Tech resilience: When brakes help you go faster

Strong governance and compliance can increase agility

This is the third of three reports on how organizations need to evolve their approach to technology. This report focuses on compliance and resilience. The first report discussed growth, and the second report examined efficiency and profitability.

Contributors: Derek Han, Johnny Lee and Ethan Rojhani

Executive summary

In Grant Thornton's survey of more than 550 executives, 22% ranked cybersecurity and risk management as their top technology enhancement objective — second only to analytics and business intelligence.

Strong governance and compliance don’t slow progress — they enable it. Grant Thornton’s Digital Transformation Survey reveals that embedding cybersecurity, resilience and real-time compliance into tech strategies empowers agility and innovation.

By treating compliance as a cultural cornerstone and using automation, leaders can mitigate risk and accelerate transformation. Organizations that align governance with technology goals build a foundation for long-term success, proving that the right guardrails help them move faster — with greater confidence and security.

Introduction

Sometimes it takes a different point of view to fully appreciate the value that compliance and resilience can bring to an organization. Even in the fast-moving, competitive world of technology implementation, Grant Thornton Risk Advisory Services Partner Johnny Lee said compliance and resilience initiatives are built to assist with innovation, not to stand in the way.

“You don’t install brakes on a car so you can go slower,” Lee said. “You install them so you can go faster.”

When performed properly, compliance and resilience — and the governance activities that underpin both — fulfill the same role as brakes on a car. These efforts might be viewed strictly as costs, but well-governed compliance and resilience don’t reduce speed to market or undermine agility; they enable both.

“Compliance and resilience don’t reduce agility,” said Grant Thornton Risk Advisory Services Partner Ethan Rojhani. “They increase agility because they enable people to understand their bounds and parameters so they make the most effective use of their time and resources.”

The positive impact of compliance and resilience isn’t lost on business leaders, Grant Thornton’s Digital Transformation Survey shows. In our survey of more than 550 executives, cybersecurity and risk management trailed only data analytics and business intelligence when respondents were asked to rank the top priorities for their organizations’ technology enhancements. Fifty-seven percent of executives chose cybersecurity and risk management as one of their top three tech objectives.

With spending on technology initiatives increasing rapidly, business leaders are charged with pursuing complementary goals:

  • Incorporating technology that helps them boost compliance and resilience
  • Embedding governance, security and compliance into the tech strategies and tools they offer
  • Promoting a culture of compliance in their organization — and its technology lifecycle.

When these objectives are prioritized, technology’s benefits can be fully realized.

Governance and innovation: Strike the right balance

Then: Governance was often sidelined in the rush to modernize.
Now: It’s recognized as essential for building value.

60% of executives identified governance, risk and compliance (GRC) tools/processes as a top-three tactic for mitigating technology risks.

With each technology implementation, it’s important to strike the right balance between governance and innovation.

Controls that are redundant or too strict certainly can stifle creativity and productivity. At the same time, experimentation without proper restraint can unleash risks that can put an unsuspecting organization in real jeopardy.

The proper balance lies in developing guardrails for technology transformations that create a walled garden where employees can experiment. If you’re experimenting with AI adoption, these guardrails protect the organization from intellectual property claims, preserve confidential data and ensure the quality of products and services — as well as the customer experience. Some of these guardrails can include basic functions the organization already has, such as protected sandboxes or IT change management.

Ownership and monitoring of those guardrails should be assigned to the appropriate personnel, with involvement from the chief risk officer or the chief compliance officer.

“That’s what unfolds for every technology transformation,” Lee said. “Don’t ruin the business model. Don’t send confidential information where it shouldn’t go. And once you’ve built the walled garden and the sandbox is safe, foster and encourage experimentation. Later, we can have a conversation about ROI, once we know what is reasonably measurable.”

Compliance gets an AI makeover

Then: Compliance was often an intensely manual activity.
Now: AI tools are making compliance more thorough and less labor-intensive.

49% of executives rank regular risk assessments as a top-three approach for mitigating technology risks.

Risk assessments are the roots of strong resilience and compliance, and large organizations might have 10 or more of these processes in place to effectively manage their risks. Where these processes were once performed manually with the help of workflow tools, companies now are implementing AI tools to assist with these objectives.

The AI models need to be trained with relevant risk data and response rates defined, but companies are finding that the tools ultimately improve speed and accuracy at a modest cost. Additional AI tools for resilience and compliance include third-party supplier risk management applications and regulatory horizon scanning apps that alert management to changes in rules or laws that need to be addressed through compliance activities.

But an organization needs to prepare carefully to use these tools before implementing them. Effective use requires:

  • A solid foundation of governance and thoughtful processes: For example, AI can create optimal value in risk-management processes that are well-defined, with detailed risk categories and tolerances. AI programs trained on procedural foundation will foster more insightful analysis.
  • High-quality, well-organized data: Inaccurate, incomplete or poorly organized data will cause AI to provide flawed insights and outputs.
  • Human validation and review: AI will not always provide the right answers, and risk ratings and compliance initiatives are too important to leave to chance. Knowledgeable, experienced people are needed to verify the accuracy of AI-provided outputs, maintaining the “human in the loop.”

Derek Han, the Cybersecurity and Privacy Leader for Grant Thornton’s Risk Advisory practice, said organizations are especially focused now on improving their data to enable successful AI use.

“Data has been the core challenge — but also the opportunity — for many organizations in their AI adoption,” Han said. “For some, it’s going to be a real journey to make sure their data is high in quality and widely usable for training large language models within organizational boundaries.”

Incident response emerges as cyber priority

Then: Buying cybersecurity tools implied preparedness.
Now: Execution and culture — not tech alone — define true resilience.

Cybersecurity is the No. 1 technology that executives said they are investing in this year.

AI tools also are a key focus of implementation for cybersecurity, but while AI solutions can enhance protection, they can’t be solely relied upon for effective cybersecurity.

Our survey shows that executives are spending prodigiously on cybersecurity tools, as 68% of respondents named cyber solutions as one of the top five technologies they’re investing in this year. AI solutions for cybersecurity are emerging that can probe for vulnerabilities in defenses; review audit logs for potential indicators of compromises; and remediate risk issues or vulnerabilities.

Han says companies need to evaluate their confidence and risk tolerance level for using AI automations in lieu of human involvement for such a vital activity. In the interim, human oversight is required to ensure the accuracy and effectiveness of the AI solutions and to alleviate the risks of adverse impact on systems, operations and employees.

“The risks of overreliance on AI in cybersecurity have to be considered,” Han said. “If we start using AI to replace humans to monitor, respond to, and mitigate security risks, the human capabilities in building and managing cybersecurity could be degraded, especially for young professionals. It’s important to strike a balance between the use of AI tools and developing the expertise and critical thinking of the human security team.”

For employees throughout the organization, AI automation should not diminish the importance of regular training and embedding strong cybersecurity awareness practices throughout your workforce. Meanwhile, the need for thorough, cross-functional incident response and resilience drills should continue to be a focus.

“Where the real resilience starts to show up is in comprehension,” Lee said. “You can’t have comprehension without clarity. You can’t have clarity without people knowing what their job is when the ‘bad day’ happens. And you genuinely can’t know that without practice.”

Even in resilience drills, though, AI tools can play multiple roles.

“AI can create simulated cyber threat scenarios to test incident response capabilities,” Han said. “In addition, where written response playbooks can be lengthy and complicated to execute, the people on the response team can use AI to more quickly discern their responsibilities and take decisive action.”

Moving toward real-time monitoring

Then: Compliance meant periodic check-ins.
Now: Changing laws and risks require constant monitoring.

53% of executives listed data privacy compliance as one of their top three concerns about cybersecurity.

The next frontier for compliance and resilience is real-time monitoring, as robotic process automation and AI tools develop the potential to identify anomalies or red flags immediately.

For example, companies are investing in tools that allow management to discover and correct financial reporting and IT anomalies long before third-party audits are conducted.

“Management is investing in systems upfront to make sure everything is clean,” Rojhani said. “Because of this, over time we’re going to see fewer and fewer material misstatements from a financial audit perspective — and fewer IT issues from a regulatory or compliance perspective.”

While this type of real-time analysis is already happening at many companies, mature processes and strong data hygiene are needed to fully realize the goal of continuous compliance. When upgrades are implemented and processes change, the monitoring of both controls and technology often does not keep pace.

But as dynamic compliance platforms are embedded to track and respond to regulatory changes — and as GRC and AI tools are developed to scale with regulation — the replacement of manual processes with automation makes continuous compliance an achievable objective.

Culture shift: Compliance is a shared responsibility

Then: Compliance was owned by a single team.
Now: Culture-wide “risk IQ” is essential for operational resilience.

Just over 1 in 4 executives cited compliance lapses or security issues as a top reason that past tech initiatives failed.

Compliance and resilience are strongest at organizations where they are embedded in the culture and reinforced by the tone at the top. Some companies are naming individuals to be risk champions in every business unit, and many are encouraging cross-department knowledge sharing that spreads the word about appropriate responses to risk.

"It's not just tone at the top," Rojhani said. "It's about providing the resources to embed compliance into the culture."

Once a company builds the appropriate infrastructure, it can be the foundation for numerous technology initiatives. For example, one of Lee’s clients hired Grant Thornton initially to assist with its cybersecurity maturation processes.

They developed a governance function with key constituents from finance, IT, HR, operations, legal and other key areas of the organization. When it came time for other implementations of enterprise risk, including insurance analysis, business continuity and AI adoption, the process could be repeated.

“They have the building blocks from the prior effort in place, and we were able to connect the dots and draw analogs to prior conversations by saying, ‘Your AI adoption is not materially different from your cyber maturation,’” Lee said.

Resilience as strategy

At the most successful organizations, governance, cyber readiness and compliance aren’t viewed as constraints. They’re necessities that can be pursued more effectively through the implementation of technology. And when transformative technology is implemented, leading organizations put the right guardrails in place to help themselves get the most out of such tools.

With the right guardrails in place, organizations can move faster with confidence and control.

Key takeaways:

  • Embed compliance into culture for lasting resilience.
  • Use AI and automation to strengthen monitoring — with human oversight.
  • Build agile guardrails that enable safe innovation.

About our survey

Grant Thornton conducted the Digital Transformation Survey of 550+ cross-functional senior executives across industries, focusing on tech alignment, investment priorities, ROI metrics, and integration challenges. Additional insights were drawn from industry-leading reports and macroeconomic analyses.

Contributor bios:

Johnny Lee (Atlanta, Georgia)

A forensic investigator, management consultant, and former attorney, Johnny specializes in data analytics and digital forensics in support of investigations, litigation, and complex regulatory issues. He also provides advisory services to (and expert testimony for) organizations working to address complex AI, cybersecurity, blockchain, cryptocurrency, and data privacy issues.

He has led hundreds of forensic investigations over the past fifteen years, including numerous matters involving significant data volumes and complex forensic analytics tools and techniques. These matters include forensic analysis for a wide variety of digital asset and cryptocurrency projects, complex monitoring engagements, and investigations involving federal law enforcement and regulators.

Derek Han (Chicago, Illinois)

Derek is a partner with professional experience in cybersecurity, privacy and AI governance consulting, including cybersecurity and privacy program assessment, AI governance program transformation, and privacy program optimization and automation. He has more than 20 years of experience working with client executives and senior management in the technology, cybersecurity, privacy, data governance and risk management fields. Many of his clients are Fortune 500 companies.

Derek has led teams to assess, design and implement cybersecurity, IT risk management, privacy and AI governance solutions for complex client environments with global operations.

Ethan Rojhani (Denver, Colorado)

Ethan is a partner in Grant Thornton’s Risk practice with experience leading the full lifecycle of risk management and consulting engagements. His recent experience includes leading the transformation of organizational compliance and audit programs by integrating custom, emerging technologies to streamline compliance assessment and audit testing.

He also leads IT strategy engagements to help organizations identify and implement effective strategies for transforming their organizations. His recent experience also includes helping clients manage costs and risks through focused process improvement — which includes developing the training, tools and management controls necessary to drive organizational value.
