GRC Solution: Now More Than Ever After Brexit

Author’s note:  Whatever your political views on the United Kingdom’s recent “Brexit” from the European Union, I am writing this article to share some of my thinking on the need for a Governance, Risk and Compliance (GRC) solution in the aftermath of this decision. It’s just my opinion, but it has been formed after extensive discussions about the implications of the decision.

Thursday 23^rd June was a most momentous day in Great Britain; the UK voted to leave the EU!

It was widely believe, before the Brexit vote, that leaving the EU was highly unlikely. Thus, when the Brexit referendum results were announced, the decision to leave the European Union was so unexpected that £120 billion was wiped off from FTSE 100 and value of the pound fell to its lowest since 1985. The Brexit decision has had global impact, creating a ripple effect across European Union referendums and the US presidential elections.

Brexit will have a long lasting and dramatic impact on international financial markets, investment, prices and jobs. Industries, both within the UK and globally, will feel the repercussions of this decision. As a result of these upheavals, it is likely that a post-Brexit global landscape will forcefully push organizations to fix their broken processes and siloed business approaches, while minimizing unnecessary interfaces and addressing the lack of linkage between corporate objectives and informed decisions.

Good Governance Desperately Needed
Now, more than ever, board and senior management will be desperate for ‘line of sight’ across all business functions, and better aligned resources that contribute to the delivery of desired outcomes.

Failure of good governance, a rising tide of cyber threats on the global risk landscape in both frequency and scale, a deluge of regulations, including the EU’s General Data Protection Regulation, to be complied with and the enormous headcount for the ‘eight eyes’¹ control system, are keeping boards and senior management awake at night.

In our post-Brexit world, now is the best time for organizations around the world to act in aligning their three lines of defense by using automated governance, risk and compliance (GRC) solutions.

The current situation provides a compelling business case for formulating and investing in an automated GRC solution. I am convinced that organizations will benefit by integrating technology into their GRC activities.

Six Automated GRC Solutions
An automated GRC solution will provide an integrated and holistic approach to organization-wide governance, risk, and compliance efforts to ensure that the organization acts ethically and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness. More precisely, automated GRC solution will help organizations to:

1. Manage third-party risk and compliance issues.
2. Manage regulatory content and change management in dealing with regulatory proliferation.
3. Develop risk analytics to support integration of risk management and performance management.
4. Perform business performance audits as a key internal audit feature.
5. Decide which business processes/assets are critical to their operations in term of confidentiality, integrity, availability ratings so they can prioritize and focus on critical applications.
6. Create a risk culture by articulating the organization’s risk appetite.

In my view, the lessons generated from Brexit will give management the opportunity and ability to constructively challenge and help boards to develop robust GRC plans. The board needs a fine sense of risk appetite against which to judge investment decisions, allowing ‘line of sight’ for key objectives, from top to bottom, before making any decisions.

It is clear that, in the wake of Brexit, we will experience some choppy waters. As far as the political landscape is concerned, it is now a monumental challenge for those in power to figure out how this new world is going to actually work. As professionals working in governance, risk and compliance, we need to be ready for the economic surprises popping up around us.

¹ Most organizations still have manual control testing, requiring nonessential headcounts due to the frequency of the control reviews in managing operational and compliance risk, so it is difficult to determine how effective these reviews are as failures can still occur.

Rehan Haque, CISA, CISM, CRISC, Academic Relations & Research Director, ISACA London Chapter Board

[ISACA Now Blog]