GRC Management Practices From Credit Debt to Sustainability
Governance, risk, and compliance are not new concepts but have taken on new initiatives and strategic direction since the practice initially emerged in the financial sector. In this blog, we’ll review where GRC originated, some of the core elements that still produce vital insights, as well as new programs designed to navigate the modern and digitized risk landscape.
It all began at the turn of the century. If you were here for it, you likely remember a few key events. We saw a dotcom boom, a stock market bubble collapse, the 2008 financial crisis, and the rise of social media.
Elements of change across GRC Management Practices
These core events created the world we live in now: a completely digital one. And with the rise of the internet came the free flow of data and information. If the 21st century has taught us anything, it’s that data is a new form of currency, and one of the most valuable assets a business has. This new currency resulted in a drastic rise in cyber attacks, affecting companies and individuals alike.
Today, a hacker attack takes place every 39 seconds. All of this lends to the need for integrated cybersecurity and coordinated governance, risk, and compliance (GRC) management practices.
As the digital world makes advancements each day, so does the way businesses protect themselves. There’s still work to be done with regard to GRC management practices and understanding how to scale and operationalize them across your organization’s three lines of defense. So, where did GRC management practices originate? How have they evolved? And what do they mean for your business in the future?
The History of GRC
The true start of GRC
GRC became a widespread practice in the early 2000s with the expansion of compliance, most notably the mandated regulatory obligations introduced by Sarbanes-Oxley (SOX). Businesses had to adapt to new, stricter compliance enforcement.
Essentially, the term “GRC” was coined at this point, but GRC management practices had been active across financial departments protecting against financial loss for years. Those activities were instead referred to by several names, keeping everything in silos. They spanned the key disciplines of GRC management practices today, including audit, risk management, policy, and vendor management. All of it was done manually with pen and paper and stored in file cabinets.
Like everything in history, we typically are pretty underprepared until a crisis happens and wakes us up. GRC is no different. The Enron and WorldCom scandals were the crisis that highlighted the importance of having a financial reporting control platform.
The point is, companies were managing this process long before GRC management software was available. Companies have since evolved and implemented advanced strategies and tools to automate, consolidate, and optimize their GRC management practices.
GRC from 2000-2010
In the early 2000s, GRC adapted to the dotcom era and focused on two departments: IT and finance. While the two groups had the same initiative, their operational requirements were completely different. The finance team is the longest-standing responsible party for company assets, managing the company balance sheet. Its strategic needs today are some of the most well-defined throughout organizations. The maturity of GRC management practices for finance needs is evident in how legacy GRC applications have traditionally catered and customized solutions for the financial market. As financial transactions and business processes began shifting to digital formats, the need to incorporate strategic IT data protections
As the market began expanding at the turn of the decade, the new term became “eGRC,” or enterprise GRC. Company operations have become more interdependent than ever before, and with that, organizations have realized that governance, risk, and compliance were important across departments, not just IT and finance.
Recognizing these interdependencies also emphasized the siloed nature of evaluating business performance. Companies have since worked toward productivity and efficiency. Business leaders have sought a holistic approach to how business divisions manage their data. Audits, vulnerability management, business continuity plans, vendor management, and more are top priorities. The GRC market has expanded and specialized to meet these needs.
At this time, GRC was understood as the capabilities needed to integrate the governance, management, and assurance of performance, risk, and compliance activities. The problem was, most companies weren’t breaking functional silos within their organizations.
Today, GRC is viewed as an integrated collection of all capabilities necessary to support “Principled Performance” as defined by OCEG. This means organizations must address a multitude of factors including but not limited to:
- Transparency among customers and key stakeholders
- Complying with ever-changing regulations
- Managing third-party relationships
- Protecting against cybersecurity attacks of multiple forms
- Meeting ethical standards of operating for long-term sustainability
Today, companies are hiring dedicated compliance leaders to manage this process and invest an average of $1.34 million in specialized compliance or security technology. Also, 47% of companies using GRC tools (OCEG 2019) plan to increase spending in the coming years.
In short? Businesses are no longer questioning whether GRC management tools are a nice-to-have or need-to-have. It’s 100% a necessity to have GRC tools operating correctly within your organization.
The future of GRC management practices lies in automation.
The future of GRC management tools has already begun, given the evolution from legacy leaders to new, agile GRC platforms. There are a number of solutions with the software infrastructure to take your business to the next level.
More and more companies are delivering artificial intelligence and machine learning tools capable of:
- Predicting future risks and vulnerabilities
- Eliminating risk assessment bias and opinions
- Preventing exposure to risk events like fraud
- Providing continuous monitoring across all enterprise processes
- Enabling specific, industry-based Integrated Risk Management Solutions
- Supporting multiple regulatory and compliance processes, certification requirements, and risk management functions
The future of GRC is heavily automated, streamlining manual and repetitive processes, largely the transfer of data from one system to the next. With a connected infrastructure, cognitive GRC solutions can come into play, freeing your people to focus on analyzing and executing key risk decisions.
And through continuous monitoring, predictive risk management capabilities, and a truly integrated risk management process, businesses of the future will be able to implement GRC successfully and, above all, have a definite competitive advantage.