Regulatory fines. New data breach records. Preparation for the CCPA. Oh my!
2019 was a whirlwind for all of us in the GRC game. Blink and you may have missed the GDPR fines handed over to British Airways and Marriott or the data breaches that befell Capital One and Macy’s.
Are we in for more of the same in 2020? New problems entirely? New opportunities?
When I look into my GRC crystal ball, it’s a little bit of both. New technologies will gain traction, new threats will emerge, new regulations will be written, and new skills will be required to manage all of it. Bottom line? Despite the obstacles, risk and compliance professionals—a plucky bunch—will continue to make headway toward overcoming the longstanding issues plaguing the industry.
Without further ado, here is my annual set of predictions for the year ahead.
Proactive (vs. reactive) risk management
Risk and compliance is becoming a predictive, proactive function rather than the purely reactive one it has historically been. Risk managers are asking themselves, "How can I use data from my compliance, incident, and risk tracking systems to make strategic bets that protect my organization?"
As we forge ahead into a new decade, risks are growing in both number and variety. This is especially true as software systems become increasingly cloud-based and relying on third parties becomes the standard way of doing business.
CEOs put priority on creating a risk culture
Our recent report Enterprise Risk and the Modern Organization: A View from the Top shows more than half of CEOs think their ERM program is not extremely effective. Fortunately, CEOs are beginning to understand the need for their involvement in their company’s ERM program, with 66% wanting more involvement. As such, it’s a top priority for CEOs to create a culture of risk, making sure risk management and awareness have a seat at the table during strategic business discussions.
In order to avoid risk, employees first have to know about and understand it. Companies need a firm foundation of risk management and awareness so that their first line of defense has the visibility and empowerment to escalate hazards up through the management ranks. That won't happen without a culture of risk. This will emerge as a priority and a growing area of investment in 2020.
Must-have skills for risk managers
Because risk and compliance are becoming integral parts of strategic discussions, these functions now touch every part of the organization. In other words, risk managers need more than purely technical skills. They need to work cross-functionally and wield influence up and down the org chart, which requires strong leadership and communication skills. They need to be able to demonstrate influence without formal authority; the company's future rests on their ability to do so. Historically these attributes have been beyond the scope of a risk manager, but that is no longer the case.
RPA beats out AI in risk and compliance
There are many flavors of AI, RPA, and machine learning. With regard to risk and compliance, the one that will continue to make inroads in 2020 is RPA. The reason: even when analyzing data for Fortune 500 companies, the volume of risk and compliance data just isn't there to make AI's predictions relevant.
RPA works so well because many risk and compliance functions follow a formal process, and the path to automating those steps becomes much clearer as companies put more and more data through that process. The question then becomes how to optimize and iterate on that system. Other areas ripe for RPA include third-party risk, IT, policy and procedure, and internal audits.
In the year ahead, machine learning could become a factor in regulatory change management, helping to flag updates and issues.
Consumer privacy legislation
In 2020, we'll start to see the groundwork for some sort of broad, sweeping federal consumer privacy regulation along the lines of what the EU did with GDPR. Unlike the California Consumer Privacy Act, which is in effect as of January 1, it will be a mandate from the federal level. This is somewhat dependent on the election outcome: it may not be formally enacted this year, but keep an eye out for the first steps. As far as individual states go, Nevada has a law already in effect, and Maine is close to implementing its own legislation, too. This should be top-of-mind for CEOs and boards in the year ahead.
The board and cybersecurity
Ultimately the board thinks about dollars and cents—both top line and bottom line financial considerations. Cybersecurity is getting much more attention and importance at the board level than ever before due to increases in the number of data breaches, ransom attacks, and cyber incidents, as well as the larger role technology plays in companies’ day-to-day business. This all adds up to lots of spending. CEOs play a role in this too: according to Enterprise Risk and the Modern Organization: A View from the Top, cybersecurity ranks as the top concern for 1 in 3 CEOs who are most concerned about operational risk. This will continue to be a focus in 2020.
Are You Ready?
Want to set the bar for GRC excellence in 2020? LogicGate’s platform is a robust, scalable system that automates risk and compliance management processes across your organization. From mitigating risks to reporting to the board, a tool such as LogicGate can help your team do GRC better.