Chief technology officer at NASDAQ GRC software provider BWise outlines how to optimise GRC programmes
An effective governance, risk and compliance (GRC) platform goes hand-in-hand with a powerful business.
As a result of the changing regulatory landscape, organisations are learning that an increased level of awareness of GRC is crucial to improving corporate culture and business longevity.
One of the biggest opportunities and challenges for organisations is determining what type of GRC platform is needed and how to successfully implement this framework into everyday business practices.
In a recent study examining challenges at 86 financial institutions, Deloitte reports that more than 85% of respondents felt their organisations would benefit from integrating and streamlining the use of technology for GRC activities enterprise-wide.
The time has come to generate a fresh outlook on the collective approach to integrating GRC into business practices. The regulatory and legal reasons why companies benefit from effective governance and compliance are obvious, but organisations also need to make a powerful business case for integration, creating a workflow that integrates all policies, processes and controls.
1. The GRC programme should be clearly defined
A lack of governance and/or leadership in an organisation makes department-wide collaboration difficult and, therefore, hampers the decision-making process. Many of the delays observed in GRC projects stem from exactly this lack of governance and/or leadership.
During a GRC implementation, groups are required to collaborate with other departments to make decisions. This collaboration is crucial to driving a clear decision structure. Companies must have a designated oversight person to provide a clear, common view of the purpose of the programme and to ensure a shared understanding of the definitions used within the project. The oversight group needs to agree on the definition of the risk frameworks, down to the most detailed level of data definitions, so that everybody works from the same understanding and the same definitions; this is a precondition for re-using data across departments.
Governance is required both during project rollout and after to ensure the project’s longevity. For example, collaboration groups should meet each month to assess changes on the data model and workflow levels and align strict timelines. One specific GRC department is not necessary, but alignment and collaboration between departments using the same data is necessary to drive results that reflect the entire organisation.
2. A project should be started with end goals in mind
It is important to state the direction in which the organisation is heading. What is the project trying to accomplish, and what is the business justification behind the implementation? Keeping one’s goals in mind is vital to prioritising one’s time and budget. Projects can be side-tracked by detailed discussions on how to reach certain goals, whereas a common understanding of the end goal would have quickly shown that there is more than one way to achieve it.
A GRC platform should focus on helping businesses address three main concerns; when implemented successfully, it can give companies the data they need to meet their regulatory and compliance goals.
Efficiency: organisations are looking for ways to increase efficiency and drive results quicker. Audit, compliance and risk assessment are time consuming when done without a GRC platform.
Risk reduction: the data from a GRC platform enables organisations to make better, more informed decisions, successfully identify root causes and allocate resources to mitigate risks.
Strategic support for performance: a GRC platform drives smart decision making. Companies often have difficulty allocating resources, addressing conflicts of interest or measuring success. If clear end objectives are set, the metrics generated from a GRC platform will help measure that success.
It is vital to remember: when implementing a GRC platform, the goals are only part of the discussion. Another important discussion is how the company is going to reach its specific goals. In many cases it is a matter of getting everyone on the same page.
3. GRC data should be organised to enable aggregation and reporting
Poor data aggregation is a common and significant challenge in GRC implementation. How a GRC framework is organised is critical to driving successful results that will be useful to the company. The business should be able to compare apples to apples across the board. Creating this organisational view will allow management to enter audits, examinations and board presentations with confidence. This confidence is possible only if the reporting is trusted.
Aggregation is a critical part of the GRC process. Meaningful information can be found by drilling down one or two levels, which avoids getting bogged down in information overload. Companies often start off with complex, fancy dashboards and ask for a simplified version a year later.
A big benefit of implementing a GRC platform is finding the data that stands out. Often, what companies find simply confirms things they already know. However, once data is being collected and aggregated, there are countless opportunities to find data that previously was not accessible. An overview that looked simple may turn out to have enormous added value and to surface exactly the data that was required.
4. GRC data should be integrated
Firms should think about the way their GRC processes run across their different departments and units. To succeed in the integration process, firms must ensure that data produced in one department can be reused in another. This requires strongly aligned data definitions (see governance, above), alignment of timing and workflow, and sufficient data access.
Additionally, each business unit may have its own view on its approach to GRC. It is common for compliance functions to take a legal-entity view, for an operational risk manager to take the view of the business unit, and for business continuity to look at locations. Not every part of the organisation should be forced into the same structure. Instead, a conclusion should be reached on how the organisation is mapped and what works best for each department. This collaborative approach will lead to successful results.
5. A data model that can evolve should be integrated
Each company needs a framework that everyone can use and that is seamless across the business. As companies evolve through mergers, acquisitions and business restructuring, the risk and compliance landscape changes. Without flexibility in the platform, such changes can force a company to stop the programme and start from scratch. If the application cannot change, it will not reflect the business: it will not be possible to build meaningful reports, and the technology will not match the processes.
Implementing a standard data model that can easily evolve with the company is crucial. It is difficult to predict what a company will look like in a few years. The GRC platform should be simple and flexible. No single GRC platform will satisfy every need. Instead, businesses should adopt an open architecture approach to be sure they are getting the attention they need in all areas of GRC.
A study by Grant Thornton indicated surprising numbers about effective GRC implementation. Although GRC adoption numbers have increased, only 22% of survey respondents believe their organisations effectively leverage GRC technology. Significantly, 36% do not feel their organisations effectively leverage GRC technology.
Implementing an effective GRC platform can help increase these numbers and aid in fostering better regulatory and compliance practices across all areas of an organisation. By co-ordinating organisational strategies and processes, together with the necessary employees, departments and technology, businesses can increase transparency and maximise business control, which improves the overall health of an organisation.
By Luc Brandts, chief technology officer, BWise