The Challenges & Risk in Artificial Intelligence

This blog is an excerpt from GRC 20/20’s latest research paper, READ MORE in: A.I. GRC: The Governance, Risk Management & Compliance of A.I.

Artificial Intelligence (A.I.) has emerged as a disruptive force, propelling organizations into the future. Its transformative capabilities promise efficiency, accuracy, and scalability, providing a significant competitive edge. However, alongside the immense potential, A.I. usage poses unique risks and challenges that organizations must acknowledge and address.

While A.I. offers numerous opportunities for organizations, it is not without risks and challenges. Recognizing and addressing these challenges is necessary for the successful integration and responsible use of A.I. Some of the challenges of A.I. include:

  • Powerful. A.I. can effect significant change with minimal effort. While this is a major strength, it also means that a little A.I. use by an unskilled worker could result in a profoundly negative outcome. Companies may be wise to adopt a “first do no harm” approach.
  • Complexity. One of the primary challenges in using A.I. is the complexity of its implementation. Effective A.I. integration requires substantial investment in technology, skilled labor, and time. Organizations need experts capable of governing, developing, maintaining, and managing A.I. systems, which often leads to costly upskilling or recruitment of new resources. Additionally, compatibility with existing systems and workflows must be considered, often requiring a complete overhaul of current practices.
  • Simplicity. Complexity is certainly a challenge, but the recent A.I. gold rush also has the opposite concern, simplicity. The necessity of data scientists, advanced technology infrastructure, and sizable ongoing support costs, all served as a check to keep many companies from running amok with the technology. With generative A.I., however, that bar is removed. Anyone can leverage these technologies, with limited resources and no training or consideration of the consequences. Essentially, the brakes have been removed while traveling at high speed.
  • Productivity. Many A.I. use cases are productivity enhancements, such as GitHub Copilot, which suggests to the developer what their next code block should be. The developer either accepts, modifies, or declines the suggestion. This is the same type of technology that iPhones, GSuite, etc. use. How A.I. is being used is a major determining factor between IT tool governance and A.I. model governance. As organizations use productivity tools laced with A.I. (versus full process automation), we will see ITGCs, SOC 2 reports, and data agreements that cover many of these issues.
  • Data Privacy. Data privacy is another critical concern with A.I. usage. A.I. systems are data-hungry, needing vast quantities of data for training and operation. This dependence raises significant issues regarding data security, user privacy, and compliance with regulations such as GDPR. Breaches can lead to severe reputational and financial damage.
  • Bias. Bias is an inherent problem in A.I. systems that poses significant ethical and practical concerns. If the data used for training is biased, the A.I. system can amplify and reproduce these biases, leading to unfair outcomes. Examples include discrimination in hiring through A.I.-powered recruitment tools or unequal treatment in A.I.-driven healthcare solutions.
  • Opaqueness. Another risk with A.I. is the “black box” problem, referring to the opaqueness of A.I. decision-making. Advanced A.I. models, particularly in deep learning, often make decisions in ways that humans cannot easily understand. This lack of transparency can be problematic, especially in sensitive areas like healthcare or finance where understanding the rationale behind decisions is crucial.
  • Legal Liability. A.I. systems also present a potential liability issue. Determining culpability when an A.I. system causes harm is not straightforward. Is the developer, user, or even the A.I. system itself at fault? Legal systems worldwide are currently grappling with these novel issues. This can be further broken down into:
    • Supply Chain challenges because A.I. systems and models are being developed using open source or other code where the country of origin or its reliability is not known.
    • Inappropriate or unintended use, which could lead to legal exposures.

Addressing these challenges requires a multifaceted approach. Organizations must develop a comprehensive A.I. strategy (see A.I. GRC below), addressing the technical aspects of A.I. implementation and ethical, legal, and social considerations. They must also invest in upskilling their workforce and adopt a culture of continuous learning to keep up with this rapidly evolving technology. This also requires ongoing collaboration between organizations, regulators, and policymakers. These collaborations can help create a conducive environment for A.I. usage, with adequate regulations to manage risks without stifling innovation. As A.I. technology evolves, organizations must remain vigilant, adaptive, and ethical in their A.I. journey.

If the enterprise has existing model risk management (MRM) processes, A.I. models that are being used for process automation should be handled within an MRM framework that this paper promotes. It is critical to not reinvent the wheel and instead adapt existing MRM best practices.

Increasing Regulatory & Legal Pressure on A.I.

A cavalier approach to A.I. has led to a monumental lack of structured A.I. governance within organizations at a time when there is a growing need for enterprise visibility into A.I. and its use. Organizations should keep an accurate inventory of A.I. technology and models, documentation, and defined roles and responsibilities in A.I. governance, risk management, and compliance throughout the A.I. use lifecycle. A.I. is evolving rapidly, fundamentally reshaping various industries, including healthcare, finance, and defense. However, its escalating integration into everyday life has raised many legal and regulatory challenges.

There are several legal issues tied to A.I. usage. These include:

  • Privacy and Data Protection and Leakage. A.I. systems often require large amounts of potentially sensitive data, posing risks to privacy rights and data protection. For instance, A.I. applications like facial recognition technology have raised significant privacy concerns. Therefore, jurisdictions worldwide are deliberating on stricter data protection laws to control A.I. misuse. This also includes data leakage, where responses may inadvertently include sensitive information from training data sets. And given the often global nature of organizations, issues around cross-border transfer of data also arise.
  • Bias and Discrimination. A.I. systems can potentially reflect and amplify societal biases, which could lead to discriminatory practices. There have been cases where A.I. algorithms used in hiring or criminal justice systems have produced biased outcomes. Lack of visibility into methodology also makes bias and discrimination difficult to identify and resolve.
  • Liability & Accountability. There is legal ambiguity surrounding who should be held accountable when A.I. systems cause harm, or in the event of errors or failures that lead to compliance violations.
  • Intellectual Property Rights. Questions regarding A.I.’s creative outputs, whether these should be considered intellectual property, and if so, who should hold the rights, remain largely unresolved. There are also questions about intellectual property rights associated with inputs, and whether these comply with, for example, licensing and copyright terms and conditions.
  • Security. A.I. could be exploited for malicious purposes, like deepfakes or autonomous weapons, necessitating legal provisions for managing these risks.

Regulators are focusing on these legal issues with increased regulatory requirements and scrutiny in the governance and use of A.I. It is understood that A.I. is becoming a necessary part of business, but regulators want to ensure that A.I. is governed, developed, validated, used, and maintained properly to ensure the stability of organizations and industries. In that context, this is putting greater emphasis on A.I. governance and risk management. Financial services regulators have been leading in this area. MRM is an established function in financial services, and recent statements highlight A.I. as “just another” model type to be included (e.g., the OCC Model Risk handbook and PRA SS1/23).

The regulatory landscape for A.I. varies globally, reflecting different cultural, societal, and political contexts. However, many jurisdictions are moving towards comprehensive legal frameworks to manage A.I. risks.

  • European Union. The EU has been at the forefront of A.I. regulation, with its proposed A.I. Act aiming to establish robust and flexible rules for A.I. use across its member states.
  • United States. The U.S. currently relies on sector-specific regulations, like the Fair Credit Reporting Act for A.I. in finance, as well as OCC 2011-12 (SR 11/7) for model risk management in finance. However, there is ongoing discussion of comprehensive federal A.I. laws. The White House has published an AI Bill of Rights that will be applicable across the board.
  • United Kingdom. In the U.K., the PRA CP6/22 proposed firms should adopt five principles which it considers to be key in establishing an effective MRM framework. The principles were intended to complement existing requirements and supervisory expectations in force on MRM.
  • China. China’s A.I. regulation encourages innovation while setting certain limits to protect national security and public interests.
  • Other International Efforts. Organizations such as the OECD and UNESCO are working towards global A.I. standards and principles to ensure responsible A.I. use.

A.I. presents both enormous potential and significant challenges. As A.I. use grows, corresponding legal and regulatory frameworks evolve in tandem to mitigate risks while promoting innovation. Harmonizing regulations across jurisdictions and developing comprehensive, flexible laws are key steps to responsibly integrating A.I. into society. A.I.’s complexity and rapid evolution necessitate ongoing research and dialogue among all stakeholders: regulators, A.I. developers, users, and society at large.

The Bottom Line: A.I. is rapidly growing in variety, complexity, and use within organizations. It is quickly moving from a tactical focus to a strategic pillar that provides the infrastructure and backbone for strategy and decisions at all levels of the organization. A.I. left ungoverned over time brings loss and potential disaster. Unfortunately, many organizations lack governance and architecture for A.I. risk management. Organizations need to provide a structured approach for A.I. governance, risk management, and compliance that addresses A.I. governance, lifecycle, and architecture to manage A.I. and mitigate the risks it introduces while capitalizing on the significant value of A.I. when properly used.

360° Risk Intelligence in the Extended Enterprise

The Modern Organization is an Interconnected Web of Relationships

The structure and reality of business today has changed. Traditional brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define the organization. Instead, the modern organization is an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries. Even the smallest organization can have dozens of relationships that they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers.

With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships becomes even more critical. Without effective GRC, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives.

In a dynamic risk environment, resiliency requires agility and the ability to navigate great uncertainty. Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence with insights to both assess the current and future risk landscape and drive sagacious action.

The Inevitability of Failure: Fragmented Views of Third-Party Risk

Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices. Recent technological advances in automation, machine learning, and data science enable organizations to be more effective and do more with fewer resources, but unfortunately, too many organizations have failed to seize the opportunity to evolve beyond expensive and inefficient legacy solutions.

Failure in third-party GRC comes about when organizations rely on outdated risk practices including:

  • Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and architecture. The risk posed by a third party for one business function may seem immaterial but is actually significant when factored into multiple risk exposures across all of the business functions relying on the same third party. Without a single pane of visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated.
  • Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. While risk functions are operating with limited budgets and human teams, they need to do more with less. In reality, truly effective continuous monitoring and mitigation of today’s dynamic and ever-expanding risk landscape is beyond human capabilities alone.
  • Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data. In addition, when things go wrong, these manual processes neither support agility nor a robust feedback loop to improve processes going forward.
  • Limited view of risk vectors. Organizations often over-rely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location, and Nth parties. To fully understand the complete risk picture, an organization needs to have full-spectrum risk coverage.
  • Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, thus making it difficult to maintain, aggregate, and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs.
  • Overreliance on periodic assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship, with only periodic re-assessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.
  • Inadequate incident response. How organizations respond to incidents can often dictate how quickly and adequately they mitigate risk. Most enterprises respond to an incident today by sending a survey to all their third parties asking whether they have been impacted. This process takes time, often has low response rates, and then carries the added burden of how to assess and report on the responses. Most importantly, it captures a single point in time, and so is often a wasted effort. Incidents and their impact often unfold over time, and the best approach is one that is real-time and continuous.
  • Negative news services can overwhelm risk teams. Risk intelligence has the potential to overwhelm organizations. Information feeds from various sources such as legal, regulatory updates, newsletters, websites, emails, journals, blogs, tweets, and content aggregators can drown the risk team as they struggle to monitor a growing array of regulations, legislation, corporate ratings, geopolitical risk, and enforcement actions. Risk intelligence that requires weeding through an exorbitant volume of notifications that includes noise and false positives to identify relevant risks only compounds the problem. One needs an intelligent system that can deliver accurate and actionable insights and remove the noise.

The bottom line: The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure. It is time for organizations to step back and move from legacy practices, defined by manual processes and periodic assessments, to a third-party risk intelligence architecture that includes integrated full-spectrum real-time feeds of situational awareness that impacts the extended enterprise and operations.

This is an excerpt from GRC 20/20’s latest Strategy Perspective research publication: 360° Risk Intelligence in the Extended Enterprise: Ensuring Agility, Resiliency & Integrity in Third-Party Performance.

Have You Done your Policy Enforcement Push-ups?

I love teaching my “By Design” Workshops! This past Monday it was Policy Management by Design, my favorite of all of them, in New York City. It is great to be back live teaching these interactive workshops, and it was a great day in New York with engaged attendees from a range of organizations.

The Policy Management by Design Workshop has a lot of new content. Including the Policy Management Capability Model that I worked hard on publishing with OCEG in our joint venture with It also includes my new Policy Management Maturity Model.

In discussing Policy Enforcement, one of the 5 components of the Policy Management Capability Model, one organization in attendance stated how they increased policy awareness and compliance by getting creative in policy enforcement. The example this person gave was in the context of their Background Check Policy. If an employee does not follow the background check policy then they and their manager have to do push-ups in front of others. That is one example of creatively building a culture of integrity and policy compliance.

In a previous workshop, before lockdowns, a global software firm stated they take their inclusion, diversity, equality, harassment, and discrimination policies very seriously. If an employee gets behind in their policy acknowledgment and required related training in these areas . . . they go to log in to their computer and they will find all they can access is the policy management portal with the policy acknowledgment and training they have to complete. Another example of policy enforcement.

This is what I love about these workshops. I can lecture and teach all day, but attendees learn from each other as much as they do from me.

Myself teaching on the Policy Management Capability Model in the New York Policy Management by Design Workshop this week.

Upcoming Workshops . . .

November 30

Enterprise GRC Management by Design – Minneapolis

Blueprint for an Effective, Efficient & Agile Enterprise GRC Program. Governance, risk management & compliance (GRC) is something an organization does and not something an organization buys. GRC, done properly, is what is achieved throughout the business and its operations. By definition, GRC is “a capability to reliably achieve objectives while addressing uncertainty and acting with integrity.” This requires that GRC needs […]

December 2

Compliance Management by Design – New York

Blueprint for an Effective, Efficient & Agile Compliance Management Program. Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Complicating matters, today’s organization is dynamic and constantly changing. The modern organization adjusts by the minute. New employees come, others leave, roles change. […]

March 10

Risk Management By Design Workshop – New York

Risk is pervasive throughout business strategies, operations, and processes. Siloed approaches to risk management leave the organization not seeing the big picture of risk. The reaction is often to centralize risk management which forces different areas of the organization into a one-size-fits-all risk management model that fails to adequately manage and monitor risk. Defining strategy, […]

Complexity of Business Demands a New Paradigm in Legal Governance, Risk Management & Compliance

Understanding the Interrelationship of Legal Risk and the Business

In today’s global business environment, a broad spectrum of economic, political, social, legal, and regulatory changes are continually bombarding the organization. The organization continues to see exponential growth of regulatory requirements and legal obligations (often conflicting and overlapping) that must be met, which multiply as the organization expands global operations, products, and services. This requires an integrated approach to legal governance, risk management, and compliance (GRC) with the goal of reliably achieving objectives while addressing uncertainty and acting with integrity. This includes adherence to mandatory legal requirements and voluntary organizational values and the boundaries each organization establishes. The legal department, with responsibility for understanding matter management, issue identification, investigations, policy management, reporting and filing, legal risk, and the regulatory obligations faced by the organization, is a critical player in GRC (what is understood as Enterprise or Integrated GRC), as well as in improving GRC within the legal function itself (what is defined later in this paper as Legal GRC).

Most organizations today at least try to address the legal risks, intellectual property protection, contracts, business requirements, and compliance obligations they face. Both internal and external stakeholders and events have caused many to increase legal monitoring and reporting, especially with regard to changing laws and regulations where demands grow every day. Boards and executive management desire a deeper understanding of how their teams address legal matters, whether activities are effective and efficient, and how they can enhance activities to create the greatest reward for their shareholders and mitigate legal damage. Legal risk is a significant exposure that fits into a broader enterprise risk management strategy to address the strategic, operational, and financial risks bearing down on the organization. As this demand for transparency increases, so does the need for legal to manage and monitor legal risks within a defined GRC capability.

The physicist Fritjof Capra made an insightful observation on ecosystems that rings true when applied to legal governance in the modern organization:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”

Fritjof Capra

Capra’s point is that ecosystems are complex, interconnected, and require a holistic understanding of the intricacy in interrelationships as an integrated whole, rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts the entire ecosystem.

Legal GRC: a New Paradigm for Governing Legal

Legal governance, risk management, and compliance as it is conducted in the business is pervasive, complex, and interconnected; when it comes down to it, legal risk and exposure goes beyond the legal department as it intersects with other departments and their strategy, obligations, processes, transactions, relationships, information, and contracts. Business functions are often taking legal risks without involving legal, or legal does not have the resources to get involved.

What complicates this is the exponential effect of legal governance on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Silos of data, systems, processes, activities, and transactions can leave the organization with fragments of truth that fail to see the big picture of legal risk exposure. A legal risk, such as in DSARs (data subject access requests), could reveal inappropriate use of personal information and exposure of that information, with a cascading impact on the brand and reputation, as well as fines to the organization. The organization has to have holistic visibility and 360° contextual awareness into legal risk relationships across the enterprise and its operations. The complexity of business, combined with the intricacy and interconnectedness of legal data, requires that the organization implement a new strategy and paradigm for legal governance, risk management, and compliance (Legal GRC).

Legal GRC is a capability to reliably achieve the objectives of the legal department and ensure they are aligned with business objectives and needs [GOVERNANCE], while addressing legal uncertainty and exposure [RISK MANAGEMENT], and acting with integrity toward the obligations and ethical commitments of the organization [COMPLIANCE]. This is adapted from the official GRC definition in the OCEG GRC Capability Model. Breaking this down, Legal GRC delivers:

  • Legal Governance. Governance of the legal function that sets direction and strategy for legal to reliably achieve objectives within the department and support the business in achieving its objectives.
  • Legal Risk Management. Legal risk management seeks to manage and understand uncertainty in the business, particularly the legal impact of activities by the identification, assessment, and monitoring of legal risk within the context of business and to act on legal risk through acceptance, avoidance, mitigation, or transfer.
  • Legal Compliance. Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. Compliance follows through on legal risk treatment plans to assure that legal risk is being managed within limits and controls are in place and functioning.

The lack of a coordinated strategy for Legal GRC management fails to deliver insight and context, rendering it nearly impossible to make a connection between legal risk management and decision-making, business strategy, objectives, and performance.

The bottom line: Organizations need to adopt a new paradigm of an integrated approach to Legal GRC. This is done through a common Legal GRC strategy, process, information, and technology architecture that supports overall legal activities, as well as integrates and supports the broader business objectives and GRC activities from an enterprise view. Organizations need to clearly define and develop the breadth and depth of their Legal GRC management strategy and process requirements, and from there select the right information and technology architecture that is agile and flexible to meet the range of Legal GRC management needs for today and into tomorrow.

The above blog is an excerpt from GRC 20/20’s latest research paper, Legal GRC Management by Design:

Next-Generation Policy Management: Collaborative Accountability

Policy management is a critical issue for organizations across industries, geographies, and sizes. In a time of chaos and change, organizations must get an enterprise perspective on, and control of, what policies they have and how they are communicated.

In 2020, I am finding that organizations have realized what a mess their policies are in. They are out of date, scattered on different portals, sites, and file shares. Policies are in different templates with different writing styles. Most organizations could not even produce a list of all the official policies in their organization. In a time of crisis and change, organizations are scrambling to provide consistent policies in a single portal that reflects the brand and reinforces the culture of the organization. That culture needs policies that assure individuals that the company is in control and that they are part of a broader organization, whether working from home or in an office.

One of the key elements I see in RFPs and inquiries for policy management software, particularly among large global organizations, is the need for collaborative accountability in policy authoring, approvals, and maintenance. Let’s break this apart into the two components:

  1. Collaborative. Policy management needs to be collaborative. Multiple authors and subject matter experts provide input into policies and the various regional/jurisdictional impacts of policies. Organizations want a collaborative policy authoring environment where multiple people can be working on the same policy at the same time. I can be writing the new conduct policy here in the USA, and someone else can be making edits, contributions, and comments in Singapore, and someone else can in London . . . all at the same time. What no longer works for organizations is document check-in and check-out where new or updated policies take 6 months to write and get approvals. In a time of continuous business, risk, and regulatory change, this needs to be brought down to a few weeks to keep the organization agile, in control, and out of the hot water of regulatory and legal actions. One business case I was recently advising on found that one recent policy went through 70 different reviewers, subject matter experts, and approvers. This took months and months to complete in a linear document check-in and check-out approach. Their business case is to collapse this to weeks with a collaborative approach where everyone can access, comment on, and edit the policy simultaneously.
  2. Accountability. Policy management needs accountability. There needs to be a complete system of record and audit trail on who did what and when to a policy. Not at the document level, but down to the section, paragraph, clause, or even word level. Full traceability of who authored, who edited, and what was modified. This is supported by workflow and tasks at that same section or clause level, not just the document level. Perhaps I am the primary policy author of the new anti-money laundering policy. But I want to assign a task and action item to someone in Australia to review specific wording and a paragraph to ensure it meets local regulatory requirements there. I need to assign that task not just to the document, but to the exact portion of the policy I need them to look at and approve. There needs to be full accountability and traceability of policy authoring, edits, comments, and actions.

Collaboration and accountability in policy management go hand in hand. Theirs is a symbiotic relationship in which each supports the other. Greater collaboration requires greater accountability.

This is causing a lot of change in the policy management technology world. Many older legacy solutions allow you only to attach policy documents. Some allow for a policy authoring environment but limit you to a linear approach with document check-in and check-out that takes months to write or update a policy. Newer solutions enable collaborative accountability authoring environments that bring policy development from several months to less than a month. Collaborative accountability delivers greater efficiency (e.g., time), effectiveness, and agility to policy management.

However, the handful of solutions that are offering collaborative accountability are not all created equal. Some do this natively with the most robust features and value. Others are parading an integration with other platforms such as Office365 or GoogleDocs that limit the collaborative accountability benefits, particularly as they are not purpose-built for policy management.

Some important things to consider are:

  • Policy specific workflows and tasks. You want a solution that automates notifications that engage stakeholders to perform required tasks, actions, reviews, edits, comments, contributions, and approvals at the actual section, paragraph, or clause level, pointing them to where they need to focus in the document, with audit trails down to that level.
  • Full audit and versioning. You want to see all collaboration across the entire history of versions of the same document down to that section and clause level. Some jury-rigged solutions that integrate with Office365 do not give you full visibility into the audit trail unless you download a local copy to your locally installed software, causing issues.
  • Gap analysis. You want to ensure that the entire organization has a full view of policies and evidence of policies for compliance to provide assurances that policies are sufficient, non-contradicting, and integrate and are mapped to processes.
  • Mapping. Part of this requires that the organization can map documents and even sections/clauses of policies to other policies as well as to regulations. When one changes, it can trigger changes and review in related items.
  • Master language. You also should look for the capability to define master language elements. So if I have a clause in a policy, and I edit it, it can be reflected in other documents that reference or use that same language. Consider a Code of Conduct. You may have a statement on discrimination/racism that appears in the Code of Conduct, and if you change it you want that language changed in any associated policies that use that same language such as the discrimination policy itself, as well as procedures, manuals, and such.
  • Security. Another important consideration is the security of your environment. One global firm that I helped with their RFP left a solution leveraging Office365/Sharepoint as they found security bugs that exposed their data and users in the integration with the policy management software leveraging it.

These are some considerations among many features and requirements I am advising on in enterprise policy management RFPs. I will be talking in detail on these and other elements of policy and compliance management in these upcoming webinars:

  • Industry experts come together online for a 30mins discussion on the future of compliance. Between March and April 2020, businesses had 3,000 regulatory updates to deal with. But the compliance workload was huge even before the Covid-19 pandemic. In 2019, businesses received 200 regulatory updates a day, compared to just 10 a day in 2004. […]
  • Compliance and ethics programs are rapidly evolving. Organizations are required to have a structured and functional compliance and ethics program that monitors compliance continuously in the context of operations, transactions, and people. A program that is no longer bound by manual processes and point in time evaluations, but one that is built on a common strategy, […]

GRC 4.0 – Agile GRC in a Dynamic & Disrupted Organization

Governance, risk management, and compliance (GRC) is the capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE]. The components of GRC provide the three legs of the stool that offer support and stability to the business and its operations. Take one leg away and the stool is no longer stable. It takes all three elements of governance, risk management, and compliance working together to provide stability and balance for the organization.

Every organization is doing GRC, no matter what they call it. The question is, how mature is the organization’s GRC capability? Is it a reactive and disconnected process with departments going in many directions with much redundancy? Or is it mature, integrated and coordinated across the organization that aims to deliver on agility, efficiency and effectiveness of GRC-related processes in the context of organizational strategy, performance and objectives?

Organizations need a mature GRC capability that is supported by strong information and technology architecture that provides an integrated view of objectives, risks, compliance, controls, events and more. However, what confuses organizations is that they think GRC is about technology. That is putting the cart before the horse. GRC is about a capability delivered through a coordinated strategy and processes across the organization. Technology enables these processes to work together and function, but it does not define them. Too many organizations think GRC is something they purchase. GRC is not something you buy; it is something you do: GRC is the actions and activities of governance, risk management, and compliance.

There is technology for GRC and we often call this integrated or enterprise GRC platforms. However, these solutions are not GRC in themselves. Nor is there any single technology solution that does everything GRC. There can and should be a central core GRC platform that connects the fabric of governance, risk management and compliance processes, information and other technologies together across the organization. This architecture is the hub of GRC management and requires that it be able to integrate and connect with a variety of different systems and enterprise applications to deliver on GRC.

In my previous article, From GRC 1.0 to GRC 5.0: A History of Technology for GRC, I outlined the history of technology for GRC: from GRC 1.0 to the present, GRC 4.0 – Agile GRC, and on to the future, GRC 5.0 – Cognitive GRC. Today we focus on the present: what is GRC 4.0 – Agile GRC?

First, note that Agile GRC is not just about an enterprise/integrated GRC platform. Agile GRC is about the broader GRC architecture and encompasses many focused and deep solutions that do things like policy management, third party risk management, audit management, regulatory change management, and more. There are 20 segments to the GRC technology market that I have defined (which are at the bottom of this article). It is critical to understand that Agile GRC applies to the breadth of these segments and not just to a centralized all-encompassing platform that promises to do everything and may do some things well, but often does other things only mediocrely or not at all. This builds on where we came from in GRC 3.0, which was about GRC architecture and the expansion of GRC beyond one platform to the integration of capabilities across best of breed systems when and where it makes sense.

The core concept of GRC 4.0 – Agile GRC technologies – is the capability to engage the entire organization on GRC and do so at a much lower cost of ownership of technology than we had in the past. Agile GRC is about the front office of the organization as much as it is about the back office GRC functions in the business. Frontline employees are making risk, compliance, and control decisions that impact organization strategy, objectives, and performance every day. Agile GRC is focused on bringing technology and engagement on GRC to the front office as well as the back office.

However, Agile GRC is also about new technology that has a much lower cost of ownership. Just because other analysts label someone as a ‘Leader’ in the upper right of their quadrants does not mean that the solution is delivering value and is a modern solution. There are many solutions in the market that are struggling with underlying data architectures as well as user experiences that are approaching two decades old. This is not agile GRC software. Some put a fresh coat of paint on the user experience but have an underlying application and data architecture that is rotting with bloated code and complexity. This is not agile GRC software. It is critical to look deep under the hood and see what the solution is delivering and how it has evolved.

If the solution provider is not investing in updating the data/information architecture, the application architecture, and the user experience – run away no matter what other analysts say. You do not need to be purchasing GRC software that is 20 years old under the hood (which is over 100 years old in human terms). It is like expecting senior citizens to be competitive against twenty-year-old athletes. Buying old software that is not agile does not do the organization any good. Technology has changed. Established GRC solutions may still be very relevant, but it is critical to understand how they have evolved their underlying data and application architectures over the years. If the core code under the hood is 10 or more years old, you are dealing with a behemoth of age, complexity, bloat, and rot. I would argue that you should be concerned if the core code is over 5 years old. It is critical to understand how the solution has updated its application and data architecture over time.

This also leads to cost of ownership. Old GRC technology is expensive to implement, build out, and maintain. One global financial services firm told me they are tired of having to keep an army of ‘certified’ experts on staff at over $100,000/year each, and that any simple change takes months to get done. A LinkedIn post from last year described a legacy GRC implementation in the lyrics of the song Hotel California: they are stuck and cannot get out. After having spent $500,000 on software license and $2 million on implementation and build-out, three years later they are getting some basic functionality working. I have done an analysis of the RFPs I have worked on over the past three years. For every dollar you spend on software license for legacy GRC solutions that have not updated their data/information architectures, you are spending between $3 and $5 on implementation and buildout. For Agile GRC software, for every dollar you spend on software license you are spending between 50¢ and $1.50 on implementation and buildout. Organizations need to look at the total cost of ownership, from software license to implementation to ongoing maintenance/management costs, in making their decision for GRC software. Ironically, those that major analyst firms tend to rank as Leaders are the bloated, dated software that is the most expensive to own and maintain. Not all of the ‘Leaders’ have kept their applications up to date and relevant.

Key factors of what defines an Agile GRC solution are:

  • Usable. The solution has a modern user experience. It does not look and feel like a solution that is 10 years old. It has a modern flat user experience design. It is contextually relevant to the role the user logs in with, so they see the information most pertinent to them without having to dig through the solution. It has user-configurable dashboards and reports so the user can arrange the portal/experience to their needs, in a way that is easy for the user to do. It is also user-friendly for the front office of the organization as well as the back office of GRC functions.
  • Cost of ownership. The solution must have a low cost of ownership, from software licensing in relation to implementation and ongoing management. The solution should provide a compelling business case of value from efficiency (e.g., time saved, money saved), effectiveness (e.g., accuracy, thoroughness, more getting done, fewer things slipping), and agility (e.g., agile in a changing business, regulatory, and risk environment and responsive in identifying and containing issues).
  • Configurable. The solution should not require custom coding where things break on upgrades. The solution should be highly configurable, even to the point of the ‘citizen developer’ where the average user in the business can understand how to configure, extend, and build out the system (Note: citizen development is great but comes with risks if the underlying data and process architecture are not thought out, so it also needs to be controlled). Things like visual workflow builders, process diagramming, and very visual forms and field buildout and placement are all part of this. But the key thing is: if customization and coding are needed – CAUTION.
  • Scalable. The solution must be able to grow and adapt to the organization. The solution should streamline expansion to other departments and areas, be able to grow with the business, handle the breadth of data today but also in five years as the solution is expanded upon.
  • Adaptable. The solution combines the features of configurability and scalability to become adaptable to the business. It is easy to configure and extend the solution, and when there are mergers and acquisitions or business restructuring, this is easily mirrored in the GRC solution.
  • Integration. The solution must be able to integrate with other solutions. No solution does everything GRC, and GRC solutions also need to integrate with other business systems. The integration interfaces (e.g., APIs) should be easy to use and understand, and provide data integrity with the integration.
  • Analytics. The solution has a robust reporting, analytics, and dashboarding mechanism. Analytics are easy to configure, and reports, scenarios, and comparisons can be built out by the end user.
  • Artificial intelligence/robotic process automation. The solution should be ready to evolve and move toward GRC 5.0 which is Cognitive GRC. This requires that the solution is starting to evaluate, leverage, and use artificial intelligence and robotic process automation capabilities to prepare for the future of GRC in the next couple of years. A solution that does not have an A.I. and robotic strategy is a caution.
  • Future proof. The solution should be easy to keep updated to the latest version. This particularly looks, again, at customization. If the solution requires so much customization and coding where things break on upgrades or upgrades are not even possible – run from it.

I am curious, what other factors are important to you, the reader, for Agile GRC?

As we move to GRC 5.0 – Cognitive GRC, organizations need to ensure that their GRC 4.0 solutions have a strategy to embrace artificial intelligence and robotic process automation. Early adopters are starting to use these features today, but we are two years from these capabilities being broadly used for GRC. Cognitive GRC is where the solution

  • Learns from experience
  • Uses what is learned to draw conclusions
  • Identifies images and patterns
  • Solves difficult problems
  • Understands different languages
  • Creates new perspectives

When I look at the GRC market, I break it out into the following categories of solutions that I monitor and differentiate. Any solution in the market might operate in just one of these areas, or across several, but no one does it all. The range of solutions that GRC 20/20 monitors, differentiates, and follows in our market research spans:

  • Integrated GRC Platforms. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture. These are the hubs that bring multiple areas below together into one overall view of integrated GRC reporting across the enterprise.
  • Anti-Money Laundering/KYC, Fraud & Corruption. Capability to manage AML, KYC, bribery, corruption, and fraud in the organization.
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/fieldwork findings, reporting, and analytics.
  • Automated Continuous Control Management/Enforcement. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and implement these plans during expected and unexpected disruptions to all areas of operation.
  • Compliance & Ethics Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report. 
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Finance GRC Management. Capability to manage the financial risks, controls, and reporting of the organization.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • HR GRC Management. Capability to govern and manage risk and compliance in employee relationships, training, activities, and issues/incidents.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization. 
  • IT GRC Management. Capability to govern IT in the context of business objectives and manage IT processes, technology, and information risk and compliance.
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Reputation & Responsibility Management. Capability to manage the sustainability, ESG, and corporate social responsibility program of the organization.
  • Risk Management & Analytics. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects. 
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party GRC Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.

While these are categories/buckets of capabilities that GRC 20/20 maps solutions in the market into, the reality is that one solution can go across many of these areas, or be confined to just one area. But no one does everything, which is why it is about GRC information and technology architecture.

GRC 20/20 is here to answer your questions on strategy, solutions, and technology for GRC. We are a research organization so it is our job to objectively understand and differentiate solutions in the market and the problems they solve. 

Feel free to ask an inquiry.

The Intersection of GRC and Policy Management

Policies matter, and policy management matters. Period.

Policies are critical governance documents for every organization. They set guardrails and parameters of acceptable and unacceptable behavior for individuals, processes, and transactions. When they are managed and enforced properly, policies guide and define corporate culture.

So, why do organizations approach and manage policies so carelessly?

Policies set a duty of care for the organization, and the wrong or mismanaged policy could expose the entire operation to liability and risk. But, I find that most organizations do not even know what policies they have in place. 

Why policies are critical to GRC

Since policies are critical governance documents of the organization, they require structured management and monitoring. They simply cannot be approached haphazardly, as many organizations do.

Changes to risks and regulations, as well as constant modifications to internal business environments, can quickly make policies out of date, misaligned, and irrelevant to the organization.

As defined by OCEG, GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Dissecting this definition hints at the importance of policies in the context of GRC:

  • Policies enable . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Workiva site, follow the link below to read more]

The 3 Lifecycle Stages of Vendor Security Risk Management: Offboarding

How do you say goodbye to a third party?

This is the third of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the offboarding process.

This is the third in a three-part guest blog series looking at risk management throughout the lifecycle of a third party relationship. Previously we looked at the onboarding process, then we explored ongoing security monitoring throughout the relationship [link to posted article], now we look at offboarding and terminating a relationship.

Goodbyes are difficult. Humans tend to avoid goodbyes. If it was a beautiful close relationship, or one that ends in frustration, anger, and tears . . . most do what they can to avoid goodbyes because they are difficult. Ironically, this is true of organizations as well.

The most neglected part of the lifecycle of a third party relationship is the goodbye: the termination of the relationship. It doesn’t matter if the relationship was very productive and served, or even exceeded, its purpose, or if the relationship soured and failed. In either scenario, organizations neglect proper offboarding and closure procedures for a relationship.

This is a critical concern in the context of information security. I have encountered organizations where network connections, VPN access, and access to systems remain active long after the relationship was over. Even if there was no network access, or if that access was terminated, there may still be data and property of the organization that the third party holds internally on file servers, in physical form, or in archives where it can live on.

Terminating a relationship is not to be approached haphazardly at the end of a relationship but should be carefully defined in contracts and controls during the onboarding of the relationship. As relationships change over time, such as by expanding services, it is also necessary to update the scope, controls, and responsibilities for termination throughout the relationship. The last thing an organization wants at offboarding is to look for termination provisions and notice they’re missing.

In terminating a relationship, it is critical that an organization follow these steps . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]

The 3 Lifecycle Stages of Vendor Security Risk Management: Ongoing Monitoring

This is the second of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the ongoing monitoring process.

Too often organizations conduct security due diligence when onboarding a third party (e.g., vendor, supplier, outsourcer, service provider, consultant) and fail to monitor security throughout the lifecycle of the relationship. Ongoing security monitoring throughout a relationship is critical to protect the organization.

Organizations are dynamic; they are in a constant state of change. Regulations are changing, risk is changing, and internal business processes, employees, and technology are changing. As much as an organization’s business has changed, it is important to remember that each and every third party it does business with has changed too.

A third party might have been the right third party to contract with two years back, but are they still the right third party? Are they current with security controls and processes? A third party, over the course of time, has evolving oversight, processes, employees, and technology. What might have been a secure relationship a year ago, or several years ago, may not be a secure relationship today. 

This is further complicated by the fact that security impacts a wider range of third parties than it has in the past. It used to be that it was predominantly IT vendors that were an information security risk. Today, in the interconnected digital economy, any third party providing service to any part of the business may be connected to the organization’s network and have access to information. The Internet of Things further complicates this, as the microwave in the break room now poses a security threat when in the past it did not.

Five Necessities of Security Monitoring

Organizations need to have established processes in place to monitor security throughout the lifecycle of a relationship. This includes . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]

Compliance Disclosure Solutions: Separating the Simple from the Advanced

GRC 20/20 is seeing a growing demand for compliance management technologies from the Corporate Compliance and Ethics department (e.g., Chief Ethics and Compliance Officer, Chief Compliance Officer). This demand spans from a broad compliance management platform to manage the range of compliance tasks and activities, to focused solutions in areas such as policy management, third party GRC (e.g., vendor/supplier), issue reporting and case management, and the area of compliance disclosures management.

Inquiries on Compliance Disclosure Management solutions are increasing as organizations look to get a handle on areas such as Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas of compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is the focus. Some are purpose-built for a specific disclosure area such as Conflicts of Interest, and are not meant to be a platform to address a range of compliance disclosure areas. Others are broad disclosure platforms that are highly agile, where the organization can adapt fields and customize forms, workflow, tasks, and reporting to meet a range of compliance disclosure areas. Still others operate as a module in a broader compliance management platform (or GRC platform) where disclosures can be managed and cross-referenced to policies, regulations, risks, assessments, and cases.

GRC 20/20 separates Compliance Disclosure Management solutions in the market into basic and competitive solutions, but then also distinguishes advanced capabilities that separate competitive solutions in the market.

  • Basic compliance disclosure management solutions. These are solutions, and there are many of them, that address the basic forms, workflow, and task management of compliance disclosures management with some basic reporting capabilities. They can present a disclosure form, capture attestations, and route the form through a workflow for review and approval/denial. Most often, but not always, they focus on a single compliance disclosure area such as Conflicts of Interest.
  • Competitive compliance disclosure solutions. These are the solutions that most often come up in RFPs regularly and have stronger capabilities to manage a breadth of compliance disclosures in the organization. They have more advanced reporting capabilities and provide a stronger portal for the configuration and customization of disclosures. Some key capabilities of competitive solutions are:
    • The ability to manage a breadth of disclosure types
    • Configurable and adaptable to the organization’s specific needs down to the field and value level
    • Strong graphical workflow builder and task management that allows for parallel as well as linear workflows
    • The breadth of templates for forms and reports on disclosures
    • Strong dashboard and reporting engine with pre-built reports as well as the ability to do custom reports
    • The ability to present the relevant policy, gather attestation to the policy and provide the training with the disclosure
    • Provide for regularly scheduled/periodic disclosure campaigns as well as the ad hoc/triggered disclosures when they arise
    • Ability to manage and document disclosures that are exceptions/exemptions to the defined policy and regularly track and monitor them
    • Provide a robust and legally defensible audit trail/system of record of disclosure related activities
    • Allow for attachments, such as documents/evidence, to disclosures

However, what really separates Compliance Disclosure Management solutions in the market are the advanced capabilities. These include:

  • Disclosure forms and workflow that are highly configurable by the average business user (e.g., citizen developer) without extensive IT knowledge
  • Advanced workflow based on disclosure type and role (e.g., hierarchical workflows)
  • Integration with other business systems, such as HR management systems, to populate information and provide information consistency between systems, or to integrate with ERP systems to pull up transaction history for disclosures related to gifts and entertainment to a particular entity in the past
  • Advanced reporting capabilities, including regulatory reporting in which reports are automatically generated in the format specific regulators are looking for (e.g., securities industry reporting for COI)
  • The ability to define and manage disclosure campaigns to broad and specific employee audiences
  • Integration with policy and training so the disclosure form also includes the written policy as well as training on the policy
  • The ability to provide anonymous reporting on issues related to compliance disclosure
  • Risk management capabilities to measure risk and track key risk indicators (KRIs) related to disclosures
  • Mobile interface/application where disclosures can be reported on smartphones and tablets
  • Collaborative engagement that allows disclosure reviewers and disclosers to communicate and interact back and forth to ask questions and provide more information
  • The ability to provide confidential notes that are encrypted and protected by the disclosure reviewer(s)
  • Provide for follow-up tasks and action items that may be scheduled out in advance to follow up on disclosures that were approved but need closer monitoring or other activities

These are some of the advanced capabilities that I am encountering regularly. If you are looking for or evaluating Compliance Disclosure Management solutions, feel free to ask an inquiry of GRC 20/20 . . .

Here are some compliance disclosure and policy management resources and events you should be aware of:
Policy Management by Design Workshops

Published/Recorded GRC 20/20 Research