Digital technologies have profoundly changed our lives, blurring the lines between the digital and physical worlds. From its humble beginnings, the current constellation of tools and technologies that empower organizations has grown smarter. While digitalization makes businesses intelligent and offers immense value, it also opens up a diverse range of risks. Organizations often face challenges in effectively sensing and managing digital risks and in demonstrating reasonable compliance.
The impediments inhibiting effective GRC often get reflected as operational shortcomings, such as inadequate visibility into crown-jewel assets, a siloed view of risks, risk and compliance reports not catering to the right audience, redundant approaches restraining correlation and compounding exposure of risks, poor user experience and overwhelmingly complex GRC automation. With digital transformation going mainstream, organizations that fail to keep pace with relevant GRC strategies are likely to put themselves at a competitive disadvantage.
The following list summarizes the common misconceptions about the role of GRC in the digital ecosystem:
1) Traditional risk and compliance management practices organize operations into chunks of disconnected units, often noted as disparate departments merely administering their own chores to satisfy compliance requirements, with no homogeneity between risk frameworks, risk-scoring techniques, and terminologies, leading to misconceptions and cognitive disparities of GRC. The silo model also results in wasted resources and inefficiencies due to isolated approaches. Organizations should focus on bolstering effectiveness of GRC by breaking down silos and setting common or comparable frameworks and definitions.
2) With digitalization, businesses end up processing heaps of data of all forms, ranging from users' searches, clicks, website visits, likes, daily habits, online purchases and much more, to achieve their competitive edge. With data being the juice of digitalization, this also puts the organization on a path toward malicious attacks and information thefts. Given the fast pace of digital business and the burgeoning data underpinning the processes, GRC cannot work as a separate competence outside the digital processes – instead GRC should be integrated into design of digital transformation.
3) Digitalization is making inroads with novel delivery methods, and the supply chain is too big to ignore. The burgeoning growth of third-party relationships demands credible and timely insights of the risk and compliance posture underpinning supply chain entities. Remember, your organization is only as strong as its chain of suppliers, and any weak link in the chain is an opportunity for perpetrators to intrude. GRC cannot make the cut with a checklist focus.
4) GRC should communicate in the language of the audiences to demonstrate its value. How many times have we seen a risk assessment conducted at a theoretical level, highlighting the issues that management is already aware of; or a frontline questioning the context of the requirement in the controls framework and how it applies to his jurisdiction of support; or failing to keep the board’s attention due to technically overloaded risk presentations? It all sums up into a simple yet most complex expectation of “communication.” GRC should tailor its language to its audiences to advance user experience and to demonstrate value to business.
5) As speed and agility are the key influencers of success in the digitalization journey, administering GRC in spreadsheets and shared drives results in clear diminishing value for organizations. At the same time, automation is not the ultimate fix; the use of silo technologies without sufficient collaboration is far more upsetting than manual paperwork. Remember, the goal of GRC solutions is to deliver business value by providing accurate, credible and timely intelligence of risk and compliance, rather than getting tangled in solution warfare.
Digitalization is spreading its tentacles across organization. Though organizations are challenged to find new avenues of bulletproofing GRC, successful risk practitioners are staying ahead of the game by focusing on business value creation.
Editor’s note: Sathiyamurthy will provide more insights on this topic in his “Bulletproof your Governance, Risk and Compliance program - GRC by Design” session at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA.
Author’s note: Sudhakar Sathiyamurthy, CISA, CRISC, CGEIT, CIPP, ITIL (Expert) is an experienced executive and director with Grant Thornton’s Risk Advisory Services with a broad range of international experience in building and transforming outcome driven risk advisory services and solutions. His experience has been shaped by helping clients to model and implement strategies to achieve a risk intelligent posture. Sathiyamurthy has led various large-scale programs helping clients stand-up and scale risk capabilities. He has led and contributed to various publications, authored editorials for leading journals and frequently speaks on international forums. He can be contacted at email@example.com.