The Challenges of Maintaining a GRC Program in a Rapidly Changing Regulatory Landscape

Earlier this year, I became a pet owner for the first time since becoming an adult and moving out on my own. I’d wanted to adopt for years, but my life’s circumstances never seemed to align with my dream. Either the building I was living in didn’t allow animals, whomever I was living with at the time wasn’t open to it, or I wasn’t certain I’d be living in the same place for very long.

That all changed this year. I’d had a successful experience with allergy shots, my social media algorithms had become determined to show me a plethora of cat videos, and I’d done extensive research to affirm that now was the time to take two baby kittens home with me. I was committed to investing my time and resources into making my home cozy, inviting, and fun for my new feline friends.

From day one, they were excited and ready to play. I’d purchased two wand toys that seemed to be a real crowd-pleaser, as well as some crinkly balls they could toss around and little springs that would roll across the ground. However, I quickly realized that this wouldn’t be enough.

I didn’t have enough free hours in the day to both swing their wand toy around and keep them from getting bored. So I did some more research and invested in a little automatic mouse that runs around haphazardly for them to chase. But that, along with the springs I bought for them, would eventually tumble down the stairs in our condo and land in a little cat toy graveyard next to our front door.

I would soon learn that there was no easy, one-size-fits-all solution to keeping my kittens entertained. They’d get bored easily, or sometimes a toy just didn’t work out the way I’d hoped, and then it was on to introducing something as simple as a new box for them to hide in, or researching a new take on something I already knew they liked.

As any risk and compliance professional can attest, my adorable kittens aren’t the only ones with a constant desire to keep things interesting. In fact, according to the 2023 Risk & Compliance Report published by the Thomson Reuters Institute, “taking day-to-day concerns out of the equation, 61% of all respondents reported that their top strategic priority over the next 12 to 18 months was keeping abreast of upcoming regulatory and legislative changes.” Often, changing requirements for conducting business in certain regions or industries, along with pressure to keep up with competitors, affect how companies prioritize these changes.

There are three challenges that I’ve found impact how well an organization is able to keep up with the rapidly changing sea of requirements:

Keeping up with different frameworks and regulations as they are published

73% of respondents in Thomson Reuters Institute’s 2023 Risk and Compliance Report said their “top source for the most up-to-date risk and compliance information was simply ‘general publications and newsletters’.” This was followed by attendance at conferences, professional networks, webinars, search engines, and tools.

Authoritative sources are usually the best way to learn about changes that may affect your organization’s compliance posture, but the difficulty with relying on these alone lies in the volume and frequency of changes and the unpredictability of when they will be published.

Even for large organizations with the resources to keep up with it all, it can be difficult to wade through all of the information that’s available to figure out what’s actually going to affect your company, and what’s just nice to know. For smaller organizations whose security team wears multiple hats, it can be difficult to find the resources to dedicate the time and effort to keep up alongside all of the other tasks they’re working on.

Tooling can help. Particularly if your organization works in a limited number of industries or in a specific region, and you have the money to invest in a tool that will automatically share relevant updates, there are tools available on the market that can be configured to provide the information you need to your team as soon as it’s available. The challenge with this is that you have to know what you need it to look for, and in organizations where rapidly evolving business needs impact the push to introduce new compliance requirements, you likely won’t be able to rely on a tool alone.

Deciding on the best course of action and doing it quickly

Once your GRC team is aware of new requirements or regulatory changes that are going to affect your organization, you need to find out what next steps need to be taken rather quickly. 

Chances are, your team already has processes in place to perform gap assessments and audits that can be leveraged to act upon these changes. However, sometimes interpreting the immediate next steps, scope, impact, deadlines, and risk that may result from non-compliance is more difficult than creating an action plan to actually implement the new requirements.

Sometimes what your organization is expected to do can be quite literally hard to interpret: if you do business in a number of different countries, your team may be left to figure out what they have to do by reading government documents written in a foreign language. Other times, the timeline for complying with the change may restrict your team’s ability to get approval for proposed solutions that are not implemented in the exact way the new requirements describe, but that effectively mitigate the risk that inspired the change to the requirements in the first place.

This challenge is one area where leveraging external expertise and engaging with peers can help significantly. Beyond properly planning for the time it takes to interpret new requirements and what they mean for the company, in addition to the actual implementation and assessment period, being able to “phone a friend,” whether they are a vendor, partner, or peer, can be a tremendously valuable resource.

Understanding how to prioritize changes that may interfere with work that has already been planned

Change is disruptive. Regulatory changes often occur unexpectedly, and have the potential to wreak havoc on regular workflows and any attempt to set a roadmap further than a couple of quarters ahead.

Ultimately, responding to these changes comes back to a process issue. Developing a process that integrates new requirements into existing frameworks as efficiently as possible, building flexibility into budgets and roadmaps as part of your overall compliance strategy, and over-communicating with stakeholders inside and outside of the organization are key to making this tricky problem a bit easier on everyone involved.

With the recent enthusiasm around AI, there is hope.

As reported in the 2023 Risk & Compliance Report published by the Thomson Reuters Institute, “almost half (48%) of survey respondents thought AI could potentially improve internal efficiency, while 35% thought it might help departments keep abreast of upcoming regulatory and legislative changes.”

What are your thoughts? Do you think that AI will help organizations address the challenges of scaling GRC programs amidst the rapid growth of regulatory changes? What have you found works best for your teams?