Managing risk and compliance is a challenge for any large business, and rapid technological change has raised the stakes even higher. Businesses are collecting and processing more data than ever, from more sources, and they’re sharing it more widely than ever with partners, customers, and suppliers. With all this data moving around, internally, externally, and in the cloud, it’s clear that Governance, Risk, and Compliance (GRC, to use its official name) is at an inflection point. Today’s enterprises must reevaluate their traditional GRC practices in order to keep pace with the risks.
There are many ways to mitigate the new challenges, however — and ironically, some of these new technology trends, like machine learning, can be leveraged to improve GRC. Here are five technology shifts contributing to the changing landscape, and some best practices for dealing with each.
1) The interconnected business
We’re seeing a greater emphasis these days on third-party risk management, and with good reason. Thanks in large part to the use of cloud, today’s enterprises are more interconnected and use more cloud providers than ever before. These connections, however, bring risks that need to be measured, monitored, and managed, and many of the high-profile breaches in the news recently occurred via exactly these third-party relationships.
Here’s one example: the massive Target breach of 2013 was traced back to network credentials stolen from a third-party vendor, reportedly a heating and A/C services provider. The bottom line is that your security is only as good as your weakest link. This means enterprises must pay attention not just to their own security and compliance, but also to that of their partners and suppliers. Strengthening your GRC strategy means giving third-party risk management programs priority both within the organization and at the board level.
2) More data, potentially more problems
Earlier this year, The Economist defined data as “the world’s most valuable resource,” surpassing oil. Companies are generating, processing, and sharing more data than ever, creating unprecedented challenges for GRC officers. In addition, the fact that data is often consumed and processed in real time has introduced new risks.
Here’s one example: a large bank analyzing ATM and credit card transactions in real time to identify fraud. Or think of the scale of the business intelligence (BI) initiatives that enterprises are building, and the associated requirement to secure these vast quantities of data while complying with regulations around privacy, auditing, and retention. Moving forward, risk and compliance frameworks must be flexible and, more importantly, scalable enough to evolve alongside the big data explosion.
3) AI to the rescue?
If big data is the challenge, artificial intelligence (AI) may be part of the solution. AI, and particularly the subset of AI known as machine learning, allows enterprises to analyze data at scale and spot patterns and anomalies that could indicate signs of trouble. With big data, enterprises can’t depend on traditional tools and manual processes to ensure security and compliance. Nor can they rely on traditional auditing techniques such as sampling or after-the-fact audits that only examine events long after they happened.
Machine learning and data visualization can help automatically organize and monitor these data sets and flag signs of data leakage, policy violations, or other high-risk activity as it occurs. This is essentially continuous auditing: every event is scored against a baseline and a policy, rather than a sample being reviewed once a quarter. In this way, GRC professionals can get ahead of risks, help ensure compliance with regulations, and provide the assurance that executives and Boards require.
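To make the idea of continuous auditing concrete, here is a small added example (not code from the original article or from any vendor it mentions). It scores data-access events against a per-user volume baseline using a median/MAD modified z-score, a simple robust statistic standing in for a full machine-learning model, and checks each event against a role-based access policy and a business-hours rule. The log lines, the role/data-class policy table, the hour range, and the 3.5 cutoff are all constructed assumptions for illustration.

```python
"""Continuous-auditing sketch: score data-access events against a per-user
baseline and a small access policy, flagging outliers and policy violations.
The log lines and the policy table below are constructed for this example."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: timestamp, user, role, action, data_class, record_count
SAMPLE_LOG = """\
2017-09-04T09:12:00,alice,analyst,query,internal,120
2017-09-04T10:03:00,alice,analyst,query,internal,95
2017-09-04T11:40:00,alice,analyst,query,internal,130
2017-09-04T14:15:00,alice,analyst,query,internal,110
2017-09-05T02:47:00,alice,analyst,export,internal,48000
2017-09-04T09:30:00,bob,contractor,query,internal,40
2017-09-04T10:10:00,bob,contractor,query,restricted,35
2017-09-04T13:05:00,bob,contractor,query,internal,38
2017-09-04T16:20:00,bob,contractor,query,internal,42
"""

# Hypothetical policy: which roles may touch which data classifications.
POLICY = {
    "analyst": {"public", "internal", "confidential"},
    "contractor": {"public", "internal"},
}
BUSINESS_HOURS = range(7, 20)   # assumed 07:00-19:59 local time
ROBUST_Z_THRESHOLD = 3.5        # common cutoff for the modified z-score


def parse_log(text):
    """Turn the CSV-style lines into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        ts, user, role, action, data_class, count = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action,
                       "data_class": data_class, "count": int(count)})
    return events


def modified_z(value, values):
    """Modified z-score (0.6745 * (x - median) / MAD). Median and MAD are
    robust, so one huge export does not inflate its own baseline the way a
    mean/standard-deviation score would."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        return 0.0
    return 0.6745 * (value - med) / mad


def audit(events):
    """Return (finding_type, user, detail) tuples for every event that breaks
    policy, exports outside business hours, or is a volume outlier for that
    user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["count"])

    findings = []
    for e in events:
        if e["data_class"] not in POLICY.get(e["role"], set()):
            findings.append(("policy_violation", e["user"], e["data_class"]))
        if e["action"] == "export" and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_export", e["user"], e["ts"].isoformat()))
        z = modified_z(e["count"], by_user[e["user"]])
        if abs(z) > ROBUST_Z_THRESHOLD:
            findings.append(("volume_anomaly", e["user"], e["count"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is, the script flags three things: Alice's 48,000-record export is a volume outlier against her own baseline of roughly 100 records per query, that same export happened at 02:47, and Bob, a contractor, touched a restricted data set his role is not cleared for. In a real deployment the baseline would be computed over a trailing window rather than the same batch being scored, and findings would feed a case-management or SIEM system rather than stdout, but the shape of the check is the same.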
4) IoT and the sensitivity of personal data
With the growing proliferation of consumer devices such as “smart” security cameras, thermostats, and other appliances coming online, companies are gathering new types of data that often include very personal information. The question of who owns this data is sometimes a controversial one, as multiple vendors often have a hand in the supply chain. What’s more, the sensitive nature of this data means agencies like the Federal Trade Commission (FTC), from a consumer privacy perspective, are closely watching how businesses secure and/or monetize it.
The number of stories in the news about privacy-related settlements between businesses and regulators is growing, as is the size of the penalties, almost rivaling the breach stories themselves. GRC officers need to be highly aware of this data when it comes to risk and compliance, particularly as new rules emerge, such as the proposed IoT Cybersecurity Improvement Act of 2017 in the U.S. and the General Data Protection Regulation (GDPR) in the EU.
5) GDPR on the horizon
The General Data Protection Regulation (GDPR) will enact strict data-privacy rules for everyone in the EU, not only citizens, when it takes effect in May 2018. Every enterprise, regardless of location, will be affected by the GDPR if it has customers based in the EU, or even if its customers’ customers are in the EU. Simply put, the globalization of business means enterprises must pay attention to data protection regulations in multiple jurisdictions, not just their own.
Ninety-two percent of U.S. companies have indicated GDPR is their top data protection priority for 2017. GDPR sets a precedent in that it promulgates a formula for penalties that businesses have not seen before: fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher. It also places new responsibilities on a business that uses third parties to process data subject to GDPR: a processor that hands work to a “sub-processor” remains fully liable to the controller for that sub-processor’s performance. This makes effective third-party risk management even more critical.
GDPR requirements hinge on the regulation’s definition of personal data, so effectively managing compliance means businesses must know when they collect that data, what they do with it, where it resides, how and where it gets shared, how they protect it, and so on. It is safe to say that an organization won’t manage GDPR risks if it can’t manage its data.
The Bottom Line
Advances in technology are creating new ways for businesses to delight customers and grow their bottom line, but they also create significant new challenges for risk and compliance. GRC officers need to stay abreast of these trends to successfully protect their organization. That means attending conferences, networking with peers, and paying close attention to what’s happening within their own businesses.
Just like security, investing in strong GRC practices is not a luxury; it’s a necessity that can pay dividends in the future.