With March upon us, 2013 is well underway. GRC-related activity – in both process and technology – is increasing as organizations look for better ways to do things while facing distributed and dynamic risk and regulation. Fresh budgets, new resolutions, growing risk and regulatory burdens, the need to understand risk in the context of strategy, and a dynamic and distributed business all lead to process reengineering for the governance, risk management, compliance, legal, security and audit functions across the business.
GRC Process & Strategy Drivers
The bulk of GRC spending is happening at the department level to address specific issues or department level GRC process and technology improvement. GRC 20/20 Research is following several enterprise GRC strategies and implementations, but this represents less than twenty percent of the overall GRC market.
The number-one driver for improving GRC is dealing with the explosive growth of GRC “Big Data” in documents, spreadsheets, paper trails, and emails with no audit trails to validate who did what, when, how, where, and why. One RFP that GRC 20/20 worked on for a financial services firm revealed that the risk, compliance and audit staff were spending 80% of their time managing documents and reconciling information and only 20% of their time in actually managing risk and compliance.
Organizations are swamped by the volume of regulatory change: new laws, changing regulations, administrative decisions, and court cases. Keeping current on regulations, documenting impact assessments, and maintaining compliance has been a critical driver in several industries for adopting stronger GRC approaches to manage regulatory change. A specific focus is anti-bribery and corruption (e.g., US FCPA, UKBA, OECD).
GRC 20/20 is seeing significant activity in managing vendor/supplier risk, compliance, and performance across extended business relationships. Organizations are seeking improved third-party governance because of anti-bribery and corruption, conflict minerals, vendor assessments and attestations, security, and privacy. This brings a need to perform due diligence and to deliver assessments, audits, policy communication, training, forms, and attestations across third-party relationships. In particular, there is a growing need to manage risk and compliance around international labor standards across third-party relationships: GRC 20/20 has seen increased activity from organizations developing strategies and RFPs to address social accountability across the extended business.
Critical 2013 GRC Process and Technology Trends
GRC, properly defined, is “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance).” To address this understanding of GRC, and what OCEG calls Principled Performance, GRC approaches are evolving to mature the matrix of enterprise strategy, process, information, and technology. This is what GRC 20/20 defines as GRC 3.0 – where GRC becomes pervasive across the business and its operations, extending from the risk and compliance departments to the executives as well as to the “coal-face” of the organization.
The major trends GRC 20/20 is researching and monitoring in 2013 are as follows. GRC 20/20 classifies a trend as major when it changes the game and signals a significant shift in GRC strategy and technology.
- GRC Architecture. The core of GRC 3.0 is to approach GRC as architecture involving strategy, process, information, and technology working together across the business and its operations. Organizations are leveraging enterprise architecture concepts and applying them to GRC. GRC requires the integration of different types of applications and content across the business to achieve efficiency, effectiveness, and agility in a dynamic and distributed business environment. This requires that we understand the business and how it operates – leading to an enterprise architecture approach to GRC.
- Risk Socialization & Collaboration. Organizations are recognizing that effective risk management includes those on the front lines of the business – the “coal-face.” To execute on this, GRC leaders are exploring ways to make risk management social and collaborative, easy to understand, and engaging across all levels of the organization. One of the emerging methods is to use social technology to facilitate risk collaboration and gamification across the risk management process.
- Engaged Employee. On the topic of socialization, GRC is part of everyone’s job description. Forward-thinking companies are looking for the user experience: getting employees involved and providing elegant interfaces that employees enjoy working with. A lot of work has been done on GRC technology and process to manage the back-end of GRC—the processes and operations of audit, compliance, and risk management. However, little has been done to improve the front-end of GRC: engaging employees and providing them with interface, content and collaboration technologies to participate in GRC without feeling intimidated and lost.
- Operationalizing GRC. Operationalizing GRC is taking GRC to the business. This ties into the above trends of GRC Architecture, Risk Socialization/Collaboration, and the Engaged Employee, but is more than that. It is about enabling GRC across business systems and processes: bringing GRC to the process and ERP fabric of the business to improve real-time insight into business decisions, operational intelligence, and monitoring of the business environment.
- Mobility. There’s an app for GRC! GRC is embracing mobile technology on tablets and other devices. Issue reporting will readily be done through mobile devices. Tablets will be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access. Mobile devices will be used in conducting investigations, audits and compliance assessments. The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.
- Business, Risk, & Regulatory Change Management. GRC strategies are looking to integrate GRC process and technology with content from content providers to rapidly assess changing regulations, risks, industry and geopolitical events, and how they impact strategy, performance, controls, policy and the integrity of the organization. When the business changes, such as through mergers and acquisitions, GRC is getting involved to assess and harmonize policies, controls, and processes impacted by business change.
Other significant trends in 2013, but not categorized as major trends, that GRC 20/20 continues to research and monitor closely are:
- 3rd Party Management. Do you really know who you are doing business with? GRC is being used to manage and communicate integrity more effectively across business relationships with vendors, suppliers, outsourcers, contractors, consultants, service providers, third-party intermediaries, and other non-employee roles. The goal is holistic management of third-party relationship performance, integrity, risk and compliance throughout the business ecosystem.
- Business Process Modeling. Leading GRC solutions are adopting more business process modeling capabilities. This allows the organization to see how business processes function and how information flows, overlaid with control and risk areas. Organizations want a visual representation of a business process that shows where it is having issues and incidents – in other words, a graphical dashboard of the process in a GRC context.
- Policy & Procedure Management. Organizations are driven to replace ad hoc approaches to policy management. The goal is a user-friendly policy portal. Employees will easily be able to find the current policy, with interactive tools to explain it. Policy resources and related forms will be part of the portal. Learning management and delivery of training will be an integrated part of the portal itself rather than requiring disconnected platforms to be integrated. There are over a dozen policy management deals that GRC 20/20 is monitoring at the moment in Fortune 500 companies – and more beyond that.
- Corporate Compliance Management. In the past GRC focused on financial controls/compliance and IT risk and control. Then it moved to enterprise/operational risk and audit management. Now GRC 20/20 is seeing growing demand for compliance management platforms that bring together regulatory change management, policy management, compliance assessments, reporting/hotlines, training and investigations.
- Anti-bribery and corruption. Growing anti-bribery and corruption laws, requirements and enforcement actions challenge organizations. Organizations are looking for a mixture of process, technology and content to address anti-bribery and corruption compliance requirements effectively on a global basis, covering process, policies, training, screening, due diligence, and transaction monitoring.
- Identity & access governance. Who forgot identity? Identity and access governance is a critical enterprise GRC technology. Many risk and compliance issues boil down to who has access to what in both the physical and logical environments and whether that access is rational and justified. This includes making sure individuals are trained and aware of policies for the access they are given. 2013 will show greater awareness and integration of identity and access governance and technologies as part of a GRC strategy. Significant focus will be on compliance reporting and risk exposure.