"You need a good [GRC] system. You need the right data. You need to share the data and take those organizational learnings." -Zeke Ward, Founder, North Star Compliance
Companies today face more change than ever before: new priorities in diversity, equity and inclusion, intensifying cyber risk and increasingly remote business environments that emphasize stakeholder capitalism. This has put a heightened focus on governance, risk and compliance (GRC) and the trends in compliance organizational structures that support it. How have companies – and their boards – been managing it all?
"We see some real change happening. It's not just that organizations are making a big commitment to equity and inclusion, but that it's actually making its way into meaningful processes and being monitored," said Dan Zitting, who serves as Chief Product Strategy Officer at Diligent.
Dyke Debrie, former Managing Director at Diligent, articulated the technology aspect to this shift. "Digital transformation has really accelerated everything," he said, from the way organizations communicate with employees, to how they do business with third parties, to the digitization of systems needed to support all operations, including modern GRC technology.
"We are really at the start of digital transformation of the GRC space. There is so much more that we can do ... We can really start to think of how we can use GRC as a competitive advantage and as a growth lever." -Lisa Edwards, Diligent President and Chief Operating Officer
Diligent convened an expert virtual panel, "The Future of GRC," moderated by Vice President of Product Marketing Brittany Clark, to discuss the GRC best practices and trends that began in 2021 and their future implications for boards, directors and executives. Highlights follow.
An Expanding Risk Landscape, With Heightened Scrutiny
Internally, companies are increasing their focus in areas such as vendor selection and vendor risk management, Zitting said. They are also beginning to audit carbon usage across the organization and supply chain, including a focus on carbon offsetting. Debrie noted that externally, the risk landscape has expanded to include new areas of fraud like the risk of business disruption, which the COVID-19 pandemic brought front and center.
It's vital to give employees the channels and confidence to speak up if they see something, Debrie said. Regulators are intensifying their attention. The European Union recently issued a new directive on whistleblowing, and a draft directive on managing corporate due diligence is scheduled to take effect in 2023.
Zeke Ward, founder of regulatory consulting firm North Star Compliance, predicts the draft directive on corporate diligence will cause a "sea change."
"This is going to be looking at how companies operate, right from the very beginning of their activities and their value chains through to how they sell their products," Ward said. "Companies are going to have to map out those chains and really begin to understand not only who they're doing business with directly but indirectly as well."
"Whether it's an ESG objective, a financial objective, or any other kind of corporate objective, strong GRC processes and practices will ensure the organization can reliably achieve those while addressing uncertainty." -Dan Zitting, Chief Product Strategy Officer, Diligent
Trends in Compliance Organizational Structures
The compliance organizational structure is one area where organizations should get ahead of the “sea change,” as Ward called it. The compliance and ethics landscape has evolved quickly, but regulations will only continue to tighten as institutions around the world see the value of ESG.
This renewed focus on ethics is also popular among stakeholders, meaning organizations can benefit both financially and reputationally from shoring up their team according to new trends in compliance organizational structures.
Today, building this culture of compliance means:
Keeping compliance and ethics in-house: Organizations are leaning on in-house compliance teams in place of costly third parties. GRC and compliance technologies help in-house teams to manage a greater set of compliance and ethics issues, which has made it even more cost effective for organizations to manage their own compliance programs.
Embedding officers within business units: Each business unit will have different compliance needs. Organizations can actually embed ethics and compliance officers within each business unit. This both helps the compliance team understand the unique needs of each unit and get ahead of any potential risks that might otherwise go unchecked.
Collaborating with other departments: Compliance and ethics can no longer function in a silo. As risks evolve, so should GRC strategies. In modern organizations, this means collaborating across functions to create more visibility for both risks and their associated compliance and ethics requirements.
New Tools and Skills Are Necessary to See the GRC Big Picture
Managing ESG, cyber, data privacy and more across multiple systems can quickly become complicated, and it requires boards to think of the big picture. "How do you think about GRC integrating into all of your existing tools?" Diligent President and COO Lisa Edwards asked. "How do you go deep into those systems and then float up just the things that are most important?"
Yvette Hollingsworth Clark, who served as Chief Compliance Officer and Regulatory Innovation Officer with Wells Fargo, noted challenges old and new. "It is no secret that, typically, compliance and risk management organizations have a lot of manual processes," she noted. "There's a greater need to introduce technology just to keep pace with the volume and complexity of regulatory requirements."
In response to the pandemic, "technology solutions were propped up pretty quickly," she said. Now organizations will need to understand the designs behind them, especially if the solutions involve AI or machine learning.
"Typically, you have legal and regulatory professionals that operate in the compliance and risk management space, but when you're bringing in technology, you're going to have to reimagine what skill sets you need," Clark said. Examples include a data scientist who understands how data is being used, an analyst who can make sure to make sure there are no problems with how code is written, architects who know the technology environment, plus someone in the emerging role of digital ethics officer.
Ward touted the benefits of an integrated approach. For CCOs, heads of health and safety, heads of sustainability and other executive leaders, conversations about risk management often lead to the same fundamental problems, he said.
"Transparency and connectivity will be key to ensuring organizations meet their lofty goals." -Brittany Clark, Vice President of Product Marketing, Diligent
GRC as a Growth Driver
Zitting said he's seen more CEOs engaged in GRC-related projects in the last year than the previous 14 years combined. In another trend, executives have been expanding their definition of GRC, from a monitoring and reporting mechanism for regulators to a potential driver of growth.
Ward cited the emerging hydrogen sector. Policies that promote a greener economy are opening up opportunities for firms operating in this space: whether it's producing ammonia, using hydrogen in transport and logistics or other innovations.
Debrie referenced the tension that can exist between compliance and other business activities. 'I think that's diminishing somewhat, and boards can see the value of a compliance program as a generator of things like sales – certainly in the immediate and long-term.'
The Importance of Systems and Sharing Data
Whether spotting new market opportunities or keeping compliance and risk management on track, GRC oversight starts with getting the right people the right information at the right time. This is an important part of effective compliance organizational structures.
Debrie presented the example of HR. "Those of us who have worked in large organizations know that it's a pretty constant churn of people in and people out," he said. "If you're going to be administrating all of that while at the same time keeping compliant and maintaining adequate procedures for your regulator, then you need a good system in place."
Debrie also recommended keeping tabs on the GRC issues that people are requesting guidance on. Trends here can help shape GRC strategy and response.
Effective management of GRC issues, from environmental risk to human rights risk to social risk, begins with collecting, sharing it with the right people, and analyzing it in the right way, Ward said.
The Heightened Role and Responsibilities of the Board
"As you are able to generate more information from technology, there is going to be an expectation that response times to remediate issues will lessen." -Yvette Hollingsworth Clark, Compliance and Risk Management Expert
Clark anticipates a heavier reliance on boards to be responsive on GRC issues. Because boards have more data, they'll be expected to use this information to credibly challenge management when needed in a more timely manner.
Boards can increase their involvement by starting small. Pilot projects can identify organizational pain points and lead to quick wins. Creating informal committees helps foster trust and collaboration among members.
Zitting encourages boards to put tools in place to monitor the metrics that guide their decisions. Once an effective process and compliance organizational structure is established, they can use machine learning and automation to deliver data in real time – elevating those insights to the board level.
Throughout, board members should continue to educate themselves on GRC issues, particularly related to digital transformation. "I think that we will see a greater demand for board members who have an understanding of emerging technology so they can effectively challenge management and actually ensure that they're fulfilling their fiduciary responsibilities," said Clark.
"The space is moving so fast, you can quite quickly get left behind," said Debrie.
Create Value With GRC Technology
GRC technology is no longer the future. It’s the here and now for organizations that want to cement their competitive edge. Because while organizations have always faced risks, they’ve never faced the diversity of risks they face today. Increasingly remote workplaces, burgeoning stakeholder capitalism and even digital transformations call for new approaches to GRC, the best of which center around technology.
But even the most tech-savvy of boards will want to see the business case. Download the GRC e-book from Diligent, which details how to deliver a business case for implementing GRC software, whether that’s in a one-page brief or a longer report.