GRC Trends in 2022 (Part 1): Resilience & Agility

Megan Phee: (singing). Hi, I'm Megan Phee, and this is GRC& Me, where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry- specific challenges, trends, and more. Learn about our methods, solutions, and outlook in this space. Hello, this is Megan Phee with GRC& Me. Today, we have a two- part episode to kick off the new year with a very special one- on- one conversation between the CEO of LogicGate and risk management enthusiast, Matt Kunkel, and GRC analyst and pundit at GRC 20/ 20 Research, Michael Rasmussen. In this first discussion on GRC trends in 2022, Matt and Michael focus on resiliency and agility and how the two are connected. Now, let's listen in on this engaging conversation.

Matt Kunkel: Welcome, everyone, to another episode of the GRC& Me podcast. I am joined today by my good friend and GRC pundit, Michael Rasmussen. Michael, thank you for joining us.

Michael Rasmussen: It's my pleasure to be here.

Matt Kunkel: So this is actually going to be a two- part episode just because there's so many trends that are going on in GRC in 2022. The first one's going to be around agility and resiliency. So why don't we dive right in there, Michael, and can you give us the importance of why resiliency is really important in a organizations' risk management programs?

Michael Rasmussen: Well, from one perspective, I think you would say it's a no- brainer right now, coming out of the pandemic. Organizations need to be resilient. Resilience is this idea, if you go by the dictionary definition, the elasticity, the ability to spring back, to be able to recover. So resilience is about, when we have a negative event, how quickly can we get the processes and services, the organization itself, back up and running and to recover from the event? That's what resilience and resiliency is about. We have different types of resiliency. We have overall enterprise or business resiliency that's going to look at our strategic resiliency and our strategy, our capital, and the liquidity resiliency, and our finances, but then also, our operational resiliency, but then we also can even look at cultural resiliency. But most of the focus today is on this operational resiliency. So when we have operational issues, events, risk issues that rear their ugly head, how quickly can we get back up and running? How quickly can we recover from those events? The pandemic is just one example that everybody's having to struggle with resilience. But moving beyond that, you've got the idea that the events and issues, like around IT security, that happens quite frequently. When you look at the press from the solar winds example, to the colonial pipeline, to whatever's happening this month, how quickly can we recover? Now, resilience is more than just traditional business continuity. Resilience requires an integration where business continuity is actually a part of enterprise and operational risk management. I've been saying this for 15, 20 years. I don't understand why we have a risk management group over here, a business continuity group over here, and they never talk to each other. It makes absolutely no sense. And so, all of a sudden, now we've got this whole focus on resiliency, that this idea of continuity is maturing and becoming part of risk management. In fact, the United States OCC, The Office of the Comptroller of the Currency, defines operational resilience as an effective... that resilience is an effective outcome of operational risk management. To be resilient, it's more than just continuity. It's also being able to manage risk, and resilience belongs in risk management. So right now, I'm seeing a lot of programs rebranding and relabeling themselves to risk and resiliency, not just risk management within organizations.

Matt Kunkel: Yeah, that's interesting. And I think that's a trend that we're seeing too, is that you can't have resiliency without the risk part of it and the risk management and smashing those. It's not just about the traditional BCP and traditional risk managements. How did those interact and commingle and relate together? You mentioned some of these things, COVID is one of the ones that you mentioned, but some of the trends that we're seeing from a resiliency perspective, some of the things that we need to be resilient around, that we saw in 2021, and that you think we'll continue to see in 2022.

Michael Rasmussen: Well, you need to understand the interrelationship of risk. The physicist Fritjof Capra stated," The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they're interconnected and interdependent." The whole idea of risk and resiliency is that there's a lot coming at us, and it's an interconnected risk environment. You take COVID- 19 as one example, a health and safety risk, and we have to be resilient because of the pandemic. Well, this has this downstream impact on all these other risk and resiliency areas, IT security risk in the work from home environment. Look around me. My TV behind me is connected the internet, my exercise bike is connected to the internet, the speaker in front of me, my blender in my kitchen is connected and I can program it with my iPhone. I have no idea why I'd want to program my blender with my iPhone, but I can. But if any of these devices has a Trojan horse or backdoor, it compromises my home office network and data. So we move people to work from home environment, we have a pandemic risk and resiliency issues there, then we got IT risks because of that, we've got increased risk of fraud because there's economic constraints and there's greater risk that employees might do the wrong thing when they normally would just try to do the good thing, we've got increased risk of bribery and corruption because there's restrictions and customs and ports are backed up, there's limited government contracts and permits, there's greater risks that somebody might bribe a foreign government official to expedite their goods through customs, there's resiliency issues around reputation and brand, around modern slavery, as in the supply chain, factories go dark, and all of a sudden, because of the pandemic and the illness, and they reopen with child labor and forced labor. I can go on and on, conduct issues. We move people to work from home environment. They're wearing their nice shirts on the video, but they might be wearing their pajama bottoms underneath the desk. They're very relaxed. They're not in the corporate office. They're saying things on Zoom calls like this that would never be allowed in the corporate conference room, that crosses the line of harassment and discrimination. So we look at this. It's an interconnected risk environment, and we have to be resilient from multiple angles and themes and see these complex risk relationships. That's the big trend right now, is, how do we model and see the complexity of risk out there, because we can't be managing risk in isolation where I'm just looking at IT security risk without thinking about the range of other risks because it is an interconnected risk environment.

Matt Kunkel: I couldn't agree with you more on that, and the ones that I would hit on are the supply chain. I think that's going to be a huge risk in 2022, the work from home environment, and that's not going away anytime soon, right, and-

Michael Rasmussen: Oh, that's even getting worse. I have a whole blog on that. We could do a whole episode just on that. But you look at the hybrid risk environment and you've got IT security risks that I've already mentioned, you've got physical security risks. What documents are being left on the desk and things that roommates and spouse and others can see? What's being said? Oh, I'm on a Zoom call in my apartment right now. What can be heard by other people in the apartment? What sensitive company information is being leaked? Customer, client, private information is being overheard that shouldn't be overheard. You go to the local coffee shop in this new hybrid environment. You look around and people are having all these business meetings and working on laptops there and exposing all sorts of information. Then you have issues of moonlighting. People are working from home and they're working multiple jobs, and there's actually been one case where somebody's actually outsourced their job to somebody overseas and is collecting the paycheck and paying them a fraction of it. There's all sorts of risks in this hybrid risk environment that we need to... I'm going to diatribe. That could be a whole nother episode.

Matt Kunkel: I couldn't agree with you more. I think the other big one too out there is, and it's been... This year has been coined as the great resignation, right? There's, I think, so much risk in just workforce management, and to be able to attract and retain amazing talent so that organizations can execute on their strategic roadmap, right, and there's a big, big, big risk from an organization perspective there. You've said that," Hey, resiliency has been around for a while now." What are the common threads that you've seen between companies that have really strong cultures of resiliency?

Michael Rasmussen: Well, for one aspect, it's being able to see across departments, good collaboration, and being able to get multiple perspectives from different department views, because to be resilient, it's not just one organization. It's like the human body. The organization is like a body. When you look at the human body, you've got the skeletal system, the muscular system, the circulatory system, the digestive system, the endocrine system, the nervous system. Each of those make the body. Within the organization, all these different departments and functions make the organization. You can't just diagnose and look at just one system. You got to look at the whole. And that's the big thing that we're seeing right now with resiliency, is it can't be just focused on one department. That's where a lot of times, business continuity disaster recovery has failed us in the past, because it was seen as an IT security issue buried in the bowels of the IT department and not truly a broader operational risk issue. And so, it's being able to see across these areas and be able to work collaboratively together. That's a key thing. Another one, which I think was one of the next things we're going to talk about, is the idea of agility, to be able to navigate to avoid issues as well, but I'll pause in talking about that till we get there.

Matt Kunkel: That is an absolutely amazing T- up and I think that both of us believe that best in class companies really have very, very, very strong resiliency in them and cultures of resiliency. But it's that next step that I want to talk about now, and it's, before resiliency, being able to understand and adapt before we have big problems happening, and we need to put that resiliency in place. And the answer there is, like we were talking about, is agility. So why is agility really important to organizations' risk management programs, and actually, how does agility relate to resiliency?

Michael Rasmussen: Well, there's a symbiotic relationship. It's like a yin and yang thing. Resiliency is this ability to recover from a risk event, spring back, get the organization running again. Agility is the ability to navigate the environment to even prevent events. If you take an analogy of running, if I'm running along and I trip, I'm falling on my face, how quickly can I get back up and start running again? That's resiliency. Agility is the ability to be able to see as I'm running and to see that obstacle I was going to trip over and to avoid it, to leap over it, to go around it. That's the idea of agility. Now, we need both because there are risk events that are going to happen, so we need to be a resilient organization, but it's better to be an agile organization to even avoid those risk events. Now, I've looked at a lot of the definitions of operational resilience around the world, the United Kingdom's at the FCA, Bank of England, and PRA operation resilience regulation, the EU DORA, Digital Operational Resilience Act, the US Bank for National Settlements and Basel guidance on operational resilience, and the US OCC guidance on operation resilience. The one I like the most is the United Kingdom's definition because it's the only one out of those four that talks about agility, not just resilience. In the definition in the UK regulation, it talks about the ability to prevent and avoid events, not just recover from events. All the others talk about recovery from event. It's the United Kingdom's that brings this idea of agility with resiliency, the ability to prevent and avoid events as well.

Matt Kunkel: On that exact topic then, what are some of the trends from an agility perspective that we're seeing in the GRC market this year, and what do you think that we'll see into 2022?

Michael Rasmussen: Well, it's to get out and look at what's happening in the world around us immediately, but also in the future. It involves things like horizon scanning for risk trends, horizon scanning for regulatory trends, monitoring geopolitical risk and developments that can impact the supply chain and things like that. There's a lot of horizon scanning and monitoring of the environment to know what's coming at us and how we can react. The other key trending aspect, and this is something you and I have discussed before, but is the need to move beyond just logical risk thinking, left brain risk thinking. That's still important. We need our quantitative risk models and things like that, and that's what risk management's been focused on in the past, is building out risk models and scenarios and things like that. And that's still extremely important. We need that. We need left brain thinking on risk, that logical and structured thinking on risk. But to add to that, we need the creative right brain thinking on risk, thinking outside the box, where are these models broken? Where are they weak? A model can never accurately represent the real world because the real world is too complex. There's too many variables around us to be able to represent in a model, so models are never precise. The best they can be is somewhat accurate. And so, we need the good right brain thinking of, how can our models be improved? What are these models not telling us? How can risk happen that we haven't really forecasted, foretold, or seen? So good agility is going to bring together our traditional left brain thinking of risk with our risk models and quantified risk analytics and our different scenario modeling with right brain risk thinking outside the box.

Matt Kunkel: Yeah, I agree with you on that, and I think the big thing too is, and you touched on this, is how do we bring all of this together, right? How do we bring things like IT and cyber risks management with vendor risk management, with compliance and regulatory risk management, with HR risk management, like we were just talking, with the work from home environment, into one succinct platform so you can get a holistic view of what the risk profile looks like for the organization and then apply some quantitative analysis and modeling over the top of it? So I think we've got time for one last question here, and really, I want to take it up one level and say, from a resiliency perspective and this concept of resiliency and this concept of agility, how does that resonate with the board within organizations, right? What trends are we seeing there, and how does agility really manifest itself from an executive and a board- level conversations?

Michael Rasmussen: So to me, the idea of agility really rings well with the board because the traditional resilience approach to risk, that's tactical, that's recover. The idea of agility is strategic because it can align to their strategic plan. How are we thinking? How are we planning? How are we budgeting? What are the objectives of the organization? And the idea of agility is allowing us to really take a risk view of those areas, to look at the uncertainty on objectives. ISO 31000 tells us, by definition, that risk is the effect of uncertainty on objectives. So as the board and various governance bodies set those objectives for the organization, agility allows us to look at the risks to those objectives and the uncertainty and what we can do about that, so it's much more strategic thinking.

Matt Kunkel: I could not agree with you more on that point. Well, Michael, I appreciate you being here on GRC& Me and talking to us and all of the listeners today about resiliency and agility and those trends that we'll see in 2022 and beyond, so thank you very much.

Michael Rasmussen: Oh, it's my pleasure.

Megan Phee: And to learn more about how to help your organization become more resilient and agile in 2022, visit logicgate. com or rcx. logicgate. com.