Privacy, Pandemics, and Business Change…OH MY!!!

The world is in turbulence all around us. What started as a health and safety issue in Asia has had a cascading impact around the world. Economic uncertainty, health and safety, work from home, IT security issues, continuity, and operational resiliency…it is like an intricate pattern of dominos falling over.

In response to the pandemic, business has changed. Business processes have changed, organizations are supporting remote home working on a huge scale, and economic and health constraints have businesses operating with a reduced workforce in which employees share responsibilities and wear multiple hats. A time of change and crisis leads to compliance exposure.

One critical area of compliance risk exposure is privacy compliance. As business processes change in context of the pandemic, the flow and use of personal information has also changed.

The pandemic’s threats to data privacy

Access to personal data is . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE MITRATECH BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

The Pandemic & the Dominos of Risk Interconnectedness

Risk, according to ISO 31000, is “the effect of uncertainty on objectives.” Uncertainty is all around us in 2020. Organizations go through a lot of effort to try to put a label on specific risks, but the reality is risk is too complex to put into a container and label it. An organization cannot look at risk in silos of labels as it fails to see the interconnectedness of risk.

A risk event has a domino impact on the organization. What starts with one domino of risk has a cascading impact on other risks. Consider the current global crisis and pandemic of COVID-19. It started as a health and safety risk coming out of Asia. However, it has a cascading impact that causes other risks to materialize and change that impact the organization. It cannot be managed in isolation but has to be understood in the complex web of interconnections of risk and objectives that play out from it.

What originated as a health risk in a community in Asia now has a global impact that goes far beyond just an illness. Consider the following:

  • Risk to objectives. As the pandemic unfolded, it had a specific impact on every organization's business objectives. Adapting to the crisis, businesses had to modify those objectives. Entity, divisional, department, process, project, and asset level objectives have been modified, and the uncertainty of hitting both original and modified objectives leaves risk exposure in a state of volatility. This plays out from the economic and business impacts of the virus.
  • Risk of operational resilience and continuity. Organizations have increased exposure to their operations and delivery of business processes. Business continuity in many organizations had an isolated focus on IT security and disaster recovery and was not prepared for a pandemic of this nature. They were ready for a computer virus, but not a global people virus. As employees were cut, processes were changed, and a focus on work from home put in place . . . the organization scrambled and faced growing uncertainty and exposure.
  • Risk of information security. With the focus on supporting a broad work from home strategy, the organization faces increased exposure to IT security issues. Home office environments are often not secure. With the Internet of Things (IoT), a light switch, a TV, or another connected device in the employee's home could be a source of exposure to company data and connections. Further, hackers and organized crime have taken the crisis as an opportunity to infiltrate organizations and steal data.
  • Risk in third party relationships. It is typical that half of the organization is not traditional employees. Brick and mortar walls and employees no longer define the organization. Today’s organization is a complex web of nested relationships spanning suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, and intermediaries. We have seen significant issues where service providers and outsourcers have completely shut down because of lockdowns and are unable to support organizations and deliver services. We have seen constrained supply chains and the inability to deliver goods.
  • Risk of company culture and control. With rapidly changing processes to address the pandemic, the organization is lacking controls or navigating around controls. With reduced staff, employees are wearing multiple hats and there is greater exposure from segregation of duty conflicts. Employees themselves are concerned about the economy and their (and their loved ones) well-being and security. Working from home offices and not in the corporate buildings means further insecurity for many.
  • Risk of fraud. In uncertain economic times and the unfolding of a recession, employees are under more stress to make ends meet. Employees who might never think of stealing/committing fraud during normal times may choose the wrong path when faced with the economic stress and uncertainty they now face.
  • Risk of bribery and corruption. Constrained supply chains and pressure to meet objectives increase the risk of bribery and corruption. With customs, import, and export coming to a crawl in some countries, there is greater risk that someone may pay a foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done.
  • Risk of modern slavery and human rights. We see the unrest of human rights all around us right now. What was an issue before the pandemic has exploded further because of the pandemic. But it goes beyond civil rights and treatment of people groups by those in authority, it also extends into our facilities and supply chains. The pandemic has hit certain areas of the world hard. Factories have lost employees to illness and death. As a result, there is increased staffing with child or forced labor and unwanted working conditions.
  • Risk of harassment and discrimination. Unrest is abounding. Stepping beyond the protests right now, there has been growing discrimination because of the virus and a focus of anger on ethnic groups (particularly Chinese, where the virus started). People working from home and not in normal office conditions do not understand that the same rules apply. Communications such as email, text, and video calls have become more relaxed, and individuals are crossing boundaries and making statements that constitute sexual harassment.

I can go on and on and on. I have not touched privacy risk, compliance exposure and inability to meet compliance requirements because of changed business processes, and so much more.

The point is that risk is interconnected. Organizations need to map and understand the interconnectedness of risk. Risk management requires scenario planning as well as tabletop exercises to creatively walk through how risk unfolds, where uncertainty and other risks can develop, and how objectives are impacted. I personally love bow-tie risk analysis to explore these connections and relationships.

Organizations cannot manage risk in isolation. They need an enterprise view of risk that sees the interconnections and the impact of uncertainty on objectives. They need a top-down approach to risk management that starts from objectives and the risk and uncertainty to those objectives, and a bottom-up approach that looks at the details of risk down in the weeds of business processes and transactions. Good risk management brings together both quantitative and qualitative analysis, and it requires left-brain structured thinking as well as right-brain creative thinking on risk and impact. Enterprise risk management also needs to be balanced and not held captive by one department, like IT security, because the risks the organization and the world face are complex and interconnected.

Upcoming Webinars . . .

The Future of Compliance: A Virtual Summit

  • June 17 @ 7:00 am – 11:30 am CDT – COVID-19 has challenged companies and their compliance departments in unprecedented ways. Without your expertise as a compliance professional when it comes to the people, processes, and technology needed to ensure continued collaboration, the business ecosystem could literally break down overnight. The governance, risk and compliance community is going to lead the way out of this […]

Risk Management to Support Operational Resilience

  • June 17 @ 11:00 am – 12:00 pm CDT – Speaker: Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC), with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 27+ years of experience, Michael helps organizations improve […]

Adapting to Pandemic Disruption: TPRM Lessons Learned

  • June 18 @ 9:00 am – 10:00 am CDT – Now more than ever, companies rely on suppliers for key business functions. In the midst of disruption, it’s critical to have a third-party risk management (TPRM) program to pinpoint at-risk suppliers and help your organization minimize risk, all while improving business resilience. To achieve this, organizations need an integrated view across all risk domains, including […]

How COVID-19 Learnings Will Shape the New Normal of Risk Management

  • June 18 @ 11:00 am – 12:00 pm BST (London) / 8:00 pm AEST (Sydney) – Join Michael Rasmussen and David Tattam as they share their views on how risk management will change as a result of our very real and often sobering COVID-19 experiences. In this webinar, we’ll cover: What the “new normal” will look like for risk […]

Minimize Growing Data Risks: Best Practices for Legal Leaders

  • June 24 @ 12:30 am – 1:00 am CDT – In the coming months Legal Leaders will be tested with a variety of challenges around how businesses are managing their data. More remote workers means that more data is stored in the cloud. New data privacy laws (CCPA, GDPR) mean additional requirements for managing data. In this upcoming webcast, hear from legal leaders like yourself […]

Why Policy Management Matters

  • July 30 @ 10:00 am – 11:00 am CDT – Speaker: Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research.

Effective Risk Management in Context of the Pandemic

The COVID-19 pandemic has caught a lot of organizations by surprise. But, should it have?

We have had pandemics in the past—history teaches us this over and over. The World Economic Forum has regularly reported pandemic risk on their global risk reports over the years. Political and business leaders have warned us of pandemics. 

So, why has it caught so many organizations off guard?

The problem: an unbalanced view of ERM

The reality is that organizations have not had a balanced view of enterprise risk. Too many enterprise risk management programs (including corporate risk management and operational risk management) have been focused on highly visible risks, such as IT security, while not paying attention to the significant, but low-likelihood, risks like a pandemic. 

Risk management will fundamentally change because of the COVID-19 pandemic. We will see a lot of enterprise risk management (ERM) programs become . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE WORKIVA BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

GRC Supper Club: Operational Resiliency and the Interconnectedness of Risk

The past two months have been a crazy whirlwind of webinars, phone calls, and video meetings. Organizations the world over have been asking for calls on how to respond to the pandemic from a GRC perspective, and what the world of GRC will look like and how corporate governance, enterprise risk, and compliance and ethics management will change coming out of the pandemic. From 5:00 am to midnight here in Milwaukee, it has been a full sprint. RFPs, shortlists, strategy calls, competitive analysis of solutions, input on strategy, to market sizing and forecasting of GRC segments for solutions and services . . . it is a crazy time. I have done more webinars in two months than I normally do in an entire year.

One of the fun and unique engagements I did was the GRC Supper Club last week! This is an event that is normally done in person in the United Kingdom and led by my friend Lee Edge. With the pandemic it went virtual. So while the amazing host and many of the attendees were enjoying dinner and drinks in their homes in the UK and Europe, a few others and I were doing lunch here in the United States.

Lee moderated the event, and I was one of three panelists for the virtual GRC Supper Club (you can access the recording for the virtual GRC Supper Club here). While we were speaking, Lee had an artist capturing the conversation and insight and putting it into the graphic you see above. I love how the graphic turned out! It captures so many of the points and analogies I brought up in the virtual GRC Supper Club. These are (working across the top and then clockwise around the bottom):

  • The Pandemic is NOT a Black Swan Event. I stated that being unprepared for risk does not make it a black swan. There were plenty of warning signs, history of events, and people and organizations speaking out on the potential for a pandemic. It does not meet the requirements of a black swan event. I blogged on this here: Being Unprepared for the Crisis Does Not Make it a Black Swan.
  • A Tale of Two Futures. Playing on the Charles Dickens novel, Tale of Two Cities, I discussed in the GRC Supper Club how we have a tale of two futures: we are headed toward either a Blade Runner dystopia or a Star Trek future. The choices organizations make today on the environment, climate change, and health and safety impacts what future we are headed toward. I blogged on this here: Tale of Two Futures: Blade Runner or Star Trek?
  • The Interconnectedness of Risk & Chaos Theory. The bat in the illustration stating, “I am no butterfly but I’ve had a big impact,” was a reference to my discussion in the Club about the interconnectedness of risk and how small things matter. I referenced Chaos Theory and the Butterfly Effect, in which the flutter of a butterfly’s wings in Amsterdam can influence the development and path of a hurricane in the Gulf of Mexico. What started with a bat at a wet market in China has had a worldwide impact that is more than a health and safety risk; it cascades into economic risk, strategic risk, supply-chain third party risk, security risk, geopolitical risk, IT security risk, modern slavery and human rights risk, bribery and corruption risk, and even harassment and discrimination risk (I detail all of this in the Supper Club recording). I have blogged on this here: Navigating Chaos.
  • Cover Your Behind & IT Risk. This part of the illustration detailed my discussion on how too many enterprise and operational risk management programs have been operating with a myopic and overly focused view on IT security risk. IT security is a huge risk, but there are other significant risks the organization faces that have not received the same level of attention. Look at the world around you and nothing more needs to be said. IT security has been the dominant risk focus in ERM and ORM programs at the cost of other risks like environmental, health and safety, and quality. I make reference to this in this blog: Forrester GRC Wave = Tsunami of Confusion.
  • The Titanic of Risk. Next in the GRC Supper Club illustration and discussion, I referenced the illustration of the Titanic. This is an analogy I have been using in presentations for nearly 15 years. It is about all the risk exposures that contributed to the disaster of the Titanic, including environmental, overconfidence, third party risk issues, lack of control, health and safety, oversight, and more. Further illustrating the interconnectedness of risk. I have blogged on this here: The Titanic: An Analogy of Enterprise Risk.
  • Right-Brain & Left-Brain Risk Thinking. In the lower right corner of the illustration you can see my dialogue during the GRC Supper Club in which I shared that good risk management involves both right-brain thinking and left-brain thinking. Too often we focus on the left-brain side of risk models and analytics, but good risk management also involves the out of the box creative thinking on risk and scenarios. I have blogged on this here: Managing Risk in Dynamic & Distributed Business.
  • Environment, COVID & The World. This part of the illustration was in reference to my comments on the Economist cartoon from a few weeks back in which the world is fighting COVID in the boxing ring but a much bigger opponent of the environment and climate change is about to step into the ring.
  • IT Security and the Home Office Blender. At this point in the GRC Supper Club I was discussing the IT security threats in the home office/work from home environment with the Internet of Things (IoT). I detailed how in my home in Milwaukee I have outlets, TVs, and even a blender that are connected to the Internet. If one of these devices has a vulnerability, or worse, a trojan horse, it could compromise organization data and connections.

It was a great event! There are two upcoming VIRTUAL GRC Supper Clubs you can register for, though I am not speaking on these. Hopefully, it will be back to in-person dinners back in the United Kingdom soon . . .

Delivering 360° Contextual Awareness of Your GRC Program

Governance, risk management, and compliance — what we refer to collectively as GRC — is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. Over the past twenty years, we have seen technology evolve and mature to assist organizations in achieving this definition of GRC.

This evolution of GRC technology started with engaging the back-office functions of GRC, what we often call the second and third-line of defense. These are the risk, compliance, security, internal control, and audit/assurance departments that manage and monitor areas of GRC day in and day out.

Over the past several years, we have seen GRC technology grow and also spread to engage the front-office of the business, as well as all levels of management. These are the people that own risk and controls and are making risk and compliance decisions throughout the day. When you think about it, GRC is not about the back-office departments of GRC but about the front-office engagement and commitment to GRC. This moved technology into the Agile GRC era that focused on usability and experience to make GRC relevant for the front-office of the business — not just the back-office of traditional GRC functions and roles.

We are now moving into the era of Cognitive GRC. This extends . . .

[THE REST OF THIS ARTICLE CAN BE FOUND ON THE RUBIQ BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]

Why Third-Party 360° Situational Risk Awareness is Needed Now More Than Ever

I am a James Bond fan and eagerly anticipate the next James Bond film, “No Time to Die.” Unfortunately, because of the global crisis we all now face, we have to wait until November 2020 instead of seeing it on the big screen this month. While we wait for this next installment in the 007 sagas, we can still learn and apply what makes the master spy so great to our world of business that is situational awareness.

Today’s organization needs situational awareness. Situational awareness is the perception of the details and events around us and the interpretation of how they can or will impact us to determine our course of action. James Bond looks at the big picture and sees all the details. Situational awareness is needed across the business but is particularly needed in the context of risk in third-party relationships . . .

The remainder of this article can be found on the SureCloud site where GRC 20/20’s Michael Rasmussen has contributed his thoughts in a guest blog on this site.

Centralizing Compliance and Ethics Communications in a Time of Crisis

In a time of crisis, like what we face with the global pandemic, centralizing compliance and ethics communications and reporting is critical to streamline interactions, maintain corporate culture and integrity, improve employee morale, and communicate expectations.

However, a lot of organizations are finding they are not prepared. Consider that a lot of policies are changing right now, such as remote office worker policies, home office expense policies, and conduct policies. Other policies may not have changed, but employees still need to be reminded of them as they operate in a high-risk environment for fraud, privacy, customer/client communications, health and safety, and security.

In this current crisis, one large organization I was talking to discovered they had over 20 policy portals scattered in different departments. Policies were on different fileshares, Sharepoint sites, and ad hoc technology platforms. Policies looked different on each portal and used language inconsistently. Some policies were out of date.

In a time of crisis when people are working from home, having . . .

[The rest of this blog can be found at the Convercent website where GRC 20/20’s Michael Rasmussen contributed this as a guest blog post]

Being Unprepared for the Crisis Does Not Make it a Black Swan

I may be going out on a limb and stepping on a lot of toes right now by frustrating the careers and reputations of some risk managers. Simply put, this global pandemic/crisis is not a black swan event. I am finding too many GRC and specifically risk management professionals are trying to cover their behinds by claiming that the pandemic is a black swan. Being unprepared for a risk does not make the risk a black swan.

You may ask what is a black swan?

A black swan is defined as an unforeseen/unpredictable event that has a significant impact on the organization (or industry, or economy). The term refers to how in Europe it was understood that all swans, as in the bird, are white. There was no concept of a black swan. Then European explorers found black swans in Australia, which changed the paradigm of what swans are.

The truth is that we have had pandemics in the past. We have had threats of pandemics. We have been warned countless times about it.

The reality is that this should have been on the ‘risk radar’ of organizations but it was not for many. Now there are a lot of risk managers trying to misdirect scrutiny on them by claiming it was a black swan. Again, being unprepared for risk does not make it a black swan.

I find that too many risk management programs (e.g., corporate risk management, enterprise risk management, operational risk management, GRC, IRM . . . pick your favorite label) have been hijacked by IT security, a department that really does not understand environmental, health and safety, and other risk areas that have a potential big impact on the organization and its objectives. If we look at the WEF report, the top risks the world faces are environmental risks and health and safety risks.

Don’t get me wrong, IT security is a huge risk area; one of great concern that can impact the organization’s objectives. My issue is that too many risk management programs have overly focused on IT security in a way that was not balanced and ignored other risks such as the pandemic we now face.

I would like to see the organization that has been tracking this. That on the corporate risk heat map (I am not a particular fan of heat maps and find them misleading and misused) they have tracked this from a high impact low likelihood event six months back and can show how their risk monitoring has moved this risk event over month by month to week by week to a high impact and high likelihood event. I would estimate that 99.9% of organizations have failed in tracking and monitoring this risk with regular reporting at a board and executive level. Which of these organizations have actually quantified the risk and its various scenarios in how it unfolds to put actual numbers to the risk and the impact on the organization? Which organization has the best case study in how they have been historically monitoring this type of risk and have been the best prepared for it?

I remember a decade back, coming out of the Swine Flu pandemic that claimed roughly 200,000 lives, that many organizations were building continuity plans and even doing cross-industry table-top exercises and scenarios to prepare for the next pandemic. Were any of the organizations that worked on this then ready now? Most have closed the ledger on even recent history in their risk planning and monitoring.

Coming out of this crisis, we will see enterprise risk strategies that are more balanced with a broader understanding of risks to the organization’s objectives. Environmental, health and safety, quality, supply chain/procurement, and others will have a stronger and more active role at the enterprise risk management roundtable of the organization.

We are also going to see a lot of regulation across industries and around the world come out of this that is focused on operational resiliency. This is already happening in the financial services industry in the United Kingdom with the Operational Resiliency requirements from the FCA, PRA, and Bank of England. I predict we will see operational resiliency regulation that requires an integrated approach to operational risk and business continuity across industries and geographies.

What are your thoughts on this crisis and how unprepared organizations are but should have seen this coming?

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . . 

Communicating Policies in a Time of Crisis

Policies are critical documents in organizations. They define how business is to be conducted as they establish boundaries and expectations for individual and process behavior. Policies enable and intersect all three elements of governance, risk management, and compliance (GRC). It is through policies that are clearly written, communicated and understood, and enforced that the organization can “reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

As the global crisis of the pandemic unfolds and impacts business operations, one of the clear areas of mismanagement being exposed is the scattered approach to policies. Organizations need to at least temporarily change policies and communicate them to a remote workforce. In this context, they are finding that they have policies and procedures scattered across many portals. One organization I just talked to found they have 20 portals for policies, and each had different formats/templates and writing styles. This works against the organization that is trying to respond to a global crisis and provide a singular, consistent view of policies and procedures across the organization. That consistency is necessary to make sure there is one single source of truth and that remote employees are working from the same consistent and current policies and procedures.

Even worse, many organizations I am talking to right now are finding they do not even know what policies they have in their organization. It is the Wild West – complete anarchy – as different parts of the organization have gone in different directions in writing policies. In a time of crisis, organizations are finding out that there is no master list of all of the organization’s policies and procedures. This is critically needed to be able to flag which ones need to be communicated in a time of crisis as well as modified to address changing business processes, transactions, relationships, and a remote workforce.

Already GRC 20/20 Research has seen a growing interest in enterprise policy management that provides a consistent policy on writing policies, with an established policy management lifecycle to ensure that policies are documented, consistent, and available in a single portal in the organization. The need for this is becoming more apparent in the current crisis, and the demand for a singular integrated approach to managing and communicating policies across the organization is growing. This includes:

  • Back office management of policies. It requires a consistent process to author, approve, communicate, manage, monitor, maintain, and retire policies.
  • Front office engagement on policies. It also mandates a consistent singular portal for an employee to access policies and procedures with related resources (e.g., training, issue reporting, helpline, forms). This portal needs to be available from the desktop and laptop down to the tablet and smartphone. And it needs to be available whenever and wherever an employee needs to access policies . . . particularly in a time of crisis.

What are your thoughts on how to manage and communicate policies in a time of crisis?

My point of view: Organizations need to be moving to an enterprise-wide view of policies that are consistent, with a consistent portal for employees to access every policy and procedure in the organization. In a time of crisis, not having a singular view into policies causes confusion and mistakes and has a direct impact on the culture and morale of employees who need guidance.

Check out GRC 20/20’s upcoming webinars and events in this time of crisis . . .

Keep Calm & GRC On!

These are crazy and uncertain times, but this does not mean governance, risk management, and compliance (GRC) comes to a halt in organizations. It is the opposite, this is the time for strong corporate governance, risk management, and compliance. This is what gets organizations through the crisis and allows them to navigate the chaos. As the British taught us in World War II, we all need to “keep calm and carry on.” That last part is critical. Now is not the time for GRC to stall in your organization but to lead. We need to KEEP CALM AND GRC ON!

The official definition of GRC is that GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].” [source OCEG GRC Capability Model] Now is the time for greater GRC strategy, practices, and processes to enable your organization to

  • reliably achieve objectives, though those may be changing to respond to the environment;
  • manage uncertainty, which these times are very uncertain; and
  • act with integrity in the face of changing business processes and economic conditions.

GRC strategies and infrastructure will come out of this stronger than ever. I have been a research analyst for 20 years, I saw GRC functions thrive after 9/11 in 2001. I saw them thrive after the 2008 financial crisis. GRC related departments, processes, and technology architecture will be stronger because of the horrible global crisis we face. GRC strategies, solutions, and services are and will be in demand.

Risk management, business continuity, operational resiliency, third party GRC, and policy management are all hot topics right now that I am interacting on because of the crisis. Coming out of this, we will see changes to regulations that will cause more demand for compliance management. Strategies related to ESG, EH&S, and CSR will grow in organizations because of this crisis.

How GRC Will Change in Organizations

I have been interacting on a number of inquiries this past week from organizations (across buyers of solutions as well as solution/service providers). Here are my thoughts:

  • Risk management will fundamentally change. Too often enterprise and operational risk management programs have been dominated or even consumed with IT security risk focuses. IT risk is huge and an important topic, but our most significant risks are from other areas such as environmental, health and safety.
    • Just a few months back I blogged on this, “Tale of Two Futures: Blade Runner or Star Trek?” While information security will remain a critical risk area, we are going to see more balanced enterprise and operational risk management strategies that include environmental and health/safety risks across industries.
  • Operational resiliency – integrating risk and business continuity management. The UK, in financial services, has had a specific regulatory focus on operational resiliency which requires an integrated approach to operational risk and business continuity management (as well as third party risk).
    • This is the buzz word right now and will be a global cross-industry focus coming out of this crisis. In most organizations, business continuity has been overly focused on disaster recovery from an IT focus. There will be a new focus in true business continuity management that is part of an enterprise/operational risk management program. Operational resiliency is what brings this together. 
  • Third-party risk management is a necessity. Business today is not defined by employees and brick and mortar walls. It is a complex web of relationships. The crisis is showing this.
    • Organizations need 360° situational awareness of risk and continuity in their third party relationships. This cannot just be an IT security focus but needs to be complete situational awareness of risk and continuity in the extended enterprise. 
  • Policy management is in demand. I get a lot of inquiries on policy management, but I am the only analyst that covers it as its own defined area of GRC. I have been getting inquiries on best practices and ideas on how to communicate changing policies, track understanding/acknowledgment, and monitor compliance in times of crisis. The fact is that business operations have changed this past week — this means policies and procedures have changed. The common question is how do we change and manage policies in times of crisis and then bring the organization back to a state of normal (or a new normal)?
    • There are a lot of organizations that have realized how messed up their policies are and that they need a centralized portal for all corporate policies to deal with crisis and change. When an organization has 20 policy portals scattered in different corners of the organization it makes reacting to crisis and change challenging if not impossible.
  • Look for CSR/ESG to evolve. Many organizations are doing great things to respond to the crisis, and others are failing miserably.
    • Look for a variety of lessons learned and new perspectives and initiatives in CSR/ESG particularly on matters of social accountability and responsibility in organizations. 

I would love to hear your thoughts . . .