Cybersecurity

Regulatory activity forces compliance leaders to spend more on GRC tools – Help Net Security

Legal and compliance department investment in GRC (governance, risk, and compliance) tools will increase 50% by 2026, according to Gartner.

GRC tools investment

Assurance leaders are seeking out technology solutions to help them address increasing regulatory attention on executive risk oversight and monitoring.

“Recent actions ranging from the U.S. Securities and Exchange Commission (SEC) to the U.S. Department of Justice (DOJ) signal a focus on executive risk oversight and monitoring,” said Lauren Kornutick, director analyst in the Gartner Legal Risk & Compliance Practice. “For example, the DOJ is encouraging companies to voluntarily disclose misconduct, but firms can only do so if they’ve set up effective compliance programs and risk management strategies that leverage controls to prevent and detect misconduct.”

Elevating risk management with GRC tools

Without effective self-discovery, companies risk being subject to criminal prosecution, and officers and directors may be subject to shareholder derivative litigation for failing to fulfill their duty of oversight.

“While most organizations already have existing compliance programs, legal and compliance leaders need to ensure they are empowered to capture and elevate the right information to management and the board, take the appropriate action, and maintain documentation related to these processes,” Kornutick said.

GRC tools for assurance leaders help compliance, enterprise risk management (ERM), and other assurance teams build a more holistic understanding of risks. The tools integrate and consolidate risk and compliance data as well as processes and terminologies.

In practical terms, GRC tools can help assurance teams with evaluating and modifying compliance programs in near-real time, pressure-testing system operations, and together with management and the board, improving oversight processes.

Navigating new regulations

With increasing focus on reporting misconduct as soon as it’s known, legal and compliance leaders should consolidate existing risk management methodologies from their partners in assurance. ERM and audit may have an existing methodology they can contextualize to predict or detect misconduct that hasn’t been reported and help validate the effectiveness of controls.

“Understanding existing methodologies from assurance partners can help legal and compliance leaders more precisely understand the likelihood and probability of misconduct occurring depending on the data source available,” Kornutick said.

Organizations have focused traditionally on establishing sufficient board oversight processes. However, recent regulatory activity signals that officers also must have effective oversight processes. Legal and compliance leaders should build a comprehensive view of controls and procedures, clarify officers’ roles and responsibilities, improve compensation structures, and establish clawback policies.

Recent enforcement actions signal that all employees, with heightened scrutiny placed on officers, are expected to conduct themselves in accordance with company values, policies and all legal obligations. When compliance leaders update policy and procedures in response to regulatory changes, they should prioritize testing the effectiveness of policy change by measuring whether employees understand their obligations with respect to both business conduct and reporting misconduct.

Compliance leaders should also conduct role-based refresher training with a focus on ensuring understanding by including gamification, scenario-based role play, and improving two-way communications in the learning process,” Kornutick said.