When it comes to Governance, Risk, and Compliance, vigilance is everything.
GRC managers need to stay on the ball, which means being alert to any emerging developments and trends.
And being a bunch of curious compliance professionals ourselves, we thought it’d be an awesome idea to put together insights from some of the most talented folks in the GRC space today.
So here you have it. Straight from the sources. The most important GRC trends you should be on the lookout for in 2023.
Kevin Thomson – GRC Manager at Cognizant
“Smart systems powered by AI will bring a new level of accuracy and efficiency to GRC controls and metrics.”
The biggest trend we’ll see in the coming year will be smart systems that help make GRC more accurate and efficient.
In the GRC space, everything kinda falls into the realm of controls, policies, or metrics.
You wanna have better controls—you know, firewalls, authentication tools, that sort of thing—better policies on how those controls are used, and super accurate metrics on how those policies are actually being implemented and how effective they are.
Collecting evidence across your controls and policies can be tedious, to say the least, especially when you’re dealing with a large organization. But once we have smart systems powered by AI to collect all this info, getting a better read on how well our GRC framework is doing will be much—and I mean much—easier.
To prepare for audits, all GRC managers will need to do is print out a report based on all the data collected across the organization. What’s even better is that since the report is being generated by a computer, it can frame the compliance status in hard numbers instead of talking in highly technical details pertaining to a given department, system, or regulation. Here’s a pretty straightforward example: Let’s say you have 20 employees in a specific department, but only 10 have completed the required training to be in compliance with personnel regulations. The AI will recognize that and interpret it as 50 percent compliance.
This is extremely important when it comes to communicating numbers to the board and CEO, who are likely not that familiar with the compliance jargon. What they want to know is how close they are to the goal, and what resources they need to invest in order to get there.
Sumitra Lohiya – GRC Manager at Wipro UK
“Cloud systems will be vital for robust GRC frameworks.”
Integrating cloud systems and their security controls will be an important measure for GRC in the future.
Cloud-based systems offer vital benefits for creating robust GRC frameworks. Centralizing identity management helps make sure access controls are being applied uniformly and makes them easier to revoke when needed. The cloud also enables an organization to scale up or down resources as needed, making it easier to accommodate changes in their risk profile.
Finally, there’s the cost factor. Cloud systems can dramatically lower the costs associated with GRC, as organizations don’t need to invest in expensive hardware and software to support their GRC initiatives.
Amiran Sapir – GRC SAP Manager, Big Four Consulting Firm
“Growing dependence on third parties and the increase in third-party hacks means more pressure to tighten vendor policies.”
I’ve been keeping an eye on several important developments in GRC.
From my vantage point, I can see two truly game-changing trends emerging.
First on the list is an increased focus on Third-Party Risk Management (TPRM). Driving this is the growing dependence on third-party relationships in the digital era and the noticeable increase in third-party hacks affecting the digital sphere. This means that GRC managers will be under more pressure to secure their organizations’ vendor policies, either by the board or by new laws mandating it.
Second is the heightened emphasis on cybersecurity risk management. C-level execs now understand that information security is not a static thing. The “buy the best platforms, set and forget” approach is no longer enough. The threats are constantly evolving. Furthermore, an organization can only dedicate a limited number of resources to cyberspace. So organizations are going to start looking for a more strategic approach to cyber defense: quantifying risk, figuring out real ROI on cyber investment, and creating a strategy based on these metrics. GRC managers will ultimately build their frameworks in the future based on these measurements.
Nick Dolinich – GRC Analyst at Johnson & Johnson
“From a security perspective, the golden standard is secure by design. This means development teams want to get GRC guys involved in the early stages.”
From my perspective, one of the most important developments in GRC is the approach to product development.
Everyone knows that from a security perspective—and therefore from a compliance perspective—the golden standard is “secure by design.” This means that development teams want to get GRC guys involved in the early stages of the product development. This is really a win-win since whenever security is a focus from the start of development, it ends up making the job of GRC analysts and managers a hell of a lot easier.
What’s pushed more organizations to adopt the GRC-development partnership is the growing complexity of regulation. Here in the US, many states are adopting their own data security laws. So you end up having one standard for California, another for Colorado, and another for New York. So it gets pretty complicated pretty quickly. If you can know your compliance requirements from the get-go, it makes everyone’s lives a lot easier. This will probably require some organizational changes in some companies—for some it’s a foreign concept for GRC and product guys to collaborate in this way. But I definitely think the GRC industry is moving in that direction.
And so, to sum it all up, we’re looking at four super impactful changes coming down the pipe for enterprise compliance:
#1 – First, the use of AI-powered smart tech to improve metrics and controls—elements that lie at the heart of any GRC strategy.
#2 – Next is the opportunity to scale GRC implementations smoothly and effectively by adopting cloud capabilities.
#3 – GRC managers will focus more and more on third-party risk management and ensuring their vendors are secure.
#4 – In order to optimize compliance input for their products, companies will begin to integrate GRC at the development level, which will likely bring about changes in the workflows and processes businesses are currently using.
Thanks to our experts for the amazing, value-added insights.
Keep an eye out for Part 2 of our “Ask the Experts” series.
Bye for now.
