The year 2014 has come and nearly gone, and it’s clear that enterprise risk management will not go quietly into the night. Following a 2013 that saw Edward Snowden NSA leaks, a Carnival Cruise line generator fire, and Target’s credit card heist (to name only a signature few), this year has proven to be no slouch: FINRA has disciplined thousands of companies with over $34 million in fines, Home Depot and Sony fell victim to IT security threats, and GM issued one of the largest recalls in automaker history.
Risk has not shown a preference for any one industry nor any specific function, but there have been notable successes as well:
- – A third-party study of thousands of organizations found that not only is enterprise risk management effective in mitigating risk, but a mature program can directly contribute bottom line value to the organization.
- – The SEC has bumped ERM to the top of its priority list.
- – Organizations like COSO, the OCC, and PCI continue to adopt risk-based methodology in their design requirements.
With so much change, it begs the question: What does 2015 have in store for enterprise risk management and organizational governance?
Risk Assessments (there will be more, many more)
This one may not shock you, but 2015 will see a drastic increase in the number of risk assessments. Organizations are finding that to truly succeed in the identification of risk, you have to be conducting assessments where the majority of organizational risk resides – at the front lines. This includes managers from around the business that are customer facing, involved in product or service development, and who take part in key internal roles like HR and Business Continuity. The days of risk assessments at only the EVP level are numbered, and will be replaced by the challenge of connecting risks at the front lines to the goals and expectations of the C-suite.
Compliance: Operationalize or Bust
The “Compliance Closet” is out, and operationalized compliance is in. Compliance teams must now not only demonstrate that their policies and procedures are in line with regulatory expectation, but now also provide evidence that those procedures are being followed.
These new expectations are accompanied by rising stakes in all industries. Regulators have a more detailed understanding of the requirements of legislation like Dodd-Frank and HIPAA, and are starting to ramp up fines from violations. Compliance teams will have to adjust by collecting knowledge from subject matter experts across the organizations, and centralizing it in a way that can be aggregated and reported to senior management and examiners.
On Premise Solutions: The flip phone of the GRC Marketplace
At the beginning of 2014, less than 20% of GRC implementations were SaaS. In 2015, that number is expected to climb to 40%, over a 100% increase. Why? The simple answer is that on premise solutions are not flexible, too costly, and unable to compete with the innovation of SaaS solutions.
“GRC is a growth market that’s ripe for disruption, and many of the vendors that have entered this market by acquiring market leaders — including IBM, Nasdaq, and Thomson Reuters — are in danger of watching as more innovative, nimbler competitors pass them by… Don’t license any product that isn’t flexible enough to fill your changing needs unless your plan is to throw it out in three years. When in doubt, reduce the risk of a large capital investment with a SaaS or hosted subscription model.”
Forrester Research, Inc. “Predictions 2015: The Governance, Risk, And Compliance Market Is Ready For Disruption.”
Consolidated Platforms will deliver a Knock-Out Blow
Forrester’s 2014 Wave highlighted the benefits of consolidated platforms, in stark contrast to Gartner’s pending release of upwards of 6 separate Magic Quadrants for seemingly overlapping use cases like IT Risk Management, Operational Risk Management, and Vendor Risk Management. While we agree with Gartner that GRC is a complicated, and possibly antiquated term, creating silos for 3 separate types of risk management is akin to asking wide receivers to practice without the quarterbacks, and hoping it all comes together at game time.
To understand the systemic concerns and issues that are identified in the risk, governance, and compliance process, information has to be shared. Failures in risk management are almost never due to a lack of internal knowledge, but instead a lack of internal communications. 2015 will see silos torn down, not built back up.
source : ebizq.net