Transcript: GRC Technology Perspectives Around the Globe - Middle East

Hello. This is Kevin Donahue with Protiviti, welcoming you to a new installment of Powerful Insights. We’re producing a series of podcasts on GRC programmes and technologies, obtaining perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets. This episode features my conversation with Protiviti managing director Rakesh Kabra. Rakesh leads Protiviti’s Risk Technology Solutions practice for the Middle East and India. He offers his viewpoints on GRC developments and advancements in these markets. Rakesh, it’s great to speak with you today.

Thanks a lot, Kevin. I’m also quite excited to talk about the GRC drivers in our marketplace as well, in both Middle East and India.

Terrific. Rakesh, that actually is my first question. In considering the markets you oversee in India and the Middle East, when it comes to GRC technologies, what are the GRC drivers you’re seeing in those markets right now?

Kevin, if we classify the organisations, let’s say, into large, medium and small based on the size of the enterprise, the requirements would vary based on the maturity of the organisations. The two common factors, or what we see, are the rate of scale to better technological standards and meeting regulatory requirements. Beyond this, digitally mature large and medium enterprises look for GRC solutions to augment their existing governance landscape and improving business decision-making.

Organisations with medium digital maturity focus more on improving their practices or business decision-making by deploying the GRC solution as part of their digitalisation strategy. Small organisations, obviously, are much focused on everything – compliance and regulations or assurance services – while they have a road map for technical enhancements. Basically, large and mature organisations focus on solutions that are industry-focused and have strong capabilities to easily integrate with their other systems, like ERP, to provide robust and accurate reporting, including workflows for automation to follow up and close open items.

We typically prefer to work with solution providers who can augment solutions with industry and domain expertise. That’s why I think Protiviti, with our expertise on both the solution side and the software side, has the best placeholders when the clients reach to us. For medium-size enterprises, ease of use, configurability and pricing are the key considerations, since the solutions need to fit in their digital road map. Smaller enterprises tend to jump-start with functionality at optimum price and then keep adding as they grow. I would say, again, based on the type of the organisation across different industries and based on the maturity would be the primary drivers for the GRC.

That’s great, Rakesh. Thank you. Next, I wanted to ask you about innovation. What, if any, innovations in GRC are you seeing in the markets that you cover right now?

From the Middle East perspective, especially the UAE, they can be considered early adopters from the standpoint of technology-adoption lifecycle. Typically, this region has been a closed society, culturally, but over the last few years, they’ve opened up quite a bit, and they are almost on the forefront of technology, and the same applies for the GRC solution as well. While they initially have been factored in or looked at, most stand-alone audit management systems that started in the heyday, today, GRC plays a vital role as a domain in driving organisational performance.

Naturally, the expectations from the systems have grown to include instant value with cloud-based deployments for cost optimisation and security, mobile-based alert mechanisms, and even using bots to initiate recovery processes during continuity failures. I’ve seen IT infrastructure teams deploying automated bots that not only monitor and perform system monitoring, but also handle auto-recovery during crashes as well.

RP has become traditionally quite a big thing from an innovation perspective. Traditionally, such capability was not considered part of a GRC solution, but today, our clients are asking, “Why not?” since risk management and mitigation is part of GRC, and IT risk is a key threat to any organisation. It is also becoming commonplace to leverage NLP-enabled bots to capture issue-related data from the first line of defense in a manner that is simple, seamless and engaging. Organisations are now engaging in proof of concept to use predictive analytics – machine learning, for example – and even advanced visualisation for correlating data like never before. I’m sure the same goes globally, in the US especially, but we’re seeing those kinds of innovative practices being held in both the Middle East and India.

I’m sure such advancements would make the role of GRC much more technically advanced, with data-driven decision-making augmented with automated recommendations for handling potential risks for organisations. I think these are the innovative things, and it becomes challenging in certain ways from this kind of innovation, what it does from an audit management perspective – How do you control the bots? How do you manage and monitor the bots? We see a lot of innovation coming in this area.

Rakesh, next, I want to turn to some of the tools you’re implementing and/or maybe leading to your implementing on a day-to-day basis. What would you say is the key tool that you are implementing for your clients in India, as well as in the Middle East?

Good question, Kevin. GRC, as an overall domain perspective, is taking strength now, as I said. Initially, over the last few years, an audit management solution was our key requirement for the clients to automate their entire end-to-end internal audit management, whether it be from risk assessment to planning to executing on audit, as well as follow-up, but over the last year or so, we’re seeing a major shift from not just being an internal audit solution, and our clients are now really focused on enterprise risk management solution, as well as compliance. We’re seeing a lot of client requirements related to automating their whole enterprise risk management prospect, whether it’d be either a COSO Framework or an ISO 31000 in managing their risk register. We’re also now seeing trends with respect to linking their risk with incidents or KRIs and KRAs to manage their courses better.

Overall, in addition to just the tool or the solution within risk management, integrated data visualising has become a big, major factor. Clients are looking for really good dashboards and visualisation tools so they can pinpoint and get to the root of the problem very quickly. An integrated solution with visualisation tools like Power BI is becoming a major requirement in this marketplace.

Rakesh, what challenges are organisations facing, in your experience, when pursuing integrated GRC in their markets?

Kevin, I think the first and foremost challenge in any systems implementation is change management. When I think about change with digitalisation by itself, it’s a major task. All organisations need to handle it with extreme diligence. Additionally, there’s always a presence of manual process side-by-side with legacy systems, which makes technical integration and making any process seamless a challenge. Specifically, from a GRC perspective, some key challenges that organisations need to address include having a unified vision aligned with digital strategy. By that, I mean an integrated approach between, let’s say, audit management and risk management, where the risk register that is created by the business team or the risks team from the business side is closing to the audit in an integrated way, so that people don’t have to maintain two different risk registers and manually input and export data.

This is a key indicator of digital maturity and one of the most important factors, I would say, for driving the effective digitised GRC environment. The external challenges are mainly from a changing technological landscape with new cyber security threats and security issues that are becoming quite prevalent in this digital age. Regulatory and compliance updates from regulatory boards and government, in most cases, are not passed on via a singular, secured, digital channel. By that I mean, unlike, for example, in the US, where the compliance regulations are available in a digital format through a centralised service provider, and then can be integrated with the GRC system. In the Middle East and India, some of those things are not digitised. We still look for our clients to look at guidelines, publications or public announcements.

As such, creating an environment to receive process updates and act on regulations and compliance updates is a major challenge. In most cases, it required digital intervention of experts in the subject matter, IT, and in some cases, solution providers. Also, uncertainty in the regional economic, geopolitical status, environmental issues, and ups and downs in the market forces also affect the overall focus of the organisation and investments toward an integrated GRC. I would say these are some of the challenges that we or the organisations in this part of the world face.

These have been great insights. Thanks, Rakesh. Let me wrap up our discussion with one final question here. We obviously hear a lot in the market around the world and in many or most industries around digital transformation. How are you seeing organisations incorporating digital transformation practices into their GRC programmes?

Very good question, Kevin. As I mentioned earlier, the role of GRC has only changed from being the stand-alone software to being the linchpin in business decision-making. Let me take a few examples. Customer churn is a key risk for telecom operators, for example – a strong and digitised GRC system integrated with a customer central data and working with advanced analytics to potentially identify both threats and opportunities based on trends on data on consumer behavior, potentially impacting consumer sentiments. Gamification is being applied across most industries. Based on the situation, data generated, when seen under the GRC lens, may highlight rejection or acceptance of products, thus potentially saving or creating business cases or investment of millions of R&D dollars. Not only better decision-making but also data visualisation plays a key role in identifying knowns and unknowns, especially in the assessment of threats or opportunities. It could be based on historical trending. However, with advanced data coordination technology, it is now possible to identify factors affecting business, which may have been overlooked earlier. I believe operational excellence is one of the key outcomes of a well-implemented GRC programme. That’s how I would see incorporating digital transformation affecting our GRC programmes.

Rakesh, it’s been a pleasure speaking with you today. Thanks for joining me. Thank you for listening today. I hope you found Rakesh’s comments to be interesting and insightful.