The risk and compliance landscape? It’s shifting beneath the feet of GRC professionals with enormous speed – making it harder than ever to anticipate the potential consequences for businesses.
That’s where knowledgeable forecasts about the technologies, regulatory climates, security threats and other concerns that keep GRC managers up at night can be useful. So we prevailed on eleven top GRC experts to share their outlooks on what’s in store in 2019.
Michael Rasmussen, GRC Economist & Pundit, GRC 20/20 Research, LLC
Some big trends lie ahead for GRC in 2019:
- Data privacy – GDPR continues, but now there is California’s CCPA, and the threat of US Federal regulation.
- Growing accountability – due to UK SMR, Australia BEAR, plus regulation in Singapore, Hong Kong, Japan, Ireland, and Spain.
- Operational Resiliency – integration of operational risk, business continuity, third party and more (e.g. Bank of England Operational Resiliency Focus).
- Lawsuits and legal issues from Marriott/Starwood breach and others.
- Growing anti-bribery & corruption enforcement globally, but particularly in Europe.
- Changes in GRC tech with more mature AI offerings.
- Third Party Management – one of the biggest challenges, and coming from many angles, as companies may be held liable for vendor or supply chain activities, particularly in data security.
- In that context, legislators are considering regulations on modern slavery in business – UK is reviewing a new enforcement push on UK Modern Slavery Act, and Australia just passed its own Modern Slavery Bill 2018 encompassing “slavery, servitude, the worst forms of child labour, forced labour, human trafficking, debt bondage, slavery-like practices, forced marriage and deceptive recruiting for labour or services.”
One of the most significant developments in GRC activity that we are seeing, which I expect to increase greatly in 2019, is the establishment of committees at the enterprise level specifically designed to address plans for better integration of GRC across the enterprise. While in many organizations the starting point for this is focusing on use of technology to support governance, risk management and compliance, and audit, changes are also being planned for structuring organizational and personnel responsibilities, and for standardization of processes.
These changes are necessary in order to support development of a technology architecture and ecosystem where all relevant data can be shared and reports can be developed to meet different needs. A second development is the availability of technologies that are now better able to pull and integrate data from a wide variety of internal and external sources. This enables companies to use “best of breed” components where necessary or desired, which may be freestanding SaaS offerings, and still have the data from those systems be available for a broader integrated view of GRC information. It also means that data can be pulled from ERP and other business systems, which is essential to enabling the mapping of risks to objectives and controls.
Finally, with the growth of AI or cognitive computing in GRC systems, deeper and more timely views of information are now possible.
Peter Johnson, Managing Director, Tempest Security Intelligence
2018 has been a significant year in Governance, Risk, and Compliance. The long-awaited General Data Protection Regulation (GDPR) came into play in May 2018, and more regulation is expected in the form of the EU’s ePrivacy Regulation (ePR) in 2019. UK industry standards are making progress in their respective sectors with more stringent policies; for example in the financial sector, new regulations such as the Payments Services Directive 2 and PCI DSS 3.2.1.
Nevertheless, many areas remain untouched in terms of GRC. For example, the IoT consumer market in the UK. Despite industry efforts to implement a code of practice, no firm regulations have been put in place. Subsequently, no real security standards exist to protect consumers in their own home.
It’s fair to say that industry is pushing in the right direction, but regulatory bodies still have a significant task in protecting consumers and in turn, organisations in the changing technological landscape. We expect this to be a considerable trend and theme moving forward in the next year, watching regulatory and compliance trying to keep up with the rapidly and constantly changing landscape.
Adam Turteltaub, Vice President of Strategic Initiatives & International Programs, SCCE & HCCA
For 2019 I expect to see both a broadening and deepening of compliance programs globally. In terms of broadening, we’re likely to see compliance programs in more and more countries and an ever-increasing number of companies as well. One proof point: a compliance conference of over 150 people I spoke to in Mongolia in November.
In terms of deepening, we will likely see compliance programs continue to expand beyond anti-corruption as organizations realize the value of compliance programs across a broad range of legal and regulatory risks.
Robert Bond, Partner & Notary Public for Bristows LLP, 2nd Vice President & Board Member, SCCE
2019 will see an increase in enforcements and fines in relation to data protection breaches and non-compliance. The risk of consumer class-actions for privacy infringements will drive compliance up the agenda and lead to greater attention to data protection compliance and governance, and to the need not only to adhere to the law but also to apply an ethical approach to data analytics and profiling.
Jason Cropper, Global Head of Product Marketing – GRC, Mitratech
2019 will center around 3 main topics: data protection, personal accountability, and the continued rise of ethics over compliance. Data Protection will be “one to watch” this year as we start to see how GDPR enforcements take shape. The first fine under GDPR actually came through an audit where controls were not in place, versus an actual breach. I predict proactive regulatory fines versus large-scale data breach fines.
Personal Accountability will also grow from strength to strength; my prediction is global variations of the SM&CR regulation from the UK will arise, as we are already starting to see.
Ethics is set to really come forward in 2019. While it is not a new topic, organizations and regulators are really starting to embrace that ethics creates a solid culture of compliance. My prediction here is that we’ll see the rise of ethics-based compensation for employees.
Kristy Grant-Hart, Founder & CEO, Spark Compliance Consulting
In 2019, GRC risk relating to third-parties has gone beyond your basic sanctions checks and anti-bribery due diligence review. Checks on higher-risk third-parties should now include modern slavery/supply chain reviews, data privacy considerations, cyber-security risk, and even reputational risk due to political statements or scandals.
Getting your due diligence questionnaire in order is key. Work with the other stakeholders in the company to pull together one due diligence questionnaire and onboarding procedure for third parties. A little investment of time and money now will make life easier for your third-parties, and protect the company from the multiple threats it may encounter from its use of third-parties.
Connor Blake, Global Head of Alliances & Partnerships, Mitratech
I expect to see more high profile cases of social media activism forcing companies to react in 2019. If it looks like your customers care more about your company’s business ethical conduct than you do, that is a disaster waiting to happen.
Companies will need to be far more agile to get ahead of that curve, automating away compliance risks for their employees and delivering really intuitive GRC tools to make it simple for your employees to tell you what’s going on before your customers do.
Laurie Fisher, Managing Director, HBR Consulting
Two key trends we see for GRC are very similar to those in legal, information governance and compliance in general. First, the growing importance of the use of data and analytics in governance, compliance and risk management processes. This will allow for a more objective approach to risk assessment. Second, technology-supported collaboration will improve the ability of individuals working in GRC-related disciplines to work together towards common goals.
Fergus Allan, Head of Regulation & Compliance, TORI Global
In Europe there is a shift from implementing new regulation to ongoing supervision – across Europe this year we have seen the implementation of a variety of new regulations such as GDPR, MiFID II, PSD2 and parts of SMCR; in 2019 we can expect a shift from change back to run. This shift is going to test both financial firms’ operating models as well as their three lines of defence.
On the other side of the pond, the U.S. regulatory landscape is significantly different, with the pace of regulation seeing a deceleration and arguably a reversal in some cases under the current administration. This slowdown should not be seen as an opportunity for firms to return to business as usual, as this trend could change as quickly as it came; financial institutions should still pursue top-of-class.
Mark Delgado, General Manager, EMEA & APAC, Mitratech
With 2018 being a year of seemingly ever-increasing security breaches and data losses capped last month by the almost unimaginable scale of the Marriott guest reservation system hack which potentially exposed private information of around 500 million of its guests, 2019 could well be the year that consumer power becomes a significant driver for compliance.
I have thought for some time that a strong, demonstrable record of compliance and regulatory adherence is underutilised by businesses in how they market themselves and that it should be far more exploited by corporates as a positive differentiator. Now, though, could well be the time where consumers start to take notice and include a company’s compliance credentials as significant criteria when deciding on which organisations are to be trusted with their business.
Purchasing goods and services today isn’t anywhere near as transactional as it used to be. The sharing of personal information nearly always seems to be an integral part of the buying experience, whether that be the supply of credit card details required for execution, a delivery and/or billing address, or an email address, date of birth, gender and other information that is gathered as part of a loyalty or discount program. Consumers are waking up to the fact that this information is precious and that the blind trust they have given to businesses they deal with is not necessarily prudent. To what extent this significantly changes buying behaviour remains to be seen, but I think it will become far more top-of-mind for many in 2019.