As remote work and cyber crime increase, so governance, risk and compliance (GRC) become more critical. Cognitive GRC, in particular, will deliver new worlds of understanding, insight and action.
The massive uptick in cyber crime since the start of the COVID-19 lockdown and the concomitant increase in people working from home, which puts them outside of their traditional corporate networks, has led to a growing focus on governance, risk and compliance (GRC) requirements.
The business interruption and financial impact of the COVID-19 pandemic has been a wake-up call for many organisations, says Pedro Maia, MD of Intdev. They are now realising that the activities of GRC, aligned with strategy, policy and process, can no longer be viewed as a ‘get to it when I can’ activity. Instead, it needs to be a core business-critical requirement, without which we may see the collapse of businesses that – under normal conditions – we would have felt would be impossible.
He suggests that given the sheer volume of information, spread across multiple domains and architectures and extending across multiple applications, environments and even borders, the ability of Excel spreadsheets and Word documents to manage GRC activities is simply not enough. This approach makes it impossible to provide the required levels of assurance – yet many businesses still undertake their GRC activities in this manner.
“The good news is that the age of cognitive GRC has well and truly arrived, and those that do not take the time to explore how to integrate and deploy a cognitive GRC strategy and toolset within the layers of their enterprises are only compounding the growing levels of risk and are opening the door for a truly devastating and damaging risk event to occur. Cognitive GRC should not be seen as a ‘grudge purchase’, but rather as a vital strategy that must be enabled and empowered within every business, by its board,” he says.
“It is understandable that many companies do not have a clear view of what they are doing that is necessary and effective, nor what they are not doing that they should be. The ideal approach is to begin with a deep dive maturity evaluation across key levels of the organisation, including C-Level, middle management and critical task owner level. The maturity evaluation should have the ability to apply some effective data analysis to bring out and highlight the areas of disconnect and anomalies across the answers provided in the assessment. This can then inform them as to key areas of weakness, which in turn result in vulnerabilities and risk exposure for the business as a whole.”
Maia explains that it is important for businesses to understand their ‘as is’ maturity, as this will enable them to determine the extent of the gap in their GRC when compared to regulations, legislation, standards and best practices. This knowledge will allow the company to establish and execute a remedial action plan, as they will know where to focus, what the priorities are and how to execute the necessary actions.
“The beauty of cognitive GRC is that it will take GRC from both the back-office and the front lines into new worlds of understanding, insight and action. Obviously, it also comes with its own unique set of risks – the greatest of these are laziness, subjectivity and bias from the human element.
“As we look to cognitive GRC technologies, it is essential that we still provide human input and analysis on actions that will support what the ‘GRC machine’ is learning and telling us. Machines are great at processes that require aggregating and analysing data to identify relationships, but humans are still needed for the creative, outside-the-box thinking that will enable the organisation to reliably achieve objectives, address uncertainty and act with integrity.”
He adds that there are some critical components that organisations should ensure are incorporated into their GRC strategy and attendant tools, including internal and external monitoring and profiling capabilities, in order to improve on information analysis and interpretation; benchmarking and measurement where the business is evaluated against best practices; and the capability of foresight versus hindsight. The latter is the ability to intuitively start to see the bigger picture – proper transparency and context for the data and the company’s ‘digital universe’, and the stakeholders’ interaction and engagement with this universe in GRC terms, related to the overall impact on the business objectives.
“As with anything, there are multiple such tools on the market, and in order to ensure your business utilises the best one for the job, it is imperative to reach out to the experts in this complex field, as they can provide you with the advice necessary to choose the best fit for your business.
“This should be one that will deliver the ability to know what you don’t know; to break down the silos and disrupt and dismantle the internal organisational fiefdoms that keep these silos of information in place; and ultimately that can help create a top-to-bottom culture of a risk-aware and risk-informed workforce. In this way, your whole business will be able to drive towards common, known objectives, for the greater good of the organisation,” he concludes.