Modern Slavery Risk Assessments in the Extended Enterprise: A Quick Guide

In my first post, A Quick Guide to ESG and Risk Management in the Extended Enterprise, I outlined what ESG (environmental, social and governance) is and how it impacts third-party risk management. Next, we looked deeper into a specific aspect of Governance in ESG: anti-bribery and corruption (ABAC). This post discusses a social aspect: how modern slavery can impact your extended enterprise.

What Is Modern Slavery and How Does It Apply to Modern Supply Chains?

Modern slavery exists when people are subjugated by companies and controlled by threats of harm or debts they cannot repay. Human trafficking is a related term used to describe when people are moved between countries (e.g., the slave trade). Slavery is found in the supply chains of corporations producing materials and products, as well as in the forced compulsion of children to make products in factories. In fact, 40 million people are estimated to be enslaved around the world today, resulting in $150 billion in ill-gained profits every year.

The good news is the world has been taking action. Governments in several countries have passed legislation requiring organizations to report on modern slavery in their supply chains. A few examples of legislation include . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE PREVALENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Board’s Role in Leading and Enabling GRC

Gone are the years of simplicity in business operations. Exponential growth and changes in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.

GRC (governance, risk management, and compliance) by definition starts with the G for governance. Because of the board’s role in corporate governance, one would think that GRC is a board-driven strategy and initiative. However, the opposite is most often the case. It is the R for risk management and C for compliance that drive most GRC initiatives – and fail to engage senior executives and the board who ultimately have fiduciary obligations for all aspects of GRC.

Understanding GRC in Context

Let’s unpack GRC to provide context to what it truly is. GRC as detailed in the OCEG GRC Capability Model drives Principled Performance. It is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE]. The flow starts with governance, which provides context for risk management and compliance:

  • Governance – reliably achieve objectives. This is the governance function of . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE DILIGENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

There is a new CIO in town . . . the Chief Ethics and Compliance Officer (CECO)

There is a new CIO in town . . . the Chief Ethics and Compliance Officer (CECO). This is not to replace the Chief Information Officer; rather, the CECO is an executive focused on the organization’s integrity, which makes the CECO the Chief Integrity Officer.

Back in 1992, I remember being in the backcountry of Montana hiking with some friends. I was carrying with me my longbow (yes, I love all things medieval, and the English longbow has long been an interest to me). We were on top of this rock overlooking a small mountain lake. Across the lake, there was an old tree that had fallen into the water. I looked over at my friends and stated I would shoot an arrow across the lake and hit that log in the water. They laughed at me; it was a long shot, not one of those point-the-arrow-at-the-target shots, but one of those shoot-the-arrow-up-into-the-air-with-an-arc-to-get-the-distance-needed-to-hit-the-target shots. I pulled my bow back and let the arrow fly. It flew gracefully in an arc and landed to embed itself in the log in the water across the lake.

Back in 2004, I made another shot. I stated that the CECO is mislabeled, that the role of compliance and ethics is beyond checkboxes and compliance but is the bastion of the organization’s integrity. I stated back then that the CECO should be renamed the CIO, the Chief Integrity Officer. The shot was fired high, and it arced over the years to land solidly in 2021.

The role of the CECO is changing, and it is for good. This role continues to move out of legal to become its own executive function focused on compliance and ethics. As it grows and establishes itself, it is focused more and more on the organization’s integrity, particularly as it is this role that is leading ESG – environmental, social, and governance – strategies for the organization.

Integrity is a mirror revealing the truth about an individual or a corporation. It involves walking the talk — not just talking it.

On a personal level, integrity is measured by what an individual does and does not do when no one is looking. Do they hold to their values, beliefs, and ethics? Or do they compromise and do the opposite of what they believe is right?

Integrity is the same at the corporate level. Does the organization’s reality reflect what is stated in corporate reports, filings, ESG statements, regulatory compliance, and stakeholder communications? Does the organization walk its talk or just talk a talk?

Integrity is violated when corporate policies and procedures are thrown out the window in the quest for personal or corporate gain. From an organization’s perspective, personal and corporate integrity are two sides of the same coin. In order for a corporation to have integrity, it must have an ethical environment with employees and business partners willing to follow and enforce corporate culture, policies, and procedures. From an individual’s perspective, an employee or partner wants to make sure they are working with a corporation aimed at doing the right thing and is in sync with their values and beliefs.

Consider the words of Aristotle: “We are what we repeatedly do. Excellence then is not an act but a habit.”

Integrity itself is not something that is written on paper, but something that is lived and breathed in the organization. Integrity is a mirror: does it reflect what the organization truly is, or does the organization communicate and portray to the world something that really does not exist?

The role of the CECO is becoming firmly rooted in establishing, maintaining, and monitoring the integrity of the organization. What it commits to in values, ethics, code of conduct, policies, regulatory obligations, contractual commitments . . . is it a reality that the organization lives and operates by? It is the role of the CECO to monitor and ensure corporate/organization integrity. In the 2021 era of ESG, this role of being the Chief Integrity Officer is more critical than ever and is fundamentally evolving and changing the role of the CECO.

I have mentioned in previous posts that it is a good thing that the CECO comes out of legal to be an operationally functional department that has a direct line of communication to the board of directors and senior executives. In my idealistic view of the world, it is also critical that this role not get buried in risk management. Integrity is critical to today’s modern organization. This role and function provide a balance to the forces of risk management, keeping the organization on the track of integrity.

Here are some of the resources I have published on compliance and ethics management that can assist readers in developing an organization of integrity and the role of a Chief Integrity Officer . . .

A Quick Guide to Anti-Bribery & Corruption (ABAC) Risk in the Extended Enterprise

In my previous post, A Quick Guide to ESG and Risk Management in the Extended Enterprise, I outlined what environmental, social and governance (ESG) is and how it impacts third-party risk management. This post expands on a specific aspect of governance in ESG: anti-bribery and corruption (ABAC).

ABAC Risk and Compliance 

Organizations today face a tremendous amount of anti-bribery and corruption risk – especially as they conduct business globally. Anti-bribery and corruption laws govern business transactions and prohibit exchanges of value that illegally influence the actions of either party in a transaction. There is a range of laws meant to enforce ABAC measures – from the U.S. Foreign Corrupt Practices Act (FCPA, passed in 1977), to more recent legislation such as the U.K. Bribery Act (2010) and France’s Sapin II (2016). In fact, 46 different countries have bribery and corruption laws. These laws address bribery in business transactions, often focusing on the actions of foreign government officials.

Enforcement of ABAC laws is expanding . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE PREVALENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

ESG is about to ROCK the Third-Party Risk World

The extended enterprise defines business today. An organization is not defined by brick and mortar walls and traditional employees. The organization is a web of third-party relationships of suppliers, vendors, outsourcers, service providers, distributors, contractors, consultants, brokers, dealers, agents, and more. The actions and behavior of these third parties impact and shape the reputation and brand of the organization. Their risk issues are the organization’s risk issues.

Third-party risk programs are about to change significantly. In the past, there was a dominant focus on information security and privacy risk in these relationships. They were also fragmented, with different departments monitoring and managing their silos of risk without seeing the big picture of risk across a third-party relationship. This is changing. There is a growing array of regulations that will restructure how organizations define and manage risk in the extended enterprise.

In particular, there is pending legislation with an expansive scope that is expected to be passed this summer: the EU Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence, alongside Germany’s corresponding Corporate Due Diligence Act. These are SIGNIFICANT pieces of legislation that are expected to become law in the next few months.

The scale and impact of these laws will be global. Think EU GDPR (General Data Protection Regulation) in scope. Organizations around the world have had to respond to GDPR because they hold EU citizen data. These two pieces of legislation have a potentially global impact with significant teeth.

Consider that the governing EU directive, which is to become country law in each EU member country, is projected to impact any organization with operations in Europe (whether or not it is headquartered in Europe) with more than 250 employees and/or more than €50 million in annual revenue. So if an organization has any presence in Europe, regardless of where it is headquartered, it will have to address the requirements coming from this directive. Germany’s legislation is the first EU country legislation to support this directive and is expected to become law in the same timeframe that the EU directive gets finalized.

These laws are more than reporting requirements; they will have teeth. They are NOT like the United Kingdom Modern Slavery Act and California’s Transparency in Supply Chains Act. These new laws are expected to have significant enforcement penalties and sanctions and large administrative fines (similar to anti-trust and GDPR fines). They require thorough and continuous due diligence of third-party relationships in the context of environmental practices, social and human rights, and governance to address corruption.

Here are a few excerpts from the published notes on the draft directive:

  • For the purposes of this Directive, due diligence should be understood as the obligation of an undertaking to take all proportionate and commensurate measures and make efforts within their means to prevent adverse impacts on human rights, the environment, or good governance from occurring in their value chains, and to address such impacts when they occur.
  • In practice, due diligence consists in a process put in place by an undertaking in order to identify, assess, prevent, mitigate, cease, monitor, communicate, account for, address, and remedy the potential and/or actual adverse impacts on human rights, including social, trade union and labour rights, on the environment, including contribution to climate change, and on good governance, in its own operations and its business relationships in the value chain.
  • Due diligence should not be a ‘box-ticking’ exercise but should consist of an ongoing process and assessment of risks and impacts, which are dynamic and may change on account of new business relationships or contextual developments.

This is going to fundamentally change and restructure third-party risk management programs. I have advocated that organizations need to move beyond scattered silos of third-party risk oversight to create an integrated third-party GRC (governance, risk management, and compliance) program. This unifies a single approach to govern risk in third-party relationships and delivers a 360° contextual awareness of risk in relationships. It also is more than risk management; it is also about the governance of these relationships to ensure they reliably achieve objectives, address uncertainty, and act with integrity in each relationship in the extended enterprise.

The writing is on the wall: as the EU GDPR changed the world’s understanding and approach to privacy, this new EU directive and Germany’s law will change how organizations manage and monitor risk in the extended enterprise. Organizations should start defining an integrated strategy for third-party GRC to address these forthcoming requirements in a unified and consistent approach.

Where Should Compliance & Ethics Report?

Having an opinion of where corporate compliance and ethics should report outside of legal is like the opening sequence to Indiana Jones: Raiders of the Lost Ark.

Indiana carefully makes his way through the jungle, while his colleagues are taken out by traps. But Indy is cautious and experienced. He gets deep into the jungle, following his map to find the caverns with the ancient artifact. He works meticulously, navigating the traps of the cavern to get the treasure. He finds the gold idol, and then chaos breaks loose.

The cavern begins collapsing, he is betrayed, traps are sprung as he runs, the huge boulder comes crashing down behind him, the local natives chase him to his plane. He barely escapes with his life.

Having an opinion that compliance and ethics should report outside of legal tends to upset some of the natives of legal. Despite caution, careful crafting of the argument, and presentation, you find that some natives of legal are upset because you have just rocked their domain.

You may have guessed, but I am an advocate that corporate compliance and ethics need to report outside of legal and have direct lines of communication to senior executives and the board.

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

A Quick Guide to ESG and Risk Management in the Extended Enterprise

Environmental, social and governance practices are under increasing regulatory scrutiny. How well is your third-party risk management program structured to assess these risks?

Today, organizations are increasingly challenged to address environmental, social and governance (ESG) practices and reporting. Stakeholders, customers and regulators want to ensure that the companies they interact with and invest in share the same values and commitments that they do. The heart of ESG is the integrity of the organization: that what the organization commits to – its obligations, whether voluntary, regulatory or contractual – is a reality throughout the organization.

What is ESG?

ESG covers a wide spectrum of a company’s conduct:

  • E = Environmental: Measures . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE PREVALENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Legal GRC in Contrast to Legal’s Role in Enterprise GRC

In today’s global business environment, a broad spectrum of economic, political, social, legal, and regulatory changes continually takes the organization to a new level of strategic and tactical complexity and creates commensurate pressures on business performance. The legal department has become essential in navigating this risk in today’s complex, dynamic, distributed, and disrupted business environment. In this context, legal plays multiple roles in the organization.

One role is as an advisor to the business to ensure the organization can reliably achieve objectives (governance) while addressing uncertainty (risk management) and act with integrity (compliance). This is GRC at an enterprise level or Enterprise GRC/eGRC. It involves multiple . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE EXTERRO BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Improving Your Organization’s Policy Management Capability

Previously we looked at Why Policies Matter and The Principles of Policy Management from the newly published Policy Management Capability Model that I developed with OCEG for PolicyManagementPro.com. This week we turn our attention to the structure of a strong policy management capability in your organization as found in the Policy Management Capability Model (which is free and open-source, but also has a training and certification program for policy management professionals and authors/subject matter experts as a Certified Policy Management Professional (CPMP)) . . .

Policy management has been one of the hottest topics in my GRC research for the past few years. When the pandemic hit and lockdowns started in March of 2019, I found my interactions increased even more. Organizations were restructuring their strategy, processes, and roles, and the move to the work-from-home environment revealed internal policy management ranging from a complete mess to a disaster. Several organizations found that they had over 20 policy portals in their environment, and policies looked different, were written in different styles, used terms inconsistently, and were out of date. Employees were scrambling to try to find policies in the work-from-home environment and were very confused.

In the environment of this past year, organizations found policy management a critical element for communicating confidence, easing employees’ frustration and concern, reinforcing a strong culture of ethics, and providing stability in the midst of uncertainty. Organizations have been working hard to address consistency in policy management, authoring, and engagement across departments and to deliver a singular portal for policies that engages employees.

I see even more attention to policies and policy management as we come out of the pandemic. Many organizations are maintaining a remote workforce and see the need to have an intuitive and engaging policy portal for employees and consistency in policy management. There is also heightened concern about rogue, unauthorized policies that open the door to legal liability and duty-of-care exposure, particularly when managers at different levels think they are a little smarter than the rest of the organization and write what they think the COVID-19 related policies should be (e.g., personal safety equipment, vaccine policy). I am seeing a lot of attention being focused on structured policy management programs that provide a singular interface and process into all official and approved policies in the organization to reduce exposure to rogue, unauthorized policies.

A structured approach to policy management is found in the Policy Management Capability Model. This is a free and open-source tool that I authored with OCEG and is available at www.PolicyManagementPro.com. It comes from years of experience advising on policy management programs and teaching my Policy Management by Design Workshop around the world. I encourage you to look at this free guidance on what an effective policy management program looks like and adapt it to your environment.

There is a related training and certification program based on the model to become a Certified Policy Management Professional (CPMP). Several organizations are sending dozens of employees (in one case a healthcare organization is looking at sending 300 employees – all policy-management-related staff as well as policy authors and subject matter experts) through this training so everyone is on board and shares the same vision of what an effective policy management program is in their organization. The goal in these organizations is to increase consistency and deliver efficiency, effectiveness, and agility in policy management and communications. It is also to define and enhance a culture of integrity in the organization.

There are also professional service firms as well as solution providers sending their staff through this training to better advise and deliver policy management strategies and solutions to their clients. This is a really exciting time for policy management!

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles with a defined capability model that provides consistent processes and engagement on policies in your organization . . .

Anatomy of the Policy Management Capability Model

COMPONENTS

The Policy Management Capability Model is organized into five Components that outline an iterative, continuous improvement process to achieve Principled Performance in policy management. While there is an implied sequence beginning with Govern, once the capability is established, the Components operate concurrently, interactively, and symbiotically.

  • G – GOVERN — Govern policy management by establishing policy governance and management teams and developing a “Policy on Policies” to guide the design and operation of the Policy Management Capability with standardized forms and processes.
  • D – DEVELOP — Establish standard methods for policy development to apply whether creating new policies, revising existing ones for broader application, making changes in response to change in the external or internal environment, or retiring out-of-date policies.
  • C – COMMUNICATE — Establish a risk-based and ongoing communication and training approach for each policy or category of policy, taking advantage of enabling services with skilled personnel and tools relevant to the design, delivery, attestation, and measurement of outcomes.
  • E – ENFORCE — Establish tasks, methods, and processes for implementation, exceptions, enforcement, and assurance of policies.
  • I – IMPROVE — Establish methods to periodically review and improve policies, retire policies, and evaluate the policy management capability’s design, effectiveness, and operation.

ELEMENTS and PRACTICES

Each Component contains Elements that outline key aspects of high-performing integrated policy management capabilities. Each Element includes Practices that outline specific management actions and controls and address documentation considerations. Elements define the core aspects of effective capabilities and can serve as the starting point for assessing the current state of your organization’s approach.  

This article is from the newly published Policy Management Capability Model and tied to the Certified Policy Management Professional (CPMP) certification @ www.PolicyManagementPro.com that GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.

https://www.policymanagementpro.com/a/46210/se3Ec7qv

Is Your Organization Lawful Good or Chaotic Evil?

Anyone that knows me knows that I love science fiction and fantasy books and movies. In the ’70s I remember being in 2nd grade and watching the cartoon of J.R.R. Tolkien’s The Hobbit. I instantly devoured the book and read all of The Lord of the Rings and The Silmarillion by the 4th grade. I was hooked. I devoured fantasy books. I remember my grandmother coming to visit and taking me to the local Waldenbooks bookstore wanting to buy me a book. I had read every one of them in the fantasy section. I remain a fan. For those of you on video conference calls with me, you can see a medieval sword hanging up behind me and my bookshelves filled with Tolkien books as well as medieval history books.

Loving fantasy books at a young age, I also started playing Dungeons and Dragons. I loved role-playing. To create a character, assign them a personality and capabilities, equip them, and then go on adventures with them to conquer evil. My young mind was continuously inventing new characters and other worlds. I loved it.

One of the things you have to do when creating a character is to give them an alignment. Your character’s alignment defines the framework of their moral, ethical, and personal attitudes. It is central to developing your character’s identity and personality type. In general, good characters are the protectors of life and evil characters destroy life. Neutral characters are in the middle. But it is more than just good versus evil; it is how you go about accomplishing good or evil. Lawful characters tell the truth and respect authority and structures, whether good or evil. Chaotic characters are more utilitarian and will break rules and go against structures to accomplish what they desire, whether good or evil. There are nine character types across this spectrum; I will adapt those below . . .

This past year, with all the focus on ESG, corporate values, ethics, integrity, human rights, and more, has caused me regularly to ponder the alignment of organizations. Is that organization a Lawful Good organization or a Chaotic Good organization? Are they neutral or evil?

Your alignment is more than something on paper; it is more than your code of conduct. Your organization’s alignment is determined by taking a close, critical look at the overall actions and behavior of the organization. In a role-playing game, I can state my character’s alignment is good, but if my actions during the game are not good then my real alignment is something else. The same is true for an organization: your alignment is determined by the overall behavior and culture of your organization. Policies, such as a code of conduct, can be fiction or can be a tool for achieving a stronger culture and reality of the integrity and values of the organization.

A lawful organization will have policies and will work to ensure those policies are followed and adhered to (whether they are good or evil). A chaotic organization may or may not have policies, but if it does, it really does not focus on enforcing them, as policies do not matter so long as its overall goals, good or evil, are achieved.

Using the nine alignments adapted from Dungeons and Dragons to a corporate profile rather than a personal one, I ask you: what is your organization’s alignment?

Is your organization . . .

  • Lawful Good. This is the crusader organization. The organization that acts within the boundaries of laws and aims to be a good corporate citizen giving back to the community and making the world a better place. This organization opposes evil and works relentlessly for good. This is an honorable and humane organization. A benevolent organization.
  • Lawful Neutral. This is the organization that acts within laws, traditions, and codes and finds order and organization critical, but does so in a way without being a zealot. This is an honorable and realistic organization.
  • Lawful Evil. This is the dominator of organizations. This organization loves order, structures of accountability, and laws but aggressively pursues its own cause within order and structure without thinking of the good of others. It is an organization acting with honor in self-interest. This is the honorable and determined organization, honor being operating within law and order.
  • Neutral Good. This is a benefactor organization. The organization generally stays within the boundaries of laws and regulations but does not feel strictly beholden to them. It works for good without bias for or against order and structures of authority. This is a practical and humane organization.
  • Neutral. This is the middle of everything, the undecided organization that will allow circumstances to bend it towards lawful or chaotic choices at different times, or good and evil choices at different times. It does not feel strongly one way or another. This is a practical and realistic organization.
  • Neutral Evil. This is the organization that does whatever it can get away with. If it means breaking a rule, law, value . . . then it will, if the reward outweighs the risk. This organization does not love conflict, so it avoids sticky situations. It is evil as it pursues its endeavors without honor and will break rules, but does so sneakily and covers things up. This is a practical and determined organization.
  • Chaotic Good. This is the rebel-with-a-cause organization. The organization is kind and benevolent but willing to break laws and order to achieve its aims. Sort of the libertarian organization that prefers to follow its own moral compass and may not agree with the society around it. This organization has a good heart and a free spirit in its actions. This is an independent and humane organization.
  • Chaotic Neutral. This is very much the free-spirited organization. This organization values its own liberty and choices and does not actively strive to work for or against the liberty of others. They do not intentionally disrupt others and are not motivated by good or evil. This is an independent and realistic organization.
  • Chaotic Evil. This is the organization that actively seeks to destroy and bring others down. It is not motivated by law or order, not at all. It is motivated purely by greed, avarice, and desire. It does not even try to pretend to work within the boundaries of society and laws. This is an independent and determined organization. This is a hedonistic organization.

Taking this back to individuals, Superman would be Lawful Good, while Darth Vader and Hitler would be Lawful Evil; the Joker and Charles Manson are examples of Chaotic Evil. Han Solo is an example of a Neutral alignment.

Organizations are complex, so it is hard to nail this down to a specific alignment. But if you had to honestly measure the culture and behavior (not just the policies but actual behavior) of your organization, what would it be? What would you like it to be or believe that it should be?

Organizations are also made up of individuals. Those individuals have their moral and ethical predispositions/alignment. What is your alignment based on your behavior? What would you like it to be? How should understanding concepts like alignment impact how we evaluate and hire employees? After all, it is the employees that make up the organization and its behavior. As an employee, what alignment of an organization do you want to be part of?

I know it is not a perfect framework, but it is an interesting exercise and discussion. While individuals can be mapped across these alignments, is there a truly 100% lawful good or 100% chaotic evil organization?