GRC 4.0 – Agile GRC in a Dynamic & Disrupted Organization

Governance, risk management, and compliance (GRC) is the capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE]. The components of GRC provide the three legs of the stool that offer support and stability to the business and its operations. You take one leg away and the stool is no longer stable. It takes all three elements of governance, risk management and compliance working together to provide stability and balance for the organization.

Every organization is doing GRC, no matter what they call it. The question is, how mature is the organization’s GRC capability? Is it a reactive and disconnected process with departments going in many directions with much redundancy? Or is it mature, integrated and coordinated across the organization that aims to deliver on agility, efficiency and effectiveness of GRC-related processes in the context of organizational strategy, performance and objectives?

Organizations need a mature GRC capability that is supported by strong information and technology architecture that provides an integrated view of objectives, risks, compliance, controls, events and more. However, what confuses organizations is that they think GRC is about technology. That is putting the cart before the horse. GRC is about a capability delivered through a coordinated strategy and processes across the organization. Technology enables these processes to work together and function, but it does not define them. Too many organizations think GRC is something they purchase. GRC is not something you buy; it is something you do: GRC is the actions and activities of governance, risk management, and compliance.

There is technology for GRC and we often call this integrated or enterprise GRC platforms. However, these solutions are not GRC in themselves. Nor is there any single technology solution that does everything GRC. There can and should be a central core GRC platform that connects the fabric of governance, risk management and compliance processes, information and other technologies together across the organization. This architecture is the hub of GRC management and requires that it be able to integrate and connect with a variety of different systems and enterprise applications to deliver on GRC.

In my previous article, From GRC 1.0 to GRC 5.0: A History of Technology for GRC, I outlined the history of technology for GRC. From GRC 1.0 to the present of GRC 4.0 – Agile GRC, to the future of GRC 5.0 – Cognitive GRC. Today we focus on the present, what is GRC 4.0 – Agile GRC?

First to note that Agile GRC is not just about an enterprise/integrated GRC platform. Agile GRC is about the broader GRC architecture and encompasses many focused and deep solutions that do things like policy management, third party risk management, audit management, regulatory change management, and more. There are 20 segments to the GRC technology market that I have defined (which are at the bottom of this article). It is critical to understand that what is Agile GRC applies to the breadth of these segments and not just to a centralized all-encompassing platform that tries to promise to do everything and may do some things well, but often does other things only mediocre or not at all. This brings in where we came from in GRC 3.0 which was about GRC architecture and expansion of GRC beyond one platform to the integration of capabilities across best of breed systems when and where it makes sense.

The core concept of GRC 4.0 – Agile GRC technologies – is the capability to engage the entire organization on GRC and do so at a much lower cost of ownership of technology than we had in the past. Agile GRC is about the front office of the organization as much as it is about the back office GRC functions in the business. Frontline employees are making risk, compliance, and control decisions that impact organization strategy, objectives, and performance every day. Agile GRC is focused on bringing technology and engagement on GRC to the front office as well as the back office.

However, Agile GRC is also about new technology that has a much lower cost of ownership. Just because other analysts label someone as a ‘Leader’ in the upper right of their quadrants, does not mean that the solution is delivering value and is a modern solution. There are many solutions in the market that are struggling with underlying data architectures as well as user experiences that are going on being two decades old. This is not agile GRC software. Some put a fresh coat of paint on the user experience but have an underlying application and data architecture that is rotting with bloated code and complexity. This is not agile GRC software. It is critical to look deep under the hood and see what the solution is delivering and how it has evolved.

If the solution provider is not investing in updating the data/information architecture, the application architecture, and user experience – run away no matter what other analysts say. You do not need to be purchasing GRC software that is 20 years old under the hood (which is over 100 years old in human terms). It is expecting senior citizens to be competitive against twenty-year-old athletes. Buying old software that is not agile does not do the organization any good. Technology has changed. Established GRC solutions may still be very relevant, but it is critical to understand how they have evolved their underlying data and application architectures over the years. If the core code under the hood is 10 or more years old, you are dealing with a behemoth of age, complexity, bloat, and rot. I would argue that you should be concerned if the core code is over 5 years old. It is critical to understand how the solution has updated its application and data architecture over time.

This also leads to cost of ownership. Old GRC technology is expensive to implement, build-out, and maintain. One global financial services firm told them they are tired of having to have an army of ‘certified’ experts on staff for over $100,000/year each and any simple change takes months to get done. A LinkedIn post from last year described a legacy GRC implementation to the lyrics of the song Hotel California, that they are stuck and cannot get out. After having spent $500,000 in software license, and $2 million on implementation and build-out, three years later they are getting some basic functionality working. I have done an analysis of the RFPs I have worked on over the past three years. For every dollar you spend in software license for legacy GRC solutions that have not updated their data/information architectures, you are spending between $3 and $5 on implementation and buildout. For Agile GRC software, for every dollar you spend on software license you are spending between 50¢ to $1.50 in implementation and buildout. Organizations need to look at the total cost of ownership from software license to implementation to ongoing maintenance/management costs in making their decision for GRC software. Ironically, those that major analysts firms tend to rank as Leaders are the bloated dated software that are the most expensive to own and maintain. Not all of the ‘Leaders’ have kept their applications up to date and relevant.

Key factors of what defines an Agile GRC solution are:

  • Usable. The solution has a modern user experience. It does not look and feel like a solution that is 10 years old. It has a modern flat user experience design. It is contextually relevant to the role that the user logs in and sees the information most pertinent to them without having to dig through the solution. It has user-configurable dashboards and reports so the user can arrange the portal/experience to their needs that is easy to do by the user. It is also user-friendly for the front-office of the organization as well as the back-office of GRC functions.
  • Cost of ownership. The solution must have a low cost of ownership. From software licensing in relation to implementation and ongoing management. The solution should provide a compelling business case of value from efficiency (e.g., time saved, money saved), effectiveness (e.g., accuracy, thoroughness, more getting done, fewer things slipping), and agility (e.g., agile to a changing business, regulatory, and risk environment and responsive to identify and contain issues).
  • Configurable. The solution should not require custom coding where things break on upgrades. The solution should be highly configurable, even to the point of the ‘citizen developer’ where the average user in the business can understand how to configure, extend, and build out the system (Note: citizen development is great but comes at risks if the underlying data and process architecture are not thought out, so it also needs to be controlled). Things like visual workflow buildings, process diagraming, very visual forms and field buildout and placement are all part of this. But the key thing is if customization and coding are needed – CAUTION.
  • Scalable. The solution must be able to grow and adapt to the organization. The solution should streamline expansion to other departments and areas, be able to grow with the business, handle the breadth of data today but also in five years as the solution is expanded upon.
  • Adaptable. The solution combines the features of configurability and scalability to then become adaptable to the business. Where it is easy to configure and extend the solution. When there are mergers and acquisitions or business restructuring, this is easily mirrored in the GRC solution.
  • Integration. The solution must be able to integrate with other solutions. No solution does everything GRC, and GRC solutions also need to integrate with other business systems. The integration interfaces (e.g., APIs) should be easy to use and understand, and provide data integrity with the integration.
  • Analytics. The solution has a robust reporting, analytics, and dashboarding mechanism. Analytics is easy to configure and build out reports, scenarios, and comparisons and by the end-user.
  • Artificial intelligence/robotic process automation. The solution should be ready to evolve and move toward GRC 5.0 which is Cognitive GRC. This requires that the solution is starting to evaluate, leverage, and use artificial intelligence and robotic process automation capabilities to prepare for the future of GRC in the next couple of years. A solution that does not have an A.I. and robotic strategy is a caution.
  • Future proof. The solution should be easy to keep updated to the latest version. This particularly looks, again, at customization. If the solution requires so much customization and coding where things break on upgrades or upgrades are not even possible – run from it.

I am curious, what other data factors are important to you, the reader, for Agile GRC?

As we move to GRC 5.0 – Cognitive GRC, organizations need to ensure that their GRC 4.0 solutions have a strategy to embrace artificial intelligence and robotic process automation. Early adopters are starting to use these features today, but we are two years from these capabilities being broadly used for GRC. Cognitive GRC is where the solution

  • Learns from experience
  • Uses what is learned to draw conclusions
  • Identifies images and patterns
  • Solves difficult problem
  • Understands different languages
  • Creates new perspectives

When I look at the GRC market, I break it out into the following categories of solutions that I monitor and differentiate. Any solution in the market might just operate in one of these areas, or across several. But no one does it all. But there is a range of solutions that GRC 20/20 monitors, differentiates, and follows in our market research that span:

  • Integrated GRC Platforms. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture. These are the hubs that bring multiple areas below together into one overall view of integrated GRC reporting across the enterprise.
  • Anti-Money Laundering/KYC, Fraud & Corruption. Capability to manage AML, KYC, bribery, corruption, and fraud in the organization.
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/fieldwork findings, reporting, and analytics.
  • Automated Continuous Control Management/Enforcement. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans,  and implement these plans expected and unexpected disruptions to all areas of operation. 
  • Compliance & Ethics Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report. 
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Finance GRC Management. Capability to manage the financial risks, controls, and reporting of the organization.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • HR GRC Management. Capability to govern and manage risk and compliance in employee relationships, training, activities, and issues/incidents.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization. 
  • IT GRC Management. Capability to govern IT in the context of business objectives and manage IT processes,  technology, and information risk and compliance.
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage,  monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Reputation & Responsibility Management. Capability to manage the sustainability, ESG, and corporate social responsibility program of the organization.
  • Risk Management & Analytics. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects. 
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party GRC Management. Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.

While these are categories/buckets of capabilities that GRC 20/20 maps solutions in the market into, the reality is that one solution can go across many of these areas, or be confined to just one area. But no one does everything that is why it is about GRC information and technology architecture.

GRC 20/20 is here to answer your questions on strategy, solutions, and technology for GRC. We are a research organization so it is our job to objectively understand and differentiate solutions in the market and the problems they solve. 

Feel free to ask an inquiry.

The 3 Lifecycle Stages of Vendor Security Risk Management: Offboarding

How do you say goodbye to a third party?

This is the third of a three-part series on vendor risk management through the lifecycle of the relationship. Today, we focus on the offboarding monitoring process.

This is the third in a three-part guest blog series looking at risk management throughout the lifecycle of a third party relationship. Previously we looked at the onboarding process, then we explored ongoing security monitoring throughout the relationship [link to posted article], now we look at offboarding and terminating a relationship.

Goodbyes are difficult. Humans tend to avoid goodbyes. If it was a beautiful close relationship, or one that ends in frustration, anger, and tears . . . most do what they can to avoid goodbyes because they are difficult. Ironically, this is true of organizations as well.

The most neglected part of the lifecycle of a third party relationship is the goodbye. The termination of the relationship. It doesn’t matter if the relationship was very productive and served, or even exceeded, its purpose, or if the relationship soured and failed. Either scenario, organizations neglect proper offboarding and closure procedures to a relationship.

This is a critical concern in the context of information security. I have encountered in organizations network connections, VPN access, and access to systems that remain active long after the relationship was over. Even if there was no network access, or if that access was terminated, there still may be data and property of the organization that the third party has internally on file servers, physically, and can live on in archives. 

Terminating a relationship is not to be approached haphazardly at the end of a relationship but should be carefully defined in contracts and controls in the onboarding of the relationship. As relationships change overtime, such as expand services, it is also necessary to update scope, controls and responsibilities for termination throughout the relationship. The last thing an organization wants at offboarding is to look for termination provisions and notice they’re missing. 

In terminating a relationship, it is critical that an organization follow these steps . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Panorays site, follow the link below to read more]

Three Lines of Defense: Enabling High Performing Organizations

Like battling the multi-headed Hydra in Greek mythology, redundant, manual, and uncoordinated governance, risk management, and compliance (GRC) approaches are ineffective. As the Hydra grows more heads of regulation, legal matters, operational risks, and complexity, scattered departments of GRC responsibilities that do not work together become overwhelmed and exhausted and start losing the battle. This approach increases inefficiencies and the risk that serious matters go unnoticed. Redundant and inefficient processes lead to overwhelming complexity that slows the business, at a time when the business environment requires greater agility.

Successful GRC strategy in complex business environments requires layers of protection to ensure that the organization can “reliably achieve objectives [Governance] while addressing uncertainty [Risk Management] and act with integrity [Compliance].” (source: Any strategist, whether in games, sports, combat, or business, understands that layers of defense are critical to the protection of assets and achievement of objectives. Consider a castle in the Middle Ages in which there are layers of protection by moats, gates, outer walls, inner walls, with all sorts of offensive traps and triggers along the way. Organizations are modern castles that require layers of defense to protect the organization and allow it to reliably achieve strategic objectives.

The Three Lines of Defense model is the key model that enables organizations to organize and manage layers of GRC controls and responsibilities. The European Commission originally established it in 2006 as a voluntary audit directive within the European Union. Since this time, it has grown in popularity and is now a globally accepted framework for integrated GRC across lines of defense within organizations – from the front lines, to the back office of GRC, to the assurance and oversight roles. GRC 20/20 sees the Three Lines of Defense Model as critical to enable organizations to reliably achieve objectives while addressing uncertainty and act with integrity.

As the name suggests, the Three Lines of Defense model is comprised of three layers of GRC responsibility and accountability in organizations. These are:

  • Business Operations. The front lines of the organization across operations and processes comprise the roles that make risk and control decisions every day. This represents the functions within departments and processes that ultimately own and manage risk and controls in the context of business activities. These roles need to be empowered to identify, assess, document, report, and respond to risks, issues, and controls in the organization. This first layer operates within the policies, controls, and tolerances defined by the next layer of defense, GRC professionals.
  • GRC Professionals. The back office of GRC functions (e.g., risk management, corporate compliance, ethics, finance, health & safety, security, quality, legal, and internal control) are the roles that specify and define the boundaries of the organization that are established in policy, procedure, controls, and risk tolerances. These roles oversee, assess, monitor, and manage risk, compliance, and control activities in the context of business operations, transactions, and activities.
  • Assurance Professionals. The third layer of defense is assurance professionals (e.g., internal audit, external audit) that provide thorough, objective, and independent assurance on business operations and controls. It is their primary responsibility to provide assurance to the Board of Directors and executives that the first and second lines of defense are operating within established boundaries and are providing complete and accurate information to management. This is accomplished through planning and executing audit engagements to support assurance needs.

The Three Lines of Defense Model is well understood and adopted globally. The major downside of the model is the name itself using the word ‘defense.’ This gives the model a perception of being reactionary and tactical and not strategic. This is unfortunate as the model enables high-performance by aligning accountabilities at different levels of the organization and getting these functions working together in context of each other. High performing organizations require consistency and controls to ensure the organization operates within boundaries of controls. The Three Lines of Defense Model is key to enable reliable achievement of objectives and consistent control of the business.

The key to success in implementing the Three Lines of Defense Model is collaboration. If the layers of accountability across the three lines do not collaborate and work together, GRC functions will remain in silos and be ineffective, inefficient, and lack agility to respond to a complex and dynamic business environment. Internal politics and divisions work against the Three Lines of Defense Model in organizations.

Another challenge for organizations in implementing the Three Lines of Defense Model is not having a consistent GRC process, information, and technology architecture. Not only do different groups across the lines of defense need to be able to work together, they need to be able to share information and have a consistent and single source of truth for GRC activities, accountabilities, and controls.

The Bottom Line: Three Lines of Defense is an integrated GRC framework with the goal of allowing different parts of the organization to work cohesively together to reliably achieve objectives while addressing uncertainty and acting with integrity. It enables what OCEG calls Principled Performance, and ensures that there are clear responsibilities, accountability, and oversight of risk and control at all levels of the organization. Organizations are adopting the Three Lines of Defense Model for GRC as they have come to realize that silos of GRC that do not collaborate and work together lead to inevitable failure. There is a need for visibility across these lines of defense that is scalable, integrated and consistent. The Three Lines of Defense Model enables efficient, effective, and agile business.

GRC 20/20’s latest research piece evaluating solutions on this topic is:

Legal at the Center of GRC Leadership and Strategy

Legal Challenges in a New Era

Today’s global business environment presents a broad spectrum of economic, political, social, legal and regulatory changes, which continually increase strategic and tactical complexity, and create commensurate pressures on business performance and exponential growth of often conflicting and overlapping legal and business requirements alongside global operations. The enterprise must reliably achieve business objectives while addressing uncertainty and act with integrity – all the while remaining within mandatory legal requirements. It must also manage and maintain legal risk within the limits that the organization has established.

Legal risks include:

  • Regulatory risk: The risk associated with myriad laws, rules and regulations. It includes common regulatory risks associated with labor laws, information privacy and anticorruption, as well as risks specific to industries such as banking, pharmaceuticals, energy and utilities and health care.
  • Entity management and corporate filings risk: The risk associated with keeping the entity in good standing with governing agencies, and filing information with regulators and government agencies.
  • Litigation risk: The risk associated with ongoing, imminent and potential litigation.
  • Contract risk: The risk involved in vetting contracts and monitoring compliance with contract requirements and provisions.
  • Transaction risk: The risk associated with mergers and acquisitions, including the legal risks of the acquired organization.
  • Intellectual property (IP) risk: The risk involved with copyrights, trademarks and patent infringements, as well as leakage and/or loss of confidential corporate information.

Most organizations try to address and effectively manage legal risks, IP protection, contracts, business requirements and compliance obligations. But both internal and external stakeholder forces and events have caused the organization to increase legal risk monitoring and reporting, particularly with regard to changing laws and regulations.

The Role of the Legal Department in GRC

In many organizations, the significance of the legal department is growing. Today, the department guides the enterprise beyond putting out fires in legal matters. It is being tasked to take on a proactive role in legal risk management and preventive law, while functioning as a critical pillar in an organization’s risk management strategy. This requires that legal be

The rest of this post can be found a guest blog on Wolters Kluwer ELM Solutions Blog . . .

[button link=””]READ MORE[/button]

The Agile Organization: GRC as a Transformational Process

Today, the organization is not only complex, but also chaotic in a constant state of metamorphosis. The organization is:

  • Distributed. Business is not done within traditional brick-and-mortar walls as it now has distributed operations complicated by a web of global business partner and client relationships. Physical buildings and conventional employees no longer define an organization. The organization is an interconnected mesh of relationships and interactions that span traditional business boundaries.
  • Dynamic. Organizations are in a constant state of metamorphosis. The organization has to manage shifting business strategy, technology, and processes while keeping current with changes to risk and regulatory environments around the world. Not only is the organization dealing with constant change in its business relationships, each individual relationship is dealing with change in its business and downstream relationships.
  • Disrupted. The intersection of distributed and dynamic business brings disruption. The velocity, variety, and volume of change is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly-effect’ in which a small event actually results, develops and influences what ends up being a significant event.

The primary challenge of the organization is a need to be agile in a distributed, dynamic, and disrupted environment. Agility and control naturally seem to be opposing forces . . .

Continued on the MEGA Corporate Governance Blog (The GRC Pundit is a guest blogger) . . .

[button link=”″ color=”default”]READ MORE[/button]

Exploring the New Frontiers Between Legal and GRC

The Role of Internal Audit in Autogrill’s GRC Journey