The Growing Need for Connected GRC

MetricStream recently joined hands with OCEG on curating a very relevant and insightful survey of risk and compliance professionals. The survey, conducted globally in February 2022, focused on understanding GRC program readiness in an extremely uncertain and volatile landscape for risk and compliance. The outcomes strongly echo the present market conditions and bring to light the need for a unified strategy – one that links risk and compliance seamlessly. Here’s a closer look at what risk and compliance professionals representing a wide spectrum of industries and geographies have to say.

A siloed risk and compliance approach is the biggest barrier to an effective risk response

Most organizations lack a fully defined and documented GRC strategy. Business leaders, however, believe that the gravity and momentum of risk and compliance challenges are escalating steadily. To address this, it is more important now than ever to have an organizational strategy that facilitates a holistic approach to managing, mitigating, and gaining advantage from risks across the business. A majority of GRC approaches used by companies depend on distributed, segmented, and separate systems. Respondents were found grappling with siloed programs, even as the pressure to perform rises. Respondents visibly recognize the limitations of segmented systems and the vulnerabilities they create. As many as 34% reported that siloed risk and compliance management was their biggest barrier to swiftly responding to changes in risks. This comes at a time when almost all GRC experts stress the importance of investing in improved visibility, insight, and actionability across connected GRC systems. And yet, many are still relying on separate, unlinked systems and approaches, and too many are using software that is not designed to support GRC functionality.

One might say that the data points towards a market that lacks clear direction and priorities. In fact, it is quite the opposite. Many respondents were sure about what they needed to address their challenges. Given the speed, scale, and seriousness of risks these days, this comes across as a positive development. GRC professionals view integrated processes, technologies, controls, and data as fundamental to addressing their challenges. Given the data above, it is hardly surprising that only 7% of respondents said they have excellent GRC capabilities today, while about 47% report that their programs are good. Incidentally, this is an improvement over the last few years. Yet there is room for much more improvement, and most, luckily, seem to understand it.

There is a need to adapt GRC programs for risk-readiness and organizational resiliency

The observations discussed tend to point to the progression of data that analysts have been putting together for years about the state of the GRC marketplace. But clearly, the most interesting findings are related to how people regard magnified challenges from the last few years, and how their GRC programs have had to adjust to them. According to the survey findings, approximately 85% of respondents reported significant changes in their GRC universe in the last two years, with nearly 70% reporting growing challenges related to employees working remotely, and 60% reporting increased data privacy and cybersecurity concerns. Similarly, as many as 20% of respondents have not acted or cannot report any changes in their programs vis-a-vis broadly acknowledged increases in risk. 

When it comes to adapting to these growing changes in the risk and compliance environment, 61% of respondents said their organizations consider maturing cybersecurity and data protection very important in the next 24 months. Nearly 56% regard maturing regulatory compliance as seminal, 54% say operational risk and business continuity strategies are essential, and just over 50% say audit and financial controls are very important.

The noteworthy recent changes in the risk environment, and the recognition of a need to adapt GRC programs for risk-readiness and organizational resiliency, are pivotal to how those with GRC oversight should be looking at their programs. The era of periodic risk assessments and separate risk and compliance functional teams is far behind us. If businesses wish to quickly adapt to risks, regulatory changes, and cybersecurity best practices, they must endeavour to bring their systems, data, policies, controls, and actions together in an integrated solution to enable expansive understanding, management, and advantage.

In a fast-paced and unsteady world, it is steps like identifying risk signals in the noise, linking and aggregating data, and facilitating real-time insight that can differentiate organizations that suffer from unexpected risks from those that can forecast and benefit from them. This is a very exciting and significant point in GRC maturity. GRC is a necessary function with a strategic importance that could determine how businesses work and succeed. Compartmentalized and segmented systems bring strategic disadvantages, while connected systems help deliver readiness, resiliency, and benefits.

Article by: Shankar Bhaskaran, Managing Director – India, MetricStream
