The expectations placed on governance, risk, and compliance (GRC) activities such as internal audit, risk management, and compliance, by both internal and external stakeholders, have never been greater. ‘Backward-looking’ audit reports and ‘paper-driven’ risk assessments and compliance programmes are not always helpful or effective in identifying what is on the horizon.
As the risk profile of businesses evolves to keep pace with various forms of disruption and radical technological change (artificial intelligence is already here), so too will the assurance needs and GRC expectations of both the Board and management change. Although much of the work of internal GRC activities will continue to center on assessing and providing assurance on financial, operational, IT, and compliance risks and on the internal controls, processes, and programmes in place to mitigate these risks, these activities will also be expected to help the business anticipate and react quickly to emerging issues.
Big data, technology, and digital innovation will have a fundamental impact on shaping, enabling, and disrupting an organisation’s operations and strategy. Businesses should therefore take a close look at how they can position and leverage their GRC activities to help them identify, anticipate, and react quickly and effectively to the risks arising from these developments. This will require their GRC activities to become more agile, learn new skills, and adopt innovative tools to enhance their capabilities.
The business environment is increasingly fast-paced. Static, backward-looking, and paper-driven risk assessments, audits, and compliance programmes that fail to consider the future (as well as the present) quickly date, and therefore offer less value.
GRC activities should therefore be accepted by management and the Board as ‘strategic risk partners’ to the business, operating alongside and at the speed of the business, and not just as standalone oversight and assurance functions.