
How GRC’s Past & Present Can Help Companies Thrive in the Future

Ralph Duff

Senior Compliance Manager, EPAM US

Looking back over the past decade, much has been accomplished in the GRC landscape. However, there is still room for improvement. The GRC story began to unfold as the new millennium ushered in a tidal wave of risk exposures, including the dot-com bubble stock market collapse, the 2008 financial collapse and a rise in cybersecurity attacks. These events, and others, spurred the passing of several laws to protect stockholders and the general public, such as the Sarbanes-Oxley Act. American companies also responded by developing two similar Enterprise Risk Management (ERM) frameworks: ERM Cube and GRC.

Leading into the second decade of the new millennium, GRC practitioners realized that their traditional, siloed approaches to risk management were no longer adequate for assessing the complex risks faced by large firms. As a result, leading companies looked for an integrated approach, applying the elements of GRC across all areas of the business, such as finance, HR, IT and more. In 2017, Gartner identified this trend and coined the term "Integrated Risk Management" (IRM). 

Four Keys to Integrated GRC: Strategy, People, Processes & Technology

Unfortunately, many organizations are still not unlocking the full benefits of GRC and its recent transition to IRM. According to the 2016 OCEG GRC Technology Strategy Survey, 14% of respondents indicate their organizations have fully integrated GRC processes, 21% are partially integrated, 38% have standardized some processes, and 27% are largely siloed. The key to achieving value from GRC is an organization’s ability to implement all four principles of the GRC model: strategy, people, processes and technology. Some businesses fail to incorporate all four of these principles because they do not fully understand the importance of each one, or the critical interactions and relationships between them.

Implementing GRC is a complex task and requires a strategy that defines the scope, business requirements, stakeholders, resources, timelines, budgets and risks. Purchasing expensive GRC tools and technology without a formal strategy and an understanding of business processes can result in costly modifications to customize GRC to ‘match’ or align with current risk management practices. Another common mistake companies make is neglecting to identify or mitigate risks associated with organizational change, and the resulting impact on people, brought on by GRC implementation. Without a common ‘risk language’ and normalized risks across departments, communication and reporting to C-level management can give a misleading picture of the organization’s overall risk profile.

A Simple Analogy: GRC as an Automotive Dashboard

When thinking about how these GRC principles work together, consider the simplicity of a car’s dashboard. As the driver, you are essentially acting as the CEO/COO/CTO/DPO/CISO. The dashboard only offers the data (KPIs) that you require to safely operate the vehicle (speed, distance traveled, available fuel, tire pressure, brake functions). This is similar to the operational GRC inputs received by C-level management and their respective governing boards to enable effective business decisions.

Consider also the control systems associated with your vehicle’s engine. There are thousands of data points being captured and sampled every second to ensure proper engine and vehicle performance. Still, you are only receiving limited actionable information through the dashboard. Your vehicle’s computer [engine monitoring unit (EMU) and system monitoring unit (SMU)] handles all the details, logging any aberrant events or errors. If a serious event occurs, you are alerted again via the dashboard. These alerts, such as a ‘check engine’ light, require you to schedule an appointment with your mechanic to review your vehicle’s EMU/SMU logs. All engine processes are integrated and function as a single unit to deliver power to the vehicle, which enables you to meet your personal travel objectives.

Now imagine what would happen if: 1) your vehicle’s fuel system decided it would only send fuel to the combustion chamber when the engine’s pistons are in a ‘down stroke’ position; or 2) the camshaft decided not to communicate with the valves, based on a different schedule; or 3) the spark plugs all fired at the same time. If any of these events occurs, your vehicle will fail to function effectively or won’t function at all. In a similar fashion, if GRC practices are not properly integrated across the enterprise, your organization won’t achieve its desired results or benefits.

Intelligent Automation’s Role in GRC Integration

To enable this integration, GRC platforms of the future should leverage next-generation technologies, such as artificial intelligence (AI) and machine learning (ML) to:

  • Predict future risks and vulnerabilities
  • Eliminate risk assessment bias and opinions
  • Prevent, not just detect, exposure to risk events like fraud
  • Provide continuous monitoring across all enterprise processes, including Security Information and Event Management (SIEM) tool inputs
  • Enable specific, industry-based Integrated Risk Management solutions
  • Support multiple regulatory and compliance processes, certification requirements and risk management functions

When considering the past and the direction we are headed for GRC’s future, start by incorporating all four principles (strategy, people, processes and technology) and their dependent relationship to gain true value from GRC. Companies should rely on tools and practices supported by intelligent automation to ensure an integrated approach to GRC. Through continuous monitoring, predictive risk management capabilities and a true integrated risk management mindset, businesses of the future can successfully implement GRC and, most importantly, maintain competitive advantage in the market.
