Risk management is at the heart of Governance, Risk, and Compliance (GRC). In our rapidly changing business world, GRC principles are more crucial than ever. They act as the bedrock for regulatory compliance, information security, and third-party relationships, ensuring businesses navigate the complexities and uncertainties of the modern era.
On that note, below we offer a summary of SAI360’s webinar, The ABCs of GRC Software: Where to Start if You’re Starting from Scratch, featuring Michael Rasmussen from The GRC Pundit and Kelvin Dickenson, SAI360’s Senior Vice President and General Manager of GRC.
Big-Picture Risk is Critical
Today’s modern organizations are not defined by brick-and-mortar walls and traditional employees. Instead, they are increasingly interconnected, with a web of suppliers, vendors, outsourcers, service providers, contractors, consultants, brokers, agents, dealers, partners, and competitors. This complexity introduces new risks organizations must manage.
One such challenge is the growing reliance on third-party relationships, each of which can introduce new risks to the organization.
Another area of risk that can’t be ignored is the increasing pressure to report on and manage environmental, social, and governance (ESG) performance. Increasingly, companies are being held responsible for knowing not only their ESG performance but that of their third-party partners as well. This explains the popularity of robust third-party risk management programs.
To identify and manage these new areas of risk, as well as the traditional ones, organizations need a comprehensive approach that aligns risk management with their strategy and objectives. Taking a top-down perspective with a bottom-up operational assessment of risks is a great place to start. Integration is essential for addressing current GRC requirements effectively.
Understanding the big picture when it comes to risk is critical. No longer can organizational operations be siloed across IT, environment, health, safety, accounting, and so on. It is about identifying and acknowledging the spectrum of risks, how risks interconnect, and how they impact business.
Four Key Trends Emerge
Regarding such risks, here are a few trends in response to the increasing volume and velocity of risks faced by modern organizations:
1. Agility and Resilience
These two concepts go hand in hand. Agility involves the ability to proactively respond to emerging risks and challenges. Resilience—a concept that gained traction amidst COVID-19, war in Ukraine, and beyond—focuses on the capacity to recover quickly from adverse events such as crises, supply chain disruptions, and regulatory changes.
An increasing focus on resilience is evident in laws and regulations such as:
- UK FCA and Bank of England PR Regulation: Regulatory framework enforced by the Financial Conduct Authority (FCA) and the Bank of England
- EU DORA (Digital Operational Resilience Act): European Union regulation to enhance the operational resilience of digital service providers
- Australia CPS 230 and 231: Regulations in Australia under the Basel Bank for National Guidance
- USOC (U.S. Operational Resilience Guidance): Guidance provided in the U.S. to enhance operational resilience
2. ESG Integrity
Organizations are increasingly emphasizing their commitment to things like environmental sustainability, inclusivity, diversity, human rights, privacy, governance, information security, and transparency. These values—communicated through policies and statements—are expected to be reflected in organizations’ actual practices.
There is a greater focus on accountability for GRC amidst diverse risks and regulations. Various regions have introduced accountability regimes that hold specific individuals and executives responsible for different aspects of risk, compliance, and control. This trend signifies a stricter approach to enforcing accountability at all levels.
Effective GRC programs should engage back-office risk, compliance functions, and front-line employees who make daily risk decisions. Training employees to recognize and avoid risk is key. The technology used in GRC should be intuitive and engaging for all stakeholders, facilitating better risk awareness and decision-making.
GRC Demands Updated Processes
GRC practices vary widely among companies, with some using multiple platforms and relying on documents, spreadsheets, and emails for processes.
Documents, spreadsheets, and emails drive inevitable failure. These methods lead to time-consuming processes for identifying issues, version control conflicts, lack of a reliable audit trail, and an inability to stand up in legal proceedings.
There’s a significant risk of critical information slipping through the cracks, making it challenging to respond promptly and effectively to emerging risks or compliance challenges.
On the other hand, an integrated GRC platform can prove to be a tremendous time saver. For example, one Michigan-based firm used to spend 200 hours annually creating a report for their board of directors detailing the materialized risk events of the past year. After transitioning to an automated process that takes under one minute, they found unaddressed risk issues that had been ongoing for 11 months. The contrast between reactive risk handling and proactive risk management highlights the importance of timely risk monitoring and management.
Amidst constant business change and a dynamic regulatory landscape, organizations cannot afford to lag. Organizations can drive needed GRC changes and improvements by focusing on these four benefits:
- Efficiency saves time and costs
- Effectiveness enhances risk and compliance management
- Resilience helps organizations withstand disruptions
- Agility helps organizations proactively adapt to change
In most organizations, driving change can be a slow, tedious process. Before you introduce change, you need others to recognize change is necessary. This begins by first assessing your current state, followed by defining the desired future state and then constructing a business case. This process involves mapping out the program and establishing priorities to ensure a smoother transition toward more agile and effective operations.
You can have the best business case and still fail if you don’t have leadership involved. Establishing an enterprise GRC strategy necessitates executive support and the right leader capable of bridging departmental boundaries and fostering collaboration. For GRC initiatives to succeed, leadership must communicate effectively across various functions and ensure each department’s unique risks and concerns are considered in the organization’s overall risk profile. This horizontal approach to leadership is critical.
Another common misstep is addressing GRC needs with existing technology that was not developed with GRC activities in mind. Build a GRC platform that can deliver results for the current GRC landscape, but also has the capacity to adapt to future needs. Regulations change, geopolitical risks change, mergers and acquisitions evolve, and so forth, demanding adaptability.
Ultimately, GRC is the capability to reliably achieve objectives, address uncertainty, and follow through on risk assessment. It’s about asking key questions, such as:
- What are you trying to change?
- What are you trying to achieve?
- How can software help you get to where you want to be?
- What future state are you building toward?
- How are you going to get there?
- What road map is needed, and what is the value of following it?