As 2016 comes to a close, we set our sights on 2017. What’s in store for governance, risk management and compliance (GRC) platforms and integrated risk management processes? Will cybersecurity be the top issue? What will the new administration mean for compliance?
We live and breathe risk management and compliance, so we have a good idea of what to expect in the New Year. However, our predictions come with a caveat. Change is the only sure thing you can expect in the future.
Here are our top 10 GRC predictions for 2017.
- Companies will spend billions on cybersecurity. Only a fraction will be satisfied with their return on investment.
Despite billions spent on cybersecurity solutions, most of that spending will not measurably reduce risk. Many companies are responding to the threat by throttling up their spending on information security. Some of it is warranted. A lot of it is misplaced, going to tools while the root cause that research most often identifies, careless employees, goes unaddressed.
- Cyber risk management of all disciplines will be mandated by governments, first at the industry level and then across all businesses.
To illustrate, the New York Department of Financial Services issued the first-in-the-nation cybersecurity regulation for all New York financial services firms effective in 2017. The Department of the Treasury, the Federal Reserve System, and the Federal Deposit Insurance Corporation have all proposed similar regulations for financial entities.
- President-elect Trump will usher in an era of deregulation.
Expect a bevy of regulatory reforms with the new administration. But don’t expect change overnight. Regulations like SOX, Dodd-Frank, and the Affordable Care Act will take time to modify.
- Expect a marked increase in third parties found in violation of regulations and laws, resulting in fines for both the third parties and the companies they are working for.
Third parties will be in the spotlight for violations in 2017. Why? Perhaps it’s the sheer number of third parties, the fact that many are located in other countries, or that smaller third parties may lack compliance sophistication.
- Vendor risk management practices will extend to customers.
Companies are well versed in managing risks associated with vendors. In 2017, a greater focus will be given to managing risks associated with customers, everything from managing the risk of class action lawsuits and environmental concerns to response procedures for a social media snafu.
- Reporting and compliance initiatives will cost more due to a lack of data integration.
Companies trying to manage compliance in silos will see a rise in time and resources spent on reporting and compliance activities. That’s the result of duplication of efforts and data not being shared across the organization.
- Companies will reach the tipping point for linking risks to value initiatives and begin integrating risk management with business operations.
A growing awareness and increasing adoption of integrated risk management practices will serve companies well in 2017.
- Internal audit teams will be mandated in many industries by the government. Their effectiveness will be more scrutinized by regulatory bodies, investors, and the courts.
A government shortage in resources and expertise will lead agencies to shift auditing responsibilities to internal audit teams. That will then lead to increased scrutiny by regulatory bodies, investors, and the courts.
- Businesses in greater numbers will view business resiliency in a broader context than business continuity.
In 2017, business resiliency will expand to include an increased focus on brand value and reputation, as well as corporate social responsibilities like environmental safety and anti-bribery.
- Whistleblower reports to government policing agencies will decrease in 2017.
The decline can be attributed to companies building and promoting anonymous reporting to their internal review teams. Whistleblower rewards, however, will grow as the government dangles the carrot for more information on wrongdoing.
Those are our top 10 GRC predictions for 2017. The New Year may have something to say about the accuracy of our predictions. One of the benefits of having a GRC platform is that you don’t have to read the tea leaves. The platform helps you prepare for changes and manage them as they happen.