Using insights from time spent on the ground with businesses in a variety of sectors, Gaurav Kapoor, Office of the CEO and COO at MetricStream, explores five universal GRC trends
Over the past year, executives at large and small companies across a variety of industries have experienced fresh GRC challenges, bringing with them new risks and opportunities. What’s evident is that while each organisation is different – in terms of its culture, or speed of reaction to risk, or even digital maturity – there are several trends that remain consistent across all.
Disruption as the only constant
Disruption is one of the largest and often most under-represented risks that organisations face today. Banks, insurance firms, life sciences businesses, transportation companies, and even university admission processes, are all being disrupted at multiple levels.
Many are trying to predict and mitigate the risk of disruption ahead of time. A leading airline company, for instance, has created a risk-weighted customer experience where it aggregates and consolidates all its customer, operational, quality, and system related issues, and then aligns this data with its material and emerging risks. In doing so, the airline is able to proactively identify and address potential risk patterns, lapses, or gaps in customer experience that could be leveraged by the competition to disrupt the market.
Other firms are strengthening their preparedness to deal with both known and unknown disruptions. For example, in the national railway industry, a large provider is responding to potential market changes by prioritising risk events related not just to internal operations, but also to customers, the economy, and the entire national logistics infrastructure. This kind of risk vigilance is essential because of the critical role the organisation plays in ensuring that basic amenities reach some of the most remote locations in the country. As such, a lack of readiness for disruptions could lead to potentially life-threatening situations.
Harmonisation & the future
Enterprises are changing at an unprecedented pace: some are being acquired, others divested. Strategic priorities are shifting, while business models are evolving and, to match this, GRC functions, processes, and tools are also evolving. The key is to ensure that these changes occur in a harmonised, carefully thought-out, and phased manner.
A leading global insurance company learned this the hard way when it invested tens of millions of dollars in short-lived or ‘solve for now’ GRC programmes, which resulted in multiple silos and disparate processes. Compelled to rethink their strategy, the company sought to integrate and harmonise risk management, not with a ‘rip and replace’ approach but in a phased manner. They created a solid, agile foundation of data and process frameworks that allowed multiple legacy systems to co-exist. This data foundation formed the basis of a sustainable, future-ready risk management programme.
Another aspect of harmonisation lies in aggregating data from multiple sources, and then using it to provide risk insights in the context of business goals and strategic objectives. One firm undertook such a task after struggling for a long time to aggregate different perspectives on the same risk from quality, enterprise resilience, IT, and most importantly, business owners. By creating a common risk library and taxonomy the company was able to smooth out inconsistencies in risk communication. Additionally, implementing a federated approach to risk management provided the flexibility to accommodate various risk perspectives.
Crowdsourcing – knowing the lurking risks and opportunities
As organisations look for better risk information to guide their strategies, many are beginning to harness the knowledge and insights available in the front line. After all, it is there that emerging risks, opportunities, and hidden areas of concern are likely to be spotted. Getting that information starts with educating the front line about risk culture and expectations of ethical behaviour, backed by policies. Ultimately, employees need to be aware of key risks in order to mitigate them effectively.
The second step is about empowering the front lines with the information they need to make “in-stream” decisions. Closely following the effort to get the front line more involved in risk management is the need to aggregate information from them as simply as possible. A leading mortgage financial institution successfully achieved this through a “raise your hand” programme, which encourages the front line to report risks and issues using an easy-to-use, intuitive system. The data is then rolled up to the second and third lines for further investigation. It’s a simple, pervasive, and effective way to gather risk information from across the organisation.
Foresight as a competitive advantage
With digital information and the power of artificial intelligence (AI), GRC functions can, to a large extent, predict risk events, prevent anomalies, and act as true strategic advisors to the business. Instead of simply policing the enterprise, they can actually drive an organisation’s performance by providing forward-looking insights on risks and opportunities. That’s “AI for GRC” in action.
Just as important is “GRC for AI”. How do organisations effectively manage the risks around artificial intelligence, machine learning, and robotics – be it biases, immature technology, or incomplete data? One way is by bringing humans back into the equation. Human-assisted AI is key to better accuracy and governance in automated decision-making.
As an example, a social media company that relied on AI to automatically weed out posts that weren’t politically or socially correct realised that the tool was only 99% accurate. Humans had to be employed to assist the bots in making that last 1% work.
Agility as a key strategy
No matter how large and established an enterprise is, it has to be agile to keep pace with rapid changes in internal and external environments, and the same applies to GRC. As the volume and velocity of information escalate – even while the time for decision-making comes down – GRC programmes have to be agile and adaptable, be it in terms of frameworks, processes, technologies, data models, context, data aggregation, or dissemination. Adaptability is key in responding to change without disrupting the business.
Being agile also means designing GRC programmes that are driven by outcomes and value, rather than the desire to “complete” the programme. GRC is an ongoing journey; its objectives will change as the business and external environment also evolve. By designing for outcomes, organisations can respond faster to change, and recalibrate their approach more efficiently.
Indeed, the GRC challenges ahead are many but so are the opportunities. For the first time, the tools to predict key risks with a considerable degree of accuracy are available to enterprises. There are also reports that offer a real-time view of the big picture – how various risks influence each other and how that in turn impacts the achievement of business objectives. Organisations can harness the potential of the front line in uncovering and mitigating risks before they snowball into bigger issues. All these opportunities open up new avenues to build a strong foundation of good governance and integrity that will ultimately power sustainable growth and success.