Pervasive GRC: The Way Forward For the Long Term
The Risk and Compliance Landscape
In 2014, blue-chip companies racked up billions of dollars in losses due to unmanaged risks and incidents of non-compliance. These risk and compliance failures resulted in massive fines – some in excess of $1 billion – for several individual organizations. Especially for heavily regulated industries, the risk and compliance landscape will only become more complex and more difficult to navigate. As companies become bigger, if they ignore potential risks and compliance issues, their losses will only become bigger, harder to manage, and harder to recover from.
It is increasingly important to read and understand regulators’ corporate sentencing guidelines in the countries where your organization operates — some compliance infringements involve actual jail time. Simply stated, the C-suite should comply for the right reasons. There are reasons why ignition switches should pass safety checks, reasons why organizations must protect customer data, and reasons why money from crime should not be laundered. A company should not just pay lip service to regulations; those at senior levels must behave with forethought.
The Age of the Customer
No matter the size, industry, or geography of your organization, 2015 is the age of the customer. Organizations are getting smarter, more proactive, and more sophisticated when it comes to listening to their customers and responding to their needs. With social media and hyperconnectivity through mobile devices, your customers have an amplified voice, a platform to share it, and more clout than ever before. As such, social media is an important platform – for both listening and responding to your customers.
So, are companies today listening to their customers? Incidents at leading organizations such as Borders, Netflix, Lululemon, BP, SeaWorld, Abercrombie & Fitch, and RadioShack serve as recent reminders of just how important this is. And, in the context of risk and compliance, listening to your customers and cultivating loyal long-term customer relationships is becoming a matter of any company’s ability to survive and thrive.
Are organizations thinking about their customers in the context of risk and compliance? In 2013, Lloyd’s Risk Index identified “loss of customer” or “cancelled orders” as the second most critical business risk, but only 13 percent of companies surveyed indicated that they link “customer risk” to their corporate strategy. Thus, many organizations are not adequately thinking about and planning for how to mitigate and manage customer-related risks.
It is important that companies take the steps now to proactively listen and take better care of their customers, so they don’t have to be legislated into good customer care. The good news is that some organizations and industries are already demonstrating this; for example, we can point to a few recent incidents of data breaches that have been handled with prompt notification and corrective action. Frequent and proactive communication with your customers is important, especially in a time of crisis.
I urge today’s risk and compliance executives to help lead this customer-centric charge. Review the top risks on your radar, and determine where “customer impact” fits in. With the right teams, the right strategies, and the right solutions, every department can start to move beyond a “checkbox” mentality when it comes to managing their customer relationships.
Managing Reputation by Harnessing The Wisdom of The Crowd
If your organization is not already monitoring online channels for emerging risk and compliance issues, then it is missing a huge opportunity. For example, every time your company is mentioned in a Tweet, does someone in your organization receive an automatic notification? The good news is that for the most part, organizations are aware of just how important this kind of active listening is; the bad news is that most organizations do not have the tools in place to do this.
Some might say that an organization’s reputation is worth more than the buildings it owns. In today’s interconnected world, the reputation of your organization, as well as that of your vendors and suppliers, matters too. In order to manage reputation as a strategic and competitive asset, organizations must listen.
Open Source Intelligence (OSINT) spans a number of reputation-related data points: fraud, counterfeiting, third-party risk, corporate security, data protection, privacy, and corporate compliance. In short: anything and everything to do with your reputation. We are seeing organizations get smart about how they map together various and disparate data points. In particular, risk and compliance professionals are gradually starting to recognize the importance of OSINT and to integrate it into their GRC platform. They are also integrating sales, services, and customer relationship management (CRM) systems with their GRC platform. After all, data is most actionable when it is holistic, comprehensive, and contextual.
GRC Market Shift
There are sophisticated GRC solutions on the market that can help organizations comb through massive volumes of data and create a central source of truth for their organization. Independent technology and market research company Forrester Research has studied the GRC market and predicts a disruptive shift in the sale of governance, risk & compliance (GRC) software. The GRC market is expected to reach $1.3 billion in 2015 and comprises 65 software companies. Over the next 5 years, Forrester expects the GRC market to see increased competition from business applications such as Oracle, SAP, and salesforce.com.
Towards Pervasive GRC
No doubt, the GRC market is evolving to keep pace with the changing way in which business is conducted. One thing remains certain: GRC is more important than ever, and those carrying out its work are critical to the success of their organization.
Organizations are deriving significant value from embarking on a GRC journey, with benefits that include lowered costs and reduced manual work. More importantly, with GRC, risks become more transparent, and the inter-linkages between risks become clear. Compliance processes become more streamlined and sustainable. Audit functions can be carried out less intrusively and with a significant time reduction – for example, a mobile expenses tool can be used when traveling to automate the evidence-generating side of audit. Expense report allowances are different in Hawaii and Vermont, and GRC technology can be attuned to the geographic location of your employees.
As GRC becomes further ingrained in the organizational DNA, its ability to positively build reputation, influence business performance, and establish the right balance between risk appetite and business goals becomes more self-evident. Pervasive GRC is really about the creation of a real time policy-making and risk-based decision-making mechanism within the organizational hierarchy, driven by the changing context of how business is done, and coupled with continued technological innovation and advancement.
By Vidya Phalke
Vidya Phalke is responsible for MetricStream’s technical architecture and strategy. Prior to being promoted to the CTO position, Vidya served as Vice President of Product Management and Engineering where he was responsible for MetricStream’s Software Products and Platform Delivery. Starting with MetricStream in 2003, Vidya has been instrumental in developing an industry-leading GRC software platform. Before joining the software industry, Vidya earned a PhD in Computer Science from Rutgers University, where he won two Small Business Innovation Research grants for his research on databases and network optimization.