Last year brought GRC to the forefront in unimaginable ways. 2020 gave us opportunities to support our clients and partners in ways we never could have predicted as we all adjusted to a new way of work.
As I look ahead to what this year will bring, I feel confident that GRC will continue to be a top priority as workplaces evolve to be more sustainable and flexible, and companies pivot to new ways of doing business. I see risk management professionals keeping their seat at the table to provide insights on changing market conditions and drive operational resilience. More importantly, as businesses recognize the value of risk professionals’ contributions, risk assessment and quantification will be integral to future strategic planning and prioritization.
Given what we learned from 2020, and the continued uncertainty going into the new year, here are my predictions to help you prepare for 2021.
Business Continuity Remains Key
The pandemic has reshaped how business gets done, and business continuity and enterprise risk management will remain a critical focus for this year. Though no one was wholly prepared for the events of 2020, organizations with operational risk management and business continuity plans generally fared better than those that didn’t have something in place. Given the ongoing uncertainty we’re still experiencing, coupled with rapidly evolving markets, business continuity, risk management, and mitigation will continue to be top of mind in boardrooms. We’ll see an increase in resource allocation and investment in building out robust systems and processes to weather future disruptions.
Risk as a Strategic Advantage
Risk management has historically been viewed as an impediment or ancillary to the core business of organizations. As this past year has shown, though, a robust risk management system not only protects the organization but can help it navigate through uncertainty and take advantage of market opportunities. As boards and executives integrate risk management into strategic and operational priorities, they are demanding more holistic assessments and better insights into the aggregate risk of business units and strategic projects. Employing risk as a strategic advantage is only possible when a company’s risk culture involves the entire organization in the identification and assessment of risk. Enterprise-wide awareness of risk will improve decision-making, better protect assets and operations, and support a culture of innovation.
Accelerated Investment in Digital Transformation
With the COVID-19 pandemic reshaping how people live, work, and play, investment in cloud migration and digital transformation programs will accelerate even further. Digital transformation is not just about migrating existing business practices to online platforms, but leveraging technology to re-envision business models and processes. Remote work is just one example of this. As companies pivot to new technologies or deploy digitally enabled products or services, they must actively manage the associated digital risk. This will require a collaborative, enterprise-wide effort that thoroughly evaluates the potential impact of any digital initiative across the organization.
Heightened Stance on Internal Security
COVID-19 forced many organizations to rapidly evolve from centralized operations in a few key locations to flexible and decentralized workplaces, both in terms of geography and scheduling. With many employees working remotely, internal threat parameters expanded significantly. According to IBM’s report on the Cost of Insider Threats, negligence and credential theft were the top two causes of internal threat incidents. The transition to flexible and remote work will be permanent to some degree, and companies will need to allocate additional resources to support their security posture, with enhanced investment in internal security controls and processes.
Leaning In on Automation
With robotic process automation (RPA) proving helpful in automating rules-based GRC processes, further investment in automation is expected. Obtaining certifications of compliance, such as SOC 2 and FedRAMP, requires companies to submit evidence to auditors and regulators to prove the effectiveness of their controls. This is typically a tedious process that involves many people and a highly coordinated effort. Automation and AI can increasingly support the evidence collection process, making it easier for organizations to maintain compliance.
Redistribution of Risk Management
If 2020 has taught us anything, it’s that risk management is not solely the responsibility of risk and compliance departments. An effective management and controls environment requires enterprise-wide commitment. This starts at the top, with boards and executive leadership setting a risk culture that everyone must embrace. Risk identification and assessment must be shared throughout the enterprise to effectively manage and mitigate risk and uncertainty. GRC professionals, too, must be mindful of educating business units and process owners and involving them in conversations using quantification metrics and a shared language understood by all. By distributing the principles of risk management throughout the organization, risk can truly become a strategic advantage.