2021 Trends: Governance, Risk Management & Compliance (GRC) : An Integrated Focus On Business Integrity & Resiliency


January 2021

2021 Trends: Governance, Risk Management & Compliance (GRC)
An Integrated Focus on Business Integrity & Resiliency

STRATEGY PERSPECTIVE
Governance, Risk Management & Compliance Insight
© 2021 GRC 20/20 Research, LLC. All Rights Reserved.

No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form
by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of
GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage
Guidelines established in client contract.

The information contained in this publication is believed to be accurate and has been obtained from sources
believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability
whatever for actions taken based on information that may subsequently prove to be incorrect or errors in
analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements
of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information
and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may
include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research
should not be construed or used as such.

©GRC 20/20 Research, LLC; Redistribution Rights Granted to MetricStream 2


Table of Contents

What Have GRC Functions Learned from 2020? ........................................ 5
What Can GRC Functions Expect in 2021 .............................................. 6
Three Strategic Trends in GRC in 2021 .............................................. 7
Supporting Tactical GRC Trends in 2021 ............................................. 8
GRC 20/20’s Final Perspective ..................................................... 10
About GRC 20/20 Research, LLC ..................................................... 12
Research Methodology .............................................................. 12

TALK TO US . . .
We look forward to hearing from you and learning what you think about GRC 20/20
research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC
related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.



2021 Trends: Governance, Risk Management &
Compliance (GRC)
An Integrated Focus on Business Integrity & Resiliency

The physicist Fritjof Capra stated:

“The more we study the major problems of our time, the more we come to realize that
they cannot be understood in isolation. They are systemic problems, which means that
they are interconnected and interdependent.”

Capra was making the point that ecosystems are complex, interdependent, and require a
holistic contextual awareness of the intricacy in their interconnectedness as an integrated
whole, rather than a dissociated collection of systems and parts. Change in one area
has cascading effects that impact other areas, as well as the entire ecosystem. Business
operates in a world of chaos. In chaos theory, the “butterfly effect” means that something
as simple as the flutter of a butterfly’s wings in the Netherlands can create tiny changes in
the atmosphere that have a cascading effect that can impact the development and path
of a hurricane in the Gulf of Mexico. A small event develops into what ends up being a
significant issue. The pandemic is one illustration of the interconnected and cascading
impact of risk on other risks, as well as on business performance, strategy, and objectives.

Gone are the years of simplicity in business operations. Exponential growth and
change in risks, regulations, globalization, distributed operations, competitive velocity,
technology, and business data encumbers organizations of all sizes. Keeping business
strategy, performance, uncertainty, complexity, and change in sync is a significant
challenge for boards and executives, as well as management professionals throughout all
levels of the business.

The interconnectedness of objectives, risks, resiliency, and integrity requires 360°
contextual awareness of integrated governance, risk management, and compliance
(GRC). Organizations in 2021 need to see the intricate relationships of objectives,
risks, obligations, commitments, and controls across the enterprise. This requires holistic
visibility and intelligence of risk in the context of objectives. The complexity of business –
combined with the intricacy and interconnectedness of risk and objectives – necessitates
that the organization implement an integrated governance, risk management, and
compliance (GRC) management strategy.



GRC [1] is: “a capability to reliably achieve objectives [governance], while addressing
uncertainty [risk management], and act with integrity [compliance].” There is a natural
flow to the GRC acronym:

• Governance – reliably achieve objectives. This is the governance function
of GRC: to set, direct, and govern the reliable achievement of objectives.
Objectives can be overall entity-level objectives, but also can be divisional,
department, project, process, or even asset-level objectives. Governance involves
directing and steering the organization to reliably achieve objectives.

• Risk management – address uncertainty. This is the risk management function
of GRC. ISO 31000 defines risk as “the effect of uncertainty on objectives.” Good
risk management is done in the context of achieving objectives; it optimizes risk
taking to ensure that the organization creates value.

• Compliance – act with integrity. This is the compliance function of GRC. It
is more than regulatory compliance; it is the adherence and integrity of the
organization in meeting its commitments and obligations. These commitments and
obligations can come from regulations, but also can be found in ethical statements,
values, codes of conduct, ESG [2], and contracts.

What Have GRC Functions Learned from 2020?

2020 brought organizations lots of disruption to objectives, operations, and employees.
What started with devastating wildfires in Australia moved into a global pandemic
that shut down the world and its various borders. Then, racial tensions and a focus on
discrimination led to reevaluating policies and conduct rules within the organization and
across relationships. This was followed by more wildfires in California, disrupting businesses. And
the year concluded with significant political turmoil, controversies, and a security breach
in a third-party context for the history books with the SolarWinds breach. Throughout all
of this was a risk and economic rollercoaster.

The year 2020 was a stress test of GRC-related strategies, processes, and integration.
Some industries and organizations failed, while others were resilient. But there are
lessons to be learned looking back on 2020 for all. These lessons showed us:

• Interconnected risk. Organizations face an interconnected risk environment, and
risk cannot be managed in isolation. What started with a health and safety risk
and became a global pandemic had downstream risk impacts on information
security, bribery and corruption, fraud, business and operational resiliency,
human rights, and other risk areas.

• Objectives became dynamic. As the pandemic unfolded, it had a specific impact
on business objectives. Adapting to the crisis, businesses had to modify their
strategies, departments, processes, and project objectives. Objectives became
dynamic in reaction to changes in risk exposure. These had to be monitored in
the midst of uncertainty in a state of volatility with the pandemic.

[1] GRC official definition in the GRC Capability Model, published by OCEG.

[2] ESG stands for Environmental, Social & Governance and encompasses what was formerly called
Corporate Social Accountability (CSR) and sustainability.

• Disruption. Business is easily disrupted by events from international to local. In 2020,
organizations had to respond to disruption from the pandemic, political protests
and unrest, economic uncertainty, changes in business models and a work-from-home
environment, human rights and discrimination protests, environmental
disasters (particularly wildfires), and one of the largest information security
breaches, the SolarWinds hack, which impacted over 250 organizations and is still
unraveling.

• Dependency on others. No organization is an island. The year 2020 showed us
that disruption and the interconnectedness of risk impact more than traditional
employees and brick-and-mortar business; they also reach the range of third-party
relationships the organization depends upon, as well as clients.

• Dynamic and agile business. Business had to react quickly to stay in business
in 2020. This required agility in changing employees, reduced staff with more
responsibilities, and shifting to work-from-home environments. All this introduced
new risks, as well as a demand for engaging employees and maintaining a strong
corporate culture in the midst of a global concern.

• Values were defined and tested. Organizations had to react to what their core
values were and how they practiced those values, from treating employees and
customers fairly in the midst of a crisis to how they address human rights issues such as
ethnic racism in their business, operations, and third-party relationships.

2020 taught us that reliably achieving objectives, managing uncertainty, and acting with
integrity requires a 360° view of governance, risk management, and compliance within
the organization and across its relationships.

What Can GRC Functions Expect in 2021

The world of business in 2021 is distributed, dynamic, and disrupted. It is distributed and
interconnected across a web of business relationships with stakeholders, clients, and
third parties. It is dynamic, as business changes day by day: processes change, employees
change, relationships change, regulations and risks change, and objectives change. It is
disrupted: 2020 was the poster child for business and third-party disruption that rolls into
2021. The ecosystem of business objectives, uncertainty/risk, and integrity is complex,
interconnected, and requires a holistic contextual awareness of GRC – rather than a
dissociated collection of processes and departments. Change in one area has cascading
effects that impact the entire ecosystem.

This interconnectedness of business is driving demand for 360° contextual awareness
in the organization’s GRC processes to reliably achieve objectives, address uncertainty,
and act with integrity. Organizations need to see the intricate intersection of objectives,
risks, and boundaries across the business. Gone are the years of simplicity in operations.
Exponential growth and change in risks, regulations, globalization, distributed
operations, competitive velocity, technology, and business data impede the ability of the
business to be agile in times of uncertainty.

This challenge is even greater when GRC management is buried in the depths of
departments and approached from silos, rather than as an integrated discipline of
decision-making that has a symbiotic relationship with the performance and strategy of the
organization.

Three Strategic Trends in GRC in 2021

The elements of distributed, dynamic, and disrupted business are driving significant
changes in GRC strategies in organizations in 2021. In addressing governance,
risk management, and compliance, GRC 20/20 is observing three strategic trends
organizations are focusing on in 2021:

• Integrity. Organizations are re-evaluating their internal core values, ethics, and
standards of conduct in 2021 and how these extend and are enforced across the
organization. The integrity of the organization is a front-and-center concern.
Organizations see the need to define and live their corporate values in the
business, its transactions, with clients, and in third-party relationships. This
includes a focus on human rights, privacy, environmental standards, health and
safety, corruption, conflicts of interest, compliance, how risk is managed, conduct
with others (e.g., customers, partners), privacy, and security.

• Resiliency. Firms globally and across industries are focusing on resiliency. The
organization has to maintain operations in the midst of uncertainty and change,
and this is becoming a key regulatory requirement in some industries. [3] This
requires a holistic view into the objectives and performance of the organization
in the context of uncertainty and risk. Organizations are striving for business and
operational resiliency, which requires an integration and symbiotic interaction of
risk management and business continuity. The organization in 2021 has to be a
resilient organization with full situational awareness of the interconnected risk
environment that impacts it.

• Integration. To support a federated GRC strategy in 2021, organizations will
look to rearchitect their GRC technology and information architecture. This will
involve moving to agile GRC solutions that can manage the range of governance,
risk, and compliance needs across the organization and engage back-office risk,
compliance, and assurance functions (2nd and 3rd lines), as well as front-office
risk takers and owners (1st line). Key to this integration is the ability to provide
robust analytics and contextual awareness of objectives, risks, and controls to
ensure that objectives are met, while uncertainty, risk, and integrity are managed
across the business.

[3] This is a particular focus of regulators in the financial services industry. The United Kingdom’s Financial
Conduct Authority, Prudential Regulatory Authority, and Bank of England have been leading in
operational resiliency regulation. This has now been picked up by the European Union as well as the
United States Office of the Comptroller of the Currency to address operational resiliency regulations.



Supporting Tactical GRC Trends in 2021
The strategic drivers – integrity, resiliency, and integration – are supported by several
tactical trends impacting organizations in 2021. These are:

• Maturing risk management. There is growing pressure to mature risk
management in organizations. This includes more focus on risk quantification,
aggregation, and normalization. The range of RFPs that GRC 20/20 is monitoring
and advising on shows increased focus on these criteria. This is also
moving forward through standards and regulations, such as the German IDW
PS 340 requirements.

• Policy management and regulatory change. Organizations across industries
– but particularly financial services, healthcare, and life sciences – are seeing
ongoing changes to regulations. Combined with the focus on integrity,
organizations are developing enterprise policy management strategies to
provide for collaborative policy authoring, management, and engagement. This
includes the back-office management, monitoring, and enforcement of policies
as well as the front-office engagement and awareness of policies.

• Compliance and ethics management. It has become clear that organizations
need a federated compliance management strategy. There is no single
department responsible for every aspect of compliance. Compliance functions
have been scattered and operating independently of each other. There is IT/
information compliance, privacy compliance, HR compliance, environmental
compliance, health and safety compliance, government contracting compliance,
procurement compliance, quality compliance, corporate compliance and ethics,
and more. Organizations are beginning to develop collaboration and federation
across these compliance and ethics functions so they work together yet retain their
autonomy.

• Employee engagement and culture. 2020 has forced organizations to rethink
how they engage employees in 2021. Employee engagement in a remote work-
from-home environment drove many organizations to look for new technologies
to engage employees and communicate risks, controls, policies, and awareness.

• Compliance and defensibility. Organizations are driven by regulators, law
enforcement, external auditors, civil suits, and more to have a clear and
defensible system of record of compliance activities. Regulator and law
enforcement guidance, such as the updated U.S. Department of Justice
Evaluation of Compliance Program Guidelines, specifically looks for a
robust system of record of compliance activities. Defensibility is also a
focus of the organization’s risk management and assurance practices.

• ESG reporting. GRC strategy and focus is turning to ESG (Environmental, Social
and Governance) reporting at a board level. An organization’s ESG practices and
reporting dictate the evaluation and monitoring of its
environmental, social, and governance practices across the organization and
its relationships. This has been a significant focus in Europe and is now gaining
momentum in the USA. Bloomberg, Blackrock, the Social Accountability Standards
Board (SASB), and the most recent National Association of Corporate Directors
report show this as a growing board and corporate-level concern.

• Privacy. The EU’s GDPR and California’s CCPA are top of mind in many
organizations in the context of increased risk exposure. The CCPA is now evolving
into the CPRA, extending privacy requirements in California. The Schrems II decision in the
EU has shifted strategies. There are new privacy laws coming into effect (e.g.,
Switzerland).

• Information Security. Information security remains a significant focus in 2021,
particularly in the wake of the SolarWinds hack reported at the end of 2020,
which impacted over 250 organizations that use SolarWinds. The work-from-
home environment, which is here to stay, has many organizations rearchitecting
their strategy, processes, and technology for information security.

• Accountability Regimes. There is a sweeping array of accountability regimes/
regulations that are putting personal liability on senior management functions
(e.g., executives) for conduct, risk, compliance, control, and ethics issues. These
individuals can be personally fined or go to jail. It started with the UK’s Senior
Managers and Certification Regime (SMCR) and has cascaded into Australia’s
Banking Executive Accountability Regime (BEAR), Ireland’s Senior Executive
Accountability Regime (SEAR), Hong Kong’s Manager in Charge (MIC), and
most recently Singapore’s Individual Accountability regime. Firms that are not
headquartered in these geographies, but have operations there, have to comply as
well.

• Third-Party GRC/Risk Management. The interconnectedness of business is
driving demand for 360° contextual awareness in the organization’s third-party
relationships. Organizations need to see the intricate intersection of objectives,
risks, and boundaries in each relationship. Gone are the years of simplicity in
operations. Exponential growth and change in risks, regulations, globalization,
distributed operations, competitive velocity, technology, and business data
impede third-party relationships and the ability of the business to manage them.
These elements of distributed, dynamic, and disrupted business are driving
significant changes in third-party governance, risk management, and compliance
strategies in organizations.

• Environmental. It is a central component of ESG, but also stands on its own
because of the critical nature of environmental issues, risk, and regulation.
Environmental change is a significant focus for organizations and corporations.
The World Economic Forum, in its Global Risk Report each year, lists
environmental risks at the top. With an incoming Biden administration in
the USA, there will be renewed focus on joining Europe in environmental
regulation, and this impacts organizations. Some regulators, such as the UK
FCA through the SMCR regulation, are putting pressure on senior management
functions to be accountable for managing climate change risk to the organization.



• Health and Safety. The pandemic of 2020 has brought health and safety front-
and-center to all aspects of governance, risk management, and compliance
within the organization and in the extended enterprise. There is a renewed focus
on monitoring the health and safety risks in the business from both a human
rights perspective (which ties into ESG) and a resiliency program perspective.

• Greater Assurance. These drivers and trends in 2021 impact the role of internal
audit and assurance functions. Audit is being tasked to do more to provide
assurance across these areas. Gone are the days of audit being focused purely on
internal controls over financial reporting and IT controls. Today’s audit department
has to provide a range of assurance activities across operational areas and third-
party relationships.

• GRC Technology. Technology is changing to address these trends. There is
greater focus in RFPs on selecting solutions that are agile and easy to adapt
to the business environment. Solutions are also becoming more engaging,
providing contextually relevant information in modern user interfaces to engage
front-office/first-line employees, as well as having the depth of analytics and
modeling for back-office/second- and third-line GRC functions. Technology is
also embracing the move to cognitive computing, artificial intelligence, and robotic process
automation in 2021 and beyond.

GRC 20/20’s Final Perspective

The primary directive of a GRC management capability in 2021 is to deliver effectiveness,
efficiency, and agility to a business that needs to manage integrity and resiliency in the
midst of uncertainty.

This requires a strategy that connects the enterprise, business units, processes,
transactions, and information to enable transparency, discipline, and control of the
ecosystem of risks and controls across the organization. Organizations need a mature
GRC capability that brings together a coordinated strategy and process.

Successful GRC management in 2021 requires the organization to provide an integrated
process, information, and technology architecture. This helps to identify, analyze,
manage, and monitor GRC, and to capture changes in the organization’s risk profile from
internal and external events as they occur. It requires the organization to take a top-
down view of risk linked to objectives, led by the executives and the board. It also
involves bottom-up participation, where business functions at all levels identify and
monitor uncertainty and its impact on objectives. This enables GRC management to be a
seamless part of governance and operations. While that may sound like hard work – and
it is – organizations that get a good grip on their GRC initiatives in 2021 have a much
better chance of thriving in today’s complex business world.



Organizations striving to improve their GRC management capability in 2021 will find they
are more:

• Aware. They have a finger on the pulse of the business and watch for changes
in the internal and external environments that introduce risk to objectives. Key to
this is the ability to turn data into information that can be, and is, analyzed and
shared in every relevant direction.

• Aligned. They align performance, risk management, and compliance to support
and inform business objectives. This requires continuously aligning the objectives
and operations of the integrated GRC capability to those of the entity, and
giving strategic consideration to information from the GRC management capability
to effect appropriate change.

• Responsive. Organizations cannot react to something they do not sense. Mature
GRC management is focused on gaining greater awareness and understanding
of the information that drives decisions and actions; it improves transparency and
quickly cuts through the morass of data to uncover what an organization needs
to know to make the right decisions.

• Agile. Stakeholders desire that the organization be more than fast; they require
it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong
direction. GRC enables decisions and actions that are quick, coordinated, and
well thought out. Agility allows an entity to use GRC to its advantage, grasp
strategic opportunities, and be confident in its ability to stay on course.

• Resilient. The best-laid plans of mice and men fail. Organizations need to
be able to bounce back quickly from changes and risks with limited business
impact. They need sufficient tolerances to allow for some missteps and the
confidence necessary to adapt and respond to opportunities rapidly.

• Efficient. They build business muscle and trim the fat to rid their expenses of
unnecessary duplication, redundancy, and misallocation of resources, making
the organization leaner overall, with enhanced GRC capabilities and related
decisions about the application of resources.



About GRC 20/20 Research, LLC

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and
compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and
analysis. We provide objective insight into GRC market dynamics; technology trends; competitive landscape;
market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem
of GRC solution buyers, professional service firms, and solution providers. Our research clarity is delivered
through analysts with real-world expertise, independence, creativity, and objectivity that understand GRC
challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000
companies, major professional service firms, and the breadth of GRC solution providers.

Research Methodology

GRC 20/20 research reports are written by experienced analysts with experience selecting and implementing
GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria,
regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research
reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and
best practices. Research facts and representations are verified with client references to validate accuracy. GRC
solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion.

GRC 20/20 Research, LLC


+1.888.365.4560
www.GRC2020.com
