How Digital Transformation Really Drives GRC

Published 04/03/2017

Like most technology startups, we welcome digital transformation of the business world. It opens new markets, lets you forge closer bonds to customers and business partners, increases profits, accelerates sales cycles. Wonderful stuff, and we mean that.

For compliance and risk professionals, however, the digital revolution brings challenges unlike any you’ve faced before.

The easy analysis is to say that all the benefits mentioned above also bring new risks—ones that can strike unexpectedly. New markets bring new corruption or money-laundering risks; new business partners bring new data security risks. That’s all true.

But unless compliance officers want to keep reacting to new risks, frantically whacking them down every time they crop up, they need to ponder this new risk and compliance landscape more deeply. What really changes during digital transformation? How can you build a sustainable compliance strategy in that world?

Well, we know that digital transformation changes two things at a company: the assets it owns, and the processes it uses.

For example, according to financial research firm Calcbench, intangible assets (intellectual property, trademarks, goodwill, and so forth) accounted for 9.6 percent of all assets on the balance sheets of the S&P 500 in 2011. Five years later, the figure was 11.15 percent—and that’s only for the large, stable businesses of the S&P 500. For younger, smaller firms, the percentage can be much higher.

That tells us that as this transformation continues, more of a company’s value will be determined by what it knows (data collection and analytics capability), and what others know about it (reputation). That’s a world apart from the value determined by the cash and goods a company possesses.

So if creating and preserving value is what the board worries about (pro tip: it is), then for risk and compliance managers, the future will be about how to help the company protect its proprietary knowledge and its reputation.

Easy enough so far. When we add the future of digital processes, however, the situation gets trickier.

Visibility for All

On one level, digital processes are fantastic: they enhance that collection and analysis of data we mentioned above. Everything the company does can be labeled, logged, saved, retrieved, and analyzed, all at a moment’s notice.

On another level, however, that same advantage that digital processes bring—enhanced visibility into operations—can be turned against the company’s other objective of protecting value and reputation. Why? Because all the power of that enhanced transparency is available to anyone, inside the company or out, who knows the proper way to ask for it.

This is more than saying, “Don’t let hackers steal your data.” In today’s highly interconnected business world, with many third parties acting as part of your extended enterprise, the goal is to govern how your data is used. The strength of your governance processes will become enormously important.

For example, the ability to perform due diligence on third parties, and to produce that homework on demand, will be invaluable. Maybe regulators will want to see that work as they investigate a money-laundering rumor; maybe social media activists will want to see it as they talk up a human-trafficking scandal in your supply chain.

Regardless, success will hinge on your ability to demonstrate that your business processes are grounded in strong ethical values and that they work. If they work, your digital assets are protected; if they’re ethical, your reputation is protected.

One practical example of this is the Corporate Human Rights Benchmark, a project supported by institutional investors that takes data disclosed by large businesses (that is, transparency) and uses it to pressure those businesses into improving their conduct. Another is United Airlines: the company stumbled into a social media snafu recently when it barred two girls from boarding a flight while wearing leggings. That decision was in compliance with company policy (no leggings for people flying on United employee guest passes), but the ensuing outcry underlines the importance of clear policy, good judgment, and knowing when to grant exceptions or stand firm.

Will surprises still come? Absolutely. But strong, effective GRC builds a company’s resiliency to weather the storm, and that will be the most important key to success of all.