GRC 2021: ESG, Risk Management, Compliance . . . Driving GRC Maturity
Last week we looked at the overall three strategic trends in governance, risk management, and compliance (GRC) in 2021. These were integrity, resiliency, and integration. This week we turn our attention to the tactical, but very critical, trends that are driving these three strategic trends . . .
The primary directive of a GRC management capability in 2021 is to deliver effectiveness, efficiency, and agility to the business that needs to manage integrity and resiliency in the midst of uncertainty. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks and controls across the organization. Organizations need a mature GRC capability that brings together a coordinated strategy and process.
The strategic drivers – integrity, resiliency, and integration – are supported by several tactical trends impacting organizations in 2021. These are:
- ESG reporting. GRC strategy and focus is turning to ESG (Environmental, Social, and Governance) reporting at a board level. An organization’s ESG practices and reporting require the evaluation and monitoring of its environmental, social, and governance practices across the organization and its relationships. This has been a significant focus in Europe and is now gaining momentum in the USA. Bloomberg, Blackrock, the Social Accountability Standards Board (SASB), and the most recent National Association of Corporate Directors report show this as a growing board and corporate level concern.
- Maturing risk management. There is growing pressure to mature risk management in organizations. This includes more focus on risk quantification, aggregation, and normalization. The range of RFPs that GRC 20/20 is monitoring and advising on shows an increased focus on these criteria. This is also moving forward through standards and regulations, such as the German IDW PS 340 requirements.
- Policy management and regulatory change. Organizations across industries – but particularly financial services, healthcare, and life sciences – are seeing ongoing changes to regulations. Combined with the focus on integrity, organizations are developing enterprise policy management strategies to provide for collaborative policy authoring, management, and engagement. This includes the back-office management, monitoring, and enforcement of policies as well as the front-office engagement and awareness of policies.
- Compliance and ethics management. It has become clear that organizations need a federated compliance management strategy. There is no single department responsible for every aspect of compliance. Compliance functions have been scattered and operating independently of each other. There is IT/information compliance, privacy compliance, HR compliance, environmental compliance, health and safety compliance, government contracting compliance, procurement compliance, quality compliance, corporate compliance and ethics, and more. Organizations are beginning to develop collaboration and federation across these compliance and ethics functions to work together yet retain their autonomy.
- Employee engagement and culture. 2020 has forced organizations to rethink how they engage employees in 2021. Employee engagement in a remote, work-from-home environment drove many organizations to look for new technologies to engage employees and communicate risks, controls, policies, and awareness.
- Compliance and defensibility. Organizations are driven by regulators, law enforcement, external auditors, civil suits, and more to have a clear and defensible system of record of compliance activities. Regulator and law enforcement guidance, such as the updated U.S. Department of Justice Evaluation of Corporate Compliance Programs guidance, is specifically looking for a robust system of record of compliance activities. Defensibility is also a focus of the organization’s risk management and assurance practices.
- Privacy. The EU’s GDPR and California’s CCPA are top of mind in many organizations in the context of increased risk exposure. In California, the CCPA is now evolving into the CPRA. The Schrems II decision in the EU has shifted strategies. New privacy laws are coming into effect (e.g., in Switzerland).
- Information Security. Information security remains a significant focus in 2021, particularly in the wake of the SolarWinds hack reported at the end of 2020 – which impacted over 250 organizations that use SolarWinds. The work-from-home environment, which is here to stay, has many organizations rearchitecting their strategy, processes, and technology for information security.
- Accountability Regimes. There is a sweeping array of accountability regimes/regulations that put personal liability on senior management functions (e.g., executives) for conduct, risk, compliance, control, and ethics issues. These individuals can be personally fined or go to jail. It started with the UK’s Senior Managers and Certification Regime (SMCR) and has cascaded into Australia’s Banking Executive Accountability Regime (BEAR), Ireland’s Senior Executive Accountability Regime (SEAR), Hong Kong’s Manager in Charge (MIC) regime, and most recently Singapore’s Individual Accountability regime. Firms that are not headquartered in these geographies but have operations there have to comply as well.
- Third-Party GRC/Risk Management. The interconnectedness of business is driving demand for 360° contextual awareness of the organization’s third-party relationships. Organizations need to see the intricate intersection of objectives, risks, and boundaries in each relationship. Gone are the years of simplicity in operations. Exponential growth and change in risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data impede third-party relationships and the ability of the business to manage them. These elements of distributed, dynamic, and disrupted business are driving significant changes in third-party governance, risk management, and compliance strategies in organizations.
- Environmental. It is a central component of ESG but also stands on its own because of the critical nature of environmental issues, risk, and regulation. Environmental change is a significant focus for organizations and corporations. The World Economic Forum, in its annual Global Risks Report, lists environmental risks at the top. With an incoming Biden administration in the USA, there will be a renewed focus on joining Europe in environmental regulation, and this significantly impacts USA organizations. Some regulators, such as the UK FCA under the SMCR regulation, are putting pressure on firms to make senior management functions accountable for managing the risk of climate change to the organization.
- Health and Safety. The pandemic of 2020 has brought health and safety front-and-center to all aspects of governance, risk management, and compliance within the organization and in the extended enterprise. There is a renewed focus on monitoring the health and safety risks in the business from both a human rights perspective (which ties into ESG) and a resiliency perspective.
- Greater Assurance. These drivers and trends in 2021 impact the role of internal audit and assurance functions. Audit is being tasked to do more to provide assurance across these areas. Gone are the days of audit being focused purely on internal controls of financial reporting and IT controls. Today’s audit department has to provide a range of assurance activities across operational areas and third-party relationships.
- GRC Technology. Technology is changing to address these trends. RFPs are placing greater focus on selecting solutions that are agile and easy to adapt to the business environment. Solutions are also becoming more engaging, providing contextually relevant information in modern user interfaces to engage front-office/first-line employees, while also having the depth of analytics and modeling needed by back-office/second- and third-line GRC functions. Technology is also embracing the move to cognitive computing, artificial intelligence, and robotic process automation in 2021 and beyond.
Successful GRC management in 2021 requires the organization to provide an integrated process, information, and technology architecture. This helps to identify, analyze, manage, and monitor GRC, and to capture changes in the organization’s risk profile from internal and external events as they occur. It requires the organization to take a top-down view of risk linked to objectives, led by the executives and the board. It also involves bottom-up participation, where business functions at all levels identify and monitor uncertainty and its impact on objectives. This enables GRC management to be a seamless part of governance and operations. While that may sound like hard work – and it is – organizations that get a good grip on their GRC initiatives in 2021 have a much better chance of thriving in today’s complex business world.
The above blog is an excerpt from GRC 20/20’s latest research paper, 2021 Trends: Governance, Risk Management & Compliance (GRC):