Chartis: Slow Progress in Uncertain Times for Enterprise GRC
Posted: 8 May 2017 | Author: John MacDonagh | Source: Chartis
Despite gradual progress toward integrated enterprise Governance, Risk and Compliance (GRC) in the past few years, vendors and end users have struggled with the concept. It’s easy to see why: integrating established systems that were designed to be independent is not a simple task, and other developments in the GRC sector have kept vendors busy. Although it’s hard for vendors, this slow but steady push toward integrating their GRC systems will ultimately be beneficial for end users. They will be able to use data more easily from functions that were previously separate, and simplify the governance of their GRC processes.
The breadth of enterprise GRC requirements and solutions means that progress has been varied. Some aspects of GRC, like governance-level IT risk management and internal audit management, have changed little. Others, meanwhile – notably conduct and third-party risk and the application of Artificial Intelligence – are advancing rapidly.
- Conduct and third-party risk. In an attempt to restore public trust, regulators have become more active in punishing misconduct, issuing large fines and increasingly targeting individuals at fault, as well as imposing organization-level sanctions. To avoid action from the regulators, and damage to their reputations, firms must now be more rigorous in how they design and enforce their conduct risk programs, to the benefit of their clients. As well as managing their conduct risk, firms must also be more aware of the integrity and conduct of third parties they are associated with; ignorance is no longer a valid excuse.
- AI. This has been a key area of progress: AI technologies employed elsewhere in firms (especially financial institutions) are being used in novel enterprise GRC applications – most often to automate simple repetitive processes, with regular input and validation from humans. Following these relatively basic applications, some vendors are also developing more advanced statistical AI applications for GRC, including communications monitoring and systems for quantifying reputational risk.
As well as pushing toward more integrated GRC, vendors and users of enterprise GRC solutions must also plan for an uncertain future. The current climate of political change is threatening the status of existing and planned regulations. In particular, a presidential executive order released by the U.S. government in early February 2017 stated seven core principles of regulation, and ordered an evaluation of ‘the extent to which existing laws, treaties, regulations, guidance, reporting and recordkeeping requirements, and other Government policies promote the Core Principles’. This review will focus on the effectiveness of the Dodd-Frank Act, as well as the financial regulatory agencies that implement it, and could result in the replacement, or a significant rework, of the Act. While this executive order does not make any direct changes to the regulatory environment itself, there is a very real chance that it will lead to significant change for U.S. financial institutions.
Unfortunately, plans to deregulate particular industries, or to make significant changes to regulations, are very difficult to predict, introducing further uncertainty in many industries. This uncertainty affects firms everywhere, which must now assess how regulatory change might affect them, and how best to react to it. GRC software vendors, meanwhile, must carefully consider which regulations will be most relevant in future, and how the demands of their clients are likely to change; vendors may need to reassess the functionality and coverage of their solutions, and remain flexible enough to keep their offerings in line with future changes to regulation.
For an executive summary of Chartis’s report Enterprise GRC Solutions: Market Update 2017, visit www.chartis-research.com.