What Will GRC Look Like In 2021? An Anticipation Scenario

Thomas Frenehard

Wake up in the morning to the sound of crashing waves in a progressively brightening room. Smell the freshly ground coffee pouring into your cup via your programmable coffee machine. Scan the empty bottle of milk on your fridge and automatically add it to the online shopping cart to be delivered in the afternoon. Swipe your finger to read the most up-to-date news before jumping into your self-driving car for your first meeting of the day—with virtual attendance, of course.

Remember when all of this was pure science fiction? Well, except for the self-driving car, which is currently being tested, all the rest has been here for a few years now!

Similarly, I wanted to imagine what artificial intelligence (AI) technology could bring to governance, risk, and compliance (GRC) in the next five years.

Some of the technologies I’ll be mentioning have already been applied for quite some time now, or are being used in different contexts, so it is not really with science fiction in mind, but rather with anticipation, that I ask: “What will GRC be in 2021?”

Machine learning system (MLS) for regulatory management

Regulatory management is still one of the most manual GRC tasks. To my mind, this is where AI holds the most promising applications for GRC since it would enable near full automation of the process.

What if, using a machine learning system, an artificial intelligence could review the regulation draft when it’s published by the regulatory body, analyse its content, assess the impact on the organization, and then automatically propose enhancements to the internal control framework within minutes?

Not only would this make the regulatory intake process drastically faster, but specialists would be able to focus on more value-added activities. And it would help reduce consulting fees for many companies!

Predictive analytics (PA) for risk assessment

A risk materializes when a combination of factors triggers it, but unfortunately, risk assessment is still most often based on historical data (recorded incidents) feeding a manual evaluation of the situation.

What if, using internal and external historical data and applying simulations to predict future situations, you could receive more than an individual early warning for each risk event? What if instead you could have a complete risk profile of a changing situation?

For example, let’s assume you source most of a key component from a single supplier. Your supplier risk is already high. But using historical, current, and predicted data, PA could make you aware that this has been a dry summer for your supplier’s location—drier than usual—so the soil is very dry, and precipitation is usually abundant during early autumn. This year, it is predicted to be even more abundant. As a result, the risk of your supplier’s production site being flooded increases day by day.

With this data in your hands, why not start a preventative measure and build up emergency stocks during the summer and, in parallel, search for a secondary supplier should your primary one be unable to deliver for a period of time?

Natural language processing (NLP) for auditing

Auditors usually pull the deficient controls and a sample of the passed controls to review them and ensure each control was applied as designed.

But sometimes this means that they can miss controls that hint at a negative trend—the control has passed, but there could still be a small issue. The control owner may have decided not to raise a remediation plan for it but would have mentioned it in the comments. Well, if auditors used NLP, they could run semantic analysis over those comments and discover these issues. They would then not only focus on controls that have failed (as these are now too late to improve) but could focus on all controls where something is starting to go wrong but hasn’t yet. Wouldn’t that be more appropriate and useful?
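To make the idea concrete, here is an added example (not code from the original post or from any SAP product) that triages passed controls by the warning language in their owners' comments and marks controls whose score climbs from one test period to the next. The control records and the warning lexicon are constructed assumptions; a real deployment would replace the stem list with a trained text model.

```python
import re
from collections import defaultdict

# Constructed sample of control test records: (control_id, period, result, owner comment).
CONTROL_TESTS = [
    ("AC-01", "2020Q1", "pass", "Access reviews completed on schedule, no exceptions."),
    ("AC-01", "2020Q2", "pass", "Completed; two reviewers late but approved within the period."),
    ("AC-01", "2020Q3", "pass", "Completed. Backlog growing, approvals delayed again, workaround applied."),
    ("CM-04", "2020Q1", "pass", "Change tickets all approved before deployment."),
    ("CM-04", "2020Q2", "pass", "All changes approved."),
    ("CM-04", "2020Q3", "pass", "All changes approved, no issues noted."),
    ("BK-02", "2020Q3", "fail", "Restore test failed, remediation plan raised."),
]

# Assumed lexicon: word stems that hint at a control under strain even when it passed.
WARNING_STEMS = ("late", "delay", "backlog", "workaround", "manual", "exception", "pending", "again", "overdue")
NEGATORS = {"no", "without", "zero"}  # "no exceptions" should not count as a warning


def warning_score(comment: str) -> int:
    """Count warning stems in an owner's comment, ignoring ones negated by the preceding word."""
    tokens = re.findall(r"[a-z']+", comment.lower())
    score = 0
    for i, tok in enumerate(tokens):
        if tok.startswith(WARNING_STEMS) and (i == 0 or tokens[i - 1] not in NEGATORS):
            score += 1
    return score


def flag_passed_controls(tests, min_score: int = 1) -> dict:
    """Return controls that passed in their latest period but whose comments carry warning
    language; 'rising' marks a score that climbs monotonically across periods."""
    by_control = defaultdict(list)
    for cid, period, result, comment in tests:
        by_control[cid].append((period, result, comment))
    flagged = {}
    for cid, rows in by_control.items():
        rows.sort()  # periods formatted as YYYYQn sort chronologically as strings
        if rows[-1][1] != "pass":
            continue  # failed controls are already on the auditor's list
        scores = [warning_score(c) for _, r, c in rows if r == "pass"]
        if scores[-1] < min_score:
            continue
        rising = len(scores) > 1 and scores[-1] > scores[0] and scores == sorted(scores)
        flagged[cid] = {"scores": scores, "rising": rising}
    return flagged


if __name__ == "__main__":
    print(flag_passed_controls(CONTROL_TESTS))  # AC-01 flagged with scores [0, 1, 4], rising
```

On the sample data only AC-01 is surfaced: every test passed, but the owner's comments drift from "no exceptions" to backlogs and workarounds, which is exactly the control an auditor sampling only failures would never open.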

Applying the innovations of today to GRC in the future

As you can see, most of the technology mentioned above is in the market already, but most hasn’t been applied to GRC.

The reason, I believe, is quite simple—GRC is not considered a business-enhancing activity, contrary to sales or marketing, for instance. As a result, PA has mostly been used in sales forecasting, NLP in social media management, and MLS helps us all type our emails faster on our mobile devices! But it doesn’t have to stay that way—and I don’t think it should.

What about you? What do you think we’ll see for GRC in 2021?

I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard!


About Thomas Frenehard

Thomas Frénéhard is a director in the Governance, Risk, and Compliance Solution Management team at SAP. His particular responsibility is with SAP Risk Management. Thomas's other functional areas of focus are in internal control and compliance management and audit management. In this role and in constant interactions with SAP’s network of partners, clients, and internal stakeholders, Thomas is responsible for bringing together technology, skills, and products to deliver an always-compelling solution for enterprise risk management.