All global trends such as pandemic, trade wars, environmental initiatives, workplace shifts and the fast rising of cybersecurity, have impacted all processes and systems of the organization and are also absolutely valid for Governance, Risk, and Compliance of course. But there are also some underlying currents that impact this area more particularly both in terms of overall risk & compliance practice and, closer to my focus, GRC-software technology.
Integrated approach to GRC
As per many reports, the huge impact of the pandemic on companies shone a light on the need for a more holistic approach to GRC, one that integrates it into the organizational strategy, inducing business planning.
Nevertheless, with each department or business unit having their own frameworks – and sometimes even tools, the data produced is not connected because the applications do not communicate. This lack of synergy prevents organizations from establishing an integrated approach to GRC. Hence the need for a new type of GRC solution that integrates to other “fit-for-purpose” software solutions that generate data to drive risk, compliance, and audit performance.
… But best of breed when and where it makes sense
To improve decision making, organizations have started rethinking their GRC strategy and adopt a “networked GRC” type approach by selecting specialized tools but also content and service providers addressing specific requirements. Since this somewhat conflicts with the first item in this list of integrated approach to GRC, we are now seeing a request to keep these specialized tools but connect the dots and bring them together in a single source of GRC truth where decision makers can get the information they need to assess the impacts on the business. And to enhance the GRC information with relevant additional data points coming from internal or external sources – not necessarily directly related to GRC topics.
As a matter of fact, and continuing on the requirement to add data points, companies require integration capabilities from their GRC solutions into a range of business systems, including Finance to support the Lead to Cash and Source to Pay processes, but also Human Resources for Recruit to Retire, or Supply Chain to (supporting Design to Operate), and many more! Not just for control automation or access review and provisioning, but also to enrich the risk and relate it to the organizational context.
… Especially with a Process Intelligence tool
Companies are also looking at visually laying out and documenting how business processes function in a GRC context in order to inform decision-making at every step of the process. With the intent to benefit from seeing where a process might be impacting the business, and enable the organization to identify where it may need to make changes.
The digital transformation is both a driver for company’s path to more technology and a trend since this new technology is not always adopted. With many digital transformation projects underway, organizations are looking at leveraging the technology acquired for GRC purposes as well as achieving true exception-based GRC where the processes are run automatically in the background and only deviances raised to the relevant stakeholder.
Technology, in particular Artificial Intelligence with Machine Learning, Natural Language Processing or Predictive Analytics type capabilities, are now prime-time ready and can be applied much more widely to the GRC discipline. It’s not new of course, and many solutions have included these capabilities for quite some time, but often in isolation as an add-on. These can now be fully leveraged – together – to lead to autonomous GRC.
Much more analytical GRC…
The GRC discipline itself is changing and so are its requirements. Not only are analytic capabilities leveraged to design, manage and optimize business processes and control risk, but they are now also often embedded into workflows and controls with a simple intent: quantification. Quantification of risk exposure, but also of the total value of all associated mitigating strategies to ensure adequate coverage – and not over-coverage for instance.
… Enabling Proactive Risk Management
With the automation capabilities mentioned just above, companies are also looking at moving to a much more proactive approach to risk management, for it to be able to take action by causing change and not only reacting to change when it happens. To do so, many companies are investigating predictive indicators, simulations & scenarios, but also, early identification of emerging risks.
Interestingly, I had been asked about this trend some time ago already so I had written a specific blog: GRC Tuesdays: Proactive Risk Management detailing what this (currently) includes for companies, such as:
- Providing a complete view of the risk: where is it today and where should it be tomorrow
- Rapidly escalating emerging risks, hence the potential threats that have not yet manifested but that could really endanger your operations, to the right level of authority
- Getting predictive data points trends based on forward looking indicators
Aligning Cybersecurity risks with Enterprise-wide Risk Management
On a final note in this short blog, I wanted to highlight a trend that is both functional and technological. As recommended by the National Institute of Standards and Technology (NIST), companies are looking at helping high-level executives and corporate officers understand the challenges that cybersecurity professionals face by providing them with the business impact information they are accustomed to getting for other types of enterprise-wide risks.
To do so, they are looking at further aligning cybersecurity risks with their enterprise-wider risk management framework.
Here again, it’s more then a trend, it’s a tsunami! As a result, I have also already released a dedicated GRC Tuesdays blog with more details and thoughts that you may find relevant: GRC Tuesdays: Cyber and Enterprise-Wide Risk Management – Bridging the Visibility Gap
What about you, what are the additional GRC trends that you are seeing and that I might not have mentioned in this blog? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard