Category: The GRC Pundit Blog

I am in London throughout June and interacting with various GRC RFPs in the United Kingdom; several are focused specifically on third-party risk management. Next week, many UK organizations will gather for my Third-Party Risk Management by Design workshop in London. Let’s explore the challenges these organizations and others around the world are facing in this context . .  .

In today’s interconnected business landscape, organizations are more reliant than ever on a complex web of third-party relationships. While this reliance is beneficial, it introduces significant risks that need to be managed effectively to ensure resilience, compliance, and integrity in and across these relationships. The governance, risk management, and compliance (3^rd Party GRC) of these third-party relationships are critical yet fraught with challenges that require a sophisticated and integrated approach. 

NOTE: I prefer third-party GRC over third-party risk management as, at the end of the day, it starts with governing relationships to achieve the objectives of the relationship and the business. Focusing on risk before governance is putting the cart before the horse. But I refer to third-party risk management as it is what is commonly used.

The Modern Organization’s Third-Party Landscape

Modern organizations operate in an environment that extends far beyond their physical and organizational boundaries. They depend on the extended enterprise of third parties, including suppliers, vendors, partners, and service providers, which collectively form an intricate web of interactions and dependencies that nest themselves in deep supply chains and subcontractors. This extended enterprise necessitates a robust mechanism for third-party risk management to navigate the inherent uncertainties and avoid disruptions that could impact business objectives.

The challenges organizations face in third-party risk management are:

• Fragmented Views and Siloed Oversight. One of the primary challenges in third-party risk management is the fragmented nature of oversight. Different business functions/departments often manage their third-party relationships independently, leading to silos that obscure the full spectrum of risk. This disjointed approach prevents organizations from seeing the cumulative risk exposure, which can be significant when aggregated across all functions.
• Limited Resources and Manual Processes. Organizations often struggle with limited resources to handle the growing risk and regulatory demands. Many still rely on manual processes such as spreadsheets, emails, and file shares to manage third-party risk, which is neither efficient nor scalable. This approach can lead to overlooked risks and delayed responses to emerging threats.
• Incomplete Risk Coverage. Another significant issue is the limited view of third-party risk vectors. Many organizations focus predominantly on financial and cyber risks, neglecting other critical areas such as compliance, operational risks, environmental, social, and governance (ESG) factors, and geopolitical risks. This narrow focus leaves the organization vulnerable to a broader range of risks.
• Overreliance on Periodic Assessments. Traditional risk management practices often involve periodic assessments at the onboarding stage and at set intervals thereafter. This sporadic monitoring fails to capture the dynamic nature of third-party risk, which can change rapidly between assessments. Continuous, real-time risk monitoring is essential to maintain an up-to-date understanding of third-party risks.
• Inadequate Incident Response & Issue Management. When incidents occur, the typical response involves sending surveys to third parties to assess the impact. This process is time-consuming and often yields low response rates. This reactive approach does not provide the real-time insights necessary to mitigate risks effectively as incidents unfold.
• Information Overload. Risk intelligence feeds can overwhelm organizations with vast amounts of data, much of which may be irrelevant or false positives. This deluge of information requires intelligent filtering to ensure that only actionable insights are highlighted, enabling risk teams to focus on critical issues.

The Need for an Integrated Third-Party GRC/Risk Management Approach

To address these challenges, organizations must adopt an integrated approach to third-party risk management that leverages both third-party risk intelligence content and robust risk management platforms. This approach should encompass the entire lifecycle of third-party relationships—from onboarding to ongoing monitoring and assessment to offboarding.

Some core elements of an integrated third-party risk management architecture

• Comprehensive Risk Framework. A hierarchical framework that categorizes third-party risk domains, ensuring all potential risk areas are covered.
• Intelligence Content Aggregation. Aggregating third-party risk intelligence from various sources, including regulators, law firms, feeds, and expert blogs, using automation and AI to filter out noise.
• Metrics, Dashboarding, and Reporting. Tools to monitor and report on third-party risk, providing visibility into current exposures and emerging risks.
• Defined Roles and Responsibilities. Clear assignment of third-party risk management responsibilities to subject matter experts (SMEs) within the organization.
• Workflow, Task & Process Management. Structured workflows to manage third-party governance, risk, and compliance across the onboarding, ongoing monitoring, issue resolution, and offboarding processes. This includes ongoing risk mitigation actions, ensuring accountability, and timely responses.
• Accountability Tracking. Ensuring that all third-party risk-related tasks are tracked and managed effectively.
• Business Impact Analysis. Assessing the impact of third-party risk changes on the organization and the supply chain, communicating these to relevant stakeholders.
• Mapping Risks to Policies and Controls. Linking third-party risks to organizational policies, controls, and processes to facilitate comprehensive risk management.
• Audit Trails and Reporting. Maintaining a detailed record of risk management activities and providing comprehensive reporting capabilities.

The Role of Artificial Intelligence in Enhancing Third-Party Risk Management

As organizations continue to grapple with the complexities of third-party risk management, artificial intelligence (AI) emerges as a powerful enabler, driving further efficiency and effectiveness in risk management processes. AI’s capabilities in aggregating risk intelligence content from diverse sources and automating assessments are particularly transformative.

AI can significantly enhance third-party risk intelligence content aggregation by leveraging advanced data processing and machine learning algorithms. Here’s how AI contributes to this critical aspect:

• Intelligent Data Aggregation. AI systems can scan and aggregate data from a vast array of sources, including regulatory updates, news feeds, legal documents, and social media. By processing this data in real-time, AI ensures that organizations have access to the most current risk information.

• Noise Reduction. One of the major challenges in risk intelligence is sifting through the sheer volume of data to identify relevant insights. AI algorithms can filter out noise and false positives, delivering only pertinent information to risk managers. This reduces the burden on human analysts and enhances the focus on critical risks.

• Contextual Analysis. AI can analyze data in context, understanding the nuances and implications of risk-related information. This capability allows AI to provide more accurate and actionable insights, tailored to the specific needs and risk profiles of the organization.

AI-driven automation of assessments and continuous monitoring is another area where AI proves invaluable. Here are the key benefits:

• Real-Time Risk Assessments. AI can automate the initial and ongoing risk assessments of third-party entities, continuously monitoring changes and providing real-time updates. This ensures that organizations are always aware of their current risk landscape and can respond promptly to emerging threats.

• Enhanced Predictive Capabilities. By analyzing historical data and identifying patterns, AI can predict potential risk events before they occur. This proactive approach allows organizations to implement preventative measures, reducing the likelihood of adverse incidents.

• Scalability and Efficiency. AI-driven automation can handle large volumes of assessments simultaneously, something that would be impractical with manual processes. This scalability ensures that even organizations with extensive third-party networks can maintain robust risk management practices without overburdening their resources.

• Consistent and Objective Evaluations. AI provides consistent and objective risk evaluations, eliminating human biases and errors. This consistency is crucial for maintaining the integrity and reliability of risk management processes across the organization.

• Dynamic Risk Scoring. AI systems can dynamically adjust risk scores based on real-time data, ensuring that risk ratings accurately reflect the current risk environment. This adaptive approach allows organizations to prioritize their risk mitigation efforts more effectively.

Incorporating AI into third-party risk management strategies empowers organizations to manage their extended enterprise with greater agility, accuracy, and efficiency. By automating data aggregation and assessments, AI enhances the quality of risk intelligence and frees up human resources to focus on strategic decision-making and critical risk mitigation efforts.

Integrating AI into third-party risk management processes marks a significant advancement, enabling organizations to navigate the complexities of their third-party relationships with confidence and foresight. As AI technology evolves, its role in enhancing third-party risk management will only grow, offering even more sophisticated tools and capabilities to safeguard the extended enterprise against an ever-changing risk landscape.

Adopting this approach will enable organizations to move beyond outdated, manual processes and towards a more agile, efficient, and effective system of managing third-party risks, ultimately securing their extended enterprise against potential disruptions and ensuring sustainable business operations.

Governance, Risk Management & Compliance (GRC) – along with all of its segments of ESG, third-party risk, audit, internal control and more – are hot topics globally, but particularly across Europe. The European market for GRC-related solutions, professional services, and intelligence/content is by far the busiest globally. The Middle East market for the same is the fastest-growing market.

I am headed right now to the United Kingdom for the next three weeks. I see a lot of activity across the UK, Nordics, DACH, and Benelux regions of Europe particularly. The United Kingdom is the busiest followed by these others. Currently, I am interacting on 14 RFPs at various stages in the UK, and there are more beyond that. The UK has its own regulatory and risk drivers, but many UK firms also have to respond to EU regulatory and risk drivers because of their presence in the EU as well. These interactions span from small organizations with 500 employees to the large global enterprises. They span industries from construction, life sciences, education, manufacturing, to financial services.

Over the next three weeks, the following are the hot topics I am interacting on in the United Kingdom in both speaking/event engagements as well as meetings with organizations looking for GRC solutions and professional services that seek my guidance on who to engage and why:

• Regtech/Fintech in Financal Services. I have four meetings set up with financial services firms looking for the latest in regtech solutions for regulatory change, monitoring/transactions/surveillance, consumer duty, SMCR, and KYC/AML. Even the leading USA financial services firms have their regtech experts operating out of London and not the USA. London is the regtech and fintech capital of the world. In addition to this, I am presenting my thoughts on RegTech at the following event:
  • June 26 @ 4:30 pm – 7:00 pm BST, RegTech Panel & Discussion
• Third-Party Risk Management. This is one of the hottest topics. There are three RFPs that I am interacting on specifically on third-party risk while there are several broader RFPs that include third-party risk in the breadth of functionality they are seeking. I will deliver my following workshop in London on this topic:
  • June 25 @ 10:00 am – 6:00 pm BST, Third-Party Risk Management by Design, LONDON
• I.T. Risk/CyberRisk Management. This is a particularly hot topic of interaction over the next three weeks. It is part of many of my meetings/interactions, and I already have over 60 that are registered and confirmed for my workshop in London this week on the topic:
  • June 12 @ 10:00 am – 4:00 pm BST, IT Risk/GRC Management by Design, LONDON
• Risk & Resilience Management. This is a huge subject of interaction over the next several weeks. While there are particular regulations in financial services, such as UK Operational Resilience and EU DORA, it is a topic of interest across industries in the UK and drives a lot of RFPs right now. There are two in financial services I am interacting with that are trying to harmonize a program that can address both UK Operational Resilience and EU DORA into one program. I will be presenting on Risk and Resilience at the following event in London:
  • June 19, Agility UK, LogicGate
• A.I. Governance/GRC. Every interaction and event I am part of over the next three weeks will include artificial intelligence. Whether it is the use of AI for GRC (what I call Cognitive GRC), but most often it is the governance of AI (what I call AI GRC). There are a lot of organizations responding to the EU AI Act particularly. I will be conducting a workshop on this topic:
  • June 21 @ 9:30 am – 1:30 pm BST, A.I. Governance & Risk Management Workshop, LONDON
• ESG – Environmental, Social, Governance. ESG is a very hot topic across Europe as 50,000 firms have to respond to the EU CSRD (and EU CSDDD in the context of third-party risk management). Of these firms, 12,500 have to start reporting in January 2025 (just 7 months away) and better be collecting data now. This is the topic in several of my RFP interactions for organizations building toward this now. Some of these are the focus of the RFP, others it is part of a broader GRC RFP.
• Internal Control & UK Corporate Governance Code. Another consistent topic across the range of the above interactions is the management and automation of internal controls. The UK Corporate Governance Code remains a big driver for RFPs in this area, even though it was scaled back when it was finalized in January. It is also a topic related to the ESG and other topics above in these conversations/interactions I am engaged in, including the RegTech panel above.

If you are in London over the next three weeks, reach out to me. If my schedule permits, I am always happy to stop by for an hour at your office or get a pint or coffee and discuss the breadth of GRC solutions, professional services, and intelligence/contet offerings in the market and my thoughts on particular ones. My job is research. I research what the challenges organizations face in context of governance, risk management, and compliance and how they go about solving those challenges with strategy, process, technology, and services.

Yesterday, I was in a hurry. I had a family medical appointment and needed to get back to the office. I got to our apartment, hopped on my bicycle, and took off for a five-block ride to the office. Intent on getting to my destination, I failed to be present where I was at the moment. My bike tire got caught in the light-rail tram tracks (The Hop in Milwaukee) and threw me. I skidded across the pavement and now have a bruised and banged-up body (but nothing broken or serious).

This is the second time those tram tracks have taken me for a spill, but have caused much greater hurt to others. My wife and I were walking and helped a young lady who needed to get to the emergency room as she was seriously injured a few years back. Two of my adult sons separately saw nasty bike accidents last week on those tracks. Even the lady at the bar in the public market shared her stories with me last night of people who have taken a spill on bikes from those train tracks.

Of course, this got me to thinking about the number of GRC-related RFPs I have interacted on that also have ended up in ‘crashes.’ Sometimes during the RFP, other times a year or two later. Too often from the same issues across RFPs that fail to pay attention to the details.

I work on A LOT of GRC-related RFPs. By related, I mean they are in a broad array of GRC domains and functionality. Some are for a broad enterprise GRC platform; others are focused on a specific aspect, like the array of third-party governance/risk management RFPs I am currently or regulatory change management RFPs I am currently interacting on. There are currently 14 RFPS of various GRC scopes with which I am interacting on in the United Kingdom (I am in the United Kingdom helping with several of these as well as other engagements from June 11th to 28th, if you are in the UK and want to get a pint, coffee, or have me stop by the office in London . . . let me know). Looking at my inquiries and engagements, there are 31 RFPs across Europe that I have interacted with recently (in addition to the UK ones). Two-thirds are in the DACH and Nordic regions, and then BENELUX is the next busiest. And 8 across North America. Several more in the Middle East and across Asia Pacific.

For some of these, my involvement is deep in establishing requirements and being an advisor throughout the process. For others, it is just a quick conversation where they want my perspective on who they are evaluating/considering. Sometimes, I get engaged at the beginning of the RFP in building a business case, and other times, I am asked for my perspective when they are down to the final 3.

I can point to highly successful GRC-related RFPs where the organization is extremely happy with the selection and implementation (I am happy to provide references and introductions where appropriate). Sadly, I can point to RFPs that have been wrecked and crashed, which have led to people losing their jobs and the projects failing (sometimes from not following my advice).

Like riding a bike, you need to know where you are starting from, what your destination is, and be present in evaluating what is around you as you progress through your GRC-related RFP.

GRC-related RFPs fail when:

• You blindly listen to analyst opinions. Yes, I am an analyst (and would think you should listen to my opinion). The analyst industry is a mess right now. Too often, some analyst firms have commoditized their research and fail to deliver objective value. In one firm’s last three reports comparing solutions, I have seen them rank one vendor as a leader in Enterprise GRC Platforms. This solution did not have a publicly available enterprise/operational risk management module at the release of these three reports. How can you be a leader in GRC without a risk management module? Too many analyst firms do not want to have live demos and do not want to work with the solution themselves in a sandbox. Instead, they want video demos submitted. Really??? That opens the doors to a lot of fiction. They also do not want to talk directly to client references but want to do web surveys. This is not market research where you can get into stories and ask hard questions (see below).
• You fail to test the product. I have seen people lose their jobs for choosing the wrong solution. They listen to the marketing and sales pitches, fail to dive deep into the product capabilities, and seek client references for similar implementations (size and industry). I remember one RFP where I advised them against the solution they chose. They were twitter-paited with the vision and story of marketing and sales. Additionally, the major analyst firms told them to select it. I told them NOT TO. I simply stated that there was no way that the solution they chose could support the complexity of their program. I was right. They came back less than two years later and said they wish they had listened to me and that they were back in RFP. The sad thing is that there are several that story fits.
• You blindly believe the RFP submissions. Solution providers realize that if they say yes to everything in an RFP, their chances of making the cut to the finalists and doing the live demos and POCs are much improved. Too often, the answers in RFPs are misleading and false. The functionality does not exist, or the solution provider believes they can build it on delivery. I have come into RFPs that have failed, and in reviewing them, I asked about the solutions I thought would be the ideal fit and found they were discredited as they did not answer the RFP as positively as the one that won the RFP (who misrepresented their capabilities in the RFP). I have even caught solution providers demoing competitor capabilities in RFPs; capabilities they did not have.
• You do not investigate what is meant by “no-code” solutions. Organizations want solutions that are easy to deploy and maintain and do not break on upgrades because of all the heavy customization. They desire agile solutions, what I call Agile GRC (GRC 4.0). So the world has moved to the marketing terms ‘low-code’ and ‘no-code,’ but these are not to be accepted blindly. Some low-code solutions are still very high-code solutions. And no-code means different things. I know no-code GRC solutions that are truly no-code but are also not agile or adaptable. They have a beautiful interface but can not be adapted to the organization’s GRC processes; the organization has to adjust its processes to how the solution was designed. However, there are no-code GRC solutions that are extremely agile and configurable to the organization’s needs. Careful understanding and inquiry are needed to determine the agility and configurability of so-called no-code GRC solutions.
• You fail to check client references adequately. Client references are challenging. Too often, the client reference is the decision maker that only has great things to say about how wise they were to choose this product over others. Those same decision-makers often speak on the solution’s webinars and conferences. They do not like to say negative things about the product. I ask them hard questions, like where the product has failed and where it has undelivered. They are hesitant to answer. I ask them the same question differently: what functionality/feature do they want to see delivered in the next release of the solution? They are more ready to answer this question, but what they are telling me is that it is not delivering today and is frustrating them. I then ask to speak to individuals on their team down in the weeds using the solution. I often get very different perspectives and views from those in the trenches when utilizing the solution. This is another example of why the client reference surveys of some analyst firms do not work; you cannot explore the truth and fiction.
• You fail to define strategy and process and think technology solves the problem. Technology is an enabler and delivers significant value, but only when there is a clear understanding of the strategy and process. I get frustrated when an organization calls me and says they just purchased GRC please come in and tell us how to do GRC. That is putting the cart before the horse. A clear understanding of strategy, process, and objectives should come before an RFP.
• You fail to understand your current and future state with a business case. To succeed in any GRC process (whether broad or focused), a clear and compelling business case is required. Organizations need to define their current state and process, what it is costing them, their ideal future state and the value/return it brings, and their roadmap to get to that future state involving strategy, process, information, and technology. Everything should be clearly documented and measured, empowering the RFP and selection process. When I work on business cases, I build them around the value angles of efficiency (time saved, money saved), effectiveness, resilience, and agility.
• You give preference to a solution already deployed or that one department wants. This happens time and time again. The organization has a broad vision of what it wants to achieve. Still, it either tries to do it with an existing solution being used that does not have the capabilities to deliver on the vision or goes with a solution that one department (such as IT with ITSM) desires that does not fit the broader vision. Too often, I see IT stepping in and saying it will only be this one solution they are using for other purposes when it is not always a good fit for the organization’s vision and requirements.
• You try to do everything in one GRC solution/platform. While I firmly believe there can be a core GRC platform to bring things together (as long as it is the right platform that meets the requirements), this does not mean this solution is the only solution. There is a place for best-of-breed GRC solutions that go deep in IT/cyber-risk, third-party risk, regulatory change, and other areas. A GRC strategy should be more about GRC architecture and not trying to force fit everything into one platform that does not do everything well but does do some things well.

Take heed of these cautions to maintain situational awareness and deliver on a successful GRC-related RFP. In other words, do not end up in a crash like I did on my bicycle.

I can go on and on, happy to chat about these and more on how to approach GRC-related RFPs. I have been in this space for 31 years, and 24 of those as an analyst. I was a top analyst and VP at Forrester Research for seven years and have been independent, competing against the big analyst firms for 17 years as a boutique. I can claim to have the longest history evaluating GRC-related solutions as I was the first to use the acronym GRC, model the GRC market, and compare solutions going back to February 2002.

Navigating the Shift from Manual to Automated Internal Control Management

The most recent Illustration in the GRC Technology Illustrated series has just been released! This is a collaboration between GRC 20/20 and our market research and segmentation on GRC technology segments with OCEG with a sponsor for each one.

This installment in the GRC Technology Illustrated Series outlines how Internal Control Management, Monitoring & Automation Solutions streamline an organization’s GRC management by automating the definition, documentation, and continuous monitoring of internal controls across processes and systems. These tools simplify assessments and reporting, and enable real-time enforcement and testing of controls, ensuring effectiveness and compliance.

Internal Control Management, Monitoring & Automation Solutions address the challenges presented by scattered silos of internal controls, manual methods of updating and testing controls, and the lack of enterprise-wide control visibility. Addressing these and other challenges from manual management of controls enables streamlined workflows and greater resilience and agility. 

Already Published Illustrations:

• Risk & Resilience Management Technology Illustrated

Upcoming Illustrations in Progress:

• Identity GRC Technology Illustrated
• ESG Management Technology Illustrated
• Third-Party Risk/GRC Technology Illustrated
• Compliance & Ethics Management Technology Illustrated
• IT GRC/Risk Management Technology Illustrated
• And many more . . .

In today’s fast-paced business environment, managing internal controls effectively is more crucial than ever. Companies face numerous challenges with manual processes and disparate systems, which can lead to inefficiencies, increased risk, and compliance issues. This blog explores the transition from manual to automated internal control management, highlighting the benefits of integrated systems and automation solutions.

Current State: Manual Processes and Disparate Systems

Organizations traditionally rely on manual processes to manage internal controls. This approach often results in scattered silos of internal control management, where information is fragmented across different documents, emails, and systems. Such fragmentation can hinder enterprise visibility, making it challenging to monitor and enforce controls effectively. Additionally, manual processes are prone to errors and inefficiencies, leading to compliance risks and increased operational costs.

Challenges with Manual Processes:

1. Scattered Silos of Internal Control Management: Lack of centralized control data hampers decision-making and risk management.
2. Manual Processes with Documents & Emails: Time-consuming and prone to human error.
3. Failure to Have Enterprise Visibility of Controls: Difficulty in getting a holistic view of control status and effectiveness.
4. Lack of Automated Control Monitoring & Enforcement: Inability to detect control failures in real-time.
5. Complexity of Regulatory Compliance: Ensuring compliance manually is labor-intensive and prone to errors.
6. Integration with Existing Systems: Manual processes do not integrate seamlessly with other business systems.
7. Data Quality & Accuracy: Manual data entry can lead to inaccuracies.
8. Change Management Impact on Controls: Updating controls to reflect changes in the business environment is cumbersome.
9. Limited Scalability: Manual processes cannot easily scale to meet growing business needs.
10. Evolving Technology: Keeping up with technological advancements is challenging with manual processes.

Future State: Automated Processes and Integrated Systems

Transitioning to automated internal control management solutions addresses these challenges by providing a unified view of controls and streamlining workflows. Automation solutions offer several critical capabilities that enhance the efficiency, effectiveness, resilience, and agility of internal control management.

Benefits of Automation Solutions:

1. Enterprise Visibility of Controls: Centralized control data provides a comprehensive view of the control environment.
2. Business Process and Service View of Controls: Controls are mapped to business processes and services, ensuring alignment with organizational objectives.
3. Real-Time Control Identification: Automation enables the continuous identification of controls in real-time.
4. Automated and Continuous Control Monitoring and Enforcement: Real-time monitoring and enforcement of controls reduce the risk of failures.
5. Advanced Control Data Analytics: Data analytics tools provide insights into control effectiveness and areas for improvement.
6. Seamless Business System Integration: Automation solutions integrate smoothly with existing business systems, enhancing operational efficiency.
7. Scalability and Flexibility: Automated systems can scale with the organization’s growth and adapt to changing needs.
8. Robust Audit Trail Creation: Automated systems maintain detailed audit trails for compliance and accountability.
9. Customizable Reporting and Dashboards: Tailored reports and dashboards provide actionable insights for management.
10. Control Issue/Incident Management: Automated issue detection and resolution ensure timely and effective responses to control failures.
11. Workflow and Task Management: Streamlined workflows enhance task management and accountability.
12. Predictive Control Modeling: Predictive analytics model potential control failures and mitigate risks proactively.
13. Control Effectiveness Testing: Automated testing ensures controls are effective and functioning as intended.

The transition from manual to automated internal control management is a strategic move that delivers significant benefits. By adopting integrated systems and automation solutions, organizations can achieve greater efficiency, effectiveness, resilience, and agility. This shift not only addresses the inherent challenges of manual processes but also positions companies to better manage risks, ensure compliance, and drive continuous improvement in their internal control environment.

As organizations increasingly integrate artificial intelligence (AI) into their operations, the importance of robust data governance cannot be overstated. Data GRC (Governance, Risk Management, and Compliance) form the bedrock upon which effective AI programs are built. These frameworks ensure that data is managed properly, data objectives are achieved, uncertainty and risks are mitigated, and compliance is maintained to ensure that organization acts with integrity, all of which are crucial for the ethical and efficient use of AI.  

Here are key data governance principles necessary for the successful deployment of AI programs in organizations . . .

[The rest of this blog can be read on the Archive360 blog, where GRC 20/20’s Michael Rasmussen is a guest author]

The Interconnected Reality of Modern Business

The modern organization operates in an interconnected world with the extended enterprise. However, recent global disruptions have highlighted the profound impact these connections have on business operations. This has underscored a vital lesson: the importance of relationships in defining business success.

Martin Luther King Jr. famously said, “Whatever affects one directly, affects all indirectly. I can never be what I ought to be until you are what you ought to be. This is the interrelated structure of reality.”

This principle applies not only to personal relationships but also to the intricate web of third-party relationships that sustain modern enterprises. Today’s businesses are no longer confined by physical walls or traditional employee structures. Instead, they are supported by an extensive network of suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, and more. This is the extended enterprise.

Governance and Corporate Integrity

The ability of a business to achieve its objectives is closely tied to how well it governs its third-party relationships. Effective third-party governance ensures that an organization can manage risks and maintain resilience. The integrity of an organization, including its compliance with regulations, commitments, and core values, is also reflected in the integrity of its third-party relationships.

The old adage, “Show me who your friends are, and I will tell you who you are,” rings true in the business context: show me your third-party relationships, and I will tell you who you are as an organization. Modern businesses are defined by their ability to manage and govern third-party relationships. This ensures that the organization can reliably achieve its objectives, manage uncertainty/risk, and act with integrity across the extended enterprise.

Modern businesses face numerous risks stemming from their third-party relationships. These risks highlight the interconnectedness of today’s global business environment:

• Resilience. Disruptions in the operations of service providers and outsourcers can significantly impact an organization’s ability to deliver goods and services. For example, supply chain disruptions can halt production, and service outages can affect customer satisfaction and business continuity. In the context of IT risk, as organizations increasingly rely on digital tools and remote work, the risk of cyber breaches grows. Third parties may introduce vulnerabilities through their IT infrastructure, potentially compromising sensitive company data.
• Integrity. Rapidly changing business environments can strain controls over third-party relationships. This increases the risk of unethical behavior, such as fraud and corruption. Effective governance frameworks are essential to maintain high standards of conduct and compliance. Global supply chains often extend into regions with varying labor standards. Organizations must ensure that their third-party relationships uphold human rights, avoiding issues like forced labor, poor working conditions, and child labor.

These risks must be managed within the complex web of interconnections that define the modern organization. For instance, a disruption in one part of the supply chain can cascade, affecting numerous other areas and ultimately impacting the organization as a whole.

In response to these challenges, organizations are focusing on several strategic trends to enhance third-party governance, risk management, and compliance (third-party GRC):

1. Integrity & ESG. Companies are re-evaluating their core values, ethics, and standards of conduct and extending these principles across third-party relationships. This includes a strong emphasis on ESG, including human rights, privacy, environmental standards, and security.
2. Resilience. Maintaining operations amid uncertainty requires a comprehensive understanding of third-party relationships and their performance in the context of risk. Organizations need a holistic view of GRC within each relationship.
3. Governance. Clear governance of third-party relationships is crucial. This involves defining and managing the objectives and sub-relationships, such as contracts and service levels, to ensure risk and uncertainty are controlled effectively.
4. Federated Approach. Moving away from siloed operations, organizations are adopting a federated strategy for third-party governance. This ensures collaboration across departments like procurement, information security, compliance, and ethics, facilitating consistent management practices.
5. Integration. To support a federated strategy, organizations are redesigning their technology and information architectures. This involves creating systems that can manage diverse third-party governance needs and integrate seamlessly with existing ERP and procurement systems.

Implementing Effective Third-Party Governance

To address these strategic trends, organizations must implement comprehensive third-party GRC programs. These programs should include:

• Due Diligence. Conduct thorough due diligence on third parties before entering into relationships. This includes assessing their financial stability, compliance history, and ethical standards.
• Continuous Monitoring. Implement ongoing monitoring of third-party performance and risks. Use technology to track changes in risk profiles and compliance statuses in real-time. This requires third-party risk intelligence.
• Incident Management. Develop robust incident management protocols to respond quickly to any issues that arise in third-party relationships. This includes having clear communication channels and predefined response strategies.
• Training and Awareness. Ensure that both internal employees and third-party partners are well-trained on policies and practices. Regular training sessions and awareness programs can help maintain high standards across the extended enterprise.
• Collaborative Platforms. Use third-party risk management platforms to facilitate communication and coordination between different departments involved in third-party governance. This promotes a unified approach and helps break down silos.

The end game is that organizations need a complete view of what is happening with third-party relationships. This contextual awareness requires that third-party management have a central nervous system to capture signals found in assessments, and changing risks and regulations for interpretation, analysis, and holistic awareness of risk in the context of third-party relationships.

As my mother used to say, “You will be known by who your friends are.” In the world of business, our third-party relationships define us. Addressing third-party risk is not just about risk management; it’s about upholding corporate integrity and ensuring that our business practices reflect our core values.

GRC 20/20 is facilitating Third-Party Risk Management By Design Workshops in:

• SAN FRANCISCO: May 29 @ 1:00 pm – 5:00 pm PDT, Third-Party Risk Management by Design, SAN FRANCISCO
• LONDON: June 25 @ 10:00 am – 6:00 pm BST, Third-Party Risk Management by Design, LONDON

Boldly Going Where No GRC Professional Has Gone Before

My latest episode of “GRC After Hours” has been released. In this episode, we cleverly marry the adventurous spirit of Star Trek with the pragmatic world of governance, risk, and compliance (GRC). Captain James T. Kirk’s assertion from Season 2, Episode 20 of the Original Series, “Risk! Risk is our business!” sets the stage. This sentiment encapsulates the essence of the discussion: just as the Starship Enterprise embarks on daring missions into uncharted territories, modern organizations must navigate the complex frontier of GRC, facing risks head-on with innovation and strategic foresight.

Join me as I sit down with a glass of whiskey with Sam Abadir and John Michelsen of Krista.ai to discuss AI, GRC, and the iconic Star Trek franchise. We boldy explore strange new worlds in GRC that involve:

• Exploring the Final Frontier: AI in GRC. The episode delves into how artificial intelligence (AI) is revolutionizing the GRC landscape. Sam Abadir and John Michelsen discuss the role of AI technologies like Christa AI in transforming GRC tasks from mundane to strategic. AI’s ability to automate compliance monitoring and risk assessments is likened to the Enterprise’s computer, capable of processing vast amounts of data and making recommendations in real-time. This technological leap enables organizations to shift from reactive to proactive stances, anticipating risks before they materialize, much like the predictive capabilities seen on the bridge of the Enterprise.
• Universal Translators for Compliance: Multilingual and Multiregional Challenges. Navigating the complexities of global compliance is akin to the Enterprise crew interacting with diverse alien cultures, each with its own language and customs. The speakers highlight how AI can break down linguistic and regulatory barriers, ensuring that GRC strategies are adapted appropriately across different jurisdictions. This segment emphasizes the importance of technology in managing the intricacies of multinational compliance, drawing parallels to the universal translator device in Star Trek that facilitates communication between disparate species.
• Red Alert: Crisis Management in the GRC Enterprise. Drawing on Star Trek’s frequent crisis scenarios, the discussion pivots to crisis management within organizations. The ability of the Enterprise crew to swiftly mobilize resources and coordinate responses during emergencies serves as a model for GRC professionals. The use of AI can significantly enhance this capacity, providing tools that quickly aggregate data, assess risks, and propose actionable solutions, thereby reducing the time between crisis detection and response.
• The Prime Directive: Ethical AI in GRC. Ethics in AI usage takes center stage as the speakers address the potential perils and promises of AI in GRC. Just as Star Trek’s prime directive governs the exploratory protocols of the Federation, ensuring non-interference with alien civilizations, organizations must develop ethical guidelines to govern their use of AI. This ensures technologies are used responsibly, transparently, and in alignment with organizational values and societal norms.
• Star Trek or Blade Runner: Envisioning the Future of GRC. In the concluding segment, the future of GRC and its intersection with AI is envisioned not as a dystopian Blade Runner scenario but as a Star Trek-like advancement where technology supports societal improvement and ethical governance. The discussion speculates on how the integration of AI into GRC can lead to a more efficient, just, and risk-aware organizational culture, much like the cooperative and optimistic future portrayed in Star Trek.

This episode not only entertains with its Star Trek analogies but also provides deep insights into how GRC professionals can leverage AI to navigate the complexities of modern risk management and compliance. It encourages viewers to think of GRC not as a static set of rules and procedures but as a dynamic field that, with the aid of AI, can explore new realms of efficiency and strategic impact.

The fusion of Star Trek’s adventurous narratives with the detailed discussions of GRC creates a compelling vision for the future of governance, risk, and compliance. As organizations continue to explore this final frontier, the principles discussed in this episode will serve as a guide to managing the unknown with courage, innovation, and ethical responsibility.

Join GRC 20/20 for these Upcoming Related Webinars on this subject . . .

May 22 @ 12:00 pm – 1:00 pm EDT –

• The AI Chicken or the AI Egg – Which comes first?

June 6 @ 11:00 am – 12:00 pm EDT 

• Steering Clear of the Pitfalls: Essential Data Governance Strategies for Effective AI Compliance

Imagine a house built over 38 years, involving 147 different builders, without a clear design, blueprint, or architect. This might sound like an absurd way to build a home, but this is precisely what happened with the Winchester Mystery House. The resulting structure is a labyrinth of rooms, staircases leading to nowhere, and an overall confusing layout that leaves visitors baffled.

Unfortunately, this chaos is not unique to the Winchester Mystery House—it mirrors the typical organization’s approach to third-party risk management. In many organizations, third-party risk oversight is fragmented into isolated silos, resulting in a bewildering landscape of uncoordinated efforts. Over the last 38 years, organizations have had 147 different builders of third-party risk management with no design, no blueprint, and no architect. The result is a mess of confusion. The Winchester Mystery House serves as a cautionary tale, emphasizing the need for organizations to step back and design a cohesive, federated approach to third-party governance and risk management.

The Interconnected Modern Organization

In today’s business landscape, no organization is an island. Modern organizations are interconnected webs of relationships, spanning across suppliers, vendors, outsourcers, service providers, and more. The extended enterprise demands that businesses govern these relationships effectively, as third-party problems can quickly become organizational problems.

Fragmented third-party risk management through disconnected department silos leads organizations to inevitable failure. The lack of coordination, reactive processes, and scattered information blinds organizations to the risks and compliance exposures within their third-party relationships. Silos hinder the ability to see the big picture and address the complexity of the modern third-party ecosystem.

Much like the Winchester Mystery House, an organization that builds its third-party risk management without a cohesive design ends up with a confusing, inefficient, and ineffective system. Organizations face:

1. Growing Risk and Regulatory Concerns: With inadequate resources, organizations struggle to monitor third-party risks and regulations, leading to finger-pointing and inefficiencies.
2. Interconnected Third-Party Risks: Risks in one area can cascade into significant issues when not managed holistically.
3. Silos of Third-Party Oversight: Different departments manage third-party governance independently, lacking coordination and visibility.
4. Document and Email-Centric Approaches: Governing third-party relationships through documents, spreadsheets, and emails is prone to failure and inefficiency.
5. Non-Integrated Legacy Technologies: Disconnected legacy systems limit the ability to govern third-party relationships effectively.
6. Focus on Onboarding Only: Many organizations focus on onboarding but neglect ongoing monitoring and assessment.
7. Inadequate Change Management: Organizations struggle to govern third-party relationships amid constant change【8†source】.

Third-Party GRC Management by Design: From Chaos to Clarity

A mature third-party GRC (governance, risk management, and compliance) management program delivers effectiveness, efficiency, resilience, and agility by connecting the enterprise, business units, processes, and information. A federated approach aligns third-party governance, risk management, and compliance with organizational objectives and strategy.

A federated third-party risk management program begins with a strategic plan, connecting key business functions through a common framework and policy. Organizations should focus on critical elements such as understanding third-party relationship objectives and performance in the context of risk. It is necessary to know who you do business with, keep information current, and have structured oversight, policies, assessment, monitoring, controls, and inspections of third-party risk across the lifecycle of onboarding, ongoing monitoring, to offboarding.

This requires an integrated third-party risk management strategy and process that is supported by robust third-party risk intelligence/content integrated into a third-party risk management platform that can be used across departments/functions that have a stake in third-party governance.

The Winchester Mystery House serves as a cautionary tale for organizations that approach third-party risk management without a cohesive design. By designing a federated approach to third-party risk management, organizations can avoid the pitfalls of silos and create a cohesive, effective system. A federated approach enables organizations to be aware, aligned, responsive, and agile in managing third-party relationships, ensuring they achieve objectives, manage uncertainty, and act with integrity.

GRC 20/20 is facilitating Third-Party Risk Management By Design Workshops in:

• SAN FRANCISCO: May 29 @ 1:00 pm – 5:00 pm PDT, Third-Party Risk Management by Design, SAN FRANCISCO
• LONDON: June 25 @ 10:00 am – 6:00 pm BST, Third-Party Risk Management by Design, LONDON

GRC 20/20’s Michael Rasmussen will explore the following challenges, trends, and best practices in the upcoming webinar: Navigating Uncertainty and Chaos: Key Trends in Risk and Resilience Management

In today’s rapidly evolving business landscape, organizations face an array of complex challenges. They operate in environments that are inherently complex, dynamic, distributed, and frequently disrupted by various internal and external factors. Amidst this uncertainty, effectively managing risk and building resilience has become imperative for organizational success.

As defined by ISO 31000, risk is the effect of uncertainty on objectives. To manage risk effectively, organizations must adopt a holistic approach encompassing a top-down strategic view aligned with objectives and a bottom-up operational perspective embedded within processes and activities. This aligns with the OCEG definition of GRC where GRC is a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].

Today’s organization needs to be agile in managing risk and its impact on the organization’s objectives from the moment it is developing on the horizon, as well as resilient in recovering from risk events when they materialize.

However, the modern organization faces many challenges in addressing an integrated risk and resilience management approach. These include:

1. Lack of Risk Agility. Organizations often struggle to respond promptly to emerging risks due to rigid processes and hierarchies. Failure to adapt quickly to changing circumstances can lead to missed opportunities or unanticipated threats.
2. Fragmented & Inaccurate Risk Data. Siloed data across disparate systems makes it challenging to obtain a comprehensive view of risks. Inaccurate or outdated data undermines the reliability of risk assessments and decision-making processes.
3. Limited Visibility. Limited visibility into interconnected risks and dependencies hampers the ability to anticipate and mitigate potential impacts. Organizations are vulnerable to cascading failures without a clear understanding of the full risk landscape.
4. Inefficient Risk Manual Processes. Manual and disjointed risk management processes result in inefficiencies and delays. Hundreds or thousands of out-of-sync documents, spreadsheets, and emails encumber these. The lack of automation and standardized workflows impedes timely identification and response to risks.
5. Inadequate Risk Reporting. Traditional risk reporting methods often fail to provide actionable insights or meaningful context. Poorly structured reports obscure critical risk information and hinder informed decision-making.
6. Limited Scalability. Scalability challenges arise when existing risk management practices cannot accommodate growth or organizational changes. Scaling risk management efforts across multiple business units or geographies becomes increasingly complex.
7. Resource Intensiveness. Resource constraints, both in terms of personnel and technology, hinder effective risk management efforts. Limited resources result in suboptimal risk mitigation strategies and increased vulnerability.
8. Ineffective Collaboration. Siloed organizational structures and cultural barriers inhibit collaboration and information sharing. Lack of cross-functional collaboration undermines the ability to identify and address systemic risks.
9. Resilience Planning Gaps. Inadequate focus on resilience planning leaves organizations vulnerable to disruptions. Failure to anticipate and prepare for potential risk events can lead to significant operational disruptions and financial losses.
10. Difficulties in Business Change Management. Resistance to change and organizational inertia pose challenges to keeping risk current as the business evolves..

To address these challenges, organizations must transition to bring risk and resilience management together in an integrated function as part of a broader GRC strategy. This function should be focused on enabling the organization to reliably achieve objectives in the midst of risk and uncertainty.

This requires a unified view of risk information and processes that deliver greater efficiency, effectiveness, resilience, and agility. By centralizing risk management functions and integrating risk accountability throughout all levels of the organization, organizations can achieve a more holistic understanding of risks and opportunities.

Leveraging technology solutions such as advanced analytics, artificial intelligence, and automation can enhance risk agility and enable proactive risk management strategies. Ultimately, a comprehensive risk and resilience management approach empowers organizations to navigate uncertainty with confidence, proactively prepare for potential risks, and effectively respond to disruptions when they occur.

GRC 20/20’s Michael Rasmussen will explore the following challenges, trends, and best practices in the upcoming webinar: Navigating Uncertainty and Chaos: Key Trends in Risk and Resilience Management

Before COVID, I ran several Spartan races. The challenge of being outdoors and running down the trail while overcoming obstacles to finish the race . . . what a rush! The final accomplishment of achieving the objective of the finish line by leaping over the fire is an accomplishment.

In the ever-evolving landscape of uncertainty in achieving business objectives, organizations are like endurance athletes on a rugged trail encountering obstacles. Each turn and dip holds potential risks—yet also opportunities. The athlete’s dual objectives of maintaining speed while avoiding missteps mirror the organizational imperative of risk agility and resilience. This analogy paints a vivid picture of the strategic approach necessary for navigating today’s business environment to achieve objectives and sets the stage for a deeper understanding of integrating resilience (formerly business continuity) into risk management as part of a broader integrated GRC (governance, risk management, and compliance) strategy.

The Trail Ahead: Navigating with Agility

Imagine an athlete traversing a complex trail network with obstacles. Their success hinges on their ability to quickly perceive changes in the terrain and adjust their path accordingly. Similarly, organizations must cultivate risk agility: the capability to rapidly identify and react to risks as they arise on the horizon and plan on the best approach. This agility is crucial in avoiding potential pitfalls and capitalizing on opportunities swiftly. What is developing on the horizon may very well be a hazard, or it could be an opportunity, and perhaps both.

The foundation of risk agility lies in the organization’s ability to gain a holistic view of its risk landscape and understand scenarios on what is developing on the horizon. Modern businesses operate in a dynamic environment where risks such as market volatility, technological disruptions, economic uncertainty, and geopolitical shifts can arise suddenly and with little warning. Organizations that continuously monitor these horizon risks and opportunities can adapt their strategies proactively rather than reactively to achieve their objectives. For instance, a company might use predictive analytics to detect emerging market trends and technological innovations, allowing it to pivot its operations to exploit new market opportunities or mitigate potential disruptions from competitors. Scenario analysis, simulations, and table-top exercises are critical to navigating uncertainty/risk.

Staying the Course: The Resilience to Recover

No matter how agile an athlete—or an organization—might be, missteps are inevitable. Resilience is the ability to recover quickly from these setbacks, whether they are minor or catastrophic. For businesses, this means having systems and processes that can absorb the impact of a risk event and quickly return to normal operations or, in some cases, a new, more effective operational state. Organizations need strategic and operational intelligence on how the business operates and recovers.

Resilience in business is multifaceted, involving financial stability, operational redundancy, and a strong organizational culture that can withstand and adapt to challenges. For example, a multinational corporation might have backup supply chains to ensure continuity in the face of regional disruptions, such as what we are seeing on the Eastern seaboard of the USA with the bridge collapse in Maryland. Similarly, fostering a culture that encourages rapid problem-solving and adaptation among employees can enhance an organization’s ability to stabilize operations during and after a crisis.

From Continuity to Resilience: The Evolution of Strategy

The evolution from business continuity planning to operational resilience marks a significant shift in organizational strategy. Traditional business continuity focuses on recovery and restoration of operations post-disruption. In contrast, operational resilience is an ongoing strategy that integrates risk and resilience management into the very fabric of business operations, aiming not just for recovery but for continuous operation under adverse conditions.

This strategic shift requires organizations to rethink their approach to risk. It involves integrating risk management with strategic planning processes, ensuring that potential risks are considered in decision-making at all levels. It also means investing in technology that can provide comprehensive risk intelligence, such as systems that offer real-time insights into global operations, supply chains, and market conditions.

Implementing a Holistic Approach: Strategy, Process, Intelligence, and Technology

Achieving risk agility and resilience necessitates a concerted effort across four domains: strategy, process, intelligence, and technology.

1. Risk & Resilience Management Strategy. First, the strategy must align with the organization’s long-term goals and include a clear framework for risk and resilience management. This strategic alignment ensures that every part of the organization understands its role in mitigating risks.
2. Risk & Resilience Management Processes. Second, processes must be designed to support agile and resilient operations. This involves creating standard operating procedures that include risk assessments, scenario analysis, response protocols, and continuous learning cycles where insights from past incidents are used to strengthen future resilience.
3. Risk & Resilience Management Intelligence/Information. Third, strong risk and resilience intelligence enables the strategy and process. The ability to take in feeds of information on geo-political risk, market/economic risks, uncertainty, supplier and vendor alerts, and more. The organization needs complete 360° situational awareness, which requires intelligence feeds.
4. Risk & Resilience Management Technology. Finally, technology is crucial in enabling risk agility and resilience management. Advanced data analytics, artificial intelligence, and machine learning can provide organizations with the tools to predict, detect, and respond to risks in real-time. These technologies also support decision-making processes, ensuring that data-driven insights are available to guide strategic choices and provide structured workflow, accountability, reporting, and dashboards.

Conclusion: Leading the Race with Agility and Resilience

Just as an endurance athlete relies on both agility to navigate the trail ahead and resilience to overcome the inevitable falls, modern organizations must integrate these capabilities into their GRC strategies to integrate resilience into enterprise risk management strategies. The journey from traditional business continuity to operational resilience is complex and challenging but ultimately rewarding and becomes part of enterprise risk management that flows into the broader GRC, which enables an organization “to reliably achieve objectives [governance], address uncertainty [risk management], and act with integrity [compliance].” By fostering a culture of continuous adaptation and learning, organizations can not only survive but thrive in the face of uncertainty; to thrive on risk. This requires a comprehensive approach that blends strategic foresight with robust processes and cutting-edge technology, ensuring that the organization remains competitive and capable of overcoming any obstacle in its path.

GRC 20/20 Risk & Resilience Events & Resources

Upcoming Webinars

• May 1 @ 9:00 am – 10:00 am CDT, Navigating Uncertainty and Chaos: Key Trends in Risk and Resilience Management
• April 30 @ 8:00 am – 9:00 am PDT, Modern Enterprise Risk Management 
• May 1 @ 4:00 pm – 5:00 pm BST, Building a Robust and Resilient Supply Chain through Third-Party Risk Management
• May 2 @ 10:00 am – 11:00 am EDT, Compliance Countdown: Accelerating Cyber Resilience Initiatives

Illustration

• Risk & Resilience Management Technology Illustrated

Research Briefing

• April 29 @ 10:00 am – 11:30 am CDT, 2024 Buyers Guide: Risk & Resilience Management Solutions

Research Papers

• Risk & Resilience Management by Design

• Risk & Resilience Management Maturity Model

Upcoming Workshop

• April 24 @ 9:00 am – 6:30 pm BST, Risk & Resilience Management by Design Workshop, LONDON