Developing a Vendor Risk Management Strategy – Info/CyberSecurity Perspective

Organizations are porous: the modern organization is not defined by brick and mortar walls but is a complex web of business relationships. These relationships span vendors, suppliers, outsourcers, service providers, contractors, consultants, temporary workers, agents, brokers, dealers, intermediaries. It grows even more complex as there are nested relationships in subcontractors and supply chains. Approximately half of a typical organizations “insiders” are no longer employees but are third party relationships.

The issues organizations face in managing vendor and third party risks are growing. These range from growing challenges in anti-bribery and corruption compliance (e.g., UK Bribery Act, US FCPA, OECD Bribery Convention), human rights and slavery (e.g., US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, California’s Transparency in Supply Chains Act), environmental, health and safety, physical security, business continuity and more.

However, one of the growing challenges organizations face is information/cybersecurity across third party relationships, particularly vendor relationships. A significant number of information/cybersecurity breaches are the result of third party vendor relationships. It is not just IT related vendors that put organizations at risk, but could be a wide range of vendor relationships. The Target breach from a few years back was the result of a heating and air conditioning vendor (HVAC) that was broken into that had a connection to the Target network. With the Internet of Things (IoT) upon us, it has become critical for organizations to address information security in and across their third party relationships.

I am doing a series of educational webinars on this specific topic over the next three weeks. These are as follow:

Here is my specific advice on how to go about purchasing solutions for vendor and third party risk management:

Additionally, here are some of my research papers that I have published on this topic:

Considerations and Lessons Learned from GRC RFPs

The GRC technology market landscape is broad with over 800 solution providers across seventeen segments of GRC (see bottom of this post for a breakout of GRC segments). Approximately seventy solutions can be characterized as Enterprise GRC platforms while hundreds of solutions focus on specific areas/segments of GRC with focused solutions.

In 2016, GRC 20/20 answered 412 inquiries from organizations looking for GRC related solutions and was actively involved in nearly a dozen formal RFPs that leveraged the GRC 20/20 RFP templates and libraries – some for Enterprise GRC, others for policy management, compliance management, risk management, audit management, issue reporting/management, IT GRC, EH&S, and more. Forty-one percent of these came from North America, 28% from Europe, and then rest of world. The most dominant role that interacts with GRC 20/20 is compliance, followed by risk management, then internal audit, and IT/information security. Approximately 30% of these interactions were for Enterprise GRC Platforms while 70% of GRC 20/20’s interactions were for more focused solutions and implementations.

GRC 20/20 is focused on helping organizations navigate solution provider hyperbole to get to the honest features and functionality to ensure the right technology is selected that has the correct capabilities that the organization needs.

One of the greatest challenges and frustrations I have in RFPs is the way many solution providers respond to them. They simply answer yes to every question with the thought that it is something that just needs to be built out and customized on their platform. Every year I hear horror stories of rollouts of a solution that take up to two years to build out and implement – all because the organization chose a solution that promised the world in RFP responses but did not have the functionality and features existing in the solution. Further, analysts like Gartner often rank and score these solutions very highly although their evaluation of solutions is getting lighter and lighter. Some of their recent Magic Quadrants for GRC related areas only want video demos and do not sit down with the solution and go through it feature by feature. I have even heard that one recent Magic Quadrant in a GRC area is not even requiring a video demo and just wants answers to questions in a survey, Gartner will determine if they want to see the product.

The level of customization in these multi-year rollouts have significantly hurt a few major solution providers in the GRC market that find that upgrades are extremely difficult and often break. Leaving clients frustrated and unhappy. Three RFPs that I worked on this past year specifically stated they would not consider solution providers that Gartner and Forrester consistently rank in the top leader position because of their experience with the level of customization, length of rollout, cost of ongoing administration, and had things break on upgrades in previous positions at other companies.

Please note: there are many great solutions across GRC domains/segments. Solutions that have proven great value with strong features that can be rolled out rapidly and not be an engagement the size of an ERP implementation.

To provide clarity on features and functionality, I historically have had drop-down fields in GRC 20/20’s RFP templates that ask if the functionality is a ‘native’ feature in the application or something that has to be ‘built-out’ and customized. To provide greater granularity into solution provider responses, I have now updated the GRC 20/20 RFP template library to have the four-fold drop-down responses that organizations should consider (this is from interaction and collaboration with one major GRC player looking to address these challenges head-on):

  • Personalization. Is this feature something that requires no-code changes and can easily be done by a business user to suit their individual needs and preferences? It is completely upgrade safe?
  • Configuration. Is this a feature that can be easily configured by a power-user or IT developer without coding and is completely safe during upgrades?
  • Extension. Is this a feature that can be done by a power-user or IT developer that requires coding but is upgrade-safe?
  • Customization. Is this a feature that requires working with the solution provider (or professional services) to deliver functionality with coding? Will additional effort be needed for testing during upgrade processes?

This is one careful area of evaluation when looking at solutions across GRC related areas. I will be detailing other considerations in GRC related RFPs and evaluations in future posts.

GRC 20/20 segments the GRC market, with RFP templates, across the following seventeen domains:

  • Enterprise GRC. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.
  • Automated Control Monitoring & Enforcement. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and implement these plans expected and unexpected disruptions to all areas of operation.
  • Compliance & Ethics Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
  • IT GRC/Security Management. Capability to govern IT in context of business objectives and manage IT process, technology, and information risk and compliance.
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Risk Management & Analytics. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.

Supporting Research Briefings on the topic of purchasing GRC technology are:

Increasing Exposure of Third Party Risks 

The Modern Organization is an Interconnected Mess of Relationships

Brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries. Over half of the organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and suppliers.

In this context, organizations struggle to adequately govern risk in third party business relationships. Third party problems are the organization’s problems that directly impact brand, reputation, compliance, strategy, and risk to the organization. Risk and compliance challenges do not stop at traditional organizational boundaries as organizations bear the responsibility of the actions or inactions of their extended third party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor governance and risk management.  When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third parties behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Governing third party relationships, particularly in context of risk and compliance, is like the hydra in mythology: organizations combat each head, only to find more heads springing up to threaten them. Departments are reacting to third party management in silos and the organization fails to actively implement a coordinated strategy to third party management from an enterprise perspective.

The challenge: Can you attest to the governance, risk management, and compliance or third parties across your organization’s business relationships?

Reality: Organizations manage third parties differently across different departments and functions with manual approaches involving thousands of documents, spreadsheets, and emails. Worse, they focus their efforts at the formation of a third party relationship during the on-boarding process and fail to govern risk and compliance throughout the lifecycle of the relationship.

This fragmented approach to third party governance brings the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of third party relationships. Silos leave the organization blind to the intricate exposure of risk and compliance that do not get aggregated and evaluated in context of the organization’s goals, objectives, and performance expectations in the relationship.

Failure in third party management happens when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. Many of these target third party relationships specifically, while others require compliance without specifically addressing the context of third parties. Organizations are, in turn, encumbered with inadequate resources to monitor risk and regulations impacting third party relationships and often react to similar requirements without collaborating with other departments which increases redundancy and inefficiency.
  • Interconnected third party risks that are not visible. The organization’s risk exposure across third party relationships is growing increasingly interconnected.  An exposure in one area may seem minor but when factored into other exposures in the same relationship (or others) the result can be significant. Organization often lack an integrated and thorough understanding of the interconnectedness of performance, risk management, and compliance of third parties.
  • Silos of third party oversight. Allowing different departments to go about third party management without coordination, collaboration, consistent processes, information, and approach leads to inefficiency, ineffectiveness, and lack of agility. This is exacerbated when organizations fail to define responsibilities for third party oversight and the organization breeds an anarchy approach to third party management leading to the unfortunate situation of the organization having no end-to-end visibility and governance of third party relationships.
  • Document, spreadsheet, and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, and emails it is easy for things to get overlooked and buried in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source-of-truth on the relationship and it becomes difficult, if not impossible, to get a comprehensive, accurate, and current-state analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate information, analyze, and report on third party information. When things go wrong, audit trails are non-existent or are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different approaches for on-boarding and managing third parties; the organization can never see the big picture. This leads to a significant amount of redundancy and encumbers the organization when it needs to be agile.
  • Due diligence done haphazardly or only during on-boarding. Risk and compliance issues identified through an initial due diligence process are often only analyzed during the on-boarding process to validate third parties. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship and that due diligence needs to be conducted on a continual basis.
  • Inadequate processes to monitor changing relationships. Organizations are in a constant state of flux. Governing third party relationships is cumbersome in the context of constantly changing regulations, risks, processes, relationships, employees, processes, suppliers, strategy, and more. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third parties is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to properly encompass risk and compliance indicators. Too often metrics from service level agreements (SLAs) focus on delivery of products and services by the third party but do not include monitoring of risks, particularly compliance and ethical considerations.

The bottom line: When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, compliance, and impact on the organization. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing third party risk and compliance as an integrated framework. It is time for organizations to step back and define a cross-functional strategy to define and govern risk in third party relationships that is supported and automated with information and technology.


Additional resources on Third Party Management

Research Briefings

Upcoming Webinars

Written Research

GRC in Uncertain Times: 2016 and into 2017

In the past month there have been a lot of posts, articles, and discussion on the impact of Trump’s presidency on the GRC market, particularly compliance. Some fear that the need for compliance management within organizations is not going to be as strong as a Trump administration looks to deregulate. My perspective is that compliance management will continue to grow within organizations no matter who is in office. Whether conservative or liberal, regulations have grown and grown over the years. While President-Elect Trump is not your typical candidate, he is already toning down some of the rhetoric that he used during the campaign and coming to reality. There may be shifts in focus in certain areas, but ethics and compliance will remain a strong need within organizations for many years to come.

HOWEVER, the focus of the question should not be on compliance but on what the forecast looks like for risk management. While organizations will continue to need compliance processes and technologies, organizations will see a renewed focus and energy on risk management processes and related technologies.

Times are uncertain. 2016 has brought us Brexit, a forthcoming Trump administration, and turmoil politically around the world, particularly in European election possibilities. Economically things are topsy turvy with the British Pound, European Euro, caution on an outlook in China.

As I look to 2017 one word continues to come to mind: UNCERTAINTY.

If we go to ISO 31000 for a definition of risk, “risk is the effect of uncertainty on objectives.” Organizations face a world of uncertainty in 2017 and need defined risk management processes and systems in place to be able to manage risk in context of objectives. As we close 2016 and move into 2017, GRC 20/20 is seeing growing inquiries from organizations looking to improve risk management related processes and are asking questions related to risk management technologies to enable these processes.

It is interesting, the current OCEG GRC Maturity Survey, that GRC 20/20 Research collaborates on and authors, show a change in the respondents. This survey was fielded over the past two months and has 697 respondents with 578 of them in roles managing GRC internally within their organization. The past several GRC Maturity Surveys had Compliance and Ethics as the primary role responding to the survey, this year (the past few months to be specific) it is Risk Management roles that are the number one responder. Consider joining the webinar to learn more on the findings.

GRC 20/20 is seeing increased interest in enterprise and operational risk management technologies, but also increased interest in solutions for geo-political risk management, third party (vendor/supplier) risk management, IT/information security risk management, EH&S, and business continuity management.

What are your thoughts on 2017 and the outlook for GRC Related processes and systems? I look forward to hearing your thoughts.

How to Identify UBOs in an Unpredictable World

Business operates in a world of chaos, where relationship risk is ever present. What’s the secret to understanding and identifying ultimate beneficial owners?

The modern organization is an interconnected web of relationships and interactions that span traditional business boundaries. Complexity grows as these interconnected relationships and transactions layer themselves in intricacy.

In this context, organizations struggle to identify and govern their relationships with a growing awareness that they can face reputation and economic disaster by establishing or maintaining the wrong business relationships.

When questions of business practice, ethics, and corruption arise, the organization is held accountable for the actions of those who they do business with, and it must ensure adequate due diligence has been done to ensure it is doing business with the right individuals and organizations.

This is particularly critical in the context of knowing the ultimate beneficial owner(UBO) in business relationships.

Poor visibility

The fragmented governance of relationships can lead organizations to . . .

GRC 20/20 was engaged as a guest blogger for this thought piece. The full post can be read at the Inside Financial & Risk blog.

[button link=”http://blog.financial.thomsonreuters.com/identify-ubos-unpredictable-world/ “]READ MORE[/button]

The Role of Technology in Compliance Risk Management

Organizational exposure to compliance risk is rising while the cost of compliance soars. An ad hoc or reactive approach to compliance brings complexity, forcing business to be less agile. Organizations in the past have addressed compliance as singular obligations, resulting in multiple redundant initiatives working in isolation to respond to each obligation. These isolated compliance initiatives tend to rely on manual processes burdened with costly assessments managed through unreliable spreadsheets, documents and email. This reactive methodology makes it difficult to adapt to new regulatory requirements and while increases pressure on management, employees, and third parties.

Business requires a common compliance risk management process, information, and technology architecture that is context-driven and adaptable to the enterprise and operational risk management strategy. Compliance must be an active, living part of the organization and culture that can detect and prevent issues as a continuous process to be monitored, maintained and nurtured in the context of governance, risk, and compliance management. Today’s organizations require integrated compliance risk management strategies as an integration function for effective enterprise risk management.

Past compliance processes were bogged down in documents and technology silos, which led to laborious and costly processes to gather information and report on compliance risk. Compliance departments over-relied on spreadsheets, documents, and email that lacked an audit trail, creating a legal disaster since organizations lack a defensible position when it cannot prove compliance. With no record, assessments can also be compromised or tampered with. What may seem like an insignificant risk in one source of information may have a different appearance when other relationships are factored in. Siloed documents and processes create inefficiency, out-of-sync controls, and corporate policies that are inadequate to manage risk and compliance. Organizations are encumbered by unnecessary complexity because they manage compliance within specific issues, without regard for an integrated framework and architecture, wasting time and resources in the process.

Effective compliance requires technology that has a robust system of record that proves a state of compliance and documents any changes made, thus providing a complete audit trail. In order for compliance to be an active and living part of the organization and culture, intelligent organizations are implementing a comprehensive compliance technology architecture.

A compliance technology architecture to support compliance risk management includes capabilities to perform:

  • Compliance risk management. Technology to manage compliance risk surveys, assessments, and related risk information; report, analyze and model risk of compliance and ethics.
  • Regulatory change management. Technology to track, document and manage regulatory changes and their business impact.
  • Learning and training management. Technology to communicate and document training programs related to compliance – includes delivery of training, testing of attendees, and maintenance of training records.
  • Policy and procedure management. Technology that maintains policy lifecycle management across development, maintenance, communication and attestation. Provides a robust audit trail and content management capability to ensure policies are current and communicated.
  • Investigations management. Technology that enables incident management, facilitates collaboration, and documents investigation processes. The ability to record the range of issues reported from all mechanisms, actions taken, and results of the investigation.
  • Issue reporting and hotlines. Technology that makes it easy for individuals to report issues and non-compliance, including a system to document reports made directly to all levels of management.
  • Survey and assessment. Technology that delivers a consistent experience for conducting compliance surveys and assessments.
  • Benchmarking, metrics, and dashboarding. Technology that produces reports of assurance to management that compliance is not only designed properly but also operating properly to address compliance risks in a dynamic business environment assure executives and the board that their fiduciary obligations for compliance are being met.
  • Due diligence management. Technology that facilitates due diligence efforts to validate the hiring of the right people and partnering with ethical vendors that share the same commitment to compliance and corporate values.
  • Forms automation and processing. Technology that creates and automates forms to manage processes such as interactions for gifts, entertainment, and facilitated payments through online forms, plus workflows for approval/disapproval.
  • Compliance program/project management. Technology that brings compliance risk management together in a cohesive system to manage compliance activities, metrics, and reports. All compliance management personnel and employees should have access to the system and see the relevant tasks that pertain to their job.

Check Out These GRC 20/20 Compliance Management Resources . . .

 

Compliance: An Integral Part of Risk Management

Increased regulatory and ethical pressures are transforming the traditional role of compliance. Compliance departments are taking on broader responsibility for ethics, compliance, corporate culture, and social responsibility. With greater frequency, they are moving out from under the legal department into a direct reporting relationship to the CEO and/or Board, particularly in highly regulated industries.

Some organizations are differentiating between operational compliance and legal compliance by leaving a function within legal for monitoring and interpreting relevant laws. In some cases regulators are requiring, and at least encouraging, compliance to report outside of legal so it has greater autonomy to raise and resolve issues. The critical point: enabling compliance to report directly to the Board of Directors.

Since 1996 in the US, oversight responsibility to ensure compliance and ethics programs are in place falls squarely on the Board. This was made clear in the United States Sentencing Commission Organizational Guidelines that require Boards be knowledgeable about compliance risk, the content and operation of the compliance and ethics program, and exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program – with specific ability for the compliance function to have direct access to the Board or an appropriate subgroup of the board.

Therefore, we see that compliance is mandated to take on greater relevance as it guides the enterprise beyond traditional concepts of being the compliance “cop.” This requires an integrated role in the organization’s proactive risk management programs. Ideally, today’s compliance function will possess a solid understanding of the company’s ethical, regulatory, and cultural risks, how they relate to each other, and how they fit into broader enterprise risk strategies. Reliance on well-established risk management and governance processes will provide assurance that ethics and compliance efforts are sufficient and operate as designed.

Building Relationships Across the Business

The compliance function faces a big challenge today: encouraging executives to work together to revamp siloed, haphazard risk management systems and turn them into an integrated process that provides greater transparency, reliability and value.

It is critical that the compliance function play a key role in risk management strategy. To do so, it must first understand compliance and ethical risk facing the organization. Then focus on opportunities to control cost, improve resource utilization and create sustainable scalability and alignment with organization goals. In order to champion corporate compliance and ethics goals, compliance should be prepared to:

  • Articulate to the board why having a clear and conformed view of compliance risk is critical to the organization’s culture, performance, and fiduciary responsibilities.
  • Demonstrate how centralized oversight and supporting technologies for compliance risk management drives predictable behaviors and performance results.
  • Communicate the benefits of including compliance risk management within business change initiatives.
  • Influence key executives to support the compliance role in the achievement of business objectives.
  • Collaborate with key executives in developing compliance processes that allow measurable evaluation of effectiveness, efficiency, and support business agility.
  • Assist the CEO in evaluating opportunities and preventing adverse effects from regulatory compliance and ethical risks.
  • Help management appreciate how integrated compliance risk management processes can improve operations while reducing redundancies that can be leveraged across assessment, training, awareness, investigations, and policy management.
  • Incorporate compliance risk management and assurance across extended third-party business relationships

Understanding and Approaching Compliance Risk Management

Historically, the compliance function did not understand how to manage risk. Compliance was understood as: documenting and meeting requirements and finding and resolving issues. Modeling compliance risk to determine business impact and prioritization of resources was done on a limited basis, if at all. Non-existent was a proactive function tasked with interpreting and predicting compliance risk and developing corrective plans to mitigate damage. Most often, compliance was a reactive function trying to put out fires.

Compliance is now challenged to take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the context of dynamic and distributed business, and model risk and present and future business impact.

The core principles of compliance risk management are:

  • Understand your risk. An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic – done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and markets).
  • Approach compliance in proportionality of risk. How an organization implements compliance procedures and controls is to be based on the proportionality of the risk it faces. If a certain area of the world or a business partner scores as a higher risk to corruption or ethical issues, the organization is to respond with stronger procedures and controls. Proportionality of risk also applies to the size of the business – smaller organizations are not expected to have the same measures as large enterprises.
  • Monitor the risk and regulatory environment. Content and information on changes to risk and regulatory environments is critical to understanding ever-changing compliance risk. New laws, changed regulations, court rulings and amended standards  change the organization’s compliance requirements. A defined process with accountability to monitor risk of changing regulatory environments is essential.
  • Tone at the top. The compliance risk management program should be fully supported by the Board of Directors and C-suite. Communication to top-level management must be bidirectional. Leadership is to communicate their definition of acceptable and unacceptable risk and their support for the compliance program. To fulfill their fiduciary obligations, executives and Board members should always be informed about the effectiveness and operations of the compliance risk management program.
  • Know who you do business with. Know your business relationships. This requires an established risk-monitoring framework that catalogs all third-party relationships, markets, and geographies. Strict due diligence ensures the organization is contracting with ethical partners. If there is a high degree of risk to corruption, compliance, and ethical issues, implement additional preventive and detective controls in accordance with the risk. Also, know your employees and conduct background checks to determine if they are susceptible to corruption or unethical conduct.
  • Keep information current. Due diligence and risk assessment efforts are to be kept current. These are not point in time efforts that happen once; perform assessments on a regular basis or when you become aware of conditions that point to increased risk due to ethics and compliance issues.
  • Compliance oversight. Make a trusted executive responsible for the oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to an independent monitoring body, such as the audit committee.
  • Manage change. It is essential to monitor the business for changes that can impact its compliance program or introduce greater risk to corporate ethics. Document changes required to business practices as a result of observations and investigations. Implement changes to address deficiencies through a deliberate program of change management. This requires that changes be monitored by compliance to be proactive in preventing corruption.

Check Out These GRC 20/20 Compliance Management Resources . . .

Compliance and Risk Bear Down on the Organization 

Compliance in Dynamic and Distributed Business

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to compliance risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, consultants and staffing) their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal risk (e.g., strategy, processes and internal controls) and external risk (e.g., legal, regulatory, competitive, economic, political and geographic environments). What may seem insignificant in one area can have profound impact on others.

In an ever-changing business environment, how does your organization validate that it is current with legal, regulatory, policies, and other obligations? 

Compliance obligations and ethical risk is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of risk and compliance. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing regulatory requirements as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

The Inevitable Failure of Compliance Silos

Compliance activities managed in silos often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance and risk management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment.

A non-integrated approach to compliance risk management results in these phenomena, each one feeding off the last:

  • Redundant and inefficient processes. Managing compliance risk in silos hinders big-picture thinking. Little thought goes into how resources can be leveraged for greater effectiveness, efficiency and agility. The organization ends up with a variety of processes, applications and documents to meet individual compliance needs. The result: a major drain of time and resources.
  • Poor visibility across the enterprise. Siloed initiatives result in a reactive approach to compliance. Islands of information are individually assessed and monitored. Departments are burdened by multiple risk and compliance assessments asking the same questions in different formats. Limited visibility across the risk landscape ensues.
  • Overwhelming complexity. The lack of integrated processes introduces complexity, uncertainty, and confusion. Inconsistent processes increase inherent risk, more points of failure, and more compliance gaps leading to unacceptable risk. Mass confusion reigns for the organization, regulators, stakeholders, and business partners.
  • Lack of agility. Reactive risk and compliance strategies managed in information silos handicaps the business. Bewildered by a maze of approaches, processes and disconnected data, the organization is incapable of being agile in a dynamic and distributed business environment.
  • Greater exposure and vulnerability. When compliance is not viewed holistically, the focus is only on what is immediately in front of each department, at the expense of enterprise-wide co-dependencies. This fragmented view creates gaps that cripple compliance management and a business ill-equipped for aligning compliance initiatives to business objectives.

Compliance Risk Management: Does Your Organization Walk its Talk?

Organizations operate in a field of ethical, regulatory, and legal landmines. The daily headlines reveal companies that fail to comply with regulatory obligations. Corporate ethics is measured by what a corporation does and does not do when it thinks it can get away with something. Compliance risk management boils down to defining – and maintaining – corporate integrity.

Most companies today at least try to address the legal requirements and compliance obligations bearing down on it. However, the role of compliance is quickly changing. Compliance today is more than checking boxes on regulatory to-do lists, more than finding and fixing problems. Compliance and governance is evolving from scattered silos to a strategic enterprise pillar.

Today’s business entity must ensure compliance risk is understood and managed company-wide. That its obligations are more than written policies, but part of the fabric of operations. That a strong culture ensures transparency, accountability, and responsibility as part of its ethical environment. A strong compliance program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure.

The Bottom Line: Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance risk, whether its activities are effective, and how they are enhancing shareholder value. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance risk from the top down. The breadth and depth of compliance risk bearing down on companies today requires a robust compliance program operating in the context of integrated enterprise risk management.

Check Out These GRC 20/20 Compliance Management Resources . . .

Complexities of IT GRC Hinders Organizations 

Organizations operate in a complex environment of risk, compliance requirements, and vulnerabilities that interweave through departments, functions, processes, technologies, roles, and relationships. What may seem as an insignificant IT risk in one area can have profound impact on other risks and cause compliance issues. Understanding and managing IT governance, risk management, and compliance (IT GRC) in today’s environment requires a new paradigm in managing these interconnections and relationships.

IT departments are scrambling to keep up with multiple initiatives that demand greater oversight of risk and compliance across the IT infrastructure, identities, processes, and information. Most organizations approach these issues reactively — putting out IT fires wherever the flames are hottest. It is time for IT to step back and think strategically; to figure out how to streamline resources and use technology efficiently, effectively, and agilely to manage and monitor IT GRC.  As these pressures mount, IT often fails to think strategically as it is too busy reacting to issues.  What gets attention is where the pain is the greatest. A reactive approach to IT risk is not only sustainable in an environment of growing pressures, but is also a recipe for disaster, and leads to:

Higher cost, from . . .

  • Wasted and/or inefficient use of resources. Silos of IT GRC lead to wasted resources. Instead of leveraging controls and resources to meet a range of risks and compliance requirements, controls are developed haphazardly to address specific pain with no thought for leverage across pains.  Organizations often try to relieve the symptoms instead of thinking how to address the root cause. IT ends up with different internal processes, systems, controls, and technologies ‘in play’ to meet individual risk and compliance needs.
  • Unnecessary complexity. Multiple IT risk and compliance approaches introduce complexity. With complexity comes an increase of inherent risk. Controls are impossible to streamline and manage consistently, introducing more opportunities for controls to fail or go unmonitored. Inconsistent controls also produce inconsistent documentation, which further confuses IT, regulators, and the line of business.

Inability to align with the business, resulting in . . .

  • Lack of agility. Complexity drives inflexibility. IT GRC becomes so wrapped up in spinning individual risk and compliance plates that support of the business is degraded. IT staff along with the business is bewildered by a maze of varying methodologies and control requirements that are not designed with any consistency or logic.
  • Vulnerability and exposure. A reactive approach leads to more exposure and vulnerability. Complexity means departments are focused on their own silo of risk, and no one sees the big picture. No one looks at IT GRC holistically or contextually, with regard for what is good for the business in the long run. Varying and independent efforts around IT GRC lead to difficulty demonstrating control with a result in confusing audits and assessments.

Not only does a reactive approach to IT GRC lead to greater vulnerability and exposure, it also means higher costs for the business. Addressing IT GRC across a series of disconnected projects and assessments leads to inefficiency in IT management and operations, wasted spending on redundant approaches, and a greater burden to the business.

The bottom line: When organizations approach IT GRC in scattered silos of documents and disconnected solutions and processes there is no possibility to be intelligent about IT GRC decisions that impact the broader organizations and its operations. Organizations need an integrated IT GRC architecture that delivers 360º contextual intelligence on IT security, risk, and compliance.

Check out GRD 20/20’s additional IT GRC resources . . .

Workshop: IT GRC by Design Workshop in San Diego, November 1st

  • Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture or risk and impact on performance and strategy. This workshop provides a blueprint for attendees on effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Research Briefing: How to Purchase IT GRC Management Solutions & Platforms

  • This is GRC 20/20’s on-demand Research Briefing that advises organizations on what to consider in evaluating and selecting IT GRC management solutions and technologies. It reviews critical capabilities needed in IT GRC management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Inquiry: Ask GRC 20/20 Your Questions on IT GRC Management

  • The challenge is: how do you find the right IT GRV management solution for your organization? This is where GRC 20/20 comes in. If you are looking for policy management solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website.

RFP Template & Support: IT GRC Management RFP Requirements Template

  • GRC 20/20 can be engaged on policy management RFP projects to rapidly enable organizations to develop RFPs based on our IT GRC RFP criteria library. Simply email [email protected] and we can scope your needs for a RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

Research Briefing: How to Purchase Business Continuity Management Solutions & Platforms

  • This is GRC 20/20’s live Research Briefing that advises organizations on what to consider in evaluating and selecting business continuity management solutions and technologies. It reviews critical capabilities needed in business continuity management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Policy Management Demands Attention

The Foundational Role of Policies in GRC Strategies

Policies are critical to the organization as they establish boundaries of behavior for individuals, processes, relationships, and transactions. Starting at the policy of all policies – the code of conduct – they filter down to govern the enterprise, divisions/regions, business units, and processes.

GRC, by definition, is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” Policies are a critical foundation of GRC. When properly managed, communicated, and enforced policies:

  • Provide a framework of governance. Policy paints a picture of behavior, values, and ethics that define the culture and expected behavior of the organization; without policy there is no consistent rules and the organization goes in every direction.
  • Identify and treat risk. The existence of a policy means a risk has been identified and is of enough significance to have a formal policy written which details controls to manage the risk.
  • Define compliance. Policies document compliance in how the organization meets requirements and obligations from regulators, contracts, and voluntary commitments.

Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended.

Policy also attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must clearly train and communicate the policy to make sure that individuals understand what is expected of them. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy and training on policy.

Hordes of Policies Scattered Across the Organization

Policies matter. However, when you look at the typical organization you would think policies are irrelevant and a nuisance. The typical organization has:

  • Policies managed in documents and fileshares. Policies are haphazardly managed as document files and dispersed on a number of fileshares, websites, local hard drives, and mobile devices.  The organization has not fully embraced centralized online publishing and universal access to policies and procedures. There is no single place where an individual can see all the policies in the organization and those that apply to specific roles.
  • Reactive and inefficient policy programs. Organizations often lack any coordinated policy training and communication program. Instead, different departments go about developing and communicating their training without thought for the bigger picture and alignment with other areas.
  • Policies that do not adhere to a consistent style. The typical organization has policy that does not conform to a corporate style guide and standard template that would require policies to be presented clearly (e.g., active voice, concise language, and eighth-grade reading level).
  • Rogue policies. Anyone can create a document and call it a policy.  As policies establish a legal duty of care, organizations face misaligned policies, exposure, liability, and other rogue policies that were never authorized.
  • Out of date policies. In most cases, published policy is not reviewed and maintained on a regular basis. In fact, most organizations have policies that have not been reviewed in years for applicability, appropriateness, and effectiveness. The typical organization has policies and procedures without a defined owner to make sure they are managed and current.
  • Policies without lifecycle management. Many organizations maintain an ad hoc approach to writing, approving, and maintaining policy. They have no system for managing policy workflow, tasks, versions, approvals, and maintenance.
  • Policies that do not map to exceptions or incidents. Often organizations are missing an established system to document and manage policy exceptions, incidents, issues, and investigations to policy. The organization has no information about where policy is breaking down, and how it can be addressed.
  • Policies that fail to cross-reference standards, rules, or regulations. The typical organization has no historical or auditable record of policies that address legal, regulatory, or contractual requirements. Validating compliance to auditors, regulators, or other stakeholders becomes a time-consuming, labor-intensive, and error-prone process.

Inevitable Failure of Policy Management

Organizations often lack a coordinated enterprise strategy for policy development, maintenance, communication, attestation, and training. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved with supporting the business, including internal employees and third parties. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed.

If policies do not conform to an orderly style and structure, use more than one set of vocabulary, are located in different places, and do not offer a mechanism to gain clarity and support (e.g., a policy helpline), organizations are not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory, and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

The bottom line: The haphazard department and document centric approaches for policy management of the past compound the problem and do not solve it. It is time for organizations to step back and define and approach policy management with a strategy and architecture to manage the ecosystem of policies programs throughout the organization with real-time information about policy conformance and how it impacts the organization.

Check out GRD 20/20’s additional policy management resources . . .

Workshop: Policy Management by Design Workshop in Dallas, October 11th

  • This is a complimentary full day interactive workshop to help organizations define a policy management strategy, write a policy on writing policies (meta-policy), define a policy management lifecycle, understand the role of technology in policy management, and build a business case for policy management. This workshop is only open to individuals managing policies in their internal environment and is not open to solution providers or consultants.

Research Briefing: How to Purchase Policy Management Solutions & Platforms

  • This is GRC 20/20’s on-demand Research Briefing that advises organizations on what to consider in evaluating and selecting policy management solutions and technologies. It reviews critical capabilities needed in policy management technology as well as what differentiates a basic, common, and advanced solution in the market. Particular guidance is given into considerations when engaging solution providers and navigating solution provider hyperbole.

Inquiry: Ask GRC 20/20 Your Questions on Policy Management

  • The challenge is: how do you find the right policy management solution for your organization? This is where GRC 20/20 comes in. If you are looking for policy management solutions for various purposes, GRC 20/20 Research offers complimentary inquiries to explore your needs and identify a short list of solutions that best fit your specific needs. Simply register an inquiry on the GRC 20/20 website.

RFP Template & Support: Policy Management RFP Requirements Template

  • GRC 20/20 can be engaged on policy management RFP projects to rapidly enable organizations to develop RFPs based on our policy management RFP criteria library. Simply email [email protected] and we can scope your needs for a RFP criteria project. GRC 20/20 is often engaged in more detailed RFP projects to help manage the RFP and keep solution providers honest based on our broad experience in the market.

Written Research on Policy Management