In today’s fast-changing business environment, an effective governance, risk and compliance (GRC) programme is increasingly seen as a foundation of agile decision-making. Michael Gibbs, chief executive officer of SureStep Systems Integration, discusses the shifting perceptions of GRC, the growing opportunity around artificial intelligence (AI), and why Asia-Pacific (Apac) firms are playing catch‑up.
Has the notion that GRC only pays off when things go wrong been put to rest?
Michael Gibbs: Several positive developments have emerged in the risk space over the past year. First, companies have started to recognise that GRC can be an efficiency driver. A good GRC programme allows you to find holes and deficiencies in your organisational processes. If you plug those, it won’t be a top-line driver, but it will go straight to the bottom line.
GRC is also increasingly seen as an investment driver. As an investor, wouldn’t you rather fund a business that has an airtight governance programme, understands its risks and processes and has a system in place to manage them? To me, the answer is obvious.
Many companies seem to equate GRC with significant investment in technology, but is that necessary?
Michael Gibbs: Technology in GRC can be incredibly powerful, but it doesn’t need to be complex. You do not need to spend millions of dollars to see the benefits of something like AI in your organisation. Companies need to be specific when it comes to identifying what the business issue is, so they can then find the right technology to solve it.
One thing that needs to change is that firms in the Apac region have been slow to move to the cloud. Financial institutions should realise they are not going to build a better data centre than companies such as Amazon, IBM and Google. Cloud technology will make their lives so much better and in so many ways, including costs, efficiency and security. This is a big focus for us in Apac.
Are you seeing any real-life use cases of AI in GRC?
Michael Gibbs: I previously thought AI seemed overblown, too expensive and too complicated. I\’ve changed my tune on that. AI can read tens of thousands of documents in the time it would take one lawyer to read a single document. It can scan a pile of regulations, put them side by side and determine where the changes have been made and whether it will generate a new risk. It may even suggest a control that can go in place for it. This can save so much time and money spent on legal and compliance.
A second major area is the use of AI-driven chatbots. There is a younger demographic coming into the workforce that doesn\’t necessarily want to talk to and interact with people. This creates a problem in GRC, where people need to speak to each other to provide qualitative analysis of an issue. If a developer or a marketer spots a problem, they may not know where to go to report it. Using an AI-powered chatbot can direct those enquiries to the right places. This would cut back the time the second line of defence needs to spend on sorting through complaints or incidents.
How can an issue such as sustainability be integrated into a GRC framework?
Michael Gibbs: To me, sustainability is similar to reputational risk. The technology to deal with it is already there and GRC is the right space for those efforts to be housed. I haven\’t seen a coherent international framework for it yet but, when that happens, it should permeate a lot of GRC, from vendor management all the way through to where investments are happening. It is really just waiting for someone to agree on a framework and take it forward.
Finally, in the past, Apac seemed to be lagging when it came to GRC. Is the region starting to catch up?
Michael Gibbs: It has changed a lot recently, with the fintech market being the biggest driver. Apac has become a hub for fintech such as digital banks and payments systems. New regulations and compliance requirements have been thrust upon the sector. These companies are all looking for investment, so they need to get GRC programmes in place. The irony is there are small fintech companies that have more sophisticated governance programmes than their banks and investors. This is forcing financial institutions in the region to play catch-up. There are also better tools available now for smaller firms to manage GRC programmes – such as SureStep Fortress. I\’m extremely optimistic about the future of GRC in Apac.