We all know that processes and technologies for governance, risk management, and compliance (GRC) have been evolving rapidly but, as the song goes, I think it’s safe to say we “ain’t seen nothin’ yet.” 

The velocity and scope of change in global regulation, geo-political shifts, and technology developments are almost immeasurable. The amount of data that is relevant to risk management and strategic decision making is overwhelming and growing exponentially. The very nature of information today is vastly different than even five years ago. Who knows how different it will be by this time next year?

The post-modern business

At the same time, despite—and in some ways because of—the pace and impact of change, we are moving toward a post-modern business model that presents previously unseen opportunities. We must have the right capabilities in place to grasp them without taking on unwarranted risk or sacrificing integrity. We must be able to move faster from data to decisions. This demands that our GRC capabilities evolve at a faster pace with greater impact as well.

So what will accelerate comprehensive change in GRC capabilities and outcomes?

Evolution accelerators

I believe there are three significant accelerators that are now driving the velocity of evolution in GRC capabilities over the near term. Each of these has developed recently with advances in technology and reduction in related cost. Today, every organization no matter its size or nature can benefit from improvements brought about by these accelerators.

The ability to establish consistency

Today, GRC platform solutions are available that allow businesses to connect previously disparate parts of the organization and share data from many sources, with different access, views, and reports for different needs. By ensuring consistency in how data is collected, maintained, reconciled, and analyzed, heretofore isolated silos gain a more transparent and accurate view of information they need to operate within risk and compliance parameters while supporting the performance goals of the business.

The opportunity to use big data

The volume of data both within and outside of the business is immense and constantly growing and changing. Only recently have affordable technologies advanced to allow for true data analytic capability that a non-technical professional can use. Now, there are GRC systems available that can almost immediately aggregate, sort, and analyze vast amounts of data and provide reports to risk and compliance professionals as well as operational managers. Perhaps even more importantly, now systems can analyze data from multiple systems in any form, both structured and unstructured such as e-mail, voice messages or social media posts. New computing capabilities can support predictive assessments and modeling of future trends. Even looking solely at regulatory compliance, given the volume and variety of change, these capabilities are essential at some level for any business.

The availability of cognitive computing

Being able to sort through and analyze large amounts of data is itself a game changer, but what if your technology could actually think about what it all means and offer deeper insights? That’s possible today with the use of cognitive computing that can understand native language, identify trends, determine relationships, and make well-founded predictions. The advantage in feeling confident about likelihood of future threats and opportunities and how strategic plans might change in response to that knowledge can’t be overstated. Even more eye-opening is the realization that today’s technology can help to identify options that you might not have thought of, providing true trusted advisor support that becomes more meaningful as your technology learns about your risk appetite and tolerances by assessing your decisions as a whole.

When your GRC capabilities are rapidly advanced by use of these accelerators, the possibilities are endless. You will build a post-modern business with insight, intelligence, and integrity.

An OCEG roundtable: The future of GRC technology

Switzer: At OCEG we talk about the goal of Principled Performance—the ability to reliably achieve objectives while addressing uncertainty and acting with integrity. This goal can only be achieved when we take an integrative approach to governance, risk management, and compliance. So I have to ask, how has technology changed in ways that better support these integrative capabilities?

What is fundamentally different in technology today than say 20, 10, or even perhaps 5 years ago, which allows us to have these more integrative capabilities that support Principled Performance?

Delaure: A key factor driving new approaches to GRC technology is the change in GRC structure and responsibilities. We are seeing many more chief risk officers with responsibility for establishing an overall view of risk. This goes beyond enterprise risk management to demand a systematic approach to how risk is identified, analyzed, and managed at all levels of the organization. As a result, we are seeing greater demand for a platform solution organized under the CRO but used by everyone managing risk. So while this isn’t itself a change in the technology, it is a change in demand that has helped to drive the technology developments.

Peters: The disciplines of GRC have certainly evolved over the last 10 years, but there has been a really significant acceleration in the last 5 years toward the Principled Performance objective. From a technology perspective, organizations have been focused on improving the integration of the distinct GRC disciplines in order to get the right visibility on risk as it relates to the entire organization. Integration can mean actions to consolidate risk systems so the data is harmonized within a single (or at least fewer) risk applications, or a focus on reporting analytics through a consolidated data store (like a data warehouse).

Within the last 2-3 years technology offerings have been taking a platform approach. The challenge organizations are having now is organizational harmonization of risk disciplines. When solutions were disconnected, risk area owners didn’t need to coordinate too closely regarding taxonomies or hierarchies. Now that the technology can better drive convergence, executives, often pressured by regulatory requirements, are demanding a coordinated approach and result.

Now technology is pushing the boundary of how organizations can improve analytics and manage risk through the advances in cognitive computing. These developments are starting to show their benefits in areas like regulatory compliance and causal correlations. Organizations are looking at ways to use these advances to get to that Principled Performance result.

Switzer: We began GRC conversations ten years ago by talking about breaking down silos and standardizing processes. Lately we’ve been focusing on the value of analyzing “Big Data” to support risk-aware strategic planning and desired outcomes. How do you see “Big Data” in the context of GRC?

Peters: Many organizations have made steady progress in eliminating silos in the underlying technology and in the processes they use to manage risk. The challenge they now face is the same one that every other data-driven activity is experiencing—the overwhelming volume of data.

As GRC is converged, organizations need better analytics capabilities to mine value from the consolidated data. But challenging this desire is a steady increase in the amount of data per risk discipline and the shift from highly structured data to highly unstructured data.

The technology industry is responding with ever advancing capabilities in Big Data and data analytics. Organizations are struggling to apply these technologies to the GRC domain in part because of the weakness in analytics competence within their own organizations as well as the evolving importance of unstructured data. There is a pretty large gap between those who know how to mine the value and those who don’t. This is a gap that many see can be filled by evolving cognitive computing capabilities.


Carole Switzer, President, OCEG (Moderator)
Christophe Delaure, Senior Product Manager, IBM Analytics
Glenn Peters, Global Solution Architect, IBM Analytics

Switzer: What is cognitive computing and what are some of the capabilities it offers that are real eye openers?

Peters: It’s hard to know what to look for if you don’t have a hypothesis to pursue. Cognitive computing capabilities can help pick up on underlying themes or trends to form a basis for a more focused analytics approach.

The technology industry has been investing in the cognitive capabilities of advanced software for many years, and the results show real promise in the ability to provide value for many highly data-intensive domains, particularly when it comes to unstructured data. Some of the more impressive examples of where cognitive capabilities such as natural language analytics and content correlation analytics have made their mark are in industries like healthcare and science.

Now these capabilities are being focused on other opportunities, and GRC certainly has some high-value targets. Most recently cognitive capabilities are being applied to the GRC compliance domain with some promising results.

Considering the sheer volume and velocity of regulations and the impact to risk management, cognitive computing has real potential to improve not only the management result but effectively address the challenge of the volume of data with which many organizations simply can’t keep pace. The cognitive capabilities are also showing a lot of promise in the analytics correlation among risk data in the event, loss, and security disciplines of GRC.

Delaure: I can think of two GRC examples where many companies struggle and a cognitive system can really help—root cause analysis and regulatory change management. In both cases, the ability of cognitive software to now understand native language and learn what terms or descriptions different people might use when talking about essentially the same thing brings real value.

For root cause analysis, cognitive systems can sort through vast amounts of information and see patterns that human eyes might not or could not. In managing regulatory change, cognitive systems can read and develop relationships between tens of thousands of pieces of information to see changes as they take place or even in advance, and identify how they might impact operations and controls.

Switzer: Finding information is important but so is developing meaningful reports for each stakeholder about that information. How do cognitive capabilities change reporting today?

Peters: It’s true, providing useful performance reports is a real challenge for organizations when they have succeeded in consolidating or converging their GRC data. Considering the volume of data directly managed in GRC, and the related data often supporting GRC decisions, getting a reporting environment to respond in real time presents a technology and investment challenge.

Active reports are an option to pre-fetch data from GRC and related areas to compose reports that present deep analytics. This technology meets most organizations’ needs without inflicting report delays or infrastructure risks and performance impacts. A benefit of active reports is that they have, for the most part, been designed to fit the multiple form factors users expect today, such as workstation and mobile views.

Organizations have also learned that the active report capability can be used in conjunction with real-time reports to present the deep analytics needed while providing real-time results for specific risk domains. This allows an organization to get the best of both worlds regarding analytics.

Delaure: The next step beyond active reports, which allow a user to look at the information from different points of view, is toward real self-serve analytics and reporting. Now, a user of advanced analytics systems employed for GRC can develop his or her own reports without having advanced technology skills or maybe any technology skills at all. And cognitive systems let the user go beyond historic reports to include predictions of future opportunities and risks that used to be solely in the skill set of data scientists and statisticians.

Switzer: What do you see as the next advances or what would you like to see?

Peters: From a technology perspective I don’t know that I see any significantly new capability being introduced but I certainly see a continued acceleration in the application of the analytics and cognitive capabilities. Many organizations are still in various stages of their journey to converge the GRC disciplines and data. As this continues, the shift to the analytics and cognitive capabilities will grow significantly. The technology industry will continue to look for ways to expand and optimize these capabilities as more demand pushes the current boundaries. Ultimately I believe the cognitive capabilities, particularly natural language analytics, will move the GRC domain from a largely reactive result to a proactive position further meeting organizations’ objectives to get to a Principled Performance GRC operation.

Delaure: I see a rapid advance coming in understanding the value of cognitive capabilities for GRC and excitement that will drive even more innovation about using those capabilities to achieve Principled Performance in organizations of all types and sizes.