Posted on 3 Comments

Tale of Two Futures: Blade Runner or Star Trek?

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way – in short, the period was so far like the present period, that some of its noisiest authorities insisted on its being received, for good or for evil, in the superlative degree of comparison only.

Charles Dickens, A Tale of Two Cities (1859)

I love good literature and Charles Dickens is a favorite, particularly in the Christmas season. However, my thoughts right now are not on A Christmas Carol but on the haunting intro to A Tale of Two Cities. Charles Dickens’s evocative words come to mind as I think about enterprise risk management programs in organizations. We are at a nexus of paths right now that can lead to two very different outcomes for the future of the world, our organizations, and our personal lives.

My question for you: are we focused on the right risks?

The truth is that we are at a critical point in history, a point that can lead to two very different outcomes. In our age of technology advancement and knowledge will this be defined as the ‘age of wisdom?’ Or will it be seen as the ‘age of foolishness?’ The decisions we make and our organization’s make will lead us to a ‘season of light’ or a ‘season of darkness,’ either a ‘spring of hope’ or a winter of despair.’

In my keynotes and presentations, I ask the question: what is our future? 

Are we, as a global society that our organizations are part of, headed toward a Blade Runner future or a Star Trek future? In Blade Runner, you have a dark dystopia of social, ethical, and environmental disasters. In Star Trek, you see a green and prospering world where the environment and society thrive, and there is great social diversity and cooperation across galactic races.

My issue is that many of the enterprise risk management and GRC programs I interact with are limited in scope. If you look at these programs you would think that IT/information risk (e.g, cyber risk, digital risk) are the greatest concern. These are significant concerns, I am not trying to deny that. I cut my teeth in risk management in the 90’s in information security. My point of view is that IT/information risk is a great concern, but environmental risks are a GRAVE concern. And I mean that term literally. But environmental risk seems to be missing from the agenda of the organization’s enterprise risk, operational risk, integrated risk, and GRC agendas.

Look at the World Economic Forum’s Global Risks Landscape 2019. The most significant risks, and there are many, are environmental in focus. Where is this on the organization’s risk management agenda? Fortunately, we are seeing some changes here. I applaud the United Kingdom’s FCA/PRA that is now requiring banks and insurance companies, under the Senior Manager’s Regime/Certification Regime (UK SMCR), to have a senior management function defined and accountable to manage the firm’s risk from climate change.

It is disappointing that the leading analyst firms, Gartner and Forrester, do not cover environmental, health and safety risks in their IRM and GRC research. They are ostriches with their heads in the sand. Both of these firms talk about environmental risk and climate change in other parts of their organization, but it does not appear to be on the radar of their core research in IRM and GRC. Reading IRM and GRC reports from these analysts would leave one to think that environmental risk and climate change are not even on the radar and what we only need to focus on is IT/information risk. While Verdantix, in their Green Quadrant on Operational Risk, has a completely different set of solutions, with only two that appear on the Forrester reports and one on the Gartner report. Fortunately, with OCEG and GRC Capability Model, we have taken a true enterprise view of risk that includes environmental, health and safety, quality, and other risks that Gartner and Forrester do not see as part of their IRM and GRC research. How can a research organization in 2020 have a risk management strategy that does not include these areas? How can organizations themselves not be covering environmental risk in their enterprise and operational risk management programs?

CALL TO ACTION: it is time that our GRC/ERM programs include and integrate with ESG (environmental, social, governance), EHS (environmental, health and safety), CSR (corporate social responsibility), and sustainability initiatives. 

The reality is that organizations do need a true enterprise view of risk, and this view must include environmental risk and climate change impact on the business as well as health and safety risks. IT/information risk is critical, but it is time to ensure that environmental risk is on the radar as well in enterprise risk management programs. If we do not address this now our future will be Blade Runner and not Star Trek as we head to a ‘winter of despair’ and not a ‘spring of hope.’

Posted on Leave a comment

Have You Hugged Your CECO/CCO Today?

Today is the official National Compliance Officer today! This is a very challenging role in organizations and one that is in the midst of a lot of change. Below is a link to my SWOT Analysis of the CECO role on this topic. I am presenting on this next week at Converge19 as well.

Here is a link with Tom Fox on his podcast discussing my upcoming presentation on the SWOT Analysis of the CECO

Posted on Leave a comment

Understanding Third Party GRC Maturity: Defined Stage

A haphazard department and document centric approach for third party GRC compounds the problem and does not solve it. It is time for organizations to step back and mature their third party GRC approaches with a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to mature their third party governance with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance, as well as how it impacts the organization.

GRC 20/20 has developed the Third Party GRC Maturity Model to articulate maturity in the Third Party GRC processes and provide organizations with a roadmap to support acceleration through their maturity journey.

There are five stages to the model:

  1. Ad Hoc
  2. Fragmented
  3. Defined
  4. Integrated
  5. Agile

Today we look at Stage 3, the Defined level of Third Party GRC

The Defined stage suggests that the organization has some areas of third-party GRC that are managed well at a department level, but it lacks . . .

[this is a guest blog authored by Michael Rasmussen of GRC 20/20 that can be found at Aravo site, follow the link below to read more]

Posted on Leave a comment

The Rhythm of Risk: Managing Risk Throughout the Context of Business

Writing about risk management is like trying to have an intelligent conversation today about religion or politics.

Individuals in the risk management community have polarized views and if someone does not agree with you 100% you end up in the crosshairs of an attack. It is sad. Instead of intelligent discussion where we can come together and learn, there are many ready to pounce if you do not express their exact ideology. Some view risk management as purely top-down from objectives and strategy, others are risk professionals down in the bowels of the organization looking bottom-up. Some feel that risk registers, risk appetite, and other aspects of traditional risk management are meaningless, others see this as the core part of how they have managed risk. Some hate heat maps and qualitative approaches, others live by them. Some, I feel, are simply trying to relabel corporate performance management to be risk management, instead of seeing that risk management is a part of performance management.

While I feel there is objective truth when it comes to matters of religion/theology . . . what if that was not the case for risk management?

  • What if the best approach to risk management brought together the top-down and the bottom-up?
  • Used both quantitative and qualitative methods?
  • Leverages risk registers but does not get locked into thinking only in their context?
  • Knew the weaknesses of a heatmap and how to overcome them while still using them as a visualization tool?

My view of risk management is that all sides of the debate have something valid to bring to the table. To truly do enterprise risk management requires a 360° contextual awareness of risk in the context of performance, objectives, and strategy as well as day to day operations and hazards of the business. Organizations need both a top-down view of risk management in the context of strategy and objectives as well as a bottom-up view of risk down in the weeds of operations and hazards. Good risk management requires both.

My favorite approach to risk management I have encountered in my research was with Microsoft when Brad Jewett was the ERM Director there from 2003 to 2008 (I cannot speak to Microsoft today as I have not interacted with them recently, Brad is now the CFO of Corel Corporation). I have served with Brad as an OCEG Fellow over the years and have a deep respect for him as a risk management professional. Brad defined his approach to risk management at Micorosft as ‘The Rhythm of Risk.’ This he defined by his desire to integrate risk management into daily decision making that would follow the corporate calendar for key processes such as multi-year strategic planning, annual planning, mergers and acquisitions, audit planning, SEC reporting, investor communications, product and service roadmaps, etc. It an aspirational agenda but it set the tone and expectation that risk management was a priority that should Influence and be integrated into the way things get done every day. This included the strategic as well as the operational. The top-down as well as the bottom-up

To maintain the integrity of the organization and execute on strategy, the organization has to be able to see the individual risk (the tree), as well as the interconnectedness of risk to strategy and objecrtives (the forest). Many organizations are asking for this to go even deeper, as they need to see the leaf and branch as it connects to the tree, and how it is part of the forest.

Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential, and sometimes chaotic, relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system the effect is proportional with cause, in the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business, the result is often exponential to unpredictable.

Mature risk management enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both top-down view of risk to objectives as well as a bottom-up view of risk within operations and processes. It can integrate internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling.

Successful risk management requires the organization to provide an integrated process and information architecture. This helps to identify, analyze, manage, and monitor risk, and capture changes in the organization’s risk profile from internal and external events as they occur. Mature risk-management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board that is not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk down in the depth of the business.

Organizations striving to increase risk management maturity in their organization need to be:

  • Aware. They need to have a finger on the pulse of the business and watch for changes in the internal and external environments that introduce risk. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
  • Aligned. They need to align performance and risk management to support and inform business objectives. This requires continuously aligning objectives and operations of risk management to the objectives and operations of the entity, and to give strategic consideration to information from the risk management capability to affect appropriate change.
  • Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to what an organization needs to know to make the right decisions. This requires that the organization have a bottoms-up view of risk as well as the top-down.
  • Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Mature risk management enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
  • Resilient. The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They desire to have sufficient tolerances to allow for some missteps and have the confidence necessary to rapidly adapt and respond to opportunities.
  • Efficient. They want to build business muscle and trim fat to rid expense from unnecessary duplication, redundancy, and misallocation of resources; to make the organization leaner overall with enhanced capability and related decisions about the application of resources.

My point is simple, there are many perspectives on risk management that brought together properly and in balance can really build an effective and mature risk management program. While there are issues with qualitative methods, heat maps, and risk registers, that does not mean they are useless. They need to be effectively used and their issues and weaknesses understood. The same goes for a complete top-down view of risk management that only focuses on objectives and misses the hazards and issues that lie in the depths of the weeds of the organization that can cause significant harm. The best world is one that brings the strengths of all of these together and avoided throwing the baby out with the bathwater.

I will be presenting my views on how risk management technology enables and mature risk management capabilities in the webinar tomorrow:

I will be presenting my views on how organizations can mature their risk management capability in the webinar this Wednesday:

GRC 20/20 also has the upcoming Risk Management by Design Workshops:

GRC 20/20 has also just updated it’s flagship research paper on this topic:

Posted on Leave a comment

Michael Rasmussen on GRC value & creating your GRC RFP template

What do you need to include in a GRC RFP? We asked one of the experts in this interview.

Enterprise governance, risk, and compliance (GRC) strategies can help organizations across the board become more efficient and agile in navigating the ever-changing regulatory and risk environment. However, in order to maximize efficiency, effectiveness, and agility, organizations need to approach GRC with a collaborative, inter-departmental strategy.To make GRC software implementation as strong as possible, organizations should have a clear business case, strategy with defined goals, and detailed system requirements.

We sat down with Michael Rasmussen of GRC 20/20 to talk about the components of a successful GRC business case and strategy, how to understand the range of GRC capabilities, how to navigate selecting a solution, and what to include in a GRC RFP. Here are some of his responses.

The value of GRC

Eric Goldberg: How do we go about articulating the value, or the ROI, of a GRC strategy?

Michael Rasmussen: It starts with finding . . .

[This is an interview done with Galvanize, the rest of this post can be found through the button link below]

Posted on 1 Comment

Step 2: Conditioning is Critical, Make Sure Your Team and Systems are Ready for 3rd Party GRC

This is the 2nd blog in a 5-part series on developing a strategic plan for Third Party Governance/Management in your organization.

With an understanding of where you are at and where you want to go with 3rd Party Governance, the next step is to make sure your team and systems are ready for the journey. The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to 3rd Party Governance, Risk Management, and Compliance (3rd Party GRC): 

“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”[1]

Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts.  Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem.  This is true in 3rd Party GRC. What further complicates this is the exponential effect of 3rd party risk on the organization.  Business operates in a world of chaos.  Applying chaos theory to business is like the ‘butterfly effect’ in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leaves the organization with fragments of truth that fail to see the big picture of 3rd party performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives.

The organization needs to have holistic visibility and situational awareness into 3rd party relationships across the enterprise. Complexity of business and intricacy and interconnectedness of third party data requires that the organization implement a third party management strategy. 

The primary directive of a mature 3rd Party GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of 3rd party relationships in context of performance, risk, and compliance. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of third parties across the extended enterprise.

Organizations need to ensure that the various departments and roles involved in governing 3rd party relationships are on board and willing to work together in a cohesive strategy. The goal is to provide the greatest balance in collaborative 3rd party governance and oversight to allow for some department/business function autonomy where needed, but focuses on a common governance model and alignment that the various groups in 3rd party governance utilize. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across 3rd party relationships, as it allows different business functions to be focused on their areas while reporting into a common governance framework and architecture. Different functions participate in third party management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.

The goal is to have centralized 3rd party governance oversight to create consistent and aligned strategy with a common 3rd party governance process, information and technology architecture. Organizations with this collaborative approach report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on third party performance, risk and compliance, and greater effectiveness through the ability to report and analyze 3rd party risk and compliance data. The goal should not only to manage risk and compliance, but to integrate 3rd party governance in the context of performance, objectives, and strategy in relationships.

To achieve the full benefits from an 3rd party GRC strategy, GRC 20/20 recommends the following next steps:

  • Gain executive support and sponsorship of the third party governance strategy.The organization needs to work in harmony on third party governance. Different groups doing their own thing handicap the business. Executive support is critical to align the organization.
  • Develop harmonized systems and processes. Key to success is identification of shared processes and information for 3rd party GRC across the enterprise. This includes identifying technology and information solutions to support integrated information and process architecture.

This team needs to be aligned to share a common vision to move to an integrated approach to 3rd party GRC across the business that includes an understanding of risk and compliance in context of performance and objectives in third party relationships.

[1]Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.

Supporting 3rd Party GRC Research . . .

GRC 20/20 has defined this in our key research paper (currently being revised):

GRC 20/20 is also presenting on how to build a business case for and evaluate the range of 3rd Party GRC solutions in the market:

GRC 20/20 is also facilitating several upcoming workshops on this topic as well:

Other Case Studies, Strategy Perspectives, and Solution Perspectives on Third Party GRC can be found here.

Posted on Leave a comment

UK SMCR: A Paradigm Shift to GRC Accountability

The UK Senior Manager’s Regime and Certification Regime (UK SMCR) is a paradigm shift in regulation and accountability. In one context, I have used the analogy that it is the “One Ring” in Tolkien’s Lord of the Rings. Instead of a ring, it is the:

One [REGULATION] to rule them all, One [REGULATION] to find them [RISK, COMPLIANCE, CONTROL], One [REGULATION] to bring them all, and in the [ENFORCEMENT] bind them.

UK SMCR is a significant challenge for financial services firms. This year, the Financial Conduct Authority (FCA) is applying the regulation to all firms governed by the FCA: over 58,000 organizations. This is the governing regulation of all regulation and risk as it enforces senior manager/executive accountability for all aspects of risk and compliance. It puts personal accountability on senior directors and executives if there is negligence or lack of due diligence in managing risk, conduct, compliance, and controls. These senior managers could go to jail or be personally fined (and their organization cannot reimburse them). It is the UK SMCR regulation that sees that other risk and compliance is properly managed across the organization. For example, Barclay’s CEO was recently fined £640,000personally under UK SMR/CR.

This is a significant shift from responsibility to accountability. The difference may seem subtle, but it is real. Accountability means . . .

[The rest of this blog is continued as a guest blog by GRC 20/20 on the SureCloud site]

Posted on Leave a comment

Chief Ethics & Compliance Officer: SWOT Analysis

Last week a Global CECO (manufacturing company operating in more than 60 countries with over 17,000 employees) reached out to me on a research piece I had published back in 2012 (a report I wrote for OCEG). It was a SWOT Analysis of the CECO role. This CECO asked me if I had updated this as it had provided him insight into his career and direction six years back and curious how my research and thoughts on this have changed since then. Before we get into the my current SWOT analysis on the CECO role, it is important to understand a few things happening that is shifting the role of compliance in organizations . . .

  • Compliance the Bastion of Organization Integrity. For the past fifteen years I have stated that if we could rebrand the CECO role I would advocate it to be the Chief Integrity Officer, but we already have a CIO so that most likely will not work. Integrity is the purpose and focus of compliance and ethics. This is becoming more and more apparent as the years move on and the compliance and ethics role evolves.
  • Compliance is Dealing with Lots of Change. The greatest challenge for the compliance and ethics function is keeping up with change, and then keeping all that change in sync. There is a barrage of regulatory, risk, and business change happening. Global financial services firms are dealing with 216 regulatory change events every business day (source: Thomson Reuters). Other industries are seeing a similar onslaught of evolving legislation, regulation, litigation, and enforcement actions. But the business is changing just as rapidly through shifts in strategy, employees, technology, mergers/acquisitions, and more. The challenge is keeping all that change in sync. Being intelligent about the law or regulation does not make you compliant if compliance is not operational in context of an evolving and dynamic organization.
  • Compliance Becoming an Independent Function in the Organization. There has been increased pressure for the compliance and ethics function to report outside of legal. This comes from a string of consent decrees, deferred prosecution agreements, non-prosecution agreements, corporate integrity agreements, and changes to the US Sentencing Commission Organizational Sentencing Guidelines. Compliance has the duty to discover and fix, while legal generally has the duty to deny and protect. This can be at odds with each other and a conflict. So in the slight majority of organizations we now see that the operational aspects of compliance now reports outside of legal. As a result, compliance functions are getting their own budgets and looking for improvements in compliance/ethics strategy, process, and technology to support their initiatives.
  • Compliance Accountability (more than Responsibility). Regulations like the United Kingdom’s Senior Manager’s Regime/Certification Regime (which has had a cascading impact on other jurisdictions such as Australia, Singapore, Hong Kong, Japan, Ireland) is focused on putting senior managers and executives personally accountable for compliance failures as a result of negligence or lack of due diligence. Last year, Barclay’s CEO was fined over £640,000 (nearly $900,000) under UK SMR/CR in context of a whistle blower issue. He personally had to pay this and the bank cannot reimburse them. I have likened UK SMR/CR to the one regulation to rule them all, one regulation to find them, one regulation to bring them all and in the enforcement bind them (for all of you Tolkien fans). It is the regulation of all regulations that puts personal accountability and exposure on senior managers and executives.
  • Compliance Roles Gaining Risk Management Skills. Another paradigm shift I have been monitoring for the past twelve+ years is the dichotomic differences in compliance between the USA and much of the rest of the world. In the USA you have a very prescriptive, check-box mentality to compliance. Organizations want their checklist and if they check the checkboxes they want their get out of jail free card. This is in contrast to what we see in the UK, across Europe, and much of the rest of the world which takes a principle, or outcome-based, approach to compliance. In this approach organizations are not given a checklist, but what the expected outcomes or principles are. The way one organization achieves compliance is different from the way another organization might choose to get there. The focus is on the end results. This is requiring that compliance executives have a stronger background in risk management as they have to understand the compliance risk and choose the best approach to mitigate the risk for their particular organizations situation. As regulations are written with a cross-jurisdictional impact, like GDPR, this means that principle/outcome-based approaches are making a global impact requiring compliance executives to build strong risk management skillsets.
  • Compliance as a Federated Function. There are lots of departments of compliance – corporate compliance, HR compliance, IT compliance, quality compliance, environmental compliance, health & safety compliance. The CECO role is becoming a facilitator and leader of compliance across these departments in a federated and collaborative capacity.

SWOT Analysis of the Chief Ethics & Compliance Officer Role

SWOT Analysis is a powerful technique for identifying strengths and weaknesses, and for examining the opportunities and threats a CECO faces in managing and maintaining organization integrity and driving toward a strategy of Principled Performance®.  A SWOT analysis can help a CECO develop his or her career in a way that takes best advantage of one’s talents, abilities, and opportunities. What makes SWOT particularly powerful is that with a little thought, it can help uncover opportunities an executive can take advantage of. By understanding one’s weaknesses, an executive can manage and eliminate threats that could otherwise catch them unaware. More than this, using the SWOT framework, the CECO can start to distinguish him or herself from peers, and move quickly to develop the specialized talents and abilities needed to accelerate one’s career.

Approaching a SWOT analysis on a role/function like the CECO can be divided into:

  • Internal Qualities
    • Strengths: Your personal professional capabilities 
    • Weaknesses: Your personal professional challenges
  • External Dynamics
    • Opportunities: Organizational prospects to leverage and advance your career 
    • Threats: Organizational challenges to overcome and advance your career

Strengths: Professional Capabilities

  • Enabler & leader, that strives to enable the organization to reliably achieve objectives while addressing uncertainty and act with integrity.
  • Evangelist & visionary, that provides leadership, direction and insight for creating and protecting organization integrity, ethics, and values as well as maintain compliance with laws, regulations, policies, and procedures.
  • Energetic & engaging, with good communication skills that builds interest in better approaches to compliance management, ethics, and values throughout the organization.
  • Agile & versatile, that brings broad experience in compliance, ethics, regulatory issues, and corporate values and how they impact other business disciplines and roles.
  • Dedicated & driven, a passionate goal-oriented problem-solver that moves the enterprise forward through strong execution of finding and fixing compliance and ethical problems while enabling the business to execute on strategy in a principled manner.
  • Collaborator & facilitator, of compliance and ethics across a range of compliance functions scattered across the business and operations that acts as a partner with peers in the organization, adept at leveraging best practices and initiatives across operating units.

Weaknesses: Professional Challenges

  • Limited technical acumen, most compliance roles have grown out of legal that has often been more comfortable with documents and paper with limited understanding of how technology can make compliance more efficient, effective, and agile. When compliance executives are approached with technology they tend to find a solution to a specific problem as opposed to thinking big picture on how an integrated compliance technology architecture can provide greater contextual insight into compliance.
  • Manual processes and myopic technology, related to the limited technical acumen, this overwhelms the compliance officer and function with documents and manual processes that takes time to reconcile and report. For example, one organization was spending 200 FTE hours building a compliance report that now takes them 1 minute.
  • Project management skills are needed, compliance and ethics management has become a complex and intricate set of projects, tasks, and reports that requires compliance management to have an integrated view into compliance deadlines, resources, reports, and activities. This means that the CECO needs to have strong project management capabilities.
  • Federated facilitation experience, while the CECO role is the figure head of compliance, this role often has a limited view into the expanse of compliance across departments. The CECO role needs to be the chief herder of the compliance cats to get various fragments of compliance scattered in business operations to work together collaboratively.
  • Moving beyond checklists, the compliance function has a tendency to focus on corporate compliance checklists to find and resolve compliance issues, and now is being challenged to understand compliance risk and take on ethics, values, social responsibility, and become a champion for corporate culture.
  • Stigma of the corporate cop, the compliance role has historically been seen as a corporate cop rather than a strategic and operationally influential champion of organization integrity. This leads to a misperception of compliance being the department of NO instead of the principled enabler of ethical business.
  • Fire fighting and reactive approaches to compliance, where resources are consumed in investigations and putting out compliance fires which leaves little to no resources for proactive planning of compliance and ethics. The CECO is constantly behind in trying to keep a changing business compliant while reacting to ever-changing laws, regulations, and court and regulatory rulings.

Opportunities: Organization Prospects

  • Focus on integrity, in which the the compliance and ethics function continually assesses regulatory, ethical, and social responsibility trends to develop a full understanding of mandatory and voluntary obligations and requirements for compliance that align with the organizations values.
  • Federated Governance, Risk Management & Compliance (GRC) focus in which the CECO is part of an executive strategy to enable an organization “to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” This requires that the CECO be able to collaborate across the range of compliance areas that he or she has not typcially covered before to facillitate compliance across the organization.
  • Leverage an integrated information and technology architecture to manage the range of compliance projects, tasks, assessments, exams/audits, investigations, policies, and training. So the organization has 360° contextual intelligence on compliance. Where there is one common portal for policies and training for employees.
  • Enable the organization to be a Principled Performer to pursue competitive advantages with superior GRC capability aligned with compliance and ethics that is kept current and managed in a dynamic business, risk, and regulatory environment.
  • Improve compliance reporting to senior management and the board by integrating compliance metrics, information into existing reporting processes and forms to assist in their fiduciary obligations of oversight of compliance.
  • Build superior shareholder relations and broader stakeholder communications around ethics, values, and compliance activities.

Threats: Organization Challenges

  • Third party risk and compliance in which vendors, suppliers, outsourcers, and such expose the organization to issues of fraud, corruption, social responsibility, and compliance violations across these extended business relationships that result in reputational damage and substantial fines and penalties. Over half of insiders are not traditional employees but third parties which requires that a compliance program extend across third party relationships.
  • Keeping a changing organization in sync with changing compliance requirements, the volume of change impacting compliance is staggering. Being knowledgable at regulations and the law does not good if the organization is not operationally compliant. Keeping a dynamic business compliant with ever changing laws, regulations, and enforcement actions is a huge issue for most organizations.
  • Lack of competitive edge as competitors with more agile, effective, and efficient compliance programs outpace the organization in the market as it is encumbered with slow processes and reactive approaches. This stems from:
    • Failure to implement adequate compliance and ethics infrastructure and architecture to monitor, mitigate, and respond to compliance and conduct risk of unethical conduct.
    • Inadequate integrated GRC technology infrastructure, which reduces the quality and flow of information.
    • Siloed processes and systems causing delayed reporting and inconsistent quality and reliability of risk information.
    • Document centric approaches handicap compliance reporting and relative value to the rest of the organization.
  • Culture reinforcing compliance communication after an event or incident occurs, rather than proactively identifying potential problems before the occur.
Posted on Leave a comment

Leveraging Data Classification to Enable GDPR/CCDP Data Subject Requests

Regulatory requirements are driving organizations to clearly define processes to manage personal data requests from data subjects [1], which in turn requires clear data classification and disposition controls in the environment. Chief among these regulations is the EU Global Data Protection Regulation (GDPR) but following suit later this year is the California Consumer Privacy Act (CCPA).

A key component of these regulations, with some nuances between them, is to assure data subjects of the control, use, protection and privacy of their personal data. To do this, GDPR empowers data subjects with specific rights. These rights enable data subjects to make specific requests and be assured that their personal data is only used for approved purposes for which it was provided. They include the right to access and rectify data collected on the data subject, the right for erasure of personal data, and the right to object to the data subject’s information being used.

These data subject rights provide the foundation for GDPR and CCPA compliance and an organization, the . . .

[The rest of this blog is continued as a guest blog by GRC 20/20 on the InfoGoTo site]

Posted on Leave a comment

2019 GRC User Experience Award Nominations

GRC 20/20 is accepting nominations for the 2019 GRC User Experience Awards!

Governance, risk management and compliance (GRC) is a part of everyone’s job. Too often we shovel GRC into the bowels of the organization thinking it is the responsibility of the obscure and behind-the-scenes individuals in the back office of GRC in the organization. The user experience for GRC related solutions has been typically poor in most organizations, resulting in time-consuming and redundant processes.

The core of GRC related technologies is operationalizing GRC across the fabric of business. This involves employee engagement in GRC related solutions with systems that are simple, mobile and easy to use from the frontline of the business to the back-office operations of GRC.

GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. Organizations need to be:

  • Efficient:GRC engagement provides efficiency and savings in both human and financial capital. GRC should reduce operational costs by providing access to the right information at the right time for employees, and reduce the time spent searching for answers (or just giving up). GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
  • Effective:At the end of the day it is about effectiveness. How does the organization ensure risk and compliance is effectively understood, monitored and managed at all levels of the organization? That policies are not only read but understood, that employees are trained properly, that they know how to ask questions when in doubt, to report issues and how to be intelligent about risk in their specific context.
  • Agile:GRC engagement delivers business agility when organizations can respond rapidly to changes in the business environment (e.g., employees, business relationships, mergers and acquisitions, new laws and regulations) and communicate to employees GRC context to these changes. GRC engagement is measured in responsiveness to events and issues so organizations can identify and react quickly to incidents because they are reported in a timely manner.

Employee engagement in GRC requires GRC technologies to extend across the organization: Even to extended third party relationships such as vendor, suppliers, agents, contractors, outsourcers, services providers, consultants and temporary workers. To engage stakeholders at all levels of the organization requires GRC technologies are relevant, intuitive, easy to use and attractive. Employees live their personal and professional lives in a social-technology permeated world. GRC needs to engage employees and not frustrate or bore them. It has to be easy to use and interact with.

It has been stated that:

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.This quote has been attributed both to Einstein and E.F. Schumacher.

A primary directive of GRC related technologies is to provide GRC engagement that is simple yet gets the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The  goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.

The 2019 GRC User Experience Award nominations will be accepted through 31 January 2019 (no exceptions, nomination form closes down at midnight CDT on 31 January). Recipients will be determined by end of March, write-ups for each recipient (one per category) will be completed in April and May with announcements in June 2019. Each recipient of an award will be written up and acknowledged.

The seventeen categories for submission are:

  • Audit Management & Analytics User Experience
  • Automated / Continuous Control User Experience
  • Business Continuity Management User Experience
  • Compliance & Ethics Management User Experience
  • Enterprise GRC User Experience
  • Environmental, Health &; Safety User Experience
  • IT GRC/Information Security User Experience
  • Internal Control Management User Experience
  • Issue Reporting & Case Management User Experience
  • Know Your Customer User Experience
  • Legal Management User Experience
  • Physical Security Management User Experience
  • Policy & Training Management User Experience
  • Quality Management User Experience
  • Reputation & Responsibility User Experience
  • Risk Management Value User Experience
  • Strategy & Performance User Experience
  • Third Party Management User Experience

Please submit nominations before midnight on 31 January  2019.

2019 GRC User Experience Nomination Form

2019 GRC User Experience Nomination

  • GRC Solution Provider Organization Details

    The details requested in this section are for the organization overall and not specific to the solution.
  • Solution Provider Nomination Submitter Contact Details

    Please enter the contact information for the primary individual responsible for this nomination.
  • Nomination Details

    Please enter the details for this nomination.
  • Is this solution and innovation operating in real-world client environments as of this nomination? Concepts, good ideas, prototypes, etc. will not be considered. The innovation has to have real-world implementations that can vouch for the innovation (client reference asked for later).
  • Please avoid hyperbole and stick to specific facts and details, answer agnostically of solution itself.
  • Please avoid hyperbole and stick to specific facts and details.
  • The nomination has to be something released or made available in the past year.
  • Basically, why would organizations care about this and what value does it bring them.
  • Drop files here or
  • Client Reference

    Please submit a client reference that we can call that can validate that this solution is operating in the real-world and delivering as indicated on this nomination if your nomination is selected as a finalist.
  • This field is for validation purposes and should be left unchanged.