Libby Bevin

I think it’s fair to say that as your company grows, you will likely need to engage with outside parties to supplement or outsource elements of your business. This may include vendors and suppliers, contractors or service providers. Engaging with third parties has a lot of benefits, but it also comes with challenges. Mainly, you can outsource the work but not the risk. Partnering with third parties exposes you to higher levels of risk because in many cases you give up control over the work, how it is done and how it is secured. You must rely on the third party to put sufficient measures in place to reduce the risk to your acceptable level.

If you’re an avid reader of the RiskOptics blogs, and I hope that you are, you may have had some strong emotions in response to our recent post Making the Shift From Vendor Risk Management to Third-Party Risk Management. I received a lot of feedback. Some folks reached out to thank me and some folks reached out to tell me I’m crazy. But overwhelmingly, people reached out to ask me for help. Most of you recognize the need and the value behind data-driven and continuous monitoring of third-party risk but struggle to identify ways to put the concepts into practice.

So here’s 5 steps you can take toward a better third-party risk management program!

You don’t have to be an expert to know that risk management and corporate compliance are different things. Risk management refers to events that can result in some unexpected or undesirable consequence, and how your organization keeps those threats at bay. Corporate compliance is about conforming your business operations to various rules or requirements set forth by an oversight body.

That oversight body may be internal, such as your board of directors enforcing standards for a Code of Conduct; or external, such as the U.S. Securities and Exchange Commission’s rules for publishing financial reports or various data protection agencies that set standards for protection of consumers’ personal information.

Despite these differences, risk management and compliance go hand-in-hand. Complying with established regulations can protect your company from many risks, while a robust risk management program can prevent the many problems that may occur due to non-compliance.

Ultimately, you need both risk management and compliance to meet regulatory obligations, manage risk, safeguard assets, and maintain financial stability. And all of this is easier to do with risk and compliance automation.

Automation eliminates the need for time-consuming manual processes to maintain compliance and manage risk. In this pocket guide, we explore this and other benefits of automation.

What is Risk Automation?

Risk automation enables organizations to eliminate manual risk management workflows and manage and mitigate risk programmatically. Automation powered by modern technologies such as robotic process automation (RPA), machine learning (ML), and artificial intelligence (AI) streamlines risk assessment and analysis processes and reduces the effort required for risk reduction.

Click here to learn more about compliance considerations for RPA.

With automated tools instead of old-fashioned spreadsheets, your organization can:

• Monitor risk continuously to increase business resilience;
• Strengthen third-party and supply chain risk;
• Protect data from cybersecurity attacks;
• Implement and strengthen risk management controls;
• Stay updated on the risk landscape.

Risk automation simplifies risk communication. It helps to break down information silos, and fosters better alignment across multiple processes and departments. Both are vital to optimize risk management throughout the enterprise.

What Is Compliance Automation?

The regulatory landscape evolves quickly; keeping up with these changes can be difficult. That, in turn, can increase the risk of non-compliance and result in financial losses, lawsuits, fines, and even reputational damage.

Compliance automation helps to minimize this risk. The right automation tools will continually and automatically check your organization’s regulatory compliance posture. They will also track new or updated regulations so you can respond quickly to changes without manual methodologies or burdening the compliance officers or team.

Automation also makes it easier to manage compliance workloads, implement and document internal controls, simplify data collection, and track audit requests. In addition, compliance automation is vital to:

• Control compliance costs;
• Improve internal governance;
• Increase visibility into business processes;
• Better identify, analyze, manage, and monitor non-compliance risks;
• Maintain data security and privacy.

Compliance monitoring is also easier with automation. With automated tools, you are more likely to detect potential misbehaviors and risks, and then fix them before they can cause material damage to the organization or its assets, customers, or reputation.

The Benefits of Risk and Compliance Automation

So, why automation for risk and compliance?

For one, automation eliminates manual, administrative work so you can more easily scale your risk and compliance activities as your business grows, and to match evolving regulatory requirements. Automated tools will also monitor the enterprise ecosystem for risks and respond automatically to potential issues, minimizing the probability of loss or disruptions.

A compliance automation program enables effective monitoring of compliance requirements. It also reduces mistakes that are common with human compliance processes.

Automation software provides a complete overview of the organization’s risk and compliance posture. It can also help:

• Inform what controls are required to minimize risk and ensure asset and data protection;
• Improve cross-functional collaboration to improve enterprise risk management;
• Reduce the costs of audits and remediations;
• Communicate risk information to stakeholders more efficiently;
• Improve enterprise decision-making.

Best Practices to Implement Risk and Compliance Automation

Keep the following best practices in mind when implementing automation, to assure that your compliance and risk automation program delivers its expected ROI.

Always start with the objectives

Clear objectives for the automation initiatives will help you choose the best technologies, software, and tools for your specific requirements.

Implement an automated risk intelligence system

An enterprise-wide risk intelligence system should consider the organization’s specific risk appetite and tolerance. It should also calculate risk scores and accordingly determine the appropriate risk mitigation actions.

Implement measures and controls

Identify your compliance and risk management requirements to identify the required controls. If some controls are already in place, perform a gap analysis to see where they might be falling short. Then develop a remediation plan.

Select automation tools carefully

The tools you select should support your risk and compliance objectives. Look for an automation solution that will:

• Automate and monitor risk in your enterprise environment;
• Support your governance, risk, and compliance strategy;
• Integrate with other enterprise tools to facilitate seamless collaboration;
• Provide dashboards and reports to communicate risk and compliance information to stakeholders.

Implement a human risk response center

Tools are crucial for automated risk response. That said, you should also have a human risk and compliance team to mitigate the most critical risk events that automation cannot handle.

Make Compliance Automation Work for You with ZenComply

Automation is the key to mitigating risk quickly and assuring ongoing compliance. With Reciprocity ZenComply, you can do all this and more. This compliance and audit management solution automates task workflows to simplify compliance and risk management.

ZenComply includes expert-built content for more than 20 compliance frameworks, helping you speed up compliance efforts. It also provides prescriptive guidance so you can clarify scoping requirements and implement appropriate controls.

Get real-time reporting to understand the status of your compliance programs and see your current audit status. ZenComply will also help you connect compliance with risk and determine how compliance activities are affecting your risk posture.

Get a free demo of ZenComply and see how the solution can help you achieve compliance and minimize the risks of non-compliance.

SAN FRANCISCO, Calif. – September 8, 2022 – Reciprocity (the “Company”), a leader in information security, risk, and compliance, today announced it has closed on a $60M strategic growth investment from Francisco Partners (“FP”), a leading global investment firm that specializes in partnering with technology businesses. This investment will support Reciprocity to build on the momentum of its powerful new approach to risk management with accelerated product innovation and expansion of go-to-market activities.

Following the strong reception and market validation of the Company’s pioneering approach to cyber risk management, Reciprocity’s Risk Observation, Assessment, and Remediation (“ROAR™”) Platform has become an essential technology solution for businesses by tying an organization’s risk directly to its business strategy.

“Our vision is a world where risk is automatically identified and rapidly assessed in context of a customer’s business objectives and can be communicated in a way that everyone can understand. With our ROAR platform, companies can easily see, understand, and take action on their IT and cyber risks to quickly identify what is driving cyber risk for the business,” said Michael Maggio, CEO and Chief Product Officer for Reciprocity. “With this investment from Francisco Partners, we’ll be able to accelerate product innovation and offer new levels of functionality and deeper intelligence with our technology, providing our customers with risk insight that is quantified and actionable.”

The Reciprocity ROAR™ Platform provides organizations with a game-changing level of actionable risk insight – at both the business process level and at the executive corporate level – to make risk more manageable. The Platform delivers rich, expert-provided guidance that enables companies to protect their most valuable assets, quantify the value of security investments, accelerate business initiatives, and effectively inform leadership on the levels of risk and improvements.

“Michael and the team have done an exceptional job building Reciprocity’s approach to risk management, specifically with its ROAR Platform. As Reciprocity enters its next phase of growth, we are excited to partner with the team and help scale the business and expand into new markets to serve the needs of CISOs and business leaders,” said Peter Gingold, Managing Director at Francisco Partners.

About Francisco Partners

Francisco Partners is a leading global investment firm that specializes in partnering with technology and technology-enabled businesses. Since its launch over 20 years ago, Francisco Partners has invested in over 400 technology companies, making it one of the most active and longstanding investors in the technology industry. With approximately $45 billion in capital raised to date, the firm invests in opportunities where its deep sectoral knowledge and operational expertise can help companies realize their full potential. For more information on Francisco Partners, please visit www.Franciscopartners.com.

About Reciprocity

Reciprocity is pioneering a first-of-its-kind approach to IT risk management that ties an organization’s risk directly to its business strategy. The fully integrated and automated Reciprocity ROAR™ Platform empowers security executives to communicate the direct impact of risk on high-priority business initiatives to key stakeholders, helping them make smarter, more informed decisions. With Reciprocity, InfoSec teams can strategically support their organization and foster company growth by optimizing resources and mitigating expensive data breaches, system failures, lost opportunities and vulnerabilities with their customers’ data.

###

Media Contact for Francisco Partners:

Whit Clay / Sarah Braunstein
wclay@sloanepr.com / sbraunstein@sloanepr.com

Media Contact for Reciprocity:

Julie Seymour
Julie.seymour@reciprocity.com

This article first appeared on radicalcompliance.com August 16^th, 2022

The other week I had coffee with a veteran compliance officer passing through town. This CCO has worked at numerous global organizations, some of the biggest names in his industry and to the public at large. So when my friend – we’ll call him the Dinosaur, since that’s how he described himself – started talking about how a compliance officer can succeed, I took notes.

Right away, the Dinosaur raised a provocative point.

“I don’t really care whether I formally report to the CEO,” he said. “I only care that when I call the CEO and tell him or her, ‘I need to speak with you right away,’ the CEO will listen to me.”

Hmmm. I’m not sure what to do with that statement. More precisely, I’m not sure others know what to do with that statement, which is what gives pause.

On one hand, I suspect few people would say the Dinosaur’s view is wrong. On the contrary, he’s absolutely right about the most important thing: that when you sense a compliance crisis coming, the CEO will be there to hear your concerns. That’s what matters most for a successful compliance function. Every compliance officer I know would welcome a relationship like that. (Even if actual reporting relationships are all over the map.)

On the other hand, I wonder how one would document such a relationship to satisfy federal prosecutors comparing your compliance program to the Justice Department’s guidelines on effective compliance programs. Those guidelines never expressly say that the CCO should report to the CEO, but they do imply that point via a series of questions about reporting relationships and seniority status:

• Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)?
• To whom does the compliance function report?
• How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?

How do those conversations unfold when the CCO doesn’t report directly to the CEO, but does have a strong informal working relationship with him or her? When you give an answer something along the lines of, “Yes I report to the general counsel and only have observer status on executive committee meetings, but I can call the CEO whenever the need arises” – what are prosecutors supposed to do with that? Or, what other evidence of a strong control environment and tone from the top would you need to provide?

Like I said, I wholly agree with the Dinosaur’s point. I’m just not sure how his wisdom fits into the structures of “effective compliance” that the Justice Department has etched into stone. (If you have suggestions, please email me at mkelly@radicalcompliance.com and let me know.)

Why Compliance Projects Fail

The Dinosaur also talked about compliance technology, and why so many compliance investments – a new technology, or a new set of risk management procedures – don’t achieve the goals you hoped for.

The biggest challenge, he said, isn’t identifying the best technology or the wisest way to govern risk. The biggest challenge is understanding the corporate culture of your organization. He faults compliance officers for not taking the time to understand which people are in what roles at the enterprise, and how information flows through the business. Gloss over those steps, he warned, and you end up with technology and processes that look impressive, but don’t fit how your company actually works.

For example, many large organizations rely on a certain risk management philosophy or framework: COSO or Six Sigma or some ISO standard or whatever. That’s fine, but compliance officers need to be sure that any new technology you want to buy can accommodate that risk management approach. Otherwise you’ve spent a lot of money for a new toy, and soon enough, people will put it aside and go back to the old way of doing things.

The Dinosaur also stressed that this point, as obvious as it may seem today, is a still relatively new concept. Ten or 15 years ago, he said, most companies didn’t have a compliance function – they had compliance officers, alone, trying to build a sustainable compliance function.

Well, now most large organizations already do have a compliance function, complete with frameworks and workflows and “we’ve always done it this way” habits among the workforce. Maybe you’ve been hired in the wake of a severe crisis, where you have the freedom to put the organization on an entirely new path; but much more likely, you’ve been hired as the new conductor for a train already in motion. Take the time to understand that train’s momentum and direction, or else you risk getting derailed.

And with that, the Dinosaur finished his coffee, said farewell, and left me to ponder his pearls of wisdom. In my line of work, those are the best sort of meetings to have.

Today’s organizations operate in a highly risky business environment comprising many types of risks. One such risk is strategic risk.

Strategic risk is the risk that an internal or external event may prevent your organization from executing or achieving its strategic objectives. These failures can have severe long-term consequences for the firm and its stakeholders.

To prevent such failures, a robust strategic risk management (SRM) process is essential. Moreover, SRM should be part of an overall enterprise risk management (ERM) program and integrated risk management system.

What Is Strategic Risk?

Strategic risk arises when the organization’s strategy fails to deliver on expected outcomes. The term can also refer to the risk that the company may make an incorrect strategic choice, resulting in losses or other kinds of damage.

Strategic Risk vs. Operational Risk

Strategic risk is often confused with operational risk, but the two are different types of risk. Operational risk is the risk of losses arising from inadequate or failed business processes, employee errors, or cybersecurity events. Its impact is more immediate.

Strategic risk has a more long-term time horizon. It is the risk that prevents the organization from meeting its strategic goals.

Examples of Strategic Risk

Strategic risk may arise from decisions taken by enterprise leadership or from the organization’s position in its environment.

Some examples of strategic risk are:

• The introduction of new products or services by a competitor;
• Unsuccessful mergers or acquisitions;
• Evolving customer demands;
• Changes in senior leadership;
• Damage to the company’s reputation;
• Poor cash flows and other financial challenges;
• Changes to the competitive or industry landscape (such as a merger of two rivals into a single, larger one);
• Supply chain issues, such as problems with suppliers or vendors;
• Technology risk.

In addition, some organizations also consider the following as sources and examples of strategic risk:

• Human resource issues, such as staffing shortages;
• Cybersecurity or IT disasters;
• Economic instability;
• Political risk;
• Exchange rate risk.

Any of these risks can affect the firm’s future performance and innovation capability. They can also make it harder to respond to change and deal with supply chain and other disruptions.

How to Identify Strategic Risk

Strategic risk management starts with strategic risk identification. There are many ways to identify the organization’s strategic risks. One is through brainstorming. A group of people – senior managers, board members, the ERM team – work together to identify potential strategic risks and determine which risk mitigating controls are required.

It’s also useful to interview or survey key stakeholders to identify strategic risk and design the risk management framework.

Finally, different types of analyses can be used to identify strategic risk, such as:

• Scenario analysis: an analysis of the potential causes and consequences of a risk that may be created in some future scenario;
• Fault tree analysis: a technique to identify the factors that may result in or contribute to an undesirable outcome;
• Bow tie analysis: a graphical depiction of risk causes and consequences that informs risk treatment strategies;
• Incident analysis: a technique to uncover the root cause of a strategic risk.

Strategic Risk Assessment vs. Strategic Risk Management

The terms strategic risk assessment (SRA) and strategic risk management (SRM) are often used interchangeably, but the two concepts are not the same. SRA is part of an ongoing SRM program. It is a systematic process to assess the strategic risks facing the enterprise.

An SRA is crucial for organizations to understand strategic risks and build their risk profile. For maximum effectiveness, an SRA should involve senior management teams and board members.

The SRA should also be tailored to the organization’s strategic objectives and support its unique culture. Finally, stakeholder consensus about the key risks facing the organization is vital for effective SRM.

Performing a Strategic Risk Assessment

Harvard Business Review recommends a seven-step risk assessment process.

1. Understand the organization’s business objectives and strategies. Without this data, the SRA will result in a “laundry list” of potential risks without showing a way to prioritize them or create appropriate risk management strategies.
2. Gather data about strategic risks. The previous section identifies the many ways to identify strategic risks.
3. Create the risk profile. The risk profile clearly communicates the top risks and ranks them by potential severity.
4. Validate the risk profile. Key executives should validate, refine, and finalize the risk profile.
5. Develop the SRM plan. Strategic planning enhances risk monitoring and guides risk management.
6. Communicate the strategic risk profile and SRM plan to stakeholders. The goal is to communicate risk information and build a strong risk culture across the enterprise.
7. Implement the SRM plan. SRM is a circular, ongoing, and continual process within the organization.

Strategic Risk Management

SRM is aimed at managing and monitoring identified strategic risks. For this, a proper SRM action plan is essential. The plan allows risk teams to prioritize each risk, predict potential impact, and identify the appropriate risk response – for example, risk avoidance versus risk reduction.

The SRM plan also:

• Clarifies the organization’s risk appetite;
• Identifies the forward-looking key risk indicators (KRIs) to anticipate potential risks and trigger proactive actions;
• Establishes metrics and key performance indicators (KPIs) to measure the program’s performance;
• Assigns roles and responsibilities for risk monitoring and management;
• Guides robust risk analysis and treatment.

The right risk management software can streamline SRM. It will also provide integrated reporting and dashboards to simplify the monitoring of significant risks, allowing the organization to mitigate new risks as they emerge.

Manage Strategic Risk with Reciprocity ZenRisk

Strategic risk is one of the most dangerous risks to a company. To avoid the danger and minimize exposure, it’s crucial to manage strategic risk at the enterprise level. Here’s where SRM and Reciprocity ZenRisk come in.

With ZenRisk, an integrated, feature-rich risk management software tool, you can manage all kinds of enterprise risks, including strategic risk. Leverage ZenRisk’s guided approach, built-in content, beneficial templates, real-time risk monitoring, and cross-object risk scoring to stay ahead of threats and strengthen your risk posture.

ZenRisk also provides advanced contextual insights to guide decision-making and help you optimize security. Schedule a demo to see what Reciprocity ZenRisk can do for you.