Back in the day, manual processes were dominant, with telex and fax being the most common mode of communication. As a result, risk governance was also focused on these ways of business processing.
With the advent of the internet and e-commerce, business transactions began to be performed online and often in real time. Governance practices changed too, focusing more on risk related to cyberspace. Professionals acquired new cyberknowledge and skills to stay on top of the wave.
Information security risk professionals frequently discuss the evolution of information-related technologies. And although the evolution of technologies has simplified business processes in some ways, it has also given rise to data privacy and security risk. Risk governance in emerging technologies has become challenging due to their complexities and the murky legal and regulatory environment.
While organizations face the daunting challenge of securing their crown jewels while also complying with legal and regulatory requirements, little focus is left to create awareness among staff. However, risk awareness among staff has become more essential than any other time in the past.
Another critical point that needs more attention is meaningful compliance. Compliance can just be seen as a checklist to follow, but that view defeats the whole purpose of compliance. The focus should be on integrating compliance requirements with governance practices, with an emphasis on continuous improvement.
Traditionally, risk professionals have been looked at by management as advisors, which creates continuous pressure on them to be up to date with technology trends in the business operating environment. Although risk professionals are not expected to be technology or business experts, they are expected to understand the business process and the underlying risk. Risk professionals must leverage the expertise of relevant subject matter experts to establish the risk universe.
In my opinion, the GRC profession has a long way to go and is subject to evolution, with technology being the key business enabler. I expect emerging technologies will keep challenging risk professionals, with a focus on data privacy and security.
Editor’s note: For further insights on this topic, read Muhammad Asif Qureshi’s recent Journal article, “The GRC Journey Never Ends,” ISACA Journal, volume 1, 2021.
ISACA Journal Turns 50 This Year! Celebrate with us—and do not forget you can still receive the print copy by visiting your preference center and opting in!