As more and more organizations embrace digital transformation, business risk grows in scope and complexity, and the need to manage it in a more agile, responsive manner becomes increasingly pressing.
GRC in its initial incarnation—a set of tools for managing compliance risk— remains valuable for that specific challenge, but it aligns less precisely with today’s evolving definitions of risk and risk management. The answer is not to abandon GRC, though; rather, it’s to allow it to evolve into an approach that is better suited to today’s multifaceted challenges: integrated risk management. This paper maps out the path from a pre-digital, compliance-driven riskmanagement strategy to an adaptable, integrated approach that can keep pace with the fast-changing digital world.
STARTING POINT: RECOGNIZING NEW RISKS
GRC emerged early in this century as a way of improving corporate governance and internal controls to address regulatory compliance requirements. Today, however, the need has evolved from better managing compliance risk to better managing overall risk. And the definition and scope of risk itself has evolved as well, with areas such as digital third-party risk coming into play and moving to the forefront. Strategies that drive business success today, such as technology adoption or market expansion, are creating new opportunities—but at the same time, they are introducing more risk. Consider these examples:
Digital transformation is clearly a strategic priority today; IDC recently forecast spending in this area to reach $1.3 trillion in 2018. Digital transformation creates new opportunities to thrive and compete—but it also creates digital risk. Digital business typically involves fast-moving projects supported by processes that require a multitude of different applications, expanding the points of risk and the stakes for the organization. The key to seizing the opportunities is managing the risk in critical areas:
- VENDOR AND OTHER THIRD-PARTY RELATIONSHIPS: Looking to move more quickly and nimbly to exploit business opportunities, organizations are increasingly relying on external parties, such as service providers (especially cloud service providers), vendors, contractors and consultants. This increases risk, since organizations don’t have direct control over the risk a third party creates—but they are nevertheless responsible for managing the risk in third-party relationships.
- COMPLIANCE AND OVERSIGHT: That brings us to the area that originally led to the emergence of GRC: compliance risk. That risk has not gone away; it’s only been joined by other risks, such as those described above. Given the increasing complexity of business and IT today, compliance has grown more complex, increasing the risk associated with it.
The examples described above represent major categories of risk for organizations today, but they are by no means the only risks organizations face. Every organization is a complex ecosystem of people, processes and technology, and risk can be hidden away in many areas.
NEXT LOGICAL STEP: AN INTEGRATED VIEW OF RISK
A HORIZONTALLY INTEGRATED VIEW
As areas of risk within organizations continue to grow beyond just compliance risk, the need to view them as an integrated whole becomes increasingly clear. There are two primary reasons for this.
- One is that it’s simply unrealistic and operationally unsustainable to manage them separately, using different risk management platforms.
- The other reason—far more critical than the first—is that most areas of organizational risk today don’t really exist independent of other risks; rather, they cross over into other areas.
For example, if engaging with a cloud service provider presents a security risk, that’s both a digital risk and a third-party risk. And if that risk isn’t addressed, it may result in issues across multiple areas, from business disruption to compliance. Therefore, organizations need to be able to leverage business processes to build an integrated picture of risk that crosses operational functions and fosters a multidisciplinary approach to risk management. Think of this as a horizontally integrated view of risks that needs to be managed.
AND A VERTICALLY INTEGRATED VIEW
A horizontally integrated view is important—but incomplete. The other part of the picture is a vertically integrated view that connects strategic and operational risk. In the early days of GRC, independent functions were focused more on operational risks with less emphasis on connecting to the strategic business impact. Business and IT were essentially separate functional parts of an organization and there was little connection between these two worlds. That changed as enterprise GRC became a requirement of risk management.
Today, however, when business and technology are intimately connected (or at the very least, mutually influential), risk management must link operational risks to business strategies and vice versa. Security events are a great example. At RSA, we talk about Business-Driven Security™, which puts security-related IT incidents in a business context and makes it possible to calculate the business impact of a security event—and vice versa. This kind of interrelationship allows organizations to bridge the gap between security teams and their business counterparts, creating an environment in which they can reduce the risk that security incidents will negatively affect the business or that business decisions will negatively affect IT. The interrelationships between strategic business goals and operational events are becoming increasingly impactful.
- A decision made at the strategic level will cascade down and affect the organization’s ability to manage a risk in operations;
- a seemingly minor operational event can spiral out of control and impact strategic direction.
Thus, connecting the top-to-bottom, strategic-to- operational view of risk—as illustrated in the accompanying graphic—is essential to truly understanding, and addressing, the obstacles to achieving business objectives.