The governance, risk and compliance landscape is changing

Governance risk and compliance (GRC) has come a long way since its conception and integration in business. Along with many other areas of business, GRC has benefitted from the introduction and fusion of new technologies, helping to replace the perception of GRC as an afterthought and embed GRC processes holistically throughout organisations.

2017 was a year of regulatory anticipation, with organisations preparing for large regulations such as GDPR and MiFID II; by using GRC technology, enterprises are staying ahead of the curve and ensuring total compliance. Moving through 2018, the GRC market will continue to transform in the following ways.


Over the past year, GRC trends have arisen both at an organisational level and across markets globally. First, there has been a shift in the way technological risks are identified within an organisation. Internal auditors are often relied on to help the second line of defence uncover and assess risks, particularly when resources are tight. However, as independent assurance providers, this is not part of their remit, and, rightly so, the practice is fast changing.


Second, a string of high-profile third-party data breaches and money laundering incidents has turned businesses' attention to operational risk management (ORM). Moving forward, specialists will need to apply analytics and data mining techniques to an integrated framework of organisational risks, driving operational decisions through risk intelligence.

Globally, compliance risks have mushroomed due to extraterritorial regulatory oversight. For example, Brexit may see the UK leaving the EU, but issues of extraterritorial jurisdiction mean that business activities will still need to meet the existing regulatory framework. Similarly, while the General Data Protection Regulation (GDPR) may be an EU regulation, it will have a global impact, since it applies in any country where the data of EU citizens is processed. Globalisation means that regulatory and legislative requirements, including their reach and penalties, are crossing geographical boundaries more than ever.


Risk and compliance data management go back to basics

The Basel Committee on Banking Supervision's upcoming standard 239 (BCBS 239) requires large banks to collate risk information for accurate and timely risk reporting. By creating a 'single source of truth' from the risk universe, organisations can map risks to the business universe, the compliance universe and the audit universe.


Indeed, this information model provides a holistic view of organisational risks, as well as the impact of these risks on each other and on business objectives, audits, compliance processes and other elements.

The first line will take the lead on risk management

As more companies move away from reactive, defensive risk management programmes towards a proactive and agile approach, the first line of defence will be best positioned to own, understand and manage the risks it takes.

According to a survey by PricewaterhouseCoopers, organisations where the first line had greater risk management responsibilities were better at anticipating and mitigating risk events.

In response to this shift, the second line will take up advisory and strategic roles, defining and implementing risk management frameworks and collaborating with the first line to challenge and strengthen risk-based decisions.

Technology will strengthen risk intelligence

Innovations in technology are changing risk intelligence from cognitive and algorithmic – what happened and why – to anticipatory and assistive. Machine learning and advanced natural language processing will create rules to drive intelligence and provide intuitive risk exploration and analysis, strengthening risk management programmes and augmenting human decision-making with predictive risk insights. By collating structured and unstructured data from multiple sources and databases and extracting insights, these tools will enable companies to make swift, risk-aware decisions.

Cyber security incidents will continue to appear

The data breaches of 2017, such as Equifax, Yahoo and Three, stand as testament to the widespread reach of such incidents, with impacts on shareholder value and even election outcomes.


Last year, the Dutch government decided to manually count ballots instead of relying on its software. Through 2018 and beyond, governments and businesses will need to address the problem with practical and sustainable solutions and a holistic cybersecurity strategy that integrates IT policies, risk assessments, control tests, and audits as part of a broader enterprise and ORM programme.


Regulatory and financial crime compliance approaches must do more for less

Despite budget cuts for regulatory compliance and financial crime compliance groups, expectations remain high. Groups and organisations turn to workflow automation, but teams then realise they need a data model to drive data aggregation, group-wide compliance analytics and collaboration. The results include improved reporting, compliance control rationalisation, accountability and overall efficiency improvements.

GRC technologies will evolve to perform well at scale

With risk awareness and compliance requirements growing year on year, companies must look for GRC solutions that are scalable, flexible and extensible.


Organisations should invest in bringing all this information together in a consolidated framework, in order to harness insights from across business units, operational locations and third parties in a way that shows business leaders where their priorities for growth and retrenchment should lie.

Corporate resiliency to events is as good as its lowest common GRC denominator

The lowest common GRC denominator often grabs the headlines and casts doubt on others. For example, one event at one organisation can tarnish the wider industry. Moreover, governance within an organisation can be disrupted when one area cannot execute initiatives and manage risks. A CEO needs quality analytics across each business and functional group. This will lead to powerful and consistent data, which can be mined to identify emerging issues.

Indeed, businesses are at an exciting, yet critical, time for GRC programmes and technologies. Organisations need to implement holistic programmes to ensure they stay above board in this age of breaches, hacks and reputational threats. It is vital for companies to act efficiently and effectively, utilising GRC technologies to move toward proactive, rather than responsive, GRC.


Sourced by Brenda Boultwood, SVP of Industry Solutions at MetricStream


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
