The following article is by Matt Kunkel. Matt is the Co-Founder and CEO of LogicGate, one of the sponsors of #RISK.
Like Meat Loaf said: “I Couldn’t Have Said It Better Myself”
Nick James, #RISK Founder
5 GRC Trends: How Will Governance, Risk, and Compliance Evolve?
The rate of change in the business world is mind-boggling.
Business risks are evolving daily, from third-party suppliers to supply chains, regulatory issues, privacy concerns, operational challenges, cyber attacks, financial worries, environmental compliance, and more.
These problems are not isolated – they’re interconnected risks that require comprehensive solutions. The need for a conscious, holistic approach to governance, risk, and compliance (GRC) has never been more critical to organizations.
As the business environment changes, companies need to evolve their GRC strategies to maintain a comprehensive view of interconnected risks, understand the financial implications of those risks, and make more informed decisions at all levels.
Here are some GRC trends to help your organization take a proactive approach to transform risk into a strategic advantage.
1. A culture of resiliency and agility to face GRC challenges
Try as you may, you can’t avoid all risks. Businesses must develop a culture of resiliency as they consider and prepare for the most pressing threats.
Agility in risk management refers to an organization’s ability to avoid a crash. On the other hand, resiliency is how an organization recovers from it.
As your business prepares for inflation, economic uncertainty, and the global risk of stagflation – a sharp slowdown in growth – you must build resiliency to recover from obstacles with minimal business impact.
Resiliency has gained importance in recent years. It integrates with enterprise-wide risk management and works across the organization, providing a comprehensive view of what’s at stake. Agility and resilience complement each other.
Agility offers a strategic view of uncertainty, while resiliency offers tactical measures to engage across departments. Resiliency is also a culture, as it requires action from all organizational stakeholders.
GRC expert Michael Rasmussen compares this culture to the human body:
“Departments function as organ systems that work independently and simultaneously toward the same goals. Organizations must move beyond systems isolation to break down silos and look at risk holistically to create a strong culture of resiliency.”
While 75% of organizations acknowledge that siloed technology systems pose a risk management challenge, only 35% take enterprise-level action to address the issue.
When companies leveraged intelligent technology and a “pan-and-glass” view of risk, PwC found that their boards and executives were five times more likely to have high confidence in the organization’s ability to deliver stakeholder trust, greater resiliency, and better business outcomes.
2. The CIO role is evolving
Technology leaders, like CIOs, have outgrown their “secondary” or “back-end” roles of software implementation and project management. They’re now at the center of corporate decisions, becoming critical decision-makers in core business functions such as marketing, sales, product development, and finance.
The 2022 State of the CIO report finds that CIOs see their role as balancing business innovation with operational excellence. Three-fourths of IT leaders expect their role to maintain its newfound importance, driven by accelerated digital transformation efforts, regardless of organizations’ cyclical focus on IT issues.
And more than 80% of CIOs said they’re viewed as changemakers, focused on innovation.
This dramatic shift from traditional IT service delivery to a more strategic role frees CIOs to focus on business goals. As your technology leaders increasingly present business cases to executives, they benefit from a risk quantification approach to achieve strategic goals and provide valuable insights to the rest of the C-suite.
Older risk measurement scales, such as low, medium, high, red, yellow, and green, were far too subjective and left stakeholders uncertain about how risk decisions aligned with business needs. By quantifying risk in monetary terms, your organization can have a common risk language that shows its impact on revenue generation.
This shared language leads to a shared view of risk – critical to business decision-making – further elevating the CIO’s role.
Risk quantification’s shared language also facilitates scenario planning and analysis as economic conditions force companies to review their budgets. Risk mitigation strategies differ significantly in cost and reduce risk by different amounts. Risk quantification enables CIOs to compare control implementations, weigh appropriate mitigations, and provide feedback to the board.
→ #RISK: Europe’s Leading Risk Focused EXPO - November 16 & 17, Excel, London
Risk is now everyone’s business
3. Third-party risks become more critical and endure more scrutiny
Organizations increasingly rely on third parties, from facility management and physical security to legal services and technical support.
Incorporating third-party services can make your business more competitive by allowing you to leverage specialized skills and expert knowledge without burdening yourself with developing internal programs. But as the relationships with third parties and vendors that touch every aspect of an organization expand, your organization’s potential for vulnerabilities grows.
When you work with vendors, their risks become your risks. What’s more? Third parties are increasingly working with third parties themselves. Any breach or failure experienced by your third parties (and their third parties) puts your business at risk. In addition to the financial losses you face due to third-party vulnerabilities, your organization risks operational resiliency and reputational damage.
Seventy-three percent of companies expressed concern that third parties exercise too much control over customer data with unnecessarily extensive privileges and authorizations. And nearly half of the organizations have reported a data breach within the last year, with three-quarters attributing the breach to a third party with too many privileged access rights.
In addition to the immediate business threats that result from a breach, the potential loss of customer trust can have a more immediate, quantitative business impact than regulatory fines or reputational risk. According to IBM, 38% of the cost of a data breach comes from lost business. That adds up to an average of $1.52 million.
To build and maintain customer trust in third-party vendors, you need a proactive approach to third-party risk management. Amid escalating economic uncertainty, you need to look closely at third-party companies as businesses – which vendors are mission-critical and which ones you can eliminate with minimal negative impact.
As organizations tighten the screws of evaluating current vendors and approving new relationships, third-party risk management plays a key role. Part of a holistic GRC software, third-party risk programs centralize all essential information about your company’s suppliers, making it easier to manage performance, costs, and risk.
Effective third-party risk management consists of three components: a consistent vendor screening process, meaningful vendor prioritization, and ongoing monitoring.
Since third parties reach every corner of your organization, everyone needs to play a role in risk management to ensure nothing falls through the cracks. As a company, you must agree on the evaluation criteria and framework to evaluate third parties. You also need to decide on key performance metrics.
You may review contracts to identify vendors not meeting their commitments and enforce and manage service-level agreements (SLAs) more rigorously. With the right holistic GRC software, every team member can access the necessary data, tools, and common language to perform these evaluations.
Most businesses work with dozens of vendors. The best way to ensure third-party risk management success is to prioritize your critical vendors. Using these rankings, you can develop a scoring process and cadence that reflects the vendor’s importance.
Follow these steps to get started:
- Rank each third-party relationship based on how essential it is to your operations.
- List each vendor’s data or network access: the systems and levels of authorization.
- For each vendor, detail the operations and functions potentially impacted by an incident.
- Use this information to decide what details you need to evaluate each vendor’s vulnerabilities.
Most companies conduct some due diligence, but many don’t monitor third-party risks beyond an annual checklist. By then, information could be outdated, vendors noncompliant, and your business at risk.
By continuously monitoring your third-party risk, you stay abreast of evolving risk surfaces to mitigate vulnerabilities and create contingency plans as needed, based on real-time data rather than information gathered at the beginning of the relationship.
TPRM is a team sport
Managing third-party risk affects everyone from business leaders and internal audit teams to legal, compliance, and IT departments. With the right tools and clear communication, your business can manage vendor risks to protect yourself and your customers.
4. ESG regulations ramp-up
The conversation about environmental, social, and governance (ESG) as part of a holistic GRC has increased recently, with ESG efforts driving employment decisions, consumer behavior, board deliberations, and investment strategies.
While in early 2022, companies like BlackRock have been vocal about making sustainable investing a priority, contradictions between claims about ESG funds and their actual reporting have sparked the interest of regulators.
The Securities and Exchange Commission submitted two draft rules to provide guidelines for ESG funds. These guidelines would require investment firms and the companies included in their funds to demonstrate their sustainability claims before using sustainability-related names.
More than 80% of consumers believe companies should actively shape ESG guidelines, and almost all (91%) business leaders believe their organization is responsible for acting on ESG issues. Additionally, 86% of employees want to work for businesses that share their values.
From cracking down on corruption to maintaining accountability for diversity, equity, and inclusion (DEI) goals to reducing emissions, companies must take ESG monitoring and reporting seriously, or they risk falling behind.
Various frameworks guide which ESG factors are most important to specific industries, but the US has no established standard for ESG. While the frameworks provide general reporting goals, they don’t provide insight into ongoing ESG management practices.
To facilitate monitoring and reporting, your organization should address ESG as part of your holistic GRC program. By integrating your existing initiatives, data, and goals into robust GRC software, you gain greater insight into your ESG progress and risk.
These efforts will pay off as companies increasingly provide reports demonstrating that their ESG promises align with their actions.
5. Hybrid work introduces people risks, cyber risks
A resilient organization requires flexible and adaptable structures in all operational areas. While hybrid work offers employees flexibility, it also increases operational risk.
Organizations working to establish their “new normal” in hybrid models must embrace change and agility to protect data, fairly manage employees, and meet DEI goals.
Talent management challenges
Hybrid work models introduce a new workforce risk as managers navigate the challenges of a dual workforce: establishing and maintaining equal relationships with on-site and remote employees. One danger of hybrid working models is that they rely on a “management by walking around” style, which could be disadvantageous for remote workers.
To avoid such a discrepancy, your organization should invest in leaders. Provide them with training and development to foster virtual leadership skills and help them build better connections and relationships with remote workers.
Your approach to performance evaluation also needs to change. Don’t focus on an employee’s time “in the office.” Base evaluations on whether employees meet their work obligations, regardless of where they work.
Obstacles to DEI initiatives
Managers navigating hybrid work environments can inadvertently create two “classes” of employees: in-office workers with a solid connection to company culture and remote workers with less attachment to the company.
Women and people of color find more fulfillment in working from home and are more likely to work remotely than their white male counterparts. This preference can impede internal mobility for some underrepresented employees and jeopardize the progress of company-wide DEI goals.
To combat this risk, use data to determine whether internal mobility, performance evaluation, and employee benefits are equitable.
Answer these questions as a foundation for understanding how hybrid work could stall your DEI efforts:
- Who spends more time in the office? Does the data show demographic trends?
- How much control do different roles have over their time in the office?
- Does time spent in the office correlate with the likelihood of a promotion or pay increase?
- Are remote management tactics like digital monitoring used consistently across demographics, or do some groups face more surveillance than others?
- What is the relationship between the preferred work environment and employee retention and engagement?
After analyzing the data, identify issues and adapt workplace strategies to more equitable approaches. Review these questions regularly to see if your teams are staying on track or if new concerns arise.
Cybersecurity and compliance threats
Data breaches, major IT outages, and ransomware attacks have been ranked as the top risk issues for businesses worldwide in 2022. Remote work, contributing to growing cybersecurity risks, is going nowhere. Over three-quarters of remote-enabled employees told Gallup they plan to work remotely or in a hybrid capacity at least through 2022.
Tessian’s Security Behaviors Report found that more than half of IT leaders believe their employees have picked up risky cybersecurity habits since going remote – and more than a third of employees agree. When your employees work from home, they leave the relative safety of the office’s secure connections.
Remote employees are more tempted to access work materials on personal devices. Add in employees working from coffee shops and other public locations, and you have a recipe for cyber disaster.
An HP Wolf Security study found that about a third of employees find security policies an impediment, and many even work to circumvent security measures. According to the security firm, almost all IT teams (91%) have been under pressure to compromise security to maintain business continuity, and 8 out of 10 teams identified remote work as a “ticking time bomb” of a potential breach.
Protecting against data breaches and ransomware attacks starts with updating your organization’s cybersecurity practices and policies.
- Adopt multi-factor authentication.
- Ensure employee training reflects the latest advances in cybersecurity protection.
- Finally, equip IT staff to support employees in reporting both suspicious communications and their own errors without fear of reprisals.
Prioritize risk management
Risk management is everyone’s responsibility. Cultivating a culture of resiliency and taking control of third-party relationships will improve your risk attitude. Risk becomes a strategic advantage when you empower your CIO as a changemaker and commit to robust ESG monitoring and reporting practices.
By paying proper attention to your people – any organization’s greatest asset and risk – you protect DEI progress, combat ever-evolving cyber threats, and ensure your teams remain efficient in complicated hybrid environments.
Improving your organization’s cybersecurity practices should be your priority. Choose single sign-on to make authentication safer and easier for your business.
→ #RISK - ExCel, LONDON: 16th & 17th November 2022
Europe’s Leading Risk Focused EXPO
Risk is now everyone’s business
#RISK is where the whole ‘risk’ community comes together to meet, debate, and learn, to break down silos and improve decision-making. Five content hubs with insightful sessions, case studies, networking, high level thought leadership presentations and panel discussions.