Delivering 360° contextual awareness of your GRC programme
By Michael Rasmussen, GRC 20/20 Research LLC.
Governance, risk management, and compliance — what we refer to collectively as GRC — is the capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance). Over the past 20 years, we have seen technology evolve and mature to assist organisations in achieving this definition of GRC.
This evolution of GRC technology started with engaging the back-office functions of GRC, what we often call the second and third lines of defence. These are the risk, compliance, security, internal control, and audit/assurance departments that manage and monitor areas of GRC day in and day out.
Over the past several years, we have seen GRC technology grow and also spread to engage the front-office of the business, as well as all levels of management. These are the people who own risk and controls and who make risk and compliance decisions throughout the day. When you think about it, GRC is not about the back-office departments of GRC but about the front-office engagement and commitment to GRC. This moved technology into the Agile GRC era, which focused on usability and experience to make GRC relevant for the front-office of the business — not just the back-office of traditional GRC functions and roles.
We are now moving into the era of Cognitive GRC. This extends Agile GRC engagement throughout the organisation and automates it with the use of artificial intelligence and cognitive technologies to make GRC more efficient, effective, accurate and agile at all levels and areas of the business.
All the core elements of Agile GRC are still in place: usability, ease of integration, and configurability of the solution rather than customisation and coding. Organisations are taking the capabilities of Agile GRC technology and are now starting to look toward the future of Cognitive GRC capabilities as part of their purchasing decision. This includes capabilities for:
- Internal and external monitoring and profiling. The ability to assimilate, integrate, and relate a range of external and internal data sources to analyse and monitor for risk. This can include external feeds from data aggregators of loss, third-party information, know your customer, geo-political risk information, economic indicators, and regulatory intelligence. This is combined with aggregating internal information from various GRC-related technologies and business systems with transactions and master data records.
- Benchmarking and measurement. The ability to measure, monitor, contrast and benchmark internal GRC processes, actions, tasks, activities, controls, risks and issues against normalised common practices in your industry.
- Predictive analytics. With integrated and aggregated external and internal data combined with benchmarking, the organisation can understand its current state and analyse and predict with technology the future outcomes, impacts, and exposure on the organisation and its objectives. Predictive analytics acts on this data to contextually map and provide situational awareness to information — to identify relationships, and from there, identify actions. This provides alerts and monitors when thresholds, such as key risk indicators (KRIs), are crossed.
- Virtualised subject matter experts. Through the assimilation of all this data, combined with machine learning and natural language processing, the organisation can deploy virtual subject matter experts to answer risk, compliance, policy and control questions. Think of this as the Siri or Alexa of GRC: the ability to ask the system questions and get immediate answers.
- Robotic process automation. This all leads to robotic process automation, where the system can identify issues and automate responsive actions. This could be sending a user a policy reminder when they land in a country with a high risk of bribery/corruption. Or it could cut off access for someone suspected of wrongdoing, or place a suspicious transaction on hold for review rather than letting it go through.
Cognitive GRC will take GRC from the back-office and the front-lines to new worlds of understanding, insight and action. Though it also comes with its own unique set of risks — the greatest of these is human laziness. As we look to Cognitive GRC technologies, it is essential that we still provide human input and analysis on actions to support what the ‘GRC machine’ is learning and telling us. The machine can be wrong at times, and we need humans to do their work as well to make sure the right decisions are made. Machines are great at processes that require aggregating and analysing data to identify relationships. But humans are still needed for the creative, outside-the-box thinking that enables the organisation to reliably achieve objectives, address uncertainty, and act with integrity.