New GRC tools include analytics, AI to keep businesses safe

As the governance, risk and compliance market changes, organizations can pass on the full-blown GRC suite and instead choose a tool that targets a specific issue.

Many products in the GRC -- governance, risk and compliance -- market are offered as full-blown suites that can be "integrated into a single platform for greater visibility into the entire state of the enterprise," according to analyst firm IDC.

However, there are also a number of point solutions, i.e., targeted tools created to help companies solve one or more specific challenges around such issues as corporate governance and compliance management, supply chain management, business continuity, third-party risk management, and operational risk management, according to the IDC report, "Worldwide Governance, Risk, and Compliance Software Taxonomy, 2017."

Market for targeted GRC tools includes analytics, AI

A number of vendors are offering these targeted GRC tools. Leading the way are those that have developed various offerings, including analytics tools, cognitive systems, event management tools and discovery software to collect data from disparate systems and automate decision-making.

"There's definitely a lot of analytics and artificial intelligence-types of tools out there," said Angela Gelnaw, an analyst at IDC, based in Framingham, Mass., and author of the report. "There are companies like Polecat that are doing some interesting things around reputational risk, and RiskVision, which uses analytics to help with IT and security risk."

Supply chain and vendor risk management are becoming really big areas, as well, she said.

"So [these GRC tools have] the ability to aggregate and analyze all of your supply chain and vendor data to be able to look at anomalies and try to identify where risks might come up," Gelnaw said. "Analytics and machine learning are definitely critical to the advancement of GRC."

IDC analyst Sean Pike agreed that analytics, including natural language processing and machine learning, is at the heart of all these targeted GRC tools. The trend toward the development of these niche GRC tools is being driven by regulations that may target one business unit, but not another.

Consequently, vendors have started creating analytics-based applications to help companies identify risk and solve challenges in specific areas, such as contract management.

For example, Apttus Corp., a provider of quote-to-cash and contract lifecycle management technology in San Mateo, Calif., just added artificial intelligence (AI) and machine learning to the contract management space, enabling teams to more easily identify potentially risky deal terms.

Apttus Intelligent Contract Management with Applied AI enables enterprises to locate key terms and topics that create financial risks in negotiated agreements and to compare the negotiated wording with agreement templates automatically to quantify and manage exposure to these risks, according to the company.

"We have a variety of machine learning with natural language processing at various points through this process," said Jason Smith, senior director and legal counsel for Apttus. "When we get to the contracting piece, that's where we start using natural language processing because we don't always create the contracts on our own paper; sometimes we use the other party's paper."

Because of that, Apttus has to be able to quickly consume that information in an unstructured way and offer guidance to the person writing the contract on whether it's high risk, medium risk or low risk.

"And as I manipulate data elements, it may change that risk profile," Smith said. "But then it may also take information from the previous contracts, i.e., the history of the contracts that have been successful, the ones that haven't been successful, and so on and so forth, and ... really process this data a whole lot faster than an army of humans could do, realistically. Then push the information back to that user to help him make the right choices."

The ultimate end goal is to speed up the entire process to enable the company to get to the revenue faster, but doing it in a way that doesn't introduce more risk, he said.

"So you have that governance applied to this whole process," Smith said.

Smarter GRC tools need integration, automation

Many system-level GRC tools weren't designed to audit and control all transactions and, therefore, require a significant amount of manual configuration and ongoing administration, said Chris Doolittle, principal consultant for Teleran Technologies Inc., a provider of real-time business intelligence for application performance and compliance policy management, based in Fairfield, N.J.

To keep up with escalating sensitive data volumes and IT complexity, organizations need to take advantage of automation and true machine learning, beyond analytics, that audit, identify suspicious or subtle issues, and automatically control unwanted or pernicious user behaviors, according to Doolittle.

Some data protection systems are now developing more sophisticated artificial intelligence-based learning engines that predictively identify and stop malicious information requests or patterns of requests automatically.

Integrating the machine learning process with actual access policy generation is a critical automation step that minimizes the time-consuming process of a security specialist interpreting behaviors from logs or reports, and then having to create the appropriate control policy that will prevent that behavior or similar behaviors, Doolittle said.

"This integration and automation speeds effective policy generation, automatically keeps up with changing data usage patterns, and improves control policy accuracy and effectiveness," he said. "Teleran's data protection software delivers network-based auditing of sensitive data in the context of the business and applications in use."

Machine learning improves user experience

Apttus' Max is one such intelligent agent that listens to voice commands, understands texts and even interacts with salespeople in augmented reality environments.

Max provides a conversational user interface to manage all aspects of the contract management process, Smith said. Max helps users navigate critical business processes, including pricing, quoting and contracting. Max can also help a contract team reach the best deal by offering the right legal language and the best commercial terms that a buyer is most likely to accept.

As an intelligent agent, Max can talk and chat with users, and even interact using augmented reality. Max can teach users things they don't know and help them make use of details they often forget. Max delivers the right recommendations at the right time, so sales and legal teams are able to complete more agreements faster, according to Smith.

"Now, the salesperson or finance or legal can actually interact with the system as if it's human," he said. "So they can say, 'I need a contract.' And the system responds, 'OK, what kind of contract are we trying to put together? Is it an MSA [master service agreement] or an SOW [statement of work]?' And I pick one and the system asks, 'Which customer?' I say, 'ABC Corp.' But in the CRM system, there are 15 ABC Corps., so the system asks, 'Which one are you picking?'"

A GRC platform that just deals with static data in and out can limit the number of ABC Corps. that the user sees based on certain calculations and provisions, according to Smith.

However, after the user picks the ABC Corp. he's dealing with, the GRC system can't interact with the user and trigger another workflow process within the system that tells the user three more lawyers need to review the contract because the profile of that particular ABC Corp. indicates that it's a credit risk -- something that the chatbot Max is able to do, Smith said.
