In an environment of increasing focus on business risk connected to governance, regulation and compliance, how do you get the most from your GRC strategy in 2016?
- Cyber Security – Top of the list is the much publicised threat from external attacks. The increased uptake of mobile and cloud-based technology means that internal business users are accessing company data and assets through more agile channels, further increasing the opportunities for cyber-attacks. Clearly, companies must be planning their approach for managing this risk.
- GDPR – Now that the EU has formally ratified the global data privacy regulations, there are increased powers to fine, based upon a percentage of revenue, for identified breaches. Ensuring adherence to the requirements, and evidencing that compliance, must be on the radar.
- Integration of Risk and Control – It is vital for companies to perform corporate risk management and to use a control mechanism. Without understanding the underlying risks, control activities can be applied inefficiently, causing redundant effort. Now, regulators expect these activities to be fully integrated so that risk and control data are centralised, creating a single view of the truth that all stakeholders can work with.
- Alignment of Strategic > Tactical > Operational Risk – Greater integration of strategic business risks at the corporate level should link to, and be influenced by, tactical and operational risk instances. This integration provides a much clearer picture of the total operating environment of the business. To ensure efficiency, there should be a mechanism to highlight the relevant risks to appropriate stakeholders, regardless of the source and type of risk.
- Control Automation Initiatives – Financial constraints on discretionary spend and various cost-saving challenges remain important, especially in terms of control for auditors and regulators. Moving to automated control activities improves the control environment by identifying preventative and system-driven controls, which can be repeated more often and with greater trust than manual alternatives.
- Mobility & App Integration – There is now the expectation and requirement for permanent access to corporate data across many different devices, including personal ones. Therefore, the security of corporate data, and of the associated technology that governs it, must be high on the agenda for GRC strategies in 2016, ensuring the right balance between agile, productive channels and tight security.
- Cloud / Service – Customers are making decisions to move to a more cloud-based architecture and are trusting more of their corporate applications to standardised service offerings. With that in mind, the GRC angle needs to ensure that the risks are properly identified and met with the appropriate levels of controls, put in place to safeguard the corporate assets, including data.
- Big GRC Data – Data analytics services are commonplace in consumer-facing business models, but there is definitely value in shining that torchlight on internal data to gain insights into corporate governance processes. Using GRC technology to analyse high volumes of data and identify patterns can act as a predictor of fraud. This introduces a fourth line of defence to your controlling environment and should definitely be a consideration for 2016.
- GRC in the Digital boardroom – Making use of live risk data and scenario simulations allows the board to make strategic decisions with realistic forecasts of impacts against their risks. For this to work, GRC processes will be challenged to provide instant access to much more information with far greater agility.