Is AI the answer to effective risk management? IsoMetrix’s John Castner details why companies need to stop focusing on predictive analytics and instead prioritize removing a siloed risk management approach to deal with the impact of COVID-19.
As industries push to leverage technology in today’s COVID-19 world, many are looking for the next generation of GRC technology to integrate predictive analytics and artificial intelligence (AI). However, many have overlooked the challenges we still need to overcome to apply these use cases to GRC technology.
Right now, businesses are under a time crunch to understand, manage and mitigate the impact of COVID-19. One failed control or one materialized risk could have ripple effects impacting stakeholders and the bottom line. Without a proper risk management infrastructure, it is difficult to understand the impact of existing risks and the emerging risks caused by COVID-19.
Many hope that AI can help them understand how COVID-19 is impacting their bottom line. However, to date, predicting the unpredictable has proven difficult. Before thinking about predictive analytics, companies should focus their efforts on integrating GRC data across the entire business. This starts with removing the silos between a company’s financial, environmental, health, safety and social disciplines. After this critical step, companies can add HR, enterprise resource planning (ERP) and other systems into the data pipeline to gain a more holistic view of the risk landscape.
In risk management terms, COVID-19 now sits on most companies’ enterprise risk register, and the impact and consequences have also manifested at the operational level. The actual impact of COVID-19 can change regularly. Without continuously reviewing the core risk factors – such as the spread of COVID-19 throughout a business – and continuously monitoring and re-assessing causes, controls and safeguards, companies will have a difficult time understanding the day-to-day risks – let alone be able to use AI to predict an unwanted event. Additionally, a siloed approach to risk management makes it impossible to make the connections between the different areas of your business.
For a business to leverage the power of AI in a GRC solution, it needs an infrastructure to implement risk data across each business unit so it can clearly link enterprise risk. This comprehensive view of the risk environment will help businesses leverage GRC platforms and move closer to predicting unwanted incidents.
Handling the “New Normal” with GRC Technology
Change is a part of business, but rarely does it happen as quickly as it did in early 2020 due to COVID-19. Over the past six months, governments have created new regulations and guidance that continue to change. However, many software solutions that aim to assist in managing this regulatory change don’t help companies actually manage their broader risks. Thus, companies also need to find the connections between compliance and risk management, which is where GRC solutions thrive.
The problem is that traditional approaches to risk management create more challenges than solutions. According to Forrester and Disaster Recovery Journal, 51 percent of organizations are still using ad hoc tools and methods to manage business continuity and risk management.
This traditional approach doesn’t provide the speed, scale and agility needed to keep up with today’s business environment, particularly in the time of COVID-19. Businesses need GRC context quickly and efficiently. What was the norm yesterday may not be the norm today.
To get ahead of these ever-evolving risks, businesses need to start leveraging technology as a tool to help guide business decisions.
Creating Cross-Office Synergy
In traditional risk management approaches, businesses conduct risk assessments every six months to a year, and those risks are reassessed periodically to create the next year’s risk register. However, this approach isn’t working in the era of COVID-19. Risk management approaches need to be consistent and agile. This means GRC technology needs to be agile enough to allow for continual monitoring to help businesses implement a risk approach that can handle ever-evolving risks.
With most companies now working remotely, there is a plethora of emerging risks businesses must consider. Manually tracking these and doing so in a traditional risk management approach puts the business itself at risk, as well as its people. These emerging risks also necessitate the move to an integrated risk management approach in order to understand the interconnected risks, or the “golden threads,” those links between people, processes, risks, controls and events.
Not understanding these golden threads causes different departments to duplicate efforts, increasing the time it takes to respond to incidents. For example, if an employee tests positive for COVID-19, the social, safety, health, HR and legal teams have to execute a unified response plan.
Without an integrated infrastructure in place, these departments could repeatedly contact the same stakeholder. Siloed approaches may also create gaps in communication due to misidentified or unclear ownership. In the case of the employee with COVID-19, the team could forget to notify a critical stakeholder group, such as third-party contractors. Without notice, the third-party contractors could come on-site and risk contracting the virus. This could result in litigation and financial damage for putting the contractors at risk. In a sense, what COVID-19 has done is force companies to address these types of gaps in their existing processes and systems.
Digital Risk Ecosystems, Analytics and COVID-19
While an ever-changing landscape is the norm in the time of COVID-19, there is no doubt that there will be a plethora of opportunities to leverage the lessons learned. From a pure risk management perspective, COVID-19 will create a shift to more regular risk and control monitoring. In the past, a lack of data has acted as a barrier to predicting unwanted events in the environmental, health and safety realm. Through continuous monitoring, businesses can remove their data barrier and increase the amount of data they’re collecting to better understand the risk environment.
COVID-19 has put health and safety at the forefront at the employee, customer and community level. For businesses to operate and manage this new type of risk, they have to leverage the power of technology. Fortunately, given the proliferation of software tools to help companies manage COVID-19 and the return to work, options are plenty.
The truth is, there is no single technology solution that gives companies a holistic view of risks, no matter how integrated that company may be. Even companies that have already broken down the traditional silos still have a technology landscape that is either immature or has a myriad of best-of-breed solutions that solve specific problems for each department. Thus, it is still a challenge for companies to leverage all the information they capture to create a 360-degree view of risks. This makes it even more difficult to implement predictive analytics into GRC technology.
Therefore, leading companies are finding ways to not only create an integrated business, but also support the business with an integrated technology landscape. These companies are pulling data from GRC platforms, asset management systems, ERPs and many other solutions, pushing them into data warehouses and then leveraging corporate analytics tools to make key business decisions. This digital risk ecosystem is the technical realization of an integrated risk management approach.
If Culture Eats Strategy for Breakfast, then Technology is the Fork and Knife
To actually reap the benefits of GRC technology, businesses must integrate GRC tech into their larger operational strategy. Proper integration with HR, ERP and environment, health, and safety (EHS) systems incorporates risk management processes into businesses’ strategic objectives.
One outcome of COVID-19 is that it has encouraged businesses to adopt technology where they were previously resistant to do so. Government organizations that didn’t allow remote work now do everything remotely. Restaurants no longer hand out menus; instead, you scan the menu using your phone. Going to work at many places means using an app to self-screen in order to enter the facility.
Want “evidence” that technology is the key to business success going forward? Look no further than the fact that the S&P 500 has set a record amidst COVID-19. What drove that? Big Tech. The challenge going forward with GRC technology is the question around who it serves: executives or employees. To successfully integrate GRC technology, businesses need to create an organizational culture around GRC technology. This may sound simple, but often, employees’ lack of buy-in leads to a platform’s demise.
Knowing that management is prioritizing the GRC platform’s success, employees may be hesitant to share feedback as it could be negatively perceived. However, lacking an understanding of the platform leads to incomplete tasks or missing data. Not inserting that data changes how GRC platforms identify risky events.
Educating employees on the importance of GRC platforms provides more context and encourages feedback. Empowering the people closest to the project streamlines its implementation and creates more accurate data to drive key business decisions.
Successfully integrating GRC platforms into every business unit gives the executive team a comprehensive overview of people’s movement, training, attendance and more. This gives GRC platforms the data to determine what could go wrong and what could go right. If used effectively, technology influences culture, culture influences technology and businesses are more apt to achieve their strategic objectives. If data is the key to prediction and analytics, then a technology-focused organizational culture will move businesses closer to being able to leverage the power of AI and predictive analytics.
Looking at where things are today, there’s still a long way to go before GRC technology platforms can truly leverage AI. So, let’s not get ahead of ourselves – let’s focus on what really matters in terms of leveraging GRC technology: breaking down the siloed nature of business and risk management.