Over the past year, MetricStream has spoken to numerous executives at large and small companies across industries to understand their GRC challenges and areas of concern, as well as the risks and opportunities ahead. We’ve also talked to regulators, advisory companies, government bodies, and central banks around the globe. What’s evident is that while each organization is different in terms of their culture, or speed of reaction to risk, or even digital maturity, there are several trends that are consistent across all of them.
- Disruption as the Only Constant
Disruption is one of the largest and often most under-represented risks that organizations face today. Banks, insurance firms, life sciences organizations, transportation companies, and even college admission processes are being disrupted at multiple levels.
How are organizations responding? Many are trying to predict and mitigate the risk of disruption ahead of time. A leading airline company, for instance, has created a risk-weighted customer experience where they aggregate and consolidate all their customer issues, operational issues, quality issues, and system related issues, and then align this data with their material risks and emerging risks. In doing so, they are able to proactively identify and address potential risk patterns, lapses, or gaps in customer experience that could be leveraged by the competition to disrupt the market.
Other organizations are strengthening their preparedness to deal with disruptions - both known and unknown. For instance, a large national railway provider is responding to potential market changes by prioritizing risk events related not just to internal operations, but also to customers, the economy, and the entire national logistics infrastructure. This kind of risk vigilance is essential because the organization plays a critical role in ensuring that basic amenities reach some of the most remote locations in the country. A lack of readiness for disruptions could lead to potentially life-threatening situations.
- Harmonization as the Future
Businesses are changing at an unprecedented pace. Some are being acquired, others divested. Strategic priorities are shifting, while business models are evolving. And by extension, GRC functions, processes, and tools are also changing. The key is to ensure that these changes occur in a harmonized, carefully thought-out, and phased manner.
A leading global insurance company learned this the hard way when they invested tens of millions of dollars in short-lived or “solve for now” GRC programs which resulted in multiple silos and disparate processes. Compelled to rethink their strategy, the company sought to integrate and harmonize risk management, not with a “big bang” or a “rip and replace” approach but in a phased manner. They created a solid, agile foundation of data and process frameworks that allowed multiple legacy systems to co-exist. This data foundation formed the basis of a sustainable, future-ready risk management program.
That’s one aspect of harmonization in action. The other lies in aggregating data from multiple sources, and then using it to provide risk insights in the context of business goals and strategic objectives – “context” being the operative word here. A leading investment firm understood that after struggling for a long time to aggregate different perspectives on the same risk from quality, business resilience, IT, and most importantly, business owners. They created a common risk library and taxonomy that smoothed out inconsistencies in risk communication. They also implemented a federated approach to risk management which gave them the flexibility to accommodate various risk perspectives.
- Crowdsourcing - The Front Line Knows the Lurking Risks and Opportunities
As organizations look for better risk information to guide their strategies, many are beginning to harness the knowledge and insights available in the front line. After all, it is there that emerging risks, opportunities, and hidden areas of concern are likely to be spotted. But getting that information starts with educating the front line about risk culture and expectations of ethical behavior, backed by policies. Employees need to be aware of key risks in order to mitigate them effectively.
The second step is about empowering the front lines with the information they need to make “in-stream” decisions. For example, a leading global bank has established a foundation of risk and compliance data that is fed to front-line business users as and when they make decisions. Desk traders are advised on the policy and governance implications of a trade. Retail loan sales agents are warned against certain customer segments. Third-party relationships are defined based not just on the “best deal” but on the “best value”. As a result, the front line is able to make confident, informed choices that are aligned with the organization’s risk appetite – all through a single, integrated user experience in transactional GRC systems that are built specially for the front line, i.e., non-GRC experts.
The next step in getting the front line more involved in risk management is to aggregate information from them as unobtrusively as possible. A leading mortgage financial institution successfully achieved this through a “raise your hand” program which encourages the front line to report risks and issues using an easy-to-use, intuitive system. The data is then rolled up to the second and third lines for further investigation. It’s a simple, pervasive, and effective way to gather risk information from across the organization.
- Foresight as a Competitive Advantage
The crystal ball is here. With digital information and the power of artificial intelligence, GRC functions can, to a large extent, predict risk events, prevent anomalies, and act as true strategic advisors to the business. Instead of simply policing the organization, they can actually drive business performance by providing forward-looking insights on risks and opportunities. That’s “AI for GRC” in action.
Just as important is “GRC for AI”. How do we effectively manage the risks around artificial intelligence, machine learning, and robotics – be it biases, immature technology, or incomplete data? One way is by bringing humans back into the equation. Human-assisted AI is key to better accuracy and governance in automated decision-making.
As an example, a leading social media company had been relying on AI to automatically weed out posts that weren’t politically or socially correct – till they realized that the tool was only 99% accurate. Humans had to be employed to assist the bots in making that last 1% work.
- Agility as the Future Strategy
However large and established an enterprise is, it has to be agile to keep pace with rapid changes in internal and external environments. The same applies to GRC. As the volume and velocity of information escalate even while the time for decision-making comes down, GRC programs have to be agile and adaptable – be it in terms of frameworks, processes, technologies, data models, context, data aggregation, or dissemination. Adaptability is key in responding to change without disrupting the business.
Being agile also means designing GRC programs that are driven by outcomes and value, rather than the desire to “complete” the program. GRC is an ongoing journey - its objectives will change as the business and external environment also change. By designing for outcomes, organizations can respond faster to change, and recalibrate their approach more efficiently.
A leading global technology services company started out to transform their risk program with a focus on assurance; but today, that program is being designed to drive predictability into their cash flows by aggregating risks and evaluating possible scenarios from over 65,000 customer projects. It is this focus on outcomes that has helped the company derive optimal value from their risk program.
The GRC challenges ahead are many. But so are the opportunities. For the first time, we have the tools to predict key risks with a considerable degree of accuracy. We have reports that offer us a real-time view of the big picture – how various risks influence each other and how that in turn impacts the achievement of business objectives. We have the ability to harness the potential of the front line in uncovering and mitigating risks before they snowball into bigger issues. All these opportunities open up new avenues to build a strong foundation of good governance and integrity that will ultimately power sustainable growth and success.