With normal, day-to-day business processes interrupted and organizations increasingly adopting cloud infrastructure services, the GRC landscape is rapidly changing. LogicGate CEO Matt Kunkel offers predictions based on changes he’s seen within risk and compliance management this year.
Things in governance, risk and compliance (GRC) change quickly. Add the fact that normal, day-to-day business practices have been disrupted by the pandemic, and our compliance and risk mitigation processes have been drastically altered since the start of the year.
With this new environment, businesses have been forced to compress their digital transformation timelines, producing an uptick in cloud-based investments. According to Synergy Research Group, through the first quarter of 2020, corporate spending on cloud infrastructure services reached $29 billion, a 37 percent increase over the same quarter last year.
Increased demand for cloud services and the emphasis on digital transformation initiatives throughout the first and second quarters of the year heighten the importance of GRC not only now, but also as we look toward Q4 2020 and beyond. The outlook of the entire governance, risk and compliance industry has changed. C-suite executives and GRC professionals alike need to understand the new requirements, best practices and paradigm set before us.
With all that is happening within the GRC space, transforming entire business structures and functions, it’s best to reassess predictions and where we are as an industry.
Managing a Spiderweb of Third-Party Vendors
The rise of the cloud has led to the emergence of more third-party vendors and outsourcing of non-core business functions. How does this impact the future of risk?
According to estimates, up to 50 percent of a large organization’s total workforce is outsourced, and in 2019 the global outsourcing market amounted to $92.5 billion. Industries with high risk potential and more nuanced compliance mandates, such as health care, are no exception: according to Transparency Market Research, health care IT outsourcing alone is expected to reach $61.2 billion by 2023.
While utilizing third-party vendors allows businesses to focus on core functions and is incredibly beneficial to bottom lines, it also raises many privacy and security concerns. As third-party networks expand, those vendors have third parties of their own, creating a complex spiderweb of programs and data.
And with consumer data privacy legislation like CCPA and CPRA on the rise, CEOs and other C-suite executives need to get in front of risk mitigation processes and security concerns. They can no longer afford to be reactive; they must be proactive.
In order to securely manage third-, fourth- and even fifth-party vendors, more organizations will look to partner with GRC cloud solutions with the capacity to screen potential partners against lists of high-risk individuals or entities and offer risk-scoring metrics, ongoing compliance assessments and escalation frameworks.
As more companies invest in quantifying and benchmarking risk, robust risk-monitoring analytics will soon become the most important aspect of GRC processes.
For businesses to scale and grow during this time, they need to turn risk into opportunity. Because GRC is constantly changing, the ability to measure mitigation and vulnerability via metrics and data gives an organization a 360-degree view of its risk profile. Being able to identify the interconnections among GRC processes more easily then enables organizations to make more informed, strategic decisions.
In the future, it’ll be easier for risk managers to identify, define, gather and process risk data according to the company’s risk tolerance, making it easier to assign financial value. With assigned financial values, it’ll also be easier to communicate risk opportunities with the board, C-suite executives and other departments.
Quantitative data yields a more straightforward, specific approach to risk scoring. Just as a dollar value can be assigned to a risk opportunity, managers can eventually determine the probability of a risk within organizational activities and, from that, the amount of money at risk. Ultimately, GRC analytics can change much more than GRC processes alone, since they can scale entire enterprise-level businesses.
RPA: The Future of GRC
SaaS solutions, digital transformation initiatives and management platforms can draw on a variety of automated processes: AI, machine learning and robotic process automation (RPA), to name a few. But within GRC, RPA is the future.
RPA works so well in GRC because many risk and compliance functions follow a formal process. There’s a much clearer path to automating those steps as companies put more and more data through specific processes. As a result, RPA gives businesses the fortitude to make smarter decisions more quickly while freeing talent from tedious, mind-numbing manual tasks and allowing them to take on more strategic, complex work.
That being said, not every company looking to implement RPA within its GRC processes is positioned for success. The P (process) in RPA determines organizational progress and improvement.
RPA is a force multiplier, meaning it’ll enhance good processes and make them better, but it will make bad processes even worse. So, it’s vital for companies to have refined workflows before turning to technology to keep GRC momentum. In order to drive top-line revenue growth, businesses must have a culture of risk and compliance already in place, with great emphasis from all levels of organizational structure, top to bottom.
GRC Becomes About Revenue Generation, Not Just Asset Protection
Many, especially CEOs and board members, view risk as revenue protection. But, if leveraged properly, risk can be a major revenue driver for businesses.
Companies need to devise proper GRC processes that reflect modern-day risk management practices, like risk scoring and predictive analytics. With reporting capabilities that constantly monitor up-to-date companywide initiatives, along with holistic, customizable visualizations, risk managers and CISOs can provide CEOs and other C-suite executives with valuable information: quantifiable, digestible insights and data that transform all departments – not just finance or legal, the functions most traditionally associated with risk. Executives can then identify and respond to the most pressing concerns affecting the health of their organizational structure, internally and externally, and better predict the outcomes of business decisions.
For example, risk managers and a cloud-based GRC platform can quantify, in terms of percentages and dollars and cents, the risk and payoff associated with entering a new market or vertical, even in a more tightly regulated industry, like health care or finance.
Businesses need to remember: Risk isn’t a bad thing. Companies are built and scaled based on taking big, strategic risks.
With companies executing digital transformation initiatives earlier than anticipated and, in some cases, rushing implementation processes, they’re exposing themselves to greater risk and compliance concerns. As a result, the importance and presence of GRC will only continue to grow. Yet, within an ever-changing landscape, risk and compliance managers and C-suite executives need to reassess internal processes and, in the case of third-party risk evaluation, external processes.