For many years, GRC has focused primarily on reducing risks. No doubt, that’s an important mission because if organizations didn’t have someone to tell them when to pull back on the reins, they might end up taking risks blindly without a thought for the consequences. However, in today’s rapidly changing digital world where organizations have to move quickly simply to stay ahead of the curve, and take newer risks to get the rewards they seek, it isn’t enough for GRC to be focused merely on limiting risk. GRC objectives must evolve because the drivers of business success themselves have changed. Intangible assets like reputation and brand matter more than ever. Customer loyalty is influenced not just by traditional parameters such as product or service quality, but also by the transparency of business practices. Meanwhile, business models are evolving rapidly with the emergence of new technologies such as artificial intelligence, blockchain, the cloud, and the internet of things.
In this new world, GRC has tremendous opportunity to add value. For instance, by pushing for higher standards of corporate governance and integrity, GRC can help a business strengthen its reputation, and inspire trust. By providing a clear picture of the regulatory landscape, GRC can help the business expand into new markets faster. And by providing timely risk intelligence on new digital technologies, GRC can help the business capitalize on upside opportunities. In short, the future of GRC lies in being an enabler of business growth and performance.
The key to realizing GRC’s potential as a growth enabler is to empower the first line of defense. That’s where the action is. Front line employees take risks every day, be it when they’re interacting with customers, or building a product, or managing confidential information. Yet, in many organizations, they are not held accountable for their risks, or don’t clearly understand their role in risk management. As a result, they end up making uninformed business decisions without fully understanding the risk implications.
We saw it at United Airlines in 2017 when two security officers forcibly dragged a customer off a flight. Might things have turned out differently if the officers had been aware of how their actions would affect the company’s reputation? PwC’s 2017 Risk in Review report found that the companies who lead risk decision-making from the front line (13%) are more likely than others to experience revenue and profit margin growth over the next two years. What’s more, “front liners” are quicker to bounce back from adverse events and disruptions because they “enable each of their lines of defense to concentrate on their specific areas, thereby [helping] them be more agile and focused during challenging times.”
When the first line takes more accountability for GRC, then the second and third lines are freed up to focus on what they do best, i.e. providing oversight, building robust GRC frameworks, optimizing efficiency and productivity, and finally, guiding and advising the board and executive team. But how do you get to that point where each of the lines of defense is effectively aligned and coordinated to enable business growth? That brings us to the four pillars of GRC:
GRC needs to be as simple as possible, so that the first line of defense is able to adopt and practice it easily
GRC needs to be pervasive – made an integral, yet non-intrusive part of the organizational fabric
GRC needs to be intelligent – decision-makers have to be empowered at the right time with accurate GRC insights that will allow them to drive growth and performance
And finally, GRC needs to be cloud-based, so that it can be scaled up faster, flexibly, and cost-efficiently
To make GRC simple, pervasive, intelligent, and cloud-based, here’s what GRC professionals need to be focusing on:
1. USER EXPERIENCE – SIMPLE, EFFICIENT, PERSONALIZED
If GRC has to be pushed to the front lines, then the systems and tools that support it need to be easy to use and intuitive. Users should be able to accomplish their GRC-related tasks in a simple and efficient manner, while seamlessly collaborating and sharing information with other users and teams wherever necessary. Personalization is also important. Gen Z—the first truly digital natives—who have just entered the workforce, expect a highly personalized and predictive digital experience. To engage them, a GRC system should be able to allow users to customize the system behavior and content to suit their needs. The system should also be able to anticipate user intent, and highlight relevant content and actions accordingly. Clunky, cumbersome spreadsheets simply won’t cut it anymore. The front line needs simpler, engaging tools to support their work – and GRC systems must be able to keep up.
2. ARTIFICIAL INTELLIGENCE, REPORTING, AND ANALYTICS – BETTER INSIGHTS FOR BETTER DECISIONS
GRC, in a sense, is like a crossroads – it lies at the intersection between the business on one side, and third parties, regulators, customers, and other external entities on the other. Both sides are constantly generating data with implications for GRC. Regulatory updates, customer complaints, and industry and company news are constantly being produced outside the organization. Within the business are compliance findings, policies, risks, third-party due diligence issues, and more. In short, big data is a major reality in GRC and will only explode in the years ahead. GRC teams need to have a system that will be able to curate, aggregate, and integrate this colossal wealth of information, so that they can then make better informed decisions. For instance, by integrating with Dow Jones feeds on third-party risks, vendor governance teams can screen and validate their vendors effectively. Or, by integrating with the Unified Compliance Framework (UCF), IT GRC teams can harmonize their IT controls, thereby optimizing efficiency.
Aggregating and integrating GRC data from multiple sources is one thing. Making sense of it is quite another. This is where analytics and artificial intelligence can help by connecting the dots – enabling users to understand how an area of compliance like GDPR may be linked to reputational risks or financial risks, how those risks are linked to a particular set of controls, and which business functions or regions are most likely to be impacted. Intelligence tools map the organization’s risk universe to its compliance universe, audit universe, and business universe – all in a single source of truth. This makes it easier for the organization to uncover patterns and meaningful relationships between data sets which can then be used to drive better performance.
A lot of analytics and reporting tools draw out intelligence on GRC in the present – e.g. risks that are currently impacting the organization, and controls that are currently in place. However, in a rapidly changing and uncertain world, GRC teams also need to be able to look ahead i.e. predict the risks that are likely to emerge. This is becoming increasingly possible with predictive analytics and machine learning tools that can help slice and dice data to identify what is likely to happen and what has to be done.
As the external and internal business environment changes, GRC has to be flexible and agile enough to keep up. GRC systems and tools, while based on industry best practices, need to be tailored to each organization’s evolving needs – whether it’s to create a new type of report, or change a workflow, or alter a risk assessment form. The key is configurability, not customization. GRC teams shouldn’t have to spend weeks at a time implementing extensive code to customize their GRC systems. They should be able to make the changes they need quickly, without coding, and in an “upgrade safe” and scalable manner. That way, GRC can keep up with the company’s rate of evolution and innovation, rather than holding it back.
Businesses cannot expect the first line to go where GRC is – instead, they have to bring GRC to the first line. That means embedding GRC activities and tools into employees’ day-to-day applications e.g. Outlook inbox or desktop calendar. It also means ensuring a consistent GRC user experience across devices. Employees should be able to manage their GRC tasks from the convenience of their mobile devices and tablets just as effectively as they would on their laptop or desktop. Ultimately, GRC needs to be integrated into employees’ routine activities and decisions in such a way that it becomes a seamless part of their work life, rather than an additional burden. When the first line does GRC without even thinking about it, that’s when you know it’s truly pervasive.
As organizations move up the GRC maturity curve and begin bringing more GRC functions into their integrated vision, their GRC architecture should be designed to scale and grow – whether that involves adding new users, new functions, or new GRC apps and solutions. This is particularly important for large global enterprises. Their GRC systems need to be high-performing, reliable, and secure. Equally essential are accessibility and multi-lingual support for front line users across different geographies. Cloud-based architectures also provide value. In fact, more and more organizations are moving to the cloud – be it public, private, or hybrid clouds. The obvious benefits are, of course, lower infrastructure costs, flexibility, and faster time to value. GRC app implementations that would traditionally take months to complete can now be done in a matter of days on the cloud – it’s as simple as “turning on” a GRC app. And with increasingly stronger data security and governance controls, it isn’t surprising that more companies are getting onboard the cloud.
This year and beyond, GRC will be about empowering organizations to go after new opportunities, new markets, and new innovations. The business landscape is only getting more competitive and more disruptive. Companies that find ways to take better risks, drive better performance, and demonstrate better governance will be the ones to watch.