Top 6 2018 Predictions
As we say goodbye to 2017 and hello to 2018, let’s peer into the crystal ball to see what we can expect in the year ahead for GRC and integrated risk management. 2017 was a tumultuous year of good, bad, and ugly. 2018 is taking shape molded by new challenges and new priorities.
For a thought-provoking hour on what to expect next year, check out our 2018 GRC Predictions webinar held on Dec 14. It featured a guest panel of risk and compliance experts that included Tom Garrubba, Santa Fe Group, Peter Tessin, Discover Financial Services, Christina Whiting and David Grazer, Tevora and Sam Abadir, Lockpath.
In this post, we’ll revisit the webinar prognostications and edge out on the limb with one additional 2018 prediction.
- Risk management will be viewed increasingly as a competitive advantage
According to Peter Tessin, there has been an evolution in using risk management as a business enabler. For example, risk considerations are now part of the front-end thought process and planning with new products. What are the odds of us being hacked? What’s the risk of customer data being stolen?Said Tessin: “If I’m better at managing risk than my competitors, risk becomes a competitive advantage.”
- Third-party risk management will adopt continuous monitoring and trim vendor lists
As companies have relied more and more on third parties, risk concerns are forcing change. Tom Garrubba noted it’s not enough to assess a new vendor and schedule the reassessment. The question is, how are you going to continuously monitor third parties? Companies are also paring down their vendor pool for two reasons: one, to weed out lower-performing vendors and two, to address 4th party concentration risk stemming from several preferred vendors relying on the same support service.“Third-party risk management is not just assessing new vendors, but also how you plan to continually monitor and reassess all your third parties,” said Garrubba. “That amounts to additional workload for your program.”
- The digitization of the enterprise will continue to outpace regulatory guidance
The digitization of the enterprise is advancing faster than regulatory guidance. This view comes from Peter Tessin. The underpinnings of protection is regulation, along with appropriate standards and policies. As a step in the right direction, ISO published new guidance on process assessments.“We’re not updating guidance quick enough,” said Tessin. Until guidance catches up with digitization, businesses going digital will encounter more risk. The 2018 challenge will be in managing the additional risk. Many will seek guidance from key competitors and past court decisions.
- Expect a growing consumer awareness of data privacy worldwide
David Grazer is of the opinion that GDPR, the EU’s new data privacy regulation, will set the stage for data protection in the global economy. Delivering blanket statements about valuing customer privacy won’t be enough. Sooner or later, organizations will be obligated to create controls, policies, and procedures for protecting customer data. To maintain a healthy data environment, you’ll have to infuse privacy and security into the organization.“Put best practices in place for data protection and take a proactive standpoint,” said Grazer.
- IT and security ditch shiny objects in favor of processes and metrics for securing budget
Christina Whiting thinks we’re all victims of shiny object syndrome, mistakenly believing that silver bullet solutions exist for cybersecurity. The trouble is, IT and security have lost credibility with the executive team and the board who’ve grown weary of the shiny object budget pitch.To combat this executive perception and better articulate security spend and organizational value, Whiting advises pulling in concepts from game theory and microeconomics to convey competitive situations and outcomes. Instead of adding 30 percent to the budget only to have management cut 30 percent, force a paradigm shift. Bring a new strategic thinking approach to the budget battle.“See if you can get the business to take on some of the security budget because the organization benefits from security,” advises Whiting.
- Bonus prediction: the new keep-you-awake-at-night worry will be reputational risk
Business has taken a lot of punches in recent memory, from data breaches and natural disasters to sexual misconduct revelations. Regardless of the reason, when customers are disappointed, they take to social media and express their frustrations. An example was the national outcry over the EpiPen pricing fiasco that exploded online and in the press. The drugmaker’s reputation, not to mention its stock price, took a major hit.Reputations that took decades to build can be destroyed overnight and that’s a risk companies can’t ignore. Managing reputational risk will move up the priority list for the Board in 2018.
Those are our top six 2018 predictions for the world of GRC and integrated risk management. As our esteemed panel predicted, for every challenge, a strategy or solution exists. That’s the good news. When bad news happens, companies will need to adapt. The best solution is to be proactive and adapt before something bad occurs.
From all of us at Lockpath, may your 2018 be industrious and prosperous.
With Constitution Day tomorrow, September 17, let’s learn what the Constitution can teach your organization about corporate governance.
Learn how Lance completed his 50 mile race and how it relates to building a risk management program.
This month’s Risk Roundup is about data privacy, the biggest California earthquake in 20 years, and the business impact of the US-China trade war.