As a products organization, we have the good fortune of working with exceptional clients, industry analysts, market research teams and business partners. Through our many daily interactions we have been witness to a wave of patterns forming that are changing the face of governance, risk and compliance (GRC). This wave suggests the organizations have reached a tipping point in their GRC agendas. This tipping point represent an emerging energy focused on addressing existing challenges and exploring new frontiers with the potential to deliver greater value from required investments in GRC systems. While this natural evolution is by no means complete, as the industry changes so do those involved, adapting and evolving to meet the needs of their businesses. Three key observations from the front lines of GRC are apparent (Figure 1):

1. Organizations are transforming their GRC frameworks
2. They are driving to realize greater benefits from already significant GRC investments
3. There is an increasing focus on GRC solutions that are more forward-looking in their guidance

Figure 1

Transforming the GRC framework

• The pace of platform standardization is increasing

Many recent engagements have been in response to our clients looking to transform their existing GRC framework. These organizations are being pressured by increasing “asks” from institutions, accelerating the pace towards standardization. To meet these demands, organizations are reassessing their current GRC system approach. They are looking for ways to simplify the skill and support needed today, and to how they can reduce the number of GRC solutions and silos necessary to cover a larger set of enterprise needs and results.

• Institutions are targeting tactical, ad-hoc systems for replacement

As such, organizations are coming to the conclusion that they need a consistent, cross-discipline, cross-process view of risk and compliance. Current GRC configurations tend to constrain the realization of this holistic view. The result is often a “patch work” effort in an attempt to connect disparate systems that are putting undue strain on already limited organizational resources.

• Standardization is accelerated by the desire for modernization in both process and technology

In an attempt to realize the desired efficiencies, organizations are looking for less custom, more configurable platforms/solutions designed specifically for GRC. They desire a faster time to market, more agility and the opportunity to offload the burden of maintaining their environment. They want to be able to digitize their processes with less reliance on customizations and allow for iterative, visual designs as their business needs change.

• Standardization and IBM OpenPages with Watson

IBM OpenPages with Watson has been the beneficiary of this movement due in part to our architecture. Organizations have emphasized to us the inconsistent experiences they have had with existing solutions, where solution designs were fractured or cobbled together. Conversely, IBM OpenPages with Watson delivers standardization at enterprise scale through a common object library, native guided workflows, role-centric user interface, and market-leading analytics that share capabilities across the entire platform.

Our recent investments in a zero-training user interface, new oversight and tree navigation visualizations, all driven from a visually authored workflow and UI designer allow the desired digitization to take place in minutes not days. These workflows can be defined with data validations, multistage alerts, exit criteria and step-by-step customized guidance in context to the task being performed. For more information on these investments please see our previous posts, “What’s new in IBM GRC and OpenPages v8.0?” and “Get rid of the noise by streamlining your audit with IBM OpenPages.”

IBM OpenPages with Watson on Cloud allows organizations to add acceleration and agility on top of this with provisioned high-performance, secured, and isolated environments, without compromising capability. Projects can start faster and deliver value sooner. With IBM application expertise, our clients will not need to worry about being on older versions or missing out on exploiting new feature sets. Organizations can instead focus on driving their own business value and products, secure in the knowledge of the solution value that IBM OpenPages with Watson on Cloud gives them.

Driving better outcomes

• Increased confidence to manage, not minimize risk – systems are under scrutiny

Organizations are looking achieve the difficult balance across ensuring proper business conduct, controlling risks with adequate capital reserves, and spending on resources and systems. Organizational systems are under scrutiny to demonstrate that the proper behavior is in practice while not minimizing the opportunities for organizations to apply appropriate risk in their ventures.

• Engaging first line to participate more actively in GRC to develop a risk lens for better decision-making

Better outcomes are the result of better decisions each day across the organization. For that to happen decisions must be aligned to the individuals with the accountability and richness of experience to leverage risk as an important dimension in their decision process. Individuals in the first line need to be more actively engaged to facilitate this, and today’s GRC systems need to be better oriented towards these more casual users.

• Driving out GRC related costs with improvements to efficiency and quality of information

Efficiencies with GRC can come from many places such as: faster times to digitize processes, less reliance on costly, specialized skills, moving items faster through well-defined processes, and ensuring things are correct the first time. GRC systems need to be able to respond to these needs in the modern digital age leveraging technology for further automation.

•  Driving better outcomes and IBM OpenPages with Watson

IBM OpenPages with Watson provides a complete line of site across risk and compliance activities, associated key risk indicators (KRIs), and other sources of supporting evidence. Task views and information access at your fingertips enable more command and control allowing organizations to manage to their desired risk exposure without compromising business objectives.

Last summer, IBM OpenPages with Watson introduced a reimagined interface, designed in collaboration with our clients, to simplify and enrich the experience of the first line of defense. The objective was for organizations to empower the first line to use the system without reliance on the second line of defense experts. The design is task-centric, focusing the users on the data and the actions needed to complete the task, providing custom, contextual guidance at every stage. We also employed the power of Watsons’ AI to recommend classifications, reducing issues with data quality. The native workflow allows for standard and exception processes allowing work to move through the system faster. Clients have described this reimagining of the GRC solution experience as being a real game changer, freeing the second line of defense to work on other pressing activities.

Moving from what’s happened to what’s coming

• Emerging threats must be weighted more heavily than they have been

While using historical data can inform future decisions, emerging threats must be weighed more than they have and put into the context of evolving risk postures. We have seen trends such as the movement away from AMA towards a standardized approach as a potential barrier. Tom Osborn is his article entitled Op risk capital: looking back in anger (Risk.Net article, March 15, 2019) argues that “by simply setting capital primarily according to a bank’s size and crudely scaling it to reflect past losses, risk-weighted assets will inherently not reflect a firm’s current risk profile.” The contention being that by only looking at the tangible costs and not including expert judgement, assessment results and KRIs, that organizations are left looking in the rear-view mirror versus scanning the horizon. Enabling risk and compliance professionals to focus on future events allow them to properly assess trends, and what is coming next.

• There is a growing need for increased connection to related data

From acknowledging the need to understand emerging issues stems the need to make connections into determining, “what do these issues mean to us?” and “how much impact will they have?”  As Watson Financial Services’ Heather Gentile points out in her blog, Greater availability of data, facilitated by real-time integrations makes it possible for compliance experts to monitor a wide variety of sources.  Information relevant to the institution’s risk profile may take the form of proposed regulations, request for comment, final rules, guidelines, adoptions, authorizations and memoranda of understanding (MOUs), decisions and orders, exemption orders, policies, notices, news release, amendments, sanctions, warnings, and bulletins among others.

• GRC is providing insights to systemic issues

GRC is providing aggregate insights into systemic issues in controls, processes and compliance for dynamic areas such as Cyber Risk and Data Protection. This requires systems to have a connected library of risk and compliance items that can be viewed across different business dimensions. This information needs to be in a consumable form, able to be shared with other stakeholders in a timely, relevant fashion.

• A focus on future risks and IBM OpenPages with Watson

IBM is addressing these needs.  First, IBM Watson with IBM OpenPages with Watson incorporates IBM Cognos Analytics for self-service reporting and dashboards. IBM Cognos Analytics continues to advance both analytic and AI capabilities. The most recent version includes Business Insights from dashboards, data patterns, visualization suggestion, natural language processing, predictive charts, and a completely new data exploration tool. These features allow business users to find connections and see emerging patterns in their data without requiring specialized skills.

Second, IBM OpenPages with Watson also employs “Oversight” views in our task user interface, allowing supervisory roles to see not only the precise status of their activities but the activities of those that they oversee. This allows for more coaching and less policing and a clear line of sight into future activity.

Third, in our labs, we are continuing to reimagine the user experience to provide a personal, fully user configurable dashboard. Each user will be able to monitor tasks, KRIs, and other information at a glance navigating to details effortlessly. Business users will be able to create, show, rearrange, and hide a set of panels and apply filters to narrow down the information displayed. We believe this forthcoming capability will create a central, personalized “command center” for users to be more efficient and effective in their daily activities.

What does this mean for your organization?

The increasing pressures and pace of change that organizations are facing today require that leadership assess whether their current GRC solutions are tenable in the long-term. From our ground-level client conversations, it is clear that there is a wave of change on the horizon (see Figure 1). Organizations appear to have reached their “GRC tipping point.”  What this means for risk leadership is that they must ask themselves to what degree current frustrations with the costs and management of their organizational risk is attributed to their current solutions and systems. They must determine whether now is the right time to have a closer look at how changes can improve both their effectiveness and efficiency in managing their risk exposure and determine the benefit of freeing up resources in their hyper-competitive environments.