We live in a world where markets, economies, and business networks are so deeply interconnected that a single risk event can cause widespread disruption. We saw it with the Equifax data breach, Brexit, the migrant crisis, and various political upheavals whose implications extended far beyond local boundaries.
Risks themselves are becoming more interconnected. The World Economic Forum’s report on the top risks of 2017 emphasized how deep the links are between risks such as unemployment and social instability. Even regulatory enforcement risks are crossing boundaries, as is evident through corporations being fined by cross-jurisdictional regulators. Today, compliance risks are not just compliance risks; they are also reputational risks, strategic risks, and financial risks. Understanding these interconnections will be crucial to building risk maturity.
GRC intelligence drives business performance
For years, GRC was about assurance, controls, and compliance. But today, that is changing. GRC professionals are increasingly being given a seat at the company strategy table, the revenue generating side. Decision-makers need them to interpret risk profiles and data, and provide intelligence on how to increase revenue and sales.
Soon, operating controls will not only help mitigate operational risk, but also enable faster go-to-market opportunities. Similarly, vendor risk management won’t just be about calculating vendor risks, but also tying those metrics to vendor performance and chargebacks. The emphasis, more and more, will be on linking GRC to business performance.
Simplicity and efficiency
With the advent of a younger workforce and technologies such as the cloud and mobility, the emphasis is on the consumerization of software. People want simple and contextual apps on their smartphones, available to them anywhere, anytime – even in their GRC activities. Efficiency is also becoming important. An energy company experienced a 90% reduction in the time taken to manage compliance activities. A bank minimized the number of controls by 10,000, thereby re-routing hundreds of employees to revenue-generating activities. All these benefits were gained with better GRC efficiency. Personalization is another emerging trend. People want GRC insights that are customized to their roles and responsibilities instead of generic reports or analytics. In response, companies need to be able to implement tools and technologies that can meet these requirements.
Big data, robotics, the cloud, and artificial intelligence have implications for GRC
AI holds tremendous potential to automate daily risk activities, and rationalize costs. Blockchain technology will enable companies to manage and share GRC information faster than ever, whether it is around vendor risk assessments or continuous auditing. Robotics is all about automation, increasing efficiency and providing intelligence that cannot be seen with the human eye. The cloud, in turn, is enabling the seamless flow of data.
However, the challenge, as well as the opportunity with these new technologies lies in the variety, volume, and velocity of information generated. There are terabytes of unstructured information where nuggets of risk intelligence can be found – and the time it now takes to process intelligence from large volumes of data is shrinking. This is key for filtering and contextualizing data for the right insights.
Today, companies need to know less about what happened, and more about what is happening, what is likely to happen, and what needs to be done – the possible scenarios, decisions, and constraints. They also need to be able to tie all this information back to their core business performance. Risk analytics will be key to achieving these objectives.
"For years, GRC was about assurance, controls, and compliance. But today, that is changing. GRC professionals are increasingly being given a seat at the company strategy table, the revenue generating side."
Integrated GRC holds the power to bring everything together
It’s tempting to manage risks in silos. But if companies want to move up the risk maturity curve, they need to find ways of tying various GRC elements together. For years, GRC programs were largely unstructured, fragmented, and lacking in flexibility and accountability. However, recent research found that 70% of organizations now have a strategy for GRC integration and collaboration.
When the same respondents were asked about the benefits of integrated GRC, 70% reported reduced gaps in risk and compliance processes, 52% reported reduced impact on operations from siloed and uncoordinated risk assessments, and 46% reported greater ability to present consolidated, meaningful information and analyses. Enabling these benefits will require companies to embark on a phased journey towards integrated GRC with a well-thought-out road map, processes, and technologies.
The focus on culture has increased
Today, there is a growing awareness that if enterprises want to retain their license to operate, and achieve their business objectives, while following regulations and managing risks, they need to have a number of different risk management and compliance groups in place – ranging from the board risk and audit committees, to ethics and governance, safety, security, and compliance.
Under audit, there may be divisions for internal audit, operational audit, and supplier audit. Compliance, in turn, might be divided into regulatory compliance, corporate compliance, legal compliance, and case management. Essentially, GRC needs to touch almost every part of the organization. It needs to be at the heart of corporate culture.
Risk management is being driven down to the frontlines
The trend of empowering the first line of defense in GRC began in the non-banking world because companies were dealing with multiple operational issues on the ground, and didn’t have a formal risk management function. But today, increasingly in financial services, we are seeing enterprises push more risk management responsibilities down to the front lines. That is where the action is in terms of actual risk assessments, control testing, issue management, policy attestations, and compliance.
The second line is where the risk program is being managed in terms of planning and budgeting, governance and review, GRC libraries, policy building, and executive reporting.
The third line is where results are being audited and assured in terms of risk assessment reviews, as well as assurance reviews and signoffs. But the focus is really on the first line – both from a technology and process perspective. That frees up the second line to focus on ensuring that accurate risk management frameworks are in place, risk plans are appropriate, and effective GRC libraries are being created to scale across the organization.
GRC partnerships matter
As the world becomes more complex, enterprises need a range of GRC skills and capabilities that may not all be present with a single provider or a single business function. Some may lie with a consulting firm, others with a data or content firm, and still others with a technology platform provider or a system integrator. Going forward, the emphasis will be on how we can bring more of these companies and their capabilities together in a single, comprehensive GRC community – one that fosters open and transparent communication, and enables people to learn from each other’s best practices and mistakes.
The author is COO, MetricStream.
Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).