Strategic risk and performance management: Maximizing value with GRC technologies

Governance, risk, and compliance (GRC) tools that automate manual steps allow for quicker reporting, analysis, and response to risk threats.

Modern organizations are competing for business in a marketplace undergoing rapid and disruptive technology changes. As such, businesses are reaching for technology-driven methods and tools to help deliver data-driven insights to reliably inform key leadership decisions, including strategic planning. When designed and matched to business use cases, these methods and tools can be used to help reduce or eliminate unwanted surprises (“risk”), improve governance and reporting, create early warning systems, and improve business process controls. “Knowledge is power” takes on a new twist in today’s marketplace. Business leaders must actively consider how to identify, prioritize, and implement technology that can deliver improved business results and reporting, including governance, risk, and compliance outcomes.

The ‘data scatter’ challenge

Today’s business reality is that many enterprises suffer from “data scatter”: their data is spread throughout the organization, across many stakeholders, and is not easily linked or matched by one tool or aggregated by business need (i.e., a business use case). As a result, internal departments may be limited in their ability to respond in a timely, accurate, and efficient manner to the risk and internal audit processes that organizational governance and oversight depend on (e.g., the Institute of Internal Auditors’ (IIA) Three Lines Model). When the data scatter problem festers, businesses begin to experience inefficiencies and blind spots, which in turn create ongoing risks to financial and operational performance, regulatory compliance, and so on.

Data scatter challenges and potential impacts include:

  1. Material blind spots may occur when data is not leveraged holistically across the organization to identify and assess the risks and controls tied to critical business processes. Threats to business goals and objectives then go unidentified or are escalated too late.
  2. Technology tools are not integrated, or one tool has critical workflow dependencies on other systems, so the tools do not work together as planned.
  3. Scatter also tends to impair organizational reporting, in particular its reliability and credibility. More fundamentally, it may impair an organization’s ability to aggregate, estimate, and predict potential future outcomes (adverse or otherwise) and to answer questions such as: what is our exposure, and how can we make better strategic decisions based on risk and return estimates?

How GRC technologies can help smooth the path forward

Leading organizations have shifted to more proactive risk management and oversight through governance, risk, and compliance (GRC) tools that are built to automate manual steps, allowing for faster reporting, analysis, and response to risk threats. These systems perform both business processes and compliance activities within the same workflows, and in the best cases function entirely within one complete system. A well-thought-out strategy is needed to weigh the two paths forward: integrating several existing systems, or consolidating onto a single critical system. Consolidation buys simplicity at the cost of over-dependency on one platform, so it should not be undertaken without adequate redundancy and roll-back measures.

What is driving the changes to GRC strategies and solution design?

  • Artificial intelligence (AI) capabilities
  • A strong correlation between performance management and risk management
  • Changing regulatory requirements

AI

Investments in more advanced risk management solutions can bring leaders and their organizations better peace of mind, allowing them to prioritize their efforts on remediation and resolution instead of research and investigation.

New AI-powered GRC solutions are driving the risk management programs of the future. These tools can scan multiple sources of information and be continuously tuned as tolerance thresholds, potential financial exposure, and impact estimates change. Their ability to drill down to the source or root causes of issues in a matter of seconds creates efficiencies in research that previously could have taken days.

GRC and risk management tools with embedded or API-connected AI models offer faster, more sophisticated analytics, continuous monitoring, and more thorough risk evaluations to mitigate threats, support compliance, and bolster operational performance. Note that an API-connected model is itself a third-party service that receives your risk data, so it belongs in the same third-party due diligence and monitoring process the regulations described below require for any other vendor.

Risk management = Performance management

There is no line between risk and performance. Risks have the potential to impact performance, and once a risk is realized, you’re now in triage or remediation mode.

Senior leaders sometimes have difficulty sharing information about risk indicators and performance metrics across teams, for various reasons. It could be culturally driven, information system/technology or licensing constraints, or even just a lack of awareness of what data is being captured across the organization.

Closing that awareness gap also requires people with the skill sets to model and draw correlations across large data sets. Developing these linkages across internal business data and external datasets is the best way to extract value from trends, quantify exposure, and move from reactive to proactive risk management.

If culture and internal politics are your main challenge, a well-articulated business case and collaboration driven from the top should help resolve these hurdles.

Regulatory requirements

The financial services and life sciences industries have driven many regulatory requirements, aimed at protecting customers and, in banking, the financial system itself from collapse. Over time these have evolved from higher-level security requirements to more detailed control requirements, stringent privacy tracking and disclosure obligations, and now operational resilience planning and ESG (environmental, social, governance) reporting.

Some companies that operate outside of the financial services and life sciences spaces might still be subject to certain requirements, depending on who their customers are and what types of personal information they collect. Examples include the CCPA (California Consumer Privacy Act) and other state-level privacy laws, the NYDFS (New York State Department of Financial Services) cybersecurity regulation (23 NYCRR Part 500), and the EU’s DORA (Digital Operational Resilience Act), which reaches third-party technology service providers that support financial services companies and banks.

Below is a brief outline of some recent financial service regulatory publications that organizations (and their vendors) will need to adopt and report on. A well-thought-out GRC technology and reporting strategy should not only drive internal efficiencies and more value-driven insights, but also meet your compliance needs.

  • DORA (2025)
    • Implement an overall risk management program and governance.
    • Maintain an established incident response program and associated reporting.
    • Implement an operational resilience testing program.
    • Implement and conduct third-party risk assessments and monitoring.
  • NYDFS (2023 and 2024): Covered entities must...
    • As part of third-party due diligence, evaluate whether third parties’ cybersecurity practices are sufficient, and require that a minimum set of cybersecurity controls be met before doing business.
    • Implement periodic reviews of third parties’ control environment and performance.
    • Establish policies and procedures to implement contractual protections, such as MFA (multifactor authentication), data encryption, breach notification, and representations and warranties of their cybersecurity practices.
    • Block the use of commonly used passwords (the amended regulation requires an automated blocking mechanism for Class A companies).
  • SEC (2022 and 2023)
    • Disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at the incident itself).
    • Develop and implement a cybersecurity risk management plan and strategy.
    • For registered investment advisers, conduct due diligence and ongoing monitoring of outsourced service providers (proposed in 2022).

Where to begin

To start to realize the benefits of quantitative models and AI, tackle the issue of “data scatter,” and become more predictive and proactive with your risk management programs, start with identifying your key company objectives and current challenges. Next, review your existing and recently procured technologies and your data availability to understand your current abilities. When developing new capabilities or augmenting current ones, build with future needs in mind, and how you can increase the value and insights that Risk and Compliance teams deliver.

Work with Finance and Procurement to (potentially) centralize technology use, and with the Security and Privacy teams to see where key risk and performance data resides, if not already inventoried. All of this should be summarized in a strategy and plan to execute over a 2-5 year period.

Over time you’ll want to:

  1. Enhance strategic decisioning based on risk and exposure estimations.
  2. Map out critical business services, products, and processes, together with their system, technology, and vendor dependencies, to help identify emerging risks earlier.
  3. Quantify the cost savings achieved by limiting risk (taking into account disruptions, litigation, fines, etc.).
  4. Implement visuals and dashboards across your organization to give you a “single pane of glass” visibility, bringing risk and performance information together from multiple sources, with custom views by department and level.
  5. Implement data and change management procedures.
  6. Train and upskill your employees.

All the above will help you and senior leadership enhance your decision-making based on integrated risk and performance data.

How CohnReznick can help

CohnReznick can help kickstart your initiatives with a strategy and plan for your organization, existing technologies, and data availability.

If you’re already ahead in some areas, we can meet you on your risk and performance management journey. We are widely recognized for tackling tough risk questions and delivering integrated systems and risk models with actionable insights to quantify and reduce volatility, protecting your investments.


Yvette Connor

MBA, Principal – Risk Advisory Practice Leader



This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.