Even companies with the best governance, risk, and compliance (GRC) strategies couldn’t have planned for every circumstance that arose from the COVID-19 pandemic. However, those companies with well-integrated GRC capabilities have fared far better.
A survey of 828 participants conducted by the Open Compliance and Ethics Group (OCEG) gathered some key findings about companies’ crisis planning before, during, and after the pandemic’s arrival.
Integrated groups, rather than siloed teams and departments, were more prepared for the crisis. The data clearly suggests that organizations with integrated GRC processes benefitted from more effective communication, an ability to pivot quickly to address changes and shifts, and more active engagement at all levels in crisis readiness planning and the advancement of those planning processes.
The survey found that prior to the start of the COVID-19 pandemic:
- 83% of organizations using GRC technology — and 53% of organizations using manual methods — identified crisis controls for each critical business objective
- 83.8% of organizations using GRC technology — versus 33.3% without — mapped objectives, crisis controls, ownership of each, and information flow
- 69% of organizations using GRC technology — and only 28% of groups using traditional, manual methods — planned and conducted audits and testing of their crisis plans and their design effectiveness
Teams that used integrated GRC technology — as opposed to organizations that relied on manual methods like spreadsheets or file sharing — were also more prepared to deal with the COVID-19 crisis. Yet only 25% of respondents felt confident that their companies could handle a crisis prior to COVID-19, and only 36% felt confident that their organizations had in place the most effective processes and resources to manage another global crisis within the next two years.
The Future of GRC
Enterprise risk management programs (ERM) tend to focus on visible risks — like IT security — and not on low-level, less likely potential crises, like a pandemic. But it’s likely that not all pre-COVID-19 best practices, processes, or methodologies will make sense in the post-COVID-19 compliance environment.
How should future GRC look, in the context of the pandemic?
The COVID-19 pandemic offers a chance for innovation and will lead to more balanced ERM programs capable of monitoring a wider range of risks. These ERM programs may expand their focus to include risks like climate change or risks that could affect:
- Health and safety
- Quality
- Third-party suppliers
Businesses will need nimble, responsive GRC programs, which means using current technologies that maximize business performance, streamline costs, and safeguard security. Implementing innovative solutions to keep systems running at peak performance in a secure environment is critical. A well-designed GRC platform will include:
- Proactive strategic evaluation and tactical planning, with flexibility and scalability
- Preventative monitoring to identify potential issues before they escalate into much larger problems
- Responsive teams — whether onsite or remote — capable of addressing issues quickly, efficiently, and accurately
Maintaining operational resiliency will also factor into future risk management practices. COVID-19 caught too many companies off guard. But the pandemic may lead to a quicker adoption of new approaches and technologies as companies plot and strategize how to maintain compliance continuity when the world — and their business — is forced to shut down.
If they hadn’t already begun to explore stronger GRC strategies before COVID-19, savvy companies are evaluating and adopting them now. To thrive in a post-pandemic world, businesses must recognize the critical role played by risk management, which enables them to plan for all risk scenarios and monitor enterprise risks as they appear — even far out — on the horizon.
As more workplaces choose to remain virtual for the long term, cyber risks increase exponentially. Globalization requires that companies understand regulations worldwide — and GRC can help with that.
Maintaining Risk Fitness
Gunjan Sinha, founder and chairman of MetricStream, recommends that all companies review their risks quarterly. He suggests evaluating four risk categories to maintain risk fitness:
- Operational Risk: This risk includes employees, vendors, and third parties who support key business operations.
- Financial Risk: This risk can increase should revenues or margins drop, supply chains or production become disrupted, or companies struggle to obtain financing.
- Reputation Risk: Good — or poor — leadership during a crisis can make or break a company’s reputation. How well prepared is your company to handle risk — and how will its decisions be seen by others?
- Strategic Risk: Companies that can pivot to address unexpected risks more easily meet their business objectives than those unable to analyze operational, financial, or other risks.
Companies with flexible, agile GRC systems in place can more easily address risk, maintain resiliency, and successfully navigate a crisis. If your company needs to revisit its current GRC plan — or develop and implement one — our CREA United members, like Scott Kuperman, Director of TeamLogic IT, and Michael DeSomma, President and CEO of Teknalysis Corp., can help.