MetricStream’s Gaurav Kapoor shares insights and trends he’s gleaned from connecting with leading CXOs this summer. Here are some of the common threads these influential minds in IT GRC and audit discussed.
This June, over 450 business executives, board directors, GRC practitioners, government leaders, industry analysts and more gathered to discuss the biggest risks and opportunities facing organizations today, as well as the emerging technologies poised to impact business and society the most profoundly.
1. Emerging Technologies
The GRC landscape is quickly changing, as emerging technologies are drastically augmenting businesses’ capabilities.
For example, chatbots and natural language processing are being leveraged to capture issue-related data from the first line of defense in a manner that is simple, seamless and engaging, while machine-learning-based tools enable executives to better determine risks and receive recommendations based on patterns identified through predictive analytics.
Various CXOs highlighted that emerging technologies make new opportunities in GRC virtually endless, and they repeatedly drew attention to how these technologies can be leveraged to create a more pervasive environment.
2. Integrity in the Workplace
How does one build a culture of integrity?
The importance of establishing a culture of compassion that pervades every aspect of an organization – from the way it approaches customers to the way it treats employees and everything in between – is a common theme, as doing so fosters sustainable performance.
In today’s world, it doesn’t just matter what an organization delivers, but how it’s delivered, as integrity is a critical driver for trust in business.
Furthermore, experts repeatedly highlighted how accountability plays a huge role in maintaining an organizational culture of integrity. According to numerous business leaders, employees who act with integrity must be rewarded, while those who do not must be reprimanded, as it is important that organizations champion in earnest the values that they espouse.
3. Integrated Risk Management
“Where were the auditors?” was the question previously asked whenever there was a failure in financial reporting, according to Jim Quigley, CEO Emeritus at Deloitte and Member of the Board, Audit Committee Chair, Risk Committee and Credit Committee at Wells Fargo & Company.
Now, according to Quigley, companies ask:
“Where was the board? Where were the Chief Risk Officer and the Chief Compliance Officer?”
According to numerous CXOs, the most significant impact of nonfinancial risk incidents lies in the long-term erosion of shareholder value, not in direct losses.
As a result of increased pressure on boards to provide better risk oversight, many organizations are now strategically designing their integrated risk management (IRM) programs to optimize shareholder value, enabling them to better identify risk events in advance and respond proactively.
Experts repeatedly highlighted the value of bridging risk programs and metrics with strategic initiatives and objectives.
4. Nimble GRC and Anticipatory Risk Management
“Risk management is everyone’s job.”
– Sarah Dahlgren, Head of Regulatory Relations – Corporate Risk at Wells Fargo & Company
GRC must be agile in a society where disruption is the only constant. We need to anticipate risks more proactively to get ahead of the game. Getting started on this will require greater collaboration and participation across all the lines of defense, particularly the first line.
Others discussing risk culture indicated the importance of becoming more creative in risk management practices so more can be accomplished with less. They agreed that oversight processes must also become simpler.
Many organizations have begun tying compensation policies to risk mitigation and issue resolution. The idea is to get to a point where more issues are self-identified rather than being spotted by internal audit or regulators.
5. Secure by Design
Innovation in artificial intelligence (AI)-based technologies inherently raises cybersecurity concerns.
Tony Scott, former U.S. Chief Information Officer, reiterated the need to foster “secure by design” technologies instead of trying to retrofit security and privacy into legacy systems.
“GRC for AI” was a trending topic. Professionals need to understand how humans can lead the AI revolution while keeping pace with the innovations. Even more importantly, they need to create an ethical and socially conscious version of AI.
“The future is software-defined everything,” according to Scott. With new software, including AI, there needs to be as much, if not more, attention as the engineering side.
It is becoming a necessity to link cybersecurity to the broader enterprise risk framework. To make the right decision in the right context, it is important that people have access to the right information.
Scott also discussed the importance of “zero trust” computing and staying aware of the other risks associated with a variety of connecting technologies.