"You need a good [GRC] system. You need the right data. You need to share the data and take those organizational learnings." -Zeke Ward, Founder, North Star Compliance
Over the past year, companies across industries have navigated diversity, equity and inclusion issues, managed intensifying cyber risk, and operated in a business environment that's increasingly remote and increasingly focused on stakeholder capitalism. This has put a heightened focus on governance, risk and compliance (GRC). How have companies – and their boards – been managing it all?
"We see some real change happening. It's not just that organizations are making a big commitment to equity and inclusion, but that it's actually making its way into meaningful processes and being monitored," said Dan Zitting, who serves as Chief Product and Strategy Officer for Galvanize, a leading SaaS GRC software provider that is now part of Diligent.
Dyke Debrie, Managing Director for Steele – a leading ethics and compliance software provider recently acquired by Diligent – articulated the technology aspect to this shift. "Digital transformation has really accelerated everything," he said, from the way organizations communicate with employees, to how they do business with third parties, to the digitization of systems needed to support all operations.
"We are really at the start of digital transformation of the GRC space. There is so much more that we can do ... We can really start to think of how we can use GRC as a competitive advantage and as a growth lever." -Lisa Edwards, Diligent President and Chief Operating Officer
Diligent convened an expert virtual panel, "The Future of GRC," moderated by Vice President of Product Marketing Brittany Clark, to discuss the top GRC trends for 2021 and implications for boards, directors and executives. Highlights follow.
An Expanding Risk Landscape, With Heightened Scrutiny
Internally, companies are increasing their focus in areas such as vendor selection and vendor risk management, Zitting said. They are also beginning to audit carbon usage across the organization and supply chain. Debrie noted that externally, the risk landscape has expanded to include new areas of fraud like the risk of business disruption, which the pandemic brought front and center.
It's vital to give employees the channels and confidence to speak up if they see something, Debrie said. Regulators are intensifying their attention. The European Union recently issued a new directive on whistleblowing, and a draft directive on managing corporate due diligence is scheduled to take effect in 2023.
Zeke Ward, founder of regulatory consulting firm North Star Compliance, predicts the draft directive on corporate diligence will cause a "a sea change."
"This is going to be looking at how companies operate, right from the very beginning of their activities and their value chains through to how they sell their products," Ward said. "Companies are going to have to map out those chains and really begin to understand not only who they're doing business with directly but indirectly as well."
"Whether it's an ESG objective, a financial objective, or any other kind of corporate objective, strong GRC processes and practices will ensure the organization can reliably achieve those while addressing uncertainty." -Dan Zitting, Chief Product and Strategy Officer, Galvanize
New Tools and Skills Are Necessary to See the GRC Big Picture
Managing ESG, cyber, data privacy and more across multiple systems can quickly become complicated, and it requires boards to think of the big picture. "How do you think about GRC integrating into all of your existing tools?" Diligent President and COO Lisa Edwards asked. "How do you go deep into those systems and then float up just the things that are most important?"
Yvette Hollingsworth Clark, who served as Chief Compliance Officer and Regulatory Innovation Officer with Wells Fargo, noted challenges old and new. "It is no secret that, typically, compliance and risk management organizations have a lot of manual processes," she noted. "There's a greater need to introduce technology just to keep pace with the volume and complexity of regulatory requirements."
At the same time, during the pandemic, "technology solutions were propped up pretty quickly," she said. Now organizations will need to understand the designs behind them, especially if the solutions involve AI or machine learning.
"Typically, you have legal and regulatory professionals that operate in the compliance and risk management space, but when you're bringing in technology, you're going to have to reimagine what skill sets you need," Clark said. Examples include a data scientist who understands how data is being used, an analyst who can make sure to make sure there are no problems with how code is written, architects who know the technology environment, plus someone in the emerging role of digital ethics officer.
Ward touted the benefits of an integrated approach. For CCOs, heads of health and safety, heads of sustainability and other executive leaders, conversations about risk management often lead to the same fundamental problems, he said.
"Transparency and connectivity will be key to ensuring organizations meet their lofty goals." -Brittany Clark, Vice President of Product Marketing, Diligent
GRC as a Growth Driver
Zitting said he's seen more CEOs engaged in GRC-related projects in the last year than the previous 14 years combined. In another trend, executives have been expanding their definition of GRC, from a monitoring and reporting mechanism for regulators to a potential driver of growth.
Ward cited the emerging hydrogen sector. Policies that promote a greener economy are opening up opportunities for firms operating in this space: whether it's producing ammonia, using hydrogen in transport and logistics or other innovations.
Debrie referenced the tension that can exist between compliance and other business activities. 'I think that's diminishing somewhat, and boards can see the value of a compliance program as a generator of things like sales – certainly in the immediate and long-term.'
The Importance of Systems and Sharing Data
Whether spotting new market opportunities or keeping compliance and risk management on track, GRC oversight starts with getting the right people the right information at the right time.
Debrie presented the example of HR. "Those of us who have worked in large organizations know that it's a pretty constant churn of people in and people out," he said. "If you're going to be administrating all of that while at the same time keeping compliant and maintaining adequate procedures for your regulator, then you need a good system in place."
Debrie also recommended keeping tabs on the GRC issues that people are requesting guidance on. Trends here can help shape GRC strategy and response.
Effective management of GRC issues, from environmental risk to human rights risk to social risk, begins with collecting, sharing it with the right people, and analyzing it in the right way, Ward said.
The Heightened Role and Responsibilities of the Board
"As you are able to generate more information from technology, there is going to be an expectation that response times to remediate issues will lessen." -Yvette Hollingsworth Clark, Compliance and Risk Management Expert
Clark anticipates a heavier reliance on boards to be responsive on GRC issues. Because boards have more data, they'll be expected to use this information to credibly challenge management when needed in a more timely manner.
Boards can increase their involvement by starting small. Pilot projects can identify organizational pain points and lead to quick wins. Creating informal committees helps foster trust and collaboration among members.
Zitting encourages boards to put tools in place to monitor the metrics that guide their decisions. Once a process is established, they can utilize robotics and robot data automation to bring them data in real time – elevating those insight to the board level.
Throughout, board members should continue to educate themselves on GRC issues, particularly related to digital transformation. "I think that we will see a greater demand for board members who have an understanding of emerging technology so they can effectively challenge management and actually ensure that they're fulfilling their fiduciary responsibilities," said Clark.
"The space is moving so fast, you can quite quickly get left behind," said Debrie.
Learn more about the future of GRC.