Increased Demand for Evidence-Based Compliance: EU Surpasses the USA

For many years, the global compliance landscape was dominated by a checkbox-driven approach, led primarily by the United States. Compliance programs in the U.S. focused on prescriptive rules and adherence to specific frameworks, and largely followed a formulaic pattern in which ticking the correct boxes and maintaining records sufficed to meet regulatory requirements. At the heart of this approach was the Chief Ethics and Compliance Officer (CECO), a role long established as part of the American compliance infrastructure.

However, recent developments in Europe, especially within the European Union (EU), have reshaped the compliance landscape. With a significant shift toward evidence-based compliance, the EU is now spearheading a more agile, risk-based, and outcomes-focused approach to regulation. This shift has allowed Europe to leapfrog the U.S. in terms of structured compliance programs, creating a more mature and demanding framework for organizations to follow.

The Evolution of European Compliance

For many years, Europe lagged behind the U.S. in terms of organized compliance frameworks. U.S.-based organizations were at the forefront of building structured compliance programs, with the CECO role established as a key component in ensuring adherence to regulations such as the Foreign Corrupt Practices Act (FCPA) and Sarbanes-Oxley (SOX). In contrast, Europe’s regulatory environment was perceived as more fragmented, with less emphasis on the structured and formalized compliance initiatives seen in the U.S.

This, however, began to change with the introduction of sweeping regulatory frameworks within the EU. The General Data Protection Regulation (GDPR), which came into force in 2018, was the first signal that Europe was taking a different path. GDPR was not just a regulation; it was a paradigm shift that put data privacy and security at the forefront of global compliance conversations. The regulation’s stringent penalties and extraterritorial reach forced organizations worldwide to rethink their approach to compliance, especially in how they collect, manage, and protect personal data.

With this regulatory foundation, Europe has continued to develop requirements that go beyond prescriptive checklists, demanding a more principled and evidence-based approach. Three key pieces of EU legislation currently shaping this new approach are the Corporate Sustainability Reporting Directive (CSRD), the Digital Operational Resilience Act (DORA), and the EU Artificial Intelligence Act (EU AI Act), all of which have looming 2025 deadlines (with more in subsequent years). These emphasize risk-based compliance, requiring organizations to provide clear, documented evidence that they are not only meeting regulatory requirements but also achieving the intended outcomes of those requirements.

Europe’s Shift Toward Evidence-Based Compliance

At the core of the EU’s new compliance landscape is a focus on evidence-based compliance, where companies must not only adhere to regulations but also demonstrate how they are achieving compliance in a way that is effective and sustainable. The EU’s regulations are broader in scope with a global impact outside of the EU, focus on outcomes rather than prescribed steps, and require companies to take a more risk-based approach.

Principled and Outcome-Based Compliance

Unlike the U.S., which has traditionally followed a checkbox-based, prescriptive model of compliance, the EU has adopted a more principled, outcome-based framework. This approach originated in the United Kingdom under the old Financial Services Authority (FSA, before it became the FCA) and was folded into the EU's better regulation policy nearly twenty years ago.

It requires organizations to take a risk-based approach, tailoring their compliance programs to specific risks that are unique to their operations, industry, and geography. Simply following a list of mandated tasks is not enough. Organizations must show evidence of how they have mitigated risks, complied with regulatory outcomes, and adjusted their internal controls and procedures in real-time.

For instance, the CSRD requires organizations to report on a wide range of environmental, social, and governance (ESG) factors. But beyond simply reporting, they must provide evidence that their ESG strategies are embedded in their core business practices and demonstrate tangible impacts, including across the extended enterprise under the corresponding EU Corporate Sustainability Due Diligence Directive (CSDDD). This contrasts with the U.S., where ESG reporting has been largely voluntary, with scattered compliance mandates and a less comprehensive focus.

Similarly, DORA, which focuses on the operational resilience of the financial sector's digital infrastructure, requires financial entities and their critical ICT third-party providers to show evidence of risk assessments, internal control measures, and continuous monitoring to safeguard against cyber threats. The regulation's emphasis on evidence-based reporting makes it clear that organizations need to proactively manage their operational resilience risks rather than react to incidents as they arise.

The Challenges and Benefits of the European Model

The EU’s approach to compliance is undoubtedly more complex and demanding than the traditional U.S. model. While the prescriptive nature of U.S. regulations provides clarity and a structured approach, it can often become inflexible, making it difficult for companies to adapt to emerging risks or evolving regulatory landscapes.

In contrast, the EU’s evidence-based model, while more agile and adaptable, comes with challenges. One of the main hurdles for organizations operating in Europe is the requirement for continuous monitoring and documentation. Compliance teams must be proactive, constantly assessing risks and adjusting controls to ensure they remain compliant. The lack of prescriptive rules means that organizations must exercise greater diligence in interpreting regulations and building compliance programs that are tailored to their specific needs.

Another challenge is the sheer breadth of compliance requirements across different sectors and jurisdictions within the EU. For multinational companies, this can lead to significant resource allocation toward compliance functions, requiring more advanced tools for compliance risk management, reporting, and data governance.

However, these challenges come with significant benefits. The EU’s outcome-based approach allows for greater flexibility, enabling organizations to design compliance programs that are more tailored and responsive to their unique risks. This, in turn, fosters a culture of continuous improvement, as organizations are encouraged to go beyond minimum compliance standards to truly integrate risk management into their business strategy.

Moreover, by requiring evidence of compliance, the EU is pushing organizations to demonstrate transparency and accountability. This is not only beneficial for regulators but also strengthens trust with investors, customers, and other stakeholders. The focus on measurable outcomes means that organizations can build more resilient and sustainable compliance programs, which ultimately reduce long-term risk exposure.

The U.S. Compliance Landscape: Can It Keep Up?

In comparison to the EU, the U.S. compliance landscape remains more prescriptive, though there are signs of change. It is also hampered by political polarization, which has kept broad compliance reform from being addressed. The U.S. Securities and Exchange Commission (SEC) has recently proposed new rules around ESG disclosures that would require more comprehensive reporting on climate-related risks. However, climate is only one slice of the much broader ESG scope covered by the EU CSRD. These developments are still in their early stages, and U.S. regulations continue to be driven by a checklist mentality, with less emphasis on the principles or outcomes of compliance.

While the CECO role remains central in U.S. organizations, there is growing recognition that compliance needs to evolve beyond rigid frameworks. The demand for data-driven, risk-based compliance is growing, especially as global regulations, particularly those in the EU, have a wider extraterritorial reach.

Be Prepared for Evidence-Based Compliance

As the compliance landscape continues to evolve, the EU has emerged as a leader in structured, evidence-based compliance programs. The transition from a prescriptive, checkbox-based model to a principled, outcome-driven approach has propelled Europe ahead of the U.S., requiring organizations to be more agile, risk-focused, and diligent in their compliance efforts.

The 2025 deadlines for CSRD and DORA, along with the forthcoming EU AI Act deadlines (to name just a few examples), will further cement Europe's leadership in this space, as organizations must not only comply but also demonstrate evidence of compliance in a way that is both transparent and risk-based. For compliance professionals, this shift presents an opportunity to build more resilient and effective compliance programs, though it will require significant investment in tools, resources, and expertise to meet these new regulatory challenges.

As global regulatory environments become more intertwined, it is likely that the U.S. will also adopt more elements of evidence-based compliance, though for now, Europe leads the charge in this new era of compliance oversight. However, many firms in the U.S. and around the world have to respond to the broad reach and scope of the EU regulatory environment.

The Tunnel of Eupalinos: a Blueprint for Connecting Strategic and Operational Risk & Resilience

Risk management, when done effectively, is both an art and a science, requiring a careful balance of top-down strategic insight in the context of the organization’s objectives and bottom-up operational risk, control, and resilience. To understand this delicate alignment, let’s take inspiration from an ancient engineering marvel: the Tunnel of Eupalinos on the Greek island of Samos.

The Tunnel of Eupalinos: An Architectural Feat

The Tunnel of Eupalinos, constructed in the 6th century BCE, was designed to supply fresh water to the city of Samos. What makes this tunnel remarkable is that it was excavated from two opposite ends of Mount Kastro, eventually meeting in the middle with stunning precision. It’s an ancient testament to the power of coordination, foresight, and understanding the bigger picture while working through the minute details.

In the same way that two teams of engineers worked from opposite ends of the mountain, risk management requires a meeting of two critical perspectives:

  1. The Top-Down Strategic View. This is the broader vision, where leaders define the organization’s objectives and set the stage for growth, innovation, and navigating a chaotic business world. In risk terms, this is where you need to align your risk management framework with the organization’s strategic goals and objectives. ISO 31000 defines risk as the “effect of uncertainty on objectives,” making it clear that risk is inseparable from business objectives. These objectives can be financial, operational, or even ethical (ESG) objectives. Objectives start at the entity level and filter down into division, department, process, project, asset, and even third-party relationship objectives. They go across business departments and functions from sales, marketing, IT, finance/accounting, and more. Risk is the uncertainty in achieving these objectives.
  2. The Bottom-Up Operational View. Down in the depths of the organization, there is the daily grind of mitigating and managing specific risks—cybersecurity threats, operational disruptions, supply chain vulnerabilities, and more. This is where resilience is built, controls are implemented, and tactical responses to emerging threats are honed. The operational view of risk down in the weeds is critical, as this is where some small thing can go wrong and bring down the organization.

Much like the Tunnel of Eupalinos, these two approaches to risk management must converge for true risk management success. Focusing on only the strategic top-down view can lead to what the military calls a CLUSTER F***. Focusing only on the operational down-in-the-weeds view misses what risk management is about, and that is enabling the business to achieve its objectives amid uncertainty. Here’s how these two perspectives need to work together to navigate the chaotic and unpredictable world of modern business.

The Top-Down Strategic View of Risk: Charting the Course

In any organization, leadership needs to have a clear, top-down understanding of risk. This is not simply about identifying what could go wrong—it’s about understanding the broad landscape of risk in the context of organizational objectives. The leaders of the ancient city of Samos knew they needed a water supply to ensure the city’s survival and growth. Their strategic view informed the need for the tunnel.

Today’s business leaders need to ask similar strategic questions:

  • What are our business objectives from the top down into the functions and processes of the organization? Whether it’s growing market share, launching a new product, or entering a new geographical market, these objectives will shape the risk landscape.
  • How does uncertainty affect these objectives? This is where the ISO 31000 definition of risk becomes crucial. Uncertainty, whether economic, operational, technological, geo-political, regulatory/legal, or environmental, can affect the organization’s ability to meet its goals.
  • How do we allocate resources to manage these risks? Just like the city of Samos invested resources in building the tunnel, organizations must allocate the right talent, technology, and capital toward mitigating strategic risks.

At this level, risk management is not about individual incidents or isolated risks. It’s about understanding how uncertainty in the external and internal environment affects your ability to achieve strategic objectives and steer the organization accordingly. This top-down view provides clarity on where the organization is headed, but it is incomplete without understanding what happens at the ground level—down in the “tunnel” of daily operations.

The Bottom-Up Operational View: Navigating the Depths of Risk

While the top-down view provides the strategic direction, the bottom-up operational view ensures that the day-to-day management of risks is aligned with broader objectives. The workers digging the tunnel had a much different view of the project than the city leaders who envisioned it. But their work was just as critical to its success.

This is where operational risk and resilience come into play. In today's business environment, risks are increasingly complex and interconnected. Whether it's a cyberattack, a natural disaster, or a supply chain disruption, organizations face risks that require resilience at every level of operations.

Some questions to consider from the bottom-up perspective:

  • How are risks manifesting at the operational level? These risks often appear in the form of cybersecurity vulnerabilities, supplier disruption, equipment failures, or human error. Understanding these risks in detail is key to building resilience.
  • How does resilience at the operational level support strategic objectives? It’s not enough to simply mitigate risks as they arise; you need to ensure that operational responses are aligned with the broader organizational goals. For example, if the strategic objective is to expand into new markets, how do you ensure that your operational resilience supports this expansion?
  • How do we ensure constant communication between operational risk managers and strategic decision-makers? Just as the two ends of the tunnel had to stay coordinated, the operational teams must maintain clear lines of communication with leadership to ensure that their efforts are contributing to overall success.

Operational risk management is about building resilience, and ensuring that the organization can continue to function effectively even when faced with disruptions. This is the nitty-gritty work that happens in the trenches, where risks are identified, assessed, and managed in real time.

The Convergence: Bringing Strategy and Operations Together

The true magic of risk management happens when these two perspectives—strategic and operational—meet in the middle. Just as the two teams digging the Tunnel of Eupalinos had to meet with precision, the top-down and bottom-up views of risk management must align seamlessly.

Why Both Perspectives Are Necessary:

  • Strategic Risk Management without Operational Insight is Blind. If leadership only focuses on the big picture, they miss the crucial details that could derail their strategy. Without understanding the specific risks at the operational level, they are essentially flying blind. This leads to a CLUSTER F***.
  • Operational Risk Management & Control without Strategic Alignment is Rudderless. On the flip side, operational risk managers can get bogged down in the details without understanding how their efforts support broader organizational objectives. Without the top-down view, they lack direction and purpose.

How to Bring Them Together:

  • Strategy, Collaboration, and Communication Are Key. Leadership must foster an environment where communication flows freely between strategic and operational teams. Risk management is not a siloed activity—every level of the organization must be engaged.
  • Use a Common Framework. ISO 31000 provides an ideal framework for this convergence, emphasizing that risk management should be integrated into all processes of the organization, aligned with the overall strategy.
  • Build a Culture of Risk Awareness. When everyone from the C-suite to front-line employees understands their role in managing risk, the organization becomes more resilient. It’s not just about following a risk checklist but about cultivating a mindset that recognizes and responds to risks dynamically in the context of the organization’s strategy, objectives, and operations.
  • Risk Technology Architecture Enablement. Unfortunately, very few GRC solutions on the market can enable the entire picture from strategic to operational. The majority of solutions focus solely on the weeds of operational risk and completely miss the top-down strategic view. Feel free to inquire with GRC 20/20 about our coverage of the GRC market to learn which solutions are the best fit for bringing this broad picture together. At the end of the day, though, it requires an architecture, as no one solution does everything, and certainly not everything well.

Building the Future Tunnel of Resilience

The Tunnel of Eupalinos stands as a reminder that even the most ambitious projects require a balance of vision and detailed execution. In the same way, effective risk management in today’s chaotic business environment requires both a strategic view from the top and operational resilience at the bottom. These two perspectives must meet, support each other, and work in harmony to guide organizations through uncertainty.

In the end, it’s not just about avoiding risks; it’s about understanding how uncertainty affects your objectives and how to navigate through them with precision and purpose. Just like the tunnel builders of ancient Samos, risk managers must balance the broad view with the fine details, ensuring that their efforts lead to a successful and resilient future.

Ethics, Compliance & Risk Culture in Denmark: A Model of Orderliness and Mindfulness

Denmark is often lauded for its high quality of life, progressive social policies, and exemplary governance. However, there is something more subtle yet profoundly impactful that one notices when visiting Denmark—a deep-seated culture of orderliness and mindfulness. This is not just about following rules; it's about a collaborative accountability to ethical behavior, mutual respect, and a sense of community responsibility that permeates every aspect of Danish life. Previously, on an earlier trip to Copenhagen, I wrote on this specifically from a risk management perspective in Risk Management Lessons from Denmark. My current trip prompts some further reflection.

On my trip to Copenhagen, Denmark, this past week, I was struck by these characteristics of collaborative accountability to ethical behavior, mutual respect, and a sense of community responsibility in ways that were both surprising and enlightening. Even the smallest observations, such as the gentleman sitting next to me on the plane into Copenhagen, offered valuable insights. This individual was thoughtful and mindful throughout the flight, and when it was time to deboard, he took the time to neatly fold his blanket and leave his space orderly. This act, seemingly small, is a reflection of a broader cultural norm in Denmark: a commitment to mindfulness and respect for shared spaces and experiences.

As I spent more time in Denmark, I noticed that this wasn’t an isolated incident. Walking through the streets of Copenhagen at 1:00 a.m., I observed that people still waited patiently for the walk signal to cross the street—even when there were no cars in sight. This adherence to rules is not out of fear of punishment, as might be the case in places like Singapore, where strict laws and harsh penalties enforce orderliness. In Denmark, it is about something deeper: a shared understanding of the importance of following rules for the benefit of the community as a whole. This is about collaborative accountability, where the community collectively upholds standards of behavior, not because they are enforced by law, but because they are valued and respected.

Understanding the Danish Ethical Culture

The question then arises: how does Denmark cultivate such a strong ethical culture? The answer lies not in strict enforcement but in community values and social norms. Danish society is built on trust, mutual respect, and a strong sense of social responsibility. These values are ingrained from a young age, through education, family, and community interactions, leading to a society where individuals naturally conform to ethical standards because they believe in their importance, not because they fear punishment.

In Denmark, the concept of “hygge” (a sense of coziness and contentment) also plays a role in fostering a close-knit community. Hygge is about creating a warm atmosphere, enjoying the good things in life with good people. It reinforces the importance of community and the need to take care of each other, which naturally extends to following rules that benefit everyone.

Moreover, Denmark’s relatively flat organizational and social structures contribute to a culture where everyone feels responsible for the well-being of the community. There is a strong emphasis on equality and consensus, which means that people are more likely to collaborate and hold each other accountable, rather than relying on hierarchical enforcement of rules.

I am not trying to say that Denmark is some utopia and is perfect. It has its issues as well. But there are differences when you contrast Denmark with other nations, like the USA, that too often tend toward a utilitarian ethical framework focused on the best outcome for the individual.

Lessons for Organizations: Building a Culture of Collaborative Accountability

The Danish approach to ethics and compliance offers valuable lessons for organizations looking to build a strong culture of governance, risk management, and compliance (GRC). Here are some key takeaways:

  1. Foster a Sense of Community and Shared Responsibility. Organizations should work towards creating an environment where employees feel a sense of belonging and responsibility towards each other. This can be achieved through team-building activities, open communication, and encouraging collaborative decision-making processes. When employees see themselves as part of a community, they are more likely to adhere to ethical standards for the collective good.
  2. Promote Mindfulness and Respect in Everyday Actions. Just as the gentleman on the plane folded his blanket out of respect for the next passenger, organizations can promote small acts of mindfulness and respect that contribute to a positive culture. This can be as simple as encouraging cleanliness in shared spaces, or more broadly, promoting a culture of thoughtfulness in interactions and decision-making processes.
  3. Encourage Ethical Behavior Through Values, Not Fear. Instead of relying solely on strict rules and penalties to enforce compliance, organizations should focus on cultivating a culture where ethical behavior is driven by shared values. This can be done through leadership modeling ethical behavior, incorporating ethics into the core mission and vision of the organization, and recognizing and rewarding ethical behavior among employees.
  4. Create Flat Structures that Encourage Collaboration and Accountability. Just as Danish society values equality and consensus, organizations can benefit from flattening hierarchies to encourage open communication and shared accountability. When employees at all levels feel empowered to speak up and hold each other accountable, it creates a more robust and resilient ethical culture.
  5. Educate and Train Continuously. In Denmark, ethical behavior is taught and reinforced from a young age. Similarly, organizations should invest in continuous education and training to instill and reinforce the importance of ethics and compliance. This includes not only formal training programs but also informal opportunities for employees to discuss and reflect on ethical dilemmas and best practices.

Conclusion: Cultivating a Danish-Style Ethical Culture

Denmark’s culture of orderliness and mindfulness offers a powerful model for organizations looking to build strong ethical cultures. By fostering a sense of community, promoting mindfulness and respect, encouraging ethical behavior through shared values, creating flat organizational structures, and investing in continuous education, organizations can develop a culture of collaborative accountability that mirrors the Danish approach.

In doing so, they not only enhance their governance, risk management, and compliance efforts but also create a workplace where employees feel valued, respected, and motivated to contribute to the greater good. Just as the Danish people naturally follow rules and consider the impact of their actions on others, so too can organizations cultivate a culture where ethical behavior is the norm, not the exception.

While these are great thoughts, I am also concerned whether they can be effectively promulgated in a country like mine, the United States of America. I fear the USA, in general, has a predominantly utilitarian ethical culture that focuses on the individual and not the group. Too often individuals will make the decisions that provide them individually with the best outcome, which can lead to breaking rules and then even the law. I am exploring these thoughts and would appreciate any honest reflections and feedback on this . . .

Beyond the Heatmap: Rethinking Risk Management for the Modern Age

In today’s rapidly evolving business landscape, risk management is no longer just about avoiding pitfalls; it is about navigating the uncertain waters of opportunity and danger with agility and resilience. This paradigm recognizes that risk is not just a challenge to be mitigated but an integral component of strategic decision-making. In an environment characterized by relentless change and uncertainty, driven by technological advancement, global interconnectedness, and shifting market dynamics, organizations must develop a proactive and adaptive risk management strategy: anticipating potential disruptions, seizing emerging opportunities, and building the organizational resilience to bounce back stronger from setbacks. Effective risk management today requires a dynamic, forward-thinking approach that not only protects against adverse events but also leverages risk as a catalyst for growth and innovation. By integrating risk management into the core of their strategic operations, organizations can better navigate the complex terrain of the modern business world, ensuring long-term success and sustainability.

For nearly two decades, I’ve questioned why business continuity often operates in a silo, buried deep within the organizational structure, rather than being an integral part of enterprise and operational risk management. The symbiotic relationship between these functions is undeniable, and the pandemic, along with regulatory bodies, is finally forcing a change. The Office of the Comptroller of the Currency (OCC) in the U.S. succinctly stated, “Operational resilience is . . . the outcome of effective operational risk management.”

But let’s be clear: resilience alone isn’t enough. Agility is equally crucial. True risk management involves not just surviving the storm but steering the ship towards opportunity while skillfully avoiding or mitigating hazards. As Teddy Roosevelt wisely remarked, “Risk is like fire; if controlled, it will help you; if uncontrolled, it will rise up and destroy you.” 

This sentiment is echoed by Judge Mervyn King of South Africa, who stated, “Enterprise is the undertaking of risk for reward.” Effective risk management is a strategic tool that enables organizations to thrive amid the chaos of the modern world, maximizing returns and performance while minimizing losses.

So, how does your organization approach risk management? Is it merely a . . .

[The rest of this blog can be read on the GRC Report, where GRC 20/20’s Michael Rasmussen is a contributor and CEO]

Strengthening the Bonds of the Extended Enterprise: A Unified Approach to Third-Party Risk Management

In today’s interconnected world, the relationships that businesses forge with third parties are akin to friendships—built on trust, integrity, and resilience. Just as strong friendships require shared values, ethical behavior, and the ability to withstand challenges, so too do the relationships that businesses maintain with their vendors, suppliers, and partners. These relationships form the backbone of what is known as the “extended enterprise,” a complex web of interactions that extends far beyond the traditional boundaries of a single organization.

As an analyst deeply entrenched in the field of third-party risk management, I can attest that this is one of the busiest and most critical areas in governance, risk management, and compliance (GRC) today. I am currently involved in over a dozen RFPs (Requests for Proposals) related to third-party risk management, all driven by the dual pillars of integrity and resilience. These are not just buzzwords; they are essential qualities that define the success and sustainability of business relationships in the modern enterprise.

Integrity and Resilience: The Cornerstones of Third-Party Relationships

Imagine a friendship that lacks integrity—one where trust is broken, and values are compromised. Such a relationship is bound to fail, as it lacks the moral foundation needed to weather challenges. In the same vein, business relationships must be built on a foundation of integrity, encompassing environmental, social, and governance (ESG) principles, as well as compliance with laws, regulations, and ethical standards. This is the very essence of corporate integrity.

But integrity alone is not enough. A relationship must also be resilient, capable of withstanding the inevitable challenges and disruptions that arise. In the business world, resilience translates to the ability to manage risk and maintain continuity in the face of adversity. Whether it’s a cyber-attack on a critical supplier, a geopolitical crisis affecting a key market, or a sudden regulatory change, businesses must be prepared to respond swiftly and effectively to protect their operations and reputation.

One of the most telling examples of the importance of resilience in third-party relationships came from a firm that did not use CrowdStrike but was still impacted by the July 2024 CrowdStrike outage because several of its critical third-party partners did. This situation underscores how risk propagates through the extended enterprise: a dependency you never contracted for can still disrupt your operations through a partner that did. It is why third-party risk management must go beyond surface-level questionnaires and focus on resilience, including the resilience of the critical suppliers your third parties themselves depend on (fourth parties).

One global bank even identified third-party risk as its largest area of concern, reflecting the growing recognition of the impact that third-party failures can have on an organization's overall risk profile.

The Regulatory Landscape: Driving the Need for Third-Party Risk Management

The regulatory environment is a significant driver behind the increased focus on third-party risk management. Frameworks such as the EU Digital Operational Resilience Act (DORA) and the EU Corporate Sustainability Reporting Directive (CSRD) are pushing organizations to enhance their oversight and management of third-party risks. Their impact is global, not merely regional: DORA reaches the ICT third-party providers that serve EU financial entities wherever those providers are located, and CSRD reporting obligations push data requests down to the suppliers and vendors in a company's value chain. DORA and CSRD are the primary drivers right now, but they are certainly not the only regulatory drivers.

Please feel free to ping me if you want a list of the dozens of laws/regulations I am tracking that impact third-party risk management.

The Call to Action: A Federated Third-Party Risk Management Program

To effectively manage third-party risks, organizations must move towards a federated third-party risk management program—a unified strategy that spans across departments and functions responsible for third-party risk. This approach requires structured processes that cover the entire lifecycle of third-party relationships, from onboarding and continuous monitoring to addressing issues and, crucially, offboarding—a phase that is often neglected.

At the heart of this strategy lies the need for robust third-party risk technology and real-time third-party risk intelligence feeds/content. These solutions, together, enable organizations to monitor their third parties continuously, ensuring that any emerging risks are identified and addressed promptly. Moreover, advancements in artificial intelligence (AI) are playing an increasingly important role, offering the ability to automate due diligence processes and provide deeper insights into the risk profiles of third parties.

A Holistic Approach to Third-Party GRC Management

Effective third-party risk management requires more than just a focus on risk; it demands a holistic approach that integrates governance, risk management, and compliance (GRC). This approach should be grounded in a clear understanding of the objectives and values that define each relationship, as well as the risks and uncertainties that may threaten those objectives. Myself, I prefer to call it third-party GRC or third-party governance, but third-party risk management is what is commonly used.

Organizations that adopt a federated approach to third-party risk management are better positioned to navigate the complexities of the extended enterprise. By fostering collaboration across departments, leveraging advanced technologies, and maintaining a clear focus on integrity and resilience, businesses can build stronger, more resilient relationships with their third parties—relationships that, like good friendships, stand the test of time.

In conclusion, as the extended enterprise becomes increasingly integral to the success of modern organizations, the need for a unified, proactive approach to third-party risk management has never been greater. Just as friendships require trust, communication, and shared values, so too must business relationships be nurtured and managed with care. By doing so, organizations can ensure that their extended enterprise is not only a source of strength but also a foundation for future growth and success.

Seven AI Samurai of GRC: Protecting the Organization

I love feudal Japan! After my love for medieval Europe is my love for feudal Japan. Perhaps they are on par with each other, as both of these eras excite me. So when my sons asked me if I wanted to go see Akira Kurosawa’s 1954 classic, Seven Samurai, on the big screen here in Milwaukee . . . I leapt at it. I have seen this before but not on the big screen.

Of course, my mind is racing and thinking of analogies to the ever-evolving world of governance, risk management, and compliance (GRC), as organizations are constantly besieged by a multitude of threats from different angles just like the village in Seven Samurai. Much like the defenseless village, modern organizations need protection against marauding threats to strategy and objectives, resilience, dynamic risks, regulatory change, cyber risks, operational hazards, and compliance breaches. Enter the Seven AI Samurai of GRC – a band of intelligent, automated warriors designed to defend and fortify the village that is your organization.

Meet the Seven AI Samurai of GRC

Just as Kurosawa’s samurai were each skilled in unique martial arts and skills, our AI Samurai each specialize in a different aspect of GRC. These samurai work together to create a robust defense system for organizations, ensuring that all facets of governance, risk, and compliance are covered.

  1. Risk Ronin: The Strategist of Scenarios. Our first samurai is the Risk Ronin, who excels in identifying, assessing, and monitoring risks to the organization’s objectives (ISO 31000 defines risk as the effect of uncertainty on objectives). This samurai’s strategic mind uses AI to conduct deep dives into global external events and data, identifying relevant information to develop and refine risk scenarios. These scenarios are then used to run annual risk analyses and exercises, so the organization is prepared for a wide range of eventualities. Risk Ronin’s analytical prowess provides the organization with accurate, up-to-date risk information, enabling informed decision-making and proactive risk management. His strategies ensure that the village can anticipate and navigate the most treacherous threats.
  2. Visibility Vassal: The Overseer of Transparency & Resilience. Aiding the Risk Ronin is the Visibility Vassal, the second samurai, who brings clarity and transparency to the village and its objectives. This samurai’s AI-powered tools gather and consolidate data from various sources, providing a holistic view of risks and control issues. Visibility Vassal ensures that all risks and obligations are visible in the context of the organization and its objectives, creating a culture of accountability and informed decision-making. With his watchful eye, Visibility Vassal enables the organization to maintain a high-level overview of all organization objectives and activities, ensuring that nothing is overlooked and everything is accounted for in a dynamic and changing context.
  3. Regulatory Ronin: The Sentinel of Compliance. The third samurai, Regulatory Ronin, stands guard at the gate of regulatory change. His sharp AI senses scan the horizon for incoming regulations, monitoring over 2,000 sources across numerous jurisdictions. With unparalleled speed and accuracy, this samurai categorizes, parses, and maintains a version history of all regulatory updates. This keeps the village current on what applies to it, reducing the noise and focusing only on relevant changes. Regulatory Ronin’s strength lies in the ability to filter through the chaos and provide actionable intelligence. His presence helps the organization remain compliant with current laws, mitigating the risk of non-compliance fines and penalties.
  4. Obligation Oishi: The Keeper of Commitments. Obligation Oishi is the fourth samurai, tasked with maintaining the village’s obligations catalog, and is a close partner of Regulatory Ronin. With meticulous attention to detail, Obligation Oishi oversees the full lifecycle of regulatory change management, from the creation to the governance of policies. Using AI, this samurai manages internal policies and controls with the same rigor applied to external regulations, ensuring that all organizational commitments are documented and managed. Obligation Oishi’s dedication ensures that the organization has a comprehensive, up-to-date record of all obligations, providing the single source of truth that is essential for effective compliance management.
  5. Control Katana: The Master of Alignment. Next is Control Katana, whose blade slices through confusion to align controls with business objectives, regulatory requirements, and risks. Using AI-powered gap analysis, Control Katana compares internal policies against external regulations, standards, frameworks, and benchmarks to optimize control coverage and common or best practices. This samurai ensures that the organization’s controls are not only effective but also consistently governed and accountable. Control Katana’s mastery allows for the elimination of redundant controls and the streamlining of processes, creating a lean, efficient, and resilient system. This samurai’s vigilance ensures that every control is precisely where it needs to be, performing at its best.
  6. Automation Ashigaru: The Worker of Efficiency. The sixth samurai, Automation Ashigaru, is the tireless worker who automates repetitive tasks, freeing up the villagers to focus on more value-added activities. This samurai’s AI-driven capabilities streamline risk, compliance, control, and audit processes, conduct regular risk and control assessments, and quickly identify and resolve gaps. Automation Ashigaru’s relentless efficiency saves time and resources, making the village’s operations more effective and agile. This samurai’s contributions allow the organization to do more with less, enhancing overall productivity and effectiveness.
  7. Innovation Itō: The Pioneer of Progress. Last but not least, Innovation Itō is the visionary samurai who pushes the boundaries of what is possible. Using advanced AI techniques, this samurai explores new areas such as predictive analytics and artificial intelligence, continually enhancing the organization’s GRC capabilities. Innovation Itō’s insights and innovations drive continuous improvement, ensuring that the village is always ahead of the curve. Innovation Itō’s forward-thinking approach keeps the organization at the forefront of GRC best practices, enabling it to adapt and thrive in an ever-changing landscape.

The Battle: Defending Against the Bandits of Organization Objectives

Just as the seven samurai banded together to defend the village from bandits, the Seven AI Samurai of GRC work in unison to protect the organization from the myriad threats it faces in reliably achieving objectives, addressing uncertainty, and acting with integrity. Each samurai brings their unique skills to the table, creating a comprehensive defensive and offensive system that is greater than the sum of its parts.

  • Phase 1: Establishing Context. The first step is understanding the organization, its culture, its objectives, and its internal and external environments. This allows the seven AI samurai of GRC to have the context for the rest of the defensive and offensive measures.
  • Phase 2: Identifying Threats to Objectives. Next, Risk Ronin and Visibility Vassal take charge of identifying and assessing threats to the organization’s objectives. Risk Ronin uses his strategic insights to develop risk scenarios, while Visibility Vassal provides a clear view of all risk, compliance, and control activities in the context of objectives, ensuring that nothing slips through the cracks.
  • Phase 3: Establishing Defenses. The third step in defending the organization’s village is establishing robust defenses. Regulatory Ronin sets up a perimeter by continuously monitoring regulatory changes. Obligation Oishi documents all commitments, creating a strong foundation for compliance, while Control Katana aligns controls with business requirements to ensure that every entry point is fortified for resilience.
  • Phase 4: Automating Responses. With threats and defenses identified, Automation Ashigaru steps in to automate responses, streamlining processes and ensuring that the village can respond quickly and effectively to any situation. These efforts free up resources, allowing the organization’s villagers to focus on more critical tasks.
  • Phase 5: Innovating for the Future. Finally, Innovation Itō pushes the boundaries, exploring new AI technologies and methodologies to keep the village ahead of the game. These innovations ensure that the village is not only protected but also continually improving and adapting to new challenges.

Through the combined efforts of the Seven AI Samurai, the organization village is secure and resilient. Regulatory changes are monitored and addressed in real time, controls are aligned and optimized, obligations are meticulously documented, risks are accurately assessed and managed in the context of objectives, and processes are automated and efficient. With continuous innovation driving improvement, the organization is well-equipped to face any challenge that comes its way.

In the world of GRC, just as in Seven Samurai, success depends on the right combination of skills and strategies. The Seven AI Samurai of GRC offer a powerful analogy for how AI can be harnessed to automate and enhance governance, risk management, and compliance. By leveraging the unique strengths of each samurai, organizations can build a robust defense system that achieves business objectives, mitigates risks and uncertainty, ensures compliance, and drives continuous improvement while maintaining integrity.

So, as you navigate the complex landscape of GRC, remember the Seven AI Samurai. They are your protectors, your strategists, your workers, and your innovators who extend your current subject matter expertise – ensuring that your organizational village remains secure, resilient, and agile, ever-ready to face the future.

BTW – I will be interacting with Anthony Stevens, author of “AI and the Future of GRC,” on the AI and the Future of GRC webinar on August 2 @ 10:00 am – 5:00 pm Chicago/CDT.

6 Ways to Create a Repeatable, Scalable Compliance Program

Compliance programs are critical in ensuring organizations adhere to established regulations, laws, and ethical standards, fostering trust with stakeholders, employees, business partners, and the public. A repeatable and scalable compliance program ensures consistency and efficiency in managing compliance risks across various operational scales and ensures compliance in the context of regulatory/obligation and business change. Organizations across industries and sizes must create a compliance program that meets the legal requisites and is repeatable and scalable in a dynamic, distributed, and ever-changing business environment.

What’s Required to Establish a Successful Compliance Program?

Creating a scalable and repeatable compliance program requires . . .

[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Where Policy Management Fails

After exploring Where Third-Party Risk Management Fails and Where Risk Management Fails, I now turn my attention to my biggest soapbox, Where Policy Management Fails . . .

First, it is essential to understand that policies are critically important to governance, risk management, and compliance. Through policies, the organization has reliable processes, transactions, and behavior so that it can reliably achieve objectives [governance]. Policies are risk documents: the very fact that a policy exists means there is uncertainty/risk that needs to be governed and controlled [risk management]. Through policies, and adherence to them, the organization maintains integrity to its values, ethics, conduct, ESG commitments, regulatory commitments, and contractual commitments [compliance].

HOWEVER, policies also set a legal duty of care and liability on the organization. A policy that is not followed can be used against the organization in a civil, criminal, and/or regulatory matter. What is shocking is how badly policies are managed in the organization given their critical nature to enable the organization to reliably achieve objectives, address uncertainty, and act with integrity. 

I teach Policy Management by Design workshops around the world and have a variety of research papers on policy management. I have also partnered with OCEG in developing PolicyManagementPro.com and the Certified Policy Management Professional certification. Here is where I see policy management fails in many organizations . . .

  • Not knowing what policies the organization has. Policies are often scattered across departments, and many organizations do not even know what policies are out there. I was keynoting at a conference and asked the few hundred people in the room who had a master list of all their official policies; only two people raised their hands.
  • Policies scattered on different portals. Too often the organization does not have a singular portal for policies. One insurance company came to me moving into pandemic lockdowns in March of 2020 in a panic as they discovered they had 27 different policy portals from policy file shares to SharePoint sites, to commercial software. It was a maze of confusion and there was no singular point for employees to access policies.
  • Different writing styles and processes. Organizations often do not have a consistent template and writing style for policies, nor a standard process to write and approve policies. Basically, they have neither a Policy on Writing Policies (also called a Metapolicy) nor a style guide on how to write policies with consistent grammar, use of active voice, punctuation, formatting, and an agreed approach to gender-neutral language.
  • No standard template for a policy. Yes, I brought this out in the previous point, but it deserves to be mentioned again. Anyone should be able to recognize a policy by the template/formatting of the document (digitally or in print). It should be easily recognizable as an official policy.
  • Not addressing rogue policies. This is a HUGE issue. Too often managers across the organization are opening word processors and writing documents and calling them policies. They communicate this to employees, customers, and partners. Policies, as stated, establish a legal duty of care. If a manager is writing a document and calling it a policy, it exposes the organization to legal liability if it is not followed. 
  • Out of date policies. Organizations struggle with the number of policies that exist indefinitely and are not updated, lack an owner, and are no longer needed . . . or desperately need revision. 
  • Not keeping up with legal, regulatory, and business change. A variety of legal, regulatory, risk, and even business changes impact policies. One bank had a policy that was being revised because of a regulatory change; it went through 75 reviewers in a linear fashion of document check-in and check-out and took six months to get updated. In an industry that sees 257 regulatory change events every day, that is neither agile nor keeping pace. Another organization, this one in healthcare, discovered it had 21,000 policy and procedure documents because of decades of consolidation and acquisition of hospitals.
  • Not keeping up with employee change. Employees come into the organization, they change roles and departments, they leave the organization. Organizations need to ensure that employees are aware of the policies that apply to their role as they move to different functions and roles, particularly high-risk areas. 
  • Lack of audit trail and system of record. This is another HUGE issue. The legal and regulatory environment demands that the organization have a clear, defensible history of which policies were communicated to employees, whether they understood them, whether they were trained, and how they were reminded. Look at the latest U.S. Department of Justice Evaluation of Corporate Compliance Programs, which focuses on the audit trail and system of record of the policy portal and employee interactions. A defensible audit trail on policies and awareness gets the organization out of hot water; ask Morgan Stanley, which in 2012 received a DOJ declination in an FCPA matter in large part because it could document the policy training, reminders, and attestations it had delivered to the employee who violated those policies.
  • Outdated policy portals and training. Every month I am getting inquiries from organizations looking for that next-generation policy portal that brings policies and training together in one portal. Think about it: employees go to Facebook and can watch a YouTube video inside Facebook. They do not have to click a link, go out to YouTube, and come back to Facebook to comment on it. The same thing NEEDS to happen with the policy portal, bringing policies and the training on those policies into one portal. Millennials and Gen Z expect this. Mobile access to policies and training is also critical.

As you can see, this is a soapbox of mine. I am passionate about policies and policy management. They are critical to the organization. Without policies, and policies that are adhered to and enforced, the organization’s behavior is like leaves blowing in the wind. Can you imagine an organization with no policies? What a mess of transactions and behavior. I am literally scratching the surface on all the areas of where policy management fails today. 

Organizations need to address the back-office of policy management, and the front-office of policy engagement . . .

  • Back-office policy management. This is the enterprise-wide, consistent process to write, approve, monitor, enforce, manage, maintain, and audit policies in the organization. The key here is collaborative authoring and cooperation across departments, supported by strong technology in this space, to ensure that nothing slips through the cracks and that every policy adheres to the Policy on Writing Policies.
  • Front-office policy engagement. This is the portal, training, awareness, and engagement of employees (and third parties) on policies. There should be a single portal for all the official policies of the organization. Employees should receive regular reminders and be properly aware of, and trained on, the policies that affect their role/function in the organization.

There are a variety of solutions for policy management in the market. Some focus on certain departments (e.g., EH&S, information security, privacy, HR), others focus on specific industries (e.g., healthcare, banking), and others are broad. Some solutions focus on back-office policy management, others excel in front-office policy engagement. Few do both well. 

Ask GRC 20/20 about our market research and coverage of policy management best practices, the range of solutions in the market, what differentiates them, and which fits your particular need . . .

Also, register for one of these upcoming webinars on Effective Policy Management . . .

3 GRC Priorities for Your Organization in 2022

The past two years have been a trial for organizations as they have been required to respond to the complications, risks, and intricacies of the pandemic and its impact on business strategy, operations, and objectives.

The focus has been on resiliency with the ability to recover quickly to changing risk conditions to keep the organization moving forward.

GRC, by definition, is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance) (source: OCEG GRC Capability Model).

The organization must be constantly aware of objectives and their achievement. Those objectives can be at the entity level or down into the division, department, process, project, relationship, or asset level. In this context, the organization needs insight into the risk and uncertainty in achieving those objectives and ensure that the organization acts with integrity in their achievement in a distributed, dynamic, and disrupted business environment.

As we head into 2022, this focus on . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Tale of Two Futures: Blade Runner or Star Trek?

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way – in short, the period was so far like the present period, that some of its noisiest authorities insisted on its being received, for good or for evil, in the superlative degree of comparison only.

Charles Dickens, A Tale of Two Cities (1859)

I love good literature and Charles Dickens is a favorite, particularly in the Christmas season. However, my thoughts right now are not on A Christmas Carol but on the haunting intro to A Tale of Two Cities. Charles Dickens’s evocative words come to mind as I think about enterprise risk management programs in organizations. We are at a nexus of paths right now that can lead to two very different outcomes for the future of the world, our organizations, and our personal lives.

My question for you: are we focused on the right risks?

The truth is that we are at a critical point in history, a point that can lead to two very different outcomes. In our age of technological advancement and knowledge, will this be defined as the ‘age of wisdom?’ Or will it be seen as the ‘age of foolishness?’ The decisions we make, and that our organizations make, will lead us to a ‘season of light’ or a ‘season of darkness,’ either a ‘spring of hope’ or a ‘winter of despair.’

In my keynotes and presentations, I ask the question: what is our future? 

Are we, as a global society that our organizations are part of, headed toward a Blade Runner future or a Star Trek future? In Blade Runner, you have a dark dystopia of social, ethical, and environmental disasters. In Star Trek, you see a green and prospering world where the environment and society thrive, and there is great social diversity and cooperation across galactic races.

My issue is that many of the enterprise risk management and GRC programs I interact with are limited in scope. If you look at these programs you would think that IT/information risk (e.g., cyber risk, digital risk) is the greatest concern. These are significant concerns; I am not trying to deny that. I cut my teeth in risk management in the 90s in information security. My point of view is that IT/information risk is a great concern, but environmental risks are a GRAVE concern. And I mean that term literally. Yet environmental risk seems to be missing from the organization’s enterprise risk, operational risk, integrated risk, and GRC agendas.

Look at the World Economic Forum’s Global Risks Landscape 2019. The most significant risks, and there are many, are environmental in focus. Where is this on the organization’s risk management agenda? Fortunately, we are seeing some changes here. I applaud the United Kingdom’s FCA/PRA, which now requires banks and insurance companies, under the Senior Managers and Certification Regime (UK SM&CR), to have a senior management function defined and accountable for managing the firm’s risk from climate change.

It is disappointing that the leading analyst firms, Gartner and Forrester, do not cover environmental, health and safety risks in their IRM and GRC research. They are ostriches with their heads in the sand. Both firms talk about environmental risk and climate change in other parts of their organizations, but it does not appear to be on the radar of their core IRM and GRC research. Reading the IRM and GRC reports from these analysts would lead one to think that environmental risk and climate change are not even on the radar and that all we need to focus on is IT/information risk. Verdantix, by contrast, covers a completely different set of solutions in its Green Quadrant on Operational Risk, with only two that also appear in the Forrester reports and one in the Gartner report. Fortunately, with OCEG and the GRC Capability Model, we have taken a true enterprise view of risk that includes environmental, health and safety, quality, and other risks that Gartner and Forrester do not treat as part of their IRM and GRC research. How can a research organization in 2020 have a risk management strategy that does not include these areas? How can organizations themselves not cover environmental risk in their enterprise and operational risk management programs?

CALL TO ACTION: it is time that our GRC/ERM programs include and integrate with ESG (environmental, social, governance), EHS (environmental, health and safety), CSR (corporate social responsibility), and sustainability initiatives. 

The reality is that organizations do need a true enterprise view of risk, and this view must include environmental risk and climate change impact on the business as well as health and safety risks. IT/information risk is critical, but it is time to ensure that environmental risk is on the radar as well in enterprise risk management programs. If we do not address this now our future will be Blade Runner and not Star Trek as we head to a ‘winter of despair’ and not a ‘spring of hope.’