The ABCs of GRC for MENA economies and organizations in a digital, globalized economy
In 2023, the global GRC (Governance, Risk Management, and Compliance) market was valued at a whopping USD 50.5 billion, with projections to reach USD 104.5 billion by 2030.[1] At a CAGR of 15.4% in 2024-2030, this jump is not without reason. Shocks like the COVID-19 pandemic have shed light on supply chain resilience and crisis preparedness gaps. Decentralization is challenging the financial world as we know it. Geopolitical tensions and regulatory complexity are straining cross-border business continuity. Climate change is looming over sustainable development efforts. Cyber threats are becoming ever more sophisticated and targeted. Global leaders and executives are under unprecedented public and private scrutiny. The list goes on, but the message is one. If there is ever a time for organizations to treat GRC more seriously and holistically, it is now.
The legwork starts with acknowledging GRC as a strategic lever, not a siloed function within organizations. Nowhere is GRC’s cross-cutting role clearer than in its crossover with other loaded acronyms, ESG (Environmental, Social and Governance) and EHS (Environmental, Health and Safety).[2] GRC integrates environmental goals and compliance into corporate governance, supporting ESG reporting considerations and EHS action. Risk management and EHS work hand in hand to address environmental safety risks critical to ESG performance. Stringent GRC practices are also integral to transparent and ESG performance reporting. This is merely one example of the overlap between GRC and other organizational functions.
Now, consider the entire supply and value chain of an organization outside of its own operations, and the GRC web becomes even more complex. Third-party risk management (TPRM), associated with supply chain and ICT providers – among many others – is becoming a top priority for businesses, more out of necessity than novelty.
Take, for instance, recent ChatGPT leaks that have affected major tech conglomerates, and that have all the markings of a GRC shortfall. Such incidents alone signal gaps in data governance, cyber security, and third-party risk management. Their ripple effect, however, is much bigger. It places stakeholder and shareholder trust at stake both within these organizations and OpenAI, the company behind ChatGPT. It naturally increases the reputational risk of these conglomerates. And it equally exposes their competitive tech and talent edge to anyone with access to the tool. For one leak, that’s a lot of risk. And it has highlighted the dire need for GRC in the new AI-powered economy.
The MENA (Middle East and North Africa) region is slowly but surely catching up with this global shift. Global research and consulting firm Gartner estimates that end-user spending on security and risk management in MENA stood at USD 2.8 billion in 2023, a notable increase of 10.4% from 2022.[3] These investments have gone into technologies securing remote and hybrid work setups, digitization, and cloud migration. Other reports, however, signal gaps in a comprehensive approach to GRC in the region. For instance, in the regulatory compliance component, PwC has highlighted three key challenges for MENA organizations. The first is a lack of clarity on cross-sectoral and cross-border third-party compliance monitoring. The second is the absence of a single repository for relevant regulatory updates. The third, and most critical one, is the shortage of experienced compliance experts. Aon’s 2023 Global Risk Management Survey also highlights that while MENA organizations have their risk priorities in check (table 1), they have also underrated risks associated with climate change and ESG performance – despite markets like Libya and Morocco having experienced natural catastrophes in September 2023.
Table 1. Top 10 Current Risks identified by Middle East and Africa organizations[4]
- Economic Slowdown or Slow Recovery
- Exchange Rate Fluctuation
- Business Interruption
- Cash Flow or Liquidity Risk
- Political Risk
- Cyber Attack or Data Breach
- Supply Chain or Distribution Failure
- Commodity Price Risk or Scarcity of Materials
- Failure to Attract or Retain Top Talent
- Failure to Innovate or Meet Customer Needs
An integrated approach to GRC empowered MENA organizations to be proactive, rather than reactive in building effective governance structures; ensuring regulatory compliance; understanding risk appetite; and adhering to ethical and sustainable practices. At CRMI, our mission is to help them chart the course from risk to reward with foundational and advanced GRC education and capacity building.
Our starting point is, naturally, the insurance and reinsurance industry, equipping professionals to integrate GRC in their practices, policies, and plans. More critically, our goal is to promote and instill GRC in the very organizational culture and business ethos of insurance companies. In this direction, we’re partnering with renowned professional and academic institutions to offer not only learning tracks, but also real-life expertise that can help transfer GRC from theory to application. Ultimately, we are building a knowledge exchange platform and hub that can help create GRC centers of excellence across and beyond the MENA region. In a globalized and digitized economy, our focus remains on cross-border and agile strategies for organizations to embed GRC in their operations wherever, whenever.