Governance, Risk and Compliance: Trends and Predictions

Gunjan Sinha

Governance, Risk and Compliance (GRC) Trends

GRC Becomes Simpler and More Pervasive

Organizations are increasingly realizing that for GRC to be truly pervasive, the processes and tools that support it need to be as simple and intuitive as possible. It’s already happening with new generations of GRC software that are more personalized, responsive, and intuitive than ever. It’s happening with cloud-based GRC deployments that are faster and more efficient. Developers and partners are collaborating to build more GRC apps that can cover the whole gamut of requirements, ranging from IT risk management, to third-party management, and even regulatory change management. All of it brings us closer to achieving the vision of pervasive GRC.

Fewer Workflows, More Intelligence

GRC is no longer just about checklists, apps, capabilities, or workflows. It’s about building a true system of intelligence that leverages technologies such as natural language processing and artificial intelligence to glean critical risk insights from massive volumes of data. Imagine being able to automatically cluster thousands of suppliers into different groups based on specific variables, and then within each cluster, determine the outliers such as the highest risk suppliers, so that you can take action proactively. That’s where we’re headed: building intelligence not just for GRC practitioners, but also for executives, CEOs, and boardrooms. Just as ERP became the backbone of the system of transactions, and CRM became the backbone of the system of customer engagement, GRC will become the backbone of a system of intelligence.

GRC Extends Beyond the Four Walls of the Organization

As companies strive to grow leaner and more focused on their core competencies, they are outsourcing more of their business functions to suppliers, vendors, and partners. But with these third parties come issues of governance, risk, and compliance. How do you manage a global ecosystem of suppliers? How do you mitigate vendor risks before they impact the business? These are questions that GRC professionals are being called to answer. Today, when they think about audits, they have to think about auditing their vendors as well. When they manage risks or compliance, they have to think about the risk issues and regulations in their supply chains as well. The days of believing that GRC resides within the four walls of the organization are over.


The Cloud is the Future

The cloud will continue to change the economics of software across the board, including GRC. MetricStream has spent the last few years developing the next generation of GRC cloud infrastructure based on the latest technologies such as VMware and Docker, as well as Amazon’s AWS and the Google Cloud. The GRC cloud will go beyond a traditional multi-tenant architecture in which data is co-mingled, and instead adopt a multi-instance approach. That means that customers will be able to fire up various GRC app instances in near real time – whether it’s an internal audit management app, or an enterprise risk management app, or a third-party management app. Already, 80% of our customers are deploying their GRC apps on the cloud, and more companies are likely to follow suit as they focus on lowering costs and accelerating deployments.

Customers: The Ultimate Regulators

With the increasing adoption of social media and hyperconnectivity, the voice of the customer will grow louder than ever. Consumers will hold companies to standards higher than those of regulators. We saw it happen at United Airlines when a video of a passenger being mistreated went viral, hurting the company’s brand. We saw it when scores of customers deleted the Uber app because they disagreed with the company’s practices. That’s the power of the collective voice of the customers. And companies will have to pay attention. They will have to consider the risks associated with the voice of the customer, right at the center of their GRC programs. The more they do that, the more value they will gain, and the better prepared they will be to meet the highest customer standards.

The Power of Now

In a world of Instagram, Facebook, and Snapchat, companies and businesses will increasingly demand instant value. They will want to see results today, not after multiple quarters, or long deployment cycles. Therefore, GRC professionals will need to find ways of meeting this need – be it through real-time reporting of risks, or through mobile audits that can be conducted anywhere, anytime. At MetricStream, we’ve built a mobile app called GRC Pulse, which can be downloaded in minutes from the Apple or Android app store and leveraged in compliance activities such as policy attestations or training videos. It’s an instant-download-instant-use kind of innovation, and that’s the direction that we need to continue heading in. 

The Promise of Artificial Intelligence (AI)

Who would have thought that someday, restaurants would make entire pizzas using AI, or that you could have personalized robotic chefs in your own kitchen thanks to Moley Robotics? It’s already happening! AI is changing the world as we know it, and it will also change how GRC is performed and delivered. Future generations of GRC software will have natively built AI algorithms that can perhaps discover risk automatically, or predict compliance behaviors and patterns based on machine learning. Many GRC tools are already incorporating capabilities such as predictive modeling, mind maps, and advanced visualization. But these are just baby steps. GRC teams and solution providers will need to work together, and collectively find ways of making AI a real asset in GRC.

Turning Data into Insight

Over the next ten years, we will see a massive explosion of data. It will create tremendous opportunities from a business perspective. But companies will also have to learn how to harness data in their GRC programs, and find the needle in the haystack, i.e. the areas of critical risk, compliance, or governance that need to be addressed with priority. Data will need to be tamed, both in terms of volume and velocity, as well as security.