Press release: PwC: 2021 Asia Pacific governance risk and compliance Insights Survey

Published: Jun 2021

On 28th May 2021, PwC launched the 2021 Asia Pacific Governance Risk and Compliance Insights Survey Report, entitled ‘Next generation digital GRC’. According to the report, COVID-19 has brought unprecedented challenges. As companies resume operations and adapt to new ways of working, many are looking inwards to see how they can tackle urgent and complicated governance, risk and compliance (GRC) issues. They are shifting the focus of compliance activities from those which result in high costs on customer experience, finances and culture to those which build trust, enhance resilience using technology and support competitive advantage.

Jasper Xu, PwC Asia Pacific and Mainland China/Hong Kong Governance Risk Compliance & IA Leader said: “Throughout the last decade, the concept of governance, risk, and compliance has been viewed as a supporting function. However, more than ever, businesses are evolving to respond to shifting market dynamics, new digitally enabled competitors and changing customer expectations. Addressing these emerging challenges requires companies to rethink how to integrate GRC in order to build trust and enhance their market competitiveness. Otherwise, businesses cannot successfully manage rising uncertainty, complexity, and ambiguity around today’s regulatory and geopolitical environments.”

The Survey involved 95 senior leaders in 8 territories, exploring the sources and outlook of uncertainties and how Risk and Compliance leaders are taking action to address them. Conducted in August, September and October of 2020, this survey focuses on insights in the following areas: GRC maturity, technology maturity, and GRC vision.

GRC maturity – The starting point of enterprise digital transformation

Of the APAC GRC Leaders surveyed, 49% reported that they either haven’t started to raise the GRC standard or are working towards streamlining compliance functions in one business unit. In addition, 56% said that compliance and oversight is not managed by a central department. As the world is experiencing an unprecedented rate of change, many organisations have identified speed of technology change as a key risk to growth and are looking forward to embracing digital transformation. However, some are unclear how to embark on this journey and how to move from traditional ways of working to digital GRC platforms.

According to PwC’s recommendations, it is important to understand the organisation’s GRC maturity in areas such as risk management and compliance before platform integration and GRC technology adoption. As a minimum baseline, management should understand their current GRC maturity level. Understanding this baseline will enable organisations to identify their desired state of maturity and implement a road map and remediation plans to achieve this in a timely manner and ensure that they get the most value out of their GRC functions and processes. The implementation of GRC technology needs to be supported by established processes which enable effective input of GRC tools, and a strong culture of engagement in the GRC processes by all stakeholders. One of the critical success factors for any transformation is ensuring that process changes and new operating models are working in practice, instead of just working in theory.

Technology maturity level – Collaboration between the business and risk functions needs to be strengthened to provide an integrated technology experience

The Survey showed 61% of respondents reported that they use paper/spreadsheets to track how they manage risk and compliance. Organisations are struggling to get an integrated and complete view of the risks they are facing, as well as to predict what might happen in terms of their risk programme. From the start of the COVID-19 pandemic until now, organisations are still struggling to collect risk data on time to understand the effectiveness and functioning of controls and processes.

How organisations change from paper/spreadsheet-based risk documentation to a digital platform is crucial. The importance of making sense of how structured and unstructured data are incorporated into the establishment of a strong GRC culture and supporting processes cannot be underestimated in the digital world. GRC technology allows organisations to use it as a repository for data and records across all functions, also enabling sharing with third-party service providers.

While the majority of the large organisations have already established their lines of defence, communication still appears to be siloed. GRC technology would help to level up the collaboration across risk management and business departments by integrating risk identification, risk management and testing procedures into a unified platform. It would help to break down the separate operations of each risk function, promote shared information, reinforce risk management and provide risk protection for the entire organisation.

GRC vision – Risk management department’s demand for technology continues to grow

A GRC vision should be aligned with a vision for an organisation’s supporting functions (including risk, internal audit, compliance, etc.) to digitalise and improve their utilisation of technology. Imelda Kwong, PwC Hong Kong GRC & IA Leader said: “The vision is to create a truly connected decision-making solution. We see the opportunity to connect data to risk frameworks, allowing us to identify risks that may not be apparent to businesses. By bringing together all data sources, we can make strategically aligned, faster, more coordinated and informed business decisions.”

Looking forward, the importance of GRC technology in risk management will continue to grow. According to the Survey, 64% of those interviewed believed that an enterprise’s compliance requirements could be fulfilled through the use of compliance-specific technology. An integrated platform would help integrate operational processes across multiple dimensions of risk and compliance, not just within a discrete process but right across the enterprise, all activities and all lines of defence. Moving towards an integrated platform allows an organisation to aggregate risk and control information, and ensure compliance with listing rules, corporate governance codes and other regulations.

Through the Survey we noted that most believed the compliance, risk, and incident management functions can be automated. We can see key themes of transitioning risk management programmes from reactive and tactical to proactive and strategic. Leading complex organisations are transforming their risk and compliance functions to enable effective reporting to drive risk prioritisation, effective decision making and efficient resource deployment.

Jennifer Ho, PwC Global Risk Assurance Leader said: “In a world of rapid change, digitisation and disruption – trust has been eroded across many parts of society. Stakeholders are seeking trusted sources of information around issues such as effective management of cyber risk, reliability of data and transformation programmes. Focusing on strategy execution and transforming risk into confidence will drive your business forward.”

A digitalised GRC could be the solution in dealing with new and emerging risks for all organisations while creating long-term value. While compliance, IA, and risk professionals understand the need for GRC technology, the common challenges or barriers to implementing the solution are management buy-in, cost vs. benefit, and lack of understanding of the technology capabilities. Success factors to start a GRC journey are a strategy/roadmap in GRC and business, support from business champions and product design experts, a clear future plan to enable the GRC process to evolve with the business, supplementary training, and effective integration processes that align with the solution and technology strategy.

Looking to the future, GRC technology should not be viewed in isolation. It is still necessary to improve the flexibility of GRC technology implementation and regard it as a long-term plan. At the same time, it needs to be pragmatic and scalable, and keep up with changes in corporate risk levels and management arrangements; most importantly, it needs to promote growth and create value for the company in a multitude of ways.