I recently had the chance to sit down and visit with Dan Zitting, Chief Executive Officer (CEO) at Galvanize, a Diligent company. We chatted about Dan’s new role for himself and Galvanize. We also focused on a recent Galvanize Report on Governance, Risk and Compliance (GRC) going forward, entitled “The Technology Turning Point for GRC Professionals”. Covid 19 drastically altered the role of GRC, from employee workload to C-suite (and Boards of Directors) perception of risk and risk managers. GRC has become even more valuable to organizations, but the workload of risk managers only increased during the pandemic. The Report found that risk management workload and the breadth and scope of risk have increased while resources shrink. One of the clear solutions coming out of the pandemic is GRC technology to streamline operations and help make strategic decisions.
Zitting believes that the pandemic accelerated the work of GRC professionals. Indeed, the Report showed that a solid six out of 10 GRC professionals said that GRC and risk management have become valued and more impactful inside of their organization since the pandemic. All of this led Zitting to opine “the role of the GRC professional was as always there, now the pandemic accelerated how it’s valued and how it’s considered to be strategic.” Moreover, GRC has shown “the ability to work through one of the most pervasive risk issues to come along and it demonstrated the value of risk management, the value of strong governance.”
The Report supported these views, finding that (1) GRC pros are almost four times as likely to say they are more risked focused than before: 38% vs. 10% of other professionals; (2) 62% of GRC professionals say their workload has increased in scope, vs. 42% of other professionals and 58% say their workload has increased in volume, vs. 37% of others; (3) Finally, more GRC professionals are concerned about changing regulations: 35% vs. 14%, with 54% of respondents saying they have complete visibility into the risks faced by their organization.
One of the key themes that Zitting raised started with a great phrase, as he believes GRC is in the “Roaring 20’s”. Further, he believes the 2020’s will be the “Decade GRC Embraces Technology”. The Colonial Pipeline ransomware attack also helped drive home the need for a robust technological solution to business continuity. This means that “the 2020’s will be the decade that organizations strengthen themselves with GRC technology.” Coupled with the Department of Justice (DOJ) mandate for more access to data for the compliance function, noted in the 2020 Update to the Evaluation of Corporate Compliance Programs, the need for GRC professionals to have the same access to data has become even more paramount.
We next turned to the reputational side of risk and the role of GRC in helping to manage that risk. While Zitting sees this side of risk as something that has been harder to quantify, the risk can be higher than fines or penalties and it can take much longer “to be undone and also tends to have far longer and broader reaching impact.” The key now is that with a greater tech focus, a GRC platform can help move towards prevention rather than detection. Zitting sees two key issues. First is the nature of building strong governance programs, which he believes “in and of itself creates prevention.” The second is the increased reliance on data analytics that use machine learning models, where we are seeing “real tangible on the ground working examples of where machine learning” can spot patterns and anomalies so that “we can work proactively on avoiding an issue occurring rather than just picking up the red flags after they’ve happened and trying to resolve them and undo the policy violence.”
We concluded by looking down the road, into the Roaring 20’s for GRC. Zitting noted that as GRC embraces technology for the purpose of operationalizing and implementing good governance, “successes, not only financially, but on successes in improving our impact on the climate, improving diversity and social justice amongst our employees, our customers and our vendors” will be more forthcoming. All of those things are going to really accelerate in this decade, and this makes it even more critical for the GRC professional and the GRC profession to adopt technology to move forward. The key will be getting GRC professionals the access to data that is widely available to other corporate disciplines such as sales or finance.
Zitting concluded that is why GRC needs to “embrace technology rather than staying tied to manually evaluated governance programs or controls, trying to ask people questions through forms and documents to capture employees input”. By fully automating the corporate GRC function and using “technology to our advantage, we can really unlock the full power of data and help these programs move along more.” The Report concluded, “To increase the odds of a successful journey, look for an intuitive and accessible platform, an active customer community, and the ability to scale, grow, and evolve with GRC roles and responsibilities—both during recovery from the pandemic and beyond.”
[View source.]
