At the start of the millennium, GRC was still very much in its infancy. Fast forward to 2022 and it is no longer seen as a siloed process. Now it is an organisation-wide concern that permeates every decision from C-suite to the shop floor.
And its evolution shows no sign of slowing down as modern solutions are changing the way that GRC processes are delivered and embedded into day-to-day operations within organisations. So, what does the future look like? In an era where risk is accelerating, we need to look back to the past in order to understand the challenges that will shape tomorrow’s landscape.
The past
Historically the GRC market has been underserved. If you look back to the turn of the century when the market first began to form, everyone was doing things differently and there was no standardisation or best practice for companies to follow. What you’d find is that different companies were doing things in different ways, performing certain aspects of the wider GRC framework while ignoring others.
This is largely due to how GRC came into operation. It never started from a clean slate, nor went in a single direction. Instead, it formed out of a collection of various concerns ranging from the 2001 Enron scandal and the introduction of SOX to the 2008 financial crisis, to concerns over financial controls and the assurances over the filing of listed companies.
Providing quantitative outputs
Since then, there has been a huge amount of evolution in the GRC market as risk management methodologies and processes have become increasingly sophisticated in order to provide quantitative outputs. There’s far less ambiguity today than there was in the past, thanks in no small part to the software solutions that have sprung up to help companies manage their GRC processes.
Yet there is still a misalignment between GRC needs and much of the software that is being used to help address them. While organisations are crying out for functionality and flexibility, many are still left wrangling incredibly complex platforms that aren’t delivering the quantifiable, measurable business outcomes they need today.
The present
The good news is that there is now significant investment in GRC within organisations. Companies are adopting software, implementing policies, and putting the resources in place to implement effective GRC systems. Clearly, much of that has been driven by compliance and contractual requirements. But businesses have also started to realise the value of GRC to their bottom lines.
Nevertheless, in the current landscape, many organisations still face challenges when it comes to utilising their GRC system effectively. Part of the problem is that GRC is increasingly siloed. At best it’s integrated across an organisation, but at worst it’s treated as little more than a tick-box exercise - in other words, just doing enough to ensure the company doesn’t get in trouble instead of adding business value like being secure or quicker to onboard suppliers.
Ineffective risk management
This can lead to ineffective risk management as organisations only have individual pieces of the jigsaw rather than the whole puzzle, and ultimately this means that they can't fully appreciate the full spectrum of risks that they face.
The siloed nature of GRC processes also creates unnecessary complexity. If each team or sector has its own risk management processes, it can create a confusion of mismatched systems and frameworks. That’s why many organisations turn to software in the hope that it can help to bring everything together in one place. However, software alone cannot solve this problem. Without first addressing the root cause of an organisation’s issues, implementing software only exacerbates the problem, becoming a huge cost center in the process.
The future
Technology is helping to shape the future of GRC. Increased automation means that organisations can not only see the bigger risk and compliance picture but respond to issues in real-time. AI will be a huge driver for change and looks set to become an increasingly prominent part of the GRC landscape. It’s critical because it has the potential to truly automate the GRC process and apply learning or past behavior to future threats.
Perhaps most interestingly, AI also frees up people to stop working reactively. Typically, at the moment, we see that organisations aren’t using GRC to solve any tangible business problems but are instead looking to tick a box for auditors or regulators. All too often that means that their highly skilled experts are being reduced to mundane admin tasks that center around reviews and checking.
Specific business challenges
But by using the latest advancements in AI and machine learning, we can free these experts to work proactively, using data and insight to solve specific business challenges.
To truly harness the potential for the next generation of technology, however, more needs to be done to contextualise GRC and its value to the business. We need to see a shift toward outcome-driven metrics that translate risk management into tangible operational impacts.
Ensuring long-term success
The idea is that by understanding the impact that certain risks might have on your bottom line, you can better understand where to invest your resources and what your security priorities should be. This way of thinking also creates a much clearer business case for GRC, one that embeds it within decision-making across the entire organisation.
One thing that’s clear is that the future of GRC exists at the intersection between technology and expertise. In order to achieve desired outcomes faster, and with greater confidence, organisations will need to combine the automation and AI capabilities of the latest software with world-class insight in order to make decisions that ensure long-term success.