Greatest GRC Challenges: Regulatory Change Management, Part 2

This is the second in a multi-part blog series on the greatest GRC challenges organizations face, and part 2 on the topic of regulatory change management. In the previous post we explored the pressure organizations are under in the context of regulatory change; in this post we look at how organizations' processes are broken and insufficient to manage regulatory change. Other topics in the series will be risk change management, business change management, and third-party management.

Broken Process and Insufficient Resources to Manage Regulatory Change

The typical organization does not have adequate processes or resources in place to monitor regulatory change. Organizations struggle to be intelligent about regulatory developments, fail to prioritize and revise policies, and do not take actionable steps to be proactive. Instead, most organizations end up firefighting, trying to keep the flames of regulatory change under control. This handicaps an organization operating in an environment under siege by an ever-changing regulatory and legal landscape. New regulations, pending legislation, changes to existing rules, and even enforcement actions against other organizations can have a significant impact. Organizations that GRC 20/20 has interviewed in the context of regulatory change management reference the following challenges to process and resources:

  • Insufficient headcount and subject matter expertise. Regulatory change has tripled in the past five years. The effort to identify all of the applicable changes related to laws and regulation is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in regulatory change.
  • Frequency of change and number of information sources overwhelm. The frequency of updates from the regulators themselves is challenging enough, but then comes the flood of updates from aggregators, experts, law firms and more. Organizations often subscribe to and utilize multiple sources of regulatory intelligence that take time to go through and process to identify what is relevant.
  • Limited workflow and task management. Organizations rely on manual processes that lack accountability and follow-through. It’s not possible to verify who reviewed a change, what actions need to be taken, or if the task was transferred to someone else. This environment produces a lack of visibility to ongoing compliance—the organization has no idea of who is reviewing what and suffers with an inability to track what actions were taken, let alone which items are “closed.” Compliance documentation is scattered in documents, spreadsheets, and emails in different versions. 
  • Lack of an audit trail. The manual and document-centric approach to regulatory change lacks the defensible audit and accountability trails that regulators require. This leads to issues with regulators and auditors, who find there is no accountability or integrity in compliance records of who reviewed which change and what action was decided upon. The lack of an audit trail is prone to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc regulatory change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks overall information architecture and thus has no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, and courses of action. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
  • Wasted resources and spending. Silos of ad hoc regulatory change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to efficiently and effectively manage regulatory change, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective and unmanageable processes and resources, unable to respond to regulatory change. The added cost and complexity of maintaining multiple processes and systems that are insufficient to produce consistent results wastes time and resources, and creates excessive and unnecessary burdens across the organization.
  • Misaligned business and regulatory agility. Regulatory change without a common process supported by an information architecture that facilitates collaboration and accountability lacks agility. Change is frequent in organizations and coming from all directions. When information is trapped in scattered documents and emails, the organization is crippled. It lacks a full perspective of regulatory change and business intelligence. The organization is spinning so many compliance plates it struggles with inefficiency. The organization cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
  • No accountability and structure. Ultimately, this means there is no strategically coordinated accountability for regulatory change, and the process fails to be agile, effective, and efficient in its use of resources. Accountability is critical in a regulatory change process — organizations need to know who the subject-matter experts (SMEs) are, what has changed, who each change is assigned to, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the results of the change analysis.

The current situation: The typical organization has a myriad of subject matter experts doing ad hoc monitoring of regulatory change and emailing parties of interest with little or no consistent follow-up, accountability, or business impact analysis. The organization is in a resource-intensive, confused state of monitoring regulatory risk, enforcement actions, new regulations, and pending legislation, resulting in an inability to adequately predict the readiness of the organization to meet new requirements. There is no overall strategy to gather and share regulatory change information and decide what to do about it.


Greatest GRC Challenges: Regulatory Change Management, Part 1

This is the first in a multi-part blog series on the greatest GRC challenges organizations face. The first topic is regulatory change management, on which there will be a few posts. This one describes the pressure organizations are under to manage regulatory change. Other topics in the series will be risk change management, business change management, and third-party management.

Tsunami of Change Overwhelms Organizations

Change is the single greatest challenge for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and intricate nature of change and how it cascades in impact is driving organizations toward improving their approach to regulatory change management as a defined process and integrated part of a GRC strategy within the organization.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions that is constant, dynamic, and disruptive. Consider the scope of change financial services organizations have to keep in sync:

  • External risk environments. External risks such as market, geo-political, societal, competitive, industry, and technological forces are constantly shifting in nature, impact, frequency, scope, and velocity. 
  • Internal business environments. Internally, the organization has to stay on top of changing business environments that introduce a range of operational risks involving employees, third-party relationships, mergers & acquisitions, processes, strategy, and technology.
  • Regulatory environments. Regulatory environments governing organizations are a constant shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rule making and more has organizations struggling to stay afloat. 

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone in how they impact each other. Change in economic or market risks bears down on the organization as it impacts regulator oversight and requirements. Internal processes, people, and technology are impacted as well. As internal processes, systems, and employees change, this impacts regulatory compliance and risk posture. Change is an intricate machine of chaotic gears and movements that makes the aspects of GRC challenging in financial services organizations (as well as organizations in several other industries). Keeping current with change and keeping the organization aligned with it is one of the greatest challenges to GRC strategies in organizations.

Regulatory Change Overwhelming the Organization

Regulatory change is overwhelming organizations across industries. Organizations are past the point of treading water; they are actively drowning in regulatory change from turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more around the world. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations and changes to existing regulations each year. Regulatory change impacts the organization as it reacts to:

  • Frequency of change. In the past five years the number of regulatory changes has more than tripled, while the typical organization has not increased staff or changed processes to manage regulatory change. According to Thomson Reuters, in 2008 there were 8,704 changes to regulations impacting financial services organizations; in 2013 there were over 26,950 changes. Those are just the ones they tracked. Global organizations are often dealing with more than one hundred and twenty-five regulatory change alerts a day.
  • Global context.  Regulatory change is not limited to one jurisdiction but is a turbulent sea of change around the world. Regulations have a global impact in the market. In Asia, GRC 20/20 finds that there is often more concern over US regulation than over regulation from Asian countries. Inconsistency across regulations from jurisdiction to jurisdiction brings complexity to regulatory compliance. 
  • Inconsistency in regulations. Managing compliance and keeping up with regulatory change, exams, and reporting requirements becomes complicated when faced with international requirements. Regulatory jurisdictions have varying approaches: principle-based regulation (also called outcome-based regulation) is popular across Europe and other countries around the world, while the United States and several other countries take a prescriptive approach to regulation that is more akin to a checkbox list of requirements, specifically telling the firm what has to be done. The principle-based approach gives the organization flexibility, with the focus on the achievement of an outcome and not the specific process that got them there. There are conflicting challenges in privacy regulations and other laws impacting financial services organizations across jurisdictions.
  • Expansion into new markets.  It has become complex for organizations to remain in foreign markets as well as enter into new markets. The pressure to expand operations and services is significant as the organization seeks to grow revenue and be competitive while at the same time being constrained by the turbulent sea of changing regulations and requirements.
  • Focus on risk assessment. Regulatory compliance is increasingly pushed to integrate with broader enterprise and operational risk strategies, with a focus on delivering specific assessments of compliance risks. For example, FINRA regulators in the US seek to ensure that compliance officers do compliance risk assessments. The discipline of risk management is becoming a prerequisite compliance officer skill and is ensuring that compliance has a seat at the enterprise risk management (ERM) table.
  • Hordes of regulatory information. Organizations are overwhelmed by information from legal and regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators. Compliance and legal roles struggle to monitor a growing array of regulations, legislation, regulator findings/rulings, and enforcement actions. The volume and redundancy of information adds to the problem. Managing regulatory change requires weeding through an array of redundant change notifications and getting the right information to the right person to determine the business impact of regulatory change and the appropriate response. Organizations must search for the marrow of regulatory details and transform it into actionable intelligence that can be acted upon in a measurable and consistent manner.
  • Defensible compliance. Regulators across industries and jurisdictions are requiring that compliance is not just well documented, but operationally effective. Case in point: Morgan Stanley is praised by regulators as a model compliance program and is the first company in 35 years of Foreign Corrupt Practices Act (FCPA) history not to be prosecuted despite bribery and corruption in its Asian real estate business. One of the points the Securities and Exchange Commission (SEC) and Department of Justice (DoJ) referenced was Morgan Stanley's ability to keep compliance current in the midst of regulatory change: "Morgan Stanley's internal policies . . . were updated regularly to reflect regulatory developments and specific risks."

The amount of regulatory change coming at organizations is staggering. Consider an international bank headquartered in South America that embarked on a project to build a database of regulatory requirements impacting the bank globally. The detail went down to the requirement level, so an individual regulation might have anywhere from a few requirements to more than a thousand, depending on the regulation. After eighteen months and cataloging over 81,000 requirements they abandoned the project. The reason was that the content was already obsolete — so much had changed during the process of documenting it that they did not have the resources to maintain the volume of regulatory change. A Tier 1 Canadian bank has described a similar regulatory requirement documentation project that met the same demise for the same reason.

In the next installment we will look at "Broken Process and Insufficient Resources to Manage Regulatory Change."

What are your thoughts on the increasing pressure of regulatory change management?  Please comment and share below (no promotions or solicitations).


The Role of Technology in Managing Anti-Bribery, Corruption & Fraud

Compliance must be an active part of the organization and culture to prevent and detect corruption, bribery and fraud. This continuous and ongoing process must be monitored, maintained and nurtured. The challenge is establishing corruption prevention and detection activities that move the organization from a reactive fire-fighting mode to one that actively manages, monitors, prevents and detects risk.

The distributed and dynamic nature of business makes anti-bribery, corruption, and fraud compliance a challenge. Compliance in the context of a complex and dynamic business environment is particularly challenging as organizations face broadening anti-bribery and corruption laws and regulations. Ultimately, the best offense is a good defense. Regardless of the models, technologies and strategies enabled to help, organizations must be prepared to show they have a strong compliance program in place, or risk exposure to investigations, penalties and possible prosecution. This is the example the DoJ and SEC put forward when they praised Morgan Stanley's compliance program as a result of their FCPA investigation.

This requires technology to manage anticorruption compliance. Technology can help organizations manage and monitor anti-bribery, corruption, and fraud compliance by enabling and automating:

  • Compliance program management: The organization needs a 360-degree view of compliance activities and reporting. This requires a system for managing compliance activities, metrics and reports. From this system the organization should be able to produce reports and metrics relevant to the board of directors and executives, to assure them they are meeting fiduciary obligations to have a compliance program for anticorruption in place. All compliance management personnel and employees should be able to access the system and see contextually relevant tasks and items.
  • Regulatory intelligence and change management: The integration of regulatory content feeds and technology enables the compliance program to determine how new developments — such as new anti-bribery and corruption laws, requirements, enforcement actions, and other matters and decisions — impact business. Organizations should leverage technology to integrate legal and regulatory feeds and route them to the correct subject matter expert for review and business impact analysis.
  • Compliance risk assessment: Risk assessments are mandatory for compliance initiatives. The organization needs technology to manage risk surveys, assessments, and related risk information to report, analyze, model, and treat anti-bribery and corruption risk.
  • Policy management: A core component of a compliance program is the ability to document policies and procedures to maintain a state of compliance. All policies for anti-bribery, corruption and fraud should be documented, maintained, communicated and attested to, with a robust audit trail and content management. This includes code of conduct, anticorruption and other related policies.
  • Training and communication: It is not enough to make written policies available — the organization also needs to train individuals on policies. Organizations increasingly use online training to deliver courses on anticorruption and to test employee understanding of policies and requirements. Some organizations are building portals of anti-bribery and corruption information that integrate policies, training, games, scenarios, and more in an intuitive interface to educate employees.
  • Third-party management and due diligence: Central to an anti-bribery and corruption compliance program is the ability to manage risk presented by third parties such as agents. Due diligence processes are built upon review of third parties and checking against databases of known politically exposed persons. Technology and integration of content feeds enable ongoing due diligence to monitor and score vendor and third-party risk, communicate policies, deliver training, track attestations and deliver surveys and assessments.
  • Internal control monitoring: Anti-bribery and corruption compliance also requires (e.g., the FCPA has books-and-records and internal-control provisions) that the organization have defined and operating controls over financial reporting. This includes a control environment that covers approvals, authorizations, reconciliations, transactions, master data, and segregation of duties.
  • Forms processing and automation: A critical component of an anti-bribery and corruption program is the ability to process and automate forms related to policies and procedures. Transactions and requests for gifts, entertainment, travel, customs and cross-border shipping, charitable giving, political contributions, conflicts of interest, and facilitated payments should be managed through online forms and workflow for approvals with integration into the transaction environment to review history in the course of approval.
  • Issue reporting & investigations management: Technology enables the organization to manage and monitor issues and incidents and collaborate and document investigations. This includes the ability to record issues reported from hotlines and other mechanisms, what actions were taken and the results of the investigation.


Components of an Anti-Bribery & Corruption Program

To effectively prevent and detect issues of corruption, bribery and fraud in business, compliance has to be an active part of the organization and culture. It is a continuous and ongoing process that must be monitored, maintained and nurtured. This requires a new paradigm that moves away from reactive fire-fighting to managing, monitoring for, preventing and detecting corruption and compliance risks: a paradigm to effectively manage anti-bribery and corruption (ABC) across global or domestic business.

There are two primary models to manage compliance to anticorruption obligations:

  1. One approach is build-your-own, ad hoc and ultimately labor-intensive, and produces significant manual processes and documents. Siloed ABC initiatives never see the big picture. An ad hoc approach to ABC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing bribery and corruption risk and compliance. When the organization uses scattered documents and processes that do not collaborate, there is no way to be intelligent about risk and understand its impact.
  2. A more strategic approach focuses on technology designed to manage the complex and diverse needs of anticorruption compliance. In a mature ABC program, the organization has an integrated process in an information and technology architecture that provides visibility across compliance tasks and interactions.

The best offense in anticorruption is a good defense. In today’s complex business environment, incidents do happen. The organization defends itself by demonstrating it uses appropriate compliance measures to prevent and detect corruption and noncompliance. The goal is to have preventive measures in place to avoid corruption issues, while at the same time having detective measures to monitor for instances of corruption and respond quickly and efficiently. This includes reporting and cooperating with authorities in investigations.

An integrated view of the U.S., U.K. and OECD guidance requires that the following compliance elements be in place:

  • Understand your risk: An organization must have a risk-based approach to managing anticorruption. This includes periodic assessment (e.g., annual) of corruption and unethical conduct. However, the risk-assessment process should also be dynamic — completed each time there is a significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies and new markets). Risk assessments should cover exposure to corruption in specific markets, business partners and geographies.
  • Approach compliance in proportion to risk: How an organization implements compliance procedures and controls is based on the proportion of risk it faces. If a certain area of the world or a business partner carries a higher risk for corruption, the organization must respond with stronger procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
  • Tone at the top: The compliance program must be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Management must communicate that they support the anticorruption compliance program and will not tolerate corruption in any form. At the same time, they must be well-informed about the effectiveness and strategies for compliance and anticorruption initiatives.
  • Know who you do business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships, markets and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of corruption risk in a relationship, additional preventive and detective controls must be established in response. This includes knowing your employees and conducting background checks to understand if they are susceptible to corruption and unethical conduct.
  • Keep information current: Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk.
  • Compliance oversight: The organization needs someone who is responsible for the oversight of anticorruption compliance processes and activities. This person should have the authority to report to independent monitoring bodies, such as the audit committees of the board, to report issues of corruption.
  • Established policies and procedures: Organizations need documented and up-to-date policies and procedures. The code of conduct filters down to other policies that address anticorruption, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, facilitation payments and solicitation and extortion. These requirements and processes must be clearly documented and adhered to.
  • Effective training and communication: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement anticorruption training to educate employees and business partners at risk of exposure to bribery, corruption and fraud. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
  • Implement communication and reporting processes: The organization must have channels of communication where employees can get answers on policies and procedures. This could take the form of a help line that allows an individual to ask questions, or a FAQ database, or via form processing for approval on activities and requests. The organization must also have a hotline reporting system for individuals to report misconduct — in the U.S. this is called a whistleblower system, and in the U.K. it is referred to as a speak-up line.
  • Assessment and monitoring: In addition to periodic risk assessment, the organization must also have regular compliance assessment and monitoring activities to ensure that policies, procedures and controls to prevent corruption and bribery are in place and working.
  • Investigations: Even in the best organization, things go wrong. Investigation processes (hotlines, surveys, management reports and exit interviews) must be in place to quickly identify potential incidents of corruption, and quickly and effectively investigate and resolve issues. This includes reporting and working with outside law enforcement and authorities.
  • Internal accounting controls: Organizations must keep detailed records that fairly and accurately reflect transactions and disposition of assets. This includes contract-pricing review, due diligence and verification of foreign business representatives, accounts payable, financial account reconciliation and commission payments.
  • Manage business change: The organization must monitor for changes that introduce greater risk of corruption. The organization must document changes that result from observations and investigations and address deficiencies through a careful program of change management. This requires that business change be monitored by compliance personnel to prevent corruption.

Policy Engagement Starts With Policy Writing

Policy engagement: There is a lot to be said for how technology can make policies easier to find, social, and interactive. In fact, I have been on my soapbox proclaiming next-generation policy and training management for the past decade in which organizations deploy a portal that brings together policies, training, and related resources in one integrated interface that is intuitive and engaging for employees to use. 

Policies define boundaries for the behavior of individuals, business processes, relationships, and systems. At the highest level, policy starts with a code of conduct, establishes ethics and values to extend across the enterprise, and authorizes other policies to govern the entire organization. These filter down into specific policies for business units, departments, and individual business processes. 

To deliver engaging policy requires a firm foundation. We might be quick to think this foundation is technology itself. No. Technology is important, but the foundation for good policy is a well-written policy. A policy that is clear, void of cluttered language, written in the active voice, and delivers the message. 

The typical organization is a mess when it comes to policies. Policies are scattered across the organization, reside in a variety of formats ranging from printed documents to internal portals and fileshares, are out of date and poorly written. Policy writing that is wordy and confusing is damaging to the corporate image and leads to confusion and misunderstanding, which then costs time and money. Organizations are not positioned to drive desired behaviors or enforce accountability if policies are not clearly written and consistent. 

Well-written and well-presented policies aid in improving performance, producing predictable outcomes, mitigating compliance risk, and avoiding incidents and loss. Good policy writing and layout:

  • Articulates corporate culture 
  • Shows that the organization cares about policy 
  • Demonstrates professionalism 
  • Avoids expensive misunderstandings 
  • Aids those that struggle with reading or do not speak the language natively 
  • Provides consistency across policies 

Consider a supply chain code of conduct I was asked to review for a global brand with thousands of suppliers. This code of conduct had long paragraphs that were written in the passive voice and not active voice. It was cluttered with unnecessary and complex language. The audience for this code of conduct is an international audience of whom many did not speak the language of the code of conduct as their native tongue. Further, the first sentence of the first paragraph stated “Company believes …” and the next paragraph began, “Company strongly believes …” Do we have different levels of belief in the code of conduct? 

We are working against ourselves when we deliver such rubbish. A native English speaker might glance over this quickly, but someone who has English as a second language will analyze every word and come to the erroneous conclusion that the second paragraph is more important than the first. Organizations are full of individuals who are not native speakers (or in this case readers) of the language policies are written in. We do them a disservice when we write policy that is not clear and to the point.

Good policy writing is not just about clear and concise language but also about layout and design. How we structure paragraphs and present them in print or digital form matters. 

I have three sons; two are now adults and the third is in his last year of high school. The oldest and youngest do well academically. My middle son is very reliable and can be counted on to get things done but has struggled academically. He is brilliant but has been plagued with a learning disability—dyslexia—his whole life. In educating him, my wife and I tried a variety of options. I remember giving him something to read that was a page of nearly solid text in just a few paragraphs. He struggled to get through it. I then gave him the same text broken out into many paragraphs with plenty of white space between them. His comprehension of the text skyrocketed with the revised version. The text itself did not change, simply the presentation of it. 

When we break policies out into shorter paragraphs and utilize white space it aids in the comprehension of the policy. White space, and in that context design and layout of the policy, is just as important as the actual written words of the policy. 

Critical to the success of policy engagement is a policy style guide. Every organization should have a policy style guide in place to provide clear and consistent policy. This establishes the language, grammar, and format guidance for writing policies. It expresses how to use active over passive voice, avoid complicated language and “legalese,” how to write for impact and clarity, use of common terms, how to approach gender in writing, and even internationalization considerations. 

Benchmarking Your Policy Management Program: Deficient, Common & Leading Practices

Corporate policies define boundaries for the behavior of individuals, business processes, relationships, and systems. At the highest level, policy starts with a code of conduct, establishes ethics and values to extend across the enterprise, and authorizes other policies to govern the entire organization. Unfortunately, most organizations do not connect the idea of policy to the establishment of corporate culture. Without policy, there is no written standard for acceptable and unacceptable conduct — an organization can quickly become something it never intended. Policy attaches a legal duty of care to the organization and cannot be approached haphazardly. Mismanagement of policy can introduce liability and exposure, and noncompliant policies can and will be used against the organization in legal (both criminal and civil) and regulatory proceedings. Regulators, prosecuting and plaintiff attorneys, and others use policy violation and noncompliance to place culpability.

An organization must establish policy it is willing to enforce — but it also must closely manage and monitor policy in place. Policy is a necessary means to clearly define, articulate, and communicate boundaries, practices, and expectations. An organization can have a corrupt and convoluted culture with good policy in place, though it cannot achieve strong and established culture without good policy.

Organizations often lack an auditable means of policy maintenance, communication, attestation, and training. To defend itself, the organization must be able to show a detailed history of what policy was in effect, how it was communicated, who read it, who was trained on it, who attested to it, what exceptions were granted, and how policy violation and resolution was monitored and managed. An ad hoc approach to policy management exposes the organization to significant liability. This liability is intensified by the fact that today’s compliance programs affect every person involved supporting the business, including internal employees and third parties.
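The evidence the paragraph above asks for is a point-in-time question: which version of a policy was in force on a given date, and who had (or had not) attested to that exact version by then. The following is an added example, not code from the original post or from any GRC platform; the record types, policy name and sample events are constructed for illustration. It shows that attestation to an earlier version does not carry forward to a revised one, and that a granted exception is recorded as a distinct kind of evidence rather than as an attestation.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical record types for a policy evidence trail (constructed for this example).
@dataclass(frozen=True)
class PolicyVersion:
    policy_id: str
    version: int
    effective: date
    retired: Optional[date] = None  # None while this version is still current


@dataclass(frozen=True)
class Event:
    kind: str       # one of EVIDENCE_KINDS
    policy_id: str
    version: int    # the exact policy version this evidence applies to
    person: str
    on: date


EVIDENCE_KINDS = ("communicated", "trained", "attested", "exception")


def version_in_effect(versions: List[PolicyVersion], policy_id: str,
                      as_of: date) -> Optional[PolicyVersion]:
    """Return the version of policy_id that was in force on as_of, or None if none was."""
    live = [v for v in versions
            if v.policy_id == policy_id and v.effective <= as_of
            and (v.retired is None or as_of < v.retired)]
    return max(live, key=lambda v: v.version) if live else None


def person_status(events: List[Event], version: PolicyVersion, person: str,
                  as_of: date) -> Dict[str, Optional[date]]:
    """Latest date, on or before as_of, of each kind of evidence for one person
    against one specific version. Evidence against another version is ignored."""
    status: Dict[str, Optional[date]] = {k: None for k in EVIDENCE_KINDS}
    for e in events:
        if e.kind not in status:
            raise ValueError(f"unknown evidence kind {e.kind!r}")
        same_target = (e.policy_id, e.version, e.person) == (version.policy_id, version.version, person)
        if not same_target or e.on > as_of:
            continue
        if status[e.kind] is None or e.on > status[e.kind]:
            status[e.kind] = e.on
    return status


def attestation_gaps(versions: List[PolicyVersion], events: List[Event], policy_id: str,
                     population: List[str], as_of: date) -> List[str]:
    """People bound by the version in force on as_of who had neither attested to it
    nor been granted an exception by that date."""
    v = version_in_effect(versions, policy_id, as_of)
    if v is None:
        raise ValueError(f"no version of {policy_id} was in effect on {as_of}")
    gaps = []
    for person in population:
        s = person_status(events, v, person, as_of)
        if s["attested"] is None and s["exception"] is None:
            gaps.append(person)
    return gaps


# Constructed sample data: one policy with two versions and three people.
VERSIONS = [
    PolicyVersion("ACCEPTABLE-USE", 1, date(2013, 1, 1), retired=date(2014, 3, 1)),
    PolicyVersion("ACCEPTABLE-USE", 2, date(2014, 3, 1)),
]
EVENTS = [
    Event("communicated", "ACCEPTABLE-USE", 1, "alice", date(2013, 1, 5)),
    Event("attested", "ACCEPTABLE-USE", 1, "alice", date(2013, 2, 1)),
    Event("attested", "ACCEPTABLE-USE", 1, "bob", date(2013, 2, 5)),
    Event("communicated", "ACCEPTABLE-USE", 2, "alice", date(2014, 3, 2)),
    Event("attested", "ACCEPTABLE-USE", 2, "alice", date(2014, 3, 10)),
    Event("exception", "ACCEPTABLE-USE", 2, "carol", date(2014, 3, 5)),
]
POPULATION = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for day in (date(2013, 1, 15), date(2014, 2, 1), date(2014, 4, 1)):
        v = version_in_effect(VERSIONS, "ACCEPTABLE-USE", day)
        print(day, "version", v.version, "gaps:", attestation_gaps(VERSIONS, EVENTS, "ACCEPTABLE-USE", POPULATION, day))
```

Run as a script it prints, for each date, the version in force and who could not be shown to be bound by it. Bob attested to version 1 but never to version 2, so he appears as a gap once version 2 takes effect; Carol holds an exception to version 2 and is not a gap there, but she never attested to version 1 and shows as a gap while that version was in force.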

If policy documentation doesn’t conform to an orderly style and structure, uses more than one set of vocabulary, is located in different places, and doesn’t offer a mechanism to gain clarity and support (e.g., a policy helpline), the organization is not positioned to drive desired behaviors in corporate culture or enforce accountability.

With today’s complex business operations, global expansion, and the ever changing legal, regulatory and compliance environments, a well-defined policy management program is vital to enable an organization to effectively develop and maintain the wide gamut of policies it needs to govern with integrity.

GRC 20/20’s Effective Policy Management Benchmark provides a framework for an organization’s approach to policy management to be measured against its peers within industry as well as organizations of similar size and structure across industries. The purpose is to identify whether an organization is Below Parity, at Parity, or Above Parity relative to its peers in the context of policy management.  Where an organization is significantly lacking ability it is ranked Inferior, while an organization that demonstrates outstanding ability is referenced as Best in Class.

The Effective Policy Management Benchmark can be used at a department or enterprise level. The Benchmark comparison is based on GRC 20/20 research and interactions. These interactions include projects, surveys, inquiries, and advisory engagements. The rankings are a guideline and represent GRC 20/20’s opinion and professional experience working with a variety of organizations across industries.

There is not a one-size fits all approach to policy management.  One organization’s approach to policy management will vary from another depending on size, nature of the business, scope of policies, resources, and executive sponsorship of a policy management program.  Care must be given when measuring an organization as many facets need to be taken into consideration.

GRC 20/20’s Effective Policy Management Benchmark synthesizes GRC 20/20 research and analysis of the following six key Policy Management Program components:

  1. Governance of Policy Management Program. Policy management program governance comprises the program management architecture, policy review cycles, executive “tone from the top” on policy governance, extending policy governance to mergers and acquisitions, compliance monitoring and assurance activities, and management reporting and dashboards.
  2. MetaPolicy.  The MetaPolicy, often referred to as the “policy on policies,” is the foundation on which to build an effective policy management program. It defines the critical elements of the organization’s policy management program. 
  3. Supporting Policy Management Resources.  Supporting the MetaPolicy, is an array of other resources to build out the policy governance process within an organization.  
  4. Policy Management Lifecycle.  The policy management lifecycle is the actual operation and process of the MetaPolicy in action to develop, manage, and maintain policies throughout their effective use. Failure to manage policy lifecycles results in policies that are out-of-date, ineffective, and not aligned to business needs. It also opens the door to liability when an organization is held accountable for a policy that is not appropriate or properly enforced. 
  5. Operational Effectiveness of Policy Management Program.  The Operational Effectiveness component of the Effective Policy Management Benchmark addresses how effectively the governance of the policy management program (component 1) and the policy management lifecycle (component 4) are implemented and managed across the organization. 
  6. Technology Enablement of Policy Management Program. A well-conceived technology strategy for policy management can enable a common policy framework across multiple entities, or just one entity or department as appropriate. Business requires a policy management platform that is context-driven and adaptable to a dynamic and changing environment. Compared to the ad hoc method in use in most organizations today, a governance, risk management, and compliance (GRC) technology approach to policy management enables better performance, less expense and more flexibility. 

GRC 20/20 does a number of benchmark projects for organizations.  The Effective Policy Management Benchmark is one among several, others include Effective GRC Management, Effective Risk Management, and Effective Compliance Management Benchmarks.

The latest GRC 20/20 research paper, which provides more detail on the Effective Policy Management Benchmark, has recently been published on the GRC 20/20 Research website. It is free to access but requires registration.

There are also a variety of upcoming webinars GRC 20/20 is presenting on the topic of Policy Management in August. These include:

Where Risk (and GRC) Technology Fails

Risk management is a huge topic these days with organizations looking for solutions to help them manage enterprise and operational risk across the departments and functions. However, there are many risk management technology projects that have failed to meet expectations, have gone over budget, and well past project deadlines.

Why? . . . there are many reasons. 

One is simply that the organization is trying to do too much too fast. They are overly ambitious on what can be achieved in a given time frame. This is particularly true when risk management has been an ad hoc “fly by the seat of our pants” operation (Urban Dictionary: to pilot a plane by feel and instinct rather than by instruments, to proceed or work by feel or instinct without formal guidelines or experience). Many areas of the organization have not thought through risk management and then it is pushed upon them.

Another reason is a failure to align risk with business strategy, objectives, and performance. The ISO 31000:2009 definition of risk is “the effect of uncertainty on objectives.” This might be done well at the level of a project or an operational process, but as you roll out enterprise and operational risk technology the organization fails to provide the alignment of risk to business strategy and objectives.

The primary and disastrous failure of risk technology implementations I want to focus on in this post is risk normalization and aggregation. This is something that the major analyst firms leave out of their reviews and ranking of GRC solutions (note: GRC is a broad market and includes the range of risk management technology solutions available).

Risk normalization is simply the ability to compare apples to apples. If one department’s high risk is another department’s low risk this should be evident in risk reporting. Risk aggregation is the ability to take risks from different areas of the business and roll them up into an enterprise view of risk that makes sense. Risk normalization and risk aggregation work hand in hand. To aggregate risks properly requires that the technology have the logic to do risk normalization.

CASE IN POINT: I will never forget a panel I hosted at a GRC conference. On this panel was the Corporate Secretary/Assistant General Counsel for a major financial services brand. This role was responsible for the overall risk and GRC reporting that went to the Board of Directors. He stated to all in attendance that his Board never wants to see a risk report from their __________ GRC platform again (consistently a leader in major analyst reports).  Explaining this further, he stated the risk reports were broken and meaningless as one department’s high risk was discovered to be another department’s low risk and everything globulated to the center on heat maps and made no sense (my view of risk heat maps is that they are often very broken and misused).

If Department A’s risk exposure is $10 million and ranked a high risk and Department B’s risk exposure is $100 million and ranked a medium risk, the overall risk report needs to reflect this accurately.  Organizations run the ‘risk’ that Department A’s risk will be focused on while Department B’s may be overlooked. This is oversimplification, there are many other variables such as frequency, probability/likelihood, velocity, and more to consider as well.
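To make the Department A / Department B comparison concrete, here is an added example (not code from the original post, and not any vendor's platform logic) of what normalization has to do before aggregation is meaningful. It assumes each department records a dollar exposure and an annual likelihood alongside its own local rating, normalizes everything to expected annual loss in dollars, re-rates on a single enterprise scale, and contrasts that with the "flat" approach of averaging local ordinal scores. The dollar figures, likelihoods and enterprise thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    dept: str
    name: str
    local_rating: str    # rating on the department's own scale
    exposure_usd: float  # loss if the event occurs, in dollars
    likelihood: float    # estimated annual probability, 0..1


# Enterprise scale: bands on expected annual loss (EAL), highest first.
# Illustrative thresholds, not a standard.
ENTERPRISE_BANDS: List[Tuple[str, float]] = [("High", 10e6), ("Medium", 1e6), ("Low", 0.0)]

# Local ordinal scores that a flat platform would average across departments.
ORDINAL = {"Low": 1, "Medium": 2, "High": 3}


def expected_annual_loss(risk: Risk) -> float:
    """Normalize a risk to a common unit: dollars of expected loss per year."""
    if not 0.0 <= risk.likelihood <= 1.0:
        raise ValueError(f"{risk.name}: likelihood must be a probability")
    if risk.exposure_usd < 0:
        raise ValueError(f"{risk.name}: exposure cannot be negative")
    return risk.exposure_usd * risk.likelihood


def enterprise_rating(eal: float, bands: List[Tuple[str, float]] = ENTERPRISE_BANDS) -> str:
    """Map a normalized EAL onto the enterprise scale (first band whose floor it meets)."""
    for label, floor in bands:
        if eal >= floor:
            return label
    return bands[-1][0]


def normalize(risks: List[Risk]) -> List[Tuple[Risk, float, str]]:
    """Re-rate every risk on the enterprise scale, keeping the local rating for comparison."""
    out = []
    for r in risks:
        eal = expected_annual_loss(r)
        out.append((r, eal, enterprise_rating(eal)))
    return out


def aggregate_by_dept(risks: List[Risk]) -> Dict[str, float]:
    """Roll normalized EAL up to the department level; dollars add, ordinal labels do not."""
    totals: Dict[str, float] = {}
    for r in risks:
        totals[r.dept] = totals.get(r.dept, 0.0) + expected_annual_loss(r)
    return totals


def naive_ordinal_average(risks: List[Risk]) -> Dict[str, float]:
    """What a flat platform does: average local ordinal scores and lose the dollar context."""
    by_dept: Dict[str, List[int]] = {}
    for r in risks:
        by_dept.setdefault(r.dept, []).append(ORDINAL[r.local_rating])
    return {d: mean(v) for d, v in by_dept.items()}


# Constructed sample register: Department A's "High" is $10M exposure,
# Department B's "Medium" is $100M exposure, as in the text above.
SAMPLE_RISKS = [
    Risk("Department A", "Key vendor outage", "High", 10e6, 0.5),
    Risk("Department A", "Office flood", "Low", 2e6, 0.05),
    Risk("Department B", "Trading system failure", "Medium", 100e6, 0.2),
    Risk("Department B", "Regulatory fine", "Medium", 50e6, 0.1),
]

if __name__ == "__main__":
    for r, eal, rating in normalize(SAMPLE_RISKS):
        print(f"{r.dept:13} {r.name:24} local={r.local_rating:6} EAL=${eal/1e6:6.2f}M enterprise={rating}")
    print("aggregated EAL by department:", {d: f"${v/1e6:.2f}M" for d, v in aggregate_by_dept(SAMPLE_RISKS).items()})
    print("naive ordinal average (everything lands at 2.0):", naive_ordinal_average(SAMPLE_RISKS))
```

On the constructed register, Department A's locally "High" vendor outage normalizes to $5M of expected annual loss, an enterprise "Medium", while Department B's locally "Medium" trading failure normalizes to $20M, an enterprise "High"; the department totals ($5.1M versus $25M) preserve that ordering. The naive ordinal average scores both departments at exactly 2.0, which is the heat-map collapse to the center that the panelist described.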

The challenge is that many risk management solutions (including some leading GRC platforms) were developed as a department level solution for risk.  They have a fairly flat view of the world. This leads to two points of risk technology failure in solutions that do not have native approaches for dealing with risk normalization and aggregation:

  1. Force everyone into one flat view of risk. This essentially pushes every department and function into the lowest common denominator. All have to manage risk to a common set of criteria and scoring, and individual departments lose the depth and detail they need within their specific context. It limits the ability to get a true department perspective of risk for the sake of enterprise risk reporting that is in turn degraded and can no longer be trusted, as departments lose the granularity needed to accurately measure and manage risk to their specific needs. There is a need to measure, model, and analyze risk in different ways in different departments/functions of the organization. The way an organization measures and models market risk will be different from how it models health & safety risk.
  2. Expensive services engagement to build out. Solutions that do not have risk normalization and aggregation as native features inherent in their technology will address this issue through implementation projects that are expensive and take a lot of time. GRC 20/20 has seen risk/GRC implementation projects that typically span from six months to over two years to roll out. The most common reason is customizing the platform to do risk normalization and aggregation. Then the platform breaks during the next upgrade process because of the behind-the-scenes customization of logic and rules done to support risk normalization and aggregation. 

BOTTOM LINE: when buying risk/GRC technology solutions that are to do risk reporting across risk areas, make sure that the solution has been designed from the ground up to measure and model risk in the variety of ways different areas need and that the solution supports risk normalization and aggregation without the need for expensive customization and implementation projects. Further, do not assume that a ‘Leader’ in analyst reports actually has addressed risk normalization and aggregation because many of them have not. Failure to consider this may mean expensive implementation projects that take more time than expected, result in broken upgrades, and outright scrapping the platform to move to a different solution. GRC 20/20 has seen it all happen.

I encourage you to share your experience and insight into this issue below.  It is one that GRC 20/20 has encountered several times in the market. Be bold; help other organizations understand this issue and its impact if not considered up front.

If you are considering risk technology to use within your environment, click on the Ask Inquiry button to the right.  GRC 20/20 offers complimentary inquiries to organizations evaluating GRC technology, solutions, and services. We are here to provide you insight into the market to make intelligent choices. GRC 20/20 can give you specific insight into what solutions do what aspects of risk management and GRC well and which do not.

Mature Governance, Risk Management & Compliance Needs an Enterprise Architecture Approach

Continued on the MEGA Corporate Governance Blog (The GRC Pundit is a guest blogger) . . .

Read more: http://community.mega.com/t5/Blog/Mature-Governance-Risk-Management-amp-Compliance-needs-an/ba-p/9315

2014 GRC Value Award Nominations are Being Accepted

The 2014 GRC Value awards are to recognize GRC solutions that have returned significant and measurable value to an organization.

Technology, content, and professional service providers can all submit a nomination for a solution or service.  However, the nomination must be on a specific implementation/project in a verifiable client.  No generalizations or consolidations of multiple clients.  The GRC Value awards are to acknowledge specific QUANTIFIABLE value in a specific instance.  Every nominee, if selected for final recognition (both solution provider and client), must be willing to spend up to an hour on the phone (separately and not together) to discuss the submission and validate its accuracy.  Only the top nominations in each category will go through the validation process. 

All award submissions are based on a single real-world implementation.   Factual accuracy and integrity is necessary.  GRC 20/20 will take all the nominations and select in each category the submissions that articulate the greatest quantifiable value in objective, measurable terms.  We are looking for hard facts not just soft bullet points.  Time saved, dollars saved, FTEs reduced.  Numbers win, generalizations lose.  Every submission must have contact information of the organization that claims to have received this value.  These organizations will be contacted and interviewed to determine if they have actually received the stated value as portrayed.  Any misrepresentation of issues found will disqualify the nomination from receiving the award and the next set of nominations in each category will be evaluated.   

Each recipient of an award will be written up and acknowledged.  Details of the nomination will be referred to but can be handled anonymously (if formally requested) in award announcements/communications from GRC 20/20.

Nominations must be received by June 30, 2014.  Recipients will be notified in August 2014 at least two weeks before formal announcements/publications are made in early September 2014.

Download the nomination form:

2014 GRC Value Nomination Form.docx


Inevitable Failure: Disconnected Risk & Policy Management

Business is complex.  Gone are the years of simplicity in business operations.  Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management and compliance (GRC) professionals throughout the business.

The modern organization is:

  • Distributed.  The smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner and client relationships. Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations.  An interconnected mesh of relationships and interactions that span traditional business boundaries now defines the organization.  Complexity grows as these interconnected relationships, processes and systems nest themselves in intricacy, such as deep supply chains.
  • Dynamic.  Organizations are in a constant state of flux.  Distributed business operations and relationships are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology and processes while keeping current with changes to risk and regulatory environments around the world. Multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit and operational risks across the globe.  Regulatory change has more than doubled in some industries in the past five years and has grown for all industries.  Managing risk, regulatory and business change on numerous fronts has buried many organizations.
  • Disrupted.  The explosion of data in organizations has brought on the era of “Big Data” and with that we now have “Big GRC Data.”  Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes and relationships to see the big picture of performance, risk and compliance. The velocity, variety, and volume of data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.

Many organizations are hindered when aspects of GRC are managed in disconnected silos that do not share information and collaborate.  Mature GRC programs are those that have an information architecture that can show the relationship between objectives, risks, obligations, policies, controls and events.  The problem is that organizations lack a solid information architecture to map information and therefore struggle to build knowledge out of remote data points. 

A backbone of GRC is risk management.  Organization objectives, performance and strategy are the primary alignment of GRC, but in the bowels of GRC processes it is risk management that provides the critical linchpin that connects GRC processes and activities together.  To effectively manage risk requires that the organization have a thorough context of risk relationships to other aspects of GRC such as policies, controls and events. However, the dynamic and global nature of business is challenging for risk management. As organizations expand operations and business relationships their risk profile grows exponentially. Organizations need systems and information to monitor risk to business internally (e.g., strategy, processes and internal controls) and externally (e.g., legal, regulatory, competitive, economic, political and geographic environments) to stay competitive. What may seem an insignificant risk in one area can have profound impact on others. This requires that the organization be thoroughly risk intelligent — the ability to think holistically about risk and uncertainty, speak a common risk language and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities and creating lasting value. 

Isolated Risk and Policy Initiatives Introduce Greater Risk

Managing risk in today’s dynamic and distributed business environment is not an easy task. Risk management does not happen in a vacuum — it requires context and follow through. The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined and communicated.  

The formal definition of GRC is the capability to reliably achieve objectives, address uncertainty, and act with integrity:

The reliable achievement of objectives is governance, understanding and addressing uncertainty is risk management, and acting with integrity is compliance.  All three provide a natural flow.  Governance provides strategy and objectives that deliver the context for risk management.  Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries (policies & controls) and expectations so the organization can reliably achieve those objectives.  Compliance then ensures that the organization stays within the boundaries (policies & controls) set by risk management as it aims to reliably achieve objectives. 

The Bottom Line: Risk management activities managed separately from corporate policies leads to inevitable failure. Without an integrated approach to risk management and policy management the organization has no follow-through. Risk management is useless if it cannot be tied to boundaries for acceptable and unacceptable risk that are defined and communicated in policies throughout the organization. 

A nonintegrated approach to risk and policy management impacts business by not being efficient, effective or agile, resulting in:

  • Inefficient alignment. Organizations take a Band-Aid approach and manage risk disconnected from policies instead of thinking of their relationship and dependence upon each other.  Every policy in the environment is a risk document — there would not be a policy if there was not a risk. When policy management is disconnected from risk management the organization ends up with policies that are not clearly aligned and are managed out of context of the risk they address. 
  • Poor visibility across the enterprise. Separate risk management and policy initiatives result in an organization that does not see the big picture – it fails to measure policy in the course of business conduct and how it impacts risk exposure and management. The organization ends up with islands of policies that are not understood in the framework of risk.
  • Overwhelming complexity. Non-integrated risk management and policy management processes increases complexity. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently by introducing more points of failure, gaps and unacceptable risk. Inconsistent risk management and policy processes not only confuse the organization but also regulators, stakeholders and business partners. 
  • Lack of business agility. The organization is constantly changing and  therefore its risk profile is changing.  The inability to have a view into the relationship of risk to current policy handicaps the business. The organization is incapable of agility in a demanding, dynamic and distributed business environment. People are bewildered by a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic. 
  • Greater exposure to non-compliance and vulnerability. When policy is not written and enforced in the context of risk management, the focus is on what is immediately needed to get the job done.  This leads to processes and individuals that step out of line, take more risk than the organization wants, or violate policy. Most often an organization’s policies are out of date relative to its current risk profile, non-existent, or not enforced in proportion to risk.

What may seem like an insignificant risk from one perspective may very well have a different appearance when other perspectives are factored in. Organizations with siloed risk management and policy processes face inefficiency, out-of-sync controls and out of date or insufficient policies that are inadequate to manage risk. Organizations fail and are encumbered by complexity because they manage policy within specific issues, without regard for a common integrated risk and policy framework. 

More on this topic can be found in the following items from GRC 20/20 . . .