Michael Rasmussen

3 GRC Priorities for Your Organization in 2022


The past two years have been a trial for organizations as they have been required to respond to the complications, risks, and intricacies of the pandemic and its impact on business strategy, operations, and objectives.

The focus has been on resiliency, the ability to recover quickly under changing risk conditions, to keep the organization moving forward.

GRC, by definition, is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance) (source: OCEG GRC Capability Model).

The organization must be constantly aware of objectives and their achievement. Those objectives can be at the entity level or down at the division, department, process, project, relationship, or asset level. In this context, the organization needs insight into the risk and uncertainty in achieving those objectives, and must ensure that it acts with integrity in their achievement in a distributed, dynamic, and disrupted business environment.

As we head into 2022, this focus on resiliency is evolving to a focus on agility. Organizations not only need to be resilient, but they also need to be agile. Resiliency is the ability to recover from a risk event, while agility is the ability to see what risks are hurtling toward the organization and to navigate the environment to avoid (or minimize) events.

Today’s organization in 2022 cannot be burdened by manual governance, risk management, and compliance (GRC) processes that slow the organization down. The organization needs real-time 360° situational awareness of risk within the business and across the extended enterprise of third-party relationships.

Top three priorities for 2022

Three priorities the organization needs to focus on in 2022 in the context of GRC agility and resiliency are:

Monitor integrity: the importance of ESG

There is growing momentum to ensure the integrity of the organization’s commitments and statements on environmental, social, and governance (ESG) matters.

In 2022, the organization will have to ensure its integrity in this context, making sure it meets these commitments and lives up to its statements and internal policies. ESG integrity is a mirror into the behavior and practices of the organization to confirm they align with the policies and ESG conduct that the organization has committed to.

Update your policies: hybrid/remote working is here to stay

Many are tired of hearing about the “new normal”, but it is here. The future is remote and hybrid work, and the organization must adapt its policies, and their enforcement, to a new range of risks in the context of hybrid and remote working.

This includes IT security, physical security, conduct (e.g., video conferencing), moonlighting, OSHA, and other policies that need to be addressed for the hybrid and remote work environments. The organization also needs to consider how to address these risks across the extended enterprise of third-party relationships, many of which are working from home or in hybrid formats themselves.

Protect your organization: ensure you are continuing to prioritize cyber security & data protection

Information/cyber security threats are growing. Hackers and organized/state-sponsored crime threats are coming at the organization from all angles. The hybrid and remote office environments simply add more complexity to these risks with more attack exposure, particularly when you take in the extended enterprise of third-party relationships and dependency on these relationships.

With hybrid working, the challenge is to not only protect electronic data but also physical data and conversations in the apartment/home where others may overhear sensitive information. Or at the local coffee shop where work is being done…

Being agile and resilient in 2022 and beyond, and addressing integrity, policies in the hybrid environment, and information security, requires an integration of GRC strategy and process that is supported by an information and technology architecture that delivers 360° situational awareness of risk.

This enables the organization to monitor not only where risk and controls stand today, but also what is trending and coming at us on the horizon, so that we can be not only resilient when risk rears its ugly head but also agile enough to navigate the organization to minimize risk exposure and impact.