As enterprises move their critical workloads to the cloud and regulators tighten the rules in the wake of security breaches, the job of Governance, Risk and Compliance (GRC) professionals has become more important and, at the same time, much harder.
We look at the escalating cost pressures and reflect on some of the key priorities in front of GRC executives as we move into 2021.
Cost of data breaches: An Accenture report estimated the cost of cybersecurity breaches over five years at a whopping $700 billion. Another report, by the Ponemon Institute and IBM, surveyed 524 organizations of varying sizes that had experienced data breaches. The average cost of a data breach stood at $3.86 million, and it took an average of 280 days to identify and contain a breach. Costs of that size, and exposure of that duration, can be make-or-break for many organizations.
Cost of penalties and compliance: Boston Consulting Group estimated that stricter enforcement of regulations since the 2008 financial crisis has cost financial institutions approximately $321 billion in penalties. A KPMG report pegged annual compliance spending by financial institutions at $270 billion.
On top of all this, the Covid-19 pandemic put additional pressure on budgets as keeping the business up and running took priority. Thomson Reuters Regulatory Intelligence reported in its 2020 Cost of Compliance study that the biggest challenge facing compliance teams is balancing budgets against ever-increasing compliance costs.
A new digital divide: With breach costs and penalties this high, and compliance budgets under this much pressure, GRC executives are leveraging technology more than ever before. The Ponemon Institute study cited above shows a new kind of digital divide emerging. Organizations with mature security processes and fully deployed security automation suffered much lower data breach costs than those with immature security postures, a difference of $3.58 million on average.
Top priorities of GRC Executives
Discussions with customer teams, and with senior executives at this year's SIBOS and OpRisk NA events, brought up a few key points:
Automation is a must
Executives see effective automation as the line between the leaders and the rest. The automation they want is aimed at answering compliance-oriented business questions.
For example, automatically linking controls to internal frameworks, and those frameworks in turn to the operational systems they govern, promises faster response times with much less effort.
Data is key
Business decisions that rest on insights from data are often what drive success. Further, newer automation technologies are largely AI-driven and therefore heavily dependent on data. As a result, data becomes an essential ingredient for growth.
Participants noted that the data collected by the industry today mostly reflects lagging indicators, which leads to a reactive rather than a proactive approach. For instance, in the U.S., both anti-money-laundering checks and transaction processing are done after the fact. A proactive approach would instead alert the client on payments in real time, making it possible to question transactions while they are still in flight.
Data collection has traditionally been an afterthought, which produces low-quality data and, in turn, poor metrics and insights. Improving data quality came up as another key priority for 2021 among the participating leaders.
User-centered design influences the outcome
An important requirement raised by risk professionals is that advanced capabilities be usable intuitively, off the shelf. With AI, an expert data scientist is often needed to train models before any insight can be drawn, and that requirement is a barrier to adoption.
Simplicity matters just as much. A participant cited a real-life example of a system that was implemented correctly but took a pessimistic approach: its checks were so onerous that users could not get their work done, and the system was eventually abandoned, taking the controls it enforced with it.
Standardization provides flexibility
Industry players and regulators often do not speak a common language. Standardizing common concepts within an industry reduces the effort that goes into interpretation, communication, systems integration and the related skill building.
A similar argument applies to tools and platforms. Rather than making everything in a GRC system customizable, a standardized and modular set of solutions is what actually delivers flexibility.
While this list is by no means exhaustive, it reflects the issues occupying the minds of GRC executives and the direction they want to take.
Is it feasible to meet the priorities given current challenges?
The short answer is yes.
Automation and data harvesting address the challenge of balancing budgets against ever-increasing compliance costs and of keeping up with a high volume of regulatory change. User-centered design and standardization, on the other hand, help build a culture conducive to effective compliance management, and thereby reduce the personal accountability risk that compliance officers carry.
Today's technology environment has two primary drivers for automation. The first is the growing adoption of hybrid cloud, which is helping organizations cut costs significantly while adding agility and avoiding vendor lock-in. The second is the deployment of AI for use cases ranging from biometric authentication and ML-based fraud detection to NLP for understanding documents and conversational assistants that help users accomplish a range of tasks.
Recent offerings built on these principles have made life much easier for GRC leaders. IBM Cloud for Financial Services is a cloud built specifically around security and compliance requirements. Released in November, IBM OpenPages with Watson for Cloud Pak for Data offers a rare combination: user-centered AI services embedded within a GRC system and available on any cloud environment. A recent study by Forrester Consulting indicates that IBM OpenPages delivers a 218% return on investment over three years.
This blog was originally published by the author at IBM Regtech Innovations
Disclaimer: Any views expressed in this article are personal views of the author.