2021 Trends in Third-Party Governance, Risk Management & Compliance (GRC)

Looking Forward in 2021: What Can Be Expected 

In the previous blog we reviewed the lessons learned in third-party risk management in 2020. We now look into 2021 and how organizations will address third-party governance, risk management, and compliance (GRC) . . .

The world of business in 2021 is distributed, dynamic, and disrupted. It is distributed across a web of relationships. It is dynamic as business and relationships change day-by-day. Processes change, employees change, relationships change, regulations change, risks change, and objectives change. The ecosystem of business relationships is complex, interconnected, and requires a holistic, contextual awareness of third-party GRC, rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem. 

This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impedes third-party relationships and the business’s ability to manage them. 

This challenge is even greater when third-party risk management is buried in the depths of departments and operating from silos, not as an integrated discipline of decision-making that has a symbiotic relationship on performance and strategy of relationships. 

Five Strategic Trends in Third-Party GRC in 2021 

These elements of distributed, dynamic, and disrupted business are driving significant changes in third-party governance strategies in organizations. In addressing third-party governance, risk management, and compliance, GRC 20/20 is observing five strategic trends organizations are focusing on in 2021: 

  1. Integrity. The integrity of the organization relies on the integrity of its third-party relationships. Organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2021 and how this extends and is enforced across third-party relationships. This includes a focus on human rights, privacy, environmental standards, health, safety, conduct with others (e.g., customers, partners), and security in third-party relationships. 
  2. Resiliency. The organization has to maintain operations amid uncertainty and change. This requires a holistic view of third-party relationships’ objectives and performance in the context of uncertainty and risk within those relationships. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts them. Given the reliance on third-party relationships, this requires a holistic view into the governance, risk management, and compliance of each third-party relationship and how it serves and provides value to the organization. 
  3. Governance. Third-party risk management is not enough. The organization is shifting focus in 2021 to third-party GRC management. It starts with the governance of relationships. The relationship’s objectives and sub-relationships (e.g., contracts, service levels, facilities, etc.) need to be clearly defined and governed. It is only after a clear understanding of the objectives, and the governance of those objectives, that risk and uncertainty can be managed in the context of the relationship to deliver those objectives. The organization in 2021 is going to need to develop a more assertive approach to governance of relationships to ensure greater risk, resiliency, and integrity in those relationships. 
  4. Federation. 2021 will see new third-party GRC strategies that focus on a federated approach. Instead of operating in silos of procurement, information security, privacy, compliance, ethics, quality, environmental-social-governance (ESG), and more that do not collaborate and talk to each other, the organization will develop a federated, third-party GRC strategy to manage and monitor the governance of third-party relationships, the risk (uncertainty), and compliance (integrity) within those relationships holistically. Consistency in onboarding, ongoing monitoring, auditing/inspections, incident management, assessments, and offboarding will be built across the needs of these collaborating departments. 
  5. Integration. To support a federated, third-party GRC strategy in 2021, the organization will look to re-design its third-party GRC technology and information architecture. This will involve moving to a solution that can manage the range of governance, risk, and compliance needs across third-party relationships, integrate with ERP and procurement systems, and provide robust analysis, assessment, and due diligence processes to ensure that objectives are met, while uncertainty, risk, and integrity are managed in each relationship. 

Key Supporting Drivers of Third-Party GRC in 2021 

The strategic drivers – integrity, resiliency, governance, federation, and integration – are supported by several key drivers impacting organizations in 2021. These are: 

  • Defensibility. Organizations are driven by regulators, law enforcement, external auditors, civil suits, and more to have a clear and defensible system of record of third-party risk and compliance activities. Regulator and law enforcement guidance, such as the updated U.S. Department of Justice Evaluation of Compliance Program Guidelines, are specifically looking for a robust system of record involving third-party due diligence and compliance activities. 
  • ESG Reporting. The focus is turning to ESG (Environmental, Social and Governance) reporting at a board level. This has had a significant focus in Europe, and interest is gaining momentum in the USA, particularly with the new Biden administration. The recent National Association of Corporate Directors’ report shows this as a growing board and corporate level issue. An organization’s ESG practices and reporting dictate the evaluation and monitoring of third-party relationships in this context. 
  • Environmental. It is a central component of ESG but also stands on its own. Environmental change is a significant focus for organizations and corporations. The World Economic Forum, in their Global Risk Report each year lists environmental risks at the top. With an incoming Biden administration in the USA, there will be a renewed focus on joining Europe in environmental regulations, which impacts the governance of third-party relationships from an environmental perspective. 
  • Health and Safety. The pandemic of 2020 has brought health and safety concerns front and center in all aspects of governance, risk management, and compliance, including third-party governance. There is a renewed focus on monitoring the health and safety risks in supply chains and other third-party relationships from both a human rights and a resiliency perspective. 
  • Operational Resiliency. Firms globally and across industries are focusing on operational resiliency, which involves third-party governance, business continuity, and risk management. This concept is also a particular focus of regulators in the financial services industry. The United Kingdom’s Financial Conduct Authority, Prudential Regulatory Authority, and Bank of England have been leading in operational resiliency regulation, focusing on third parties as a part of it. This has also influenced the European Union (DORA), and the United States’ Office of the Comptroller of the Currency, to release operational resiliency guidance and regulation.
  • Information Security & Privacy. The EU’s GDPR and California’s CCPA are top of mind in many organizations in the context of third-party risk. The majority of data breaches happen with third parties. According to the latest Ponemon Institute Cost of a Data Breach report, a data breach’s average cost moves from $3.92 million to $4.29 million when a third party is involved. Security has become a significant focus in third-party relationships, with the SolarWinds hack being reported at the end of 2020 – impacting over 250 organizations that use SolarWinds as a vendor/supplier. 
  • Human Rights & Slavery. There is an increasing focus on legislation and regulation involving human rights and slavery. From US Conflict Minerals, EU Conflict Minerals, to California Transparency in Supply Chains Act, we have had regulation in this area for several years. The end of 2020 brought us more significant reporting requirements to the UK Modern Slavery Act, and Australia is picking up enforcement of the Australia Slavery Act. These require reporting on what the organization is doing to address human rights and modern slavery across the organization and its third-party relationships. The focus on ethnic discrimination in 2020 has brought a renewed focus on discrimination practices and supply-chain/vendor code of conduct assessment and enforcement. 
  • Bribery & Corruption. Anti-bribery and corruption laws that impact third-party relationships have been in effect since 1977 with the US FCPA. This has picked up around the world over the decades from many other countries, such as the UK Bribery Act, Sapin-II in France, and others. Most of the bribery and corruption enforcement actions involve third-party due diligence and transaction issues. With the economic fall-out, lockdowns, restrictions in imports/exports that the pandemic brought in 2020, there is an increased risk of bribery and corruption issues as we navigate these challenges and enter recovery. Law enforcement is closely monitoring these activities with enforcement. 
  • Accountability Regimes. There is a sweeping array of accountability regimes/regulations that are putting personal liability on senior management functions (e.g., executives) for conduct, risk, compliance, control, and ethics issues. Individuals can be personally fined or go to jail. It started with the UK’s Senior Managers and Certification Regime (SMCR) and has cascaded into Australia’s Banking Executive Accountability Regime (BEAR), Ireland’s Senior Executive Accountability Regime (SEAR), Hong Kong’s Manager in Charge (MIC), and in 2020, Singapore’s new accountability regime. While broad in scope, these regulations require a senior management function to be accountable for third-party risk and control. Firms that are not headquartered in these geographies but have operations there must still comply as well.

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Third-Party GRC Management.

Michael Rasmussen of GRC 20/20 will be speaking on these trends in the upcoming webinar:
2021 Trends in Third-Party Governance, Risk Management, Compliance (GRC)

Third-Party GRC: Looking Back on 2020, What Was Learned?

“Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.” 

Martin Luther King, Jr. 

This statement by Dr. King is true in our conduct, and it is true in an organization’s conduct and its relationships. 

The structure and reality of business today has changed. It is not the same as it was a few decades back. Brick-and-mortar walls do not define today’s business, nor is it defined by traditional employees. The modern organization is comprised of an interrelated structure of business relationships. Roaming the hallways of an organization – when there is no pandemic lockdown forcing individuals to work from home – means crossing paths with contractors, consultants, temporary workers, and more. Today’s organization is an interconnected and interdependent web of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, etc. Business today relies and thrives on third-party relationships; this is the extended enterprise. 

The business’s ability to reliably achieve corporate objectives directly depends on the governance of third-party relationships and whether the organization can reliably achieve objectives in each relationship. The organization’s ability to manage uncertainty, risk, and resiliency requires that risk be managed in third-party relationships. The integrity and ability of the organization to comply with regulations, commitments, and values are measured in the integrity of its relationships as well. 

The saying, “Show me who your friends are, and I will tell you who you are” translates to business: show me who your third-party relationships are, and I will tell you who you are as an organization. The modern business depends on, and is defined by, the governance, risk management, and compliance of third-party relationships to ensure the organization can reliably achieve objectives, manage uncertainty, and act with integrity in each of its third-party relationships. 

The governance, risk management, and compliance of third-party relationships (third-party GRC) is in a state of growing maturity and evolution. The year 2020 has brought many third-party management lessons through the trials and tribulations worldwide, and as a result, 2021 is aiming for greater resiliency and integrity in third-party GRC. 

Looking Back on 2020: What Was Learned 

We cannot understand the 2021 trends in third-party GRC without understanding what transpired in 2020. The last year has taught organizations many lessons in third-party management which provides the foundation for the 2021 trends. 

2020 brought organizations disruption that impacted operations and third-party relationships. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders. Then, racial tensions and a focus on discrimination led to re-evaluating conduct rules within the organization and across relationships – followed by more wildfires in California, disrupting businesses. And the year concluded with significant political turmoil, controversies, and a major security breach in a third-party context for the history books with the SolarWinds breach. 

A risk event has a domino impact on the organization and its relationships. What starts with one domino of risk has a cascading effect on other risks. Consider the 2020 global crisis and pandemic of COVID-19. It began as a health and safety risk coming out of Asia. It then had a cascading influence that caused other risks to materialize and ultimately changed the impact on organizations and their third parties. Third-party risk cannot be managed in isolation but must be understood in the complex web of interconnections of risk and objectives that play out from it. What originated as a health risk in a community in Asia now has a global impact that goes far beyond just an illness. 

Consider the following: 

  • Risk to objectives. As the pandemic unfolded, it had a specific impact on business objectives that further impacted third-party relationships’ objectives. Adapting to the crisis, businesses had to modify corporate objectives and, as a result, objectives in each relationship. Third-party relationship objectives had been modified and risk exposure had to be monitored in the uncertainty of meeting objectives in an environment of volatility with the pandemic. This plays out from the economic and business impacts of the virus. 
  • Risk of operational resilience and continuity. Organizations have increased exposure to their operations and delivery of business processes across third parties. Business continuity in many organizations had a sole focus on IT security and disaster recovery and they were not prepared for a pandemic of this nature. They were ready for a computer virus, but not a global, biological virus. As employees were cut, processes were changed, relationships with third parties modified, and a focus on work from home put in place . . . the organization scrambled and faced growing uncertainty and exposure. 
  • Risk of information security. With the focus on supporting a broad work from home strategy for both employees and third parties, the organization faced increased exposure to IT security issues. Home office environments are often not secure. With the Internet of Things (IoT), the light switch, blender, or TV in the third-party employee’s home could be a source of exposure to company data and connections. Further, hackers and organized crime have taken the crisis as an opportunity to infiltrate organizations and steal data. The year ended with the SolarWinds breach in a third-party context. 
  • Risk in third-party relationships. Half of the organization is typically not traditional employees but third parties. There were significant issues where service providers and outsourcers have entirely shut down because of lockdowns and were unable to support organizations and deliver services, including constrained supply chains and the inability to deliver goods. Outsourced data centers went dark and a skeleton crew of staff was left to maintain them, often remotely. 
  • Risk of integrity, culture, and control. With rapidly changing processes to address the pandemic, the organization lacked controls to monitor third-party relationship changes. With reduced staff, employees were wearing multiple hats with greater exposure to segregation of duty conflicts. Individuals, either employees or third-party, were concerned about the economy and their well-being and security. Working from home offices and not in a corporate building contributed to a culture of insecurity for many. 
  • Risk of fraud. In uncertain economic times and the unfolding of a recession, employees and third parties working on internal business systems and processes were under more stress to make ends meet. They might never think of stealing/ committing fraud during normal times but may choose the wrong path when faced with economic stress and uncertainty. 
  • Risk of bribery and corruption. Constrained supply chains and pressure to meet objectives increased the risk of bribery and corruption. With customs, imports, and exports coming to a crawl in some countries, and borders shut down, there was greater corruption risk. There was heightened exposure that someone may pay a third party or foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done. 
  • Risk of modern slavery and human rights. There was great human rights unrest worldwide, which was an issue prior to the pandemic and has only been exacerbated further because of it. But it goes beyond civil rights and the treatment of ethnic groups; it also extends into our facilities and supply chains. The pandemic hit certain areas of the world hard. Factories have lost employees to illness and death. As a result, there has been increased staffing with child or forced labor alongside poor and unwanted working conditions. 
  • Risk of harassment and discrimination. Unrest abounding, combined with work from home policies for employees and third parties, contributed to growing discrimination and harassment happening because of the virus and a focus of anger on ethnic groups. People working from home and not in normal office conditions do not understand that the same corporate rules and policies apply. Communications such as email, text, and video calls have become more relaxed and individuals crossed boundaries of harassment and discrimination in statements made in these remote home offices. 

The organization’s continuity and resiliency required close monitoring of third-party relationships to maintain goods, services, and transactions during the pandemic. Enterprise risks do not stop at business boundaries but extend across third-party relationships. Risks themselves are also interconnected. What starts with a health and safety risk for the business and third-party relationships cascaded like dominos into resiliency/continuity risks, fraud risk, IT security risk, bribery/corruption risk, modern slavery/human rights risks, geopolitical risks, and more. 

2020 was the poster child for business and third-party disruption. It taught organizations that to reliably achieve objectives, manage uncertainty, and act with integrity requires a 360° view of third-party relationships as they serve the organization. This requires an enterprise view of third parties to monitor the interconnections and impact of uncertainty on objectives. 

The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Third-Party GRC Management.

Architecting a New Paradigm in Legal Governance

Exponential growth and change in business strategy, risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Gone are the years of simplicity in business operations.

Managing the complexity of business from a legal and privacy perspective, governing information that is pervasive throughout the organization, and keeping continuous business and legal change in sync is a significant challenge for boards, executives, as well as the legal professionals in the legal department. Organizations need an integrated strategy, process, information, and technology architecture to govern legal, meet legal commitments, and manage legal uncertainty and risk in a way that is efficient, effective, and agile and extends into the broader enterprise GRC architecture.

In my previous blog, Operationalizing GRC in Context of Legal & Privacy: The Last Mile of GRC, I began this discussion, and here I aim to expound on it further from a legal context.

Legal today is more than legal matters, actions, and contracts. Today’s legal organization has to respond to incident/breach reporting and notification laws in a timely and compliant manner, respond to Data Subject Access Requests (DSAR), harmonize and monitor retentions obligations, conduct eDiscovery, manage legal holds on data, and continuously monitor regulations and legislation and apply them to a business context . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Role of Legal & Legal Processes is Changing

The role of legal is growing in significance as it guides the enterprise beyond putting out the fires of legal matters. It is expanding into a proactive role in legal governance, risk management, and compliance – with a focus on preventative law and becoming a critical pillar in an organization’s broader enterprise/integrated governance, risk management, and compliance (GRC) strategy. This requires that legal be an integrated role in the organization’s proactive enterprise GRC capabilities as well as deliver on governance, risk management, and compliance in the context of legal itself, what is called Legal GRC. 

Today’s legal department must have a full understanding of the regulatory, litigation, contractual, transactional, privacy, and intellectual property risks, as well as how they all relate to each other and fit into broader business operational, transactional, and GRC processes. The role of legal must be able to rely on a well-constructed understanding of how legal risks fit into enterprise risk frameworks. The general counsel has a critical role beyond the traditional stance as “protector” of the organization and its assets (via contract negotiation, litigation, and interpretation of legal requirements) and now is an active part of the strategic planning that leads to achieving higher performance and governance of the organization. 

Legal has the opportunity to serve as the hub for collaboration about how best to balance legal risks and opportunities presented by the organization’s decisions and actions. Today’s legal function must lead the organization to higher levels of performance while assuring the board and other stakeholders that the company can also maintain integrity, mitigate risk of legal exposure, and operate within legal and ethical boundaries. This means the organization will take full advantage of opportunities that will help meet its objectives, while staying within the boundaries of laws, regulations, contracts, and corporate commitments. 

As a key player at the center of the GRC strategic team of the enterprise, the role of legal must address wide-ranging stakeholder demands and concerns to:

  • Identify key risk indicators for Legal GRC changes as they occur – which legal is aware of early due to its role in contracts or negotiations, such as merger and acquisition activity, litigation and settlements, licensing arrangements, vendor/partner contracts, and new/changing legislation and regulation.
  • Define legal and/or contractual required controls to mitigate legal risk exposure in transactions and relationships and support business strategy and objectives.
  • Lead the identification of legal requirements and interpreting the need for controls to address them.
  • Monitor contractually and regulatorily imposed requirements to ensure controls are correct in the context of the dynamic business environment.
  • Participate in the design of the Legal GRC program regarding confidentiality, access limitations, and information governance.
  • Assess potential impacts of noncompliance to determine correct level of control and allocation of legal and organization resources.
  • Design escalation plans for issues and incidents — when should legal be involved right away, when does privilege have to attach, when does the board or external stakeholder have to be informed, and when does legal conduct certain investigations.
  • Determine actions that may have a cumulative effect; for example, settling an environmental noncompliance matter may cause government contracting debarment if not handled properly.
  • Understand new business opportunities and enable safe and responsible business growth by avoiding unnecessary legal exposure.
  • Articulate to the board why a clear and integrated view of legal governance is critical to the organization’s culture, performance, as well as their fiduciary responsibilities.
  • Manage the legal department in an optimized way that delivers effective, efficient, agile, and responsive service to the rest of the organization.
  • Demonstrate how centralized oversight and supporting technologies for Legal GRC process management drives predictable behavior and performance results.
  • Communicate the benefits of including legal risk management within business performance management and change initiatives.
  • Influence other key functional executives to support legal’s role in the GRC strategy alongside the organization’s achievement of business objectives.
  • Collaborate with key C-suite executives in developing Legal GRC processes that allow for measurable evaluation of legal effectiveness and efficiency.
  • Assist the CEO in evaluating opportunities and preventing adverse legal ramifications and risks from materializing.
  • Equip management to appreciate how an integrated Legal GRC model can improve processes while reducing or eliminating redundant efforts and be leveraged across other functions.
  • Incorporate legal GRC management and assurance across extended business relationships (e.g., supply chain, vendors, and contractors).

Across all of these points, the role of legal must embrace a strategic view that satisfies the demands of all these forces while keeping an eye on the prize — meeting the organizational objectives for value. 

This is driving forward-thinking organizations to define and establish an expanded role for Legal GRC that goes beyond the traditional role of managing litigation, negotiating legal agreements, and protecting intellectual property. Legal is becoming a high-impact GRC advisor that addresses: 

  • Key stakeholders (investors, regulators, NGOs, local communities, etc.) demand transparency. 
  • Board and C-suite need for clear, reliable, and measurable information about legal risk that will impact strategic decisions and future outcomes. 
  • Board needs objective, independent assurance that the legal program is functioning effectively and efficiently as designed.
  • Compliance, ethics, privacy, and security in legal’s role of applying regulations and legislation to the specific business context and meeting reporting, access, disposition, and notification requirements.
  • Line of business need for matter management, issue identification, investigations, policy management, document and information management, reporting and filing, and legal risk assessments that do not disrupt operations, and are consistent to promote desired behaviors and transactions. 
  • An overarching need for improved efficiencies and reduced legal risk throughout the extended enterprise.
  • Growing the business in a safe, responsible manner that keeps it within established legal boundaries of conduct.

The above blog is an excerpt from GRC 20/20’s latest research paper, Legal GRC Management by Design.

Lessons Learned in Compliance Management in 2020

What have we learned from 2020? I think all of us have learned quite a bit in both our personal and professional lives. 2020 has stretched us as individuals and as organizations in various and unexpected ways.

There certainly was a lot of tension, reaction, loss, trials, and tribulation. But there are also positive aspects of agility, adaptation, innovation, and collaboration. It has been a year of health and safety, environmental, information security, conduct, and leadership disasters, but also a year of metamorphosis. As we look to 2021, we all hope for a phoenix rising out of the ashes to take on new heights of ingenuity and advancement.

2020 had its share of business challenges. The year started with the devastation of the Australian wildfires (and later California’s), then entered COVID-19 and worldwide lockdowns and economic and health and safety crises. Not to be outdone, we had major scandals, regulatory change, business change, and misbehavior. We now conclude the year with a major information security breach devastating government and major organizations in the SolarWinds incident.

From a compliance and ethics angle, what can we learn from 2020 and adjust to build a more resilient organization of integrity going forward?

The Compliance Management lessons learned in 2020 are:

  • Business and operational integrity . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC 20/20’s 2020 Research Year in Review

2020 was certainly a year for the history books. While it has been a roller coaster that moves on into 2021 now, it certainly had a lot of impact on governance, risk management, and compliance (GRC) strategies, processes, and technology. The keywords for 2021 are integrity and resiliency. Organizations are seeking to increase organizational integrity so that they live up to their ethics, values, commitments, and obligations in the midst of uncertainty. They are also looking to increase business and operational resiliency. I see both the terms business and operational resiliency used a lot; they are different but related. Business resiliency is the resiliency of the organization’s strategy, finance/treasury position, and operations. Operational resiliency is that last piece in business resiliency: operations. Operational resiliency is looking at the risk and resiliency of the organization’s processes, functions, systems, and third-party relationships.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2020 organized by topic area. However, it is critical that I refer to three research articles from the last few months of 2019 as they have been referred back to over and over again as foresight from GRC 20/20 into what the year 2020 brought us. These are:

Now let's look at GRC 20/20's 2020 Research Year in Review. As always, you can ask GRC 20/20 Research questions, through the inquiry process, about governance, risk management, and compliance strategies and processes, as well as the solutions available in the market that we cover in our objective market research.

Enterprise GRC and the Broad GRC Market

This starts with GRC 20/20's flagship annual research briefing, which defines, segments, sizes, and forecasts the broad GRC market and its individual segments:

Other Enterprise GRC research publications that GRC 20/20 led in 2020 are:

Corporate Compliance & Ethics Management

Enterprise & Operational Risk Management

Policy Management

Third-Party (e.g, Vendor/Supplier) Management

Corporate Legal Management

Privacy Management

Internal Control Management

IT Risk Management

Why Spreadsheets, Documents & Emails Fail for GRC

At times I can sound like a broken record – repeating myself over, and over, and over, and over again, and again, and again.  One of my prominent soapboxes over the past two decades has been the failure of spreadsheets, documents, and emails to assess, audit, manage, and monitor governance, risk management, and compliance (GRC) processes.

Yes, I acknowledge that Microsoft is the largest GRC software vendor on the planet with Word, Excel, Outlook/Exchange, and SharePoint. However, these tools, and their counterparts from Google and others, make for ineffective, inefficient, and non-agile GRC processes, and they have serious integrity issues that violate principles of GRC. They are very useful tools; I use them every day in my business. But for managing GRC information they, by themselves, do not meet the bar.

In fact, after two decades of screaming and preaching from my GRC soapbox, I hear that regulators are cracking down. I am still in the process of substantiating this, but I have heard from a few sources that U.S. financial services regulators are now stating that using documents and spreadsheets by themselves, without additional tools to enhance them, for audits and risk/compliance assessments is not acceptable.

The reasons documents, spreadsheets, and emails fail for GRC are as follows . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE TRUOPS BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Operationalizing GRC in Context of Legal & Privacy: the Last Mile of GRC

At its core, GRC is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. GRC is something organizations do, not something they purchase. They govern, they manage risk, and they comply with obligations. However, there is technology to enable GRC related processes, such as legal and privacy, to be more efficient, effective, and agile.

However, too often the focus of GRC technology is limited to the process management of forms, workflow, tasks, and reporting. These are critical and important elements, but the role of technology for GRC is much broader: to operationalize GRC activities that are labor intensive, particularly in the context of legal and privacy. Simply managing forms, workflow, and tasks is no longer enough. Organizations need to start thinking about how they can integrate eDiscovery and data/information governance solutions within their core GRC architecture.

What is needed is the ability to search, find, monitor, interact with, and control data throughout the business environment. GRC platforms are excellent at managing forms, workflow, tasks, analytics, and reporting. But behind the scenes there are still labor-intensive tasks or disconnected solutions that actually find, control, and assess the disposition of sensitive data in the enterprise. eDiscovery and information governance solutions have been disconnected and not strategically leveraged for GRC purposes. Together, a core GRC platform integrated with eDiscovery and information governance technologies builds exponential economies in . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Disclosure Management: Comparing Compliance Solutions

Compliance disclosures are a critical element of an organization's compliance and ethics management program. The organization requires structured approaches to managing disclosures such as conflicts of interest, and a way to address compliance-related forms and processing for gifts, entertainment, and travel, or facilitation payments. This requires the ability to intake information, route it for review and approval or denial, document exceptions, and provide a strong, defensible system of record for the entire process.

The traditional approach to disclosure management has been manual: print or electronic forms that thread compliance disclosures, such as conflicts of interest, through time-consuming manual processes where things often get missed, slip through the cracks, or go wrong. Manual processes and older software treat disclosures as static entities, making it difficult, if not impossible, for employees to access or update previously filed disclosures. The result is static disclosures that are filed and forgotten, rather than living documents that contain accurate, up-to-date insight into relationships and their potential impact on the business.

The next phase of disclosure management

There is a growing demand for compliance disclosure management solutions that can be more dynamically managed to address Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas of compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

A Business Case for Integrated Third-Party GRC Across the Extended Enterprise

One of the greatest challenges to organizations today is managing the extended enterprise: the web of third-party relationships that support the business and its operations. The integrity of the organization is no longer defined by traditional brick-and-mortar walls and employees. The integrity of the organization requires continuous monitoring and control of the governance, risk management, and compliance of third-party relationships.

I argue that we should stop calling this area vendor risk management, or third-party risk management. What is needed is third-party GRC that is integrated across the business. I define third-party GRC (modifying the OCEG GRC definition) as:

Third-Party GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in each of the organization’s third-party relationships across the extended enterprise.

There are two primary items missing from traditional vendor and third-party risk management:

  1. Governance. Third-party governance involves ensuring that the organization reliably achieves the objectives of each relationship. You cannot manage risk in a relationship without clearly understanding and defining the objectives of the relationship. In fact, ISO 31000 defines risk as the effect of uncertainty on objectives. Every relationship is established for a purpose. The most fundamental element of managing risk in a relationship is whether we are achieving those objectives and measuring the uncertainty of achieving them. You cannot do third-party risk management without starting with governance first.
  2. Integration. Too many vendor and third-party risk management programs are focused on silos of risk. IT security looks at security in third parties; privacy looks at similar things related to personal information; compliance looks at conflicts of interest and anti-bribery and corruption; procurement looks at the reliability and viability of suppliers and vendors; legal may be looking at intellectual property protection and contracts; ESG/CSR looks at human rights and ethical sourcing, or perhaps conflict minerals; quality looks at the delivery of goods and services to requirements; EH&S looks at traceability of components and environmental impacts; business continuity looks at resiliency in third-party relationships. Everyone has their view, but no one has a complete view of objectives, risk, and integrity in and across these relationships. For the most part, too many vendor and third-party risk management programs are exclusively fixated on IT security and privacy and not the range of other risks in these relationships.

What is needed is a federated strategy that brings 360° contextual insight into each relationship. We need to see the big picture of achieving objectives in the relationship while addressing risk and compliance. This involves a cross-department strategy to holistically address third-party GRC: a strategy that provides a framework, process, and information/technology architecture that allows greater insight into third-party GRC across procurement, IT security, privacy, legal, compliance, ethics, ethical sourcing, resiliency and continuity, and more, so that the organization can get a complete report card on the performance, risk, and integrity of each of its relationships and ensure it is doing business with the right entities and achieving the objectives of the relationship.

Just as organizations have implemented client relationship management (CRM) systems, we need a similar collaborative approach to managing the other side of the organization, the extended enterprise. Where CRM systems allow marketing, sales, and service and support to get a 360° view of clients and their interactions and transactions with the organization, the same is needed in third-party management to get a complete view of third parties.

How do you get there? Here are some simple steps:

  1. Understand your current state. Inquire and find all the departments, functions, and roles that have a stake in some element of third-party GRC in the organization. Find out how they are approaching it, what is working well, and what is not.
  2. Define your future state. This involves developing a charter for third-party GRC to get distributed groups to work together and from there define a strategy, process, and architecture for where you want to be in three years.
  3. Build a business case. Measure the value the organization will achieve for an integrated and collaborative view across third-party GRC. Define how this will make the organization more efficient (e.g., time saved, money saved), more effective (e.g., complete view of delivery/objectives, continuous monitoring of risk, stronger relationships), and more agile (e.g., keeping up with change, being responsive to and containing issues).
  4. Start your journey. Take things in stages, break down the project plan, and start delivering on this vision.

I am happy to share resources and information on this. I teach a full-day workshop on Third-Party GRC by Design and have written and advised extensively on this journey.