Innovative Governance and Compliance to Mitigate Digital-Era Risk

Innovative Governance and Compliance to Mitigate Digital-Era Risk

​

Article Abstract

This article proposes reframing risk management and governance for today’s digital era. Organizations now use modern, always-updating, interconnected, data stream-creating technologies to conduct their work. A simplified version of the Governance, Risk, and Compliance Capability Model, combined with the International Standard for risk management, could guide organizations in managing the novel risks and innovations necessary to meet new challenges posed by the modern workplace and its technologies.

 

The leading frameworks in governance, risk, and compliance were reviewed. These frameworks did not anticipate the risks of modern technologies and cloud-based technologies’ potential for stimulating innovation and compliance. Considering recent compliance failures that imperiled organizations’ value and survival, a new framework is proposed that addresses changes resilient organizations must make.

 

Public and private organizations, both large and small, could achieve better risk management, improved compliance with laws and social norms, and innovation if they adopt, effectively govern, and adapt work processes to use digital-era technology.

 

 

Introduction

Effective organizations unite governance, risk, and compliance via a framework that addresses people, processes, and technology. Following this framework helps organizations focus their personnel on the organization’s mission, so all develop a shared sense of purpose that guides effective technology adoption and adaptation. Organizations also monitor compliance with policies and procedures and improve training where compliance is found to be lacking. Yet, the leading governance, risk, and compliance framework misses one key input and output for the digital era: innovation.

 

The digital era is characterized by cloud-based, continuously updating technologies that induce fundamental change to work processes and workplace behaviors.[1] Technology now takes precedence over an organization’s people or its own processes.[2] The inability to modify modern technologies, including those that are the operating systems of Facebook, Google, and the iPhone, is a shock to organizational leaders, who have long managed by bending business processes to their will.[3] Cloud-based technologies arrive with set processes developed by others, and users must learn new ways of working each time the technologies themselves evolve.

 

With its rapid changes and automation, the digital era poses novel risks for an organization. There is danger that the organization may not understand or control the inherent challenge posed by digital-era technologies, which create a data stream from all users and processes and which interconnect users of the same technology.[4] Organizations are also jeopardized by the risk that technologies may be used in illegal or unethical ways, imperiling an organization’s legal standing, reputation, and value.

 

Innovative, digital-era technologies do not only pose risks to organizations. Use of these technologies may underpin organizational approaches to risk mitigation. New technology can make for more robust and effect monitoring of compliance with process and legal requirements. Automated compliance exercises free an organization’s personnel from procedural drudgery, giving them time to imagine and to innovate.

 

The converse is also true: compliance as assured through good governance can spur innovation, inspiring organizations to find better, novel ways to achieve business goals while adhering to the law and meeting organizational and societal expectations. The bad compliance case studies – those tales of inappropriate risk-taking and inadequate controls from boldface names like Desjardins, Facebook, Uber, and Wells Fargo – have made some organizations and their leaders afraid of innovation. However, this perceived trade-off between compliance and innovation is a false choice: compliance is required, often by law, and the need to innovate is a modern reality.

 

The organizations and businesses that arose, phoenix-like, from the smoldering rubble of the COVID19 economic meltdown were those that rapidly reinvented themselves. They employed technologies like Zoom, Teams, and WebEx to continue working virtually when stay-at-home orders shuttered offices and worksites. These innovators found new ways to sell their goods and services in a marketplace that changed overnight, for they realized that holding onto pre-2020 business processes would lead to ruin. They adapted themselves to the requirements of digital-era technologies and used these as the backbone of their innovations.

 

The challenges posed by the modern era and its technologies require uniting a risk management framework with organizational governance. This article opines that the 2020s require a new Framework for Risk Management and Governance in the Digital Era. This combined risk and governance framework is based on application of the International Standards Organization (ISO) standard for risk management, composed of three steps, and is a simplified version of the Governance, Risk, and Compliance Capability Model. The proposed new framework guides organizations to use modern, always-updating, interconnected, data stream-creating technologies to strengthen compliance with laws and social norms, thereby leading to innovation.

 

Review of Previous Governance, Risk, and Compliance Frameworks

Anthony Taratino’s definitive tome on governance, risk, and compliance (GRC) dates from 2008.[5] That handbook exhaustively examined the application of governance, risk, and compliance initiatives in a variety of industries, including the up-and-coming technology sector, and in several countries. Although Taratino did not suggest a single GRC framework that might be applied across sectors and jurisdictions, he called for a holistic approach to GRC.[6] He also pointed to the promise of technology to automate internal controls to improve compliance.[7]

 

In 2009, the Association of Accountants and Financial Professional in Business (IMA) examined at its annual conference the 2002 Sabanes-Oxley Act,[8] which required financial institutions to establish risk management activities.[9]  Authors Mark Frigo and Richard Anderson presented to the conferees their proposed Strategic Framework for Governance, Risk, and Compliance, an attempt to bring together these disciplines and to assist organizations with their Sabanes-Oxley compliance. The Frigo-Anderson Framework borrowed heavily from the 1992 enterprise risk management framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).[10] To the COSO framework, Frigo and Anderson added policy creation and risk appetite review steps, which would be set by an organization’s board and executive management.[11] However, governance was presumed to be addressed by the creation of a single risk management policy, and not via a framework of policies and procedures.

 

In 2018, the International Organization for Standardization (ISO) revised its 2009 guidelines for risk management to account better for cyber and other modern risks. [12] Described at ISO: 31000:2018, these guidelines establish a four-part standard for risk management: 1. identify risks, 2. assess the severity and likelihood of each risk, 3. develop monitoring plans for critical risks, and 4. mitigate those risks that cannot be eliminated, accepted, or transferred.[13] Whereas governance is considered in the risk identification step of risk management, it is not explicitly addressed in ISO: 31000.

 

More recently, the OCEG Governance, Risk, and Compliance (GRC) Capability Model attempted to unite the previously disparate disciplines of risk, governance, and compliance.[14] The Capability Model has four parts: learn, align, perform, and review.[15] The Model appears to presume that a team external to the organization should first learn about the organization’s context, its governance modalities, and it internal compliance efforts. Then, OCEG includes risk identification, risk assessment, and mission acknowledgment in its “align” step. In “preform,” OCEG lists many activities, including policies and procedures development, role assignment, and managerial incentives. Finally, the last step of the Model, “review,” focuses on monitoring and evaluation, which are compliance activities.

 

A New GRC Framework for a New Era

The challenges of digital-era technologies call for a new application of the ISO:31000 risk management framework to organizational governance. That combined risk and governance framework is composed of three steps and is a simplified version of OCEG’s GRC Capability Model.[16]  Below, I set out the Framework for Risk Management and Governance in the Digital Era.

 

First, assuming each organization will manage risk and develop governance structures internally, this Framework does not include OCEG’s “learn” step, which seems designed to present the organization’s structure to an external consultant. Instead, the Framework’s initial step is to identify and assess risk. This step directs the organization to consider the likelihood and severity of a possible threat to the organization. Where a likely and severe risk is foreseeable, it is a governance failure to leave a policy hole through which the organization could be adversely affected. Thus, the organization should undertake activities in risk identification, risk assessment, and mission acknowledgment.

 

Second, the organization should ensure that a policy or policies constrains identified risks. The organization must write or revise policies or procedures, to assign authority for addressing risks, and to set out responsibilities related to governance. Activities at this Framework step are policies and procedures development, role assignment, and managerial incentives.

 

As a final Framework step, to control risk, the organization should consider laws, industry regulations, and ethics, and assure compliance with these. Yet, the definition of “risk” includes both hazard and opportunity.[17] Modern risk management must allow organizations both to control and to exploit the digital era’s opportunities. The concept of innovation is added to the Framework’s last step. The very digital-era processes that pose risk to organizations may also serve to mitigate these risks. 

​

Framework Step One: Identify and Assess Foreseeable Digital-Era Risks.

Three recent examples show the risks of the digital era wrought by inadequate governance and insufficient compliance with policies and procedures. In June 2019, an employee of Desjardins Group, a Canadian banking cooperative, was accused of stealing the personal data of 2.9 million individual and corporate members, over 40 percent of the financial group’s customers.[18] The employee downloaded onto USB drives the surnames, first names, dates of birth, social insurance numbers, addresses, phone numbers, emails and other information about transactional habits and banking products held by Desjardins customers.[19] The information was transmitted to third parties on the “dark web.”[20] During the first half of the year, Canadian police investigated 450 identify fraud cases, many linked to the Desjardins data leak; more cases are anticipated.[21]

 

Desjardins management blames a rogue employee and insufficient internal security procedures for the leak, assuring the public that the employee was terminated, and the procedures strengthened.[22] However, the Privacy Commissioner of Canada and his Quebec province counterpart are investigating whether Desjardins acted in compliance with national and provincial privacy protection laws.[23] In addition, aggrieved customers have filed class action lawsuits against the organization, alleging Desjardins’ negligence in safeguarding private, consumer information.[24]

 

Contrasting with Desjardins, which may have paid inadequate attention to its own corporate procedures and Canadian law regarding data privacy, Facebook’s policies did not prohibit data harvesting from users.[25] In its public statements, Facebook misrepresented to users how their data would be used, stored, shared, and maintained, resulting in government investigation of the company.[26]

 

The Guardian newspaper first informed Facebook of unauthorized data harvesting in 2015.[27] In response to this warning, Facebook did nothing; the company developed no new policies to control for future occurrences of third-parties’ access to Facebook customers’ data. Then, in March 2018, after a massive data breach at Facebook, the US Federal Trade Commission (FTC), the US Senate Judiciary Committee, the US House Judiciary Committee, and the attorneys general of 37 American states initiated investigations of the company over its privacy policies for users’ browsing and other personal data.[28] Facebook admitted providing its users’ data to a private company, which attempted to use these data to manipulate the user beliefs and votes in a US presidential election.[29] Although the company finally announced policies to protect user data, it was too little, too late. The debacle threatened the company’s stock price and leadership, culminating on July 24, 2019 in Facebook’s $5 billion settlement with the FTC for deceiving and undermining users’ choices about protecting their data.[30] The breach of public trust also portends ill for Facebook’s future initiatives, including the company’s move into cryptocurrency.[31]

 

Like Facebook, Uber suffered the foreseeable risks of inadequate governance. The company had no policies that prohibited its staff for using customer data to harass, bully, or for personal amusement.[32] Senior Uber managers used a proprietary technology, “God View,” to track users’ ride data.[33] To retaliate against journalists who published critical reviews of the company, Uber followed the journalists and used ride information to bully them and their families.[34] For fun, Uber managers recorded users’ trips that suggested they were having “one-night stands” (sexual encounters).[35] These governance failures resulted in value loss for Uber when customers, especially women, departed in droves for Uber’s competitor, Lyft.[36]

 

Framework Step Two: Develop or Revise Policies and Procedures to Manage Risk.

If properly created, governance through a hierarchy of policies and procedures will ensure control of risks from an organization’s adoption of and adaptation to modern technologies. Governance is the people, policies, procedures, and other technologies required to manage implementation or operations, under the charge of an executive leader. [37] Governance is assured through stimulating employees’ mission focus, creating a framework of policies and procedures that governs the entire organization, establishing managerial responsibility for these policies and procedures, and compliance monitoring.

 

• Mission focus

Technology-driven risks are paramount for leaders to manage to prevent operational failure. Organizations’ governance is stretched to address and constrain situations never-before contemplated. An organization’s mission guides its governance decisions and serves as the ultimate check on the demands and risks of technology.

 

An organization’s mission is its lodestar, as demonstrated by technology taking in the United Nations. Several UN organizations have recently adopted digital-era ERPs to serve as information management systems.[38] Any ERP system had to assist the organizations to achieve their missions in human rights, health, or development in a more efficient and responsive way. The organizations’ zeal to launch their ERPs did not supplant their missions; the ERPs were merely tools for better achievement of missions.

 

Modern technology should be used throughout an organization, and not only by administrative units, to create efficiencies and to bring efficacy to achievement of the mission. That is, digital-era tech can support an organization’s intent at innovation in the areas where the organization already adds value. UN organizations such as the World Food Program did not develop blockchain technology.[39] Instead of becoming distracted at being a technology maker, the WFP became a technology taker, using the blockchain to provide food assistance to more refugees at a lower cost.[40]

 

• Creation of a whole-organization policies and procedures framework

Organizations next should develop a governance framework that manages digital-era risk. There is incredible pressure for organizations to develop a separate governance structure for their new technological systems. But governance of change, risk, and technology must be lodged within overall governance. Separate governance structures limit technology adoption and adaptation, constrain the behavior-changing potential of digital-era systems, and threaten compliance and control.

 

An organization should also ensure its current policies and procedures describe the proper and permissible use of this technology. Prior to – and not after - purchasing and implementing a technological application, the organization’s governance committee should draft new policies to cover emerging or other areas ungoverned by any current policy. If the organization is unwilling or unable to mitigate the risks related to use of modern technology, that technology must not be used.

 

Certain digital-era systems arrive with their own processes, which must be integrated within the organization’s overall procedures and ruled according to the organization’s policies. The Global Positioning System (GPS) was invented by the US military, is still paid for by the US taxpayer, but has been commercialized by a myriad of private corporations from automobile to cellular telephone makers.[41] GPS data have been incorporated for personal use in mini-quadcopters, also called drones. These drones share users’ location data the drones’ makers, who may employ these data for espionage purposes.[42] Although the US government invented the very technology used by drones, GPS’ technology maker is no longer are able to control those data and their use. In June 2018, the US Department of Defense banned purchase and use of all commercial, off-the-shelf drones because the Department “had not implemented an adequate process to assess cybersecurity risks associated with using” this technology.[43]

 

Data-leaking drones and the Desjardins hack demonstrate why, in the digital era, an organization’s governance must also include policies governing data. Organizations should devise policies on data access, sharing, use, retention, security, and disposal.[44] Standard operating procedures that describe digital-era technologies should be regularly reviewed and revised to match the constant system updates of cloud-based systems.[45]

 

• Establishment of managerial responsibility for policies and procedures

Next, organizations should foster managers’ responsibility for governance. Managers must own their policies and business processes, understanding their content and assuring their use.  Managers too should work across departments to promote their policies and procedures, to ensure that competing processes are not developed by other managers, and to defend the integrity of the organization’s governance framework.

Although managers are responsible for the accuracy of policies and procedures related to their functional areas. Business Process Experts (BPE) assist managers in the conduct of their duties as policy and business process owners. SAP, the German software company, first developed the Business Process Expert (BPE) role to test proposed software enhancements.[46] More recently, UN organizations have applied the BPE concept to their change management related to technology adoption.[47]

 

BPE unite understanding of business processes with technology applications. They must be aware of and test technology-driven procedural changes so that the organization is not caught unaware of these automatically updating features. BPE further have a critical role in assuring that their organizations can realize the efficiency potential of digital-era technologies. As process experts, BPE will keep abreast of technology-driven procedural simplifications employed by other, competing organizations. The BPE will test these simplifications with their own employers, driving reductions of staff time, effort, and expense in undertaking work processes.

 

BPE should not become siloed in their own departments, with fealty to a single middle manager who wishes to use technological applications in a way that is optimal for one department, but suboptimal for the rest of the organization. BPE will be convened together to guarantee work across departmental lines. Importantly, the BPE should report to the organization’s governance lead, to ensure that recommended procedural changes are instilled throughout the organization and controlled by the organization’s overall governance.

 

Framework Step Three: Comply and Innovate.

Finally, organizations should control digital-era risks through monitoring staff compliance – both with internal policies and procedures and with external laws and norms. Compliance is achieved through a three-pronged approach. Instead of simply waiting for a crisis to occur, an organization should proactively ensure compliance through training, especially on policies and procedures; communication, including centralization of announcements of policies and procedures change; and analysis of data on work conducted according to policies and procedures.

 

This very approach to compliance was followed by Wells Fargo to respond to the recent scandals that rocked it. Wells Fargo employees manufactured fake accounts in the names of existing customers, causing many to pay fees.[48] Appropriate policies were in place and “plenty” of ethics training was offered.[49] But these simply were ignored by an employee race to make more money and to achieve their next promotion.[50] Managers pressured employees to meet tough performance goals with no review of how these goals were met.[51] Wells Fargo lacked audits and other controls to monitor employees’ compliance with policies and procedures.[52]

 

To correct its compliance problems, Wells Fargo fired 5,300 employees and lost its CEO.[53] To prevent these issues’ recurrence, the bank made a concerted effort to improve its risk management by focusing on identifying practices that are inconsistent with the company’s policies and procedures.[54] The bank created new teams to address governance and data analytics.[55] Centralizing these teams within a more robust auditing group allows for a broader view of risk and compliance across the company. [56] Previously Wells Fargo limited its compliance personnel to “niche” areas, resulting in scandals that blossomed throughout the bank, including in its retail banking, wealth management, and foreign exchange divisions.[57] Compliance managers could cross-train Wells Fargo personnel throughout the company about expectations, laws, and consequences for failing to adhere to these.

 

• Assure innovative compliance with laws and social norms

In addition to assuring their compliance with their own policies and procedures, organizations are focused on compliance with new laws, such as the GDPR in Europe and the US Federal IT Acquisition Reform Act and the Consolidated Appropriations Act of 2017, that require protection of consumers’ data. In 2015, use of outmoded technology and insufficient attention to data security resulted in the hack of personal data of 22 million US federal government employees and applicants.[58] Hackers have since used these stolen data to open fraudulent loans, ruining the good financial standing of US employees.[59] The US Office of Personnel Management (OPM) has spent tens of millions of dollars to procure modern, security software and hardware to prevent future data breaches. However, the OPM’s inspector general found that the Office’s procurement plan lacks a strategy, cost analysis, and business case to evaluate fully the costs, benefits, and risks associated with the project.[60] In addition, a member of OPM’s congressional oversight body noted with concern OPM’s failure to comply with US laws requiring consumer data protection.[61] The predictable consequence of this compliance failure is that OPM has been stripped of many of its duties and the current US presidential administration seeks to close the Office entirely.[62]

 

However, the need to adhere to modern privacy norms is simply one of the compliance challenges de jour. Organizations too are concerned about following other laws and norms and the about the adverse effect on organizational reputations if compliance is not achieved. For example, organizations risk harm to their reputations due to association with their suppliers’ involvement in illegal activities such as fraud, collusion, and human rights abuses, including trafficking in people.

 

To manage exposure to these risks and plan for their mitigation, organizations can make innovative use of the United States’ and World Bank’s sanctions and debarment mechanisms spur their suppliers’ legal compliance.[63] Suspension and debarment are powerful, versatile legal tools for excluding contractors from competing in markets and for limiting organizational exposure to irresponsible suppliers who engage in practices not consistent with the buyers’ images.[64] Contractors are excluded to mitigate risk, including the reputational risk of doing business with a contractor perceived to lack integrity.[65]

 

When the World Bank enters into a loan agreement with a project country to implement a development project, the Bank’s anti-corruption policy is incorporated into the loan agreement. The Bank enforces this policy against subcontractors by initiating administrative proceedings through the Bank’s sanctions system.[66] If the contractor is found to have violated the policy and is debarred, the contractor’s name and brief description of the grounds for debarment are posted on the Bank’s external website.[67] The World Bank and other multilateral development banks mutually recognize each other’s debarment actions, with debarment from one bank extending to all banks.[68]

 

Like the World Bank, the United States too has a debarment and suspension regime with which federal contractors, including those with the US Agency for International Development (USAID), must comply. The US Federal Acquisition Regulation (FAR) requires US agencies to impose debarment or suspension against irresponsible contractors to protect the government’s interest.[69] Suspension and debarment actions are usually based on underlying convictions or civil judgments, such as for fraud and corruption through the civil False Claims Act and the Foreign Corrupt Practices Act.[70] Suspended and debarred contractors and their affiliates are publicly listed on a government-wide website.[71]

 

Since 2012, participation in human trafficking-related activities is also a cause for exclusion from US federal government contracts.[72] A presidential executive order and the Trafficking in Victims Protection Act (2000), as amended under the 2013 reauthorization of the Violence Against Women Act, hold USAID grantees and contractors responsible for the off-duty engagement of their employees or subcontractor employees in a commercial sex act, even if the act was legal in the jurisdiction in which it took place.[73] Consequences for violating the order and law include contractor or subcontractor termination, the termination of specific employees, or suspension and debarment from future federal contracts.[74]

 

The public vendor sanctions databases of the World Bank and the United States provide a listing of contractors that pose reputational risks to organizations that might associate with them. To mitigate these risks of the modern era, organizations should establish a policy to require their consult of these lists of poor and good actors to determine which suppliers are eligible to do business with them. Similarly, as the US Congress opined in the wake of the OPM data hack, compliance with data privacy laws “would actually help [the affected agency] secure its networks, protect the data of millions of federal employees, and better serve its customers.”[75]

 

• Innovative digital-era technologies can assist compliance, and vice versa

Compliance should not stifle an organization’s success in the digital era; to be a “technology taker,”[76] a leader in the digital era, is to be innovative. Modern technologies’ data streams can be used to spur an innovative approach to compliance. Using the very digital-era technologies they have adopted, organizations can collect and review data about which processes are being used to accomplish the organizational mission and to what effect. Via cloud-based technologies’ interconnection, costs and staffing time per process can be compared across industries, allowing organizations to benchmark themselves against their competitors. With these data, compliance with policies, procedures, and laws can be measured, perhaps finally lending a solution to the devastating organizational risk of non-compliance.[77]

 

As a foil to OPM, the US Internal Revenue Service (IRS) Criminal Investigation branch began in 2018 an initiative that uses big data about tax filing non-compliance to uncover financial crimes.[78] The IRS used new tools, individual and compiled data, and analytical methodologies to innovate while implementing its new program. This effort, along with an earlier data-based compliance program begun in 2011, achieved significant monetary savings in refund fraud, tax gap reduction, and core compliance examination activities.

 

However, organizational leaders struggle to add innovation to a risk management approach geared merely to meeting the legally required minimum and at avoiding lawsuits or disasters. Innovation is defined as going beyond the minimum required to comply with a law or norm to develop proactive responses that deliver additional value to the consumer.[79] Recently, the Conference Board surveyed 54 corporate executives about the approach to compliance - especially with the GDPR - and innovation. Many corporate executives agreed that compliance offers an opportunity for innovation,[80] but few companies said they are deploying innovation around compliance as a competitive advantage.[81] Only a fraction of Conference Board respondents (15 percent) said their company’s compliance-related changes were “innovative responses that differentiate our organization in the market/establish us a thought leader.”[82]

 

Automation of compliance brings an opportunity for innovation. Machine learning and AI free resources from compliance monitoring to invest in innovative ways of working. Because an ERP system computes employee compliance with required procedures (e.g., time limits to file expense reports or required demographic diversity in candidate panels), human resources (HR) no long need to be dedicated to monitoring these tasks. The ERP system can alert the HR department when it finds exceptions to required procedures. Provided that the organization has the correct metrics for tracking these data and the ability to apply multivariate regression analysis to understand the data,[83] HR can manage these rare exceptions instead of undertaking organization-wide audits to find them. An organization’s personnel can be shifted from policing their colleagues to seeking new business opportunities.

 

Innovation using digital era technologies also helps to mitigate digital-era risks. Lack of acceptance from users of a new or transformed service is another major risk in the digital era, and various approaches to engaging users in the development process and testing of new services and products are available to manage these risks.  Advertising and public relations firms now use artificial intelligence (AI) to collect data about public opinion and message resonance. As one such example, Delvinia is a Canadian company that developed a market research technology platform called Methodify.[84] This platform allows for customer polling in a real-time environment and instantaneous feedback from members of large, online research panels. Methodify also uses AI-powered chatbots and text-based interviews to help understand customer opinions and motivations. Organizations use the data they collect from these tools to check client satisfaction, test potential price increases, and avoid costly, ineffective advertising and marketing.[85]

 

 

Conclusion

The unmitigated risks and inadequate controls of the bad boys of the GRC world, Desjardins, Facebook, Uber, Wells Fargo, the US Department of Defense, and OPM, have reportedly caused corporate leaders to fear innovation. Instead of embracing new technologies and using these to improve GRC efforts, organizations misread the expensive lessons of scandals a la Uber to require hunkering down and charting a risk-adverse path. But, as we all experienced during the COVID19 crisis, the digital era requires innovation and will soon push aside those who fail do so. Surviving the modern age requires adopting the latest cloud-based technologies, accepting their risks, adapting to their requirements, and controlling how and for what purpose these technologies are used.

 

What about the good GRC actors? Various UN agencies, the World Bank, USAID, IRS, SAP, and Delvinia all have used modern technologies to rise to the challenge of the modern age, renovating their working processes in the process of maintaining compliance with laws and social norms. Like these innovators, other organizations can use digital-era technologies to improve compliance and manage their risks related to people and work processes. Good risk management, which necessarily includes good organizational governance, can spur use of new technologies in even more innovative ways to ensure process and legal compliance and reputational risk mitigation.

 

Though, new technologies come with inherent risks because they force upon organizations new processes to be governed and greater potential for ungoverned wrongdoing. A new Framework for Risk Management and Governance in the Digital Era is needed to unite the international standard for risk management with older operational frames for organizational governance and compliance. This novel, three-step GRC framework will guide organizations in their use of digital-era technologies to strengthen compliance with laws and social norms.

 

First, successful management of risks depends on focusing an organization’s people on common, joint mission. Then, organizational leaders should ensure policies and procedures related to new technologies are written to constrain foreseeable risk, to assign authority for addressing it, to set out responsibilities related to it, and to follow the organization’s set policies and procedures about it. Last, assurance must be had that the organization’s use of technology complies with the legal norms and social expectations of operating in the digital age.

 

The tools of the digital era can be deployed to automate compliance activities, moving organizational effort away from annual audits and to daily, routine monitoring and analysis of procedural exceptions. Organizations thus can use technologies to innovate, to maintain their competitiveness, and to evolve to meet unprecedented challenges. The reverse is also true: compliance can stimulate innovation. Digital-era technologies’ data streams, interconnection, and constant revision suggest a world of opportunity beyond merely controlling bad actors and decreasing costs. As agile, creative organizations have found, use of artificial intelligence and data mining allows for real-time reactions to consumer demands and for the creation of value. These innovations permit organizations to survive modern risks and to thrive in the digital era.

 

 

Innovation is an expected output an organization’s application of the new GRC framework. Liberated from the need to review compliance logs manually and confident the whole of the organization – including the technologies it employs – is well governed by the same policies regarding risk taking, an organization’s leaders have time and ability to innovate. When the marketplace demands, organizations can offer new goods or services, or offer the same goods and services but in new ways. And, should social distancing become the expected social norm or the legally required mandate, organizations can use the power of new technologies and the solid mooring of a renovated GRC framework to comply with these expectations and to continue to meet the surprises and challenges of the new decade.

 

Endnotes

 

[1] See Jens Flanding, Genevieve Grabman, and Sheila Cox, The Technology Takers: Leading Change In The Digital Era (Emerald: 2018) at 2. The Technology Takers describes five plays, including governance, for adapting to the digital era. See id. at 81 – 94. This paper expands concepts introduced in the governance play.

[2] See id.

[3] Id. at xvi.

[4] See id. at 20.

[5] Anthony Taratino, ed., The Governance, Risk, and Compliance Handbook: Technology, Finance, Environmental, and International Guidance and Best Practices (2008).

[6] Id. at 30.

[7] Id. at 34.

[8] United States Code (2002), 'Sarbanes-Oxley Act of 2002, PL 107-204, 116 Stat 745' , Codified in Sections 11, 15, 18, 28, and 29 USC .

[9] See Mark L. Frigo and Richard J. Anderson, A Strategic Framework for Governance, Risk, and Compliance, Strategic Finance (Feb. 2009), available at https://sfmagazine.com/wp-content/uploads/sfarchive/2009/02/STRATEGIC-MANAGEMENT-A-Strategic-Framework-for-Governance-Risk-and-Compliance.pdf.

[10] COSO, Applying COSO’s ERM-Integrated Framework (2017) at 7, available at https://www.coso.org/Documents/COSO-ERM-Presentation-September-2017.pdf.  

[11] See Frigo and Anderson.

[12] See International Organization for Standardization (ISO), ISO: 31000:2018 Risk management - Guidelines, available at https://www.iso.org/standard/43170.html.

[13] See id.

[14] OCEG, GRC Capability Model (2019), available at https://go.oceg.org/grc-capability-model-red-book. 

[15] See id. 

[16] See id. 

[17] See ISO:31000:2018 at 3 “Terms and Definitions.”

[18] See Jérôme Labbé, Vol massif de données personnelles chez Desjardins, Radio-Canada (June 20, 2019), available at https://ici.radio-canada.ca/nouvelle/1193006/caisses-populaires-desjardins-vol-donnees-personnelles.

[19] See id.

[20] See id.

[21] See id.

[22] See Christopher Reynolds, Desjardins says info for 2.9M members shared outside of organization, CTV News (June 20, 2019), available at https://www.ctvnews.ca/canada/desjardins-says-info-for-2-9m-members-shared-outside-of-organization-1.4475253.

[23] See Rachel Aiello, MPs holding emergency meeting on massive Desjardins data breach, CTV News (July 15, 2019), available at https://www.ctvnews.ca/politics/mps-holding-emergency-meeting-on-massive-desjardins-data-breach-1.4508559.

[24] See Christopher Reynolds, Privacy watchdogs launch probe over Desjardins data breach, Global News (July 8, 2019), available at https://globalnews.ca/news/5473060/desjardins-privacy-breach-investigation/.

[25] See Aric Jenkins, Facebook Just Revealed 3 Major Changes to Its Privacy Settings, Time Magazine (March 28, 2018), available at https://time.com/5218395/facebook-privacy-settings-changes-cambridge-analytica/.

[26] See Alix Langone, Facebook’s Cambridge Analytica Controversy Could Be Big Trouble for the Social Network. Here’s What to Know, Time Magazine (March 20, 2018), available at https://time.com/5205314/facebook-cambridge-analytica-breach/.

[27] See Olga Kharif, Why (Almost) Everybody Hates Facebook’s Cryptocurrency Libra, Washington Post (July 16, 2019), available at https://www.washingtonpost.com/business/why-almost-everybody-hates-facebooks-cryptocurrency-libra/2019/07/16/53c584ca-a787-11e9-8733-48c87235f396_story.html.

[28] See Tony Romm, Facebook, Google and other big tech giants are about to face a ‘reckoning,’ state attorneys general warn, Washington Post (March 15, 2019), available at https://www.washingtonpost.com/technology/2019/03/15/facebook-google-other-big-tech-giants-are-about-face-reckoning-state-attorneys-general-warn/.

[29] See Tony Romm and Elizabeth Dwoskin, U.S. regulators have met to discuss imposing a record-setting fine against Facebook for privacy violations, Washington Post (Jan. 18, 2019), available at https://www.washingtonpost.com/technology/2019/01/18/us-regulators-have-met-discuss-imposing-record-setting-fine-against-facebook-some-its-privacy-violations/.

[30] See Tony Romm, U.S. government issues stunning rebuke, historic $5 billion fine against Facebook for repeated privacy violations, Washington Post (July 24, 2019), available at https://www.washingtonpost.com/technology/2019/07/24/us-government-issues-stunning-rebuke-historic-billion-fine-against-facebook-repeated-privacy-violations/.

[31] See Robert Schmidt et al., Facebook’s Crypto Plan Called ‘Delusional’ as Senate Digs In, Bloomberg.com (July 16, 2019), available at https://www.bloomberg.com/news/articles/2019-07-16/facebook-gets-sharp-questions-as-senators-tee-off-on-crypto-plan.

[32] See Will Evans, Uber said it protects you from spying. Security sources say otherwise, Reveal News from the Center for Investigative Reporting (Dec. 12, 2016), available at https://www.revealnews.org/article/uber-said-it-protects-you-from-spying-security-sources-say-otherwise/.

[33] See Brian Fung, Uber settles with FTC over allegations it failed to protect customer data, Washington Post (Aug. 15, 2017), available at https://www.washingtonpost.com/news/the-switch/wp/2017/08/15/uber-is-settling-with-the-ftc-in-a-major-case-over-privacy-and-security/.

[34] See Johana Bhuiyan and Charlie Warzel, "God View": Uber Investigates Its Top New York Executive For Privacy Violations, BuzzFeed News (Nov. 18, 2014), available at https://www.buzzfeednews.com/article/johanabhuiyan/uber-is-investigating-its-top-new-york-executive-for-privacy#.qs5GAa7dV7. 

[35] See Derrick Harris, The one-night stand, quantified and visualized by Uber, GIGAOM.com (Mar. 26, 2012), available at https://gigaom.com/2012/03/26/uber-one-night-stands.

[36] See Jefferson Graham, Vows to 'delete Uber' weren't just talk: Uber loses market share to Lyft after year of scandal, USA Today (May 15, 2018), available at https://www.usatoday.com/story/tech/talkingtech/2018/05/15/uber-lost-market-share-lyft-after-year-scandals-emarketer-says/612348002/.

[37] See Flanding at al. at 81.

[38] See  UNLOCK/UNSSC, Case Study Series: Delivering Successful Change with Enterprise Resource Planning Systems (2018), available at https://www.unssc.org/sites/unssc.org/files/case_study_series1.pdf.

[39] See Raul Zambrano et al., Connecting Refugees to Aid through Blockchain-Enabled ID Management: World Food Programme’s Building Blocks, GovLab Case Study (Oct. 2018), available at https://blockchan.ge/blockchange-resource-provision.pdf.

[40] See id.

[41] See  Mark Sullivan, A brief history of GPS, PCWorld (2018), available at https://www.pcworld.com/article/2000276/a-brief-history-of-gps.html.

[42] See Sarah Ludwig, Drones: A Security Tool, Threat and Challenge, Security (Mar 9, 2018), available at https://www.securitymagazine.com/articles/88803-drones-a-security-tool-threat-and-challenge.

[43] See Gidget Fuentes, Pentagon Grounds Marines' 'Eyes in the Sky' Drones Over Cyber Security Concerns, USNI News (Jun 6, 2018), available at https://news.usni.org/2018/06/18/pentagon-grounds-marines-eyes-sky-drones-cyber-security-concerns.

[44] Flanding et al. at 87.

[45] Id.

[46] See Corinne Reisert et al., How to Move from Paper to Impact in Business Process Management: The Journey of SAP, BUSINESS PROCESS MANAGEMENT CASES. MANAGEMENT FOR PROFESSIONALS 21- 26 (2018).

[47] See UNLOCK/UNSSC at 30.

[48] See Emily Glazer, Wells Fargo Is ‘Working Hard’ to ‘Rebuild Trust,’ The Wall Street Journal (Jan. 30, 2019), available at https://www.wsj.com/articles/wells-fargo-is-working-hard-to-rebuild-trust-11548886641.

[49] See Joe Mont, The many compliance lessons of Wells Fargo, Compliance Week (Sept. 20, 2016), available at https://www.complianceweek.com/the-many-compliance-lessons-of-wells-fargo/2923.article

[50] See Glazer.

[51] See id.

[52] See Emily Glazer and Robert Barba, Well Fargo’s Chief Administrative Officer, Auditor on Leaves of Absence, The Wall Street Journal (Oct. 24, 2018), available at https://www.wsj.com/articles/wells-fargos-chief-administrative-officer-auditor-on-leaves-of-absence-1540414804.

[53] Id.

[54] See Kristin Broughton, Wells Fargo Breaks Down Internal Audit Silos to Fend Off Scandals, The Wall Street Journal (Feb. 1, 2019), available at https://www.wsj.com/articles/wells-fargo-breaks-down-internal-audit-silos-to-fend-off-scandals-11549061368.

[55] See id.

[56] See id.

[57] See id.

[58] See Maryland woman pleads guilty to using IDs from massive U.S government hack, Reuters.com (Jun 18, 2018), https://www.reuters.com/article/us-usa-cybersecurity-opm/maryland-woman-pleads-guilty-to-using-ids-from-massive-us-government-hack-idUSKBN1JF09D.

[59] See id.

[60] See Jason Miller, 3 years after data breach, OPM still struggling to modernize IT, FederalNewsRadio.com (Feb 27, 2018), https://federalnewsradio.com/opm/2018/02/three-years-after-data-breach-opm-still-struggling-to-modernize-its-it.

[61] See id.

[62] See Eric Yoder, Personal information for 22 million people was exposed. A court blames a federal agency, Washington Post (June 25, 2019), available at https://www.washingtonpost.com/politics/personal-information-for-22-million-people-was-exposed-a-court-blames-a-federal-agency/2019/06/25/543d63e4-9767-11e9-8d0a-5edd7e2025b1_story.html.

[63] UNDP/CIPS, Strategic Diploma in Public Procurement Student Handbook (2015) at 200.

[64] Nathaniel E. Castellano, Suspensions, Debarments, and Sanctions: A Comparative Guide to United States and World Bank Exclusion Mechanisms, 45 PUB. CON. L. J. 403-46: 406 (2016).

[65] Id. at 409.

[66] See id. at 405.

[67] See Procurement - World Bank Listing of Ineligible Firms & Individuals (2019), available at https://www.worldbank.org/en/projects-operations/procurement/debarred-firms.

[68] See id.

[69] FAR, 48 C.F.R. § 52.222-50 (2014) at 9.402(b).

[70] Castellano at 414.

[71] See US System for Award Management, Search Records (2019), available at https://www.sam.gov/SAM/pages/public/searchRecords/advancedPIRSearch.jsf.

[72] See Exec. Order No. 13,627, 77 Fed. Reg. at 60,031.

[73] See Exec. Order No. 13,627, 77 Fed. Reg. at 60,031.

[74] See FAR.

[75] See Maryland woman pleads guilty to using IDs from massive U.S government hack, Reuters.com, (Jun 18, 2018), https://www.reuters.com/article/us-usa-cybersecurity-opm/maryland-woman-pleads-guilty-to-using-ids-from-massive-us-government-hack-idUSKBN1JF09D (last visited Aug 21, 2018).

[76] Jens Flanding, Genevieve Grabman, and Sheila Cox, The Technology Takers: Leading Change In The Digital Era (2019) at xv (“[t]o be a technology taker is to asset to the behavior transforming benefits of modern technologies”).

[77] See Hui Chen and Eugene Soltes, Why Compliance Programs Fail—and How to Fix Them, HARVARD BUSINESS REVIEW (Mar. - Apr. 2018), available at https://hbr.org/2018/03/why-compliance-programs-fail. 

[78] See comments of Todd Egass, Director of Technology, Operations, and Investigative Services, IRS at The IRS’ Modern Use of Artificial Intelligence and Big Data in Tax Enforcement, Continuing Legal Education Seminar, American Bar Association (Dec. 5, 2018).

[79] See Susan Getgood, Innovate or Hunker Down: What Executives Think about Data Privacy, Security, and Regulation, The Conference Board Marketing and Communications Center (Mar. 2019) at 3.

[80] See id. at 6.

[81] See id. at 1.

[82] See id. at 5.

[83] See Chen and Soltes.

[84] See Delvinia at http://www.methodify.it (accessed on July 19, 2019). 

[85] See emailed communication from Ana Tacket of spPR Inc. on July 17, 2019 (regarding clients Delvinia and Research for Good).

 

 

References

1. Aiello, R., MPs holding emergency meeting on massive Desjardins data breach, CTV News (July 15, 2019). Retrieved from https://www.ctvnews.ca/politics/mps-holding-emergency-meeting-on-massive-desjardins-data-breach-1.4508559.

2. Bhuiyan, J., & Warzel, C., "God View": Uber Investigates Its Top New York Executive for Privacy Violations, BuzzFeed News (Nov. 18, 2014). Retrieved from https://www.buzzfeednews.com/article/johanabhuiyan/uber-is-investigating-its-top-new-york-executive-for-privacy#.qs5GAa7dV7. 

3. Broughton, K., Wells Fargo Breaks Down Internal Audit Silos to Fend Off Scandals, The Wall Street Journal (Feb. 1, 2019). Retrieved from https://www.wsj.com/articles/wells-fargo-breaks-down-internal-audit-silos-to-fend-off-scandals-11549061368.

4. Castellano, N.E., Suspensions, Debarments, and Sanctions: A Comparative Guide to United States and World Bank Exclusion Mechanisms, 45 Public Contracts Law Journal 403-46 (2016).

5. Chen, H., & Soltes, E., Why Compliance Programs Fail—and How to Fix Them, Harvard Business Review (Mar. - Apr. 2018). Retrieved from https://hbr.org/2018/03/why-compliance-programs-fail. 

6. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Applying COSO’s ERM-Integrated Framework (2017). Retrieved from https://www.coso.org/Documents/COSO-ERM-Presentation-September-2017.pdf.  

7. Delvinia at http://www.methodify.it (accessed on July 19, 2019). 

8. Egass, T., The IRS’ Modern Use of Artificial Intelligence and Big Data in Tax Enforcement, Continuing Legal Education Seminar, American Bar Association (Dec. 5, 2018).

9. Evans, W., Uber said it protects you from spying. Security sources say otherwise, Reveal News from the Center for Investigative Reporting (Dec. 12, 2016). Retrieved from https://www.revealnews.org/article/uber-said-it-protects-you-from-spying-security-sources-say-otherwise/.

10. Flanding J., Grabman G., & Cox S., The Technology Takers: Leading Change in the Digital Era (Emerald: 2018).

11. Frigo, M.L. & Anderson, R.J., A Strategic Framework for Governance, Risk, and Compliance, Strategic Finance (Feb. 2009). Retrieved from https://sfmagazine.com/wp-content/uploads/sfarchive/2009/02/STRATEGIC-MANAGEMENT-A-Strategic-Framework-for-Governance-Risk-and-Compliance.pdf.

12. Fuentes, G., Pentagon Grounds Marines' 'Eyes in the Sky' Drones Over Cyber Security Concerns, USNI News (Jun 6, 2018). Retrieved from https://news.usni.org/2018/06/18/pentagon-grounds-marines-eyes-sky-drones-cyber-security-concerns.

13. Fung, B., Uber settles with FTC over allegations it failed to protect customer data, Washington Post (Aug. 15, 2017). Retrieved from https://www.washingtonpost.com/news/the-switch/wp/2017/08/15/uber-is-settling-with-the-ftc-in-a-major-case-over-privacy-and-security/.

14. Getgood, S., Innovate or Hunker Down: What Executives Think about Data Privacy, Security, and Regulation, The Conference Board Marketing and Communications Center (Mar. 2019).

15. Glazer E., & Barba, R., Well Fargo’s Chief Administrative Officer, Auditor on Leaves of Absence, The Wall Street Journal (Oct. 24, 2018). Retrieved from https://www.wsj.com/articles/wells-fargos-chief-administrative-officer-auditor-on-leaves-of-absence-1540414804.

16. Glazer, E., Wells Fargo Is ‘Working Hard’ to ‘Rebuild Trust,’ The Wall Street Journal (Jan. 30, 2019). Retrieved from https://www.wsj.com/articles/wells-fargo-is-working-hard-to-rebuild-trust-11548886641.

17. Graham, J., Vows to 'delete Uber' weren't just talk: Uber loses market share to Lyft after year of scandal, USA Today (May 15, 2018). Retrieved from https://www.usatoday.com/story/tech/talkingtech/2018/05/15/uber-lost-market-share-lyft-after-year-scandals-emarketer-says/612348002/.

18. Harris, D., The one-night stand, quantified and visualized by Uber, GIGAOM.com (Mar. 26, 2012). Retrieved from https://gigaom.com/2012/03/26/uber-one-night-stands.

19. International Organization for Standardization (ISO), ISO: 31000:2018 Risk management - Guidelines. Retrieved from https://www.iso.org/standard/43170.html.

20. Jenkins, A., Facebook Just Revealed 3 Major Changes to Its Privacy Settings, Time Magazine (March 28, 2018). Retrieved from https://time.com/5218395/facebook-privacy-settings-changes-cambridge-analytica/.

21. Kharif, O., Why (Almost) Everybody Hates Facebook’s Cryptocurrency Libra, Washington Post (July 16, 2019). Retrieved from https://www.washingtonpost.com/business/why-almost-everybody-hates-facebooks-cryptocurrency-libra/2019/07/16/53c584ca-a787-11e9-8733-48c87235f396_story.html.

22. Labbé, J., Vol massif de données personnelles chez Desjardins, Radio-Canada (June 20, 2019). Retrieved from https://ici.radio-canada.ca/nouvelle/1193006/caisses-populaires-desjardins-vol-donnees-personnelles.

23. Langone, A., Facebook’s Cambridge Analytica Controversy Could Be Big Trouble for the Social Network. Here’s What to Know, Time Magazine (March 20, 2018). Retrieved from https://time.com/5205314/facebook-cambridge-analytica-breach/.

24. Ludwig, S., Drones: A Security Tool, Threat and Challenge, Security (Mar 9, 2018). Retrieved from https://www.securitymagazine.com/articles/88803-drones-a-security-tool-threat-and-challenge.

25. Miller, J., 3 years after data breach, OPM still struggling to modernize IT, FederalNewsRadio.com (Feb 27, 2018). Retrieved from https://federalnewsradio.com/opm/2018/02/three-years-after-data-breach-opm-still-struggling-to-modernize-its-it.

26. Mont, J., The many compliance lessons of Wells Fargo, Compliance Week (Sept. 20, 2016). Retrieved from https://www.complianceweek.com/the-many-compliance-lessons-of-wells-fargo/2923.article

27. OCEG, GRC Capability Model (2019). Retrieved from https://go.oceg.org/grc-capability-model-red-book. 

28. Reisert C., et al., How to Move from Paper to Impact in Business Process Management: The Journey of SAP, Business Process Management Cases: Management for Professionals (Springer: 2018).

29. Reuters, Maryland woman pleads guilty to using IDs from massive U.S government hack, Reuters.com (June 18, 2018). Retrieved from https://www.reuters.com/article/us-usa-cybersecurity-opm/maryland-woman-pleads-guilty-to-using-ids-from-massive-us-government-hack-idUSKBN1JF09D.

30. Reynolds, C., Desjardins says info for 2.9M members shared outside of organization, CTV News (June 20, 2019). Retrieved from https://www.ctvnews.ca/canada/desjardins-says-info-for-2-9m-members-shared-outside-of-organization-1.4475253.

31. Reynolds, C., Privacy watchdogs launch probe over Desjardins data breach, Global News (July 8, 2019). Retrieved from https://globalnews.ca/news/5473060/desjardins-privacy-breach-investigation/.

32. Romm, T., Facebook, Google and other big tech giants are about to face a ‘reckoning,’ state attorneys general warn, Washington Post (March 15, 2019). Retrieved from https://www.washingtonpost.com/technology/2019/03/15/facebook-google-other-big-tech-giants-are-about-face-reckoning-state-attorneys-general-warn/.

33. Romm, T., U.S. government issues stunning rebuke, historic $5 billion fine against Facebook for repeated privacy violations, Washington Post (July 24, 2019). Retrieved from https://www.washingtonpost.com/technology/2019/07/24/us-government-issues-stunning-rebuke-historic-billion-fine-against-facebook-repeated-privacy-violations/.

34. Room, T., & Dwoskin, E., U.S. regulators have met to discuss imposing a record-setting fine against Facebook for privacy violations, Washington Post (Jan. 18, 2019). Retrieved from https://www.washingtonpost.com/technology/2019/01/18/us-regulators-have-met-discuss-imposing-record-setting-fine-against-facebook-some-its-privacy-violations/.

35. Schmidt, R., et al., Facebook’s Crypto Plan Called ‘Delusional’ as Senate Digs In, Bloomberg.com (July 16, 2019). Retrieved from https://www.bloomberg.com/news/articles/2019-07-16/facebook-gets-sharp-questions-as-senators-tee-off-on-crypto-plan.

36. Sullivan, M., A brief history of GPS, PCWorld (2018). Retrieved from https://www.pcworld.com/article/2000276/a-brief-history-of-gps.html.

37. Tacket, A., spPR Inc. (July 17, 2019) (emailed communication regarding clients Delvinia and Research for Good).

38. Taratino, A. ed., The Governance, Risk, and Compliance Handbook: Technology, Finance, Environmental, and International Guidance and Best Practices (Wiley: 2008).

39. UNDP/CIPS, Strategic Diploma in Public Procurement Student Handbook (2015).

40. UNLOCK/UNSSC, Case Study Series: Delivering Successful Change with Enterprise Resource Planning Systems (2018). Retrieved from https://www.unssc.org/sites/unssc.org/files/case_study_series1.pdf.

41. US Exec. Order No. 13,627, 77 Fed. Reg. at 60,031.

42. US Federal Acquisition Regulation (FAR), 48 C.F.R. § 52.222-50 (2014).

43. US Sarbanes-Oxley Act of 2002, PL 107-204, 116 Stat 745.

44. US System for Award Management, Search Records (2019). Retrieved from https://www.sam.gov/SAM/pages/public/searchRecords/advancedPIRSearch.jsf.

45. World Bank, Procurement - World Bank Listing of Ineligible Firms & Individuals (2019). Retrieved from https://www.worldbank.org/en/projects-operations/procurement/debarred-firms.

46. Yoder, E., Personal information for 22 million people was exposed. A court blames a federal agency, Washington Post (June 25, 2019). Retrieved from https://www.washingtonpost.com/politics/personal-information-for-22-million-people-was-exposed-a-court-blames-a-federal-agency/2019/06/25/543d63e4-9767-11e9-8d0a-5edd7e2025b1_story.html.

47. Zambrano, R., et al., Connecting Refugees to Aid through Blockchain-Enabled ID Management: World Food Programme’s Building Blocks, GovLab Case Study (Oct. 2018). Retrieved from https://blockchan.ge/blockchange-resource-provision.pdf.