Risk & Compliance Predictions for 2017

The New Year is almost here. As risk and compliance professionals, it’s in our DNA to anticipate situations that will likely come our way and figure out how we’ll respond. Here are five predictions that Rsam is tracking for 2017.

#1 – Organizations Will Favor Speed over Perfection

One reason GRC platforms have had a bad rap is the length of time it takes to deploy them. Many implementations take a year or more to complete. All the while, the organization’s risk is growing. As we face ever more scrutiny, it stands to reason that organizations will begin to favor speed over perfection.

Gone are the days when you map out every requirement you can think of and configure your platform around them. Requirements will change over time; that’s for certain. Getting bogged down in the quest for perfection can stall or completely derail a GRC implementation. We think organizations are beginning to recognize the need for speed. You’re better off getting 80% of your requirements into production and iterating from there than waiting for unattainable perfection. Just as important, you have to have a platform flexible enough to adapt to the onslaught of change when it does come.

#2 – Business Units Will Partner Strategically on GRC

The quest for the perfect platform has long frustrated many GRC professionals. Years ago the leading school of thought was: Let’s buy one enterprise platform to manage all of our use cases! The trouble was, in reality, there were far too many competing agendas, stakeholders and requirements. The panacea didn’t pan out. Looking forward, we believe business units will band together when it comes to GRC. Not every department will want or need the same solution, but it’s likely that three or four business units can agree on and implement a GRC platform. The most obvious contenders are departments that have interdependent processes.

Remember the previous comment in prediction #1 about speed? It certainly applies here. The truth is, the more stakeholders you have, the slower the process will be. However, groups that already work together and have similar requirements can usually rally around a GRC implementation. Start with the use cases that fit together. Once you achieve success, see what else you can do with it.

#3 – Platform Confusion Will Grow

There seems to be a software platform for nearly every business situation. The sales team has Salesforce; Finance has NetSuite; Customer Service has ServiceNow. The list goes on and on. Lately, we’ve heard chatter about whether or not it makes sense to leverage an existing technology platform for something other than its intended purpose. For example, ServiceNow is a ticketing system for managing and tracking support issues. It also now has some “GRC Lite” capabilities, so organizations may stop and say: “Can I leverage ServiceNow for GRC?” The answer to the question lies under the hood. First ask yourself: what problem was this platform originally built to solve? Investigate the underlying data model. If a platform was built to handle ticketing queues, it might take too much time and too many resources to make it work for the full spectrum of GRC use cases. The total cost of ownership will likely skyrocket, and it will take entirely too much time to do. Trying to fit a square peg in a round hole always ends with a lot of frustration – and not much to show for it.

#4 – Scrutiny on Third Parties Will Increase

Scrutiny on third parties has been rising steadily since the Target breach in December 2013. It wasn’t the first and won’t be the last breach involving a trusted partner, but it was a tipping point in terms of awareness. Since then, a slew of regulations, frameworks, standards and the like have been proposed to address third-party risk. In fact, New York recently proposed legislation that focuses squarely on these relationships. Third parties are more entwined than ever before. Think about how many applications you host on someone else’s infrastructure, or how many vendors have access to your internal systems. Organizations must stay on top of their growing vendor ecosystems and rigorously assess their security controls, financial health and general business resiliency.

#5 – Cyber Security Concerns Will Drive Integration between Security Operations & GRC

Most CISOs tell us their biggest pipe dream is a single view into every facet of enterprise risk and compliance. If the dream is ever to come true, security operations and GRC teams will have to work together closely and have access to the same type of information at all times. The challenge historically has been that security operations tools lack the ability to consolidate information and processes through a meaningful workflow engine. Sure, they can ingest lots of data, but you have to be a security analyst to interpret it. GRC tools generally have more context and workflow; in the simplest terms: If requirement “A” isn’t met, situation “B” can happen, and we had better notify person “X.” The marriage of security operations data with GRC-related context and workflow will get CISOs closer to the dream. In the hyper-connected state we live in today, if organizations spend time trying to figure out what happened and what to do next, chances are it’s already too late to prevent damage. By integrating Security Ops and GRC more tightly, you increase your ability to reduce risk.