“The future of GRC will not just be about managing known risks or monitoring compliance. It will be about sustaining an organisation’s social license to operate.”

Now that 2019 is underway, it is a good time for organisations to review risks over the past year in the hopes of previewing how they may develop in the future. After another year of landmark regulations such as MiFID II and the general data protection regulation (GDPR), more organisations are looking to change the way they respond to inbound regulations and emerging risks in their space, moving from reactive to proactive. To do this, more organisations are turning to integrated governance, risk, and compliance (GRC) programmes to help.

GRC technologies empower organisations to adopt a focused and business-driven approach when managing and mitigating risks. The best technologies help to streamline risk identification, assessments, and treatment, as well as providing sophisticated analytics and reports that transform raw risk data into actionable IT risk intelligence, providing clear visibility into the top risks, while improving decision-making. Furthermore, GRC technology allows organisations to implement standard risk assessment methodologies to create a sustainable and scalable risk management programme.

As cyber threats, financial fraud, regulatory fines, and other risks continue to escalate through 2019, GRC functions will need to be more vigilant to proactively spot and address the areas of concern that could potentially derail their enterprises. Here are some of the key trends that organisations will see over the coming year:

Operational technology outages: a new peril

In 2019, the cybersecurity conversation will move beyond business-specific threats and vulnerabilities, to focus more strongly on the larger, more perilous threats to critical infrastructure. While power grids have been in focus ever since the infamous 2015 Ukraine grid attacks, other critical facilities such as water supply networks, gas pipelines, and transportation systems have also become sources of worry for cybersecurity experts.

In 2018, the FBI sounded the alarm about Russian hackers attacking the U.S. electric grid, water processing plants, and aviation facilities. A few months before that, the British government’s top cybersecurity official had warned of similar attacks on the UK’s energy, telecom, and media industries. These incidents are only likely to escalate as malicious actors look to strike at the very heart of a city or nation.

The third-party maze

In 2018, leading organisations across retail, air travel, and the entertainment industry suffered major data exposures due to vendor security vulnerabilities. Around the same time, the European Banking Authority (EBA) published its draft guidelines on outsourcing for financial institutions. Going by these trends, third-party risk management will become an increasingly important priority in 2019. Organisations will be expected to document all third-party relationships, segment them based on risk, and conduct periodic reviews. They will also need to implement effective policies and controls for outsourcing, while ensuring effective oversight of the third-party ecosystem, including sub-contractors.

Senior management: focus on accountability

Right from the 2002 Sarbanes-Oxley (SOX) Act, to the 2016 UK’s Senior Managers Regime (SMR), regulators have been saying that the buck stops with senior management. No longer can CEOs claim to be ignorant of toxic cultures breeding in their organisations. They will be held accountable for setting the tone of integrity, compliance, and ethics across their enterprises. They will be expected to ensure effective corporate governance, while also building a pervasive culture of risk awareness, and imposing strong consequences for misbehaviour.

Data localisation: new digital barriers

With major markets like India and China imposing data localisation mandates, global companies will be under pressure to rethink their information governance mechanisms. No longer will they be able to store data however they see fit or enable the free flow of information across borders. Many organisations will have to make arrangements with local cloud service providers or build their own data centres – both of which come with significant costs.

From a security perspective, data risk assessments and monitoring activities will likely become more decentralised. So will compliance management, as data localisation laws vary from one region to the next. GRC professionals will need to stay one step ahead of these trends, tracking and understanding them, while educating the business on the best way forward.

Operational resilience: no more excuses

Operational resilience has caught the eye of UK regulators, particularly the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA). The underlying message is that financial institutions can no longer play the victim card when disruptions occur. They must be prepared with a strong resilience strategy and plan that allows them to deliver proficient services at all times, even in the midst or aftermath of a disruption. Business leadership will be responsible for driving this culture of resilience across the three lines of defence.

Indeed, with inbound regulations and a continued shift of increased business accountability, organisations should be sure to effectively monitor and work closely with regulators in order to mitigate any inbound risks and remain above board ahead of any legislation. Using integrated GRC technology, businesses will be able to anticipate unexpected risks while freeing up more time for business critical activities – keeping both regulators and shareholders happy.