GRC Tuesdays – What Will GRC Look Like in 2021? An Anticipation Scenario
Wake up in the morning to the sound of crashing waves and with a progressively lightening-up room. Smell the freshly-ground coffee pouring into your cup via your programmable coffee machine. Scan your empty bottle of milk on your fridge to automatically add it to your online shopping cart to be delivered in the afternoon. Swipe your finger to read the most up-to-date news before jumping into your auto-driven car for your first meeting of the day—with virtual attendance of course. Remember when all of this was pure science fiction? Well, except for the auto-driven car that is currently being tested, all the rest has been here for a few years now!
In a similar fashion, I wanted to imagine what artificial intelligence (AI) technology could bring to governance, risk and compliance (GRC) in the next five years.
Some of the technologies I’ll be mentioning have already been applied for quite some time now or are being used in different contexts, so I don’t really think of it as science fiction; rather, it is with anticipation that I ask, “So, what will GRC be in 2021?”
Machine Learning System (MLS) for Regulatory Management
Regulatory management is still one of the most manual GRC tasks. To me, this is where AI holds the most promising applications for GRC since it would enable near full automation of the process.
What if, using a machine learning system, an artificial intelligence could review the regulation draft when it’s published by the regulatory body, analyse its content, assess the impact on the organization, and then automatically propose enhancements to the internal control framework within minutes?
Not only does this mean that the regulatory intake process would be drastically faster, but also that specialists would be able to focus on more value-added activities. And it would help reduce consulting fees for many companies!
Predictive Analytics (PA) for Risk Assessment
A risk occurs when a combination of factors triggers it but, unfortunately, risk assessment is still most often a process that relies on historical data (recorded incidents) to drive a manual evaluation of the situation.
What if, using internal and external historical data and applying simulations to predict future situations, you could receive more than an individual early warning for each risk event? What if, instead, you could have a complete risk profile of a changing situation?
For example, let’s assume you source most of a key component from a single supplier. Your supplier risk is already high. But, using historical, current, and predicted data, PA could make you aware that this has been a dry summer for your supplier’s location—more than usual—so the soil is very dry, and that precipitation is usually abundant during early autumn. This year, it is predicted to be even more abundant. As a result, the risk of your supplier’s production chain being in an inundated area increases day by day.
With this data in your hands, why not start a preventative measure and create emergency stocks during the summer and, in parallel, search for a secondary supplier should your first one not be able to supply you for a period of time?
Natural Language Processing (NLP) for Auditing
Auditors usually pull deficient controls and a sample of passed controls to review them and ensure the control was applied as designed.
But sometimes this means that they can miss controls that hint at a negative trend—the control has passed but there could still be a small issue. The control owner may have decided not to raise a remediation plan for this but would have mentioned it in the comments. Well, if auditors used NLP, they could run semantic intelligence analysis and discover these issues. They would then not only focus on controls that have failed (as these are now too late to improve) but they could focus on all controls where something is starting to go wrong but hasn’t yet. Wouldn’t that be more appropriate and useful?
Applying the Innovations of Today to GRC in the Future
As you can see, most of the technology mentioned above is already on the market, but most of it hasn’t been applied to GRC.
The reason, I believe, is quite simple—GRC is not considered a business enhancing activity, contrary to sales or marketing for instance. As a result, PA has mostly been used in sales forecasting, NLP in social media management, and MLS helps us all type our emails faster on our mobile devices! But it doesn’t have to stay that way—and I don’t think it should.
What about you? What do you think we’ll see for GRC in 2021?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard!