On June 2-5, MetricStream hosted the GRC Summit 2019, the most influential gathering of GRC-focused professionals from around the world.
GRC — governance, risk management and compliance
Over 450 business executives, board directors, GRC practitioners, government leaders, and industry analysts attended the summit in Baltimore to discuss the biggest risks and opportunities facing organisations today.
Here are some of the key themes that emerged over the course of the summit:
1. Perform with integrity
“The days of looking at performance as the be-all and end-all of success have gone,” said William Onuwa, chief audit executive, Royal Bank of Canada.
Today, it’s not just about what you deliver, but how you deliver it. And that’s where integrity comes in. Integrity is key to building trust, and trust drives business.
So how does one build a culture of integrity? MetricStream CEO, Mikael Hagstroem, talked about the importance of organisations cultivating a sense of compassion — whether it’s in the way they approach customers, in the way they treat employees, or in how they shape the future of technology. Compassion builds integrity, which, in turn, drives sustainable performance.
“The best companies will be those that have a culture of integrity ingrained in everything they do” — John Forlines, chief risk officer at Fannie Mae.
Accountability also matters. There must be ways of rewarding employees who act with integrity while correcting those who don’t. The key is observable behaviour — is the organisation truly walking the walk, or just talking the talk? Is it embodying its purpose and values in everything it does? As MetricStream executive chairman, Gunjan Sinha, pointed out, we must evangelise purpose over raw performance or profits.
2. Ethical AI
“The future is software-defined everything,” announced Tony Scott, former US chief information officer. And with new software, particularly around artificial intelligence (AI), come new ethical risks — which is why Anna Felländer, co-founder, AI Sustainability Center, pointed out that the humanistic side of AI needs as much attention as the engineering side.
“GRC for AI” was a recurring theme at the summit. How should GRC steer the narrative towards creating a more socially conscious, ethical form of AI? How do we ensure that humans lead AI, not the other way around? How can regulation keep pace with new AI innovations? All important questions to consider.
As part of the debate around ethical AI, cyber security was cited by many speakers as a top concern. Scott emphasised the need to foster “secure by design” technologies instead of trying to retrofit security and privacy into legacy systems. He also talked about zero trust computing — staying vigilant to the risks of connecting technologies.
“We shouldn’t be asking ‘What can AI do?’ We should be asking ‘What should AI do?’” — Felländer
Other speakers and panelists discussed the importance of linking cyber security to the broader enterprise risk framework. People need to have the right information, in the right context, to make the right decisions, they said.
3. Risk in the boardroom
Jim Quigley, CEO emeritus of Deloitte and, at Wells Fargo & Company, member of the board, audit committee chair, and member of the risk and credit committees, pointed out that in the past, whenever there was a failure in financial reporting, the question asked was: “Where were the auditors?” Today, stakeholders are asking: “Where was the board? Where were the chief risk officer and the chief compliance officer?”
“Risk needs to be something that companies walk, talk, eat, and breathe every day” — Kenneth Bacon, member of the board, Comcast, and co-founder and managing partner, RailField Realty Partners
With increasing pressure on boards and executives to provide better risk oversight, the focus of integrated risk management (IRM) programs is shifting. As a CXO roundtable white paper pointed out, the biggest impact of non-financial risk incidents lies not in direct losses, but in the long-term erosion of shareholder value. Therefore, many organisations are designing their IRM programs to optimise shareholder value, which, in turn, helps them to predictively identify and proactively respond to risk events. The holy grail, so to speak, lies in bridging risk programs and metrics with strategic initiatives and objectives.
4. Agile GRC
In a world where disruption is the only constant, GRC must be agile. We need to be able to anticipate risks and issues more proactively to get ahead of the game instead of falling behind. Doing so will require greater collaboration and participation across all the lines of defense, particularly the first line. As Sarah Dahlgren, head of regulatory relations – corporate risk, Wells Fargo & Company, put it: “Risk management is everyone’s job.”
Many organisations have begun tying compensation policies to risk mitigation and issue resolution. The idea is to get to a point where more issues are self-identified rather than being spotted by internal audit or regulators.
Meanwhile, GRC teams are rapidly evolving. Internal audit functions, for instance, have begun to hire data analysts and process engineers in addition to traditional accountants and internal auditors. They’re also exploring the use of automation to enable 100% sample testing, which allows them to spot risks or issues more effectively than when testing a limited sample of controls.
“Change is the greatest challenge impacting GRC and demanding agility” — Michael Rasmussen, chief GRC pundit, GRC 20/20
Approaches to GRC are also shifting. Panelists at a discussion on risk culture indicated the importance of becoming more creative in risk management practices so that more can be accomplished with less. The panelists agreed that oversight processes must also become simpler.
As the need for GRC agility grows, GRC technologies are rapidly evolving. Andreas Diggelmann, chief technology officer at MetricStream, observed that new technology opportunities are presenting themselves across the whole chain of GRC, from the first mile to the last mile.
For instance, chatbots and natural language processing are being used to capture issue data from the first line of defense in a manner that is simple and engaging — i.e. without complex GRC terminology. Predictive analytics are enabling the second and third lines to anticipate and respond to potential “unknown unknowns” more proactively. Machine learning tools are helping executive teams detect risk patterns and receive recommendations on optimal mitigation options based on historical evidence.
The possibilities with technology are endless — all of which will make GRC increasingly pervasive. And pervasive GRC will be the foundation on which the organisations of the future are built, pointed out Diggelmann.