A new NAVEX report shows that AI can have a significant role in removing silos that are impacting GRC programmes. The report set out to look at the major obstacles and gaps governance, risk and compliance (GRC) decision-makers face with their programmes.
Of great interest is the fact that almost all of the respondents say AI could improve the performance of their GRC programmes. This is due to the ability of AI to gather and interpret vast amounts of data, allowing them to identify issues and solutions.
A.G. Lambert, Chief Product Officer at NAVEX, said, “An effective GRC program should analyze data in a way that enables prediction and mitigation of potential business risks. Given the increasing complexity of both business challenges and regulatory requirements, risk management programs must become increasingly digitized and automated. The next logical step is to incorporate AI tools.
“This research shows that mature GRC programs emphasize automation and the holistic integration of data; with several business functions contributing to and deriving insights from it.”
The report, carried out by Forrester Consulting, surveyed more than 300 GRC program decision-makers at North American and European organizations. Respondents represented organizations from 1,000 to more than 20,000 employees and spanned industries including retail, travel and hospitality, manufacturing, business services, education and non-profit, financial services and insurance, and healthcare.
What do we learn?
The 2023 State of Governance, Risk and Compliance Management Report (registration required) has thrown up a number of interesting statistics. Not all are universal and the number of people who responded is relatively small. This also appears to be a quantitative rather than a qualitative report. It suggests that there is much more that could have been learned from the respondents.
There are a number of key stats from the report worth looking at:
- GRC headwinds: Unsurprisingly, a lack of money (37%) to implement better GRC programmes is a key headwind. That is matched by a lack of understanding of organisational risk (37%). This is a bigger surprise, and it would have been interesting to see a qualitative follow-up.
- Automation and better management: Automation is taking place. 45% report that automated programmes are likely to be managed by a single department. That department is also responsible for data gathering and analysis (41%). When responsibility is shared across multiple functional areas, it appears that data analysis and reporting is left to those departments (20%).
- Data analysis and collection is an issue: 64% say they have significant or comprehensive automation. When it comes to analysis, however, only 26% say collection, integration and storage are automated. A major challenge appears to be legacy tools and technology (47%).
- AI is key to GRC programmes: 98% see AI as capable of improving their GRC programme. However, this requires that the inconsistency around automation in other responses is resolved. Forrester says 55% cite the top two use cases as, “incident management data collection” and “efficient integration of relevant risk and compliance data into reports.”
Enterprise Times: What does this mean?
GRC should be an easy win for machine learning (ML) and AI. The vast amount of data to be gathered, collected and analysed is an ideal fit for current solutions. Yes, there are challenges in getting it set up, which requires automation and access to disparate data sources. But these are no different to many other analytics, ML and AI challenges, so they are not insurmountable.
What is of concern is the lack of urgency around implementing AI. According to the report, “57% expect to incorporate some aspects of AI into their GRC program in the near future. The vast majority, (92%) said they believe AI will be incorporated to some degree into GRC program management, in the next one to three years.”
That three-year wait shows that GRC programmes are not a priority for many organisations. Even after three years, the amount of AI in use is questionable given the statement above. A proper set of interviews and qualitative analysis on just this point would have yielded very interesting reasons for that hesitancy.