Our first-ever Galvanize HighPoint came to a close earlier this month, and what a jam-packed three days it was.
We hosted workshops that covered everything from automating processes with ACL Robotics to demonstrating compliance with Compliance Maps, and revealed some of our biggest product developments to date. We introduced you to Diligent, our new parent company, and welcomed Diligent CEO, Brian Stafford, to talk about the Galvanize and Steele acquisition and our shared vision for the GRC space. And we lined up more than 25 inspiring talks from our most innovative customers and top industry experts.
Here’s a look at some of the biggest themes and most interesting takeaways:
GRC technology is ready and waiting for you to take the reins
Dan Zitting, Managing Director and CEO here at Galvanize, gave us a thought-provoking peek into the future of GRC when the industry embraces its most powerful tool: technology. He shared that tech like artificial intelligence, machine learning, and robotic process automation is already embedded in our everyday lives—it’s telling us the weather or suggesting the perfect mini-series—but when it comes to GRC, it’s still largely absent from the equation.
By embracing technology in our post-pandemic world, Dan says that GRC professionals have the opportunity to accelerate their organizations’ return to normalcy and lead the charge in defining the future of business for the next decade.
Risks are becoming increasingly complex and interconnected
Renee Murphy, Principal Analyst at Forrester, wowed us all with a sobering but invigorating talk about the future of global risk. She reminded us that COVID-19 isn’t going to be the last major global event we’ll experience this decade. Between trade wars, collapsed industries, climate change, and widespread socioeconomic and geopolitical instability, we’ve got a lot more “unprecedented times” in our future—but also a lot of opportunity. Her key points included:
- The new risk paradigm involves things like: climate (hurricanes, droughts, fires); human health and wellness (that of your employees and customers); the rise of the value-based consumer; and your supply chain.
- You need to talk about the totality of the risk. It’s not enough just to worry about the security breach—you also need to worry about the ransom, how often it’s going to happen to you, the kind of impacts it’ll have on your customers, how it will affect your employees, etc. Systemic risk is risk that cascades.
- The more risk you manage, the more opportunities you create—that’s why you take on risk in the first place.
And much like in the physical world, risks are evolving quickly in the online world. Cybercrime is one of the biggest risks that organizations, including governments, face. Nick Frost, Principal Consultant & Co-Founder of CRMG, showed us how you can protect your organization without enormous investments and provided recommendations on how to move from tactical to strategic cybersecurity. Some key takeaways were:
- Organized crime is organized. Many businesses don’t appreciate that cyberattacks are sophisticated, coordinated efforts.
- Seemingly innocuous information that you share to attract customers and showcase clients can be weaponized against you.
- Having strong cybersecurity is not about adding more controls. Your top priority should be understanding your threat landscape and the systems and information that are critical to your organization.
- Sometimes, all you need to achieve is enough capability to frustrate attackers so they move on to another target.
Continuing the theme of cybersecurity, Chris Golden, Director of Information Security at Horizon Blue Cross Blue Shield and Founding Board Member of CMMC-AB, was on hand to walk us through the new Cybersecurity Maturity Model Certification (CMMC) released by the Department of Defense (DoD) to combat the growing threat of cybercrime. Is there value in using the CMMC model if you’re not engaged in a DoD contract? Chris says yes. We’re likely to see it expand to most government agencies, and even outside of government agencies, because of its powerful combination of practices and process.
Phil Moore and Fola Ojumu of Kearney & Company also helped break down the complexities of NISTIR 8286 so teams can bring cybersecurity successfully into the enterprise risk management (ERM) fold and effectively manage their cyber risks to support broader organizational goals. According to Phil and Fola, NISTIR 8286 exists because of ever-increasing data breaches thanks to cloud migrations, weak internal cybersecurity, and overly complex security systems coupled with a lack of in-house expertise.
Trust and communication are more important than ever
The work you do matters, but if you don’t share it with the C-suite, how do you expect your team’s needs to be prioritized? As Geoff Hudson-Searle, CEO of International Business and Executive Management, talked us through how to secure a seat at the executive table with strategic communication, trust became a major talking point. He told us that:
- 69% of employees reported having trust issues with their CEO or line manager, which shows that leaders need to work harder on their relationship building.
- Trust is a culture issue, and the culture of your board matters. A strong, positive corporate culture provides a framework, not only for risk mitigation, but for short- and long-term value creation.
- Board members are often skeptical about management’s handling of cybersecurity, so appointing a third-party cyber advisor as a non-executive director of the board or appointing the CIO/CISO as a member can help alleviate that apprehension and foster trust.
Niki Duhon and Brandon Vega-Finn from Centier Bank also showed us how to build trust with internal teams through transparency. Real-time, quality data can set the stage for faster, more effective decision-making across an organization, but it needs to be accessible and easy to understand if everyone’s going to get on board. Niki and Brandon suggest investing the time to make sure your various stakeholders are comfortable with the process—walk them through what you’re doing, how you’re doing it, and why, so that your organization can act on risk with greater confidence.
Automation and analytics are taking the lead
Robotic process automation (RPA) is the latest frontier in the quest to automate business processes, and forward-thinking companies are implementing bots throughout their organizations—from finance to marketing to human resources. David Graff and Amber Lindell from Focal Point Data Risk presented the strategies they use to offer visibility into RPA risk and opportunity, such as:
- Automate what makes sense. Common areas for RPA implementation are: IT, finance, and risk and compliance.
- Before you build your first bot, make sure you have the right governance process and policies in place. If you don’t do this at the beginning, you will have problems—they’re the foundational piece of the puzzle.
- Sometimes you need a bot to watch a bot. Automation can fail fast and big, so you need to detect those failures as quickly as possible.
Machine learning is also starting to make its mark on the GRC space. Daniel Serman, Director of IT & Analytics at Brookfield Asset Management, took us on a deep dive into the practical applications of machine learning to detect, prevent, and mitigate fraud. Some takeaways from him were:
- Machine learning helps you move beyond rule-based logic to find more complex cases of fraud. It takes your rules-based key fraud indicators as a starting point and learns, from those old cases, how to uncover new ones.
- Machine learning is not a silver bullet. It can learn the wrong things and go on to make poor decisions on its own, so it’s always better to have an expert in the loop to review your AI outputs.
- Break the rules you learned in data science courses because finding fraud is not a science.
Ashley Hunt, Group Head of Information Security at Sanne, helped untangle the seemingly complex but powerful technique of quantitative risk analysis, which is used to measure and reduce uncertainty in organizational decision-making. Ashley offered a lot of reassurance for anyone looking to take on the challenge. Quantitative risk analysis, he said: has been tested through trial and error in numerous industries over hundreds of years; reduces the effect of heuristics and cognitive biases on risk and decision analysis; costs little to adopt; causes minimal disruption; and improves with every iteration—your worst quantitative analysis will always be your first.
GRC program implementation is still a team sport
As complex and technical as things can get, GRC programs still start with a team effort. Daniel Doyle, Director of Audit for ProMedica, shared his tactics for planning, implementing, reviewing, and testing internal controls—making sure to situate them in the context of people, process, and technology—in order to achieve the ideal internal controls program state. He left us with these key takeaways:
- The internal controls “utopia” is where controls are embedded as part of an organization’s DNA, not merely overlaid or seen as a tick-box exercise.
- Create a charter that clearly defines your intent and speak to that in every audit you do—this will help internal teams understand the importance of the audit function and garner better buy-in.
- Find and foster champions outside your department to be your internal sales and marketing team.
Since excellence in ERM is not easy to achieve with a business landscape that changes rapidly—risks emerge out of nowhere, departments are siloed, and organizations have competing objectives—Patrick Zanin, Director of Internal Audit at Avalara, joined us to share his journey implementing a successful ERM program. His top tips to remember were:
- ERM needs to be owned by everyone in the company. The more people that buy into your program, the better and more complete it will be.
- Get organizational buy-in with leaders setting the “tone from the top,” and then gain “bottom-up momentum” with broad communication, such as training programs and internal policies.
- Keep the core ERM team lean—audit committee, internal audit, legal, and security—to help cut down on the bureaucracy and prevent a “too many cooks” situation.
And that’s a wrap!
A very big thank you to all of our presenters, for offering their experiences and expertise, and also to our amazing attendees, who took the time to join us and tuned in from all over the world. Hopefully next year, we’ll be able to see everyone in person.