
6 governance, risk management, and compliance trends and predictions for 2018

GRC

John Verver, CPA CA, CISA, CMC


Advisor to ACL

The simplest way to consider what is likely to happen with governance, risk
management, and compliance (GRC) in 2018 is to reflect on what happened in
2017, extrapolate from current trends, and identify what is likely to (or at least
needs to) change.
So now that 2018 is well underway and as we kick off the Year of the Dog, what are
six things that everyone involved in leading and managing GRC activities needs to
be thinking about?
1. Refocusing on the things that matter.
A consistent theme of 2017, which is continuing strongly into 2018, is a focus on
the things that matter to the organization overall. This is particularly the case with
ERM, where the CEO and others in the executive suite increasingly question the
value of activities that are not clearly put into the context of achieving corporate
objectives.
This means a number of things in practice. Firstly, as we have been hearing for
several years, we need to move beyond a series of risk and compliance silos in
which each team focuses on their own issues and reports their status outside of an
overall organizational context. Performing effective enterprise-level risk
assessments means making sure that all components are based on comparable
criteria and weightings, and can be seen in terms of the impacts on strategic and
performance goals.
It also means taking a smart approach to compliance and control issues. Work out
what needs to be in place to satisfy critical regulatory requirements and conform to
industry standards, without blindly spending resources on every item in a checklist.
Focus on making sure that you do about 20% of the important things necessary to
take care of 80% of your issues. Control rationalization and optimization become
increasingly important.
2. Increased automation.
We heard much in 2017 about how Robotic Process Automation (RPA) will impact
financial and accounting processes, reducing the need for human involvement,
increasing productivity, and reducing errors.
Increased automation is just as important now in risk and compliance management,
for a couple of reasons. Firstly, the fact that accounting processes are more
automated does not eliminate the need to worry about fraud, error, and abuse. No
automated control is perfect, and people will take advantage of automation to find
control gaps to commit fraud and abuse. Using automation to test financial
transactions against suites of control tests—checking for fraud, error, and abuse—
will become increasingly commonplace.
The second reason that automation will become even more important ties back to
the first trend: focusing on the important things. While focusing on things that
impact corporate objectives and performance is highly desirable, it does not remove
the need to manage risk and compliance activities that are not critical but still need
to be addressed. It will make increasing sense to use technology and analytics to
monitor all activities (both high- and low-risk ones) in order to ensure both
regulatory compliance and the integrity of financial activities, without the need to
commit extensive people resources to the task.
Increased automation will take place in many other aspects of risk and compliance
management, such as the workflow of continuous monitoring processes; the
distribution and gathering of risk and control surveys and questionnaires; and
updating of regulatory content and industry standards.
3. Increasingly fact-based, data-driven GRC processes.
There is now widespread recognition of the importance of using data and analytics
in risk management and compliance processes—despite actual implementation
levels still being relatively low. Through 2018 we can expect to see a big uptick in
the extent to which organizations are incorporating data analytics. This supports a
far more objective and scientific approach to risk assessment and improves
dramatically on the subjective approach that is still common in GRC processes.
Also expect to see a far broader range of data sources used for analytics and
automated monitoring, not only examining and relating data from multiple financial
process systems, but also including more external data and unstructured internal
data, such as from social media and email systems.
4. Improved collaboration, enabled by technology.
The IIA’s Three Lines of Defense model has done much to draw attention to the
need for professionals in all three lines to work together around common goals,
while still focusing on their own particular area of responsibility. This means
collaboration and communication around many things, particularly the sharing of
data and information about risk and compliance activities.
Effective collaboration is not possible without using the right technology platform to
share information and support the collaborative activities of each line of defense.
Technology will support the entire collaborative process, but will also allow for the
integration of specialized risk and compliance software components (e.g., those
needed within specific industries, such as financial institutions, insurance, and
healthcare).
5. Software technology will continue to become smarter, more powerful,
and easier to use.
In GRC, as in every other part of our lives, the software we use will be better in
2018 than it was in 2017. Cloud-based applications will continue to demonstrate
their advantages. In-memory computing (IMC) will deliver incredibly fast
processing of big data. Visualization tools will enable greater insight into risk trends
and compliance issues. GRC software will be accessed by users across multiple
mobile devices, from laptops to tablets and phones.
6. Last but not least: improved performance.
Technology-based, data-driven GRC processes will increasingly add value to
businesses, governments, and not-for-profits. Those organizations that use GRC
technology and practices in the smartest way in 2018 will outperform those that do
not.
