The changing face of GRC
Hi Gaurav, thanks for speaking with us – can you begin by telling us a bit about MetricStream?
MetricStream is a global provider of software solutions and enterprise cloud applications for governance, risk management and compliance (GRC) and quality management. We use cutting-edge technology to improve business performance by strengthening risk management, corporate governance, regulatory compliance, audit management, vendor governance, and quality management for organisations across industries.
What technologies do you consider to be really moving the needle when it comes to GRC?
In my conversations with customers and industry analysts, some key aspects of technology are coming into focus. For example, in the current pandemic situation, organisations are seeing the need now more than ever to manage high velocity risks, which means they need to deploy technologies that have the capabilities for continuous risk monitoring and auditing. Customers are also increasingly telling us that risk quantification is becoming a ‘must have’ in managing the risk posture of a business.
Another key area of focus is risk awareness – how do we improve our ability to have peripheral vision into risks emerging on the horizon? Technology needs to create a console of risk intelligence that brings in data from numerous internal and external sources to offer organisations a 360-degree real-time picture of the risk environment. And by risk awareness, I mean across the organisation – enabling the frontline to be an integral part of the business.
AI chatbots will be increasingly relied upon to carry out a simple, natural conversation that can automatically capture frontline observations on risks and issues, and in doing so significantly improve risk awareness across the organisation.
Organisations will need to be agile and responsive and automation of controls will be relied on to reduce human intervention and error. AI will help in reviewing new legislations and their impact on business processes and assets across regions, keeping the business compliant with regulatory requirements.
Has the impact of COVID-19 in rapidly increasing WFH and remote working set any GRC trends in motion?
COVID-19 has changed the way GRC is being perceived with increased pressure on GRC teams and processes. The sudden onset of the coronavirus outbreak has led to a huge transition in the way we live and work across the world. This has led to a renewed focus on GRC processes to keep a handle on all exposure to risk which could lead to unfortunate pitfalls. GRC is now being recognised as a core, essential function to keep an organisation compliant, resilient and delivering on its performance goals.
Organisations are looking to their GRC programmes to provide a clearer view into the interconnectedness of risk – as the lockdown has not only severely impacted people’s daily routines, but has disrupted supply chains and business operations, and exposed vulnerabilities to cyberattacks and fraud. Organisations that have an integrated view of risks can make informed business decisions. Common risk taxonomies, common risk data repositories, and collaboration will all make a difference in producing powerful risk insights to drive the business forward.
The pandemic is prompting organisations to rethink their approaches to business continuity planning and resilience. We are likely to see new models of operational resilience emerge based on new ways of working, new business models, and new risk paradigms.
Priorities across the lines of defence are being realigned. The need for dynamic and real-time risk assessments has blurred the barriers between each line of defence. No longer is it important to have compartmentalised roles and responsibilities for each line. The more important question is whether or not all of them are working together to catalyse business performance. Are they combining their collective strengths to drive business growth? And are they doing all this fast enough?
Has the pandemic brought GRC to the fore for companies in a way you’ve not seen before?
Yes, in some ways this global pandemic has been an eye-opener into what can happen when organisations aren’t prepared for new, emerging risks. Going forward, leadership teams and boards will rely even more on their governance, risk, and compliance (GRC) functions to help them effectively manage the risks and opportunities ahead.
Organisations will emerge from the crisis in different ways. Some will be unsure about the future. Others will focus on building their resilience i.e., the ability to withstand future shocks. Ultimately, it’s about being prepared. We can’t always predict every single risk, but we can be ready to ride it out.
The pandemic has also compelled our organisations to adapt quickly, to pivot, to innovate, and to build our agility and resilience like never before. We’ve gained new insights to transform our businesses for better performance. And that’s the silver lining.
Is there evidence that companies are struggling to maintain operations because of dispersed workforces?
Depending on their preparedness, industry and customer and employee profiles, organisations are going through different scenarios. Companies operating more in the digital world like technology, ecommerce, financial services have been less impacted compared to organisations that deal with more of the physical world like retail, both in terms of employees and customers.
How is technology changing the recruitment process and what risks do companies need to take into account?
Organisations are undergoing transformations in the recruiting process. For example, due to the openness of working from home, the location of candidates has expanded vastly.
There are two significant risks: the first is the inability to interact face to face during the recruitment process, leading to possible errors for both the companies and candidates, and the second is the onboarding process, where new employees have a latency in terms of understanding their co-workers.
Is the technology available to ensure that recruitment processes and decisions can be taken to ensure companies are as diverse and unprejudiced as possible?
Yes, recruitment processes have been leveraging technology for quite some time and technology with more ‘learning’ is getting more unbiased. However, it would be extremely important to ensure that precision of what is needed for the role, as well as data bias, continues to be watched very carefully.
Can the likes of AI and machine learning ever be truly impartial given they are being developed by humans?
The notion that AI is impartial probably stems from the fact that traditionally programmed machines indeed are unbiased. What makes machine learning different, however, is that it learns from data. Since some data is a direct product of human effort, and since humans cannot be completely unbiased, AI taught on such data also cannot be unbiased.
However, the benefits that AI delivers to businesses are growing and need to have constant checks and balances. Data scientists need to be cognizant of such potential biases and prepare datasets for training with the right balance and representations, with periodic monitoring of models to ensure no data drift is introduced. It’s important to choose interpretable and explainable models vs complex and opaque models. Developers also need to consider potential ethical and societal implications of the AI system being built. Technologies like Generative Adversarial Networks (GANs) are being looked at as options for checks-and-balances for AI.
It is equally crucial to map your expectations from such technological assets to your business objectives. To cite a few examples in which business functions are leveraging analytics: many financial organisations utilise algorithmic trading to sell or buy commodities as the system shows clients which are more likely to trade at given data points based on historical behaviour; immediately identify a suspicious financial transaction; predict when a machine might fail to get the maintenance done to avoid any downtime. However, there are cases where the in-built algorithms might not be what was needed, and that is one of the challenges for organisations to focus on.
What risks are companies without robust GRC planning taking when it comes to recruiting and retaining staff?
The most important thing in our view is that integrity is increasingly driving performance of brands. Integrity includes ethics, purpose, inclusion, resilience, and the right controls driving the right behaviours. With an increasingly younger workforce and buying power shifting to Millennials and Gen Zs, companies with integrity will have a substantial positive impact on their performance. GRC technology helps keep the various aspects of Integrity managed and in turn drives performance.
Which trends do you think will shape GRC over the next three to five years?
Risk management will play a key role in driving and guiding business performance in the future. Decision-making processes will integrate a rigorous assessment of risks. Risk findings and metrics will be aligned much more closely to resilience and strategic objectives, so that when the next global crisis comes—because it will—organisations will be better prepared to respond and pivot quickly.
We’re likely to see a sea-change in business models post COVID-19. Some companies may shift to a permanent remote working model, while others may replace physical customer interactions with virtual or self-service options. Most will accelerate digital transformation, investing in AI, automation, and analytics to drive their business forward.
Going forward, organisations will focus on the investments that will truly generate value in both the short and long term. Among those investments is digital. More organisations will accelerate digital transformation and innovation even in GRC. Robotic process automation, AI, machine learning, and other digital tools will increasingly be deployed to strengthen resilience and agility against future disruptions. Many of the businesses that rode out the pandemic were those that used the full potential of the cloud, mobility, and automation.
Underlying it all is the awareness that to succeed in a post-COVID-19 era, we will need to stay one step ahead of risks. COVID-19 may have been a novel disruption, but it certainly won’t be the last.