
GRC 4.0 – Agile GRC in a Dynamic & Disrupted Organization

Governance, risk management, and compliance (GRC) is the capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE]. The components of GRC are the three legs of the stool that offer support and stability to the business and its operations. Take one leg away and the stool is no longer stable. It takes all three elements of governance, risk management and compliance working together to provide stability and balance for the organization.

Every organization is doing GRC, no matter what they call it. The question is, how mature is the organization’s GRC capability? Is it a reactive and disconnected process, with departments going in many directions and much redundancy? Or is it a mature, integrated and coordinated capability across the organization, one that aims to deliver agility, efficiency and effectiveness in GRC-related processes in the context of organizational strategy, performance and objectives?

Organizations need a mature GRC capability that is supported by strong information and technology architecture that provides an integrated view of objectives, risks, compliance, controls, events and more. However, what confuses organizations is that they think GRC is about technology. That is putting the cart before the horse. GRC is about a capability delivered through a coordinated strategy and processes across the organization. Technology enables these processes to work together and function, but it does not define them. Too many organizations think GRC is something they purchase. GRC is not something you buy; it is something you do: GRC is the actions and activities of governance, risk management, and compliance.

There is technology for GRC, and we often call these solutions integrated or enterprise GRC platforms. However, these solutions are not GRC in themselves. Nor is there any single technology solution that does everything in GRC. There can and should be a central core GRC platform that connects the fabric of governance, risk management and compliance processes, information and other technologies together across the organization. This architecture is the hub of GRC management, and it must be able to integrate and connect with a variety of different systems and enterprise applications to deliver on GRC.

In my previous article, From GRC 1.0 to GRC 5.0: A History of Technology for GRC, I outlined the history of technology for GRC, from GRC 1.0 through the present of GRC 4.0 – Agile GRC, to the future of GRC 5.0 – Cognitive GRC. Today we focus on the present: what is GRC 4.0 – Agile GRC?

First, note that Agile GRC is not just about an enterprise/integrated GRC platform. Agile GRC is about the broader GRC architecture and encompasses many focused and deep solutions that do things like policy management, third party risk management, audit management, regulatory change management, and more. There are 20 segments to the GRC technology market that I have defined (listed at the bottom of this article). It is critical to understand that Agile GRC applies to the breadth of these segments and not just to a centralized all-encompassing platform that promises to do everything, may do some things well, but often does other things only mediocrely or not at all. This builds on where we came from in GRC 3.0, which was about GRC architecture and the expansion of GRC beyond one platform to the integration of capabilities across best-of-breed systems when and where it makes sense.

The core concept of GRC 4.0 – Agile GRC technologies – is the capability to engage the entire organization on GRC and do so at a much lower cost of ownership of technology than we had in the past. Agile GRC is about the front office of the organization as much as it is about the back office GRC functions in the business. Frontline employees are making risk, compliance, and control decisions that impact organization strategy, objectives, and performance every day. Agile GRC is focused on bringing technology and engagement on GRC to the front office as well as the back office.

However, Agile GRC is also about new technology that has a much lower cost of ownership. Just because other analysts label someone as a ‘Leader’ in the upper right of their quadrants does not mean that the solution is delivering value or is a modern solution. There are many solutions in the market that are struggling with underlying data architectures and user experiences that are approaching two decades old. This is not agile GRC software. Some put a fresh coat of paint on the user experience but have an underlying application and data architecture that is rotting with bloated code and complexity. This is not agile GRC software. It is critical to look deep under the hood and see what the solution is delivering and how it has evolved.

If the solution provider is not investing in updating the data/information architecture, the application architecture, and the user experience – run away, no matter what other analysts say. You do not need to be purchasing GRC software that is 20 years old under the hood (which is over 100 years old in human terms). It is like expecting senior citizens to be competitive against twenty-year-old athletes. Buying old software that is not agile does the organization no good. Technology has changed. Established GRC solutions may still be very relevant, but it is critical to understand how they have evolved their underlying data and application architectures over the years. If the core code under the hood is 10 or more years old, you are dealing with a behemoth of age, complexity, bloat, and rot. I would argue that you should be concerned if the core code is over 5 years old. It is critical to understand how the solution has updated its application and data architecture over time.

This also leads to cost of ownership. Old GRC technology is expensive to implement, build out, and maintain. One global financial services firm told them they are tired of having to have an army of ‘certified’ experts on staff at over $100,000/year each, and any simple change takes months to get done. A LinkedIn post from last year described a legacy GRC implementation to the lyrics of the song Hotel California: they are stuck and cannot get out. After having spent $500,000 in software license and $2 million on implementation and build-out, three years later they are getting some basic functionality working. I have done an analysis of the RFPs I have worked on over the past three years. For every dollar you spend in software license for legacy GRC solutions that have not updated their data/information architectures, you are spending between $3 and $5 on implementation and buildout. For Agile GRC software, for every dollar you spend on software license you are spending between 50¢ and $1.50 in implementation and buildout. Organizations need to look at the total cost of ownership, from software license to implementation to ongoing maintenance/management costs, in making their decision for GRC software. Ironically, those that major analyst firms tend to rank as Leaders are the bloated, dated solutions that are the most expensive to own and maintain. Not all of the ‘Leaders’ have kept their applications up to date and relevant.

Key factors of what defines an Agile GRC solution are:

  • Usable. The solution has a modern user experience. It does not look and feel like a solution that is 10 years old. It has a modern flat user experience design. It is contextually relevant to the role the user logs in with, so the user sees the information most pertinent to them without having to dig through the solution. It has user-configurable dashboards and reports, so the user can easily arrange the portal/experience to their needs. It is also user-friendly for the front office of the organization as well as the back-office GRC functions.
  • Cost of ownership. The solution must have a low cost of ownership, from software licensing in relation to implementation through ongoing management. The solution should provide a compelling business case of value from efficiency (e.g., time saved, money saved), effectiveness (e.g., accuracy, thoroughness, more getting done, fewer things slipping), and agility (e.g., agile to a changing business, regulatory, and risk environment and responsive in identifying and containing issues).
  • Configurable. The solution should not require custom coding where things break on upgrades. The solution should be highly configurable, even to the point of the ‘citizen developer’ where the average user in the business can understand how to configure, extend, and build out the system (Note: citizen development is great but comes with risks if the underlying data and process architecture are not thought out, so it also needs to be controlled). Things like visual workflow builders, process diagramming, and very visual form and field buildout and placement are all part of this. But the key thing is: if customization and coding are needed – CAUTION.
  • Scalable. The solution must be able to grow and adapt to the organization. The solution should streamline expansion to other departments and areas, be able to grow with the business, and handle the breadth of data today as well as in five years as the solution is expanded upon.
  • Adaptable. The solution combines the features of configurability and scalability to become adaptable to the business, where it is easy to configure and extend the solution. When there are mergers and acquisitions or business restructuring, this is easily mirrored in the GRC solution.
  • Integration. The solution must be able to integrate with other solutions. No solution does everything in GRC, and GRC solutions also need to integrate with other business systems. The integration interfaces (e.g., APIs) should be easy to use and understand, and should preserve data integrity across the integration.
  • Analytics. The solution has a robust reporting, analytics, and dashboarding mechanism. Analytics are easy for the end user to configure, and reports, scenarios, and comparisons are easy to build out.
  • Artificial intelligence/robotic process automation. The solution should be ready to evolve and move toward GRC 5.0, which is Cognitive GRC. This requires that the solution is starting to evaluate, leverage, and use artificial intelligence and robotic process automation capabilities to prepare for the future of GRC in the next couple of years. A solution that does not have an A.I. and robotic strategy is a cause for caution.
  • Future proof. The solution should be easy to keep updated to the latest version. This particularly looks, again, at customization. If the solution requires so much customization and coding that things break on upgrades or upgrades are not even possible – run from it.

I am curious, what other data factors are important to you, the reader, for Agile GRC?

As we move to GRC 5.0 – Cognitive GRC, organizations need to ensure that their GRC 4.0 solutions have a strategy to embrace artificial intelligence and robotic process automation. Early adopters are starting to use these features today, but we are two years from these capabilities being broadly used for GRC. Cognitive GRC is where the solution:

  • Learns from experience
  • Uses what is learned to draw conclusions
  • Identifies images and patterns
  • Solves difficult problems
  • Understands different languages
  • Creates new perspectives

When I look at the GRC market, I break it out into the following categories of solutions that I monitor and differentiate. Any solution in the market might operate in just one of these areas, or across several, but no one does it all. The range of solutions that GRC 20/20 monitors, differentiates, and follows in our market research spans:

  • Integrated GRC Platforms. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture. These are the hubs that bring multiple areas below together into one overall view of integrated GRC reporting across the enterprise.
  • Anti-Money Laundering/KYC, Fraud & Corruption. Capability to manage AML, KYC, bribery, corruption, and fraud in the organization.
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/fieldwork findings, reporting, and analytics.
  • Automated Continuous Control Management/Enforcement. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and to implement these plans during expected and unexpected disruptions to all areas of operation.
  • Compliance & Ethics Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report. 
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Finance GRC Management. Capability to manage the financial risks, controls, and reporting of the organization.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • HR GRC Management. Capability to govern and manage risk and compliance in employee relationships, training, activities, and issues/incidents.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization. 
  • IT GRC Management. Capability to govern IT in the context of business objectives and manage IT processes, technology, and information risk and compliance.
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Reputation & Responsibility Management. Capability to manage the sustainability, ESG, and corporate social responsibility program of the organization.
  • Risk Management & Analytics. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects. 
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party GRC Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.

While these are the categories/buckets of capabilities that GRC 20/20 maps solutions in the market into, the reality is that one solution can go across many of these areas, or be confined to just one area. But no one does everything, which is why it is about GRC information and technology architecture.

GRC 20/20 is here to answer your questions on strategy, solutions, and technology for GRC. We are a research organization, so it is our job to objectively understand and differentiate solutions in the market and the problems they solve.

Feel free to ask an inquiry.


The Intersection of GRC and Policy Management

Policies matter, and policy management matters. Period.

Policies are critical governance documents for every organization. They set guardrails and parameters of acceptable and unacceptable behavior for individuals, processes, and transactions. When they are managed and enforced properly, policies guide and define corporate culture.

So, why do organizations approach and manage policies so carelessly?

Policies set a duty of care for the organization, and the wrong or mismanaged policy could expose the entire operation to liability and risk. But I find that most organizations do not even know what policies they have in place.

Why policies are critical to GRC

Since policies are critical governance documents of the organization, they require structured management and monitoring. They simply cannot be approached haphazardly, as many organizations do.

Changes to risks and regulations, as well as constant modifications to internal business environments, can quickly make policies out of date, misaligned, and irrelevant to the organization.

As defined by OCEG, GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Dissecting this definition hints at the importance of policies in the context of GRC:

  • Policies enable . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Workiva site, follow the link below to read more]


The 3 Lifecycle Stages of Vendor Security Risk Management: Offboarding

How do you say goodbye to a third party?

This is the third of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the offboarding process.

This is the third in a three-part guest blog series looking at risk management throughout the lifecycle of a third party relationship. Previously we looked at the onboarding process, then we explored ongoing security monitoring throughout the relationship [link to posted article]; now we look at offboarding and terminating a relationship.

Goodbyes are difficult. Humans tend to avoid goodbyes. Whether it was a beautiful close relationship, or one that ends in frustration, anger, and tears . . . most do what they can to avoid goodbyes because they are difficult. Ironically, this is true of organizations as well.

The most neglected part of the lifecycle of a third party relationship is the goodbye: the termination of the relationship. It doesn’t matter if the relationship was very productive and served, or even exceeded, its purpose, or if the relationship soured and failed. In either scenario, organizations neglect proper offboarding and closure procedures for a relationship.

This is a critical concern in the context of information security. I have encountered, in organizations, network connections, VPN access, and access to systems that remain active long after the relationship was over. Even if there was no network access, or if that access was terminated, there may still be data and property of the organization that the third party holds internally on file servers or physically, and that can live on in archives.

Terminating a relationship is not to be approached haphazardly at the end of a relationship but should be carefully defined in contracts and controls during the onboarding of the relationship. As relationships change over time, such as by expanding services, it is also necessary to update the scope, controls and responsibilities for termination throughout the relationship. The last thing an organization wants at offboarding is to look for termination provisions and notice they’re missing.

In terminating a relationship, it is critical that an organization follow these steps . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]


The 3 Lifecycle Stages of Vendor Security Risk Management: Ongoing Monitoring

This is the second of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the ongoing monitoring process.

Too often organizations conduct security due diligence when onboarding a third party (e.g., vendor, supplier, outsourcer, service provider, consultant) and fail to monitor security throughout the lifecycle of the relationship. Ongoing security monitoring throughout a relationship is critical to protect the organization.

Organizations are dynamic; they are in a constant state of change. Regulations are changing, risk is changing, and internal business processes, employees, and technology are changing. As much as an organization’s business has changed, it is important to remember that each and every third party they do business with has changed as well.

A third party might have been the right third party to contract with two years back, but are they still the right third party? Are they current with security controls and processes? A third party, over the course of time, has evolving oversight, processes, employees, and technology. What might have been a secure relationship a year ago, or several years ago, may not be a secure relationship today.

This is further complicated by the fact that security impacts a wider range of third parties than it has in the past. It used to be that predominantly IT vendors were an information security risk. Today, in the interconnected digital economy, any third party providing service to any part of the business may be connected to the organization’s network and have access to information. The Internet of Things further complicates this, as the microwave in the break room now poses a security threat when in the past it did not.

Five Necessities of Security Monitoring

Organizations need to have established processes in place to monitor security throughout the lifecycle of a relationship. This includes . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]


Compliance Disclosure Solutions: Separating the Simple from the Advanced

GRC 20/20 is seeing a growing demand for compliance management technologies from the Corporate Compliance and Ethics department (e.g., Chief Ethics and Compliance Officer, Chief Compliance Officer). This demand spans from a broad compliance management platform to manage the range of compliance tasks and activities, to focused solutions in areas such as policy management, third party GRC (e.g., vendor/supplier), issue reporting and case management, and the area of compliance disclosures management.

Inquiries on Compliance Disclosure Management solutions are increasing as organizations look to get a handle on areas such as Conflicts of Interest; Gifts, Entertainment and Hospitality; Political Contributions; and other areas of compliance disclosure.

While there are several dozen solutions available in the market that do Compliance Disclosure Management, they are not all created equal. One differentiator is the focus. Some are purpose-built for a specific disclosure area such as Conflicts of Interest, and are not meant to be a platform that addresses a range of compliance disclosure areas. Others are broad disclosure platforms that are highly agile, where the organization can adapt fields and customize forms, workflow, tasks, and reporting to meet a range of compliance disclosure areas. Still others operate as a module within a broader compliance management platform (or GRC platform), where disclosures can be managed and cross-referenced to policies, regulations, risks, assessments, and cases.

GRC 20/20 separates Compliance Disclosure Management solutions in the market into basic and competitive solutions, but then also distinguishes advanced capabilities that separate competitive solutions in the market.

  • Basic compliance disclosure management solutions. These are solutions, and there are many of them, that address the basic forms, workflow, and task management of compliance disclosure management with some basic reporting capabilities. They can present a disclosure form, capture attestations, and route the form through a workflow for review and approval/denial. Most often, but not always, they focus on a single compliance disclosure area such as Conflicts of Interest.
  • Competitive compliance disclosure solutions. These are the solutions that most often come up in RFPs and have stronger capabilities to manage a breadth of compliance disclosures in the organization. They have more advanced reporting capabilities and provide a stronger portal for the configuration and customization of disclosures. Some key capabilities of competitive solutions are:
    • The ability to manage a breadth of disclosure types
    • Configurable and adaptable to an organization’s specific needs down to the field and value level
    • Strong graphical workflow builder and task management that allows for parallel as well as linear workflows
    • The breadth of templates for forms and reports on disclosures
    • Strong dashboard and reporting engine with pre-built reports as well as the ability to do custom reports
    • The ability to present the relevant policy, gather attestation to the policy and provide the training with the disclosure
    • Provide for regularly scheduled/periodic disclosure campaigns as well as the ad hoc/triggered disclosures when they arise
    • Ability to manage and document disclosures that are exceptions/exemptions to the defined policy and regularly track and monitor them
    • Provide a robust and legally defensible audit trail/system of record of disclosure related activities
    • Allow for attachments, such as documents/evidence, to disclosures

However, what really separates Compliance Disclosure Management solutions in the market are the advanced capabilities. These include:

  • Disclosure forms and workflow that are highly configurable by the average business user (e.g., citizen developer) without extensive IT knowledge
  • Advanced workflow based on disclosure type and role (e.g., hierarchical workflows)
  • Integration with other business systems, such as HR management systems, to populate information and provide information consistency between systems, or to integrate with ERP systems to pull up transaction history for disclosures related to gifts and entertainment to a particular entity in the past
  • Advanced reporting capabilities, including regulatory reporting in which reports are automatically generated in the format specific regulators are looking for (e.g., securities industry reporting for COI)
  • The ability to define and manage disclosure campaigns to broad and specific employee audiences
  • Integration with policy and training so the disclosure form also includes the written policy as well as training on the policy
  • The ability to provide anonymous reporting on issues related to compliance disclosure
  • Risk management capabilities to measure risk and track key risk indicators (KRIs) related to disclosures
  • Mobile interface/application where disclosures can be reported on smartphones and tablets
  • Collaborative engagement that allows disclosure reviewers and disclosers to communicate and interact back and forth to ask questions and provide more information
  • The ability to provide confidential notes that are encrypted and protected for the disclosure reviewer(s)
  • Provision for follow-up tasks and action items that may be scheduled out in advance to follow up on disclosures that were approved but need closer monitoring or other activities

These are some of the advanced capabilities that I am encountering regularly. If you are looking for or evaluating Compliance Disclosure Management solutions, feel free to ask an inquiry of GRC 20/20 . . .



Understanding Third Party GRC Maturity: Ad Hoc Stage

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

1. Ad Hoc
2. Fragmented
3. Defined
4. Integrated
5. Agile

Today we look at Stage 1, the Ad Hoc level of Third Party GRC.

Organizations at the Ad Hoc stage of maturity have . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]


Step 1: Develop a 3rd Party GRC Strategic Plan

I grew up in the Northwest corner of Montana, a beautiful but wild country. From my earliest years I loved the outdoors. In fact, long before any aspirations to build a career in Governance, Risk Management & Compliance (GRC), I wanted to be a backcountry ranger in Glacier National Park. To spend time in the outdoors requires planning and a respect for the outdoors. To go trekking requires a plan of where you are going so you know who and what to bring with you on that journey. This planning is exactly what organizations need in the context of 3rd party governance/management.

The greatest challenge facing organizations in the context of GRC is the governance, risk management, and compliance of the range of 3rd party relationships. We have reorganized, outsourced, and distributed business around the world. Today’s modern organization is not a traditional brick and mortar business. Organizations are now defined by a complex, intricate, interconnected, and nested web of relationships and transactions. Traditional employees no longer define who works for an organization, as over half of our insiders are now outsourcers, service providers, contractors, consultants, temporary workers, suppliers, vendors, brokers, agents, dealers, intermediaries, customers, partners, and even competitors who collaborate and work with us. Their issues, challenges, and problems are your organization’s issues, challenges, and problems. These relationships bring significant value but also significant risk as well as compliance and integrity concerns.

This is compounded by the growing array of risks and regulations that impact the organization and its extended relationships, such as:

  • Anti-bribery and corruption (US FCPA, UK Bribery Act, Sapin II, OECD)
  • Business/supplier continuity
  • Data privacy & protection (EU GDPR, California CCPA, information security)
  • Ethics & Values (vendor/supplier code of conduct)
  • Geopolitical risk
  • Human rights (US Conflict Minerals, EU Conflict Minerals, UK Modern Slavery Act, international labor standards)
  • Import/export compliance
  • Quality (ISO 9000)
  • Environmental, Health & Safety (REACH, RoHS)
  • And more . . .

GRC 20/20 defines 3rd Party GRC (or 3rd party management, or what some more narrowly call vendor risk, supplier risk, etc.) as:

“the capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE] in and across and down throughout an organization’s third party relationships: the extended enterprise.”

Adapted from the OCEG GRC Definition

The challenge and danger many organizations face in the journey to manage these relationships is a haphazard approach in which there is no careful and strategic plan. The organization, in its various departments, randomly addresses aspects of 3rd party GRC without thinking about the big picture. The result is a lot of redundancy, gaps, inefficiency, lack of agility and effectiveness, and things slipping through the cracks. IT security has its approach, procurement is doing its own thing, legal/compliance/ethics are doing something else, and other groups such as quality, environmental, health and safety all have their own approaches. Some are using documents, spreadsheets, and emails to govern third parties, others are using siloed commercial tools, and some are only putting out fires when a problem arises. No one sees the big picture and there is no coordinated effort to govern these relationships strategically to ensure that the value they deliver outweighs the risk and exposure they bring.

GRC 20/20 has identified three approaches organizations take to manage 3rd party relationships:

  • Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed 3rd party initiatives never see the big picture and fail to put 3rd party management in the context of business strategy, objectives, and performance. The organization is not thinking big picture about how 3rd party GRC processes can be designed to meet a range of needs. An ad hoc approach to 3rd party GRC results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility to be intelligent about 3rd party risk and performance. The organization fails to see the web of risk interconnectedness and its impact on 3rd party performance and strategy, leading to greater exposure than any silo understood by itself.
  • Monarchy – one size fits all. If the anarchy approach does not work then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has issues as well. Organizations run the risk of having one department be in charge of 3rd party GRC that does not fully understand the breadth and scope of third party risks and needs. The needs of one area may shadow the needs of others. From a technology point of view, it may force many parts of the organization into managing 3rd party relationships with the lowest common denominator and watering down 3rd party management. Further, there is no one-stop shop for everything 3rd party GRC, as there are a variety of pieces to 3rd party management that need to work together.
  • Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative 3rd party governance and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture that the various groups in 3rd party GRC participate in. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships, as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in 3rd party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

The modern organization has to have a strategic plan to govern 3rd party relationships to ensure they reliably achieve the objectives they were established for while managing uncertainty and risk and acting with the integrity and values that are expected of them. This requires a cross-department strategic plan, coordination, and collaboration on 3rd Party GRC. Designing a federated third party management program starts with defining the third party strategy. The strategy connects key business functions with a common third party governance framework and policy. The strategic plan is the foundation that enables third party transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

The core elements of the third party strategic plan include:

  • Third party governance team. The first piece of the strategic plan is building the cross-organization 3rd party governance team (e.g., committee, group). This team needs to work with 3rd party relationship owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in 3rd party GRC and get them collaborating and working together on a regular basis. Roles often involved on the third party governance team are: procurement, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the third party governance team.
  • Third party GRC charter. With the initial collaboration and interaction of the 3rd party GRC team in place, the next step in the strategic plan is to formalize this with a 3rd party GRC charter. The charter defines the key elements of the 3rd party management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of 3rd party GRC and the members of the 3rd party governance team, and define the overall goals, objectives, resources, and expectations of enterprise 3rd party GRC. The key goal of the charter is to establish alignment of 3rd party GRC to business objectives, performance, and strategy. The charter should also detail board oversight responsibilities and reporting on third-party management.
  • Third party governance policy. The next critical item to establish in the 3rd party GRC strategic plan is the writing and approval of the 3rd party GRC policy (and supporting policies and procedures). This sets the initial 3rd party governance structure in place by defining categories of 3rd parties, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all 3rd party relationships be maintained with appropriate categorizations, approvals, and identification of risks.



Maintaining Internal Controls in Dynamic and Distributed Business

Organizations operate in a field of risk landmines. The daily headlines reveal companies that fail in risk, compliance, and internal controls. Business today is complex in its operations and corresponding internal control obligations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, and operational), impacting how business is conducted.

The dynamic and global nature of business is particularly challenging to an internal control program. As organizations expand operations, their risk profile grows exponentially. To stay competitive, organizations need systems to monitor internal and external risk in context of a changing business environment. What may seem insignificant in one area can have profound impact on others.

Risk and control is like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing requirements and fluctuating risk exposure, yet fail to actively manage and understand the interrelationship of internal control data in the context of business and business change. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing internal controls as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined internal control practices that are monitored and adapted to the demands of a changing business and regulatory environment.

Today’s business entity must ensure internal controls are understood and managed company-wide; that internal controls are more than a list in a spreadsheet, but are part of the fabric of business operations and processes. A strong culture of control ensures transparency, accountability, and responsibility as part of its ethical environment. A strong internal control program requires a risk-based approach that can efficiently prioritize resources to risks that pose the greatest exposure to the organization’s integrity.

Traditional processes of managing internal control programs (e.g., shared drives, spreadsheets, emails, etc.), can be time-consuming, error-ridden, mundane, and most importantly lacking in providing transparent insight on the state of controls across the organization. Requirements and processes can change frequently as a result of new or emerging risks, making it increasingly difficult for organizations to identify control requirements, map them against organizational processes, and then report on the level of compliance across the enterprise.

The organization has to be able to see the individual area of control as well as the interconnectedness of risk and controls. A GRC professional’s most challenging task therefore, is developing a process or framework to understand how internal and external risks interrelate with controls and business processes in context of change, and how to evaluate organizational initiatives against these requirements.

The Bottom Line: Organizations cannot readily understand control from a series of lists or spreadsheets. They need intelligence and insight into the relationships between the hierarchical dimensions that describe an organization’s internal control and risk ecosystem that predict the full scope of potential impacts (direct and cascading) due to actual or exploratory change to risk and business strategy. Organizations need solutions that support simulation and scenario planning for strategic and tactical action plans in response to change.


Efficient and Effective Third-Party GRC Management

Modern Organization: Interconnected Maze of Relationships

Traditional brick and mortar businesses are a thing of the past. Physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, etc. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships, with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organization’s problems that directly impact the brand and reputation, while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them, and fail to actively manage and understand the interrelationship of third parties across the organization.

The fragmented governance of third party relationships, through disconnected silos, leads the organization to inevitable failure. Reactive, document-centric, and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship, as well as the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources – Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing, thinking others are doing this. Or the opposite happens: different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected – The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight – Allowing different parts of the organization to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end-to-end visibility of third party relationships.
  • Document and email centric approaches – When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and to bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on supply chain data. When things go wrong, document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies – When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency, impacts effectiveness, and encumbers the organization when it needs to be agile.
  • Processes focused on onboarding only – Risk and compliance issues are often only analyzed during the onboarding process to validate that the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change – Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, etc. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance – Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services, but do not include monitoring risks such as compliance and ethical considerations.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated supply chain data management strategy, the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance – resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches data management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance, and understand its impact on the organization.

The bottom line: A haphazard, department- and document-centric approach to third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy, as well as teams to define and govern third party relationships. Third party management is “a capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across its 3rd party relationships.” Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about performance, risk, and compliance, and how it impacts the organization.


Managing Risk & Compliance in the Extended Enterprise

Modern Organization: Interconnected Maze of Relationships

No man is an island, entire of itself;
Every man is a piece of the continent, a part of the main. [1]

Replace the word ‘man’ with ‘organization’ and the seventeenth-century English poet John Donne is describing the post-modern twenty-first century organization. In other words, “No organization is an island unto itself, every organization is a piece of the broader whole.”

Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. The modern organization is an interconnected maze of relationships and interactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, intermediaries, and more. Complexity grows as these interconnected relationships, processes, and systems nest themselves in intricacy, such as deep supply chains. Today, business is interconnected in a flat world in which over half of the organization’s ‘insiders’ are no longer traditional employees but third parties.

In this context, organizations struggle to identify and govern their third party relationships with a growing awareness that they stand in the shoes of their third parties. Risk and compliance challenges do not stop at traditional organizational boundaries. An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak governance of the relationship. Third party problems are the organization’s problems that directly impact the brand and reputation while increasing exposure to risk and compliance matters. When questions of business practice, ethics, safety, quality, human rights, corruption, security, and the environment arise, the organization is held accountable, and it must ensure that third party partners behave appropriately.

Inevitable Failure of Silos of Third Party Governance

Third party management is like the hydra in mythology — organizations combat each head, only to find more heads springing up to threaten them. Departments are constantly reacting to third party risks appearing around them and fail to actively manage and understand the interrelationship of third parties across the organization.

The challenge: “Can you attest to the governance, risk management, and compliance of the organization’s extended business relationships?”

Typical response: Organizations tend to look at the formation of a third party relationship and fail to foresee issues that cascade and cause damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship.

The fragmented governance of third party relationships through disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes fail to actively manage risk and compliance in the context of the third party relationship and broader organization strategy and performance. Silos leave the organization blind to intricate relationships of risk and compliance exposure that fail to get aggregated and evaluated in context of the overall relationship and the organization’s goals, objectives, and performance.

Failure in third party governance comes about when organizations have:

  • Growing risk and regulatory concerns with inadequate resources. Organizations are facing a barrage of growing regulatory requirements and expanding geo-political risks around the world. The organization is encumbered with inadequate resources to monitor risk and regulations impacting third party relationships; different parts of the organization end up finger pointing, thinking others are doing this. Or the opposite happens: different parts of the organization react to the same development without collaborating, which increases redundancy and inefficiency.
  • Interconnected third party risks that are not connected. The organization’s risk environment across third party relationships is becoming increasingly interconnected. An exposure in one area may seem minor, but when factored into other exposures in the same relationship can become significant. The organization lacks a complete record or understanding of the scope of third parties that are material to the organization.
  • Silos of third party oversight. Allowing different parts of the organization to go about third party governance in different ways without any coordination, collaboration, and architecture. This is exacerbated when the organization fails to define responsibilities for third party oversight. This leads to the unfortunate situation of the organization having no end-to-end visibility of third party relationships.
  • Document and email centric approaches. When organizations govern third party relationships in a maze of documents, spreadsheets, emails, and file shares it is easy for things to get overlooked and to bury silos of third party management in mountains of data that is difficult to maintain, aggregate, and report on. There is no single source of truth on the relationship, and it becomes difficult to impossible to get a comprehensive, accurate, and current analysis of a third party. Accomplishing this requires a tremendous amount of staff time and resources to consolidate, analyze, and report on third party information. When things go wrong, document trails are easily covered up and manipulated as they lack a robust audit trail of who did what, when, how, and why.
  • Scattered and non-integrated technologies. When different parts of the organization use different solutions and processes for onboarding third parties, monitoring risk and compliance, and managing the relationships, the organization never sees the big picture. This leads to a significant amount of redundancy and inefficiency, impacts effectiveness, and encumbers the organization when it needs to be agile.
  • Processes focused on onboarding only. Risk and compliance issues are often only analyzed during the onboarding process to validate that the organization is doing business with the right companies through an initial due diligence process. This approach fails to recognize that additional risk and compliance exposure is incurred over the life of the third party relationship.
  • Inadequate processes to manage change. Governing third party relationships is cumbersome in the context of constantly changing regulations, relationships, employees, processes, suppliers, strategy, and more. Organizations are in a constant state of flux. The organization has to monitor the span of regulatory, geo-political, commodity, economic, and operational risks across the globe in the context of its third party relationships. Just as much as the organization itself is changing, each of the organization’s third party relationships is changing, introducing further risk exposure.
  • Third party performance evaluations that neglect risk and compliance. Metrics and measurements of third parties often fail to fully analyze and monitor risk and compliance exposures. Often, metrics are focused on third party delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.

The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third party management:

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[2]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy of interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts on the entire ecosystem. This is true in third party management. What further complicates this is the exponential effect of third party risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of third party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs to have holistic visibility and situational awareness into third party relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of third party data require that the organization implement a third party management strategy.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

The bottom line: A haphazard, department- and document-centric approach to third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Third party management is “a capability that enables an organization to reliably achieve objectives, while addressing uncertainty, and act with integrity in and across its 3rd party relationships.” [3] Organizations need to approach third party management with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.


[1] A famous line from English poet John Donne’s Devotions Upon Emergent Conditions (1624), found in the section Meditation XVII.

[2] Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.

[3] GRC 20/20’s adaptation of the OCEG definition of GRC, found in the OCEG GRC Capability Model, applied to third party management.