The simplest way to consider what is likely to happen with governance, risk management, and compliance (GRC) in 2018 is to reflect on what happened in 2017, extrapolate from current trends, and identify what is likely to (or at least needs to) change.
So now that the year is well underway and as we kick off the Year of the Dog, what are six things that everyone involved in leading and managing GRC activities needs to be thinking about?
Refocusing on the things that matter.
A consistent theme of 2017, which is continuing strongly into 2018, is a focus on the things that matter to the organization overall. This is particularly the case with enterprise risk management (ERM), where the CEO and others in the executive suite increasingly question the value of activities that are not clearly put into the context of achieving corporate objectives.
This means a number of things in practice. Firstly, as we have been hearing for several years, we need to move beyond a series of risk and compliance silos in which each team focuses on their own issues and reports their status outside of an overall organizational context. Performing effective enterprise-level risk assessments means making sure that all components are based on comparable criteria and weightings, and can be seen in terms of the impacts on strategic and performance goals.
It also means taking a smart approach to compliance and control issues. Work out what needs to be in place to satisfy critical regulatory requirements and conform to industry standards, without blindly spending resources on every item in a checklist. Focus on making sure that you do the 20% of important things necessary to take care of 80% of your issues. Control rationalization and optimization become increasingly important.
Increased automation.
We heard much in 2017 about how Robotic Process Automation (RPA) will impact financial and accounting processes, reducing the need for human involvement, increasing productivity, and reducing errors.
Increased automation is just as important now in risk and compliance management, for a couple of reasons. Firstly, just because accounting processes are more automated does not eliminate the need to worry about fraud, error, and abuse. No automated control is perfect, and people will take advantage of automation to find control gaps to commit fraud and abuse. Using automation to test financial transactions against suites of control tests—checking for fraud, error, and abuse—will become increasingly commonplace.
The second reason that automation will become even more important ties back to the first trend: focusing on the important things. While focusing on things that impact corporate objectives and performance is highly desirable, it does not remove the need to manage risk and compliance activities that are not critical but still need to be addressed. It will make increasing sense to use technology and analytics to monitor all activities (both high- and low-risk ones) in order to ensure both regulatory compliance and the integrity of financial activities, without the need to commit extensive people resources to the task.
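The automated control testing described above, run as a suite over a batch of transactions, looks roughly like the following. This is an added example, not code from the article: the transaction records, the approval threshold, the split-payment window and the four control tests (duplicate invoice, split payment, self-approval, weekend posting) are all constructed assumptions chosen to show one high-risk and several low-risk checks executing over the same data.

```python
"""Automated control tests over a constructed batch of payment transactions.

Added example; not from the article. The transaction records, thresholds and
control tests below are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    vendor: str
    invoice_no: str
    amount: float
    posted: date
    submitter: str   # who entered the payment
    approver: str    # who approved it


# Constructed sample batch (not real data). T1/T2 duplicate one invoice,
# T3/T4 split one purchase under the approval limit, T5 is self-approved
# on a Saturday, T6 is clean.
TRANSACTIONS = [
    Transaction("T1", "Acme Supplies", "INV-1001", 1200.00, date(2018, 2, 5), "bob", "alice"),
    Transaction("T2", "Acme Supplies", "INV-1001", 1200.00, date(2018, 2, 12), "bob", "alice"),
    Transaction("T3", "Northwind Ltd", "INV-77", 4900.00, date(2018, 2, 6), "dave", "carol"),
    Transaction("T4", "Northwind Ltd", "INV-78", 4800.00, date(2018, 2, 8), "dave", "carol"),
    Transaction("T5", "Globex", "INV-500", 300.00, date(2018, 2, 10), "erin", "erin"),
    Transaction("T6", "Initech", "INV-9", 7500.00, date(2018, 2, 7), "grace", "frank"),
]

APPROVAL_THRESHOLD = 5000.00  # assumed: payments at or above this need senior sign-off
SPLIT_WINDOW_DAYS = 7         # assumed: window in which split invoices look suspicious


def duplicate_invoices(txns):
    """Error/fraud: same vendor, invoice number and amount posted more than once."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.vendor, t.invoice_no, round(t.amount, 2))].append(t.txn_id)
    return sorted(i for ids in groups.values() if len(ids) > 1 for i in ids)


def split_payments(txns, threshold=APPROVAL_THRESHOLD, window_days=SPLIT_WINDOW_DAYS):
    """Abuse of approval limits: two sub-threshold payments to one vendor, close
    together in time, that together would have required the higher approval."""
    by_vendor = defaultdict(list)
    for t in txns:
        if t.amount < threshold:
            by_vendor[t.vendor].append(t)
    flagged = set()
    for group in by_vendor.values():
        for a, b in combinations(group, 2):
            if abs((a.posted - b.posted).days) <= window_days and a.amount + b.amount >= threshold:
                flagged.update((a.txn_id, b.txn_id))
    return sorted(flagged)


def self_approval(txns):
    """Segregation-of-duties breach: the submitter approved their own payment."""
    return sorted(t.txn_id for t in txns if t.submitter == t.approver)


def weekend_postings(txns):
    """Low-risk anomaly still worth monitoring: postings outside business days."""
    return sorted(t.txn_id for t in txns if t.posted.weekday() >= 5)


CONTROL_SUITE = {
    "duplicate_invoice": duplicate_invoices,
    "split_payment": split_payments,
    "self_approval": self_approval,
    "weekend_posting": weekend_postings,
}


def run_control_suite(txns, suite=CONTROL_SUITE):
    """Run every control test over the batch and return {test_name: [txn_ids]}.
    An empty list means that control test passed for the whole batch."""
    return {name: test(txns) for name, test in suite.items()}


def exceptions_by_transaction(results):
    """Invert the results so each flagged transaction lists the tests it failed,
    which is the view a reviewer actually works from."""
    out = defaultdict(list)
    for name, ids in results.items():
        for i in ids:
            out[i].append(name)
    return {i: sorted(names) for i, names in sorted(out.items())}


if __name__ == "__main__":
    results = run_control_suite(TRANSACTIONS)
    for name, ids in results.items():
        print(f"{name:18s} {'PASS' if not ids else 'FLAG ' + ', '.join(ids)}")
    print(exceptions_by_transaction(results))
```

Each control test is a plain function over the whole batch, so adding a new test or re-running the suite nightly against a fresh extract is a matter of appending to the dictionary; the inverted view is what gets routed to a reviewer, while passed tests need no human attention at all.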
Increased automation will take place in many other aspects of risk and compliance management, such as the workflow of continuous monitoring processes; the distribution and gathering of risk and control surveys and questionnaires; and updating of regulatory content and industry standards.
Increasingly fact-based, data-driven GRC processes.
There is now widespread recognition of the importance of using data and analytics in risk management and compliance processes—despite actual implementation levels still being relatively low. Through 2018 we can expect to see a big uptick in the extent to which organizations are incorporating data analytics. This supports a far more objective and scientific approach to risk assessment and improves dramatically on the subjective approach that is still common in GRC processes.
Also expect to see a far broader range of data sources being used for analytics and automated monitoring: not only examining and relating data from multiple financial process systems, but also including more external data and unstructured internal data, such as from social media and email systems.
Improved collaboration, enabled by technology.
The IIA’s Three Lines of Defense model has done much to draw attention to the need for professionals in all three lines to work together around common goals, while still focusing on their own particular area of responsibility. This means collaboration and communication around many things, particularly the sharing of data and information about risk and compliance activities.
Effective collaboration is not possible without using the right technology platform to share information and support the collaborative activities of each line of defense. Technology will support the entire collaborative process, but will also allow for the integration of specialized risk and compliance software components (e.g., those needed within specific industries, such as financial institutions, insurance, and healthcare).
Software technology will continue to become smarter, more powerful, and easier to use.
In GRC, as in every other part of our lives, the software we use will be better in 2018 than it was in 2017. Cloud-based applications will continue to demonstrate their advantages. In-memory computing (IMC) will deliver incredibly fast processing of big data. Visualization tools will enable greater insight into risk trends and compliance issues. GRC software will be accessed by users across multiple mobile devices, from laptops to tablets and phones.
Last but not least: improved performance.
Technology-based, data-driven GRC processes will increasingly add value to businesses, governments, and not-for-profits. Those organizations that use GRC technology and practices in the smartest way in 2018 will outperform those that do not.