Is This GRC in Our Future?
One of my other favorite blogs about compliance and risk management is the one maintained by ACL, a software vendor that caters to the internal audit industry. Those of you who like to ponder the future of our profession might want to read the most recent post there, “The Maturing World of GRC” by John Verver, which has a few astute observations about what’s likely to come.
Much of Verver’s post recaps an ACL forum he hosted, and much of forum itself seemed to recap how far our understanding of GRC has come in recent years. His astute observations are these:
One of the primary themes of the conference was how to manage risk and compliance functions to avoid “organizational drag”… the problem of these functions turning into inefficient resource drains, focused on risk avoidance, rather than on activities that can contribute value to the business. Avoiding operational drag requires a focus on collaboration and alignment with strategic objectives.
While just about everyone is going to agree that collaboration and alignment with key objectives are clearly desirable, the pressing issue is how to achieve this in practice. The simple answer is that you really cannot achieve an integrated approach without technology that is designed to efficiently enable the process.
I agree with Verver that these are fundamental challenges to GRC for the next few years, and I have faith in the GRC community that we’ll solve them. When you start thinking through how we’re likely to solve these challenges, however, those thought experiments take us to a place with significant implications for compliance officers today.
The key here is how we’ll end up using technology to improve business performance. People tends to focus on the theory part first: about how compliance and risk management can add value rather than be an organizational drag. That’s not quite right. Yes, turning compliance and risk management into functions that add value to the organization is a crucial goal—but that’s going to be the natural result if the technology that lets you analyze and improve business processes.
Compliance and risk management are just business processes, after all. You can pick them apart and reconfigure them like any other business, if you’ve mastered the fine art of picking apart and reconfiguring business processes in general. And that requires a mastery of IT and data analytics. Verver says as much in his last sentence above: “You really cannot achieve an integrated approach without technology that is designed to efficiently enable the process.”
By now compliance officers who went to law school (and that’s plenty of you) might feel a bit anxious, since designing technology to efficiently enable process isn’t something law schools teach. We have an abundance of compliance officers who can articulate compliance and risk objectives, but need help designing the processes to achieve them.
This is where I wonder how the lawyerly, subject matter expertise of so many compliance officers can mesh well with the technical, process-driven expertise required for modern risk management. I touched on this in a prior post, wondering how risk assessments will work in our Big Data future—a future where compliance risks are so important that they become operational risks.
Operations are processes, and processes are meant to be improved. In the future, we’re going to do that by studying the data those processes generate and then refining things, one iteration at a time. Will compliance officers be able to do that skillfully? Perhaps. Will audit executives be better able to do that? Probably.
One could even say that ultimately, compliance and risk management will blend into one tangled mass of operational risks that need to be observed, governed, and improved at all times. Could compliance even be split into two parts—one half still in the legal world, studying compliance objectives and investigating misconduct; while the other half resides in some souped-up internal audit or operational risk team that monitors business processes and performance at all times?
Yes. Yes it could.