2015 Trends and Predictions for GRC

As regulations get tougher, and risks get more complex and
interconnected, the success - and very survival - of any business will
depend largely on how risk-aware, compliant, and well-governed they are.

Therefore, it becomes obvious why
governance, risk management, and
compliance has become so critical to the
health and viability of any business today.

The Big Picture


A power and transportation company pays
millions of dollars in fines to settle charges of
bribery. A leading financial services company
is penalized billions of dollars for engaging in
transactions with sanctioned countries. A top
automobile manufacturer recalls millions of
cars over faulty parts.
These were some of the stories that captured
our attention, and dominated news reports in
2014. They demonstrate just how big of an
impact risk can have when not properly
identified, understood, and managed.
The volume, velocity, and variety of risks are
only likely to increase in today's digital age,
where a single Tweet or an unsecured mobile
device is all it takes to damage the long-term
profitability and reputation of an
organization. Added to that, regulations
across industries are becoming increasingly
onerous and complex.

In 2014, many organizations embarked on a
journey towards creating a pervasive culture
of GRC across their organization and
extended ecosystem of third parties and
suppliers. In 2015, MetricStream predicts that
GRC will evolve to the next level, spanning
areas such as social media, mobility, and the
cloud - all integrated within the enterprise
risk management and compliance framework.
Risk managers will work towards establishing
a real-time, 360-degree view of organizational
risks. Sophisticated listening and big data
analytics tools will be used to help
decision-makers transform unstructured
enterprise data into valuable business
intelligence that can help predict risk
scenarios and guide decision-making.
Ultimately, the focus for every organization in
the year ahead will be on building a more
risk-aware, compliant, and well-governed
corporate culture and organization.
In this report, MetricStream takes a look at
the major GRC trends that shaped the year
2014, and makes predictions for the year
ahead.

2014 in Review: So, What Did We Learn?


Here are some of the key trends that shaped the year 2014:

GRC BEGINS WITH
GOOD GOVERNANCE
Governance - when
well-understood, carefully
planned, and thoughtfully
executed - can be one of the
most crucial drivers of growth.
It serves not just as a guide for
corporate strategy, but also as
a competitive differentiator in
an increasingly competitive
business environment. In 2014,
organizations were pushed to
the limits, and tested in new
ways. GRC starts with
governance, and the leaders of
tomorrow will continue to be
tested in demonstrating the art
and science of good
governance 24/7. The tone at
the top is critical. We
witnessed several headlines in
2014, where a complacent
corporate culture led to
disaster. It is the responsibility
of those at the top to set the
tone every single day through
their own words and actions, in
order to cultivate a truly
responsible and risk-aware
company.

YEAR 2014 WAS A TURNING
POINT FOR GRC
In 2014, organizations
embraced Pervasive GRC,
which is all about empowering
a modern and diverse
user-base across the
organization, embedding GRC
within the enterprise
architecture, and adapting GRC
to the changing context of how
business is done. This
approach requires technology
that is user-friendly, has
ubiquitous touch-points across
devices, is in-line with users'
behavioral constructs, and
provides an immersive
experience using gamification.

THE GRC VALUE
PROPOSITION IS CLEAR
GRC isn't new, but
implementing GRC in an
integrated manner, aligned
with business processes and
strategic objectives, is
something that many
organizations have struggled
with. In 2014, we witnessed
organizations build the internal
business case for GRC that can
justify the corresponding
investment. It requires not just
a measurement of the tangible
value of GRC in terms of time,
resources, and money saved,
but more importantly, an
articulation of how better risk
and compliance management
can lead to actual profits.
Increasingly, we are seeing
GRC being discussed and
leveraged to not only protect,
but also create value.

ORGANIZATIONS AROUND
THE WORLD ARE REALIZING
SUCCESS THROUGH GRC JOURNEY
More and more organizations
have expanded beyond
traditional GRC, into new areas
such as supplier governance,
ethics and compliance, privacy,
quality management, and
environment, health, and safety.
Designing and executing a
successful GRC Journey is more
than a technology deployment -
leaders now concur that it is
about helping accelerate
organizational readiness, and
improving business performance
by managing GRC as a program
that combines people, processes,
and technologies. Implementing
phased, multi-year GRC initiatives
takes thoughtful planning, and
requires participation from the
right set of sponsors.
Orchestrating success across a
wide range of stakeholders with
diverse approaches to
governance can be challenging -
but the rewards around a
360-degree view of risk, a
common risk language, and
analytics to support
decision-making are compelling
organizations to bring down their
silos, and get these essential
programs in place.

2015 Predictions: What Does the Future Hold?


MetricStream predicts the key GRC trends that
organizations are likely to face in the year ahead:

THE RISE OF GENERATION C


Businesses need to start
planning for the coming of age
of Gen C users - a generation of
highly social, savvy,
digitally-connected users who
thrive on content, curation, and
community. This generation
will be the customers and
employees of tomorrow - and
they have different behaviors
and interaction paradigms
compared to the customers
and employees of today.
Meanwhile, social media will
continue to be embedded into
day-to-day professional and
personal lives -- from corporate
applications that integrate
social media widgets, to BYOD,
and everything in-between. A
new team led by your Chief
Information Officer (CIO) and
Chief Digital Officer will be
tasked with staying ahead of
these changes and paradigm
shifts. Understanding all of the
associated risks - and
opportunities - will be
imperative.

THE LEADING DIGITAL
BUSINESSES OF TOMORROW
ARE BEING CREATED TODAY
The Internet of Things is about
connecting people, things,
devices, and information in new,
game changing ways. Add to that
disruptive e-payment methods
like Google Wallet and Apple Pay,
and layer on top of that the
coming of age of Generation C
users. The future of business is
digital, connected, mobile, and
social. What worked yesterday
may not necessarily work today
or tomorrow. Amidst this change,
a laser sharp focus on risk is
critical - understanding risk,
managing risk, mitigating risk,
and thriving on risk.

RISK AND OPPORTUNITY
ARE TWO SIDES OF
THE SAME COIN
If there's one thing we've
learned, it's that advancement
doesn't happen, organizations
don't grow, and people don't
flourish if they are afraid to
take risks. The organizations
and leaders who will continue
to lead us bravely into this new
mobile, social, and global
world will not be afraid of
changing the status quo. From
delivery drones, to mobile
wallets, to the Internet of
Things, and everything in
between, technology in 2015
will continue to push and
stretch the bounds of our
realities and our imaginations
in surprising ways.

THE MISSION CRITICAL
ROLE IS THAT OF THE
CHIEF RISK OFFICER (CRO)
Arguably, the CRO has the
most important job of anyone
in the organization. The CROs
of tomorrow must be agile,
analytical thinkers and leaders,
who are able to turn data into
insight, and coordinate risk
management activities across
business units and external
third parties, while also
partnering with management
to guide corporate strategy. It
is a big job, and in 2015, we will
see CROs really step up to the
plate.

THE RISE OF THE CHIEF
DATA OFFICER
Looking ahead to the year
2015, we will see the
emergence of a new critical
organizational role - the Chief
Data Officer. This person will
emerge from the
organization's Data Scientist
role, and will possess strong
left brain and right brain
competencies, will excel in the
areas of math and science, but
will also be extremely curious,
collaborative, and
communicative. Passionate
about data, these individuals
will help lead the
organizational charge, working
right alongside other key
business leaders such as the
Chief Data Officer, the Chief
Digital Officer, the Chief
Information Officer, and the
Chief Risk Officer to drive
better decision-making, and
enhance business
performance.

PAINTING A HOLISTIC
RISK PICTURE
In 2015, leading organizations
will leverage more
sophisticated models and
advanced analytics to better
understand the real-time risk
trends and relationships
between seemingly disparate
data points. Furthermore, data
spanning customer
complaints, litigation, control
test failures, and KRIs will be
brought together to paint a
truly holistic picture of
organizational risk. The aim
will be to collaborate through a
federated governance model
by bringing all key
stakeholders and data
together into a common risk
and control framework.

GRC TECHNOLOGY WILL
BE CHARACTERIZED BY
CONVERGENCE AND
ENTERPRISE-WIDE
ADOPTION
Decision-makers and key users
are discovering the benefits
and synergies that exist
between policy, risk, and
compliance management. In
2015, we will see more
organizations adopt a common
technology platform that can
harmoniously manage all three
areas together.

THE BIG DATA OPPORTUNITY


The unprecedented volume,
variety, veracity, and velocity of
structured and unstructured
information, also known as Big
Data, is any organization's
biggest opportunity.
Sophisticated Big Data
processing technologies now
have the capability to
aggregate and analyze social
media and location-enabled
sites, multimedia, documents,
emails, weblogs, surveillance
records, medical records,
threat and vulnerability
scanners, supplier data,
regulatory feeds, e-commerce
transactions, voice notes,
audio transcripts, stock trades,
transaction logs, geo-spatial
data, and more -- all in real or
near-real-time. As a result,
organizations will be able to
identify trends and spot
anomalies based on a
rules-based framework, in a
way that can help strengthen
their risk and regulatory
compliance efforts. For
example, social media content
can be used to provide key
customer insights, and
supplier data in aggregate can
provide key indicators around
supplier financials and
behaviors that support third
party vendor due-diligence.
The biggest challenge facing
any organization in the year
ahead will lie in their ability to
distill the signals from the
noise. New business rules will
also need to be created and
improved to eliminate the false
positives.

WE ARE MOVING TOWARDS
PREDICTIVE ANALYTICS
While those rare black swan
events may never be fully
detected and prevented, we
are getting closer to
understanding the underlying
themes and patterns that
contribute to high risk and
high impact events. In 2015,
emerging risks will receive
greater attention in the
governance process, along
with stress tests of
idiosyncratic risks linked to
macroeconomic indicators.
Organizations will need to look
at historical data and current
trends across key internal and
external emerging risks, and
then translate that into
forward-looking risk
governance processes.

So What's Next?
As we enter an era of greater risk and
stricter regulatory enforcements,
organizations are putting in place the
policies, procedures, controls, and
systems needed to create a pervasive
culture of GRC. Yet, many are
overwhelmed by the sheer enormity
and complexity of the task that lies
ahead. "How do we simplify GRC?" is
the question most often asked.
The key is to start small - implement a
phased GRC journey plan with
clearly-defined priorities for each
stage, starting with the foundational
elements such as establishing common
risk and control taxonomies. It's useful
to leverage technology -- there are
tools to automate and streamline risk
and compliance processes, as well as
to map data in such a way that users
immediately understand the
relationships and interactions between
various risks, regulations, controls,
strategic objectives, and other
elements.

Other tools help import and process
information from various sources such as social media, cloud security
assessment tools, and transaction
systems -- and then route that data for
reporting and visualization. All these
activities can be conducted on a
common technology platform for
optimal efficiency and visibility.
Going forward, GRC will continue to
evolve and become more critical to
organizations as they strive to succeed
in a highly risky and regulated
environment. Embedding GRC
strategies, processes, and controls will
no longer be just a regulatory
mandated requirement. As many
organizations have discovered, good
GRC simply makes good business
sense.

www.metricstream.com

info@metricstream.com

Copyright 2015, MetricStream, Inc. All rights reserved.
