Introduction
The past two years have been nothing short of a whirlwind that shook businesses and industries around the globe – exposing how fragile and vulnerable we really are. While many failed and countless others struggled, there were those who demonstrated remarkable agility and resilience and are successfully riding this wave of disruption. So, what did they do differently?
Much of the answer lies in the approach of these organizations to manage governance, risk and compliance (GRC) functions.
To thrive in today’s highly unsettled business environment, it is critical for organizations to implement a GRC program that enhances visibility into existing and emerging risks, simplifies the understanding and communication of risks in business terms, provides actionable risk intelligence for faster decision-making, and ensures preparedness for unknown unknowns.
So, what’s next? What major risk event do you need to prepare for? We can only make assumptions – a geopolitical event such as the recent Brexit, an outage of cloud service providers, climate change, a massive cyber-attack, a supply chain disruption like the Suez Canal blockage, or even newer variants of the coronavirus threatening the return to normalcy?
What the future holds, nobody can be sure. What we can ensure, however, is our resilience in the face of such risk events. In this discussion, we take a look at where GRC is trending – and how you can use these trends to prepare for whatever’s around the corner.
What’s Next for GRC in 2022 and Beyond
MetricStream is hard at work to help organizations strengthen resilience and become future-ready. Based on the interactions with MetricStream customers and industry thought leaders, we have identified key trends that will shape the GRC space in 2022 and beyond.
The interconnectedness of Risks – Breaking Down the Siloes
In today’s digitized era, everything is interconnected – people, processes, organizations, and especially risks. The points of intersection among various types of risks – cyber, third-party, compliance, operational, etc. – will continue to multiply going forward. As such, looking at them in isolation will not provide a complete picture. Failing to understand and analyze interrelationships and dependencies can lead to myopic decisions that are not aligned with overall risk appetites and business objectives.
This, in fact, is one of the major pain points of organizations today. With various risk, audit, and compliance teams working in siloes with little common GRC taxonomy, there are opportunities for redundancies and duplication of efforts, inconsistent and unstructured data, and overlapping of controls. Measuring risk interconnectivity and velocity also becomes difficult as risk relationships are not well-defined and, therefore, not monitored.
It is essential to have an integrated and holistic approach to risk management – that connects people, data, and systems as opposed to disparate risk programs – to break down siloes and help organizations gain a deeper understanding of the risks they face from across their organizations and how their interrelationships may impact the business. If there’s a single watchword for 2022, it’s this: Connection.
Agility and Resilience – Two Sides of the GRC Coin
Multiple risks and uncertainties – cyber threats, climate change, geopolitical dynamics, and possibly new coronavirus variants, among others – will continue to test the resilience of organizations this year.
Therefore, it’s time to pivot from the traditional and reactive approach to risk management to one that is proactive, tech-driven, and resilient. The objective is to foster risk preparedness and strengthen the ability to minimize the impact of any risk event, to recover quickly, and to continue business operations in the aftermath of the event.
Operational Resilience is high on the radar of major regulatory authorities as well – the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) in the U.S.; the Bank of England, the Prudential Regulatory Authority (PRA), and the Financial Conduct Authority (FCA) in the UK; and the European Commission in the European Union, among others – are reviewing resiliency planning when evaluating GRC programs.
“Agility,” too, is no longer just “nice to have”. With the rapid pace of technological advancements, amplified digital interconnectedness, high risk velocity, and ever-changing regulations, organizations must act swiftly to not only identify, manage, and mitigate risks but also to capture opportunities created by their proactive GRC programs. Agility has become a “must-have” for organizations to quickly adapt to the evolving risk and regulatory landscape and create market advantage.
"We must rely on preparedness and proactive and preemptive approaches to GRC to inoculate our organizations to better handle the challenges and the risks in this digital age. Digital, agile businesses are the answer to the future"-Gunjan Sinha, Executive Chairman, MetricStream
Collaboration and Harmonization – Achieving Business Goals Together
An effective GRC program is like a finely tuned instrument that requires every part of an organization – business units, departments, and functions – to work in tandem to create the perfect melody. GRC is no longer just the responsibility of the risk teams – it extends from the board and the executive management to the first line of defense and frontline employees.
Especially in this post-pandemic world where a hybrid working environment is expected to be the norm, not only should there be a collaboration between various teams – risk, compliance, audit, security, and others – but also among all the members of a team whether working remotely or on-premises in a seamless and secure manner. All need to work together to tackle and address fast-moving risks.
A key enabler for this is a risk-aware culture across an enterprise, which requires a change in the very mindset of the employees. By clearly defining their roles, responsibilities, , educating them on emerging risks, and encouraging knowledge sharing, along with seamless channels for collaboration an organization can greatly enhance its risk visibility and preparedness.
"Not so long ago, GRC activities were often managed in small power centers or by a tiny group of individuals. Now, the responsibility is more central to the business."-Gaurav Kapoor, Co-CEO and Co-Founder, MetricStream
Ease of Use -Keeping It Simple and Intuitive
A key consideration for ensuring collaboration among various business functions across an enterprise is the ease of use of GRC tools – in particular, for the front line. Frontline executives are more likely to identify issues and emerging risks as they are closely associated with daily business operations. However, they could lack the expertise required to efficiently capture and report these risks. It, therefore, becomes important to empower the front line with simple and intuitive tools that make it easier to report any risk or issues – on the field and on the go.
On these lines, we see increasing adoption of advanced and cognitive technologies, such as artificial intelligence, machine learning, etc., in GRC software and products going forward. By quickly identifying similar past issues, risk categories, relevant policies, etc., these technologies can considerably simplify risk reporting by the front line as well as help GRC professionals save a lot of time and effort. AI engines can also significantly improve an organization’s risk foresight by automatically sifting through internal databases and external information to identify hidden and emerging risk trends and patterns.
ESG – Purpose Driven GRC
Environmental, Social, and Governance (ESG) is quickly becoming a top priority for every board of directors, and we expect this trend to continue well into 2022 and beyond. Particularly in this age of social media and speak-up culture, the market and broader community expect organizations to be increasingly accountable for their practices – Are they sustainable, ethical, and environment-friendly? What are their diversity, equity, and inclusion (DEI) metrics? What is their stance on social movements such as Black Lives Matter or LGBTQ Rights?
Failure to address ESG issues may cause serious damage to an organization’s reputation and brand. Moreover, with growing regulatory and investor interest in this area, ESG performance will become a key metric that will determine how consumers, regulators, investors, and other stakeholders gauge an organization’s progress and success.
Incorporating ESG performance metrics in an organization’s overall risk management framework will be critical going forward. Organizations today need to think beyond the maximization of their profits and become purpose-driven – the true architects of a sustainable world in which future generations can thrive.
Cyber Risk Quantification - Expressing Cyber Risk in Business Terms
Cyber risk is a business issue and needs to be expressed in business terms. The board and top management today want to understand their organization’s cyber risk profile and exposure in a manner that helps them to strategize in a fast, secure, and efficient manner.
Relying on qualitative metrics is no longer enough for cyber risk management when everything is driven by data. Quantitative metrics – quantifying cyber risk in monetary terms, adopting advanced analytics, representing the data in visual dashboards, etc. – equip security teams to better communicate cyber risk to the leadership.
Cyber risk quantification is a natural extension of the qualitative assessments that organizations have already been doing. The factors involved are the same. We’re talking about the assets, the threats, the vulnerabilities, and the assessment of those vulnerabilities, the controls that you have in place, and mitigating the risks and the losses. A good GRC software reduces the burden of how to go about it – how to bring the qualitative aspect along with the quantitative aspects. Quantification of cyber risk enables organizations to take a data and ROI-driven approach to stratify and prioritize cyber risks and controls as well as to ensure the optimum use of resources.
"Cyber risk quantification is also important for the prioritization of cyber risks and associated controls. Organizations face multiple risks and it’s critical to determine which are top priorities. Likewise, they might have hundreds of controls and they need to determine how much to spend on each control. Every dollar spent on these controls should be substantiated with the benefits/advantages realized." - Prasad Sabbineni, Co-CEO, MetricStream
Extended Enterprise – Managing Risk Across the Third-Party Ecosystem
With the growing reliance on third parties – business consultants, partners, contractors, service providers, etc. – effective management of the risks stemming from the extended enterprise is paramount. Third-party risk management (TPRM) has risen in importance and will continue to be a key focus area for organizations around the world this year.
TPRM is evolving and expanding its scope to include fourth and nth parties with which an organization can have indirect business relationships. A disruption anywhere on the value chain can create a domino effect, sending ripples down the chain and across the market. Visibility and GRC alignment across the network will continue to be key with growing interdependencies between organizations.
Furthermore, with the amplified digital interconnectedness of organizations, third-party cyber risks have become a major area of concern for organizations. Recent instances of cyber security breaches via third parties have underscored how a security incident at one organization can quickly travel to and paralyze several other connected businesses.
Employee Wellbeing – Caring for Employees’ Physical and Mental Health
In the post-pandemic world, the health and safety of employees have become a primary concern for organizations – not just physical wellbeing but mental well-being as well. This has become all the more important when employee attrition rates have reached an all-time high across industries – “The Great Resignation.”The ongoing exodus of skilled employees and an inability to forecast retention rates not only impact productivity but also pose a serious challenge to an organization’s security and resilience.
With employee interactions and communication often confined to virtual environments, many organizations are now thinking out of the box to secure employee retention and improve engagement. In addition to investing in upskilling and education initiatives, some organizations are arranging online sessions for yoga, health counseling, meditation, etc. as well as team-building activities such as online games and quizzes in an effort to reduce the risk of loss of resiliency and productivity.
Conclusion
The uncertainties and challenges faced by organizations will only escalate with ongoing technological advancements, a volatile economic and geopolitical landscape, mounting regulations, evolving environmental and social factors, and more. Risk is always an inherent element of doing business. The ultimate goal of an organization isn’t to avoid risk but rather to transform it into a strategic advantage. It is time for organizations to reflect on the lessons learned in the last 24 months, take on some tough decisions, evolve, and truly become future-ready – connected, purpose-driven, resilient, and agile. Adopt the best GRC practices and the right GRC software for making informed, risk-aware, and data-driven decisions that enable you and your organization to thrive and create business value and you’ll be ready – no matter what’s next.
The past two years have been nothing short of a whirlwind that shook businesses and industries around the globe – exposing how fragile and vulnerable we really are. While many failed and countless others struggled, there were those who demonstrated remarkable agility and resilience and are successfully riding this wave of disruption. So, what did they do differently?
Much of the answer lies in the approach of these organizations to manage governance, risk and compliance (GRC) functions.
To thrive in today’s highly unsettled business environment, it is critical for organizations to implement a GRC program that enhances visibility into existing and emerging risks, simplifies the understanding and communication of risks in business terms, provides actionable risk intelligence for faster decision-making, and ensures preparedness for unknown unknowns.
So, what’s next? What major risk event do you need to prepare for? We can only make assumptions – a geopolitical event such as the recent Brexit, an outage of cloud service providers, climate change, a massive cyber-attack, a supply chain disruption like the Suez Canal blockage, or even newer variants of the coronavirus threatening the return to normalcy?
What the future holds, nobody can be sure. What we can ensure, however, is our resilience in the face of such risk events. In this discussion, we take a look at where GRC is trending – and how you can use these trends to prepare for whatever’s around the corner.
MetricStream is hard at work to help organizations strengthen resilience and become future-ready. Based on the interactions with MetricStream customers and industry thought leaders, we have identified key trends that will shape the GRC space in 2022 and beyond.
The interconnectedness of Risks – Breaking Down the Siloes
In today’s digitized era, everything is interconnected – people, processes, organizations, and especially risks. The points of intersection among various types of risks – cyber, third-party, compliance, operational, etc. – will continue to multiply going forward. As such, looking at them in isolation will not provide a complete picture. Failing to understand and analyze interrelationships and dependencies can lead to myopic decisions that are not aligned with overall risk appetites and business objectives.
This, in fact, is one of the major pain points of organizations today. With various risk, audit, and compliance teams working in siloes with little common GRC taxonomy, there are opportunities for redundancies and duplication of efforts, inconsistent and unstructured data, and overlapping of controls. Measuring risk interconnectivity and velocity also becomes difficult as risk relationships are not well-defined and, therefore, not monitored.
It is essential to have an integrated and holistic approach to risk management – that connects people, data, and systems as opposed to disparate risk programs – to break down siloes and help organizations gain a deeper understanding of the risks they face from across their organizations and how their interrelationships may impact the business. If there’s a single watchword for 2022, it’s this: Connection.
Multiple risks and uncertainties – cyber threats, climate change, geopolitical dynamics, and possibly new coronavirus variants, among others – will continue to test the resilience of organizations this year.
Therefore, it’s time to pivot from the traditional and reactive approach to risk management to one that is proactive, tech-driven, and resilient. The objective is to foster risk preparedness and strengthen the ability to minimize the impact of any risk event, to recover quickly, and to continue business operations in the aftermath of the event.
Operational Resilience is high on the radar of major regulatory authorities as well – the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) in the U.S.; the Bank of England, the Prudential Regulatory Authority (PRA), and the Financial Conduct Authority (FCA) in the UK; and the European Commission in the European Union, among others – are reviewing resiliency planning when evaluating GRC programs.
“Agility,” too, is no longer just “nice to have”. With the rapid pace of technological advancements, amplified digital interconnectedness, high risk velocity, and ever-changing regulations, organizations must act swiftly to not only identify, manage, and mitigate risks but also to capture opportunities created by their proactive GRC programs. Agility has become a “must-have” for organizations to quickly adapt to the evolving risk and regulatory landscape and create market advantage.
"We must rely on preparedness and proactive and preemptive approaches to GRC to inoculate our organizations to better handle the challenges and the risks in this digital age. Digital, agile businesses are the answer to the future"-Gunjan Sinha, Executive Chairman, MetricStream
An effective GRC program is like a finely tuned instrument that requires every part of an organization – business units, departments, and functions – to work in tandem to create the perfect melody. GRC is no longer just the responsibility of the risk teams – it extends from the board and the executive management to the first line of defense and frontline employees.
Especially in this post-pandemic world where a hybrid working environment is expected to be the norm, not only should there be a collaboration between various teams – risk, compliance, audit, security, and others – but also among all the members of a team whether working remotely or on-premises in a seamless and secure manner. All need to work together to tackle and address fast-moving risks.
A key enabler for this is a risk-aware culture across an enterprise, which requires a change in the very mindset of the employees. By clearly defining their roles, responsibilities, , educating them on emerging risks, and encouraging knowledge sharing, along with seamless channels for collaboration an organization can greatly enhance its risk visibility and preparedness.
"Not so long ago, GRC activities were often managed in small power centers or by a tiny group of individuals. Now, the responsibility is more central to the business."-Gaurav Kapoor, Co-CEO and Co-Founder, MetricStream
A key consideration for ensuring collaboration among various business functions across an enterprise is the ease of use of GRC tools – in particular, for the front line. Frontline executives are more likely to identify issues and emerging risks as they are closely associated with daily business operations. However, they could lack the expertise required to efficiently capture and report these risks. It, therefore, becomes important to empower the front line with simple and intuitive tools that make it easier to report any risk or issues – on the field and on the go.
On these lines, we see increasing adoption of advanced and cognitive technologies, such as artificial intelligence, machine learning, etc., in GRC software and products going forward. By quickly identifying similar past issues, risk categories, relevant policies, etc., these technologies can considerably simplify risk reporting by the front line as well as help GRC professionals save a lot of time and effort. AI engines can also significantly improve an organization’s risk foresight by automatically sifting through internal databases and external information to identify hidden and emerging risk trends and patterns.
Environmental, Social, and Governance (ESG) is quickly becoming a top priority for every board of directors, and we expect this trend to continue well into 2022 and beyond. Particularly in this age of social media and speak-up culture, the market and broader community expect organizations to be increasingly accountable for their practices – Are they sustainable, ethical, and environment-friendly? What are their diversity, equity, and inclusion (DEI) metrics? What is their stance on social movements such as Black Lives Matter or LGBTQ Rights?
Failure to address ESG issues may cause serious damage to an organization’s reputation and brand. Moreover, with growing regulatory and investor interest in this area, ESG performance will become a key metric that will determine how consumers, regulators, investors, and other stakeholders gauge an organization’s progress and success.
Incorporating ESG performance metrics in an organization’s overall risk management framework will be critical going forward. Organizations today need to think beyond the maximization of their profits and become purpose-driven – the true architects of a sustainable world in which future generations can thrive.
Cyber risk is a business issue and needs to be expressed in business terms. The board and top management today want to understand their organization’s cyber risk profile and exposure in a manner that helps them to strategize in a fast, secure, and efficient manner.
Relying on qualitative metrics is no longer enough for cyber risk management when everything is driven by data. Quantitative metrics – quantifying cyber risk in monetary terms, adopting advanced analytics, representing the data in visual dashboards, etc. – equip security teams to better communicate cyber risk to the leadership.
Cyber risk quantification is a natural extension of the qualitative assessments that organizations have already been doing. The factors involved are the same. We’re talking about the assets, the threats, the vulnerabilities, and the assessment of those vulnerabilities, the controls that you have in place, and mitigating the risks and the losses. A good GRC software reduces the burden of how to go about it – how to bring the qualitative aspect along with the quantitative aspects. Quantification of cyber risk enables organizations to take a data and ROI-driven approach to stratify and prioritize cyber risks and controls as well as to ensure the optimum use of resources.
"Cyber risk quantification is also important for the prioritization of cyber risks and associated controls. Organizations face multiple risks and it’s critical to determine which are top priorities. Likewise, they might have hundreds of controls and they need to determine how much to spend on each control. Every dollar spent on these controls should be substantiated with the benefits/advantages realized." - Prasad Sabbineni, Co-CEO, MetricStream
With the growing reliance on third parties – business consultants, partners, contractors, service providers, etc. – effective management of the risks stemming from the extended enterprise is paramount. Third-party risk management (TPRM) has risen in importance and will continue to be a key focus area for organizations around the world this year.
TPRM is evolving and expanding its scope to include fourth and nth parties with which an organization can have indirect business relationships. A disruption anywhere on the value chain can create a domino effect, sending ripples down the chain and across the market. Visibility and GRC alignment across the network will continue to be key with growing interdependencies between organizations.
Furthermore, with the amplified digital interconnectedness of organizations, third-party cyber risks have become a major area of concern for organizations. Recent instances of cyber security breaches via third parties have underscored how a security incident at one organization can quickly travel to and paralyze several other connected businesses.
In the post-pandemic world, the health and safety of employees have become a primary concern for organizations – not just physical wellbeing but mental well-being as well. This has become all the more important when employee attrition rates have reached an all-time high across industries – “The Great Resignation.”The ongoing exodus of skilled employees and an inability to forecast retention rates not only impact productivity but also pose a serious challenge to an organization’s security and resilience.
With employee interactions and communication often confined to virtual environments, many organizations are now thinking out of the box to secure employee retention and improve engagement. In addition to investing in upskilling and education initiatives, some organizations are arranging online sessions for yoga, health counseling, meditation, etc. as well as team-building activities such as online games and quizzes in an effort to reduce the risk of loss of resiliency and productivity.
The uncertainties and challenges faced by organizations will only escalate with ongoing technological advancements, a volatile economic and geopolitical landscape, mounting regulations, evolving environmental and social factors, and more. Risk is always an inherent element of doing business. The ultimate goal of an organization isn’t to avoid risk but rather to transform it into a strategic advantage. It is time for organizations to reflect on the lessons learned in the last 24 months, take on some tough decisions, evolve, and truly become future-ready – connected, purpose-driven, resilient, and agile. Adopt the best GRC practices and the right GRC software for making informed, risk-aware, and data-driven decisions that enable you and your organization to thrive and create business value and you’ll be ready – no matter what’s next.
