Digital Transformation Blogs - Bigdata, IoT, M2M, Mobility, Cloud

Greatest GRC Challenges

We are on the threshold of interesting times in which technology is radically changing the landscape that individuals and organizations operate in. We live in times when a simple IoT device like a smartwatch can be used to gain access to confidential information. Geopolitical undercurrents are increasing, business cycles are faster, regulations and compliance enforcement are becoming more stringent, certain important economies are weakening, and third-party risks are getting more complex.

In this dynamic and complex scenario, successful execution of an organization’s business strategy involves balancing operational efficiency and revenue generation while managing risk effectively. Organizations that are embarking on a GRC journey, or are in the middle of one, need to evaluate their GRC strategies and think of ways to build resilient enterprises that bring together process, people, information and technology and combine these factors well.

Let us highlight a few of the important GRC challenges plaguing organizations currently:

Ever changing regulations:

Organizations need to keep up with new regulations every year. With limited resources at hand, they often find themselves overwhelmed by the demands these new regulations place on them. As a result, an organization frequently develops an ad hoc approach to complying with regulatory requirements instead of an integrated, well-thought-out one. Over time these approaches grow more complex and time-consuming as the business spreads across various geographies. Because such processes fail to consider the long-term advantages of a coordinated strategic approach, they end up underestimating the need to effectively mitigate risks and threats.

Management complexity of GRC programs:

The absence of standards and protocols across the organization, the lack of board-level oversight, and the (occasional) inability of GRC programs to establish a transparent system all obstruct the prioritization of risk mitigation efforts. Despite knowing the growing importance of GRC, quite a few corporate boards do not undertake sufficient oversight of IT risk, security and compliance, which results in slow responses to risk incidents and potential failures.

Functioning in silos:

Organizations, both large and small, still function in silos. Each business unit has its own set of vendors, compliance regulations and processes to meet those regulations. This silo-based way of working creates duplication, with critical information ending up stored in numerous locations. Besides being time-consuming, this approach makes it harder to manage important information and prevents departments from sharing information and data with each other. It also creates data redundancy and hides potential risk scenarios.

The rise of big data:

Organizations nowadays receive data from multiple sources, ranging from emails to conversations to social media to transaction details, at an extremely fast pace. The combination of big data attributes (volume, variety and velocity) challenges traditional tools and methods for extracting value. One important outcome of these big data projects (many of which are highly dynamic) is that they give rise to new privacy laws, governance and regulatory obligations. Big data can therefore be a boon or a problem depending on how it is harnessed and managed.

Cyber security risks:

Adopting emerging technologies, greater dependence on cloud-based services, wider adoption of smart devices and big data trends present cyber-attack scenarios that were unthinkable a few years back. Perpetrators of modern-day cyber-attacks are well researched, well funded and very capable of sophisticated attacks. As the way we work and live changes, and as we become inseparable from our devices, the GRC landscape is affected accordingly with a new set of challenges. An organization's inability to protect itself from potential cyber threats has far-reaching consequences, including loss of customer confidence, loss of competitive business advantage, and fines and sanctions from regulators.

Supply chain risks:

Supply chain risk and compliance is another critical challenge in today’s GRC landscape. The confluence of smart devices, automation, geolocation tagging, machine-to-machine transactions, cloud services and big data adds extra layers to GRC requirements. Cloud services and IT outsourcing extend the risk and compliance focus beyond the traditional manufacturer-to-retail model. Organizations unable to manage risks in their supply value chain are open to potential data theft affecting their business services and credibility.

Unrelated solutions:

Much as with data silos, many organizations still use different software tools to operate different parts of the organization. These tools often do not integrate, causing inefficiencies and redundancies that create an environment of greater potential risk.

Lack of customizable reporting capability:

Each organization is unique, so there cannot be a “one size fits all” approach to compliance reporting. Many organizations have managed compliance reporting in a decentralized way, i.e. by business process, function or location, resulting in a lack of visibility when monitoring risks and general operations. This presents a challenge when deploying GRC, as auditors demand reliable, up-to-date and auditable reports.

The popularity of BYOT:

The line between personal and professional work has started blurring. Organizations are leaning towards a BYOT (Bring Your Own Technology) model to increase efficiency while managing costs. As staff have started bringing their own PCs, tablets and mobile devices to work, an unchecked number of rogue devices has proliferated across organizations without following any protocols. Besides privacy issues, IP threats and data loss, the other challenges presented by the BYOT trend are:

  • Applications downloaded by users onto their personal devices must be approved; information-stealing malware is active in popular app stores, opening up entry points.
  • The mobile ecosystem for security and compliance is still evolving.
  • Unsecured Wi-Fi and cellular communication capabilities expose such devices to NFC-based hacking.

Aligning operational security with risk and compliance programs:

Many business organizations use discrete terms for IT security operations, IT compliance, IT audit and incident response. Many of these specialized units have their own best practices, standards and policies. It gets even more complex when geographical and business divisions are not centralized. In such scenarios, aligning and prioritizing an integrated GRC program becomes a tough job, because misalignment can place an undue burden on the relevant domains besides increasing costs.

GRC challenges remind one of the mythical Kaaliya: just as an organization thinks it has everything under control and supervision, another compliance issue raises its head elsewhere. Organizations need to keep these challenges in mind while ideally opting for a holistic, proactive, integrated and programmatic approach.
