Organizations today face a powerful cocktail of risks. On one hand, regulations are constantly changing even as regulatory scrutiny and fines increase. On the other hand, digital risks are escalating as emerging technologies like artificial intelligence (AI) and the internet of things grow more pervasive. Meanwhile, as workforces change, policies and training programs have to be kept up to date to ensure that employees remain compliant. As new technologies are integrated, new risks have to be monitored, be it potential data breaches from smart connected devices or data biases in AI-powered systems. As third-party ecosystems grow more complex, due diligence and monitoring processes have to be strengthened. All these shifts, coupled with geopolitical risks, cybersecurity threats, and other issues, demand that organizations be agile in their GRC programs. The faster they can respond to risks and adapt to new compliance requirements, the more resilient and high-performing their enterprises will be.
Here are four important steps that organizations can take to strengthen the agility and adaptability of their GRC programs:
Look at the Big Picture
It’s no longer enough to manage risks in silos. Everything today is interconnected. Cyber risks, third-party risks, regulations like GDPR, quality standards, controls, business performance objectives – they are all enmeshed, each one influencing and being influenced by the others. A seemingly minor issue like an unpatched vulnerability could end up being a major business problem, simply because of its impact on other business risks, much like a domino effect. Therefore, the first step in strengthening GRC agility is to look at the larger picture – to understand not just the individual risk and its impact, but also how it connects to everything else in the risk and control universe, as well as the compliance, audit, and business universes. Management teams and boards need an integrated, 360-degree view of GRC in order to skillfully navigate their organization through the risks and opportunities ahead. If each business or assurance function uses a separate system and taxonomy to assess and report risks, confusion and chaos are likely to result. Integrated GRC technology, on the other hand, brings everything together. It provides an overarching framework and data library that can be used by the risk function, as well as compliance, IT security, audit, legal, and the business, to facilitate collaboration, insight, and intelligence. Context is important here. Third parties, for instance, need to be monitored not just against internal risk issues, but also against external data feeds such as corruption indices or alerts on politically exposed persons. Risks need to be assessed against strategic, process, and department objectives. Issues need to be analyzed in terms of the controls that have failed, as well as the policy gaps that need to be addressed. The key is to be able to join the dots.
By leveraging a common information architecture to map internal and external data, organizations can derive contextual, meaningful intelligence to drive business performance, growth, and success.
To be agile and to make decisions faster, organizations need timely insights and intelligence. Risk and compliance information from across business units and departments needs to be captured, aggregated, sorted, and rolled up to management and the board, not just once a year, or even once a quarter, but as close to real time as possible. This kind of proactive reporting becomes difficult with spreadsheets, documents, and emails. Just reconciling information from all these sources can take weeks, leaving GRC practitioners with little time to actually analyze the data and draw out trends. In the process, reporting gets delayed. And without up-to-date insights on risk, management teams cannot proactively address festering issues, be it a sudden spike in internal harassment complaints or a looming IT security threat. Today, the C-suite is being held personally accountable for risk and compliance failures. Facebook CEO Mark Zuckerberg is now expected to certify that the social network is following federal consumer privacy rules. Senator Elizabeth Warren recently introduced new legislation that could hold tech executives responsible for data breaches. Trends like these make it all the more important for executives to be armed with real-time risk intelligence, not just on existing risks, but on emerging ones too. Foresight is critical. How does one anticipate and predict those “unknown unknowns”? Advances in AI, machine learning, and big data analytics are making this possible by enabling business leaders to slice, dice, and compare large volumes of information in a way that uncovers potential hidden risks. Tools like these will be critical for organizations to make swift, well-informed decisions in an age of constant change and disruption.
Engage the First Line of Defense
A truly agile GRC program doesn’t just focus on the second and third lines of defense. It also includes the first line. The nurse at the hospital, the teller at the bank, the driller on an oil rig, the insurance agent out in the field – all of them make key risk and compliance decisions every day. And as the front line of the organization, they are more likely than most to spot emerging risks, issues, and concerns. Therefore, engaging them in GRC should be a top priority. Many organizations are tying performance incentives to risk mitigation and issue resolution as a way of motivating employees to be more risk-aware and compliant. Others are finding ways to make GRC simpler and more engaging – for instance, providing mobile-based policy training programs that employees can take anywhere, anytime. In another example, a leading global bank has established a foundation of risk and compliance data that is fed to front-line business users as and when they make decisions. Desk traders are advised on the policy and governance implications of a trade. Retail loan sales agents are warned against certain customer segments. Third-party relationships are defined based not just on the “best deal” but on the “best value”. As a result, the front line is able to make confident, informed choices that are aligned with the organization’s risk appetite – all through a single, integrated user experience. Meanwhile, GRC platforms and solutions are increasingly being designed for the first line with intuitive interfaces, personalized pages, simple reporting mechanisms, and minimal user training requirements. All these measures will be critical in making GRC pervasive across the enterprise.
Strengthen Integration and Harmonization
An agile GRC program is like a well-oiled machine with many parts working together in harmony. The idea is to aggregate and harmonize different perspectives on risk across various functions, be it quality, IT, or the business. A common risk library can help by standardizing the taxonomies used in risk communication. The other aspect of harmonization lies in ensuring that as internal and external environments change, GRC functions, processes, and systems also evolve – but in a well-coordinated and carefully thought-out manner. There’s no point in investing millions of dollars in short-lived or “solve for now” GRC programs that only result in multiple silos and disparate processes. A better approach is to integrate and harmonize GRC initiatives, not with a “big bang” or “rip and replace” approach but in a phased manner. Creating a solid, agile foundation of data and process frameworks is the starting point of a sustainable, future-ready GRC program.
References
The Rise of Agile GRC in the Context of Dynamic and Disrupted Business – Michael Rasmussen, GRC Pundit, GRC 20/20 Research, speaking at the MetricStream GRC Summit 2019