There is this popular slogan that is very close to my heart: Think tomorrow; Reinvent your business today. Succeeding today, requires transmuting your business by radically rethinking how you deploy technology, people and processes to create value in more effective ways.
For many, the digital age is simply the industrial era ‘amped up’ on tech steroids. Perhaps marked by the IT industry’s coming of age as new technology became as much part of the social fabric as it was in the world of business.
To be sure, digital or information age is defined as the time period starting in the 1970s with the introduction of the personal computer with subsequent technology introduced providing the ability to transfer information freely and quickly.
Digital advantage resides largely in the opportunity to customize not only products and services but also organizational strategy and structure. Digitalization is progression from industrial age. The key elements of the digital age is shown in the figure below.
There can be no doubt that GRC is of utmost importance in today’s digital age. Organizations need to understand and respond to challenges deriving from embedding technology in the way they operate their business.
Addressing GRC in an integrated manner allows a consistent view of information assets and efficient application of resources that should augment each process and the outcome these bring to the organization, with the goal of improving overall governance and performance.
Technology risks have become a reality for all kinds of businesses. Irrespective of the size and type of an organization, one cannot ignore the possibility of such risks. Organizations today need to manage an overwhelming amount of big data supported by technological solutions which compels them to revise their GRC processes.
The digital information age is characterized by great business value being placed on creating, controlling and accessing data — and lots of it. As companies make this conversion to increasingly digital processes, GRC challenges proliferate.
The traditional thinking in the GRC environment starts with defining the process, promptly followed by building teams, utilising existing tools and deploying various technology solutions in the familiar hierarchy of organisational pyramid structures.
In most cases, this approach leads to an array of point solutions to achieve individual control objectives, and significant manual operational checks. The GRC structure is typically tagged onto the firm’s business model and strategy, rather than the business strategy being overtly designed to maximize effectiveness.
Furthermore, the vast majority of existing solutions in the market are quite fragmented and while they aim to automate processes within established control structures and help achieve incremental efficiency improvement, they still do not offer robust and holistic GRC environment.
Beyond process and governance improvements, Ernst & Young argues that “technology implications will extend the scope, consistency and efficiency of existing GRC effort and thus empower users to support faster decision-making which can be achieved through digitally-infused and intelligent GRC technology” as depicted below.
The current approach with multiple solutions deployed often blights productivity and can impact customer relationships thereby presenting an obstacle to sustainable growth. The already high cost of compliance continues to grow further. Thus organisations struggle to manage as there are: “too many tools and too many point solutions”.
Successful organizations are embracing the digital revolution, placing data and technology at the core of enabling organisational strategy and governance, driving informed risk direction from the top rather than accessorising existing processes with some spicy gadgets.
As time is of the essence, machines and data become critical in helping across the GRC framework – holistically, proactively and consistently across all layers of risk activities, aligning the framework with growth strategy.
In this new environment, it is maintained by several experts that the key features of a robust enterprise-wide GRC would include:
• A unified platform and data architecture for enterprise-wide risk based monitoring, investigation and reporting;
• A focus on data quality, leveraging, layering and consistency, ensuring a single customer view and integration of internal and external data, structured and non-structured – into a single place where analytics can be run;
• A flexible and dynamic data model – facilitating integration of new public and private data sources and 3rd party systems as well as proactive thinking ;
• Automated analytics to continuously improve proactive alert activity and its accuracy; and
• Flexibility to adapt to different markets and regional/ international regulators.
Implementing strong GRC practices doesn’t involve one solution, one policy, or one team: It involves a collection of solutions, policies, and teams that work together to address the many concerns that make up GRC.
As businesses change in the wake of disruptive technologies in the digital ecosystem, each of the three prongs of GRC faces its own challenges. Data governance becomes more difficult in the face of exponential data growth.
One of the greatest risks of any digital enterprise is cybercrime, and preventing it becomes more challenging as hackers grow smarter. And the regulation compliance landscape is constantly changing, making it a challenge for organizations to keep up.
As GRC challenges mount, it is more important than ever to have a robust GRC platform. Everyone has seen stories in the news that illustrate what happens when a company is hacked, or knowingly or unknowingly skirts regulations. It’s hard to tell what’s worse – the loss of money or the negative publicity that follows.
Emerging threats in the digital era are influencing the future direction of business and forcing their way onto board agendas. Old-world challenges (such as the integration of risk management and financial planning, protecting tangible goods or the fragmentation of data and business functions) collide with new ones in the digital sphere. Now, GRC and other “line-of-defense” functions must invest in managing digital risks that matter, and risk functions must transform.
In the years ahead, in order to deliver further value to the business, we expect the scope and characteristics of three lines of defense functions to evolve as follows:
• Firms will increasingly be expected to demonstrate “one view” of their risk profile and control management activities, yet granular enough to have “sharper sub-views” into different ring-fenced/legal entities, business units, geography and processes; and
• Streamlined, coordinated efforts between the 1st LoD and control groups (operational risk, aligned with other risk groups, as well as audit and compliance functions) will be a key focus.
When considering next-generation capabilities, firms need to enhance and/or rationalize their risk data and systems, guided by a cohesive vision that explicitly aligns business and risk management priorities, risk appetite statements, and a converged framework — one that enables a risk management and its ecosystem capabilities to be extended tactically in parts towards a strategic whole.
Given the continued pace of innovation around digital services and emerging technologies, what seems like a far-fetched vision could be closer than we think. The limiting factor, however, could be implementation and execution capabilities within firms to invest appropriately to strengthen various lines of defenses within the GRC ecosystem.
The tools of the future would need to be designed to help organizations with their risk-informed strategy and to enable confident risk appetite decisions, thus underpinning sustainable growth and appropriate operating models to support effective implementation of GRC within the digital ecosystem.
Dr. Emmanuel Moore ABOLO is the President, Institute for Governance, Risk Management & Compliance Professionals/GMD, The Risk Management Academy Limited.