
Collaborate to overcome data privacy obstacles

By Bob McCarter, Chief Technology Officer at NAVEX

Restricted budgets and an increasing number of compliance and data privacy laws and regulations create hurdles for business leaders to manage risks, particularly for third parties.

An organisation must handle several types of risk across multiple areas of the business in a quick, effective, and compliant way. In addition to environmental and external information security threats, organisations must be aware of employee-related risks as well as those that can impact the extended enterprise via third and fourth parties. According to the international industry body ISACA, over half of cyber professionals are not confident in their organisation's privacy team's ability to ensure data privacy and achieve compliance with new privacy laws and regulations. That is why cross-functional collaboration is critical.

With the expanding threat landscape, businesses need to develop a cybersecurity playbook that mitigates risk. It should include training, company-wide discussions, and awareness programmes. Governance, risk, and compliance (GRC) challenges are so hard to overcome partly because of a lack of business support, a lack of clarity on roles and responsibilities, and a lack of visibility. To better understand and present the company's risk posture to the board, digital transformation is imperative. NAVEX's 2023 State of Governance, Risk, and Compliance Management Report found that GRC programs described as "significantly" or "comprehensively" automated are more likely to be managed by a single department than GRC programs that have not undergone a digital transformation (45% versus 28%).

An effective programme forms the foundation for creating a culture and work environment that emphasise the importance of outstanding quality and business outcomes.

Avoiding silos

Efforts to improve quality processes, assess and manage risk and control activities, and comply with environmental, safety and other industry-specific regulations are challenged by organisational silos, a focus on proximal needs, and a reliance on point solutions. A siloed approach introduces considerable inefficiencies and, in the worst case, risk management gaps. 

NAVEX’s 2023 State of Risk and Compliance Report revealed that integrated risk management remains a work in progress as only about one-quarter of respondents (27%) said their organisation has a centralised integrated risk management program run by senior management. Another third (31%) said they have integrated some, but not all, of their capabilities. However, this percentage is expected to increase as more organisations adopt GRC information systems (GRC-IS) that bring the different functions of risk and compliance into a single platform.

As global regulations continue to evolve, many companies are rushing to ensure they are fully compliant. However, silos pose a great challenge for IT decision-makers, as some businesses are still managing hotlines, training, third parties and speak-up channels across different departments. More mature businesses are adopting a single view of GRC rather than a tick-box procedure.

What next?

A holistic approach to managing risk requires full visibility. Utilising GRC as a strategy can enable businesses to make informed decisions that fundamentally change the way they manage risk and compliance. However, GRC cannot be managed effectively in silos, as doing so is both impractical and ineffective. A siloed approach could be detrimental to the business – it increases the likelihood of a data breach, reputational damage, and loss of trust.

For the foreseeable future, there will be a surge in data privacy roles as well as opportunities for existing employees to upskill. Cybersecurity is an ongoing process, so sustainable measures need to be in place. The same NAVEX report highlighted that nearly one-third (30% in 2023 vs. 22% in 2022) of respondents said their organisation experienced a data privacy/cybersecurity breach in the past three years. Considering this real-world challenge compliance professionals are facing, cybersecurity (60%) and data privacy (57%) are two of the three most chosen topics respondents said their organisation will train on in the next two to three years.

Companies should plan ahead and consider investing in a Chief Compliance Officer or Chief Risk Officer. It would be one of their core responsibilities to implement effective risk management solutions and the necessary collaborative approach that is critical to success.

A strong ethics and compliance programme ought to be built on an organisation’s values, people, and principles. This would involve a robust security infrastructure that aligns with the organisation’s compliance posture. One way to achieve this and manage risk across the business is by deploying GRC-IS that gives companies a full view of:

• Front-line employees, who are the organisation's human security system.

• A reporting system that allows them to report issues as they occur.

• The back office via sanctions management, third-party management, and more.

The key to success is to nurture good habits such as open communication, collaboration, and agreed protocols across departments. This is particularly essential for managing data privacy and third-party risks, where several personas are involved – the CISO/CIO, the supply chain, and the legal/compliance teams. Each has its own priorities, and working in silos is ineffective. At the end of the day, the legal, IT, and security teams share many overlapping goals. By working together, the workload will be distributed and reduced.
