ERM Trends in 2024: Accountability, AI and acceleration
An action-packed 2024 looms for governance, risk and compliance professionals — full of more data, more regulations, more geopolitical uncertainty and of course, more artificial intelligence (AI).
GRC analysts and thought leaders Renee Murphy and Michael Rasmussen have much to say about the changes currently unfolding, and how GRC professionals can prepare for the year ahead.
In a recent webinar, the pair explored strategies for fortifying an organization’s enterprise risk management (ERM) systems, as well as tips for leveraging technology to boost efficiency.
Below are some highlights from their discussion.
Should GRC professionals view artificial intelligence (AI) as uncharted territory?
Murphy says no. “There should be no reason you think of this as the Wild West, in my mind. There are tons of regulations out there.”
Rasmussen disagreed, invoking the classic Western “The Good, the Bad and the Ugly.” The good is AI that is leveraged properly, governed effectively and used in a way that lets overextended subject matter experts get more done.
The bad is when there’s governance in place, but the organization “gets lazy,” in Rasmussen’s words — for example, relying on the tool to make decisions for the organization, not simply =collecting and analyzing data.
As for the ugly? “It’s not governed properly in the organization, and anything goes.” An example: leveraging models and data for purposes they were never designed for, or for which there is no assurance. Rasmussen called this “a critical exposure.”
How can compliance and risk teams use AI in 2024?
Rasmussen said he sees several potential use cases for AI, starting with regulatory change management.
“If you print off the United Kingdom’s FCA rule book, it’s a stack of paper six feet tall,” he said. “If you print off the US Code of Federal Regulations and stack it end to end, it’s longer than a marathon. It’s like 28 miles.” And a machine will be able to plow through both infinitely faster than a human.
There’s accuracy to consider as well, since machines’ minds don’t wander when slogging through a dense document. Rasmussen cited a life sciences firm that saw a 30% increase in accuracy when it brought natural language processing into its regulatory change management.
Rasmussen is also starting to see organizations use generative AI tools to fill out voluminous vendor questionnaires and SOC 2 reports. But a person must review those machine-generated answers.
And, Murphy added, you have to teach the model yourself. You can’t rely on a model of “taught by the internet with who knows what data in it,” she said. Adding to the risk: “If I really don’t know the beginnings of my data source, I have no audit trail.”
Modeling is a classic application of AI, and repurposing risk models offers great potential as new regulations grounded in existing frameworks roll out. Organizations shouldn’t just “take a model built for one purpose and all of a sudden leverage it for something else without proper validation,” Rasmussen cautioned. But “there’s no point in reinventing the wheel,” said Murphy.
Rising cyber accountability brings great responsibility
In terms of cybersecurity, Rasmussen noted “a great focus on accountability” from regulators in the UK, Ireland, Hong Kong, Australia, South Africa and Singapore. And top tech executives are being held personally accountable, from the SEC’s investigation of SolarWind’s CISO for fraudulent security statements to TSB Bank’s CIO, who, after a third-party risk failure in the bank’s IT department, was fined 80,000 pounds “that he had to pay out of his own bank account.”
“I’ve worked with enough CISOs in my former position at Forrester to know that you are not always the one in charge,” said Murphy. “If I have that level of accountability as a CISO, then I want that level of responsibility, too. And if there’s a disconnect there, that’s not fair to the CISO.”
So, what should CIOs and CISOs do in this unfair world?
“You’re going to get breached. And it’s not the breach itself, but it’s how you handle it that matters,” Murphy said. “And that’s why we tell you that GRC IT matters.”
Rasmussen illustrated the need for robust tracking and audit trails. In a world where people can easily manufacture evidence of security controls and assessments, documents, spreadsheets and emails, “the regulators, opposing counsel, and external auditors are wising up.” he said.
“What was assessed on what date and time? Who assessed it? If somebody came back two weeks later and changed something, who changed it? When did they change it? What time did they change it? You need technology that gives you a good system of record.”
Leveraging technology for velocity
The conversation then turned to ERM and GRC solutions.
Murphy described a common pain point for GRC and ERM teams in today’s data-deluged world: “‘I have good processes. I have regular meetings. What I don’t have is velocity.’ And you can’t get there without software.”
Rasmussen illustrated the potential benefits — and urgency. For the GRC team of a midsize bank, he said, “80% of their staff’s time was actually spent managing document spreadsheets and emails, and not managing risk.” Another organization takes 200 hours to build its annual risk report across spreadsheets, emails and siloed databases. By the time they present it to the board, the data is 11 months old.
“That’s not managing risk; that’s reacting to risk,” he said. “Organizations need technology to make them more efficient. That’s time saved, money saved, and more efficiency — and that itself is a risk reduction.”
And efficiency is just the beginning of the journey. The future of compliance is a multifaceted one, with continuous monitoring, performance management, data mining and beyond, according to Murphy.
“You are going to continue to mature your GRC programs because you have to,” she declared. “There’s no way around it. It’s getting more complicated. You’re expected to do more, and you’re supposed to have more evidence to prove that you’re continually improving these processes.”
Can your GRC team see everything on the horizon?
The talk concluded with a wide-ranging overview of today’s risk landscape: changing economic trends, costly ethical missteps, capitalism in China, geopolitical shifts and “gray swan” events we should have seen all along.
Rasmussen quoted physicist Fritjof Capra: “The more we study the major problems of our time, the more we come to realize that they’re interconnected and interdependent.”
And you can’t navigate such a global landscape with “nine different GRC platforms, and different functions and themes across 12 different groups and silos of risk that don’t talk to each other,” he declared. “You need to have visibility.”