Enabling Risk Culture through Governance, Risk and Compliance (GRC) Platform Thinking - Minds made for financial services March 2021
Minds made for building financial services

At EY Financial Services, we train and nurture our inclusive teams to develop minds that can transform, shape and innovate financial services. Our professionals come together from different backgrounds and walks of life to apply their skills and insights to ask better questions. It’s these better questions that lead to better answers, benefiting our clients, their customers and the wider community. Our minds are made to build a better financial services industry. It’s how we play our part in building a better working world. ey.com/fsminds

Introduction

Risk Culture is the foundation of any effective risk management system. It is only when risk management is enabled through the individuals in the organization that it can be effective. Because it is a corporate-wide activity, it needs to be performed at that level while also being embedded into the daily way of working.

In this article, we discuss why Risk Culture is important and we introduce the idea that Platform Thinking is crucial in attaining an effective Risk Culture. Finally, we explain how an eGRC (Enterprise Governance, Risk and Compliance) tool enables Platform Thinking and what an eGRC platform can bring to the organization in terms of value, cost and risk reduction.

Contents of this article:
• Why Risk Culture is important
• Changing behavior through Platform Thinking
• eGRC
• So, what’s next?
• What can make your eGRC journey successful?
• What do the results look like?

Why Risk Culture is important

In essence, Risk Culture focuses on value protection and assesses the behavior, motivations and ethical core of the organization. It is enforced through organizational mechanisms, which can include communication, policies, tools and the right “tone at the top” by Senior Management. For employees to integrate risk management activities and to actively try to understand the risks in their daily tasks, this needs to be made easy and must not be a burden on their daily operational activities. This means that you need easy-to-use mechanisms that people understand and actually want to use.

In order to achieve this, two things are deemed crucial:
• the first one is to make sure that everyone understands why risk management is so important;
• the second one is for risk management tasks to be organized as efficiently as possible in order to allow people to dedicate most of their time to their operational tasks.

Changing behavior through Platform Thinking

Putting governance and awareness programs in place is not enough. It will not suffice to enhance the risk behavior of an organization. To foster a Risk Culture that works, you need the following:
• common processes;
• efficient interfaces;
• easy access to the relevant information;
• a holistic view on the risks facing the organization; and
• a single source of the truth.

The mechanisms in place need to be clear and efficient.

In order to enable these mechanisms, the organization can use Platform Thinking, which means building an extensible and scalable capability platform to integrate sources of data. This will produce better information and insights as well as reduce cost, while leveraging automation and analytics to respond more quickly to the needs of risk personnel.

Typical platforms that allow for proper risk management activities are called eGRC tools. These offer a range of use cases and functionalities that allow an organization to execute and embed its core risk management processes in an effective way, hence improving Risk Culture accordingly. Moreover, they make for an effective implementation of the three lines of defense, in which inefficiencies or gaps in activities are resolved.

Applying Platform Thinking to Governance, Risk and Compliance would mean:
• enabling an integrated GRC ecosystem that uses data more effectively to develop a comprehensive risk profile;
• enhancing and linking taxonomies and libraries for digitally enabled investigative analysis, aggregate and granular reporting, and responsiveness to change;
• establishing the foundation for a digitally empowered environment that leverages tools as end points to reduce manual analysis;
• designing and implementing an automated risk monitoring capability and data model that enables risk managers across the three lines of defense to identify and respond more quickly to changes in risk.
eGRC

eGRC tools enable scalable solutions that cover a range of risk management activities. They allow for a single source of the truth and an easy way to integrate risk management in day-to-day operational activities. In today’s digital world, having a digitally enabled risk architecture facilitates further improvements in the organization’s overall Risk Culture thanks to a single version of the truth. It also gives key insights from already existing data, for all three lines of defense.

[Figure: layers of an eGRC platform]

Process-specific functionality (Policy management; Vendor risk management; Enterprise risk management (ERM); Information technology risk management (ITRM); Audit; Compliance): Process-specific functionality allows individual risk management organizations to control their own business processes uniquely, while increasing their ability to contribute to a unified GRC program.

Common data library (Policies, risks, controls, assets, vendors, evidence, issues, processes, etc.): A common data library allows risk information to be related and reused, not duplicated and redundant. Sharing data is a fundamental aspect of GRC and reduces what EY refers to as “compliance fatigue”.

Common functionality (Reports; Dashboards; Interfaces; Methodology; Security; Development; Issue management): Common functionality allows for a unified issue management system and for developers and end users to construct inputs and outputs without the need for third-party solutions.

“Advanced technologies provide real-time monitoring and insightful risk to act as an advisor and provide nimble oversight.” Robin Blondeel, Senior Manager Technology Risk

So, what’s next?

Implementing an eGRC system is not going to be easy. There are a number of pitfalls when starting this initiative. The most important thing to remember is that the success of an eGRC system depends on having an appropriate governance in place and the people and expertise to actually run it. When a decision is made to enable the technology, it is important to understand what risk management processes will be covered and what use cases the firm wants to implement. This can range from internal control management, vendor management, internal audit, policy management, etc. to risk appetite (e.g.).

A good way to start is to “ride the waves”. Based on years of experience, we have defined a number of waves (see hereunder) that allow any firm to start its eGRC journey. It is about knowing what to aim for and making sure that the organization is mature enough to implement and embed it.

Successful Roadmap

• Design of governance structure and responsibilities
• High-level requirements for use cases to be integrated
• Organizational Hierarchy
• Process, Risk, and Control Methodology
• Enterprise Issue Management Methodology

Wave 1
• Build out of quick wins (Application Inventory, etc.)
• Enable PRC and standardization of risk data elements
• Build out minimum viable product of risk functions
• Audit
• Policy
• Issues Management
• Vendor Risk

Wave 2
• IT Risk
• Model Risk
• SOX
• Business Continuity Planning
• Compliance
• Operational Risk
• Creation of Integrated Reporting
• Evolution of existing functionality
• Implementation of data feeds
• Enhancements to user experience

Wave 3
• Convergence of ongoing assessments
• Automation opportunities
What can make your eGRC journey successful?

eGRC systems only bring the desired benefits if certain conditions are met. It is important to understand that it will not be a cure for an immature organization or a culture which is not risk-minded. It is a mechanism that supports collaboration, communication and a flow of information. Improving the overall Risk Culture through an integrated GRC platform will help risk functions shift thinking and behavior in order to manage risk while bringing value to the business.

Experience in successful eGRC convergence programs tells us that the key success factors are the following:

[Figure: key success factors]
• Make the case for eGRC: a good business case for change with ‘buy-in’ from the Board and Senior Management.
• Make the case for eGRC real and fact-based.
• Develop incremental milestones of convergence targets throughout the journey, indicating that the target benefits have been realized.
• Make sure the issues with Risk Culture, conduct and organizational governance are tackled appropriately.
• Make sure the operating model is realistic and achievable.
• Address the Risk Culture and risk governance issues.
• Select a GRC platform based on the criteria for selection.
• Address the need for core regulations.
• Prioritize risk needs.
• Deploy a prioritized standard risk framework with e.g. uniform risk and process taxonomies, risk appetite etc.
• Bring the 3 lines of defense together to finalize a response strategy.

What do the results look like?

With the successful implementation of an integrated GRC platform, organizations provide a central point of management and a single point of truth, while appropriately managing the cost of risk management activities.

“In essence eGRC enables you to do ‘more with less’.” Sylvie Goethals, Partner Technology Risk - EY Consulting

Benefits of an integrated GRC ecosystem
• Defines your risk profile (combining different risk activities from different risk functions) and focuses management on risks that matter
• Improves risk data, analysis/effective challenge and value-add from risk functions
• Enables a Process, Risk and Control (PRC) framework (e.g., taxonomy and risk data) and common assessment methods that can adaptively map to changing business structure to support Risk, Compliance and Internal Audit activities
• Supports the identification, monitoring, mitigation and reporting of Risk, Compliance and Internal Audit activities across an organization and enhances the control environment
• Integrates reporting through standard risk reports, data export features, and configurable dashboards
• Reduces duplication and associated costs and creates a consistent tool-based approach as it relates to managing risks
• Saves time and resources from the retiring of legacy and inefficient tools and approaches

Risk: Value to business, enabling informed risk-taking and decision making along the customer journey.
Cost: Better managed information, better risk processes. This helps reduce the cost of compliance and improve ROE.

Want to know more? Get in touch with our Governance, Risk & Compliance professionals today:
Sylvie Goethals, Partner, EY Consulting, sylvie.goethals@be.ey.com
Robin Blondeel, Senior Manager, EY Consulting, robin.blondeel@be.ey.com
EY | Assurance | Tax | Strategy and Transactions | Consulting

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit ey.com.

EY is a leader in serving the financial services industry

We understand the importance of asking great questions. It’s how you innovate, transform and achieve a better working world. One that benefits our clients, our people and our communities. Finance fuels our lives. No other sector can touch so many people or shape so many futures. That’s why globally we employ 26,000 people who focus on financial services and nothing else. Our connected financial services teams are dedicated to providing assurance, tax, transaction and advisory services to the banking and capital markets, insurance, and wealth and asset management sectors. It’s our global connectivity and local knowledge that ensures we deliver the insights and quality services to help build trust and confidence in the capital markets and in economies the world over. By connecting people with the right mix of knowledge and insight, we are able to ask great questions. The better the question. The better the answer. The better the world works.

© 2021 EYGM Limited - All Rights Reserved - ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.