The Principles of Effective Policy Management

Last week we looked at Why Policies Matter from the newly published Policy Management Capability Model that I developed with OCEG for PolicyManagementPro.com. This week we turn our attention to the principles of policy management for those seeking training and certification as a Certified Policy Management Professional (CPMP) . . .

Policy Management is a critical enabling element of the organization’s overall GRC capability. It should be built on a solid foundation of principles. There are both universal principles and organization-specific principles established to support the policy management capability. Universal principles for policy management are:

  • Necessary – Effective policy management is necessary to enable governance, risk management, and compliance at every level of the organization. Without policy management led and supported by senior management, it is difficult to have policies that consistently define organizational goals and values, define risks that must be addressed, and provide a roadmap to adherence.
  • Tailored – The policy management capability must be designed to fit the business context, objectives, values, and strategies. There is no one-size-fits-all structure for policy management. It needs to be aligned with the risk appetite and operational model of the organization.
  • Integrated – Policy management should be integrated into business operations. While centralized oversight and design of policy management are important, without acceptance of the defined approach and assignment of policy responsibilities within the affected operations, the system will be ineffective.
  • People-Centered – At its heart, policy management is people-centered, from employees to clients and even third-party relationships. It is significantly influenced by human conduct and culture – it cannot be automated away. Subject matter experts must develop policies that support the governance, risk concerns, and compliance requirements of the organization, and the audiences for policies must understand and apply them. The ecosystem of individuals impacted by policies must be able to provide input into policies.
  • High-Performing – The capability must be designed to fit the organization and its objectives. It must be supported by resources to ensure high performance and embedding of policies into the culture of the organization. Policy management needs to be effective, resilient, efficient, and agile in the organization. 
  • Standardized – Both policies and the procedures for developing, distributing, and enforcing them should be standardized. Having a consistent approach is key to enhancing understanding and developing an audit trail for the defense of the organization.
  • Collaborative – Good policy management involves coordination and collaboration across a range of departments and roles in the organization. It is necessary to engage and collaborate on policy management as well as on individual policy authoring.
  • Accessible – Policies, and therefore policy management, need to be accessible at all levels of the organization. At any point in time, the organization should have a complete view of what the official policies are. Employees should be able to readily find policies and interact with them. 
  • Engaging – Policies need to be clearly written and understood. This requires policy management processes that conform to consistent writing style and language as well as communication strategies to engage employees.
  • Dynamic – The policy management capability must be designed for continual improvement and adjustment as the business objectives and model, operations, and risk profiles change over time.

As you are developing the capability, consider ways to make these principles evident in the design and operation of policy management.

This article is from the newly published Policy Management Capability Model and tied to the Certified Policy Management Professional (CPMP) certification @ www.PolicyManagementPro.com that GRC 20/20’s Michael Rasmussen worked on in partnership with OCEG.

https://www.policymanagementpro.com/a/46210/se3Ec7qv

Why Policies Matter

From time to time, people ask why policies matter. After all, they argue, are not the laws and regulations we have to follow enough guidance? Beyond those requirements, can’t we let managers decide how to run their operations and have case-by-case flexibility? Don’t policies create liability when they are not followed? Isn’t it just more unnecessary bureaucracy?

The answer, at its most basic, is that when an organization fails to establish strong policies, the organization quickly becomes something it never intended. Good policies define the organization’s governance posture, corporate culture, behavioral boundaries, and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies are critical to managing risk: every policy is a risk document that aims to control behavior-related risks.

The longer answer is a bit more complicated. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships. Starting with a code of conduct defining ethics and values across the organization—and filtering down into specific policies for business units, departments, and individual processes—the organization states what it will and will not accept and defines the culture of integrity and compliance it expects. Policies are part of what can be called governance documents, which also include related standards, procedures, and guidelines. Policies, in the context of this Policy Management Capability Model, can be understood collectively to encompass both the official policies themselves and the broader collection of governance documents.

Policies, done right, articulate and build the desired corporate culture and drive standards for individual and business conduct.

  • Policies articulate the governance culture: Policies address more than how to meet legal requirements; they also drive the performance objectives of the organization. Without policies, the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make decisions and may take the organization where management does not want it to go. Governance is not taking place. Can you imagine an organization that did not have policies? How could it ever reliably achieve objectives as there would be no consistency in behavior, processes, and transactions?
  • Policies articulate the risk culture: This includes the establishment of risk management responsibilities, communication, appetite, tolerance levels, and risk ownership. Policies reduce bias in decision making. Every organization takes risk — it is part of the business and sometimes helps to get the business where it wants to be. Without clearly written guidance and ownership, however, risk governance will be ineffective and risk decisions will be made by each individual based on his or her personal appetite for risk. Essentially, every policy is a risk document. There would not be a policy if there were not a risk. Further, every policy must be risk-informed; the policy exists in response to a risk or anticipated risk and needs to be understood in that context.
  • Policies articulate a culture of compliance: Policies define what is acceptable and unacceptable. This starts with legal and regulatory requirements: communicating how the organization will stay within legal boundaries given the various jurisdictions in which it operates. Policies also establish the values, ethics, commitments, and social responsibility of the organization when it comes to matters of discretion. Policies, particularly policies that are enforced, provide an organization with a defensible position against the actions of rogue employees and demonstrate how the organization meets legal, regulatory, contractual, and other requirements.

In this context, policies are critical to all three aspects of GRC – governance, risk management, and compliance. Policies, and policy management, are a foundation that enables an organization “to reliably achieve objectives [governance], while addressing uncertainty [risk management], and acting with integrity [compliance].” Policies in and of themselves do not ensure the right corporate culture, nor do they resolve all the complex issues that arise in addressing performance, risk, and compliance. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more.” Even when well-written policies are issued, the game is not over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, and the organization can end up in hot water. We know that an organization may develop a corrupt culture even with the right policies in place, but we also know that it cannot have a strong, effective culture without them.

Issuing well-crafted and appropriately targeted policies is a necessary first step in clearly defining and communicating the organization’s boundaries, practices, and expectations. Policies are the vehicles that communicate and define values, goals, and objectives so that culture does not morph out of control. This enables the organization to embed culture into the action and behavior of processes, transactions, relationships, and individuals. A strong embedded culture is driven by an effective policy management capability that provides consistency in behavior, reduces costs and inefficiencies, and supports growth and change management. This leads to higher employee engagement and achievement of objectives.

Policies must be professionally managed so that they are both effective and efficient tools to help the organization stay on the path it chooses.

The Policy Management Capability Model

After years of discussion and more than 18 months in development, I am pleased to announce the launch of my latest collaboration with OCEG: Policy Management Pro and the publication of the Policy Management Capability Model.

You should already be familiar with the GRC Capability Model, which is in use by organizations of all sizes and types worldwide. Now, we apply the same level of detail and clarity to the critical business need for effective policy management, which presents significant challenges in today’s ever-changing global operating and regulatory environments. 

Policy Management Pro brings policy standards and a professional certification in policy management to the market for the first time.

Our collaboration in this project with OCEG and the highly experienced practitioners in policy management who served on the review committee has led to a set of comprehensive practices that will benefit any organization.

The Certified Policy Management Professional designation indicates a strong understanding of the standard practices set out in the Policy Management Capability Model. Knowing your policy team or any new hires have the CPMP designation should offer peace of mind and confidence that your policy capability is in good hands. As we say on the site, we give you everything you need and nothing you don’t to build and run a strong policy management capability.

Check out what people have to say . . .

“It was a great pleasure to read this document because of how thorough and well thought out it is. It has been frustrating with no industry standard for organizations to lean on when trying to stand up a policy management program. This really will be a fantastic and extremely valuable tool in helping organizations establish this capability.”

Jeff Boyer, Governance Lead, Suncor Energy Services, Inc. and review committee member

“This document has all the essentials, in sufficient detail, for any practitioner setting up a policy management project. This is virtually a step-by-step guide. I only wish the document was available to me all those years ago when I was in my first compliance role and had to get a new business unit with 150 frontline staff audit ready in 6 months!”

Meng Barnie, Compliance Officer & MLRO, BLOM Bank and review committee member

Take a few minutes to join! View the Policy Management Pro website, download the Capability Model and check out the free sample lesson from the on-demand training program. Then take advantage of the opening discount offer and sign up today as the first step toward your standing as a Certified Policy Management Pro

Listen to the latest podcast from Tom Fox on PolicyManagementPro . . .

A CECO SWOT Analysis for 2021: Finding Your Opportunities

We are in the midst of working through a CECO SWOT Analysis to help CECOs develop their strategy in 2021 and into the future. Over the past few weeks, we looked at the STRENGTHS and WEAKNESSES of the typical CECO; this week we turn to the OPPORTUNITIES.

As you look to build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and program, and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. To achieve your strategy, it is important to look for opportunities to advance compliance and ethics within your organization.

The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future. Here are some opportunities and messages that GRC 20/20 finds strong CECOs leveraging to advance the compliance and ethics agenda in their organization:

  • Focus on integrity, in which the compliance and ethics function . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

What is Business and Operational Resiliency?

Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries (e.g., financial services). This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk. Organizations are striving for business and operational resiliency, which requires integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts it.

I am seeing a lot of interest in risk management and resiliency in my research. In this context, I come across the terms business resiliency and operational resiliency. There is a difference between business resiliency and operational resiliency. I see solution providers using these terms as synonyms, or I see some make the mistake of thinking that operational resiliency is for financial services and business resiliency is for other industries. This mistake is because of the operational resiliency regulations in the financial services industry. The reality is that all industries have operations and processes and therefore have operational resiliency concerns. All organizations have business resiliency needs as well. There is not one organization that does not have business and operational resiliency needs.

What is the difference?

Business resiliency is broad: it includes resiliency in the organization’s strategy, liquidity/cash, diversity/hedging, and operations. So operational resiliency is part of business resiliency, just as its counterpart operational risk management (ORM) is part of, but not the same as, enterprise risk management (ERM).

Here is how I differentiate the two and show that business resilience is broader than operational resiliency but also includes operational resilience.

  • Business resilience is focused on the overall resilience of the organization, which includes strategy, liquidity/cash, diversity/hedging, culture/integrity, and operational resilience.
  • Operational resilience is a component of business resilience focused on internal processes, services, people, systems, and relationships.

Let’s Dive Deeper into Operational Resilience

Operational resiliency is not business continuity 2.0. It is much more than that. Operational resiliency is an integrated effort that requires collaboration, processes, and information/technology shared between operational risk management, business continuity management, and even third-party GRC/risk management (for example, the FCA/BoE/PRA guidance on operational resiliency references third-party/vendor risk throughout the document).

As for definitions, let’s look at how the financial regulators define operational resilience, and I will give you my opinion on which is the best definition:

  • UK FCA: We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
  • EU DORA: ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
  • US OCC: Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
  • Basel Committee on Banking Supervision: The Committee defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption. In considering its operational resilience, a bank should take into account its overall risk appetite, risk capacity and risk profile.

Granted, these definitions are focused on financial services, so let’s evaluate them objectively in a context that crosses industries (strip out the financial services specific language).

My least favorite definition is the EU’s DORA (Digital Operational Resilience Act). This is because it focuses specifically and exclusively on digital operational resiliency. Operational resiliency is so much more than the depths and bowels of the IT department, technology, and information. Operational resiliency is also about people, processes, services, and third-party relationships. I also find the definition to be very reactive and not proactive.

Next in my order from least to best definition is the Basel definition. It is stuck in the idea of disruption and recovery, but it has a broader view than DORA and does include elements of risk management. It is also another definition that is more reactive than proactive.

The US Office of the Comptroller of the Currency (OCC) definition is better. I like the fact that it specifically leads with operational risk management and takes it out of a pure business continuity context. This is good, but not good enough. I find the definition still a little weak, as it is still focused on preparing for and recovering from disruption, a reactive approach.

The UK Financial Conduct Authority provides the best definition, and I love this definition. It is the shortest definition, but the only one that takes a strong risk management approach to operational resiliency. It is the only definition that mentions PREVENT, as organizations can monitor and address situations before they impact the organization (at least in some situations). The idea of PREVENT gives a strong governance focus that ties into objectives and strategy to navigate the organization through uncertainty, a concept of agility to avoid disruption. The other element I love about this definition is that it references LEARN as well, so the organization learns from events and disruption and does not repeat the same mistakes.

The United Kingdom wins again. I personally am a fan of regulations that come out of the United Kingdom (and nearly half my interactions are in the UK). The UK brought us principle/outcome-based regulations back in the FSA days (before the FCA), which then became EU better regulatory policy. The UK is leading in accountability regime regulation with the UK SMCR and now we have Australia BEAR, Ireland SEAR, Hong Kong MIC, and Singapore IA that have followed suit. The UK FCA is leading the world in digitizing the rulebook and regulations. More work is going into the UK Modern Slavery Act with greater requirements and enforcement penalties expected. Now I have digressed into other areas . . .

What are your thoughts on business and operational resiliency? How are they different? How are they related? How would you define them?

GRC 2021: ESG, Risk Management, Compliance . . . Driving GRC Maturity

Last week we looked at the overall three strategic trends in governance, risk management, and compliance (GRC) in 2021. These were integrity, resiliency, and integration. This week we turn our attention to the tactical, but very critical, trends that are driving these three strategic trends . . .

The primary directive of a GRC management capability in 2021 is to deliver effectiveness, efficiency, and agility to the business that needs to manage integrity and resiliency in the midst of uncertainty. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks and controls across the organization. Organizations need a mature GRC capability that brings together a coordinated strategy and process. 

The strategic drivers – integrity, resiliency, and integration – are supported by several tactical trends impacting organizations in 2021. These are:

  • ESG reporting. GRC strategy and focus is turning to ESG (Environmental, Social, and Governance) reporting at a board level. The ESG practices and reporting of an organization dictate the evaluation and monitoring of the organization’s environmental, social, and governance practices across the organization and its relationships. This has been a significant focus in Europe and is now gaining momentum in the USA. Bloomberg, Blackrock, the Social Accountability Standards Board (SASB), and the most recent National Association of Corporate Directors’ report show this as a growing board and corporate level concern.
  • Maturing risk management. There is growing pressure to mature risk management in organizations. This includes more focus on risk quantification, aggregation, and normalization. The range of RFPs that GRC 20/20 is monitoring and advising on sees increased focus on these criteria elements. This is also moving forward through standards and regulations, such as in the German IDW PS 340 requirements. 
  • Policy management and regulatory change. Organizations across industries – but particularly financial services, healthcare, and life sciences – are seeing ongoing changes to regulations. Combined with the focus on integrity, organizations are developing enterprise policy management strategies to provide for collaborative policy authoring, management, and engagement. This includes the back-office management, monitoring, and enforcement of policies as well as the front-office engagement and awareness of policies.
  • Compliance and ethics management. It has become clear that organizations need a federated compliance management strategy. There is no single department responsible for every aspect of compliance. Compliance functions have been scattered and operating independently of each other. There is IT/information compliance, privacy compliance, HR compliance, environmental compliance, health and safety compliance, government contracting compliance, procurement compliance, quality compliance, corporate compliance and ethics, and more. Organizations are beginning to develop collaboration and federation across these compliance and ethics functions to work together yet retain their autonomy.
  • Employee engagement and culture. 2020 has forced organizations to rethink how they engage employees in 2021. Employee engagement in a remote work from home environment drove many organizations to look for new technologies to engage and communicate risks, controls, policies, and awareness.
  • Compliance and defensibility. Organizations are driven by regulators, law enforcement, external auditors, civil suits, and more to have a clear and defensible system of record of compliance activities. Regulator and law enforcement guidance, such as the updated U.S. Department of Justice Evaluation of Compliance Program Guidelines, is specifically looking for a robust system of record of compliance activities. Defensibility is also a focus of the organization’s risk management and assurance practices.
  • Privacy. The EU’s GDPR and California’s CCPA are top of mind in many organizations in the context of increased risk exposure. In California, the CCPA is now evolving into the CPRA. The Schrems II decision in the EU has shifted strategies. There are new privacy laws coming into effect (e.g., Switzerland).
  • Information Security. Information security remains a significant focus in 2021, particularly in the wake of the SolarWinds hack reported at the end of 2020 – which impacted over 250 organizations that use SolarWinds. The work-from-home environment, which is here to stay, has many organizations rearchitecting their strategy, processes, and technology for information security.
  • Accountability Regimes. There is a sweeping array of accountability regimes/regulations that are putting personal liability on senior management functions (e.g., executives) for conduct, risk, compliance, control, and ethics issues. These individuals can be personally fined or go to jail. It started with the UK’s Senior Manager Regime/Certification Regime (SMCR) and has cascaded into Australia’s Banking Executive Accountability Regime (BEAR), Ireland’s Senior Executive Accountability Regime (SEAR), Hong Kong’s Manager in Charge (MIC), and most recently Singapore’s Individual Accountability regime. Firms that are not headquartered in these geographies but have operations there have to comply as well.
  • Third-Party GRC/Risk Management. The interconnectedness of business is driving demand for 360° contextual awareness in the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impede third-party relationships and the ability of the business to manage them. These elements of distributed, dynamic, and disrupted business are driving significant changes in third-party governance, risk management, and compliance strategies in organizations.
  • Environmental. It is a central component of ESG but also stands on its own because of the critical nature of environmental issues, risk, and regulation. Environmental change is a significant focus for organizations and corporations. The World Economic Forum in its Global Risk Report each year lists environmental risks at the top. With an incoming Biden administration in the USA, there will be a renewed focus on joining Europe in environmental regulation, and this significantly impacts USA organizations. Some regulators, such as the UK FCA in the SMCR regulation, are putting pressure on organizations to have senior management functions accountable for managing the risk of climate change to the organization.
  • Health and Safety. The pandemic of 2020 has brought health and safety front-and-center to all aspects of governance, risk management, and compliance within the organization and in the extended enterprise. There is a renewed focus on monitoring the health and safety risks in the business from both a human rights perspective (which ties into ESG) and a resiliency perspective.
  • Greater Assurance. These drivers and trends in 2021 impact the role of internal audit and assurance functions. Audit is being tasked to do more to provide assurance across these areas. Gone are the days of audit being focused purely on internal controls of financial reporting and IT controls. Today’s audit department has to provide a range of assurance activities across operational areas and third-party relationships.
  • GRC Technology. Technology is changing to address these trends. There is a greater focus on RFPs to select solutions that are agile and easy to adapt to the business environment. They also are becoming more engaging to provide contextually relevant information in modern user interfaces to engage front-office/first-line employees, as well as having the depth of analytics and modeling for back-office/second and third line GRC functions. Technology is also embracing the move to cognitive, artificial intelligence, and robotic process automation in 2021 and beyond. 

Successful GRC management in 2021 requires the organization to provide an integrated process, information, and technology architecture. This helps to identify, analyze, manage, and monitor GRC, and to capture changes in the organization’s risk profile from internal and external events as they occur. It requires the organization to take a top-down view of risk linked to objectives, led by the executives and the board. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and its impact on objectives. This enables GRC management to be a seamless part of governance and operations. While that may sound like hard work – and it is – organizations that get a good grip on their GRC initiatives in 2021 have a much better chance of thriving in today’s complex business world.

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Governance, Risk Management & Compliance (GRC):

A CECO SWOT Analysis for 2021: Identifying Your Weaknesses

We are in the midst of working through a CECO SWOT Analysis to help CECOs develop their strategy in 2021 and into the future. Last week we looked at the STRENGTHS of the typical CECO; this week we turn to WEAKNESSES.

As you look to build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and program, and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. If you are like me, you do not want to focus on weakness. But we need to identify and address our weaknesses in order to do better. Some weaknesses we can overcome ourselves; others may require outside assistance. Perhaps it means finding capabilities on your team to provide balance to your weak areas.

The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future. The typical CECO today struggles with:

  • Limited technical acumen: Most compliance roles have grown out of legal, which has often been more comfortable with . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

2021: An Integrated Focus on Business Integrity & Resiliency

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business. 

The interconnectedness of objectives, risks, resiliency, and integrity requires 360° contextual awareness of integrated governance, risk management, and compliance (GRC). Organizations in 2021 need to see the intricate relationships of objectives, risks, obligations, commitments, and controls across the enterprise. It requires holistic visibility and intelligence of risk in the context of objectives. The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organization implement an integrated GRC management strategy. 

GRC is: “a capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].” There is a natural flow to the GRC acronym:

  • Governance – reliably achieve objectives. This is the governance function of GRC: it sets, directs, and governs the reliable achievement of objectives. Objectives can be overall entity-level objectives, but also can be divisional, department, project, process, or even asset-level objectives. Governance involves directing and steering the organization to reliably achieve objectives. 
  • Risk management – address uncertainty. This is the risk management function of GRC. ISO 31000 defines risk as “the effect of uncertainty on objectives.” Good risk management is done in the context of achieving objectives, optimizing risk-taking to ensure that the organization creates value.
  • Compliance – act with integrity. This is the compliance function of GRC. It is more than regulatory compliance: it is the adherence and integrity of the organization in meeting its commitments and obligations. These commitments and obligations can come from regulations, but also can be found in ethical statements, values, codes of conduct, ESG, and contracts. 

What Have GRC Functions Learned from 2020?

2020 brought organizations lots of disruption to objectives, operations, and employees. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders. Then, racial tensions and a focus on discrimination led to reevaluating policies and conduct rules within the organization and across relationships. Followed by more wildfires in California, disrupting businesses. And the year concluded with significant political turmoil, controversies, and a security breach in a third-party context for the history books with the SolarWinds breach. Throughout all of this was a risk and economic rollercoaster.

The year 2020 was a stress test of GRC related strategies, processes, and integration. Some industries and organizations failed, while others were resilient. But there are lessons to be learned looking back on 2020 for all. These lessons showed us:

  • Interconnected risk. Organizations face an interconnected risk environment and risk cannot be managed in isolation. What started with a health and safety risk and became a global pandemic had downstream risk impacts on information security, bribery and corruption, fraud, business and operational resiliency, human rights, and other risk areas.
  • Objectives became dynamic. As the pandemic unfolded, it had a specific impact on business objectives. Adapting to the crisis, businesses had to modify their strategies, departments, processes, and project objectives. Objectives became dynamic in reaction to changes in risk exposure. These had to be monitored in the midst of uncertainty in a state of volatility with the pandemic. 
  • Disruption. Business is easily disrupted from international to local events. In 2020, organizations had to respond to disruption from the pandemic, political protests and unrest, economic uncertainty, change in business models and a work from home environment, human rights and discrimination protests, environmental disasters (particularly with wildfires), and one of the largest information security breaches in the SolarWinds hack, which impacted over 250 organizations and still is unraveling.
  • Dependency on others. No organization is an island. The year 2020 showed us that disruption and the interconnectedness of risk impact not only traditional employees and brick-and-mortar business, but also the range of third-party relationships the organization depends upon, as well as clients. 
  • Dynamic and agile business. Business had to react quickly to stay in business in 2020. This required agility in changing employees, reduced staff with more responsibilities, and shifting to work from home environments. All this introduced new risks, as well as a demand for engaging employees and maintaining a strong corporate culture in the midst of global concern. 
  • Values were defined and tested. Organizations had to react to what their core values were and how they practiced those values. From treating employees and customers fairly in the midst of a crisis, to how they address human rights such as ethnic racism in their business, operations, and third-party relationships.

2020 taught us that to reliably achieve objectives, manage uncertainty, and act with integrity requires a 360° view of governance, risk management, and compliance within the organization and across its relationships.

What Can GRC Functions Expect in 2021?

This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s GRC processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impede the ability of the business to be agile in times of uncertainty.

The elements of distributed, dynamic, and disrupted business are driving significant changes in GRC strategies in organizations in 2021. In addressing governance, risk management, and compliance, GRC 20/20 is observing three strategic trends organizations are focusing on in 2021:

  1. Integrity. Organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2021 and how this extends and is enforced across the organization. The integrity of the organization is a front-and-center concern. Organizations see the need to define and live their corporate values in the business, its transactions, with clients, and in third-party relationships. This includes a focus on human rights, privacy, environmental standards, health and safety, corruption, conflicts of interest, compliance, how risk is managed, conduct with others (e.g., customers, partners), privacy, and security. 
  2. Resiliency. Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries. This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk. Organizations are striving for business and operational resiliency that requires integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts them. 
  3. Integration. To support a federated GRC strategy in 2021 the organization will look to rearchitect its GRC technology and information architecture. This will involve moving to agile GRC solutions that can manage the range of governance, risk, and compliance needs across the organization and engage back-office risk, compliance, and assurance functions (2nd and 3rd lines), as well as front-office risk-takers and owners (1st line). Key to this integration is the ability to provide robust analytics and contextual awareness of objectives, risks, and controls to ensure that objectives are met, while uncertainty, risk, and integrity are managed across the business. 

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Governance, Risk Management & Compliance (GRC).

A CECO SWOT Analysis for 2021: Knowing Your Strengths

Distributed, dynamic, and disrupted business are driving significant changes to compliance strategies in 2021. In addressing compliance, GRC 20/20 observes that organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2021, and how they extend and are enforced across the organization. The integrity of the organization is a front-and-center concern. Organizations see the need to define and live their corporate values in the business, its transactions, with clients, and in third-party relationships. This includes a focus on human rights, privacy, environmental standards, health and safety, corruption, conflicts of interest, compliance, how risk is managed, conduct with others (e.g., customers, partners), privacy, and security.

2020 taught organizations they need an enterprise-wide compliance and ethics management strategy. The challenge is that there is no single department responsible for every aspect of compliance. Today, compliance functions are often scattered and operating independently of each other. There is IT/information compliance, privacy compliance, HR compliance, environmental compliance, health and safety compliance, government contracting compliance, procurement compliance, quality compliance, corporate compliance and ethics, and more. 2020 revealed that manual compliance processes slow down an organization when it needs agility. A federated compliance strategy that is agile requires an integrated compliance process, information, and technology architecture that enables the organization to reach greater levels of efficiency, effectiveness, and agility in the midst of chaos and change.

To maintain integrity in the midst of a changing and dynamic business requires collaboration across these departments, roles, and functions of compliance. 2020 has shown us that the CECO needs to step up and lead an organization-wide collaboration and strategy on federated compliance across these functions in 2021.

But is the CECO ready to step up and lead an enterprise-wide strategy for compliance across departments?

As you build your strategic compliance and ethics plan in 2021, it is critical to evaluate where you are now in your role, capabilities, and program, and what you need to work on to deliver the leadership and skills to achieve your goals moving forward. Let’s leverage a CECO SWOT Analysis to evaluate and measure which strengths, weaknesses, opportunities, and threats you identify with. An honest evaluation will inform your strategic plan as you prepare for the rest of 2021, and help you build a compliance and ethics program with an aim of integrity in an era of risk and change.

This week we will start with evaluating the STRENGTHS of the typical CECO. The points below are generalizations, so you may or may not identify with them. But they are good places for discussion, learning, and interaction as the CECO prepares for the future.

Today’s CECO strengths come from the CECO being:

  • An enabler & leader that strives to . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Resilient Organization: From Business Resilience down into Operational Resilience

Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, processes, employees, distributed operations, competitive velocity, technology, third parties, and business data make continuity a challenge.

The interconnectedness of risks requires 360° contextual awareness of the organization: from the very top-level strategy down into the bowels of processes and technology. It requires holistic visibility and intelligence of risk in the context of objectives to be resilient.

2020 brought organizations lots of disruption to objectives, operations, and employees. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders.

Then, racial tensions and a focus on discrimination led to reevaluating policies and conduct rules within the organization and across relationships. Followed by more wildfires in California, disrupting businesses. And the year concluded with significant political turmoil, controversies, and a security breach in a third-party context for the history books with the SolarWinds breach. Throughout all of this was a risk and economic rollercoaster.

2020 was a year of change

The world of business in 2021 is distributed, dynamic, and disrupted. It is distributed and interconnected across a web of business relationships with stakeholders, clients, and third parties. It is dynamic as business changes day-by-day: processes change, employees change, relationships change, regulations and risks change, and objectives change. 

2020 was the poster child for business and third-party disruption, and it rolls into 2021. The ecosystem of business objectives, uncertainty/risk, and integrity requires contextual awareness of operations and risk to achieve resiliency – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.

This interconnectedness of risk in the business is driving demand for 360° contextual awareness to be resilient so the organization can reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business.

A new focus on resilience

The elements of distributed, dynamic, and disrupted business are driving significant changes in operational resiliency strategies in organizations in 2021. Firms globally and across industries are . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]