iGRC and the Three Lines of Defense
In an earlier blog I appropriated the “i” from IDC’s The Rise of Intelligent ERP, and in a different blog I made the case for what I called iGRC, pointing out the failure of GRC professionals and standard setters to adapt to the digital revolution.
What is iGRC, you may ask, and what does it have to do with the Three Lines of Defense framework?
It’s a fair question. Much has been written about the Three Lines of Defense. It is widely acknowledged, but in my experience it’s misunderstood and loosely adopted at best.
To me, the fundamental outcome of a successful Three Lines of Defense implementation is a continuous and self-correcting system to manage risks across the enterprise. Each line works independently but collaboratively to identify and assess risks and self-correct gaps. Without technology, it’s largely a manual process.
The technology required to digitize the Three Lines of Defense is what I referred to as intelligent or “i”GRC. The information needed to manage the Three Lines of Defense as a self-correcting system should be created by iGRC.
iGRC: Self-Detecting Solutions for a Self-Correcting System
iGRC technology should self-identify and self-manage risks, controls, compliance failures, loss events, issues and other anomalies or patterns indicating non-conformance to defined standards.
Like iERP as envisioned in the IDC article, iGRC will be distinguished by:
- On-demand, not manual, periodic GRC practices
- The adoption of machine learning and advanced analytics consuming data from a carefully designed and constructed data set
- iGRC professionals with high levels of digital knowledge and expertise and indifference towards today’s practices
- An orientation to the future, not the past, and a drive to contribute to business performance
I was inspired in writing this blog by an article from McKinsey & Company titled “The neglected art of risk detection.” Their premise is that risk detection can be automated. They are correct—I believe almost all aspects of GRC management can be digitized. The technology required is available today.
Embedding iGRC in the Business
Today’s GRC practices won’t survive the digitization of the business. Digitization does not mean automating today’s professional practices.
Most of what the business needs to know to manage the Three Lines of Defense is already captured in digital form and can be detected and managed with tools that are rapidly emerging. Professional practices that impose structured manual methodologies aren’t necessary. For example:
- Technology exists today to detect unusual and unwanted anomalies and patterns. Credit card companies use technology to detect and block fraudulent transactions.
- Predictive tools exist to extrapolate and refine detection. Algorithms that detect anomalies can be tested and improved automatically.
- Continuous monitoring and alerts are available today. Rule sets can be created to identify issues.
- In-memory real-time processing is here now. Massive amounts of data can be accessed and processed almost instantly.
- Machine learning to support self-correction is also here now. Incidents can be detected and associated with risks. Controls can be adjusted.
- Collaborative tools to collect and share knowledge and collective wisdom exist. Risk surveys can penetrate the first line of defense and detect new or emerging risks.
- Analytical tools to aggregate, report, and visualize are available. A single source of truth is a good start. Now everyone can see everything in visual form at the same time.
Few of these technologies are in use by GRC practitioners today. Few if any professional standards or frameworks recognize their existence, let alone require their adoption.
Ending the Inertia
Most practitioners I have spoken with see themselves standing outside the business looking in, with risk identification, control, compliance, and audit practices dictated by the standard setters and regulators.
Some think digitization will drive demand for more audits, more risk assessments, more controls, and more testing.
I suspect, instead, that iGRC technologies will eventually be deeply immersed within the business, creating self-detecting, self-healing capabilities to drive the Three Lines of Defense.
Testing the Vision
My colleagues and I have been trying to develop the value proposition for using our technology to perform today’s GRC practices at the speed of light. There is none.
Please Share Your Thoughts
Is there such a thing as iGRC?
Will today’s standards and practices survive digitization?
Have you implemented the Three Lines of Defense in your organization?
What digital technologies are you using today in your GRC practice?
- Read the other GRC Tuesday blogs for more information on all things GRC.
- Watch our short video on GRC in the Digital Boardroom
- Understand how our SAP Solutions for GRC and Security support the Three Lines of Defense
- Please visit us at GRC Insider in Las Vegas February 12-17 and meet the SAP GRC solutions team. Register before December 15 for early bird discounts.