Issue #32: Unexpected GRC Findings: Unveiling the Hidden Risks in Governance, Risk, and Compliance

In the complex landscape of Governance, Risk, and Compliance (GRC), organizations are often focused on obvious risks - cybersecurity threats, financial fraud, regulatory changes, and operational inefficiencies. However, GRC frameworks can sometimes uncover unexpected findings that not only surprise organizations but also expose hidden vulnerabilities or missed opportunities that could have significant financial or reputational implications. These unexpected findings, while initially shocking, often serve as a wake-up call that leads to stronger risk management practices, more effective governance, and enhanced compliance structures.

In this article, we will explore some real-world examples and use cases of unexpected GRC findings and how they prompted organizations to take corrective actions, mitigate future risks, and improve their overall GRC strategies.

1. The Data Privacy Breach That Went Unnoticed

Case: Marriott International Data Breach (2018)

In November 2018, Marriott International disclosed a breach of the Starwood guest reservation database that it initially estimated affected up to 500 million guests. The attack itself was external, but the point of entry was not Marriott's own environment: the Starwood systems had been compromised since 2014, two years before Marriott acquired Starwood in 2016. The unexpected GRC finding was that the intrusion was detected neither during acquisition due diligence nor during two years of post-merger integration, while critical weaknesses in the legacy Starwood IT infrastructure were never adequately addressed or brought under Marriott’s security protocols.

This finding exposed a major gap in the company’s due diligence process during mergers and acquisitions (M&A): the data privacy and cybersecurity risks carried by inherited IT systems were not fully evaluated. Marriott had focused on financial, legal, and operational risks during the acquisition, and the data security risks, including the possibility that the acquired environment was already compromised, went largely unexamined until the breach was discovered.

Lesson Learned:

  • Companies must expand their GRC assessments during M&As to include a comprehensive review of IT and data security infrastructure, especially when dealing with large customer data sets.
  • Post-acquisition integration should prioritize cybersecurity and data privacy from day one, as overlooking these factors can expose organizations to substantial reputational and financial damage.

Indian Context: Just Dial Data Exposure (2019)

In India, Just Dial, a popular local search service, was found in April 2019 to be exposing sensitive customer data, including names, phone numbers, email addresses and postal addresses, through an unauthenticated legacy API endpoint that anyone could query. The exposure was reported by an independent security researcher rather than detected by the company, which said the endpoint belonged to an older version of its application, and Just Dial faced a strong backlash from users who felt their privacy had been violated. The incident highlighted an important GRC gap in Just Dial’s data protection practices: while the compliance team was focused on business-as-usual activities, the inventory and retirement of legacy interfaces had not been treated as a data privacy control, so a forgotten API kept serving customer data without authentication.

Lesson Learned:

  • Organizations must maintain an inventory of every interface that can return customer data, including legacy, acquired and externally integrated systems, and assess each one for data privacy, cybersecurity and third-party risk.
  • Regular audits and continuous monitoring (including of what is reachable from the internet without authentication) are essential for detecting and mitigating risks associated with sensitive customer data.

2. Lack of Employee Awareness and Insider Threats

Case: The Capital One Data Breach (2019)

In 2019, Capital One suffered a breach that exposed the personal data of approximately 106 million individuals in the United States and Canada. The attacker was an outsider, a former employee of the company’s cloud hosting provider rather than a Capital One insider, and the company learned of the intrusion from an external tip rather than from its own monitoring. The root cause was a misconfigured web application firewall running in Capital One’s cloud environment: it could be induced to make server-side requests to the cloud instance metadata service, which returned temporary credentials for the instance’s IAM role, and that role was permitted to list and read far more storage buckets than the application needed.

Insider threats are a well-known risk, but the unexpected GRC finding in this case was different: the attacker came from outside, and the controls that should have contained an external intrusion (firewall configuration review, least-privilege role design, and monitoring of anomalous storage access) had not kept pace with the company’s move to the cloud. Capital One had invested in strong security measures, yet its GRC framework had not adequately covered cloud-specific failure modes such as request forgery against the metadata service and over-permissioned instance roles, and the staff operating those platforms had not been trained on them.

Lesson Learned:

  • Threats to internal systems are not only about malicious insiders; they also stem from lack of awareness, unintentional mistakes and misconfigurations that an outsider can exploit.
  • Companies must train the teams who build and operate new technologies and data storage solutions (like the cloud) on their specific risks, and implement least-privilege access controls so that a single compromised component cannot read everything.
  • GRC assessments should be revisited regularly to ensure that security protocols evolve in line with changing technologies.
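The mechanism in the Capital One case is worth seeing concretely. The following is an added example written for this article, not code from Capital One or its cloud provider: a request-forwarding endpoint in its vulnerable form beside a hardened form, with a constructed stand-in for the network so it runs offline. The host names, the `api.example.internal` allowlist entry and the credential document are assumptions made for the demo.

```python
"""Added example (not from the original article): a server-side request-forwarding
endpoint that, like a misconfigured WAF, can be abused via SSRF to reach the cloud
instance metadata service, shown beside a hardened version.
All URLs, host names and the credential document are constructed for the demo."""
import ipaddress
from urllib.parse import urlparse

# Well-known instance metadata endpoints (AWS IMDS IPv4/IPv6, GCP).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

# Assumption for the demo: the only upstream this service legitimately calls.
ALLOWED_UPSTREAMS = {"api.example.internal"}

# Constructed stand-in for "the network": URL -> response body. No real I/O.
FAKE_NETWORK = {
    "https://api.example.internal/v1/items": '{"items": []}',
    # Shape of IMDSv1 responses: first the role name, then temporary credentials.
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/": "app-server-role",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/app-server-role":
        '{"AccessKeyId": "ASIA-CONSTRUCTED", "SecretAccessKey": "constructed", "Token": "constructed"}',
}


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP client; looks the URL up in the constructed network."""
    return FAKE_NETWORK.get(url, "404 not found")


def proxy_vulnerable(user_supplied_url: str) -> str:
    """Vulnerable: forwards whatever URL the client supplies, link-local included."""
    return fake_fetch(user_supplied_url)


def check_upstream_target(user_supplied_url: str) -> tuple[bool, str]:
    """Return (allowed, reason). Rejects non-HTTP schemes, known metadata hosts,
    IP literals in non-routable ranges, and any host not on the allowlist.
    Allowlisting by host name means no DNS resolution is needed here, which also
    closes the DNS-rebinding route around an IP-based denylist."""
    parsed = urlparse(user_supplied_url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return False, "instance metadata service"
    try:
        ip = ipaddress.ip_address(host)  # only succeeds for IP literals
    except ValueError:
        ip = None
    if ip is not None and (ip.is_link_local or ip.is_private or ip.is_loopback
                           or ip.is_reserved or ip.is_multicast):
        return False, f"non-routable address {ip}"
    if host not in ALLOWED_UPSTREAMS:
        return False, f"host {host!r} not on allowlist"
    return True, "ok"


def proxy_hardened(user_supplied_url: str) -> str:
    """Hardened: validates the target before any request is made."""
    allowed, reason = check_upstream_target(user_supplied_url)
    if not allowed:
        return f"403 blocked: {reason}"
    return fake_fetch(user_supplied_url)


def steal_role_credentials(proxy) -> str:
    """What an attacker does through an SSRF-able proxy against IMDSv1:
    one request for the role name, one for that role's temporary credentials."""
    base = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    role = proxy(base)
    return proxy(base + role)


if __name__ == "__main__":
    print("vulnerable:", steal_role_credentials(proxy_vulnerable))
    print("hardened:  ", steal_role_credentials(proxy_hardened))
```

The target check is only one layer. On the cloud side, requiring the session-token variant of the metadata service (IMDSv2 on AWS, where a plain GET without a token is refused) stops this particular two-request theft even when an SSRF exists, and scoping the instance role to the specific buckets the application needs limits what stolen credentials can reach. A GRC review of a cloud workload should ask for evidence of all three.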

Indian Context: Wipro Phishing Breach (2019)

Wipro, one of India’s leading IT services companies, confirmed in April 2019 that it had been hit by a phishing campaign that compromised the accounts of a number of its employees. The attackers then used Wipro’s internal systems and its trusted access as a staging point to target several of Wipro’s own clients. Although Wipro had standard cybersecurity protocols in place, the unexpected GRC finding was that its defences relied heavily on employees recognizing phishing and protecting their credentials, and that a service provider’s privileged access to customer environments turns a single phished account into a supply-chain incident. The breach underlined the need for constant awareness and training within the organization, backed by phishing-resistant authentication, to limit the damage one compromised user can do.

Lesson Learned:

  • Organizations need to regularly train employees on the latest cybersecurity risks, including phishing attacks, malware, and data theft.
  • A proactive GRC approach should consider internal security, employee training, and awareness as integral components of the overall risk management strategy.

3. Unreported Conflicts of Interest in Corporate Governance

Case: Volkswagen Emissions Scandal (2015)

One of the most infamous corporate governance failures in recent history occurred when Volkswagen (VW) was found to have installed "defeat devices" in their diesel engines to cheat emissions tests. While the scandal initially appeared to be a matter of compliance fraud, further investigation uncovered unexpected findings related to governance and oversight failures.

VW's GRC framework failed to flag or mitigate conflicts of interest within the company’s leadership and governance structures. Subsequent investigations found that warnings from employees about the illegal software had been overlooked or ignored by senior managers, some of whom were later charged for their part in concealing the fraud. The scandal highlighted the company’s failure to establish a robust, transparent, and effective governance model that would ensure accountability at all levels.

Lesson Learned:

  • Conflicts of interest can be hidden in plain sight, especially in complex organizations where leaders may have incentives to overlook or hide unethical behavior.
  • GRC frameworks must promote transparency and ethical leadership, with clear escalation procedures and independent oversight mechanisms.
  • Ethical risks should be integrated into GRC frameworks, not only focusing on compliance but also on corporate culture, leadership integrity, and conflict-of-interest prevention.

Indian Context: Satyam Scandal (2009)

In India, the Satyam Computers scandal remains one of the most infamous cases of corporate governance failure. In January 2009, founder and chairman B. Ramalinga Raju admitted that the company’s cash balances, revenues and profits had been inflated for years, a fraud of roughly $1 billion. The unexpected finding during the investigations was that the fraud had been sustained at the very top of the company and had been detected neither by the board and its audit committee nor by the external auditors, who were later charged. Despite Satyam having an established governance structure on paper, the company failed to detect and prevent conflicts of interest at the highest levels, leading to one of India’s largest corporate scandals.

Lesson Learned:

  • A robust GRC framework must include mechanisms to detect conflicts of interest at all levels of the organization, especially among senior leadership.
  • Organizations should implement independent audits, establish a transparent whistleblower policy, and strengthen internal controls to ensure governance practices are ethical and transparent.

4. The Failure to Manage Third-Party Risk

Case: Target Data Breach (2013)

The 2013 Target data breach, which exposed roughly 40 million credit and debit card records along with personal information for around 70 million customers, is often cited as a textbook example of how third-party risks can go unnoticed in an organization's GRC process. The attackers first compromised a refrigeration and HVAC vendor with phishing malware and stole the credentials the vendor used to reach Target’s vendor-facing systems. From that foothold they moved laterally into the network segments hosting point-of-sale systems and installed card-scraping malware, exploiting both the weak security controls at the vendor’s end and the insufficient segmentation between vendor-facing and payment systems on Target’s end.

This finding showed how deeply interwoven third-party relationships are in modern business operations, especially in IT, supply chain, and customer data management. Target’s GRC program was oriented toward protecting its own infrastructure; it had not extended adequate risk assessment to vendors and external partners, nor asked what a compromised vendor account could reach once inside the network.

Lesson Learned:

  • Organizations must incorporate third-party risk management into their GRC frameworks, particularly when it comes to vendors with access to sensitive data or IT infrastructure.
  • Third-party risk assessments should be continuous and dynamic, with regular audits, security checks, and updates to vendor contracts that include clear cybersecurity and compliance requirements.
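The question the Target case raises, "what can a vendor connection reach once inside?", is one a GRC reviewer can answer mechanically from the firewall policy. The following is an added example written for this article, not a tool from Target or any vendor: it maps a set of allow rules onto network zones and searches for forbidden zone pairs that become reachable through a chain of rules, which is exactly how a vendor-portal login can end up next to point-of-sale systems. The zone names, address ranges, rule names and both policies are constructed for the demo.

```python
"""Added example (not from the original article): a zone-reachability check over
a firewall policy, showing how individually reasonable 'allow' rules chain into a
path from a vendor network to the payment network, and a policy that does not.
Zone names, address ranges and rules are constructed for the demo."""
import ipaddress
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    action: str   # "allow" or "deny"


# Constructed, disjoint network zones.
ZONES = {
    "vendor": "10.40.0.0/16",   # third-party vendor VPN pool
    "dmz":    "10.20.0.0/16",   # vendor-facing portal
    "corp":   "10.10.0.0/16",   # internal business systems
    "jump":   "10.30.0.0/24",   # hardened admin jump hosts
    "pos":    "10.200.0.0/16",  # point-of-sale / cardholder data
}

# Zone pairs that must never be able to communicate, directly or indirectly.
FORBIDDEN = [("vendor", "pos"), ("dmz", "pos")]

# Weak policy: every rule looks justified on its own; the explicit deny on the
# direct vendor->pos path gives false comfort because the indirect path is open.
WEAK_POLICY = [
    Rule("vendor-to-portal", "10.40.0.0/16", "10.20.5.0/24", "allow"),
    Rule("portal-to-corp",   "10.20.0.0/16", "10.10.0.0/16", "allow"),
    Rule("corp-to-pos",      "10.10.0.0/16", "10.200.0.0/16", "allow"),
    Rule("vendor-to-pos",    "10.40.0.0/16", "10.200.0.0/16", "deny"),
]

# Hardened policy: the portal reaches only the billing database, and POS is
# reachable only from dedicated jump hosts that nothing vendor-facing can reach.
HARDENED_POLICY = [
    Rule("vendor-to-portal",     "10.40.0.0/16", "10.20.5.0/24", "allow"),
    Rule("portal-to-billing-db", "10.20.5.0/24", "10.10.8.0/24", "allow"),
    Rule("jump-to-pos",          "10.30.0.0/24", "10.200.0.0/16", "allow"),
]


def zone_edges(rules, zones):
    """Map each allow rule onto the zone pairs it connects.
    Conservative: any address overlap between the rule and a zone counts.
    Deny rules are ignored because a deny on the direct path does nothing to
    close an indirect one, and ports are ignored because any open port is a hop."""
    nets = {z: ipaddress.ip_network(c) for z, c in zones.items()}
    edges = {}
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        for s, snet in nets.items():
            if not src.overlaps(snet):
                continue
            for d, dnet in nets.items():
                if s != d and dst.overlaps(dnet):
                    edges.setdefault((s, d), []).append(r.name)
    return edges


def shortest_path(edges, start, goal):
    """Breadth-first search over the zone graph; returns the zone sequence or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for s, d in edges:
            if s == path[-1] and d not in seen:
                seen.add(d)
                queue.append(path + [d])
    return None


def find_violations(rules, zones=ZONES, forbidden=FORBIDDEN):
    """One finding per forbidden pair that is reachable, with the rules on each hop."""
    edges = zone_edges(rules, zones)
    findings = []
    for s, d in forbidden:
        path = shortest_path(edges, s, d)
        if path:
            chain = [edges[(a, b)] for a, b in zip(path, path[1:])]
            findings.append({"forbidden": (s, d), "path": path, "rules": chain})
    return findings


if __name__ == "__main__":
    for finding in find_violations(WEAK_POLICY):
        print(finding)
    print("hardened policy violations:", find_violations(HARDENED_POLICY))
```

Run against the weak policy the check reports a vendor to dmz to corp to pos chain built from three ordinary rules; against the hardened policy it reports nothing. The useful GRC artefact is not the script but the list of forbidden pairs: agreeing which zones a vendor may never reach, and re-running the check whenever the policy changes, turns "third-party risk" from an annual questionnaire into a control that can fail loudly.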

Indian Context: YES Bank's Financial Troubles (2020)

In India, YES Bank was placed under a moratorium by the Reserve Bank of India in March 2020 after a prolonged deterioration of its loan book. Investigations revealed concentrated exposure to stressed corporate borrowers of questionable financial health, alleged related-party and quid-pro-quo lending decisions involving its founder and senior management, and under-reporting of bad loans that the regulator had flagged in earlier inspections. While YES Bank had regulatory compliance frameworks in place, its risk assessment failed to properly evaluate and manage the risks associated with these counterparties, dealing a significant blow to the bank’s reputation and financial health.

Lesson Learned:

  • Third-party risk management should be an integral part of an organization’s GRC framework, especially when dealing with financial institutions, vendors, and contractors who have access to sensitive data or infrastructure.
  • Regular audits of third-party contracts and relationships are necessary to ensure compliance with internal policies and regulatory requirements.

5. Underestimating the Impact of Regulatory Changes

Case: Uber's Failure to Report Data Breach (2016)

Uber faced significant regulatory scrutiny and fines after it emerged that the company had concealed a 2016 data breach exposing the personal data of about 57 million riders and drivers. Uber learned of the breach in late 2016 but did not disclose it until November 2017; in the meantime it paid the attackers $100,000, routed through its bug bounty program, in exchange for deleting the data and keeping quiet.

This unexpected GRC finding was tied to Uber's failure to adhere to data protection regulations, specifically regarding timely reporting to regulators and affected parties. Uber was also criticized for failing to implement a comprehensive incident response plan and failing to establish a culture of compliance.

Lesson Learned:

  • Organizations must be proactive in monitoring and adapting to regulatory changes, particularly around data protection and privacy laws (e.g., GDPR, CCPA).
  • Effective GRC frameworks should ensure compliance is not just about legal obligations but also about fostering a transparent culture that prioritizes ethical behavior and regulatory adherence.

Indian Context: Future Group’s Compliance Issues with the Retail Sector (2020)

In India, Future Group, one of the largest retail conglomerates, ran into compliance difficulties when it agreed in 2020 to sell its retail, wholesale and logistics assets to Reliance Industries as part of its efforts to resolve its financial troubles. The transaction needed clearances from the Competition Commission of India (CCI), the Securities and Exchange Board of India (SEBI) and the stock exchanges, and it was also challenged by Amazon, an existing investor in a Future Group entity, which argued that the deal breached restrictions in its investment agreement and obtained an emergency arbitration award against it. The unexpected finding was that Future Group had underestimated the regulatory and contractual implications of such a high-profile transaction, including obligations created by an earlier investment, leading to prolonged delays and ultimately the collapse of the deal.

Lesson Learned:

  • Organizations must stay on top of evolving regulations, especially when undergoing significant business transitions such as mergers, acquisitions, or restructuring.
  • A proactive GRC framework includes not only risk identification but also an awareness of the regulatory landscape and potential shifts in law that could impact strategic decisions.

Conclusion: The Importance of Continuous GRC Evaluation

The unexpected GRC findings from both global and Indian examples underscore a critical truth: GRC strategies must be dynamic, integrated, and continually evolving. Organizations must not only focus on compliance with current regulations but also work to uncover emerging risks, such as third-party vulnerabilities, insider threats, governance lapses, and data privacy concerns. Regular risk assessments, continuous monitoring, and adaptive GRC strategies are essential for detecting and mitigating these hidden risks before they escalate into significant issues.

By fostering a proactive GRC culture, organizations can ensure that they are not just reactive to crises but prepared to prevent them, securing their future in an increasingly complex and interconnected world.

Virendar Koul

Consult Partner at Kyndryl

2 months

Very informative Umang Mehta. Thank you

Tony William

Infrastructure Consultant at Capgemini

2 months

I agree

Vijayashankar Nagarajarao

Chairman-FDPPI,Privacy and Data Protection Consultant, Certified Independent Director, Corporate trainer

2 months

Thank you for the sharing of the list of data breaches...and reminding of the GRC failures

Umang Mehta

Award-Winning Cybersecurity & GRC Expert | Contributor to Global Cyber Resilience | Cybersecurity Thought Leader | Speaker & Blogger | Researcher | CISO & CISA Practitioner | Cybersecurity Thought Leader and Writer

2 months

Such an eye-opening perspective on GRC! It's fascinating how unexpected findings can turn into pivotal moments for stronger governance and risk strategies. Have you ever encountered a hidden risk that reshaped your organization's approach to GRC? Let's discuss! #Engagement
