GRC Landscape in 2020: The unknown unknowns
December 23, 2019
By Dr. Emmanuel Moore ABOLO
2020 is around the corner as 2019 nears the end of its compass. Many are excited, while others are uncertain about what 2020 will deliver. This is especially true of the GRC landscape. What do we know and what do we not know?
Pliability will be tested in the coming year as cyber-attacks, geopolitical fears, extreme weather events, and other disturbances intensify. Resilience-building will be less about avoiding disruptions, and more about minimizing their impact when they do occur – because they will. The more prepared an organisation is to contain the impairment and get back on its feet, the better its credibility.
How will the scale and scope of risk priorities change in 2020? What are the fault lines that organisations need to watch for? How will digital advancements impact GRC? And what are the ethical issues that could hamper trust?
The market will continue to reward risk-takers, but to play the high-stakes game, organisations will need to move beyond the siloed, bitty risk programmes of the past. These programmes, which conventionally looked at risks in isolation, were not designed to respond to fast-changing risk environments, or to understand the interconnectivity of risks.
Future risk programmes, by comparison, will focus on building an all-encompassing integrative layer that maps the relationships between different risks—including their impact and related issues—while tying them back to business objectives.
Without an effective GRC programme, the fun soon stops when trouble calls. GRC projects must usually scratch and claw for adequate funding. The perception is that GRC is a cost centre with little or no benefit beyond keeping regulators at bay.
So why is that perception so prevalent, and how can it be changed?
Most GRC programmes start out with an enthusiastic sponsor in a random business unit with a healthy mix of anxiety and a can-do attitude – anxious enough to realize something is probably wrong without being sure what it is, yet industrious enough to hunt it down.
But deep down, where no one likes to confront stroppy truths, those are merely ways of ensuring they can keep doing the fun stuff without being accused of just existing to make money – as if that’s a dirty and ignoble purpose.
The general view is that GRC is a necessary evil (definition: cost) that impacts funding. There are significant performance gains that can be realized from an effective GRC programme. The data produced will pinpoint holes in a company’s operational effectiveness. Plugging those holes results in net gains.
We can put the many trends likely to upset GRC in 2020 into four broad categories:
- Global political, economic and demographic forces;
- Regulatory attitudes;
- Technology changes in how individuals work; and
- Operational changes in how businesses work.
Some trends will exist in one category and have repercussions in another. Some are likely to make compliance overall more difficult, but help GRC officers in their jobs and careers. Above all, specific companies, industries and GRC officers will all have their own individual experiences in 2020 and even beyond: some good, some bad.
So let’s consider what those trends are likely to be, and then spend some time contemplating how companies and GRC officers are likely to confront them.
The safest assumption to make is that the economy we see today—sluggish growth, high interest rates, tepid demand for products and services—is likely to persist. We may experience a recession or somewhat more energetic growth, but not soaring activity like the 1990s or an awful financial crisis like 2008-2010.
One prime reason for the economic emphysema around the world today is that nations cannot resolve domestic and international differences to let business flourish. We see political governance failures in Russia, Brazil, the Middle East, China, Europe and in the United States. That leaves countries unable either to rid themselves of corruption or to act decisively to reinvigorate economic growth.
Second, the Central Bank of Nigeria and other regulators will demand better Enterprise Risk Management to help their systemic risk management. We’ve already seen this attitude emerge in the financial sector, as regulators pressure boards to do better at “culture risk”.
Third, cyber security will change. The gurus of IT security know that cyber security based on authentication (passwords, tokens, challenge questions) is reaching its limit.
In the modern world of open wi-fi networks, mobile devices, the internet of things, contingent workforces and endlessly clever hackers, we will need to move to a system of identity assurance, where businesses monitor users of their networks to gauge “normal” behavior and investigate abnormal activity.
Fourth and lastly, risk analytics will keep getting better, and more important, and more complicated. This really is the consequence of all the trends above.
By 2020 and beyond, GRC officers will face persistent economic and regulatory risks, with not enough people skilled enough to manage them well, as more value is placed on the intangible qualities of an enterprise, which itself will be more expansive and ill-defined than ever.
So what happens next? The question facing GRC officers today is this: How can you structure your GRC program so you can meet the challenges coming tomorrow? Fundamentally, what you do won’t change much; how you do it will need to change enormously.
A big part of the answer is that you will need to leverage technology to “enhance” the GRC function—the people running it, the policies you distribute, the risks you monitor, the investigations you run. You’ll need to enhance all of it.
It does not mean that GRC officers should learn the latest social media app all the Millennials are using, or memorize every feature of every GRC software suite. Rather, you’ll need to understand how to make technology augment all your compliance operations.
In more human terms, this means GRC officers will need to do three things:
- Understand how the macro-scale forces in their world (economic, regulatory, technology) translate into practical challenges at their business;
- Work with internal partners (your CFO, CISO, HR, Legal, etc.) as well as outside experts (consultants, technology providers and others) to develop cost-efficient answers to those challenges; and
- Communicate with the board, CEO, and business operations leaders about how your vision for enhanced GRC protects the company and, whenever possible, gives the business a competitive advantage.
In 2020 and beyond, an inability to harness technology for GRC won’t simply leave you standing still or falling behind relative to your competitors—you will fall behind in absolute terms. Your organization will get worse at what it wants to do, because it will get worse at reaching the right decisions in a more difficult environment.
The time is now to take a hard look at your GRC programme, and begin moving it in the right direction.
________________________________________________________________
• Dr. Emmanuel Moore Abolo, Managing Director/CEO, The Risk Management Academy Limited. 08021003297; mail@drabolomoore.com; aboloemma@gmail.com