Gone are the years of simplicity in business operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Keeping business strategy, performance, uncertainty, complexity, and change in sync is a significant challenge for boards and executives, as well as management professionals throughout all levels of the business.
The interconnectedness of objectives, risks, resiliency, and integrity requires 360° contextual awareness of integrated governance, risk management, and compliance (GRC). Organizations in 2021 need to see the intricate relationships of objectives, risks, obligations, commitments, and controls across the enterprise. This requires holistic visibility into, and intelligence about, risk in the context of objectives. The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organization implement an integrated GRC management strategy.
GRC is: “a capability to reliably achieve objectives [governance], while addressing uncertainty [risk management], and act with integrity [compliance].” There is a natural flow to the GRC acronym:
- Governance – reliably achieve objectives. This is the governance function of GRC: to set, direct, and govern the reliable achievement of objectives. Objectives can be overall entity-level objectives, but they can also be divisional, department, project, process, or even asset-level objectives. Governance involves directing and steering the organization to reliably achieve objectives.
- Risk management – address uncertainty. This is the risk management function of GRC. ISO 31000 defines risk as “the effect of uncertainty on objectives.” Good risk management is done in the context of achieving objectives: it optimizes risk-taking to ensure that the organization creates value.
- Compliance – act with integrity. This is the compliance function of GRC. It is more than regulatory compliance; it is the adherence and integrity of the organization in meeting its commitments and obligations. These commitments and obligations can come from regulations, but they can also be found in ethical statements, values, codes of conduct, ESG, and contracts.
What Have GRC Functions Learned from 2020?
2020 brought organizations lots of disruption to objectives, operations, and employees. What started with devastating wildfires in Australia moved into a global pandemic that shut down the world and its various borders. Then, racial tensions and a focus on discrimination led to reevaluating policies and conduct rules within the organization and across relationships. These were followed by more wildfires in California that disrupted businesses. The year concluded with significant political turmoil and controversies, and with a third-party security breach for the history books: the SolarWinds breach. Throughout all of this was a risk and economic rollercoaster.
The year 2020 was a stress test of GRC-related strategies, processes, and integration. Some industries and organizations failed, while others were resilient. But there are lessons to be learned looking back on 2020 for all. These lessons showed us:
- Interconnected risk. Organizations face an interconnected risk environment and risk cannot be managed in isolation. What started with a health and safety risk and became a global pandemic had downstream risk impacts on information security, bribery and corruption, fraud, business and operational resiliency, human rights, and other risk areas.
- Objectives became dynamic. As the pandemic unfolded, it had a specific impact on business objectives. Adapting to the crisis, businesses had to modify their strategies, departments, processes, and project objectives. Objectives became dynamic in reaction to changes in risk exposure, and they had to be monitored in the midst of the uncertainty and volatility of the pandemic.
- Disruption. Business is easily disrupted by events ranging from international to local. In 2020, organizations had to respond to disruption from the pandemic, political protests and unrest, economic uncertainty, changes in business models and a work-from-home environment, human rights and discrimination protests, environmental disasters (particularly wildfires), and one of the largest information security breaches, the SolarWinds hack, which impacted over 250 organizations and is still unraveling.
- Dependency on others. No organization is an island. The year 2020 showed us that disruption and the interconnectedness of risk impact not only traditional employees and brick-and-mortar business, but also the range of third-party relationships the organization depends upon, as well as its clients.
- Dynamic and agile business. Business had to react quickly to stay in business in 2020. This required agility in changing employees, reduced staff with more responsibilities, and shifting to work-from-home environments. All this introduced new risks, as well as a demand for engaging employees and maintaining a strong corporate culture in the midst of global concern.
- Values were defined and tested. Organizations had to confront what their core values were and how they practiced those values, from treating employees and customers fairly in the midst of a crisis to how they address human rights issues such as ethnic racism in their business, operations, and third-party relationships.
2020 taught us that reliably achieving objectives, managing uncertainty, and acting with integrity requires a 360° view of governance, risk management, and compliance within the organization and across its relationships.
What Can GRC Functions Expect in 2021?
This interconnectedness of business is driving demand for 360° contextual awareness in the organization’s GRC processes to reliably achieve objectives, address uncertainty, and act with integrity. Organizations need to see the intricate intersection of objectives, risks, and boundaries across the business. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impede the ability of the business to be agile in times of uncertainty.
The elements of distributed, dynamic, and disrupted business are driving significant changes in GRC strategies in organizations in 2021. In addressing governance, risk management, and compliance, GRC 20/20 is observing three strategic trends organizations are focusing on in 2021:
- Integrity. Organizations are re-evaluating their internal core values, ethics, and standards of conduct in 2021, and how these extend and are enforced across the organization. The integrity of the organization is a front-and-center concern. Organizations see the need to define and live their corporate values in the business, in its transactions, with clients, and in third-party relationships. This includes a focus on human rights, privacy, environmental standards, health and safety, corruption, conflicts of interest, compliance, how risk is managed, conduct with others (e.g., customers, partners), and security.
- Resiliency. Firms globally and across industries are focusing on resiliency. The organization has to maintain operations in the midst of uncertainty and change, and this is becoming a key regulatory requirement in some industries. This requires a holistic view into the objectives and performance of the organization in the context of uncertainty and risk. Organizations are striving for business and operational resiliency that requires integration and symbiotic interaction of risk management and business continuity. The organization in 2021 has to be a resilient organization with full situational awareness of the interconnected risk environment that impacts them.
- Integration. To support a federated GRC strategy in 2021, the organization will look to rearchitect its GRC technology and information architecture. This will involve moving to agile GRC solutions that can manage the range of governance, risk, and compliance needs across the organization and engage back-office risk, compliance, and assurance functions (2nd and 3rd lines), as well as front-office risk-takers and owners (1st line). Key to this integration is the ability to provide robust analytics and contextual awareness of objectives, risks, and controls to ensure that objectives are met while uncertainty, risk, and integrity are managed across the business.
The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Governance, Risk Management & Compliance (GRC):