What is GRC? Its Past, Present and Future
What is GRC? And why is it a catalyst for commerce? The best way to answer this is by looking at GRC’s past, present, and future. To make sense of the present, it’s helpful to look at the past. To predict GRC’s future with confidence takes both an appreciation of GRC’s past and present.
Thomas Edison once famously said, “I find out what the world needs. Then I go ahead and try to invent it.” Back in the early 2000s, what the world needed was help complying with SOX, better known as the U.S. Sarbanes-Oxley Act of 2002.
It was a classic example of necessity being the mother of invention. The advent of the GRC platform can be traced to the necessity of business to comply with SOX. As companies responded to SOX and formalized their internal processes, the SOX influence spread to other parts of the enterprise and gave rise to a new way of governance.
Industry visionaries in the U.S. saw how SOX compliance was the trend-setter and embodied a new and productive way of doing business in a climate of more governance. Never shying away from a good acronym, these visionaries settled on GRC, which stands for governance, risk management and compliance, to express this new business modus operandi.
While not actually calling it GRC, organizations have been implementing GRC strategies for years to improve quality processes, assess and manage risk and control activities, as well as comply with environmental, safety and other industry-specific regulations.
As of 2016, North and South America lead the way in the GRC platform market with more than a 50 percent market share. Europe, Middle East and Africa are second with nearly 31 percent. Asia Pacific countries are third in GRC platform adoption with just over 19 percent.
Seeking new perspectives, Gartner conducted a survey of its clients to better understand the use of GRC software. In that survey, nearly 40 percent of clients were not using GRC software. Moreover, 65 percent of those same clients are not even familiar with the term “GRC.”
The technology adoption curve helps explain the current circumstances of the GRC term. The late majority and laggards are unaware of GRC and how it can transform their businesses. The early majority and early adopters see GRC as supporting risk management.
The growing emphasis on risk management is the result of the expanding regulatory requirements, the influence from global supply chains and third-party vendors, and the exponential growth of information technology and its associated risks. For businesses involved, GRC has a different connotation–one focused more on integrated risk management, in essence, the management of risks across the many tentacles of an enterprise.
What is GRC’s future in the next five to 15 years? That’s anybody’s guess, but there are a few things we can be certain of. Here are a handful of projections.
The pace of GRC platform adoption will continue for the foreseeable future.
Regulation and risk drive business to seek out technology solutions like GRC platforms. For example, business will continue to outsource and utilize third parties and fourth parties that will require risk and performance management.
Cyber risk will grow to dominate the risk management challenge.
The cybersecurity regulation that just became effective in New York portends what is to come. High profile data breaches will lead to cybersecurity legislation nationwide.
Deregulation may happen, but regulations are here to stay.
While the Trump administration calls for regulations to be rolled back, there will still be plenty of regulations to comply with like SOX, HIPAA, and countless others. Not to mention labor, environmental and privacy laws requiring compliance.
GRC platforms will expand into other areas like best practices and ethics programs.
Forward-thinking organizations will see how the integrated aspect of a GRC platform can be used to spread adoption of best practices and communicate ethics throughout the organization.
Artificial intelligence and algorithms will automate and optimize many GRC activities.
As Accenture noted, “AI will affect all levels of management, from the C-suite to the front line…it will increase collaboration between humans and machines.” In business, change is the constant while the goals are efficiency and productivity. If AI can help in that regard, it will be put to work.
Regardless of GRC’s past, present, or future, GRC platforms represent the best way forward to meet the twin requirements of compliance and risk management. No matter how you define it, the adoption of a GRC platform can be a defining moment at your company.
NSCC members face a new compliance requirement: cybersecurity confirmation. It sounds easy, complete a form, but risk is high. Here’s guidance.
Compliance departments are seriously challenged these days. As business swirls in response to COVID-19, compliance has taken a back seat. That can lead to trouble—violations, fines or both—due to missing deadlines. Management, in a questionable move, may ask compliance to do something taboo. Instead of reading a half empty glass post designed to help compliance deal with these challenges, they instead get a half full glass post that is brimming with optimism for compliance’s role during COVID-19.
COVID-19 has pushed several risk disciplines into the spotlight, including business continuity, third party risk, cybersecurity, and data privacy. We’ll explore each one and deliver advice and guidance.