
2020, The Defining Decade Of GRC & The Road Ahead

Written by Matthew Davies

Published on 30 Oct 2020


Governance, Risk and Compliance (GRC) is a complex, yet critical process. And, like it or not, it should be crucial to everyone’s business. It’s a topic that many C-Suite members, particularly CISOs and CIOs within your organisation, are beginning to think is vital to the success of the business. It’s a relief, then, that compliance and information security teams are taking this area seriously. Although organisations are at various stages of maturity in their GRC journey, more and more of them are looking at GRC technology to support them. Many are then taking a more consistent risk management approach by adopting a single framework or platform to consolidate all of the different data from risks, regulations and controls.

History of GRC

The evolution of GRC

Simply put, GRC today is not what it was ten years ago. It has evolved significantly during this time. If we rewind back to 2010 – eight years after Michael Rasmussen first coined the term during his time working as an analyst at Forrester Research – the concept of GRC technology had gained serious traction.

GRC allows multiple risk and compliance disciplines to work off one common organisational hierarchy and technology architecture to manage risks, controls, policies, threats, audits, assessments, and incidents. This web of information enabled the GRC market to grow in size and complexity. From 2007 to 2012, GRC expanded and moved into a multitude of new areas including things such as internal audit management, vendor risk, enterprise and operational risk as well as expanding from the compliance solution beyond the base of the financial control.


The future of simplicity

Organisations have moved from GRC technology just being used to support the second line of defence to it being embedded within the first line in the business. It has been a common trend within larger organisations to procure multiple GRC tools to meet their complex requirements. Within the last few years, organisations have moved away from this trend and are looking to simplify the process.

Out with the old, in with the new?

The so-called death of the term GRC has since irritated industry experts such as Rasmussen, who shared his alternative view here. In early 2020, due to changing market needs for Risk and Compliance management solutions, Gartner decided to no longer continue with the IRM magic quadrant and is currently re-evaluating how it addresses the GRC or IRM market. Early signs suggest it will be focusing on specific GRC areas such as IT Risk, Vendor Risk, corporate compliance, BCM and enterprise legal solutions.

Regardless of which camp you sit in, both terms are here to stay. GRC continues to evolve and, over the last few years, its approach has become more responsive to the ever-changing business. GRC technology is now highly configurable, intuitive and interactive, supporting the entire enterprise and engaging its employees more and more. There are now different solutions serving different needs on the market. All of them aim to be simple, flexible and easy to use, and they can be tightly integrated into the broader IT environment using modern, cloud-based technology, which is replacing many legacy GRC solutions.

Future of GRC

Although this might sound like something that is only just being looked at in your organisation, it is, in fact, something Forrester Research analyst Chris McClean predicted back in 2009, before the turn of the last decade. And he was right. An uncertain and tumultuous economy, coupled with rising regulations, has put GRC top of mind for businesses. While the importance of GRC remains unchanged, its approach hasn’t.


The next generation of GRC

Essentially, GRC technology has evolved from providing basic data capture and reporting to intelligent GRC. And it’s only just the beginning. We will soon see cognitive technologies take GRC to the next level. Machine learning, predictive analytics and automation, for example, will help GRC solutions learn from experience and draw conclusions, identify trends and patterns, solve difficult problems, create new perspectives and more. Here are just three use cases we are excited about:


1. Predictive analytics

Predictive analytics is fast gaining popularity – and rightly so. This powerful resource can scan through thousands of data sets and records, making it easy for organisations to learn from mistakes made in the past and predict the future. It also aids them in deciding on adequate precautionary actions to prevent or minimise potential losses, as well as to avoid similar risks returning.

It’s no wonder, then, that organisations are adding predictive analytics to their arsenal of risk management techniques. They can be confident that, as long as it’s applied appropriately, a machine will provide the best assessment and estimation of what would happen under any given circumstances – helping risk and compliance teams to identify and address issues immediately.


2. Data validation

Advances in machine learning and automation are enabling organisations to efficiently and effectively manage GRC data. For example, while the most critical controls are usually well understood and managed, many organisations are still faced with tackling poorly designed and duplicate controls, which are often challenging to manage and maintain and, at worst, do not address all the risks faced.

An automated solution can remediate such control issues. It will be able to identify where there are gaps in control coverage across the organisation, improve the quality and readability of control documentation, and act as a quality gateway to reduce the manual effort required in the control management process. This will free up time for GRC teams to spend on higher-value tasks.


3. Continuous risk and control monitoring

The emergence of data analytics technologies has unlocked opportunities for enterprises to take a more proactive approach to GRC. As such, many are now exploring real-time Continuous Auditing (CA) and Continuous Monitoring (CM) disciplines – as well as Continuous Controls Monitoring (CCM) techniques – to automate the monitoring and testing of a range of internal controls. All can deliver regular risk insight into the status of controls and transactions across the business.

In return, GRC teams can benefit from greater audit efficiency and effectiveness, enhanced internal controls, improved performance and more timely information to expedite a response and reduce cost. They will also see far greater transparency and a reduction in complexity.

The Road Ahead

This blog is the start of our commentary on digital transformation and the future of risk management.