How GRC’s Past & Present Can Help Companies Thrive in the Future
Looking back over the past decade, much has been accomplished in the GRC landscape. However, there is still room for improvement. The GRC story began to unfold as the new millennium ushered in a tidal wave of risk exposures, including the dot-com bubble stock market collapse, the 2008 financial collapse and a rise in cybersecurity attacks. These events, and others, spurred the passing of several laws to protect stockholders and the general public, such as the Sarbanes-Oxley Act. American companies also responded by developing two similar Enterprise Risk Management (ERM) frameworks: ERM Cube and GRC.
Leading into the second decade of the new millennium, GRC practitioners realized that their traditional, siloed approaches to risk management were no longer adequate for assessing the complex risks faced by large firms. As a result, leading companies looked for an integrated approach, applying the elements of GRC across all areas of the business, such as finance, HR, IT and more. In 2017, Gartner identified this trend and coined the term "Integrated Risk Management" (IRM).
Four Keys to Integrated GRC: Strategy, People, Processes & Technology
Unfortunately, many organizations are still not unlocking the full benefits of GRC and its recent transition to IRM. According to the 2016 OCEG GRC Technology Strategy Survey, 14% of respondents indicate their organizations have fully integrated GRC processes, 21% are partially integrated, 38% have standardized some processes, and 27% are largely siloed. The key to achieving value from GRC is an organization’s ability to implement all four principles of the GRC model: strategy, people, processes and technology. Some businesses fail to incorporate all four of these principles because they do not fully understand the importance of each one, or the critical interactions and relationships between them.
Implementing GRC is a complex task and requires a strategy that defines the scope, business requirements, stakeholders, resources, timelines, budgets and risks. Purchasing expensive GRC tools and technology without a formal strategy and an understanding of business processes can result in costly modifications to customize GRC to ‘match’ or align with current risk management practices. Another common mistake companies make is neglecting to identify or mitigate the risks associated with organizational change, and the resulting impact on people, brought on by GRC implementation. Without a common ‘risk language’ and without normalizing risks across departments, communication and reporting to C-level management can misrepresent the organization’s overall risk profile.
A Simple Analogy: GRC as an Automotive Dashboard
When thinking about how these GRC principles work together, consider the simplicity of a car’s dashboard. As the driver, you are essentially acting as the CEO/COO/CTO/DPO/CISO. The dashboard only offers the data (KPIs) that you require to safely operate the vehicle (speed, distance traveled, available fuel, tire pressure, brake functions). This is similar to the operational GRC inputs received by C-level management and their respective governing boards to enable effective business decisions.
Consider also the control systems associated with your vehicle’s engine. There are thousands of data points being captured and sampled every second to ensure proper engine and vehicle performance. Still, you are only receiving limited actionable information through the dashboard. Your vehicle’s computer [engine monitoring unit (EMU) and system monitoring unit (SMU)] handles all the details, logging any aberrant events or errors. If a serious event occurs, you are alerted again via the dashboard. These alerts, such as a ‘check engine’ light, require you to schedule an appointment with your mechanic to review your vehicle’s EMU/SMU logs. All engine processes are integrated and function as a single unit to deliver power to the vehicle, which enables you to meet your personal travel objectives.
Now imagine what would happen if: 1) your vehicle’s fuel system decided it would only send fuel to the combustion chamber when the engine’s pistons are in a ‘down stroke’ position; or 2) the camshaft decides to communicate with the valves on a different schedule; or 3) the spark plugs all fire at the same time. If any of these events occur, your vehicle will fail to function effectively or won’t function at all. In a similar fashion, if GRC practices are not properly integrated across the enterprise, your organization won’t achieve its desired results or benefits.
Intelligent Automation’s Role in GRC Integration
To enable this integration, GRC platforms of the future should leverage next-generation technologies, such as artificial intelligence (AI) and machine learning (ML), to:
- Predict future risks and vulnerabilities
- Eliminate risk assessment bias and opinions
- Prevent, not just detect, exposure to risk events like fraud
- Provide continuous monitoring across all enterprise processes, including Security Information and Event Management (SIEM) tool inputs
- Enable specific, industry-based Integrated Risk Management solutions
- Support multiple regulatory and compliance processes, certification requirements and risk management functions
When considering the past and the direction in which GRC is headed, start by incorporating all four principles (strategy, people, processes and technology) and their interdependent relationships to gain true value from GRC. Companies should rely on tools and practices supported by intelligent automation to ensure an integrated approach to GRC. Through continuous monitoring, predictive risk management capabilities and a true integrated risk management mindset, businesses of the future can successfully implement GRC and, most importantly, maintain competitive advantage in the market.