MetricStream-OCEG Survey Reveals Growing Need for Connected GRC Programs
GRC | 4 Min Read | 10 August 22 | by Loren Johnson
As someone who has been working in the GRC market for more than six years, it’s always interesting to tap into the trends and moods of the market and its buyers. In a former role, I built and ran annual market surveys on GRC systems, capabilities, needs, and evolving top concerns of risk and compliance professionals. This year, MetricStream collaborated with OCEG on an especially timely and topic-rich survey of GRC professionals. The outcomes are surprising, not surprising, and I believe, a strong reflection of the state of the market, all at the same time.
The survey, conducted in February 2022, was focused on GRC program readiness in a highly unpredictable and dynamic time for risk and compliance. Nearly 350 GRC professionals representing a cross-section of roles, industries, geographies, and company sizes completed a broad survey, resulting in a published report.
Download the Report: OCEG GRC Readiness for Rapid Change Survey 2022
The results show a handful of key findings and one trend that bears some analysis. Here’s a quick snapshot of a small handful of findings with data:
1. Too many organizations do not have a fully defined and documented GRC strategy. At a time when the pace and severity of risks and compliance challenges are increasing and intensifying, an organizational strategy that enables a holistic approach to managing, mitigating, and gaining advantage from risks from across the business is essential.
2. Too many GRC approaches rely on distributed, segmented, and separate systems. While virtually all GRC pundits and experts talk about the importance and urgency of investing in improved visibility, insight, and actionability across connected GRC systems, many organizations are still using separate, unlinked systems and approaches, and far too many are using software not designed to support GRC functionality.
Similarly, we also see that many respondents are still struggling with siloed programs, even while the pressure to perform increases. There is palpable recognition among respondents of the limitations of segmented systems and the vulnerabilities they create. 34% of respondents reported that siloed risk and compliance management was their greatest barrier to rapidly responding to changes in risks.
While that chart might indicate a market without clear direction and priorities, we found that many respondents are clear on what they need to address many of their challenges. And given the pace, scale, and severity of risks these days – across economic and financial risk, regulatory compliance, cybersecurity risks, third party risks, audit risks – it’s good to see that so many identify integrated processes, technologies, controls and data as so central to addressing their challenges.
3. Not surprisingly, given the data above, only 7% of respondents said they have excellent GRC capabilities today. And 47% report that their programs are good. This is, ironically, an improvement over the last few years. Yet there are still improvements to make, and most seem to recognize it.
While those points tend to show progression on data that analysts have been collecting for years about the state of the GRC marketplace, the most interesting findings to me relate to how people perceive heightened challenges from the last few years, and how their GRC programs have had to adapt to them.
This survey showed that nearly 85% of respondents report significant changes in their GRC universe in the last two years, with nearly 70% reporting increasing challenges related to employees working remotely, and 60% reporting increased data privacy and cybersecurity concerns. At the same time, nearly 20% of respondents have not acted or can’t report any changes in their programs in response to broadly acknowledged increases in risk.
In terms of adapting to these rapid changes in the risk and compliance environment, 61% of respondents indicate their organizations place maturing cyber security and data protections as very important in the next 24 months, 56% indicate maturing regulatory compliance as very important, 54% rate operational risk and business continuity strategies as very important, and just over 50% indicate audit and financial controls as very important. In fact, every element of a complete GRC program, including managing third-party risk and ESG risks, was ranked very important by at least 50% of respondents. Sadly, that’s not surprising, given the risk and compliance environment today.
The recent significant changes in the risk environment, and the recognition that GRC programs must adapt for risk-readiness and organizational resiliency, are central to how those with GRC oversight should be viewing their programs. The days of periodic risk assessments and separate risk and compliance functional teams are over. Any business that wants to rapidly adapt to risks, regulatory changes, and cybersecurity best practices must strive to unify its systems, data, policies, controls, and actions in a connected solution that enables holistic understanding, management, and advantage.
In an increasingly dynamic and unstable world, isolating risk signals in the noise, linking and aggregating data and enabling real-time insight can make the difference between organizations suffering from unexpected risks and being able to anticipate and gain an advantage from them. We are at a very interesting and consequential point in GRC maturity. GRC is a business-critical function with strategic significance for how businesses operate and succeed. Segmented and separated systems create strategic disadvantage where connected systems help deliver readiness, resiliency, and advantage.
Read the full report: Download OCEG GRC Readiness for Rapid Change Survey 2022.