Architecting a New Paradigm in Legal Governance

Exponential growth and change in business strategy, risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Gone are the years of simplicity in business operations.

Managing the complexity of business from a legal and privacy perspective, governing information that is pervasive throughout the organization, and keeping continuous business and legal change in sync is a significant challenge for boards, executives, as well as the legal professionals in the legal department. Organizations need an integrated strategy, process, information, and technology architecture to govern legal, meet legal commitments, and manage legal uncertainty and risk in a way that is efficient, effective, and agile and extends into the broader enterprise GRC architecture.

In my previous blog, Operationalizing GRC in Context of Legal & Privacy: The Last Mile of GRC, I began this discussion, and here I aim to expound on it further from a legal context.

Legal today is more than legal matters, actions, and contracts. Today’s legal organization has to respond to incident/breach reporting and notification laws in a timely and compliant manner, respond to Data Subject Access Requests (DSAR), harmonize and monitor retention obligations, conduct eDiscovery, manage legal holds on data, and continuously monitor regulations and legislation and apply them to a business context . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Role of Legal & Legal Processes is Changing

The role of legal is growing in significance as it guides the enterprise beyond putting out the fires of legal matters. It is expanding into a proactive role in legal governance, risk management, and compliance – with a focus on preventative law and becoming a critical pillar in an organization’s broader enterprise/integrated governance, risk management, and compliance (GRC) strategy. This requires that legal be an integrated role in the organization’s proactive enterprise GRC capabilities as well as deliver on governance, risk management, and compliance in the context of legal itself, what is called Legal GRC. 

Today’s legal department must have a full understanding of the regulatory, litigation, contractual, transactional, privacy, and intellectual property risks, as well as how they all relate to each other and fit into broader business operational, transactional, and GRC processes. The role of legal must be able to rely on a well-constructed understanding of how legal risks fit into enterprise risk frameworks. The general counsel has a critical role beyond the traditional stance as “protector” of the organization and its assets (via contract negotiation, litigation, and interpretation of legal requirements) and now is an active part of the strategic planning that leads to achieving higher performance and governance of the organization. 

Legal has the opportunity to serve as the hub for collaboration about how best to balance legal risks and opportunities presented by the organization’s decisions and actions. Today’s legal function must lead the organization to higher levels of performance while assuring the board and other stakeholders that the company can also maintain integrity, mitigate risk of legal exposure, and operate within legal and ethical boundaries. This means the organization will take full advantage of opportunities that will help meet its objectives, while staying within the boundaries of laws, regulations, contracts, and corporate commitments. 

As a key player at the center of the GRC strategic team of the enterprise, the role of legal must address wide-ranging stakeholder demands and concerns to:

  • Identify key risk indicators for Legal GRC changes as they occur – which legal is aware of early due to its role in contracts or negotiations, such as merger and acquisition activity, litigation and settlements, licensing arrangements, vendor/partner contracts, and new/changing legislation and regulation.
  • Define legal and/or contractual required controls to mitigate legal risk exposure in transactions and relationships and support business strategy and objectives.
  • Lead the identification of legal requirements and interpret the need for controls to address them.
  • Monitor requirements imposed by contract and regulation to ensure controls remain correct in the context of the dynamic business environment.
  • Participate in the design of the Legal GRC program regarding confidentiality, access limitations, and information governance.
  • Assess potential impacts of noncompliance to determine correct level of control and allocation of legal and organization resources.
  • Design escalation plans for issues and incidents — when should legal be involved right away, when does privilege have to attach, when does the board or external stakeholder have to be informed, and when does legal conduct certain investigations.
  • Determine actions that may have a cumulative effect; for example, settling an environmental noncompliance matter may cause government contracting debarment if not handled properly.
  • Understand new business opportunities and enable safe and responsible business growth by avoiding unnecessary legal exposure.
  • Articulate to the board why a clear and integrated view of legal governance is critical to the organization’s culture and performance, as well as to the board’s fiduciary responsibilities.
  • Manage the legal department in an optimized way that delivers effective, efficient, agile, and responsive service to the rest of the organization.
  • Demonstrate how centralized oversight and supporting technologies for Legal GRC process management drive predictable behavior and performance results.
  • Communicate the benefits of including legal risk management within business performance management and change initiatives.
  • Influence other key functional executives to support legal’s role in the GRC strategy alongside the organization’s achievement of business objectives.
  • Collaborate with key C-suite executives in developing Legal GRC processes that allow for measurable evaluation of legal effectiveness and efficiency.
  • Assist the CEO in evaluating opportunities and preventing adverse legal ramifications and risks from materializing.
  • Equip management to appreciate how an integrated Legal GRC model can improve processes while reducing or eliminating redundant efforts and be leveraged across other functions.
  • Incorporate legal GRC management and assurance across extended business relationships (e.g., supply chain, vendors, and contractors).

Across all of these points, the role of legal must embrace a strategic view that satisfies the demands of all these forces while keeping an eye on the prize — meeting the organizational objectives for value. 

This is driving forward-thinking organizations to define and establish an expanded role for Legal GRC that goes beyond the traditional role of managing litigation, negotiating legal agreements, and protecting intellectual property. Legal is becoming a high-impact GRC advisor that addresses: 

  • Key stakeholder (investors, regulators, NGOs, local communities, etc.) demands for transparency.
  • Board and C-suite need for clear, reliable, and measurable information about legal risk that will impact strategic decisions and future outcomes.
  • Board need for objective, independent assurance that the legal program is functioning effectively and efficiently as designed.
  • Compliance, ethics, privacy, and security in legal’s role of applying regulations and legislation to the specific business context and meeting reporting, access, disposition, and notification requirements.
  • Line of business need for matter management, issue identification, investigations, policy management, document and information management, reporting and filing, and legal risk assessments that do not disrupt operations and are consistent enough to promote desired behaviors and transactions.
  • An overarching need for improved efficiencies and reduced legal risk throughout the extended enterprise.
  • The need to grow the business in a safe, responsible manner that keeps it within established legal boundaries of conduct.

The above blog is an excerpt from GRC 20/20’s latest research paper, Legal GRC Management by Design.

Lessons Learned in Compliance Management in 2020

What have we learned from 2020? I think all of us have learned quite a bit in both our personal and professional lives. 2020 has stretched us as individuals and as organizations in various and unexpected ways.

There certainly was a lot of tension, reaction, loss, trials, and tribulation. But there are also positive aspects of agility, adaptation, innovation, and collaboration. It has been a year of health and safety, environmental, information security, conduct, and leadership disasters, but also a year of metamorphosis. As we look to 2021, we all hope for a phoenix rising out of the ashes to take on new heights of ingenuity and advancement.

2020 had its share of business challenges. The year started with the devastation of the Australian wildfires (and later California’s), then came COVID-19 with worldwide lockdowns and an economic and health and safety crisis. Not to be outdone, we had major scandals, regulatory change, business change, and misbehavior. We now conclude the year with a major information security breach devastating government and major organizations in the SolarWinds incident.

From a compliance and ethics angle, what can we learn from 2020 and adjust to build a more resilient organization of integrity going forward?

The Compliance Management lessons learned in 2020 are:

  • Business and operational integrity . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC 20/20’s 2020 Research Year in Review

2020 was certainly a year for the history books. While it has been a roller coaster that now moves on into 2021, it certainly had a lot of impact on governance, risk management, and compliance (GRC) strategies, processes, and technology. The keywords for 2021 are integrity and resiliency. Organizations are seeking to increase organizational integrity so that they live up to their ethics, values, commitments, and obligations in the midst of uncertainty. They are also looking to increase business and operational resiliency. I see both terms, business resiliency and operational resiliency, used a lot; they are different but related. Business resiliency is the resiliency of the organization’s strategy, finance/treasury position, and operations. Operational resiliency is that last piece of business resiliency: operations. Operational resiliency looks at the risk and resiliency of the organization’s processes, functions, systems, and third-party relationships.

Below is a summary of the research blogs and papers that GRC 20/20 has published throughout 2020 organized by topic area. However, it is critical that I refer to three research articles from the last few months of 2019 as they have been referred back to over and over again as foresight from GRC 20/20 into what the year 2020 brought us. These are:

Now let’s look at GRC 20/20’s 2020 Research Year in Review. As always, you can ask GRC 20/20 Research questions in the context of governance, risk management, and compliance strategies and processes, as well as solutions available in the market we cover in our objective market research through the inquiry process.

Enterprise GRC and the Broad GRC Market

This starts with GRC 20/20’s flagship annual research briefing that defines, segments, sizes, and forecasts the broad GRC market and its various individual segments:

Other Enterprise GRC research publications that GRC 20/20 led in 2020 are:

Corporate Compliance & Ethics Management

Enterprise & Operational Risk Management

Policy Management

Third-Party (e.g., Vendor/Supplier) Management

Corporate Legal Management

Privacy Management

Internal Control Management

IT Risk Management

Why Spreadsheets, Documents & Emails Fail for GRC

At times I can sound like a broken record – repeating myself over, and over, and over, and over again, and again, and again. One of my prominent soapboxes over the past two decades has been the failure of spreadsheets, documents, and emails to assess, audit, manage, and monitor governance, risk management, and compliance (GRC) processes.

Yes, I acknowledge that Microsoft is the largest GRC software vendor on the planet with Word, Excel, Outlook/Exchange, and SharePoint. However, these tools, and their counterparts from Google and others, make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate principles of GRC. They are very useful tools. I use them every day in my business, but for managing GRC information they – by themselves – are not up to par.

In fact, after two decades of screaming and preaching from my GRC soapbox, I hear that the regulators are cracking down. I am in the process of substantiating this, but I have heard from a few sources that the U.S. financial services regulators are now stating that using documents and spreadsheets for audits and risk/compliance assessments (by themselves, without additional tools to enhance them) is not acceptable.

The reasons documents, spreadsheets, and emails fail for GRC are as follows . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE TRUOPS BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Operationalizing GRC in Context of Legal & Privacy: the Last Mile of GRC

At its core, GRC is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. GRC is something organizations do, not something they purchase. They govern, they manage risk, and they comply with obligations. However, there is technology to enable GRC-related processes, such as legal and privacy, to be more efficient, effective, and agile.

However, too often the focus on GRC technology is limited to the process management of forms, workflow, tasks, and reporting. These are critical and important elements, but the role of technology for GRC is much broader: to operationalize GRC activities that are labor intensive, particularly in the context of legal and privacy. Simply managing forms, workflow, and tasks is no longer enough. Organizations need to start thinking about how they can integrate eDiscovery and data/information governance solutions within their core GRC architecture.

What is needed is the ability to search, find, monitor, interact, and control data throughout the business environment. GRC platforms are excellent at managing forms, workflow, tasks, analytics, and reporting. But behind the scenes there are still labor-intensive tasks or disconnected solutions that actually find, control, and assess the disposition of sensitive data in the enterprise. eDiscovery and information governance solutions have been disconnected and not strategically leveraged for GRC purposes. Together, the core GRC platform that integrates with eDiscovery and information governance technologies builds exponential economies in . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE X1 BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Disclosure Management: Comparing Compliance Solutions

Compliance disclosures are a critical element of an organization’s compliance and ethics management program. The organization requires structured approaches to managing disclosures such as conflicts of interest, and a way to address compliance-related forms and processing for gifts, entertainment, and travel or facilitated payments. This requires the ability to intake information, route it for review and approval or denial, document exceptions, and provide a strong, defensible system of record of the entire process.

The traditional approach to disclosure management has been manual processes involving print or electronic forms that thread compliance disclosures, like conflicts of interest, through time-consuming manual processes where things often get missed, slip through cracks, or mistakes are made. Manual processes or older software treat disclosures as static entities, making it difficult, if not impossible, for employees to access or update previously filed disclosures. This results in static disclosures that are filed and forgotten, rather than living documents that contain accurate, up-to-date insight into relationships and their potential impact on the business.

The next phase of disclosure management

There is a growing demand for compliance disclosure management solutions that can be more dynamically managed to address Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas of compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CONVERCENT BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

A Business Case for Integrated Third-Party GRC Across the Extended Enterprise

One of the greatest challenges to organizations today is managing the extended enterprise: the web of third-party relationships that support the business and its operations. The integrity of the organization is no longer defined by traditional brick-and-mortar walls and employees. The integrity of the organization requires continuous monitoring and control of the governance, risk management, and compliance of third-party relationships.

I argue that we should stop calling this area vendor risk management, or third-party risk management. What is needed is third-party GRC that is integrated across the business. I define third-party GRC (modifying the OCEG GRC definition) as:

Third-Party GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in each of the organization’s third-party relationships across the extended enterprise.

There are two primary items missing from traditional vendor and third-party risk management:

  1. Governance. Third-party governance involves ensuring that the organization reliably achieves the objectives of each relationship. You cannot manage risk in a relationship without clearly understanding and defining the objectives of the relationship. In fact, the official definition of risk in ISO 31000 is that risk is the effect of uncertainty on objectives. Every relationship is established for a purpose. The most fundamental element of managing risk in a relationship is whether we are achieving those objectives and measuring the uncertainty of achieving them. You cannot do third-party risk management without starting with governance first.
  2. Integration. Too many vendor and third-party risk management programs are focused on silos of risk. IT security is looking at security in third parties; privacy is looking at similar things related to personal information; compliance is looking at conflicts of interest and anti-bribery and corruption; procurement is looking at the reliability and viability of suppliers and vendors; legal may be looking at intellectual property protection and contracts; ESG/CSR is looking at human rights and ethical sourcing, or perhaps conflict minerals; quality is looking at the delivery of goods and services to requirements; EH&S is looking at traceability of components and environmental impacts; and business continuity is looking at resiliency in third-party relationships. Everyone has their view, but no one has a complete view of objectives, risk, and integrity in and across these relationships. For the most part, too many vendor and third-party risk management programs are exclusively fixated on IT security and privacy and not the range of other risks in these relationships.

What is needed is a federated strategy that brings 360° contextual insight into each relationship. We need to see the big picture of achieving objectives in the relationship while addressing risk and compliance. This involves a cross-department strategy to holistically address third-party GRC: a strategy that provides a framework, process, and information/technology architecture allowing greater insight into third-party GRC across procurement, IT security, privacy, legal, compliance, ethics, ethical sourcing, resiliency and continuity, and more. With it, the organization can get a complete report card on the performance, risk, and integrity of each of its relationships to ensure it is doing business with the right entities and achieving the objectives of the relationship.

Just as organizations have implemented client relationship management (CRM) systems, we need a similar collaborative approach to managing the other side of the organization, the extended enterprise. Where CRM systems allow marketing, sales, and service and support to get a 360° view of clients and their interactions/transactions with the organization, the same is needed in third-party management to get a complete view of third parties.

How do you get there? Here are some simple steps:

  1. Understand your current state. Inquire and find all the departments, functions, and roles that have a stake in some element of third-party GRC in the organization. Find out how they are approaching this, what is working well, and what is not.
  2. Define your future state. This involves developing a charter for third-party GRC to get distributed groups to work together and from there define a strategy, process, and architecture for where you want to be in three years.
  3. Build a business case. Measure the value the organization will achieve for an integrated and collaborative view across third-party GRC. Define how this will make the organization more efficient (e.g., time saved, money saved), more effective (e.g., complete view of delivery/objectives, continuous monitoring of risk, stronger relationships), and more agile (e.g., keeping up with change, being responsive to and containing issues).
  4. Start your journey. Take things in stages, break down the project plan, and start delivering on this vision.

Happy to share resources and information on this. I teach a full-day workshop on Third-Party GRC by Design and have written and advised extensively on this journey.

Delivering on Agile Compliance in Dynamic Business

Organizational exposure to compliance risk is rising while the cost of compliance soars. Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with obligations and value. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance management boils down to defining – and maintaining – corporate integrity.

However, compliance is not easy. Organizations are complex and dynamic. The modern organization changes by the minute or even second. The organization can go from a state of compliance to non-compliance in the blink of an eye. Processes change. Technology changes. Employees change. Business relationships change. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, and the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

In an ever-changing business environment, how does your organization validate that it is current with its legal, regulatory, policy, and other obligations?

To maintain compliance, an organization must . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE CURA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Efficiency & Agility in Accountability Compliance – SMCR, BEAR, SEAR, MIC, GIAC

Accountability is More Than Responsibility

There is a difference between accountability and responsibility. An individual or organization can outsource or delegate responsibilities, but one cannot do so with accountability. To address the breadth of compliance and ethics failures, as well as risk management, in financial services, there has been a growing array of accountability regulations sweeping the world.

It all started with the United Kingdom’s Senior Manager Regime & Certification Regime (UK SMCR). This put accountability on senior management functions (SMFs) for failures in risk, compliance, control, and ethics. If there is willful wrongdoing, these SMFs can go to jail. If there is negligence or lack of due diligence in compliance, risk, control, or ethics, these SMFs can be personally fined from their personal bank accounts. This framework has sped around the world in Australia’s Banking Executive Accountability Regulation (BEAR), Ireland’s Senior Executive Accountability Regulation (SEAR), Hong Kong’s Managers in Charge Regulation (MIC), and now the stringent requirements in Singapore’s Monetary Authority’s Guidelines on Individual Accountability and Conduct (GIAC). These regulations have a global impact; I have talked to several financial services firms headquartered in the USA that are struggling with compliance with accountability regulations as they have operations in these countries.

I am a J.R.R. Tolkien fan, so I have characterized accountability regulations as the one ring in Tolkien’s Lord of the Rings. It is the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them. Accountability regulations are the uber regulation that puts the sharp teeth of personal accountability to enforce other regulations and ethical practices. I will be presenting on this in the webinar Escaping the SMCR Quagmire.

There are various stages of compliance. In the context of UK SMCR (noting there are other regimes I have mentioned), solo-regulated firms are just coming into the spotlight. Larger firms have been dealing with this for the past few years, but at various stages. Even these large firms have a looming requirement coming up (postponed by the FCA from December 2020 to March 2021) to communicate conduct rules (which are policies) to all employees (except ancillary staff like receptionists and caterers). This requires communicating one or more policies to every employee and documenting that communication (e.g., attestation). Already these firms have had to document SMFs, certify staff, get approval from regulators, and regularly communicate conduct rules to SMFs and certification staff. Now it extends to all employees (except ancillary staff).

Making Accountability Compliance Efficient, Effective, and Agile

What is becoming apparent is that the ongoing management of accountability regulations, the reporting to regulators, the certification of SMFs, the communication of conduct rules on a regular basis with documentation of communication and attestation, the definition and maintenance of accountability and responsibility maps . . . this is not going away. As financial services firms grapple with ongoing and continuous compliance they are now looking for ways to automate the process.

The approach many firms have taken to accountability regulations is very typical of other regulations, such as when Sarbanes-Oxley first hit us in 2002. For the first year or two, firms use manual processes involving lots of documents, spreadsheets, and emails. Then, as they build their process, address compliance, and realize that this obligation for oversight and reporting is not going away but continuing, they start to look for technology to automate the process and make it more efficient, effective, and agile. The regulators also crack down, as the audit trails (system of record) in manual processes relying on documents, spreadsheets, and emails are weak and not defensible. On top of this, business is changing minute-by-minute and second-by-second. Processes change, management changes, employees change, risk changes, regulations change. This all means that accountability compliance has to be agile in a dynamic, distributed, and disrupted business environment. Manual processes with documents, spreadsheets, and emails are cumbersome, slow the organization down, and certainly are not agile.

Technology for accountability compliance falls into three areas:

  1. Solutions focused on aspects of the regulations. Organizations here look for solutions to manage and automate aspects of the regulation, but not the entire regulation. This most often is a policy management solution to communicate conduct rules and track attestations to those rules, providing a documented system of record of these communications. Think about it: if you are a firm with thousands of employees, then manually communicating, tracking, monitoring, and reporting on the communication of conduct rules becomes very time consuming very quickly.
  2. Solutions for full accountability compliance. These are solutions built for the regulations (e.g., UK SMCR, BEAR, SEAR, MIC, GIAC). The solutions are designed to manage the process of defining senior management/accountable functions, building responsibility/accountability maps, certifying functions and staff, reporting and interacting with the regulators for approvals of staff, and communicating conduct rules/policies to all employees.
  3. Solutions BECAUSE of accountability compliance. This is the interesting one that has come up a lot this past year. These are not solutions to manage the specific requirements of compliance in the accountability regulation. These are solutions BECAUSE of the regulation. Think about it: if you are an SMF that is personally accountable for an area of ethics, compliance, risk, or control – such as vendor risk, GDPR, or operational resiliency – then you will want to make sure your organization is properly managing this area and will want visibility into it. After all, it is your personal bank account on the line (or possible prison time).

The good news is that technology delivers across these functions. Technology relieves the burden of ongoing compliance monitoring and reporting. It makes accountability compliance efficient through reduced demands on human and financial resources, more effective through a strong system of record and audit trail with fewer things slipping through the cracks, and agile enough to keep compliance current in a dynamic business environment where risks, processes, regulations, and particularly employees such as SMFs are changing constantly. Again, I will be presenting on this in the webinar Escaping the SMCR Quagmire (the details of which also apply to BEAR, SEAR, MIC, and GIAC).

How is your organization approaching accountability compliance?