads the organization to inevitable failure . . .

[The rest of this blog can be read on the EthixBase360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Agile & Cognitive GRC to the Future of Business Integrated GRC

This blog post encapsulates the key themes and insights from Michael Rasmussen’s G[P]RC Summit keynote in Dubai (video above), providing readers with a comprehensive understanding of the current trends and future direction in GRC.

Navigating the Complexities of Modern Governance, Risk, and Compliance

Embracing Agile and Cognitive GRC in a Dynamic Business World

In an era marked by rapid regulatory changes and an ever-evolving business landscape, the second annual GPRC summit shines a spotlight on the critical importance of Governance, Risk, and Compliance (GRC) in modern organizations. The summit, a convergence of thought leaders and professionals, delves deep into the concept of agile and cognitive GRC, underlining the need for organizations to adapt swiftly and intelligently to stay ahead.

The Systemic Nature of Risk

The interconnectedness of risks in the modern business environment cannot be overstated. Risks in one area can have cascading effects on others, necessitating a systemic approach to risk management. It’s not enough to tackle risks in silos; businesses must adopt a holistic view, understanding how various risks interplay and impact the organization as a whole.

Defining GRC

At its core, GRC is about reliably achieving objectives (governance), addressing uncertainty (risk management), and acting with integrity (compliance). This triad forms the foundation of effective GRC practices, emphasizing the need to align risk management strategies with the organization’s broader goals and values.

Aligning Risk with Organizational Objectives

Effective risk management is intrinsically linked to the organization’s objectives. It’s about understanding the goals at various levels – from high-level entity objectives to specific project or third-party relationship goals – and aligning the risk management strategy accordingly.

Risk: A Tool for Success

Contrary to the traditional view of risk as a negative force to be avoided, the summit presents risk as a crucial element of business success. Like fire, when controlled, risk can propel an organization forward; when uncontrolled, it can lead to its downfall. Understanding and managing risk is not just about mitigation but about harnessing its potential for growth and innovation.

The Art of Risk Orchestration

The role of a Chief Risk Officer (CRO) is akin to that of an orchestra conductor, ensuring harmony among the different sections of an organization’s risk profile. The CRO must maintain an overarching view of the risk landscape, understanding how different risks interact and affect the organization’s ability to achieve its objectives.

Beyond Resilience: The Need for Agility

In today’s fast-paced business environment, resilience – the ability to recover from risk events – is crucial. However, organizations must also be agile, anticipating potential risks and navigating around them proactively. This combination of resilience and agility is key to thriving in a volatile business world.

The Ever-Changing Face of Modern Organizations

Organizations today are not just confined to their physical boundaries but extend to networks of third parties like vendors and suppliers. This extension translates into a complex web of interdependencies where external issues have a direct impact on internal operations. Michael highlighted the constant flux in regulations, risks, and business processes, emphasizing the need for a comprehensive approach to GRC.

The Dynamics of External and Internal Change

Businesses aren’t just battling external factors like geopolitical shifts; they’re also constantly evolving internally. Changes in business processes, strategies, technologies, and personnel demand a flexible approach to GRC. Moreover, the traditional concept of an organization, limited to its brick-and-mortar presence, has extended to include a network of suppliers, contractors, and third-party relationships, further complicating the GRC landscape.

The Global Regulatory Maze

One of the most daunting challenges for businesses today is the sheer volume of regulatory changes. Globally, financial institutions grapple with an average of 257 regulatory change events every business day. This staggering number highlights the need for a robust GRC strategy that can navigate the complexities of compliance across various jurisdictions.

The Promise of Cognitive GRC and AI

The integration of artificial intelligence (AI) in GRC processes promises to revolutionize how organizations manage risk. AI can enhance efficiency, effectiveness, and predictive capabilities, enabling businesses to stay ahead of risks and compliance requirements. However, leveraging AI in GRC also presents challenges, including ensuring the ethical use of AI and managing the complexities of AI-driven decision-making.

The Future: Business Integrated GRC

Looking ahead, the speaker envisioned a future where GRC is more deeply integrated into business processes, driven by technology. This integration would lead to a more aware, responsive, and efficient approach to managing risks and compliance.

The journey to agile and cognitive GRC is not just about adopting new technologies or processes. It’s a paradigm shift in how organizations view and manage risk. By embracing a holistic, forward-thinking approach to GRC, businesses can navigate the complexities of the modern world, turning risks into opportunities for growth and success. The GPRC Summit in Dubai opened a window to the future of GRC, one that is agile, cognitive, and deeply integrated with the core business processes. As businesses continue to navigate through complexities, the role of GRC as a strategic enabler becomes ever more critical. The journey towards agile and cognitive governance in GRC is not just about adopting new technologies but about a fundamental shift in how risks, compliance, and governance are perceived and managed.

2024 Trends in Governance, Risk Management & Compliance (GRC)

In 2024, the Governance, Risk Management, and Compliance (GRC) landscape is evolving rapidly. Organizations are increasingly facing complexity and chaos driven by several factors, such as changing regulations, external risks and uncertainty, as well as dynamic and evolving business operations, processes, and technology. These drivers push companies to adopt innovative GRC strategies to stay agile, resilient, compliant, and competitive.

The key GRC trends in 2024 that GRC 20/20 Research has identified and are monitoring include:

  1. GRC 6.0 – Business Integrated GRC. This trend marks a paradigm shift where GRC becomes seamlessly integrated into the core business processes. It aligns closely with the organization’s strategy, performance, and objectives. It is pushing GRC accountability and control into business processes and the business instead of additional layers of compliance band-aids disconnected from the business.
  2. Risk Management = No Surprises (or Minimal). Mature risk management processes in 2024 aim to minimize surprises. Organizations increasingly use predictive analytics and other advanced tools to anticipate potential risks and mitigate them proactively. It is about forecasting risk and uncertainty on the horizon, going through scenarios, and preparing the organization for the best path forward..
  3. GRC Orchestration. In 2024, GRC management will be increasingly collaborative and a cross-functional responsibility. This trend emphasizes visibility and consistency in GRC processes across all departments and functions. For instance, a multinational corporation might use common processes automated by technology across different geographic locations, ensuring uniformity and reducing risk exposure. Some solutions allow for GRC centralization while allowing some autonomy with consistency within business areas.
  4. Addressing Geopolitical Risk. Geopolitical risk has become a primary focus area. Organizations need clear insights into the evolving geopolitical landscape to understand how it might impact their objectives. For example, a global supply chain company might monitor international trade policies, economic and inflation uncertainties, commodity availability, conflicts, and more to anticipate and prepare for disruptions.
  5. Risk Agility. This trend involves organizations being agile in their risk management strategies. They continuously scan the horizon for potential risks, review scenarios, and chart the best path forward. An organization may use scenario planning to prepare for various economic conditions, ensuring it adapts quickly to changing circumstances.
  6. Business, Strategic & Operational Resilience. The ability to quickly recover from risk events is crucial in 2024. Companies focus on building resilience in every aspect of their operations. This includes resilience of the organization’s strategy, financial resilience, and, more specifically, its operational resilience to contain and recover from risk events.
  7. ESG and Integrity. With rising global concern over environmental, social, and governance (ESG) issues, organizations are working to manage the complexities of ESG commitments. This includes accurate reporting to ensure organizational integrity within the business and across the extended enterprise of third-party relationships.
  8. Trust Assurance & Data GRC. Businesses increasingly focus on integrity throughout their operations, processes, transactions, data/information, and relationships. Trust is critical for investors/stakeholders, employees, customers, and business partners in today’s business. This is particularly true in dealing with the complex uncertainty and compliance requirements across information, data, transactions, and interactions.
  9. The Extended Enterprise. In 2024, managing risks and maintaining ethical environments across extended business relationships is crucial. Companies must ensure that their partners, suppliers, and distributors adhere to the same ethical and compliance standards, and that risk is management in these relationships. This is particularly true in addressing ESG across the extended enterprise.
  10. A.I. GRC/ A.I. Governance. The governance of AI use within organizations is a growing concern. Companies are focused on ensuring AI is used ethically and effectively to reduce uncertainty. Organizations across industries need to implement oversight of AI to review and approve AI algorithms used in the organization.
  11. Cognitive GRC. Utilizing AI to enhance GRC processes is becoming more prevalent. Cognitive GRC uses AI to increase efficiency, effectiveness, resilience, and agility in GRC activities.
  12. Accountability. There is a global focus on enhancing accountability in risk and compliance, particularly at the board, executive, and senior management levels. This means greater transparency and responsibility for GRC decisions and actions. The growing array of accountability regimes (e.g., U.K., Ireland, Australia, Hong Kong, Singapore, South Africa) is expanding, as well as legal accountability in the USA for key business and GRC executives.
  13. GRC and Cultural Contexts. Organizations operating in diverse cultural and geographical contexts face unique compliance, ethics, and ESG challenges across these business areas. Navigating these differences requires a nuanced approach, understanding, and respecting local values and regulations.
  14. GRC Engagement. The human element in GRC is critical. Ensuring employees at all levels are engaged with policies and controls and trained to identify and report issues is essential for effective GRC. Regular training and clear communication channels are key strategies in this area. This is the most important firewall in the organization, the human firewall.
  15. Business Champion.: When GRC is implemented effectively, it fosters champions at all organizational levels. These champions advocate for and reinforce GRC principles, helping to embed a culture of ethics, risk management, and integrity.

In summary, the GRC landscape in 2024 is characterized by a dynamic interplay of integration, innovation, and responsiveness. The trends outlined above reflect a holistic and forward-thinking approach to governance, risk management, and compliance. Organizations are increasingly weaving GRC into the fabric of their business operations, aligning it with strategic objectives and cultivating a culture of resilience and integrity.

The shift towards Business-Integrated GRC, the emphasis on predictive risk management, and the orchestration of GRC across departments highlight a proactive and integrated approach. Addressing geopolitical risks, ensuring risk agility, and maintaining business resilience are now fundamental to organizational sustainability and success. Moreover, the focus on ESG, trust assurance, and accountability underscores the growing importance of ethical practices and transparency.

Technological advancements in AI and cognitive GRC tools are transforming how organizations manage compliance and risks, bringing efficiency and agility to the forefront. The extended enterprise concept emphasizes the need for ethical and compliant practices beyond an organization’s immediate boundaries.

Finally, the human element remains central to effective GRC. Engaging employees, fostering a culture of compliance, and creating GRC champions at all levels are crucial for embedding these practices deeply within an organization.

As we navigate through 2024, these trends in GRC are not just about managing risks or complying with regulations; they are about creating sustainable, resilient, and ethical organizations capable of achieving their objectives while thriving in an ever-changing global landscape.