In our initial blog we posited that Intelligent Automation (IA) and, specifically Cognitive Artificial Intelligence (AI), will be essential in Governance, Risk Management and Compliance (GRC) programs to achieve long term success and sustainability.  This viewpoint comes from assessing pain points that still exist within GRC programs today, which highlights ongoing difficulty that many organizations have in managing the scale and complexity of requirements/ obligations while keeping pace with changing and interconnected regulatory, business, and external risk environments.   

As emphasized earlier, establishing a robust and effective risk management and governance framework is crucial to ensuring compliance to internal or regulatory requirements. The key, however, is to understand how GRC has matured over the years to adapt to the transforming facets of business as technology continues to evolve drastically to enhance the way that businesses function. From being fragmented and obscure to being integrated and defined, GRC has seen a transition from usage of papers, emails, and spreadsheets to advanced technology platforms which are effective and agile in nature. Given the current scenario of growing organizational complexities comprised of increasing business units, distribution channels, geographies, human resources, etc., there is no doubt that organizations would need to adopt technology quickly. This is required to not only survive but to respond quickly and efficiently to business disruptions.  

Over the last few decades, businesses have been revolutionized, and the ability to manage and control organizations while delivering strategic objectives has become paramount. Technology has acted as an enabler and aided organizations to conduct GRC related activities in a more holistic manner. While traditional methods and older GRC tools can support workflows or act as data repositories, modern cognitive solutions augment the human effort by seamlessly linking, predicting, and providing actionable insights. Now with the advancements in cognitive technologies over the last several years, modern tools and techniques can be leveraged to drive efficiency, effectiveness, and agility into GRC initiatives.  

While traditional methods and older GRC tools can support workflows or act as data repositories, modern cognitive solutions augment the human effort by seamlessly linking, predicting, and providing actionable insights. Now with the advancements in cognitive technologies over the last several years, modern tools and techniques can be leveraged to drive efficiency, effectiveness, and agility into GRC initiatives.

History of Evolution 

Understanding the history and evolution of GRC technology can help organizations recognize the immense value that the current state GRC solutions offer as well as its maturity along this journey. The phrase GRC was coined almost 20 years ago by GRC Analyst and Pundit at GRC 20/20, Michael Rasmussen.  Since then, GRC has focused on the most critical external / internal obligations and risks related to an organization’s operations.  The GRC model has transformed over the years with each phase building on the previous one.  GRC “1.0” began in the year 2002 and was primarily focused on Sarbanes Oxley (SOX) compliance.  Fast forward to the current landscape and many organizations are aligned with GRC “4.0”, which anchors on Agile technology, and we are paving our way towards GRC “5.0”, which is centered on Cognitive technology.   Let’s look more closely into the evolution of GRC to understand how we arrived at this moment: 

GRC 1.0, Sarbanes Oxley (2002-2007)1 – When technology was first shaped for GRC, it was defined for an integrated view of objectives, risks, controls, and policies. The focus was limited to Sarbanes Oxley Compliance and internal controls for financial reporting due to the critical nature of the new compliance mandate and the ability to implement the base foundation quicker since SOX had a more structure framework already in place. 

GRC 2.0, Enterprise GRC (2007 to 2012) – As GRC technology advanced, an enterprise view of risks, controls and policies was developed, and the objective was to leverage enterprise-wide information for forming strategic policies and have multiple lines of business (LOBs) use an integrated GRC technology. 

GRC 3.0, GRC Architecture (2012 to 2017) – This phase of GRC evolution saw an expansion of technology in GRC initiatives by connecting GRC systems with other business systems and building an integrated GRC architecture which was used not only in 2nd and 3rd lines of defense (LODs) but also in 1st LOD for active risk and compliance decisions aligned to everyday business goals. 

GRC 4.0, Agile GRC (2017 to 2021) – With the need to design configurable GRC technology solutions that could be customized to the requirements of an organization, updated frequently for advanced features, and provided an engaging end-user interface, Agile GRC was born. It is currently the most widely used GRC version by multiple organizations.  

GRC 5.0, Cognitive GRC (2021 thru current day) – The focus of this version is not only to /facilitate compliance but generate actionable insights in the quickest timeframe possible to setup a business for success, and ahead of its competition. GRC 5.0 is anchored in the use of artificial intelligence / cognitive technologies including natural language processing, predictive analytics, etc.   

Technology, along with maturing processes, has been pivotal in handling compliance and corporate mandates throughout evolution of GRC. The more advancements made in cognitive technology, the more compelling it has become to take advantage of the sophistication and benefits within enterprise wide GRC initiatives. Through weaving artificial intelligence, natural language processing, neural networks, machine learning, predictive analytics, and other advance technologies into existing programs elevates human capacity and domain knowledge proving the ability to more quickly detect potential issues, devise solutions, and mitigate risks.  

Why Cognitive Technology is Important for GRC 

Over the last 3 to 4 years, cognitive technology has evolved, and it continues to improve at a significant pace. This advancement has helped businesses reduce the complexity of critical processes and the time to consume, and disseminate, often time-sensitive data. The evolution and melding of these technologies with GRC create competitive advantage and significant financial and operational opportunities for corporations. Now cognitive technology is improving the ability for businesses to handle change that is characterized by its velocity, variety, volume, and ambiguity.  

Today’s cognitive solutions can leverage artificial intelligence and other advanced technology that can help businesses gain end-to-end visibility, improve GRC processes, and accelerate and augment decision making by the business users. 

A holistic view of external and internal obligations on an organization’s internal control framework can now be automatically identified and analyzed. In no time, necessary actions can be taken on applicable GRC requirements, and the authoritative teams can take necessary actions to update their control framework. 

Incorporating the power of cognitive solutions into GRC processes builds confidence in completeness and accuracy, ensures an organization that the policies and frameworks are up to date, and boost business operations. Embracing technology can address labor-intensive tasks helping employees focus on value-add activities that bring more insight and intelligence when navigating the organization and managing risk and compliance. With business decisions driven by analytics and data, there’s so much more than firms can have done in a much more efficient manner. It is not Nirvana, but it is possible, and if adopted, these breakthrough innovations could be a game changer and allow for organizations to make quicker and better decision-making. 

The clear value proposition of incorporating cognitive technologies into companies’ GRC processes aligns with:  

  • EFFICIENCY: time saved; money saved 
  • EFFECTIVENESS: accuracy, completeness, and thoroughness 
  • AGILITY: quickly identify relationships from different perspectives and react to changes in your regulatory, business, and external risk environments 

Being more efficient, effective, and agile equates to more robust common control frameworks, more transparent and focused external obligation criteria, and stronger linkages between internal and external landscapes. Ultimately, this model is a differentiator creating a more resilient company that more easily manages the complexity, volatility, and velocity of the current dynamically changing business environment. 

Venky Yerrapotu – Founder and CEO, 4CRisk.ai

Venky is the founder and CEO of 4CRisk, an advanced AI and predictive analytics software company digitally connecting a firms regulatory, business, and external risk environments thus improving the efficiency, effectiveness, and agility of the organization. Venky is a hands-on leader with over 20 years of experience in building high performance GRC technology platforms and more importantly onboarding hundreds of customers onto the platforms.

Elizabeth Abraham – VP, Customer and Partner Success, 4CRisk.ai

Elizabeth’s leadership approach uses a multi-faceted perspective connecting industry, functional, and technology implementation expertise. With 25+ year experience in the governance, risk, and compliance space, Elizabeth has experienced the complex and dynamically changing environment from numerous perspectives. Working as a practitioner and advisor to numerous large established as well as high-growth start-up companies, she converges strategic thinking with an operational mindset to ensure successful customer and partner initiatives.

Jonathan Frieder

Jonathan Frieder

Principal Director – Strategy & Consulting

View Profile

Jessica McDermott

Principal Director

View Profile

Apoorva Jain

Apoorva Jain

Senior Manager, Digital Risk & Compliance, CFO&EV, Capability Network, India

View Profile


Submit a Comment

Your email address will not be published.