How analytics is influencing GRC

Humans excel at analytics; it is the way our brains are wired. We are constantly taking in information, processing, analyzing, and making decisions. Whether it is crossing a street, reading a book, watching a show, being a spectator or a participant at a sporting event . . . we are constantly analyzing everything around us.

The challenge is that we can be throttled and slowed down in analysis. This is particularly true in a Governance, Risk Management, and Compliance (GRC) context. The official definition of GRC is that it is “a capability to reliably achieve objectives [GOVERNANCE], while addressing uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].” To achieve GRC means that GRC roles and functions have to take in a massive amount of information, process it, align it in context, and make decisions.

Historically, we have done this manually. A lot of manual information gathering, processing, and reporting. Documents, spreadsheets, and emails were the backbone of this process. I was recently talking to one organization that was spending 200 employee hours building one report on GRC for the board of directors. They were combing through stockpiles of documents, spreadsheets, and emails, gathering, calculating, and documenting information. This is not agile in today’s dynamic, distributed, disrupted business environment. We need GRC context quickly and efficiently. We need information to make the organization agile in a dynamic risk environment.

GRC-related technologies have provided great benefit in automating reports and providing tasks and workflows that keep deadlines from being missed. The same organization I referenced that took 200 employee hours to build a report now gets the report in less than a minute.

The future for GRC-related technologies is improving this further. Through modern intuitive user interfaces, cheaper technology, and enhanced data visualization technologies, individuals and departments across the organization are gaining greater risk and compliance understanding and contextual awareness. Individuals without an advanced degree in mathematics can see and contextually understand large sets of structured and unstructured data. This puts the data in the context of the individual and how and where they operate in the organization. Good analytics enables all three lines of defense in an organization: not just the second and third lines that are the back office of GRC, but also the first line of defense in the front office of the organization.

Adding to this is a host of advanced technology that we call cognitive GRC, in which artificial intelligence enhances GRC-related processes with predictive analytics, machine learning, natural language processing, and robotics. These technologies further contextually understand information and automate responses in the environment so the organization can reliably achieve objectives, while addressing uncertainty, and act with integrity. This new technology can crunch mass data sets, contextually link and understand information, and speed up response processes. This means less time on GRC-related manual activities and reporting and more time contextually understanding risk and mitigating exposure.

However, this is not without its own risks. Relying on the next generation of GRC-related technology requires that the organization have good information. The automation and contextual intelligence that GRC technology provides are only as good as the underlying data. Bad or poor-quality data results in bad decisions. Organizations must ensure that their underlying data is good, relevant, and of high quality.

In the end, organizations can leverage the new generation of GRC-related cognitive technologies to be proactive in risk management, to monitor leading indicators so they can ensure that they hit their strategic objectives. This is what I call 360° contextual awareness in GRC.
