The AI-Enabled Future of GRC and Integrated Risk Management


The shift to digital was already well underway before the Covid-19 pandemic changed everything. However, the events of 2020 have far-reaching implications for those of us in the business of risk management. The way that the pandemic unfolded highlights that the only way we can prepare for such events in any meaningful sense is to take a more forward-looking approach. The most critical tool in adopting such an approach is technology, which is set to transform the way we manage GRC over the coming years.

To some extent, technology has already begun to transform risk management and the way we manage compliance. RegTech is a fast-growing sector, worth $5.1 billion in 2019 and set to grow six-fold by 2026. However, research shows that the motivation for purchasing RegTech solutions is still often backward-looking and heavily skewed towards compliance rather than risk. An industry benchmark report from Cambridge’s Judge Business School indicates that around half of firms are buying RegTech to navigate existing regulations, implement new regulations, or implement an internal compliance program. Only 25% are using it to process large quantities of data or organize complex information.

This perception is borne out in the findings of the State of Risk Management 2020 report[i] conducted by VirtueSpark and Risk-!n. In this survey, only one-third of respondents confirmed that their risk management software offered an integrated risk management platform. Interestingly, over half of respondents came from organizations comprising more than 15,000 employees, implying there’s still a lack of buy-in to integrated risk management, even among large companies.

Laying the Foundations

Arguably, successfully implementing an integrated risk management approach is the critical pivot from a past-focused GRC mindset to one where an organization can effectively anticipate and mitigate risks. Given the complexities faced in today’s business environment, technology is the only way to capture all of the data points needed to keep oversight of so many moving parts.

Furthermore, having a fit-for-purpose platform is also a crucial foundation in preparing for the next big technological shift in the GRC landscape – the advent of AI.

Data is the fuel needed to drive AI and machine learning algorithms, which is why having a systematic approach to managing risk data will become so critical for organizations wanting to advance their GRC approach even further. While it’s fair to say that we’re very much at the beginning of this journey, the technology is developing rapidly, and before long, using AI throughout the risk management cycle will become a matter of competitive edge.

Intelligent Risk Management

So what will this look like? In 2019, the Federation of European Risk Management Associations (FERMA) launched its first paper on the implications of AI for risk management. It found that in some cases, AI is already in production for processes including risk identification, such as scanning and filtering third-party information sources to help enhance the risk inventory relating to specific assets. Another example would be to use internal and external historical risk data to conduct probability and impact assessments.

Taking this a step further, we can only imagine the future possibilities. A recent Forbes piece foresees three components of a fully AI-enabled risk management approach. A listening post would scan a vast array of data sources inside and outside the organization, feeding into the second component – a risk intelligence system.

This system understands the organization’s risk appetite and determines appropriate mitigation actions accordingly, automatically applying those that are possible without human intervention. The third component is the human element, dealing with mitigations that are too complex to be automated.

Of course, human oversight would still be desirable and perhaps necessary in some cases, particularly while the technology is still so nascent. However, it gives us a taste of what to expect.

Regulation 2.0

And what of compliance? Regulators are undergoing their own version of a digital transformation, with Regulation 2.0 looming on the horizon. A survey conducted jointly by the World Bank and the Cambridge Centre for Alternative Finance found that around 72% of financial regulators have either introduced or started speeding up digital infrastructure initiatives, mainly in response to the global pandemic.

A core component of this transformation involves a significant shift away from the heavily paper-based regulatory processes with which we’re all so familiar. For instance, in the UK, the Financial Conduct Authority is conducting a pilot program to make financial reporting requirements machine-readable. Ultimately, the idea is that an organization’s GRC software can interpret the regulation and update the relevant controls automatically.

In the Middle East, the Financial Services Regulatory Authority of Abu Dhabi Global Market has been engaged in a year-long project with an AI RegTech firm to digitize its entire library of rulebooks. The outcome is expressed as a set of APIs, meaning that organizations can interact with them more dynamically. This interaction is designed to be two-way – when the regulator wants to change something or introduce a new law, they can conduct testing and modeling that will help them better understand the impact from a compliance perspective.

If all this seems somewhat dizzying, it’s important to remember that every journey starts with a single step. Having a robust, fit-for-purpose GRC software platform that can enable an effective integrated risk management strategy is the best way to stay ahead of the curve. Contact VirtueSpark today and talk to us about your enterprise risk management needs.

[i] If you wish to receive a copy of the report, it is available from VirtueSpark on request.