Four Lessons on Avoiding a GRC Failure
Large corporations, brands, and enterprises have their fair share of reasons for falling behind on their governance, risk, and compliance (GRC) objectives, and the result can be a massive GRC failure. It is common knowledge that getting a handle on GRC needs is complicated, yet regulatory bodies and governments are quick to impose hefty penalties that can run into billions of dollars. Firms suffer class-action lawsuits, criminal charges, fines, and punitive damages due to poor corporate governance, unmanaged operational, financial, and material risks, and non-compliance with statutory requirements.
Even the most ‘cautiously’ operating enterprises encounter major misalignments between their GRC frameworks and existing technology, business, and culture initiatives. This drives the need for centralized visibility into their GRC workflows. GRC software built atop recent innovations like AI and GenAI redefines organizations’ GRC strategies and keeps them current.
As much as we agree that there aren’t universally approved GRC approaches applicable to all businesses, integrated AI-driven GRC solutions like IBM OpenPages will be a great starting point for avoiding expensive GRC-related oversights.
In this article, we will explore four epic contemporary examples of GRC failures and defects at leading firms. Some of these instances date back to before AI. However, their risk scenarios are relevant even today. An examination of their ‘mishaps’ is a strong reminder to prioritize GRC initiatives and leverage the expertise of dedicated GRC professionals and automated, AI-led solutions like OpenPages with Watson.
GRC Failure #1: Uber’s 2022 Third-party Data Breach
In December 2022, Uber encountered a data breach when a hacker purchased the compromised credentials of an employee on the dark web. The attacker pretended to be from Uber’s security team and contacted the employee on WhatsApp to coax them into approving the multi-factor authentication (MFA) push prompts sent to their phone. Once connected to the intranet, the hacker accessed the company’s VPN and the login credentials for its Privileged Access Management (PAM) solution, which gave the hacker full admin access to confidential reports and other private information. The hacker then announced the breach to Uber employees over Slack.
Although the incident never indicated theft or loss of customer data for ransom, the attack revealed Uber’s susceptibility to third-party data breaches. In 2016, Uber had already paid off nearly $100,000 as ransom to a hacking group that previously targeted firms like Microsoft, NVIDIA, and Cisco.
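The Uber incident above is a textbook case of MFA push fatigue: a burst of prompts, several rejected or ignored, followed by an approval. As an added example that is not part of the original post and not Uber’s or IBM’s tooling, the following Python detector flags that pattern over a few constructed authentication log lines. The log format, the field names (`user`, `event`, `result`, `src`), the 10-minute window and the push threshold are all assumptions.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Hypothetical detector written for this article; it is not Uber's tooling nor
IBM OpenPages code. Log format, field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> user=<id> event=mfa_push result=<approved|denied|timeout> src=<ip>"
SAMPLE_LOG = """\
2024-01-10T02:01:05Z user=jdoe event=mfa_push result=denied src=198.51.100.7
2024-01-10T02:01:40Z user=jdoe event=mfa_push result=denied src=198.51.100.7
2024-01-10T02:02:12Z user=jdoe event=mfa_push result=timeout src=198.51.100.7
2024-01-10T02:02:50Z user=jdoe event=mfa_push result=denied src=198.51.100.7
2024-01-10T02:03:30Z user=jdoe event=mfa_push result=approved src=198.51.100.7
2024-01-10T09:15:00Z user=asmith event=mfa_push result=approved src=203.0.113.9
2024-01-10T17:30:00Z user=asmith event=mfa_push result=approved src=203.0.113.9
2024-01-10T11:00:00Z user=bkim event=mfa_push result=denied src=192.0.2.4
2024-01-10T11:40:00Z user=bkim event=mfa_push result=approved src=192.0.2.4
"""

WINDOW = timedelta(minutes=10)   # assumed: look-back window per user
MAX_PUSHES = 3                   # assumed: more than this many pushes in WINDOW is suspicious


def parse_line(line):
    """Parse one log line into a dict; return None for malformed or non-MFA lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("event") != "mfa_push" or "user" not in fields:
        return None
    fields["ts"] = ts
    return fields


def detect_push_fatigue(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return one alert per user showing a push-fatigue pattern.

    The pattern is: more than `max_pushes` pushes inside `window`, at least one
    earlier push denied or timed out, and the latest push approved.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["user"]].append(rec)

    alerts = []
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i, end in enumerate(recs):
            # All pushes for this user that fall inside the window ending at `end`
            burst = [r for r in recs[: i + 1] if end["ts"] - r["ts"] <= window]
            if len(burst) <= max_pushes:
                continue
            rejected = [r for r in burst[:-1] if r["result"] in ("denied", "timeout")]
            if burst[-1]["result"] == "approved" and rejected:
                alerts.append({
                    "user": user,
                    "pushes": len(burst),
                    "rejected_before_approval": len(rejected),
                    "approved_at": burst[-1]["ts"].isoformat(),
                    "src": burst[-1].get("src", "?"),
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, only `jdoe` trips the rule (five pushes in under three minutes, four rejected, then an approval); `bkim`’s single denial followed by an approval 40 minutes later does not. In practice the alert would feed a response playbook that revokes the session and re-verifies the user, and the thresholds would be tuned against the organization’s own baseline of prompt volume.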
Lessons: Nearly 50% of data breach attempts involve third-party vendors and service providers. The Uber incident teaches us about the ever-growing risks of third parties.
- Third-party risks are common with the increased reliance on SaaS applications, cloud-native solutions, third-party vendor services, and the use of external or shared databases and servers.
- Third-party integrations are ideal entry points to internal networks and systems.
- Strong cybersecurity protocols don’t always guarantee safety from third-party and fourth-party risks.
- Third-party vendors can have unsafe server configurations and poor cybersecurity policies regarding data management and network safety.
- A zero-trust approach to identity and access management is a must in a cloud-based ecosystem. Zero-trust policies must cover employees, partners, third-party entities, and all stakeholders across the value chain.
- Identity security must be unique not just to each employee but also to each touchpoint across cloud components like serverless functions, databases, and containers.
- Implementing least-privilege access is instrumental in limiting the damage a compromised account or credential can do.
An effective third-party risk management (TPRM) framework is essential. It should include thorough vendor evaluation, the establishment of risk criteria, complete due diligence, contract review, and effective incident response protocols. The TPRM framework must take a 360-degree view of third-party risks, covering identification of the scope of risks, mitigation and control, continuous monitoring, and training to increase employee and stakeholder awareness.
Our experts can assist businesses in banking, financial services, insurance (BFSI), and other industries. We help explore AI-powered enhancements with the TPRM solution to prevent compliance, brand, and operational disruption.
GRC Failure #2: Silicon Valley Bank Crisis and Poor Risk Management
The crisis at Silicon Valley Bank (SVB) serves as a stark wake-up call for commercial banks across the U.S., highlighting critical failures in risk management. SVB’s downfall was precipitated by its inability to foresee interest rate hikes, manage asset-liability mismatches, and prevent bank runs. Notably, the bank neglected a fundamental principle: diversification of investments to mitigate risks. Furthermore, SVB’s lack of a Chief Risk Officer (CRO) and a robust enterprise risk management framework exacerbated its vulnerabilities.
Once a lifeline for several start-ups and tech companies, SVB’s untimely collapse raised concerns about the absence of effective risk management and accountability within a banking institution that was led without a Chief Risk Officer (CRO). The inability to predict and calculate liquidity risk, coupled with ill-advised investments in low-yielding government bonds, shows the dire need for proactive risk management strategies across industries.
Lessons: In principle, enterprises that demonstrate effective risk management will escape legal, reputational, and regulatory consequences. The board and leadership’s risk management knowledge and insight into material risks enable the development of the risk management and governance principles on which risk models and policies are built. Here are some critical insights:
- Model risk governance is indispensable for firms in heavily regulated sectors like banking and fintech.
- Centralizing enterprise-wide models and adhering to model-focused regulations enable early detection of warning signs and facilitate the analysis of future risk scenarios.
- Operational strategies that clearly define roles and responsibilities for model risk management, risk monitoring, and control assessments are essential for aligning enterprises with evolving expectations.
GRC Failure #3: T-Mobile, AT&T, Verizon, and Sprint’s FCC Non-Compliance
In 2020, the Federal Communications Commission (FCC) fined these U.S.-based network carriers $200 million for sharing customers’ geolocation data with aggregators that sold it on to third parties. Regulations like these give Telcos a harsh GRC reality check. The communication providers suffered penalties for failing to protect customers’ sensitive data and for offloading their obligations onto the customers’ consent. Under FCC rules, including Section 222 of the Communications Act, network carriers must take reasonable steps to protect customer information, including location data, and must obtain customers’ consent before disclosing or allowing external access to it.
Lessons: Industry-specific regulations evolve rapidly. Regulatory oversights are unique to every business, and non-compliance impacts enterprises beyond financial costs.
- Non-compliance affects credit ratings, brand image, profitability, and funding opportunities.
- Repeated non-compliance erodes trust and credibility, posing long-term risks to the business.
- For end-to-end regulatory compliance management, organizations must adopt a proactive approach. This involves understanding strategic compliance obligations, monitoring regulatory changes, and integrating risk data to ensure end-to-end compliance.
- Compliance automation tools are essential for streamlining compliance processes at scale, enabling organizations to identify regulatory changes promptly and align their operations with evolving requirements.
GRC Failure #4: Wells Fargo’s Cross-selling Tactic: A Corporate Governance Failure
Auditors of the U.S.-based bank Wells Fargo unveiled a shocking truth about the bank’s deceptive tactic of opening unauthorized accounts to meet cross-selling targets, exposing a grave failure in corporate governance. Over 5,000 employees were implicated in the scandal, using fake email addresses to enroll customers without their consent. The subsequent action by the U.S. Consumer Financial Protection Bureau resulted in a hefty $100 million fine for Wells Fargo, alongside nearly $2.6 million in compensation to affected customers. The scandal also forced the bank to abandon its aggressive sales targets.
Lessons: Wells Fargo’s 2013 scandal stands out as a glaring example of unregulated and misleading corporate governance practices. Despite once being lauded as one of Gallup’s Great Places to Work, the bank failed to implement adequate risk controls within its sales culture. High employee engagement scores masked fundamental risks for several years, leaving the bank vulnerable to systemic failures.
- Corporate governance necessitates rigorous testing, benchmarking, and continuous improvements to foster a culture of compliance and ethics.
- Good governance practice requires clear guidelines, principles, roles, and responsibilities to be communicated across the organization.
- Successful corporate governance enables a balanced approach to profitability interests and ethical considerations like employee well-being and accountability.
- Corporate governance is a business imperative for meeting regulatory requirements while promoting transparency and accountability.
Conclusion:
2024 is a GenAI accelerator era, and every organization is advancing adoption across operational areas. As the share of GenAI in enterprise technologies grows by the day, leaders like IBM present transformation opportunities with governance, risk, and compliance (GRC) solutions. From modeling risk scenarios, AI model management, and governance to unifying enterprise-wide risk and compliance processes, all are possible under a single platform called OpenPages.
While some may argue that it’s premature to trust GenAI without fully comprehending the intricacies of the models driving its decisions, the success of early adopters speaks volumes. These pioneers have shown the necessity of transcending traditional GRC processes, which largely relied on outdated methods and historical data, and thereby averting the possibility of a major GRC failure. With the right regulatory guidance and active regulation, enterprises can ride the global AI and GenAI evolution wave, propelling them toward a strategic and value-driven approach to GRC.
Would GenAI-led GRC platforms have foretold the epic events we covered in our blog? Let us know your thoughts.
For more information, contact our GRC experts today!