Posted on 1 Comment

Step 1: Develop a 3rd Party GRC Strategic Plan

I grew up in the Northwest corner of Montana, a beautiful but wild country. From my earliest years I loved the outdoors. In fact, long before any aspirations to build a career in Governance, Risk Management & Compliance (GRC), I wanted to be a backcountry ranger in Glacier National Park. To spend time in the outdoors requires planning and a respect for the outdoors. To go trekking requires a plan of where you are going so you know who and what to bring with you on that journey. This planning is exactly what organizations need in context of 3rd party governance/management.

The greatest challenge upon organizations in the context of GRC is the governance, risk management, and compliance of the range of 3rd party relationships. We have reorganized, outsourced, and distributed business around the world. Today’s modern organization is not a traditional brick and mortar business. Organizations are now defined by a complex, intricate, interconnected, and nested web of relationships and transactions. Traditional employees no longer define who works for an organization as over half of our insiders are now outsourcers, service providers, contractors, consultants, temporary workers, suppliers, vendors, brokers, agents, dealers, intermediaries, customers, partners, and even competitors who collaborate and work with us. Their issues, challenges, and problems are your organization’s issues, challenges, and problems. These relationships bring significant value but also significant risk as well as compliance and integrity concerns.

This is compounded by the growing array of risks and regulations that impact the organization and its extended relationships. Such as:

  • Anti-bribery and corruption (US FCPA, UK Bribery Act, Sapin II, OECD)
  • Business/supplier continuity
  • Data privacy & protection (EU GDPR, California CCPA, information security)
  • Ethics & Values (vendor/supplier code of conduct)
  • Geopolitical risk
  • Human rights (US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, international labor standards)
  • Import/export compliance
  • Quality (ISO 9000)
  • Environmental, Health & Safety (REACH, RoHS)
  • And more . . .

GRC 20/20 defines 3rd Party GRC (or 3rd party management, or what some more narrowly call vendor risk, supplier risk, etc.) as:

“the capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in and across and down throughout an organizations third party relationships: the extended enterprise.”

Adapted from the OCEG GRC Definition

The challenge and danger many organizations face in the journey to manage these relationships is a haphazard approach in which there is no careful and strategic plan. The organization, in its various departments, randomly addresses aspects of 3rd party GRC without thinking about the big picture. The result is a lot of redundancy, gaps, inefficiency, lack of agility and effectiveness, and thing slipping through the cracks. IT security has their approach, procurement is doing their thing, legal/compliance/ethics are doing something else, other groups such as quality, environmental, health and safety all have their approaches. Some are using documents, spreadsheets, and emails to govern third parties, others are using siloed commercial tools, and some are only putting out fires when a problem arises. No one sees the big picture and there is no coordinated effort to govern these relationships strategically to ensure that the value they are delivering outweighs the risk and exposure bring as well.

GRC 20/20 has identified three approaches organizations take to manage 3rd party relationships:

  • Anarchy – ad hoc department silos.  This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed 3rd party initiatives never see the big picture and fail to put 3rd party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how 3rd party GRC processes can be designed to meet a range of needs. An ad hoc approach to 3rd party GRC results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about 3rd party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on 3rd party performance and strategy leading to greater exposure than any silo understood by itself. 
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has issues as well. Organizations run the risk of having one department be in charge of 3rd party GRC that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing 3rd party relationships with the lowest common denominator and watering down 3rd party management. Further, there is no one-stop shop for everything 3rd party GRC as there are a variety of pieces to 3rd party management that need to work together. 
  • Federated – an integrated and collaborative approach.The federated approach is where most organizations will find the greatest balance in collaborative 3rd party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in 3rd party GRC participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in 3rd party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems. 

The modern organization has to have a strategic plan to govern 3rd party relationships to ensure they reliably achieve the objectives they were established for while managing the uncertainty and risk and act with the integrity and values that is expected of them. This requires a cross-department strategic plan, coordination, and collaboration on 3rd Party GRC. Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy.  The strategic plan is the foundation that enables thi3rdrd party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise. 

The core elements of the third party strategic plan include:

  • Third party governance team. The first piece of the strategic plan is building the cross-organization 3rd party governance team (e.g., committee, group). This team needs to work with 3rd party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in 3rd party GRC and get them collaborating and working together on a regular basis. Various roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party GRC charter. With the initial collaboration and interaction of the 3rd party GRC team in place, the next step in the strategic plan is to formalize this with a 3RD party GRC charter. The charter defines the key elements of the 3rd party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of 3rd party GRC, the members of the 3rd party governance team, and define the overall goals, objectives, resources, and expectations of enterprise 3rd party GRC. The key goal of the charter is to establish alignment of 3rd party GRC to business objectives, performance, and strategy. The charter also should detail board oversight responsibilities and reporting on third-party management.
  • Third party governance policy.The next critical item to establish in the 3rd party GRC strategic plan is the writing and approval of the 3rd party GRC policy (and supporting policies and procedures). This sets the initial 3rd party governance structure in place by defining categories of 3rd parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all 3rd party relationships be maintained with appropriate categorizations, approvals, and identification of risks.

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.

Posted on Leave a comment

Maintaining Internal Controls in Dynamic and Distributed Business

Organizations operate in a field of risk landmines. The daily headlines reveal companies that fail in risk, compliance, and internal controls. Business today is complex in its operations and corresponding internal control obligations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, and operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to an internal control program. As organizations expand operations, their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal and external risk in context of a changing business environment. What may seem insignificant in one area can have profound impact on others.

Risk and control is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing requirements and fluctuating risk exposure, yet fail to actively manage and understand the interrelationship of internal control data in the context of business and business change. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing internal controls as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined internal control practices that are monitored and adapted to the demands of a changing business and regulatory environment. 

Today’s business entity must ensure internal controls are understood and managed company-wide; that internal controls are more than a list in a spreadsheet, but are part of the fabric of business operations and processes. A strong culture of control ensures transparency, accountability, and responsibility as part of its ethical environment. A strong internal control program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure to the organization’s integrity.

Traditional processes of managing internal control programs (e.g., shared drives, spreadsheets, emails, etc.), can be time-consuming, error-ridden, mundane, and most importantly lacking in providing transparent insight on the state of controls across the organization. Requirements and processes can change frequently as a result of new or emerging risks, making it increasingly difficult for organizations to identify control requirements, map them against organizational processes, and then report on the level of compliance across the enterprise.

The organization has to be able to see the individual area of control as well as the interconnectedness of risk and controls. A GRC professional’s most challenging task therefore, is developing a process or framework to understand how internal and external risks interrelate with controls and business processes in context of change, and how to evaluate organizational initiatives against these requirements.

The Bottom Line: Organizations cannot readily understand control from a series of lists or spreadsheets. They need intelligence and insight into the relationships between the hierarchical dimensions that describe an organization’s internal control and risk ecosystem that predict the full scope of potential impacts (direct and cascading) due to actual or exploratory change to risk and business strategy. Organizations need solutions that support simulation and scenario planning for strategic and tactical action plans in response to change.

Upcoming Workshops (no cost & CPEs) . . .

Upcoming Webinars . . .

Posted on Leave a comment

Efficient and Effective Third-Party GRC Management

Modern Organization: Interconnected Maze of Relationships

Traditional brick and mortar business are a thing of the past. Physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, etc. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties. In this context, organizations struggle to identify and govern their third party relationships, with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations problems that directly impact the brand and reputation, while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them, and fail to actively manage and understand the interrelationship of third parties across the organization. The fragmented governance of third party relationships, through disconnected silos, leads the organization to inevitable failure. Reactive, document-centric, and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship, as well as the organization’s goals, objectives, and performance. Failure in third party governance comes about when organizations have:
  • Growing risk and regulatory concerns with inadequate resources – Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing thinking others are doing this. Or the opposite happens, different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected – The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight –Allowing different parts of the organizations to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end to end visibility of third party relationships.
  • Document and email centric approaches –When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship and becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report onsupply chain data. When things go wrong document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies –When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency – impacts effectiveness, while encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only –Risk and compliance issues are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change –Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, etc. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe – in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships are changing – introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance –Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services, but do not include monitoring risks such as compliance and ethical considerations.
Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated supply chain data management strategy, the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance – resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches data management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance, and understand its impact on the organization. The bottom line: A haphazard department, and document centric approach for third party management, compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy, as well as teams to define and govern third party relationships. Third party management is, “A capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across its 3rdparty relationships”. Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about performance, risk, and compliance, and how it impacts the organization.

GRC 20/20 Events & Resources for Third Party Management Include . . .

Upcoming Third Party Management Webinars

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Case Studies on Organizations Doing Third Party Management

Solution Perspectives on Third Party Management Solutions

Posted on Leave a comment

Managing Risk & Compliance in the Extended Enterprise

Modern Organization: Interconnected Maze of Relationships

No man is an island, entire of itself; Every man is a piece of the continent, a part of the main.[1]

Replace the word ‘man’ with ‘organization’ and the seventeenth-century English poet John Donne is describing the post-modern twenty-first century organization. In other words, “No organization is an island unto itself, every organization is a piece of the broader whole.” Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties. In this context, organizations struggle to identify and govern their third party relationships with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organizations problems that directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them and fail to actively manage and understand the interrelationship of third parties across the organization. The challenge:“Can you attest to the governance, risk management, and compliance of the organization’s extended business relationships?” Typical response: Organizations tend to look at the formation of a third party relationship and fail to foresee issues that cascade and cause damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship. The fragmented governance of third party relationships through disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance.  Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship and the organization’s goals, objectives, and performance. Failure in third party governance comes about when organizations have:
  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing thinking others are doing this. Or the opposite happens, different parts of the organization react to the same development without collaborating which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected. The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight.Allowing different parts of the organizations to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end to end visibility of third party relationships.
  • Document and email centric approaches.When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship and becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. To accomplish this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies.When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency, impacts effectiveness, while encumbering the organization when it needs to be agile.
  • Processes focused on onboarding only.Risk and compliance issues are often only analyzed during the on-boarding process to validate the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change.Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships is changing introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance.Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.
The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[2]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into third party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy. Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization. The bottom line: A haphazard department and document centric approach for third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Third party management is “a capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrityin and across its 3rdparty relationships.[3]Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.

GRC 20/20 Events & Resources for Third Party Management Include . . .

Third Party Management Workshop

GRC 20/20 will be leading a complimentary interactive workshop to facilitate discussion and learning between organizations on Third Party Management on the following dates and locations:

Strategy Perspective on Third Party Management

Research Briefings on Third Party Management

Case Studies on Organizations Doing Third Party Management

Solution Perspectives on Third Party Management Solutions


[1]A famous line from English Poet John Donne’s Devotions Upon Emergent Conditions(1624) found in the section Meditation XVII. [2]Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3. [3]GRC 20/20’s adaption of the OCEG definition of GRC found in the OCEG GRC Capability Model applied to third party management.
Posted on Leave a comment

Enabling the 1st Line of Defense with Policy, Training & Issue Reporting

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility. Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].”[1] Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives. The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity. As the name suggests, the Three Lines of Defense model is comprised of three layers of GRC responsibility and accountability in organizations. These are:
  1. Business Operations.The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  2. GRC Professionals.The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  3. Assurance Professionals.The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.
While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defense, not a lot has focused on how to effectively engage the first line of defense: the employees and managers in the front line of the organizations. Front line employees are making risk and compliance decisions every day and can either protect or expose the organization to unwanted issues. Risk and compliance are not just about the back office of risk, compliance, and audit management but it is about the front office engagement and education of employees on what is acceptable and unacceptable and how to report issues.  While a lot of attention has been given to effective management of the second (risk and compliance managers) and third line (internal audit) of defence, not a lot has focused on how to effectively engage the first line of defence: the employees and managers in the front line of the organizations. GRC 20/20 is presenting on a webinar on how to engage and enable the front lines of your organization through effective communication and training on policies and how to report issues and incidents in the organization. Attendees will learn:
  • GRC in the context of the Three Lines of Defence Model
  • How the second and third line of defense depend on the first line to protect the organization
  • How to effectively communicate and train the first line of defence on policies
  • Methods for first line employees to identify and report issues and incidents
  • How technology can automate and enable the first line of defense
  • Driving efficiency, effectiveness and agility into all three lines of defense
[button link=”https://www.brighttalk.com/webcast/11811/333341?utm_campaign=user_webcast_register&utm_medium=email&utm_source=brighttalk-transact&utm_content=title”]REGISTER[/button]
[1]This is the official definition of GRC that is found in the OCEG GRC Capability Model. www.OCEG.org
Posted on Leave a comment

Is SMR & CR, the UK Financial Services biggest challenge for 2018?

The UK Senior Manager’s Regime and Certification Regime (UK SMR/CR) is one of the most significant challenges financial services firms are facing right now. The Financial Conduct Authority (FCA) has recently announced that this regulation is going to be applied to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives on risk, compliance, and control. These individuals could go to jail or be personally fined (and their organization cannot reimburse them). The fines and actions are against them personally. For example, Barclay’s CEO was recently fined £640,000 personally under UK SMR/CR. It is the UK SMR/CR regulation that sees that other regulations as well as risks are properly managed in the organization. Compliance to UK SMR/CR is a huge issue and is the next wave of compliance and accountability. This is not just a UK trend, but a global shift in personal accountability and responsibility to senior executives and directors that is taking shape around the world. Hong Kong, Australia, Singapore, Japan, Ireland, and even New York (more of a board focus) all have similar developing legislation/regulation in varying aspects . . . The rest of the article can be read via the link in the button below. Michael Rasmussen of GRC 20/20 posted this as a guest blog on www.governorsoftware.com. [button link=”https://www.governorsoftware.com/news/is-smr-cr-the-uk-financial-services-biggest-challenge-for-2018″]READ MORE[/button]
Posted on Leave a comment

Defining the Issue Reporting & Case Management Process

Distributed and dynamic business requires the organization to take a strategic approach to issue reporting and case management. Organizations require complete situational and holistic awareness of issues, incidents, investigations, and cases across business operations and processes. This is best approached through structured and accountable processes enabled through an integrated information and technology architecture for issue reporting and case management. The goal is to manage individual issues at the detail level while being able to see the big picture and trends of issues and their impact on overall risk and compliance exposure. Two essential components for a mature and robust issue reporting and case management program are:
  1. Structured processesfor issue reporting and case management.
  2. Integrated information and technology architecturefor issue reporting and case management.
Issue reporting and case management processes determine the types of information needed, gathered, used, and reported. It is through the integrated information and technology architecture that processes can be properly managed. The architecture defines how organizational processes, information, and technology is structured to make issue reporting and case management effective, efficient, and agile across the organization.

Issue Reporting & Case Management ProcessStructure

Issue reporting and case management processes are a subset of overall business and GRC processes. Issue reporting and case management identifies where things are going wrong with a goal of containing, addressing, and correcting exposure, loss, and incidents. The issue reporting and case management process is the structural design of tasks and management of how issues are reported, investigated, and resolved. Structured processes for issue reporting and case management defines responsibilities, workflow, tasks, how issues are reported, cases managed, and how the processes work together as an integrated whole with other GRC and organizational processes. Issues and cases provide objective information that should in turn feed into risk management models as well as compliance reporting. For a mature GRC program, the organization requires the ability to track all issues across the enterprise (e.g. employee issues, customer issues, poor product quality, and supply chain).

There are five foundational process components that organizations should have in place for issue reporting and case management:
  1. Strategic/operational case planning and administration.This involves the ongoing planning and administration of issues, cases, investigators, workload, and tasks. Core to this is resource and case planning and administration, the ability to measure cycles/seasonality of cases, backlog, resource planning, and costs.
  2. Issue intake & triage.This is the foundational component where issues are reported. It involves being able to report and process issues coming from hotlines, web forms, management reports, and other inputs. The goal is to eliminate noise, consolidate duplicated issue reports, flesh out non-cases, and focus on what is critical and exposes the organization to the greatest risk. It is critical that the organization has the ability to automate and link between issues being reported, cases, parties, processes, places, and other relationships. From here initial planning and assignment of cases is done.
  3. This is the heart of the process that takes reported issue(s) and manages the process of investigation through to closure. Investigators need structured templates and processes to keep everything organized, document the investigation, manage tasks, provide notifications and escalation, and keep all information in one place for ease of reporting. The more the organization can automatically define the process to investigate an issue/case, the better. Accountability, centralization of information, keeping everything current and up to date, and having a defensible system of record that can stand up in court is critical to this stage of the process.
  4. Remediation & resolution.History repeats itself because no one was listening the first time. This stage of the issue reporting and case management process ensures that remediation steps are followed to mitigate or eliminate the risk of further issues and incidents. The organization needs to be able to track action items and ensure that things do not slip through cracks to obtain a reduction in repeated and future cases. The organization requires the ability to link issues to policies and procedures to ensure they are updated as resolutions dictate.
  5. Reporting, analytics & metrics.This is the stage of the process that provides detailed reports on both individual and aggregate cases. The organization should be able to track past due tasks, benchmark timelines of cases, identify where loss can be mitigated, and reduce gaps.

Issue Reporting & Case Management Information & Technology Architecture

With processes defined and structured the organization can now define the information architecture needed to support issue reporting and case management processes. Issue reporting and case management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a structured and coordinated whole. The issue reporting and case management information architecture involves the structural design, labeling, use, flow, processing, and reporting of information to support issue reporting and case management processes. This architecture supports and enables the process structure and overall issue reporting and case management strategy. Successful issue reporting and case management information architecture will be able to integrate, manage, and report on issues and cases across the organization. This requires a robust and adaptable information architecture that can model the complexity of information, transactions, interactions, relationship, cause and effect, and analysis of information that integrates and manages with a range of business systems and data. The issue reporting and case management technology architecture operationalizes information and processes to support the overall strategy. The right technology architecture enables the organization to effectively manage issues and facilitate the ability to document, communicate, report, and monitor the range of investigations, tasks, responsibilities, and action plans. There can and should be a central core technology platform for issue reporting and case management that connects the fabric of the processes and information together across the organization. Many organizations see issue reporting and case management initiatives fail when they purchase technology before understanding their process and information requirements. The “best” systems are the ones that are highly configurable to a client’s situation and can be adapted to the company’s forms, processes, technical architecture. The system should not run the business, the business should run the system. Organizations have the following technology architecture choices before them:
  • Documents, spreadsheets, and email.Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources. The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring. This is where most organizations have focused in managing issues and cases. There is increased inefficiency and ineffectiveness as this document centric and manual approach grows too large and limits the amount of information that can be managed.
  • Custom built databases.Organizations also have built custom internal databases to manage issues and cases. The challenge here is that the organization ends up maintaining a solution that is limited in function and costly to keep current. Many companies go from the document and spreadsheet approach to building a custom database that is limited in features, reporting, and scalability at a cost of internal IT resources and maintenance.
  • Issue reporting and case management platforms.These are solutions deployed for issue reporting and case management and have the broadest array of built-in (versus built-out) features to support the breadth of case management processes. In this context, they take a full-lifecycle view of managing the entire process of issue reporting and case management. These solutions allow an organization to govern incidents and issues throughout the lifecycle and enable enterprise reporting.
Most homegrown systems are the result of starting with tools that are readily available and easy: documents, spreadsheets, emails, and desktop databases. Too many organizations take an ad hoc approach to issue reporting and case management by haphazardly using documents, spreadsheets, desktop databases, and emails, which then dictates and limits what their issue reporting and case management process will be limited to. This approach then grows and expands quickly outgrowing these desktop tools to the point where it grows cumbersome. Organizations suffer when they take a myopic view of issue reporting and case management technology that fails to connect all the dots and provide context to analytics, performance, objectives, and strategy in the real-time business operates in. The right issue reporting and case management technology architecture choice for an organization involves an integrated platform to facilitate the correlation of issue and case information, analytics, and reporting. NOTE: GRC 20/20 will be conducting a Research Briefing on how to build a business case, define value/return, and navigate the range of requirements and solutions to automate and enable the issue reporting and case management process. For example, one organization spent 200 FTE hours on doing an end of year report on the organizations cases, investigations, incidents, and issues . . . it now takes them less than 5 minutes. Register to attend (and gain access to the on-demand recording afterwards) Buyer’s Guide: Issue Reporting & Case Management Solutions.

Upcoming Research Briefing On Issue Reporting & Case Management

Research Paper: Value of Issue Reporting & Case Management

Research Paper: Case Study on Issue Reporting & Case Management

Solution Perspectives: Solution Overviews in Issue Reporting & Case Management

Strategy Perspectives: Strategic Directions in Issue Reporting & Case Management

Posted on Leave a comment

An Enterprise Approach to Issue Reporting & Case Management

GRC 20/20 has seen many organizations take an enterprise perspective on aspects of GRC, such as Enterprise Policy Management, Enterprise Third Party Management, and, of course, Enterprise Risk Management. Over the past 18 months, GRC 20/20 has seen a growing demand for Enterprise Case Management which involves issue reporting (e.g., hotlines, management reports, complaints) and case management (e.g., issues, incidents, cases, investigations). This is a holistic strategy to manage all issues/case types in a federated and collaborative strategy across departments. This is particularly interesting as case/issue information ties closely into and feeds metrics and data into policy management and risk management programs. Issue reporting and case management has become a moving target which needs a structured approach supported by a strong process, information, and technology architecture. Whether unintentional issues or acts of the malicious miscreant, organizations need to be prepared and have established processes in place to manage issues as they arise in the organization. GRC professionals are challenged to get a big picture point of view of the range of issues being reported across the organization and the management of cases that impact how the organization’s “ability to reliably achieve objectives while addressing uncertainty and acting with integrity.”[1] The typical organization has a variety of departments managing a diverse range of issues, cases, incidents, and investigations.[2] These issues and cases are often managed in silos of documents, spreadsheets, and emails or in home-grown databases and applications. Different departments often have diverse approaches and the organization does not have insight into the range of issues that are happening across operations. Organizations often lack a central repository for case management and the use of home grown solutions has limitations that make the issue management processes inefficient, ineffective, and burdensome to the organization. Issue reporting and case management is often a tactical and fragmented approach with highly diverse approaches taxing the business. Issue management across the organization is often scattered across departments, such as
  • Corporate security
  • Complaints
  • Compliance
  • Environmental
  • Ethics and compliance
  • Fraud and corruption
  • Health and safety
  • Human resources
  • Insurance claims
  • IT security
  • Legal
  • Physical security
  • Privacy
  • Quality
  • Third party suppliers and vendors
The breadth of silos to issue reporting and case management results in a maze of disconnected processes, reporting, and information. These are redundant, document-centric, and manual approaches that do not integrate and are highly inefficient. Different functions spend more time managing the volume of emails, documents, and spreadsheets than they actually do managing the issues themselves. The line of business is overwhelmed with inconsistent approaches to issue reporting and case management. This fragmented approach to issue reporting and case management resembles battling the multi-headed Hydra in mythology. As the Hydra grows more heads of risk, regulation, and ethical challenges, issue reporting and case management professionals find that scattered approaches leave them exhausted and overwhelmed as they lose the battle. This results in a reactive fire-fighting approach to issue reporting and case management, with silos of data that professionals struggle to find the time to coordinate and link together manually. This piecemeal approach is inefficient, increases risk exposure, and leads to serious matters that fall through the cracks. Redundant and inefficient processes lead to overwhelming complexity that slows down the business in an environment that actually requires agility. The document-centric, scattered, and manual processes of the past have impaled case management functions with inefficiency. Process management and reporting is primarily comprised of emails, documents, shared files, homegrown databases, spreadsheets, and manual processes. Case management professionals are spending a disproportionate amount of time collecting data and reporting on data instead of time spent adding strategic value to the business through analyzing and trending the data collected. This antiquated approach leaves teams with flat metrics that lack context and don’t help professionals identify or address problematic processes, culture, or behavioral issues. GRC professionals often express to GRC 20/20 Research their frustration with the:
  • Inability to gain a clear view of issue reporting and case management interdependencies
  • High costof consolidating silos of GRC and issue management information
  • Difficulty maintaining accurate GRC and issue management information
  • Failure to trend across issues, departments, and reporting periods
  • Incapability of providing GRC and issue intelligence to support business decisions and strategic planning
  • Redundant approaches that limit correlation, comparison, and integration of information
  • Lack of agility to respond promptly to changing regulations, laws, and business environment

Dynamic & Distributed Business Compounds the Problem

Organizations today are distributed and dynamic. The modern organization is a complex web of employees, suppliers, vendors, contractors, consultants, agents, and third parties. At the same time, organizations are constantly changing: business is dynamic. Employees, relationships, regulations, risks, economies, litigation, regulation, and legislation are constantly changing. These challenges are making organizations rethink their approach to issue reporting and case management. Organizations are looking for greater agility and effectiveness, while achieving greater efficiency with human and financial resources in identifying and resolving issues. The goal is to:
  • Align stakeholder demands for transparency and accountability.
  • Leverage emerging technologies to improve efficiency, effectiveness, and agility.
  • Enable GRC professionals to better target resources where issues identify the greatest exposure.
This trend points in one clear direction: a new issue reporting and case management architecture that is dynamic, predictive, and information-based through the deployment of an integrated information, intelligence, and analytics architecture to overcome the inefficiencies of the manual and document-centric approaches of the past. This approach to issue reporting and case management delivers demonstrable proof of risk and compliance management, discovery and containment of issues, and shifting the focus of efforts from being reactive and “checking the box” to being proactive and forward-looking. Organizations need greater efficiency in processing and managing issues with structured information and process, greater effectiveness in ensuring corporate integrity, and increased agility in addressing rapidly changing business, regulatory, legal, and reputational risks. The bottom line: Issue reporting and case management programs have been very tactical and inefficient in the past in collecting issue reports and managing cases. GRC functions across the organization have lacked an overall approach to manage issues, provide reporting and analytics, and the ability to move issue reporting and case management from the tactical approach to an integrated strategic approach that aligns with governance, risk management, and compliance strategy and processes. A centralized issue reporting and case management system saves time and money and creates an environment where the organization can measure the effectiveness and efficiencies of GRC resources. [1]This is the official definition of GRC as found in the OCEG GRC Capability Model. [2]For the purpose of this post, the term issues and cases will be used but should be understood to include incidents and investigations.

Upcoming Research Briefing On Issue Reporting & Case Management

Research Paper: Value of Issue Reporting & Case Management

Research Paper: Case Study on Issue Reporting & Case Management

Solution Perspectives: Solution Overviews in Issue Reporting & Case Management

Strategy Perspectives: Strategic Directions in Issue Reporting & Case Management

Posted on Leave a comment

3 Key Findings from the Policy Management by Design Workshop

Policy management is a crucial component of a larger corporate governance, risk management, and compliance (GRC) program. Adherence to external regulations and instilling employee accountability starts with well-established organizational policies and procedures. In GRC 20/20’s recent workshop Policy Management by Design (Workiva hosted). Attendees from across industries came together to learn about policy management best practices and how they can be implemented to modernize compliance programs. Here are three of the top takeaways from the Policy Management by Design Workshop.

1. Policy management affects organizations of all sizes

The challenges of managing policies and procedures were common across all attendees—impacting large and small, public and private companies alike. Attendees shared several concerns for internal compliance, including:
  • Updating policies is a reactive process rather than proactive, meaning policies are often outdated
  • Searching for policies is difficult without a cross-organizational master index
  • Ownership and enforcement is insufficient
  • Version control is not available and understanding what changed in the event of an audit is problematic
  • Visibility into how policies link to other internal control frameworks is limited
  • Measurement of policy effectiveness is inadequate or unavailable

2. Policy management can be like a “choose your own adventure”

A key part of the discussion revolved around how the creation, review, and update of policies is like a “choose your own adventure,” as no two programs are alike, even within the same company. Departments see varying levels of stakeholder commitment and uncoordinated use of policy management tools. Many in the room agreed: there is a need for standardization in order to create a clear path from point A to B.

3. Consistency, consistency, consistency

Many attendees cited the challenges of policies that are managed by multiple departments. Everyone has their own way of doing things, which means the way an employee code of conduct is written, accessed, and enforced may be very different than a non-disclosure agreement (NDA). A united approach keeps everyone on the same page and should include:
  • Consistent user experience (UX): The number one criteria attendees want in policy management software is ease of use. How can leaders expect to engage employees if the tools they are given are disconnected, clunky, or require a steep learning curve?
  • Consistent policies: Intent, messaging, and enforcement among policies must match. Conflicting messages between policies weakens buy-in and generates mistrust across the organization.
  • Consistent governance: Leaders must be able to track issues or incidents back to policies in order to ensure the proper level of training. Selecting when and what to enforce is ineffective.

What should you look for in a policy management technology?

Evaluating policy management options can be daunting. Rasmussen suggested looking solutions which are proven to streamline the process of policy drafting, document management, and distribution across the team. Rasmussen recommended comparing the following criteria when selecting a policy management solution:
  1. Ease of use and intuitiveness
  2. Defensible system of record with a precise, electronic record of who changed what policy, how, and when
  3. Access to a master index of all policies
  4. Ability to cross-reference linking to other policies
  5. Ability to link policy information across documents, spreadsheets, and presentations
  6. Tools for policy review and attestation workflow and tasking
  7. Survey capabilities

Continuing the conversation on governance, risk, and compliance

The Policy Management by Design Workshop enabled participants to learn from experts, share ideas, and network with peers on best practices for company policies. Attendees came away from the event with a number of new strategies for strengthening policy management in their own workplaces. This post was originally published by Workiva.

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies

Posted on 1 Comment

Improving Policies Through Metrics

It is unfortunate that many policies are written and then left to slowly rot over time. What was a good policy five years ago may not be the right policy today. Those out-of-date but still existent policies can expose the organization to risk if they are not enforced and complied with in the organization. Effective policy management requires that the policy lifecycle have a regular maintenance schedule. My recommendation is that every policy goes through an annual review process to determine if the policy is still an appropriate policy for the organization. Some organizations rank their policies on different risk levels that tie into periodic review cycles—some annually, others every other year, and others every three years. In my opinion, best practice is for every policy to undergo an annual review. A system of accountability and workflow facilitates the periodic review process. The policy to be reviewed gets assigned to the policy owner(s) and has a set due date for completion. The decision from this review process will be to retire the policy, keep the policy as it is, or revise the policy to meet the current needs and obligations of the organization. Policy owners need a thorough understanding of the effectiveness of the policy. This requires the policy owner have access to metrics on the effectiveness of the policy in the environment. Some of the things that the policy owner will want to look at are:
  • Violations. Information from hotline as well as investigation systems to determine how often the policy was violated. The data from these systems indicate why it was violated—lack of awareness, no training, unauthorized exceptions, outright violations.
  • Understanding. Completion of training and awareness programs, policy attestations, and related metrics show policy comprehension. Questions to a helpdesk or compliance department uncover ambiguities in the policy that need to be corrected.
  • Exceptions. Metrics on the number of exceptions that have been granted and the reasons they were granted. Too many exceptions indicate that the policy is inappropriate and unenforceable and needs to be revised.
  • Compliance. At the end of the day the policy needs to be complied with. Any controls that the policy governs and authorizes and the state of those controls is to be reviewed by the policy owner to determine policy effectiveness.
Environment. The risk, regulatory, and business environment is in constant change. The policy may have been written to address a state that no longer exists. Changes to the business (e.g., mergers/acquisitions, relationships, strategy), changes to the legal environment (e.g., laws, regulations, enforcement actions), and changes to the external risk environment (e.g., economic, competitive, industry, society, technology) are to be reviewed to determine if the policy needs to change. When a policy does change it is critical that the organization be able to keep a history of the versions of the policy, when they were effective, and the audit trail of interactions around the policy. The audit train is used to present evidence of effective policy management and communication and includes a defensible history of policy interactions on communications, training, acknowledgments, assessments, and related details needed to show the policy was enforced and operational.

I am presenting in detail on this specific topic in the following webinar . . .

On-Demand Policy Management Research Briefings

Published Research on Policy Management – Strategy Perspectives

Published Research on Policy Management – Solution Perspectives

Published Research on Policy Management – Case Studies