Challenges in Third-Party Risk Management

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees, including suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. 

In an increasingly interconnected world, third-party risk management (TPRM) is becoming an imperative aspect of organizations. Navigating the complex maze of challenges inherent to TPRM can seem daunting.

Yesterday, I held my Third Party Risk Management by Design workshop in London. We had 51 organizations registered, with over 40 attending. Below is a summary of the challenges the attendees expressed and interacted with throughout the day. The same Third Party Risk Management by Design workshop will be in Chicago on October 13th.

The third-party risk management challenges the attendees stated that were keeping them up at night are:

  • Fragmented Requirements. Often, due diligence is mired in fragmented requirements from different third-party risk functions. These functions operate in silos, each wielding its own tools and lacking a unified source of truth.
  • Siloed Risk Insight. Third-party risk information is scattered across multiple departments/functions, leading to inefficiencies and, at times, contradictory and risky actions.
  • Regulatory Disparities. Local regulations can often conflict with the guidelines of the head office, leading to operational hiccups. Additionally, managing compliance across jurisdictions and handing data over to third parties can be perilous.
  • ESG and Due Diligence. Environmental, Social, and Governance (ESG) considerations, especially those pertaining to climate change, harmful chemicals like PFAS, and social accountability, are increasingly becoming focal points. The attendees were concerned about addressing ESG in complying with Germany’s LkSG and the EU CSDDD.
  • Managing Outcomes of Relationships. Evaluating the material outcomes of risks in relationships is critical, as these can significantly affect an organization’s bottom line and reputation.
  • Data Challenges in Third-Party Risk Intelligence. Data plays a pivotal role. However, accessing disparate third-party risk data sources and ensuring its veracity is challenging.
  • The Unknowns of the Supply Chain. Understanding who constitutes the supply chain, nested entities, and determining the real executor of the work is imperative to managing risks.
  • Resilience. From supplier resilience, safety, and cybersecurity to continuity, organizations must focus on building robust systems. There are significant fines and penalties for not complying with resilience regulations.
  • Big Picture of TPRM. Having a strategic outlook that encapsulates the full spectrum of third-party risks is crucial. Who’s ensuring a holistic view? Are contractual arrangements under scrutiny?
  • Artificial Intelligence. Technology, especially AI, can be a game-changer. While AI can streamline processes, there’s also the inherent risk in not governing its use within third-party relationships.
  • Continuous Due Diligence. Relying on traditional methods like documents, spreadsheets, and emails is passé. Continual due diligence is the need of the hour.
  • Social Accountability. Risks of bribery, corruption, and lack of social responsibility in third-party relationships can’t be overlooked.
  • The Business Case. Building a business case for TPRM involves showcasing its value proposition and garnering top-down senior sponsorship.

The term “Third-party risk governance” or “GRC” resonates more accurately than risk management. It’s about instilling a governance culture to reliably achieve objectives in the relationship, address uncertainty and risk, and act with integrity, with a culture that fosters oversight and continual improvement. Organizations can sail smoothly in the choppy waters of third-party risks by leveraging technology and ensuring top-down buy-in. Remember, in the age of the extended enterprise, mastering TPRM isn’t just a necessity; it’s a strategic imperative.

A.I. GRC: The Governance, Risk Management & Compliance of A.I.

A.I. presents significant risks to organizations regardless of whether they use the technology. There are potentially enormous reputational risks to an organization when technology like generative A.I. reaches a point where it is impossible to distinguish between actual evidence of corporate bad acts and deep fakes intended to harm the organization. This creates a novel set of risks for the organization, regulators, and the general public alike.

A.I. is also an accelerant to other risks. Generative AI could eliminate the awkward language in phishing email attempts that often make them easier to detect. That would allow foreign bad actors to level up their efforts in any language without many of the current telltale red flags. Generative A.I. has already passed the tests given to Google applicants, meaning that any bad actor now has an entry-level Google coder at their disposal to create all kinds of new malware. While there are guidelines designed to limit this type of result, bad actors will likely find workarounds.

The “simplicity risk” factor becomes far more concerning when A.I. is daisy-chained together. Just as the hurdle of linking large non-standardized distributed data sets used to be a natural brake to A.I. prep work, having one A.I. technology work on removing barriers for another A.I. technology could mean developing new models generated by A.I. with no explainability. With A.I. having such low barriers, if that becomes the front door to creating other, more sophisticated technology, the path is set to have A.I. build A.I., which is an incredibly risky situation.

Organizations need A.I. GRC to ensure the responsible, practical, and appropriate use of A.I. technologies. A.I. GRC enables the organization to:

  • Ensure A.I. systems comply with evolving laws and regulations, which helps prevent legal issues, financial penalties, and damage to reputation.
  • Manage uncertainty and risk when A.I. can have unintended consequences, including biased decisions or privacy breaches. Effective risk management helps identify and mitigate these risks.
  • Meet ethical standards, ensuring A.I. is used fairly and doesn’t perpetuate harmful biases.
  • Deliver trust and transparency where A.I. GRC practices help organizations demonstrate that their A.I. systems are trustworthy and transparent, essential for customer and stakeholder confidence.
  • Provide strategic business alignment, where strong A.I. GRC ensures that A.I. usage aligns with an organization’s broader strategic goals and doesn’t deviate into potentially harmful or unproductive areas.
  • Enable agility as the A.I. landscape rapidly changes; A.I. GRC practices help organizations prepare for future regulatory changes. 

A.I. GRC is necessary to ensure legal adherence and uphold ethical standards, manage risks, build trust, align with strategic goals, and prepare for the future. Organizations need A.I. GRC to ensure responsible and ethical use of A.I. technologies. 

Without a structure to govern A.I., risk exposure will grow, resulting in bad decisions from improper use, increased regulatory pressure, and legal liability and exposure. Organizations should not see A.I. GRC as simply a regulatory obligation; A.I. governance enables strategic decision-making and performance management. Short-term A.I. risk management projects may pass regulator scrutiny but fail in the long run to manage risk and performance effectively.

To effectively govern A.I., organizations need a structured approach to:

  • A.I. GRC Oversight. A well-defined A.I. governance framework to manage A.I. use that brings together the right roles, policies, and inventory.
  • A.I. GRC Lifecycle. An end-to-end A.I. management lifecycle to manage and govern A.I. use from development/acquisition, through its use in the environment, to A.I. maintenance and retirement.
  • A.I. GRC Architecture. Effective management of A.I. in today’s complex and dynamic business environment requires an information and technology architecture that enables A.I. GRC.

The blog above is taken from GRC 20/20’s paper on: A.I. GRC: The Governance, Risk Management & Compliance of A.I.

I will be speaking on A.I. GRC at the upcoming events:

My keynotes at the upcoming #RISK in Amsterdam and in London are on A.I. GRC

September 27 – September 28

October 18 – October 19

Upcoming webinars where I am speaking on A.I. GRC

October 10 @ 10:00 am – 11:00 am AEDT 

October 11 @ 12:00 pm – 1:00 pm EDT 

November 7 @ 12:00 pm – 1:00 pm CST 

Other conferences where I am presenting on A.I. topics

October 2 – October 5

Third-Party Risk Workshops where part of the focus will be on A.I. in the Extended Enterprise

September 25 @ 10:00 am – 5:00 pm BST 

October 13 @ 10:00 am – 4:00 pm CDT 

Navigating Third-Party Risk Management: An EU & UK Perspective

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise.

The European Union and the United Kingdom stand at the forefront of global trade and business partnerships. However, with increasing interconnectivity comes the challenge of managing third-party risks. For companies headquartered or operating within these jurisdictions, or in the supply/value chain of companies that do, understanding and mitigating these risks is crucial not only for resilience but also for compliance.

The Essence of Third-Party Risk Management

Third-Party Risk Management (TPRM) involves . . .

[The rest of this blog can be read on the Diligent blog, where GRC 20/20’s Michael Rasmussen is a guest author]

How to Keep Up With Regulatory Change

The healthcare sector is ensnared in a relentless vortex of risk and regulation amid unanticipated disruptions and transformations. Navigating through this dynamic environment, healthcare entities grapple with a myriad of compliance obligations and frustrations that encompass patient safety, privacy, information security, operational practices, service delivery, billing protocols, and electronic medical records management.

Maintaining steadfast compliance and risk mitigation during times of smooth operation is challenging enough; doing so amid continuous change magnifies the challenge exponentially. Healthcare organizations frequently approach risk and compliance separately with a disjointed strategy that relies heavily on isolated documents, spreadsheets, emails, or outdated solutions, inadvertently escalating the cost, complexity, and risk of ensuring compliance.

Some of the compliance struggles within healthcare include . . .

[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

ESG, Compliance, and Resilience in the Extended Enterprises: Navigating Supplier and Vendor Relationships

In the modern business landscape, enterprises are increasingly intertwined through complex networks of suppliers, vendors, and other third-party relationships. While this extended enterprise system brings immense benefits, like specialization and economies of scale, it also introduces challenges in terms of ESG, compliance, and operational resilience. As organizations lean more heavily on their external partners, ensuring that these partners share values, meet regulatory requirements, and can withstand potential disruptions becomes paramount.

Compliance isn’t just about adhering to laws and regulations. In the realm of supplier and vendor management, compliance also encompasses. Resilience is about how your extended enterprise responds to unforeseen challenges. Recent global events have shown that disruptions can arise rapidly, from pandemics to geopolitical tensions. A resilient supplier and vendor network can mean the difference between continuity and chaos.

It’s crucial that partners have congruent ESG objectives, commitments, values, and standards. When an organization’s suppliers and vendors comply with shared values and standards, there’s less risk of reputational damage, financial loss, or operational disruptions. Increasingly, consumers and stakeholders demand that businesses act responsibly. Ensuring that your suppliers and vendors also uphold these standards can cement your reputation as a responsible enterprise. With digital resilience, protection, and other privacy regulations taking center stage, it’s vital that your partners treat data and processes with the care and respect they demand. Any breach on their part can have ripple effects, damaging trust and possibly resulting in hefty fines. One CIO was recently personally fined £80 million for a third-party risk/resilience failure.

Organizations need to consider . . .

  1. Diversify Supplier Bases: Don’t put all your eggs in one basket. By diversifying, you reduce the risk of a single point of failure.
  2. Regularly Review and Update Resilience Plans: Make sure every stakeholder knows their role in case of disruptions. This should include communication protocols, resource allocations, and backup suppliers.
  3. Invest in Technology: Modern supply chain technologies, like blockchain and AI, can provide real-time insights, helping to identify potential choke points and ensure smoother operations.

Organizations globally are gearing up to respond to a whole range of EU regulations and UK regulations/laws that impact this intersection of resilience, ESG, compliance, and the extended enterprise.  

  • EU Corporate Sustainability Reporting Directive (EU CSRD)
  • EU Corporate Sustainability Due Diligence Directive (EU CSDDD)
  • EU Corporate Sustainability Reporting Standard (EU CSRS)
  • EU Digital Operational Resilience Act (EU DORA)
  • EU Cybersecurity Resilience Act (EU CRA)
  • Germany’s LkSG (Supply Chain Due Diligence Act)
  • UK FCA/PRA/BoE Operational Resilience Act
  • UK Senior Manager Regime/Certification Regime (SMCR – a CIO was personally fined £80 million for a third-party risk/resilience failure)
  • UK Governance Code (UK SOX, recently proposed revisions . . . which require resilience statements and a focus on ESG)

Many firms in the USA and the rest of the world have to respond to these laws. If your clients/prospects are anywhere in an EU supply/value chain, then many of these apply to them. Just the first three on Corporate Sustainability (what I call the EU ESG Trifecta as they all work and support each other) impact 50,000 firms directly, but exponentially many more in vendor and supplier relationships. There is a lot of movement right now on EU DORA as organizations become aware that it has a very broad net, including anyone that services and supports the financial services industry, with a lot of downstream impact.

Organizations must understand that their reputation, operations, and success are deeply linked to their extended enterprises to truly thrive in today’s interconnected world. By ensuring compliance and resilience in supplier and vendor relationships, businesses safeguard their operations and position themselves as trusted partners in an increasingly complex ecosystem.

Ultimately, these relationships aren’t just about transactions but trust, collaboration, and shared growth. As we look toward the future, organizations prioritizing these values will undoubtedly stand out as leaders in their respective industries.

Here are some of the events GRC 20/20 is involved in on this topic over the next few months . . .

September 14th Webinars

September 18th Webinar

September 20th Webinar

September 25th Workshop in London 

September 26th Seminar/Roundtable in Amsterdam

October 10th Webinar

Challenges in GRC and the Business Case of GRC Technology

Governance, Risk, and Compliance (GRC) isn’t merely a buzzword but an essential strategy and framework (OCEG GRC Capability Model) for corporations to succeed in today’s complex and dynamic business environment. With increasing risks and regulations, it is evident that businesses require an effective GRC strategy. But while understanding the importance of GRC is one thing, effectively implementing and managing it is another challenge altogether.

The Challenges in GRC . . .

[The rest of this blog can be read on the CAMMS blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Managing Risks, ESG, and PFAS in the Extended Enterprise

In John Donne’s famous line, “No man is an island, entire of itself; every man is a piece of the continent, a part of the main,” the seventeenth-century poet’s words are startlingly relevant to modern businesses. Translated into contemporary terms, it suggests, “No organization is an island unto itself; every organization is a piece of the broader ecosystem.”

The architecture of today’s business landscape has vastly changed, making the notion of self-contained entities antiquated. Traditional brick-and-mortar businesses, defined by physical locations and in-house employees, have transformed into intricate networks. The modern organization is now an elaborate, interconnected web of relationships that extends far beyond standard employment to include a multitude of third parties—such as suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, brokers, and partners. This growing complexity is evident in multilayered supply chains and subcontracting relationships, making it clear that the concept of an “extended enterprise” has evolved from a theoretical construct to a business imperative.

Navigating this web of relationships comes with its own set of challenges, particularly in governance, risk management, and compliance — GRC. Traditional siloed approaches to managing third-party risks and compliance are insufficient; they do not capture the holistic impact on an organization’s objectives or the interconnected nature of modern risk. A failure in third-party governance can lead to catastrophes that reverberate across an organization, damaging both its reputation and bottom line. Be it issues related to delivery timelines, ethical conduct, privacy measures, quality control, human rights, resiliency, corruption, or environmental sustainability, the organization bears ultimate responsibility.

This interconnectedness becomes even more complex when considering Environmental, Social, and Governance (ESG) criteria and the inclusion of per- and polyfluoroalkyl substances (PFAS) in the supply chain. ESG standards focus on a company’s broader impact on society, the environment, and governance practices. Misalignment of ESG criteria within the extended enterprise can expose organizations to reputational and financial risks that are often difficult to quantify but devastating in impact. For instance, if a supplier is found to be in violation of environmental norms, the onus falls upon the company to rectify. It may result in the severance of critical business relationships.

Similarly, the inclusion of PFAS, a group of man-made chemicals used in a wide range of products from textiles to packaging, in the supply chain complicates risk management due to evolving regulations and increasing public scrutiny and legal liability over their health and environmental implications. Organizations must ensure that their third-party partners align with regulatory and organizational standards regarding PFAS, demanding a more intricate and rigorous governance process.

In recent conversations with a global hospitality firm, a global pharmaceutical firm, and a global food and beverage firm . . . they all listed ESG risks, particularly under Germany’s LkSG and now the EU CSDDD, as their number one third-party/supply-chain risk. They each listed PFAS as their second greatest supply chain risk.

Given the amplifying nature of risks—akin to the ‘butterfly effect’ in chaos theory, where a small event can lead to substantial consequences—businesses require a strategically integrated approach to third-party governance, risk management, and compliance (third-party GRC). The disparate data and fragmented insights yielded by a traditional department-centric approach inadequately address the nuanced complexity of today’s organizational ecosystem. Instead, companies need an integrated strategy, processes, and architecture that allow for real-time risk intelligence and comprehensive situational awareness across all third-party relationships.

In conclusion, the fabric of modern business is woven with threads of myriad third-party relationships. For organizations to reliably achieve their objectives, effectively manage uncertainty, and act with unassailable integrity, it is essential to harmonize governance, risk management, and compliance across the extended enterprise. This calls for a robust, integrated strategy that manages and anticipates the complexities and interconnected risks of our modern business landscape. This is only delivered on a robust third-party risk intelligence and management platform.

Rethinking Compliance & Ethics Management in the Era of ESG

In an era characterized by ethical, social, and regulatory challenges, many organizations are finding it difficult to navigate the complex maze of compliance, particularly in an ESG context. The daily news cycle frequently highlights companies falling short of regulatory expectations, painting a picture that corporate ethics is often judged by what firms do when they believe no one is watching.

Understanding the Compliance Conundrum

Compliance is not a one-size-fits-all endeavor. The larger and more global the organization, the more intricate its operational dynamics and associated compliance responsibilities become. In the ever-evolving corporate landscape, elements such as employee turnover, expansion into new markets, product launches, and changing regulations reshape the business environment constantly.

For compliance and ethics programs, this ever-shifting landscape poses unique challenges. As businesses grow and develop diverse partnerships—be it vendors, consultants, or expanding their supply chain—their compliance risk magnifies exponentially. Thus, there’s a pressing need for systems that vigilantly monitor both internal and external compliance risks.

Dismantling Compliance Silos

The age-old practice of managing compliance within isolated silos and manual processes is a recipe for disaster; it makes failure inevitable. This fragmented approach:

  • Promotes Redundancy. The organization wastes time and resources on redundant tasks using unique processes and approaches for each compliance function.
  • Reduces Visibility. Different departments may use various methods for compliance checks, making it hard to have a holistic view of enterprise-wide compliance risks.
  • Compounds Complexity. Non-uniform processes introduce ambiguity and confusion, leading to increased compliance and ethical risks, as well as gaps in compliance.
  • Diminishes Agility. With every compliance area following different and non-integrated approaches, the organization finds it hard to pivot quickly in the face of change.
  • Elevates Compliance Risk Exposure. By focusing only on immediate function needs and ignoring enterprise-wide interdependencies, businesses inadvertently create more compliance exposure and undermine the ethical culture of the organization.

Rethinking Compliance Management

While many organizations are diligent about meeting legal and compliance obligations, the realm of compliance is rapidly transforming. Today’s compliance is evolving beyond ticking regulatory checkboxes: it is about acting as the pillar of corporate integrity and championing it. As a result, compliance departments are being granted greater autonomy and are increasingly reporting directly to CEOs or boards, especially in highly regulated sectors.

This shift means compliance teams need to be well-versed with the organization’s ethical, regulatory, and cultural risks, particularly in an ESG context. Relying on strong, integrated processes will ensure that compliance measures are both effective and efficient. For today’s businesses, it’s paramount that compliance isn’t just a written policy but embedded into daily operations. A robust compliance program should prioritize risks that pose the greatest threat to the organization’s values and ethos.

In summary, traditional compliance approaches are no longer viable. Boards are keen to understand the organization’s compliance framework, its efficacy, and its contribution to enhancing shareholder value. Modern challenges necessitate a comprehensive compliance program, one that is firmly rooted in integrated processes and transparent information.

Addressing GRC in Complex, Distributed & Autonomous Environments

Gone are the years of simplicity in business operations. Organizations today are evolving into more complex, distributed, and autonomous entities. While this evolution ushers in unprecedented growth and opportunities, it has also introduced challenges in ensuring consistent governance, risk management, and compliance (GRC). The digital age, characterized by its interconnectivity and advanced technological infrastructures, has added further challenges to this while also delivering GRC solutions in complex, distributed, and autonomous environments. Today’s organizations can be a complex array of distributed and autonomous businesses that still need some level of coordination and reporting centrally. 

The interconnectedness of risks and compliance requires 360° contextual awareness of integrated GRC within a business and across businesses. Some organizations have an operating model that allows subsidiaries and divisions autonomy but still needs centralized consistency and reporting. Professional service firms also engage diverse organizations in a consistent framework and methodology and look to do benchmarking across clients. Across these various businesses, organizations need to see the intricate relationships of objectives, risks, obligations, commitments, and controls. It requires holistic visibility and intelligence of GRC. The complexity of business necessitates that the organization implements an integrated GRC management strategy, process, and technology/information architecture that can allow distributed and diversified businesses to work autonomously but provide some consistency in management and reporting. 

Many organizations also require some level of autonomy within distributed businesses and operations while still providing centralized governance and reporting. This is also a need within professional service firms that manage a portfolio of clients in a GRC context. Organizations facing these challenges should look for technology that enables distributed and autonomous businesses to manage GRC in their context while still providing centralized governance, reporting, and benchmarking. The best reference for this approach is Hub and Spoke™ GRC (note: this is a trademarked term by one vendor in the space, 6clicks, used with permission in this blog). It gives a master entity a framework for overall governance, risk management, and compliance control and engagement across a range of diverse, distributed, and sometimes autonomous entities with specific GRC needs and privacy and isolation requirements.

The use cases for this approach to GRC . . .

  • Conglomerates/global holding companies/diversified businesses which need to track and manage GRC activities across a range of disparate entities and businesses.
  • Private equity portfolios that own a range of companies and need insight into their portfolio companies in a GRC context.
  • Franchises (this one has come up a few times in the past few months), which need a consistent framework for GRC management and reporting across franchises.
  • Managed services/consulting/professional service firms that have established methodologies and services for GRC-related engagements across their portfolio of clients. 
  • Insurance companies that must manage their brokers’ compliance (and other GRC activities) where brokers/entities can be profiled and grouped, then managed consistently to meet regulatory obligations.
  • College/university campuses that house a range of entities that need to be governed in a consistent GRC context but also allow autonomy and independence. 
  • Hospital networks comprising a range of complex and diversified businesses that need consistent GRC frameworks applied in different contexts. 

As you can see, the various use cases can continue. Many modern organizations are characterized by complex, distributed, and autonomous structures that present unique challenges in ensuring consistent GRC. Addressing these challenges requires a strategic GRC technology architecture that few solutions deliver in the space. Organizations need to be very selective in evaluating solutions that address these scenarios; those that do will ensure their GRC survival and carve out a competitive advantage in today’s highly complex business environment.

Curious about the solutions that can deliver this? Submit an inquiry to GRC 20/20 Research about our market coverage of the range of governance, risk management, and compliance solutions available in the market.

Cognitive GRC: A.I. & Regulatory Change & Intelligence

One of the top inquiry areas for GRC 20/20’s market research is the role of Corporate Compliance and Ethics Management, managing the range of conduct, ethics, regulations/obligations, policies, and boundaries of the organization, particularly now in the era of ESG. We regularly get inquiries from organizations looking for solutions for policy management, hotline/whistleblower, case management, forms/disclosures, third-party compliance/risk, compliance assessments, and more.

A growing area for solutions for corporate compliance is in regulatory change management and regulatory intelligence. This is an area where the traditional approach of armies of subject matter experts is now automated with artificial intelligence. 

Managing and keeping up with regulatory change is one of the most significant challenges for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and interconnected nature of change and how it impacts the organization is driving strategies to mature and improve regulatory change management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated GRC strategy within the organization.

Regulatory change is overwhelming organizations. Many industries, like financial services, are past the point of treading water as they actively drown in regulatory change from the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more worldwide. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations, changes to existing regulations, enforcement actions, and more each year.

In the past five years, the number of regulatory changes has more than doubled, while the typical organization has not increased staff or updated processes to manage regulatory change. According to Thomson Reuters, financial services had an average of 257 regulatory change events every business day in 2020, just in this one industry. In the past five years, the number of regulatory change updates impacting organizations has grown extensively across industries.

GRC 20/20 Research is seeing a steady pace of regulatory change management inquiries and research interactions, with a focus on artificial intelligence in this context. In our market research, we have reviewed and evaluated many solutions in this space. Some solutions deliver real value, while others claim A.I. but are stretching the term (anyone with some logic in a workflow claims it as A.I.), or are the Wizard of Oz with a man behind the curtain doing the work because the A.I. technology is not fully baked and delivering.

The best solutions deliver a lot of value in A.I. for regulatory change, with natural language processing, machine learning, deep learning, predictive analytics, generative A.I., and more.

I am told that if you print off the entire UK FCA rulebook, it is a stack of paper six feet tall. Print off the U.S. Code of Federal Regulations and lay it end to end, and it is longer than a marathon. Internal documents, like policies, are also a mess. One bank I built a business case for policy management for had one policy that took six months to get updated because of a regulatory change and went through 75 reviewers in a linear document check-in and check-out fashion . . . that certainly is not agile. Another bank states that if every branch printed the policy manual, it would be a stack of paper as tall as the Elizabeth Tower (Big Ben) in London.

A machine with natural language processing can read the US CFR or UK FCA rulebook in minutes. It would take me a year or more. But a machine can read it in minutes and then direct, map, and categorize it just as quickly.

The Chief Ethics and Compliance Officer (CECO) I interacted with at a life sciences firm did some internal testing on A.I. for regulatory change management. They not only found that a machine was a ‘gazillion’ times faster at reading and mapping regulations, but they also found it was 30% more accurate/effective. Think about it: if we are going to read a lot of legal documents/regulations, and I mean a lot, looking for changes/updates . . . our minds are going to wander and think about the plans for dinner or the weekend, or how our favorite sports club is doing. We miss things where a machine stays on point.

There are a variety of use cases for A.I. in regulatory change management. No one solution has all of this covered in detail, so it takes an architecture, and it often plugs into your favorite enterprise GRC platform for even broader value. These include:

  • Horizon Scanning. Using A.I. to monitor and evaluate pending legislation, proposed rules, changes in enforcement, speeches, and comments made by regulators to determine what we need to pay attention to today because it will be tomorrow’s concern.
  • Regulatory Obligation Library. Using A.I. to monitor the current state of regulations, changes in regulations, comparisons of change (side-by-side markups), and notifications, all to keep the organization current with the regulatory changes impacting the here and now.
  • Policy Management. Mapping regulations and changes to your current policy library and leveraging A.I. to tell you which policies should be reviewed because of changes and to suggest language for the update that addresses the change (generative A.I.).
  • Control Management. I worked on a large risk management RFP for a global organization a few years ago. Once they were done with that RFP, they looked to use A.I. to keep controls updated and current in their environment. They specifically leveraged Natural Language Processing to derive content-related information from local control descriptions. They then used Machine Learning to score quality and identify quality gaps in documentation. This enabled them to provide real-time feedback to control owners directly and indicate areas for improvement. They then built Scoring Reports & Dashboards to generate an overview of the documentation quality of ICS Principles in Business Units.

And this is just exploring the regulatory change management-related use cases of A.I. I also see a lot of interest in using A.I. for third-party risk management, from reading and comparing differences in policies/controls between an organization and a supplier/vendor to monitoring the range of third-party risk databases (e.g., ESG ratings, financial viability/corporate ratings, reputation and brand lists, watch lists, sanction lists, negative news, security ratings, politically exposed persons, geo-political risk, and more).

My job as an analyst is to research and understand the variety of GRC solutions (from very narrow and specific tools to broad platforms), understand what differentiates one vendor from another, and determine what the best solution is for an organization.

In that context, GRC 20/20 covers the range of Cognitive GRC solutions available in the market, around the world, and in which industries . . . and knows which are real and provide value, and which are ‘the Wizard of Oz.’