The past seven years have brought many changes to the GRC world. Management is more engaged in talking about risks. Organizations have implemented Enterprise Risk Management (ERM); enhanced Operational Risk to include more than just fraud; strengthened model risk management; and at least accepted data risk management as an emerging risk.
Additionally, there has been a wave of developments on the technology front. Software that supports ERM and GRC is readily available. Support for data analytics can easily be found, and even Board reporting software is available and in some instances quite robust. Yes, there have been many advances in GRC and risk management. So much so that it may make sense to explore what exactly we can do to continue to develop GRC to address future concerns.
While there are several, and some might say many, different developments that will happen or that need to occur, let us share just a few ideas. These next steps are meant to strengthen the holistic risk management approach, not just the use of software or the development of a report. After all, GRC is more than software or words: it is, or at least it should be, a way of managing risk.
Number 1: Develop risk management talent that understands the disciplines of GRC so that the organization can easily communicate emerging risk and the impact of risks to processes and controls, and provide a holistic perspective to the Board of Directors on risks affecting the organization. The one aspect missing in too many of today's Board conversations is the impact one risk has on another. Software alone cannot tell stakeholders what the ramification of that synergetic impact is. While some events may represent an integrated risk perspective, that is not always the case. Yet no risk is a stand-alone risk, and risk managers need to understand, quantify and communicate that risk synergy.
Number 2: Develop a risk response methodology, process and plan. If we are completely honest with ourselves, predicting risk events is not our strength. It never has been. Each of the past few risk events (2011, 2017 and COVID-19) has been exacerbated by the lack of an adequate response. That alone should be the lesson to us, but it is not evident that we have learned much in this regard. If we focus on the principles of risk management (recognize, measure and mitigate), we may be better prepared to actually take advantage of the market in times of trouble.
Number 3: Get software that meets your culture and risk management goals, and understand its use, purpose and limits. We often focus on costs and implementation time as key decision points when selecting GRC software. Don't do that. Focus on cultural fit, ease of building response plans in the software, intuitive links within the software, the ability to recognize risk synergies and the actual "risk" support that the company offering you software provides. Anyone can learn to use software, but a company that will also train staff, share experience-based risk perspectives and support your risk management processes beyond the software sale is what we should expect.