10 minute read 31 Aug 2017

How to take a digital-age approach to governance, trust and risk

By EY Global

Ernst & Young Global Ltd.


Now is the time for governance, risk management and compliance (GRC) functions to participate in shaping the future in the digital world.

Emerging threats in the digital era, such as cyber attacks, competitor shifts or geopolitical crises, are influencing the future direction of business and forcing their way onto board agendas. Old-world challenges (such as the integration of risk management and financial planning, protecting tangible goods or the fragmentation of data and business functions) collide with new ones in the digital sphere. Now, corporate governance, risk management, compliance management and other “line-of-defense” functions must invest in managing digital risks that matter, and risk functions must transform.

Designing a risk management approach based on agile guidelines and processes, empowered people, cutting-edge technology and analytical capabilities is critical to drive companies forward. It must harness the value of the digital world and protect the organization against the multitude of risks in a volatile and uncertain environment.

The evolution of GRC

Over the past three decades, GRC has evolved in response to a number of large-scale macroeconomic events, as well as the business and regulatory changes they precipitated. In doing so, GRC has continually adjusted its core focus and expanded the scope of risk it covers. Today, companies face greater uncertainty in a wide array of new and emerging risks. The ever-evolving globalization of competitive markets exposes many organizations to a new breed of risks, many of which were not planned for and could not even have been anticipated. For these reasons, GRC is entering a new phase in its development, focused on continual monitoring and responsiveness, business decision support and improved shareholder value.

A future-oriented GRC approach can support organizations in multiple ways.

Agile GRC — governance, trust and risk in the digital era

Agile GRC addresses a new way of conducting corporate governance, supported by technology and a spirit of agility and entrepreneurial thinking. For this agile, integrated and future-oriented approach, we defined five key guiding principles that build the foundation for how to operate, empower and make decisions in our next generation of business operations and GRC management:

  1. People first — business leaders must understand and recognize that properly motivated people are the strongest links in the chain. It is necessary to shape behavior and motivate people to do the right thing rather than try to force them to do what they are told.
  2. Purpose-led — it is essential to activate purpose for a changing business landscape and a new GRC environment across the organization. This adds the right insights to help guide decisions.
  3. End-to-end centric — future success is based on the essential capability of being able to take the customer’s perspective (both internal and external) into consideration across all GRC-related functions, activities and outputs.
  4. Multilane speed — ensuring that the right governance, processes, capabilities and enablers are in place to address the different demands of business models, areas and lines of business.
  5. Fully digitalized — mobilizing a technology portfolio that digitalizes and optimizes all risk- and compliance-related activities, embeds them into the organization and end-to-end processes, and engages all stakeholders based on their individual needs.

GRC is entering a new phase in its development, focused on continual monitoring, business-decision support and improved shareholder value.

Using these key guiding principles, the Agile GRC approach is built on a framework of four components:

  • Purpose-led risk — making risk meaningful: the purpose-led risk approach aligns the cadence of strategic and business functions with the velocity of risk and opportunities to provide timely information and forecasting on key business drivers and values beyond the financial impact.
  • Adaptive governance — governing performance and risk: the future of corporate steering and risk governance is based on an integrated and adaptive approach of performance and risk management that is enabled through transparency, agile collaboration and business-centric elevation.
  • Optimized process — managing compliance in a smarter way: this includes making sure that regulatory changes and risk recognition are implemented in days rather than in months; securing the integrity of the organization and its people; and governing risk-based steering using holistic control optimization to enable trust and secure relationships in a performance-based manner.
  • Digitally infused — turning data into multispeed action: excellence through transparency is rooted in a GRC approach based on digitalized and intelligent applications and services. Using technologies such as blockchain and machine learning is just the first glimpse into the future of intelligent risk and compliance solutions.

To understand the full scope of the Agile GRC approach, a closer look at the four components within the approach is necessary; hence, they are examined in the remainder of this article.

This overview demonstrates that practically all areas of an organization are affected by Agile GRC.

1. Making risk meaningful

Agile GRC needs a component as its centerpiece. We believe that this will be “purpose-led risk” and that this approach will be the next evolutionary stage of enterprise risk management. The objective is to align risk and compliance management initiatives with the organization’s purpose to cover all aspects of its strategy. This includes everything from mission, vision, brand and legacy, to culture, values and people. The approach includes frameworks such as The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2016 enterprise risk management framework [1] and the International Integrated Reporting Council’s (IIRC) Integrated Reporting [2].

The intention is to create a “single source of truth” that defines one risk and compliance management approach for the entire organization. It is important to make the approach as simple as possible to secure stakeholder buy-in. Therefore, the EY approach comprises a three-step model involving GRC-affected groups, which we further divide into GRC partners, GRC functions and GRC customers.

How to start the journey: the three-step model

The Agile GRC approach extends the classic circle of stakeholders relevant to GRC issues. Compared with conventional GRC functions, Agile GRC is an end-to-end approach involving diverse external, as well as internal, sources in the process.

2. Governing performance and risk

The objective of “adaptive governance” is to guide all aspects of corporate governance, risk and performance management, as well as compliance and regulatory aspects. It can manage the risk and opportunity portfolio of programs, projects and operations, align their purpose and consider the risks. Therefore, adaptive governance can make GRC operations leaner and more integrated into governance and process capabilities, enabling agile collaboration and multispeed modes to manage an organization’s risk portfolio and support strong corporate performance.

Purpose-led risk as key to a stable core

GRC operating models need to support the organization’s benefits and commercial management function to leverage investments in building capabilities and solutions — and they will achieve this by acting as the business process, information and organization management governance office. This fresh setup also helps to deal continually with the digital ecosystem’s risks and opportunities, and ensures that the relevant stakeholders are more focused and engaged over the long term.

Adaptive governance demands a change to conventional GRC functions that are based on divisions and run by a hierarchical line organization — instead, GRC functions will become part of a hybrid organization that supports an agile, fully connected network structure with more integration and guidance.

The new hybrid organization changes the classic “three lines of defense” model. Due to better connections between the internal GRC functions, GRC partners and GRC customers, the siloed thinking between the lines of defense will soften. The first (operative management) and second (i.e., risk management, compliance management and quality management) lines in particular will blend. This allows the organization to react faster and to be more efficient. And because of the wider involvement within the organization, as well as with the business partner network, GRC operations will become more visible. This can be further enhanced if the GRC model is equipped with an innovation center and a solution hub. Business process management and business information management can be centralized to speed up internal discussions and solution-finding processes.

The intention is to create the “single source of truth” that defines one single risk and compliance management approach for the entire organization.

3. Managing compliance in a smarter way

Many GRC functions still conduct risk and compliance processes in a manual, ad hoc fashion. Standardization and optimization of processes are among the many steps that can improve GRC efficiency and effectiveness while maintaining the agility and flexibility required by the multilane speed principle to give the business units the freedom they need to be successful in the market.

The objective of optimized processes is, through standardization, to make processes leaner and more enriched with agile methodologies. This requires reconsideration of conventional risk functions and business operations, such as establishing formal procedures for functions, including third-party due diligence and partner screening, or adopting ISO 31000 to manage risk more holistically and consistently.

Accordingly, the optimized processes element of Agile GRC can also be applied to cybersecurity, resilience, and identity and access management so that these become more risk-based and agile. Simultaneously, internal control systems, compliance management and risk management can be more standardized and enriched by forecasting, steering and dimensional planning, while Agile GRC is embedded into business operations. It is integrated rather than sitting atop existing processes. Reward and incentive measurement and multilayer reporting can be enabled through technology and people behavior to provide greater risk insights to the organization.

Meanwhile, the most important objective is to embed risk management activities in day-to-day business operations through SMART controls, risk- and regulatory-enabling assessments or risk insights in decision processes — for example, in third-party risk management, simplified deal selling or bidding processes, as well as IT risk and vendor management. Making processes simpler and more standardized and encouraging people to act with more integrity and to be risk-oriented is crucial. In the digital age, the involvement (and empowerment) of people is more important than ever, and this applies equally to GRC operations.

The hybrid GRC function of the future


4. Turning data into multispeed action

Beyond process and governance improvements, technology implications will extend the scope, consistency and efficiency of existing GRC efforts. This will empower users to support faster decision-making, enrich processes with controls, real-time actions and cognitive intelligence, use live data in response, and be risk-oriented and streamlined. This can be achieved through digitally infused and intelligent GRC technology.

Digitally infused environment

The next generation of GRC architecture makes all GRC functions fully digitalized and connected to allow the best transparency, efficiency and agility for process operations. The enterprise GRC platform has the capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture, and leverages the scalability of the cloud to fulfil the needs of a fast-changing environment.

It is important to understand that, in this context, one platform doesn’t mean one solution — it can comprise a variety of best-of-breed tools, harmonized by a common platform architecture and data lake for all relevant information that must be processed.

In addition to specific GRC technology, the approach is enhanced with other technology, such as using robotics to monitor user access behavior and customer interactions. The use of SMART analytics, artificial intelligence and real-time collaboration in applications such as psycholinguistics, relationship mapping and outlier analysis can result in better insight and a higher speed for more effective considerations of risk and compliance implications in strategic decisions (e.g., mergers and acquisitions, third-party risk scoring or fraud surveillance).

With the rise of new technologies, such as blockchain and other digital experience tools, GRC functions will probably undergo another step change, encouraging organizations to increase transparency, and change the way they make business decisions and how they will achieve compliance. This will drive GRC and your organization into the next century of business.

Agile GRC could help address the most significant market demands and benefits in any digitally disrupted economy.
