Governance, Risk and Compliance (GRC) is a complex, yet critical process. And, like it or not, it should be crucial to everyone’s business. It’s a topic that many C-Suite members, particularly CISOs and CIOs within your organisation, are beginning to think is vital to the success of the business. It’s a relief, then, that compliance and information security teams are taking this area seriously. Although many organisations are at various stages of maturity in there GRC journey, more and more organisations are looking at GRC technology to support them. Many are then taking a more consistent risk management approach by adopting a single framework or platform to consolidate all of the different data from risks, regulations and controls.
Simply put, GRC today is not what it was ten years ago. It has evolved significantly during this time. If we rewind back to 2010 – eight years after Michael Rasmussen first coined the term during his time working as an analyst at Forrester Research – the concept of GRC technology has gained serious traction.
GRC allows multiple risk and compliance disciplines to work off one common organisational hierarchy and technology architecture to manage risks, controls, policies, threats, audits, assessments, and incidents. This web of information enabled the GRC market to grow in size and complexity. From 2007 to 2012, GRC expanded and moved into a multitude of new areas including things such as internal audit management, vendor risk, enterprise and operational risk as well as expanding from the compliance solution beyond the base of the financial control.
Organisations have moved from GRC technology just been used to support the second line of defence to been embedded within the first line in the business. Its been a common trend within larger organisations to procure multiple GRC tools to meet the complex requirements. Within the last few years, organisation have moved away from this trend and are looking to simplify the process.
The so-called death of the term GRC has since irritated industry experts such as Rasmussen who shared his alternative view here. In early 2020 due to changing market needs for Risk and Compliance management solutions, Gartner has decided to no longer continue with the IRM magic quadrant and are currently re-evaluate how they address the GRC or IRM market. Early signs suggest they will be focusing on specific GRC areas such as; IT Risk, Vendor Risk, corporate compliance, BCM and enterprise legal solutions.
Regardless of which camp you sit in, both terms are here to stay. GRC continues to evolve and, over the last few years, its approach has become more responsive to the ever-changing business. GRC technology is now highly configurable, intuitive and interactive, supporting the entire enterprise and engaging its employees more and more. There are now different solutions serving different needs on the market. All of which are aiming to be simple, flexible, and easy to use and they can be tightly integrated into the broader IT environment using modern, cloud-based technology which is, replacing many legacy GRC solutions.
Although this might sound like a something that is only just been looked at in your organisation, it is, in fact, something Forrester Research analyst, Chris McClean, predicted back in 2009, before the turn of the last decade. And he was right. An uncertain and tumultuous economy, coupled with rising regulations, has put GRC top of mind for businesses. While the importance of GRC remains unchanged, its approach hasn’t.
Essentially, GRC technology has evolved from providing basic data capture and reporting to intelligent GRC. And it’s only just the beginning. We will soon see cognitive technologies take GRC to the next level. Machine learning, predictive analytics and automation, for example, will help GRC solutions learn from experience and draw conclusions, identify trends and patterns, solve difficult problems, create new perspectives and more. Here are just three use cases we are excited about:
Predictive analytics is fast gaining popularity – and rightly so. This powerful resource can scan through thousands of data sets and records, making it easy for organisations to learn from mistakes made in the past and predict the future. It also aids them in deciding on adequate precautionary actions to prevent or minimise potential losses as well as avoid similar risks returning.
It’s no wonder, then, that organisations are adding predictive analytics to their arsenal of risk management techniques. They can be confident that, as long as it’s applied appropriately, a machine will provide the best assessment and estimation of what would happen under any given circumstances – helping risk and compliance teams to identify and address issues immediately.
Advances in machine learning and automation are enabling organisations to efficiently and effectively manage GRC data. An example – that the most critical controls are well understood and managed, many organisations are still faced with tackling poorly designed and duplicate controls which are often challenging to manage and maintain and, at worst, do not address all risks faced.
An automated solution can remediate such control issues. It will be able to identify where there are gaps in control coverage across the organisation, improve the quality and readability of control documentation as well as act as a quality gateway to reduce the manual effort required in the control management process. This will only free up time for GRC teams to spend on higher-value tasks.
The emergence of data analytics technologies has unlocked opportunities for enterprises to take a more proactive approach to GRC. As such, many are now exploring real-time Continuous Auditing (CA) and Continuous Monitoring (CM) disciplines – as well as Continuous Controls Monitoring (CCM) techniques – to automate the monitoring and testing of a range of internal controls. All can deliver regular risk and insight into the status of controls and transactions across the business.
In return, GRC teams can benefit from greater audit efficiency and effectiveness, enhanced internal controls and improved performance and more timely information to expedite a response and reduce cost. They will also see far greater transparency and a reduction in complexity.
This blog is the start of our commentary on digital transformation and the future of risk management.