Risk management has never been more critical to organizations. Change is happening faster than ever in our world. The kinds of risks facing organizations evolve daily: third-party, supply chain, regulatory, privacy, operational, cyber, financial, environmental, etc. And these problems don’t exist in isolation; they’re interrelated risks that demand holistic responses.
Consider how the pandemic – a health and safety risk – created a downstream impact that opened the door for related risks: IT risks associated with remote work, corruption related to supply chain issues, and workforce management issues. Managing these risks on their own will never offer the big-picture view that an organization needs to thrive.
With that in mind, I have rounded up the trends that will shape the future of GRC and how we can adapt to meet those challenges.
Earlier this year, for only the second time in the history of the Allianz Risk Barometer, the threat of ransomware attacks, major IT outages and data breaches ranked as the biggest concern for companies globally.
There’s one contributing factor to mounting cybersecurity risks that I don’t see going away any time soon: remote work. HP Wolf Security found many employees are connecting to unsecured networks and view security policies and technologies as a hindrance to their work. Some even make efforts to circumvent those measures. The security firm also found that 91% of IT teams felt pressure to compromise security for the sake of business continuity, and 83% of those teams saw remote work as a “ticking time bomb” for a network breach.
In addition to the number of data breaches making headlines, we have seen an increase in executive orders and initiatives related to cybersecurity over the last year. Those orders will directly impact businesses with government contracts, but their effects will likely extend to the companies that support those businesses. The increased attention to cybersecurity regulation at the federal level introduces a significant source of opportunity and risk for organizations.
Investments in cybersecurity are increasing, and if you need further proof of this trend, try to hire cybersecurity professionals right now. The demand far outstrips the supply of qualified risk managers and CISOs, and they’re commanding much higher salaries than just 18-24 months ago.
The conversation around ESG — environmental, social and governance — in risk management has grown in recent years and shows no signs of slowing down. From lowering emissions to pursuing diversity, equity and inclusion goals and cracking down on corruption, organizations must get serious about ESG or risk getting left behind.
The way companies manage and report their ESG efforts drives investment strategies and board meetings, consumer behavior and even employment decisions. Sustainable investments have reached $4 trillion, and firms like BlackRock require companies in their portfolio to lay out plans to reduce greenhouse gases and to issue ESG reporting regularly. At the same time, members of Gen Z are rapidly joining the workforce, and they’re far more likely than previous generations to choose to work for organizations that align with their values.
While various frameworks exist to help organizations start their ESG journey, no one framework is the standard for U.S. companies. Those frameworks offer guidance about which factors are most important to particular industries, but they don’t provide much insight into how to monitor and report on ESG on an ongoing basis. For that, organizations will need robust GRC software to integrate their existing initiatives, pull in data, provide assessments, and identify ESG-related risks. The work involved is no small feat, but with ESG in the limelight, organizations must show that the promises they make align with the actions they take.
Talent retention and loss
The Great Resignation hit every industry hard. Talent loss is a giant risk for organizations: There’s no way you can execute on strategic visions if you don’t have the right people in place. On top of that, replacing team members is costly and time-consuming, burdening departments already strained by dwindling employee numbers.
Some recent turnovers coincided with employees reevaluating their priorities and seeking a better work-life balance. One survey found roughly half of employees are considering a career change, and about 40% said it was because their employers did not care about their concerns during the pandemic.
Other risks come into play with an increased stream of onboarding and offboarding. When IT teams focus their resources on those processes, they have less time to spend on other priorities, like new projects and cybersecurity initiatives. Organizations that moved to remote work and have plans to return to the office will also face pushback from employees increasingly looking for flexible work options. As they respond to those employee expectations, they will also have to manage risks in their real estate holdings.
The competition for qualified security and risk management professionals in our industry is unlike anything seen before. Candidates can work anywhere and name their salary. I expect this trend to continue throughout 2022. In every field, it’s worth examining your current retention strategies, tracking the success of those programs, and identifying where you can make changes to respond to this moment.
Resiliency and agility
If the last two years taught us anything, it’s that you can’t avoid all risks. As organizations consider evaluating and planning for the most pressing risks, they must foster a culture of resiliency.
In risk management, agility is the ability to avoid a fall; resiliency is the ability of an organization to recover from that fall. The pandemic forced organizations to show resilience against all kinds of events, finding ways to get their companies back up and running despite obstacles.
Resilience is more than traditional business continuity because it requires integration with enterprise risk management. Resiliency belongs in risk management alongside agility because they work together, supporting a company’s ability to make risk a strategic advantage. Where resiliency is a tactical approach focused on recovery, agility is a strategic view of uncertainty that helps organizations plan for the future.
What does a culture of resilience look like? GRC expert and pundit Michael Rasmussen compares resilient organizations to the systems of the human body, where all departments work together, independently and simultaneously. A strong culture of resiliency depends on the ability to see across departments, breaking down silos and embracing a holistic approach to risk, rather than looking at one system in isolation. Organizations that seek a culture of resilience need the support of robust processes and automation on a level that can’t be achieved in silos or on spreadsheets. They need GRC software that connects every part of their business and enables a big-picture view of what’s at stake.
The risk surface has expanded rapidly in the last few years. Organizations are breaking down silos and trying to understand business processes holistically. They’re learning that there’s a risk in not doing risk management well. With a holistic approach, a focus on resiliency and agility, and robust GRC software, organizations can face the risk trends that will continue to shape GRC and make risk a strategic advantage.