Getting to GRC: some lessons from the best

Companies have invested millionsand, in some cases, hundreds ofmillions of dollars in an array ofgovernance, risk and compliance (GRC)programmes. Much of the focus has beenregulatory-driven, as companies devotedsignificant resources to collecting riskdata, conducting risk assessments, evaluatingand enhancing audit and complianceprogrammes, implementing frameworksand software applications, and modellingexposures – all with an eye towards producingthe documentation needed to complywith a myriad of new regulations.
Now, many of these organisations areturning their attention to increasing thereturn on their GRC efforts. Some arelooking at this from a cost perspective: howto reduce what appears to be a lot of duplication,by implementing a single enterpriseframework that would address all thingsrelated to GRC. The arguments in supportof this include more efficient data gatheringthrough reduction of duplicative assessmentefforts, as well as enhanced reportingand data integrity.
While the benefits would seem intuitive,most organisations have been reluctant toapply a ‘big-bang’ strategy to GRC and,instead, are looking for ways to strengthenand leverage their current investments. Thereason is straightforward: so far, there is littleevidence the costs associated with what areoften viewed as duplicative assessment andreporting programmes are sufficiently largeto justify complete and potentially distractinginfrastructural and methodologicaloverhauls. At the same time, it is not clearhow much of what takes place on a day-todaybasis in the individual GRC functionalsilos is actually duplicative versus unique toeach particular function’s responsibilities.This does not mean progress in implementingthe GRC philosophy has stopped – itmeans companies are not necessarily lookingto adopt a single GRC platform applicationto drive integration and collaboration and improve risk identification and management.Rather, they are employing a suite of applications,and looking for ways to drive convergenceamong them.
They are going about this in different waysand focusing on different considerations.Some want to “turn all that risk data intoaction”, and integrate the output from theirGRC silos to produce a prioritised, firmwideview of risk exposures to drive actionplans. Others are focused on leveragingthe collective brain of their front-office andback-office employees by implementing toolsthat enable real-time collaborative decisionmaking.Still others are focused on assessingand managing the complex intersections ofrisk that exist between their products, businessunits and regions – that may reflectmaterial exposure when viewed collectively.At BPS, we call these “next generationGRC initiatives”. Some take place withinindividual GRC silos, some span a coupleof silos, and some take place at an enterpriselevel. All are focused on enhancing integrationand collaboration, while respecting thecultural realities of their businesses. All havea forward-looking, proactive dimension. Andmost importantly, all have linked the valueproposition of their efforts to the underlyingvalue proposition of their businesses.
The following case studies provide a closerlook at these next-generation initiatives. It’snoteworthy that each of the companiesdiscussed is a leader in its industry andhas sustained competitive advantage over along period of time. It’s perhaps not surprisingthat these historically well-managedcompanies are looking to implement nextgenerationinitiatives to further strengthentheir business operations.

Creating an enterprise GRCissues and action tracking hubThe first example is a global financial servicesfirm whose GRC activities are managedby separate functional silos. The CFO of thisorganisation took the view that importantoutput resided in the individual GRC units,and that it was important to find a way to integrate and aggregate data without necessarilychanging the structure of how theseunits operate. He believed that, viewedtogether, their output could provide valuableinsight into the overall risk exposure of thefirm. At the same time, he wanted to driveaction: speed up the ability to identify andprioritise issues and drive action plans tomitigate and manage these issues.
Working with BPS, the company implementedan issues and action tracking hub,which integrated the outputs from the separatecompliance, op risk, audit, and businesscontinuity applications. These outputs werecaptured and organised as risk issues andactions. The BPS hub application enabledthe CFO to prioritise issues and link them toaction tracking, workflow and reporting.The ability to create an overview of issuesin an enterprise and link these to risk exposuresin a company’s people, products andprocesses provides senior management andboards with a valuable strategic tool. Issuescan be assigned priority according to theirimpact, pervasiveness or non-compliancewith regulatory or governance policy. Actionplans may inherit these priorities as they arecast and approved. Like all types of managedchange, action plans may be near-term andtactical to effect an immediate fix or morelong-term, with multiple implementationphases and even separate management anddedicated resources.
In this case, proposed action plans arecollected and analysed as investments thecompany can make to prevent losses incurredby insufficiently mitigated issues. Groups ofissues and their related actions are furtherorganised into portfolios that allow managersto view and prioritise according to a varietyof parameters. These may include risk types,geography, product line, etc. They may alsobe cast in terms of specific top-down strategiessuch as improved customer service, lowerturnover or departmental rationalisation.
The relationships that exist between anorganisation’s risks, operations, issues andactions are sophisticated and multi-dimensional(many-to-many). This is particularlytrue for global financial services firms,where a single perceived deficiency mightcut across a number of products and unitsthat, collectively, will have a material impacton the company. Without a tool that enablesconvergence, total potential impact remainsinvisible. Therefore, the success of an issuesand action tracking hub is dependent on thedegree to which these inter-relationships areunderstood and maintained.
The implementation of an integrated issuesand action tracking hub is proving to be themethod of choice for organisations that wantto leverage their investments in compliance,audit and risk management and benefitfrom an integrated GRC approach withoutreplacing their current programmes. Manysenior executives see issues and action trackingreports as clearer and more relevant totheir core businesses and operations, and areincluding a large number of front-line andback-office users. In this case study, severalthousand employees are using the system.Each user can create an issue, which helpsspeed up the identification of risk and mitigateexposure.

Accelerating cross-unit riskanalysis in a highly complex anddynamic environment

Global organisations wanting to achieveconsistency in their risk management reportingare often challenged by the size andcomplexity of their organisations. Theseenterprises maintain sophisticated hierarchiesof legal entities, functional groups, managementstructures as well as lines of business,regional organisations and the like. Many ofthe points where risk data needs to be gatheredexist at the intersection of these hierarchies.
These intersections further dictate thefrequency and scope of assessment activity aswell as the organisation of issues and actionsthat may arise from the analysis. The interrelationshipsbetween these hierarchies andtheir related risk management activities canalso drive the rules for aggregating data.The organisation in this example demandedan approach that would fit its companystructure and could also handle frequentorganisational changes. Implementing asolution quickly was important, as there waslittle appetite for a long drawn-out projectin advance of adding value. Critical successcriteria also included the ability to capturehierarchical structures within the solutionand automate the various different assessmentswithin this context and withoutcompromising established methodologies.
Even more significantly, the companyneeded the ability to dynamically change themethodology, data structure and organisationwithout compromising historical accuracy.This ability to change needed to happen“on the fly” and at discrete levels, withoutdamaging the integrity of the system.BPS had recently matured two key facilitiesin its product platform that facilitatedthe solution. First, the system allowed usersto independently create and separatelymanage any number of structured hierarchiesto describe the enterprise’s actualstructure. Further, these hierarchies couldbe connected at all points, forming a matrix.The hierarchies and their connection pointscould be managed independently by administratorswithout the need for programming.
Changes to this structure could be securedand revision-controlled to maintain historicalaccuracy and data integrity. Second,the system would allow users to implementspecific templates that would controlhow data would be gathered and testingcompleted and scored more appropriately.These templates would operate at each node(hierarchy intersection) in the business.Workflow rules and email notificationswere configured to operate uniquely at eachpart of the structure, so the system couldachieve specific automatic behaviour in eachpart of the business, while providing the freedomfor risk managers to evolve and refinetheir methods and frameworks over time.Risk management methodology, risk andcontrol relationships and reporting requirements,as well as supporting evidentiaryinformation (documents, logs and other datafrom company systems) all work together inlockstep in a repeatable and automatic fashion,while feeding a growing library of informationabout the enterprise that provides the basis for accurate, automatic reporting aswell as rich ad-hoc inquiries conducted bymanagers throughout the enterprise.
Once in place, other representatives ofthe business operations as well as otherrisk management functions found it easierto justify adopting the facility to gatherrisk information and report on exceptionsand remediations.

Enabling collaborative risk evaluationin a secure environment.

Effective GRC initiatives must accommodatethe different ways that different businessunits, different cultures and different individualswork day-to-day, and how that changeson an ongoing basis. Most business unitsand business people do not work in a highlysystematised, linear, or structured fashion.Rather, their days are dynamic, episodic,filled with detours and course modifications,and they employ creative and cognitivelydissonant methods of decision-making.
Many companies have unique culturesand unique ways of running their businesses.This is particularly true in companieswhose major asset is the intellectualcapital of their people, and where judgmentand decision-making is entrusted to highlytrained and seasoned professionals who areexpected to collaborate within and acrossbusiness and functional lines to elicit collectiveinsights and achieve optimal outcomes.
Implementing a solution that will work forthese people in this kind of environment is ahuge challenge, requiring an artful balanceof flexibility and precision – in real-time.In this case, a global company’s auditorsneeded to plan and conduct cyclical reviewsof the business in collaboration with thebusiness process owners. High degrees ofresolution were often sought, requiringthe handling of masses of varied documenttypes. There was also an express desire to godeep into the documents to identify inconsistenciesand gaps between written policies,historical documents and logs, evidentiarytrails and daily business activity.
Highly skilled assessors needed to identifyand electronically document potentialpatterns and inconsistencies within businessoperations and share this informationsecurely within their expert ranks to formopinions as to the materiality of the issueand the potential risks. Detailed collaborationon these findings needed to includeinput from the business practice ownersand other management in real time toensure efficiency.
All participants had specific ways inwhich they desired to engage this work,communicate and even document theirviews, varying from highly structured analysis(requiring point proof for every assertion)to high-level diarised opinion andoverall guidance. The system’s ability toappeal to how they wanted to conduct theirwork as well as support the granular securitywith which they conducted their workand held these dialogues was critical.

From managing audit andcompliance risk to managingoperational risk

Perhaps the most exciting next generationapplication BPS has seen involves a transportation-distribution company that is using itsaudit and compliance application to bettertrack and manage the day-to-day operatingrisks of its business. This company decided toexpand its use of assessment methodologiesfor audit and compliance to gather informationabout its operations in general. It livesand dies by its ability to allocate its productsand services in different geographies withprecision and timeliness. The potential fora costly business interruption, in this case aderailment, is a well-understood reality.
Knowledge about the risks and effectivenessof individual controls is well-understoodat functional levels. But the companylacked a high-level view of its current exposureand operational risks and how the dailyimplementation of its policies and processeswere affecting this exposure. Withthe constant desire to run leaner and moreefficiently, the company needed to gatherdata from within the operation in a strategicfashion and to use this to help prioritisecontinuous, operational improvements.
At BPS, we are seeing a great deal ofgrass-roots GRC interest at companies likethis. They seem to develop a natural GRCattitude, because they have a front-andcentreunderstanding of what catastrophicevents are possible in their organisationsand what impact they have on the business.Therefore, expanding their efforts tomonitor their company’s risks – beyondwhat they are compelled to do legally– and maintain an ever-expanding understandingof how these risks interact withtheir day-to-day decision-making easilyjustifies the activity.

The GRC evolution

From the examples above, it seems clearthat the next generation of GRC initiativesare moving far beyond highly structured,static, compliance-focused activities thatwere the focus of many initial investments.These new initiatives are enabling moreproactive and timely risk identificationand issue resolution “in the trenches”, andenabling more effective prioritisation andoversight of risks at senior managementlevel. Important progress is taking place ona number of fronts, in compliance, audit andoperational risk management. Companiesare making real headway in turning all thatdata into action, and better leveraging thecollective brain of their organisations, andin identifying significant exposures thatwere formerly lost between the cracks.
The quest for more integration, collaborationand convergence that is at the heartof the GRC philosophy is well underway.The focus on implementing solutions insmaller, more precise and value-drivenways seems contrary to the all-encompassingGRC vision many observers advocate.But as the case studies demonstrate, theimplementation of right-sized pieces inlogical steps, is ultimately faster, easier tojustify, and more effective for companieswho have bought into the GRC vision.This trend, in our view, signals clarity andmaturation in the way the market is seekingto adopt both technology and methodologyin the GRC space.

  • LinkedIn  
  • Save this article
  • Print this page  

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: