These are crazy and uncertain times, but this does not mean governance, risk management, and compliance (GRC) comes to a halt in organizations. It is the opposite, this is the time for strong corporate governance, risk management, and compliance. This is what gets organizations through the crisis and allows them to navigate the chaos. As the British taught us in World War II, we all need to “keep calm and carry on.” That last part is critical. Now is not the time for GRC to stall in your organization but to lead. We need to KEEP CALM AND GRC ON!
The official definition of GRC is that GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].” [source OCEG GRC Capability Model] Now is the time for greater GRC strategy, practices, and processes to enable your organization to
- reliably achieve objectives, though those may be changing to respond to the environment;
- manage uncertainty, which these times are very uncertain; and
- act with integrity in the face of changing business processes and economic conditions.
GRC strategies and infrastructure will come out of this stronger than ever. I have been a research analyst for 20 years, I saw GRC functions thrive after 9/11 in 2001. I saw them thrive after the 2008 financial crisis. GRC related departments, processes, and technology architecture will be stronger because of the horrible global crisis we face. GRC strategies, solutions, and services are and will be in demand.
Risk management, business continuity, operational resiliency, third party GRC, policy management are all hot topics right now that I am interacting on because of the crisis. Coming out this will see changes to regulations that will cause more demand for compliance management. Strategies related to ESG, EH&S, and CSR will grow in organizations because of this crisis.
How GRC Will Change in Organizations
I have been interacting on a number of inquiries this past week from organizations (across buyers of solutions as well as solution/service providers). Here are my thoughts:
- Risk management will fundamentally change. Too often enterprise and operational risk management programs have been dominated or even consumed with IT security risk focuses. IT risk is huge and an important topic, but our most significant risks are from other areas such as environmental, health and safety.
- Just a few months back I blogged on this, “Tale of Two Futures: Blade Runner or Star Trek?” While information security will remain a critical risk area, we are going to see more balanced enterprise and operational risk management strategies that include environmental and health/safety risks across industries.
- Operational resiliency – integrating risk and business continuity management. The UK, in financial services, has had a specific regulatory focus on operational resiliency which requires an integrated approach top operational risk and business continuity management (as well as third party risk).
- This is the buzz word right now and will be a global cross-industry focus coming out of this crisis. In most organizations, business continuity has been overly focused on disaster recovery from an IT focus. There will be a new focus in true business continuity management that is part of an enterprise/operational risk management program. Operational resiliency is what brings this together.
- Third-party risk management is a necessity. Business today is not defined by employees and brick and mortar walls. It is a complex web of relationships. The crisis is showing this.
- Organizations need 360° situational awareness of risk and continuity in their third party relationships. This cannot just be an IT security focus but needs to be complete situational awareness of risk and continuity in the extended enterprise.
- Policy management is in demand. I get a lot of inquiries on policy management, but I am the only analyst that covers it as its own defined area of GRC. I have been getting inquiries on best practices and ideas on how to communicate changing policies, track understanding/acknowledgment, and monitor compliance in times of crisis. The fact is that business operations have changed this past week — this means policies and procedures have changed. The common question is how do we change and manage policies in times of crisis and then bring the organization back to a state of normal (or a new normal)?
- There are a lot of organizations that have realized how messed up their policies are and that they need a centralized portal for all corporate policies to deal with crisis and change. When an organization has 20 policy portals scattered in different corners of the organization it makes reacting to crisis and change challenging if not impossible.
- Look for CSR/ESG to evolve. Many organizations are doing great things to respond to the crisis, and others are failing miserably.
- Look for a variety of lessons learned and new perspectives and initiatives in CSR/ESG particularly on matters of social accountability and responsibility in organizations.
I would love to hear your thoughts . . .