Digital Risk Management: Moving Beyond GRC
Let’s face it, if you’re not up to speed on governance, risk and compliance (GRC), you’re already way behind the curve. The next wave of mitigation is called digital risk management (DRM), and its transformational impact can’t be denied. DRM is about applying advanced, state-of-the-art technology capabilities to keep your business moving forward without interference, safeguard customer delight and ensure stakeholder satisfaction.
We’ll explain how:
- Traditional GRC tends to be applied in prescriptive ways—the known risk landscape
- Intelligent Automation (IA) with DRM can identify risks you might not know you had—the unknown risk landscape
- DRM can deliver always-on digital monitoring and mitigation
- DRM can be operationalized with virtual governance and digitally matrixed remediation services
- Properly integrated DRM amplifies your risk professionals and service providers in a multi-faceted way
Our world of ever-increasing technology complexity is transforming risk from a game of checkers to chess. The permutations are multiplying faster than our ability to identify and mitigate. DRM helps us get ahead and stay ahead by extending traditional GRC/ERM/IRM capability. This approach provides new tools and techniques, and amplifies the expertise of risk professionals by enmeshing risk management into operations and technology with unprecedented detail.
Move Over GRC, DRM is the Future
GRC has been a necessity driven by new regulations around privacy, the explosion in environmental, social and governance (ESG) compliance and increasing instances of cybercrime. In addition, we’re facing the dawn of new generations as global market force displacing Boomers. It’s time to board the mothership of full-scale digital transformation. If not, you’ll watch your customers and investors drop off, while giving the keys to the treasury away to whoever wants them.
Traditional approaches to GRC, enterprise risk management (ERM) and integrated risk management (IRM) tend to rely on people more than technology. These practices are often implemented after a risk or new regulation is identified, even with monitoring in place. The pandemic has only accelerated this global digital transformation (even brickmakers are becoming digital).
Risk professionals should be proud of the work they’ve done safeguarding their domains. Yet, risk occurrences seem to be accelerating and the impacts of failure grow astonishingly graver. GRC orthodoxy was formalized around the turn of the century, and much has changed since then, including the markets, our customers and the nefarious actors. The ever-increasing deployment of technology in our businesses has surpassed the ability of policy, procedure and traditional operations. This is where DRM shines, by pulling risk management into the future.
DRM at Inception
Building DRM mitigation and occurrence capability into new initiatives creates an integrated digital system that brings value upfront and sets the stage for continuous improvement in the future.
In companies with risk professionals and advisors proficient in DRM, risk management starts alongside strategies, objectives, and the target operating model as both process and technology are defined. Straight-through digital process paths are engineered with real-time DRM in place from the beginning. Integrated DRM can provide intelligent automation (IA) to operational staff inline in business process, amplifying the effect of risk professionals dramatically. Typically, this also reduces the cost of risk management and the time between risk occurrence and remediation. Besides transferring some risk responsibility to staff, we’ll see later how DRM can also shift risk avoidance to line staff as part of routine execution, also known as a “shift left.”
At EPAM, we use the phrase, “compliance as a code” to signify the inclusion of risk management, compliance and governance within the full software development lifecycle (SDLC), alleviating the need to come back and add these requirements later.
Take into consideration who your most important stakeholders are. Ultimately, we’re talking about your customers. So, the question to ask is: How can you best safeguard your customers? If you’re practicing customer-centric design, risk ought to be a thread throughout the entire customer journey. If you are not including risk in your customer experience work, then you’ll always play catch-up.
DRM Requires Patience & Planning
Before you put a DRM strategy in place, it’s important to create a map of your current digital tools and the protocols around them. As your technology portfolio broadens and more processes are automated, your company may be unknowingly creating openings that let the nefarious in. Even worse, you might be unaware of all the ways employees accidentally let things out of the vault. DRM addresses this with cyber security requirements and active vulnerability management.
In business, the constant push to do something can sometimes mean skimping on documentation and auditability, leaving those hidden trails at the edges (where you may have fluid staff movement in the form of subcontractors). The emerging DRM philosophy already addresses these with mountains of informational material and more tooling and services than you can assess, let alone implement, in a multi-year time frame.
Of course, this all comes with a cost. The budget for DRM is rarely weighted toward the theoretical value of cost avoidance; it’s the upfront cost that requires an immediate executive signature. The best way forward for most companies is to partner with an experienced DRM vendor. That vendor will understand all the moving parts, as well as how they need to intertwine to develop a DRM strategy that serves your unique business case.
Understanding Risk Operations
DRM can enhance existing risk management. There are new techniques available for handling traditional risks using the digital aspect of DRM by utilizing new developed platforms, such as MetricStream, OneTrust, ServiceNow (GRC) and many others.
Some businesses are applying digital governance up and down their organizations; companies such as Prim Gov and Diligent are virtualizing board activity. Down at the execution level, virtualizing operational risk escalation sits well alongside other cross-functional breakpoints, such as data governance, semantic governance and continuous improvement. This increases transparency within the hierarchy of an organization and allows for better controls and optimization of decision-making, risk control and management.
Virtualization also helps deal with governance fatigue, where there is stakeholder overlap with similar activities. We believe that the next step for the software community is to consider open standards, which would allow risk management and other governance to operate on a common platform. Modular ontology can help drive this convergence.
As for investigation, digitization leaves a trail that risk analysts can follow for more rapid resolution—and more importantly—rapid escalation for outsized risk occurrence. Data-centric risk investigation means risk staff can now collaborate more effectively with service providers, addressing security at all digital and physical levels.
On the regulatory side, transitions to digital semantic content for compliance in various domains, like contracts and pharmaceutical material, enable IA inline to the same professionals doing the work the manual way. Virtualization of compliance matters across firewalls, with partners and counterparties helping to speed up the regulatory compliance dimension of commerce.
Finally, new DRM techniques are expanding risk coverage. You may find that DRM allows you to retire some threads of your GRC/ERM/IRM practices, expanding your free budget for inline digital de-risking.
Considerations Around Physical Risk
DRM is even positively impacting physical risk. Companies like Knightscope are deploying robots on lease to help facility’s security personnel greatly expand their scope of surveillance. Both legacy companies like Honeywell and plucky startups like Quantridge are deploying IoT sensors to monitor risk and digitally trigger remediation and escalation in physical plants and facilities. Drones are monitoring anything they can get their “eyes” on without violating airport flight space: crops, buildings, perimeters and restricted land. Insurers are not only writing drone liability into their policies; they’re consulting with businesses to implement drones to reduce risk and, as a result, occurrence and claims. As modern innovation and DRM practices converge in new security and monitoring technology, management of physical risk will streamline.
Building a DRM Culture
Risk management can sometimes feel like Big Brother is always watching. This is not the case at all, because proper change management and communications can help employees understand the urgency of DRM and buy into the concept of a tightened digital enterprise. In some industries, such as financial services, this is old news—at least for the employee base.
However, there are other communities attached to our businesses, and these changes affect them too. AT&T has announced smartphone virtual partitioning to separate work and play. This has long been possible on laptops, but surely digital transformation is bringing us closer to an administrator configuration that would simplify this process, significantly.
How long before those early adopters are startled when their company asks for remote monitoring and the ability to initiate a device wipe? When this does happen, don’t go running for the door. In a world where your browser may know you better than your best friend, you might want a service that backs up your personal partition, too, and can wipe it if you’re pickpocketed.
This leads to another question: If our employees don’t trust us, is there a larger problem? For that matter, is the lack of trust a risk? Take care that your risk management is not so intrusive that you are inhibiting innovation and creating a stifling culture as a biproduct.
Now consider the next degree of separation—vendors connecting through their devices on browsers that may be compromised. Or imagine that your enterprise app is mistakenly caching sensitive data. Your bring-your-own-device (BYOD) policy extends to vendors. Imagine your vendor’s BYOD is partitioned by her company. That means the cached data is surveilled by her company. Is this on the radar of your legal counsel for master agreements? It may already be in your insurance, as cybercrime supplements are now integrated with these policies.
How DRM Impacts Your Customers
Be certain to factor your customers as stakeholders in your DRM strategy. After all, we are all consumers, and companies are pushing ever more risk management onto us. For example, cryptic passwords and two-factor authentication (zero trust) has become the new norm, along with many other additional security measures.
To this end, you must put impetus on your customers to proactively involve them in security and minimizing risk exposure. To many of them it may seem onerous, but this exercise can strengthen your brand and improve the relationship with your customers. Approach it with suitable change management and anticipate any disruption to avoid customer churn. We don’t usually think of DRM as part of customer delight, but maybe we should. Make sure your customers see your controls as part of what makes them feel safe in the journey you create for them.
Creating an Implementation Roadmap
Digital transformation provides tremendous opportunity, and DRM vendors have rich offerings for prophylaxis, surveillance, machine anomaly prediction and resolution platforms. With tremendous opportunity comes tremendous responsibility, and the more complex the world becomes, the harder it is to achieve something meaningful alone. The trick is to get the most out of your risk dollar with the least disruption to your stakeholders.
Our best suggestion is to find a partner you can call a trusted advisor and work with rigor on a roadmap. Design a risk program that helps your organization balance safety with agility. This will change the way GRC/IRM/ERM confront risk, by bringing DRM into the forefront of this technological evolution.