GRC Platform Thinking V3 GCO
February 2019
Table of Contents
Key challenges
Capability model
In a digital world, risk management needs to fundamentally transform to enable a business and risk strategy that is more customer-centric and relationship-driven.

Advisor: risk management not only monitors downside and outside risks, but also provides upside risk insights to business and product teams to inform risk appetite and strategy.

Flexible: risk management needs to be integrated into the first line of defense while maintaining strong risk oversight and creating a nimble, efficient risk operations model to keep pace with the business landscape.
Integrated data intelligence and architecture as an enabler for digital risk transformation

In a digital world, risk management needs to fundamentally transform to enable a business and risk strategy that is more customer-centric and relationship-driven.

Adaptive digital risk management incorporates management of risks associated with the digital transformation from the front- to back-office (digital risk management), as well as fully testing and deploying digital strategies to better manage risk (digitizing risk management).

A customer-centric approach requires firms to design risk governance processes that are integrated to the customer journey; aligned to risk appetite; emphasize relationship value; rely on Agile development bringing products to market more quickly with automated controls; and enable digital customer fulfillment.

Digitally enabled advanced technologies provide real-time monitoring and insightful risk management, increasing their ability to act as an advisor and provide nimble oversight.

A connected GRC platform enables these processes and technology capabilities.

Adaptive governance
► Adaptive core risk management disciplines
► Accountability and strong 3LOD model
► Talent and culture

Product and service management
► Real-time product design
► 1st LOD controls
► Digital product governance

Agile decisions
► Agile risk data aggregation
► Real-time risk detection and decisions
► Dynamic customer profile

Data intelligence and architecture
► Platform ecosystem
► Data Management Strategy
► Cloud architecture

Resiliency
► Operational resiliency
► Cybersecurity and privacy
► Third party
► Crisis management
Context of GRC challenges

1 Companies tackled risk management in silos as regulations were created
As regulators released new requirements, companies would tackle that individual regulation's needs, instead of integrating the new regulation into the existing risk management framework.

2 This led to effective point solutions, but duplicative data sets
The result of targeting risk management needs in silos is that companies have very effective point solutions, but completely disconnected teams across their risk management organization, duplicating each other's work.

3 Duplication and segregation lead to poor analytics
Because of these isolated teams and data sets, management can't identify themes or common problems across the risk functions, and the risk functions overextend themselves to maintain their independent data sets.

4 The overhead of these environments is not sustainable
The creation of multiple solutions has led to unsustainable overhead to administer and fund the environments from an IT perspective, as well as to maintain unique data sets across multiple functions from a business perspective.

5 Assessment fatigue for the first line is causing friction
In addition to headcount and IT cost pressure, risk management organizations are also facing political pressure due to assessment fatigue on the first line.
Today's GRC shortcomings and new challenges introduced by a digital business

Industry solutions have not fulfilled original goals of reducing manual processes and cost of labor involved in identifying, assessing, monitoring and rating risks.

1 Multiple GRC taxonomies and technologies used across different risk stripes make it difficult to obtain a comprehensive and consistent risk profile.

2 GRC platforms are implemented without the end goals in mind, limiting their usefulness.

3 GRC platforms are not extensible to products, services, or customer journeys, restricting the ability to adapt to a changing business.

(Diagram: Products, Journeys and New Technologies feeding GRC Services (Operational, Regulatory), with open questions around Business Insights, Issue Management, Testing schedule and Risk assessment.)

Risk management requires a proactive and consistent view into the business. Now, with the speed and scale of digital products and processes, the enterprise GRC platform needs to facilitate access to data and insights that enable informed decision-making.
Governance, Risk and Compliance (GRC) Platform Thinking

Platform Thinking is building an extensible and scalable capability platform to better integrate sources of data to produce better information and insights, reduce cost, and leverage automation and analytics to respond more quickly to the evolving sophistication of agile businesses and technology environments, in order to enhance customer service.

Benefits
► Enabling an integrated GRC ecosystem that uses data more effectively to develop a comprehensive risk profile.
► Enhancing and linking taxonomies and libraries for digitally-enabled investigative analysis, aggregate and granular reporting, and responsiveness to change.
► Establishing the foundation for a digitally empowered environment that leverages tools as end points to reduce manual analysis.
► Designing and implementing an automated risk monitoring capability and data model that enables risk managers to more quickly identify and respond to changes in risk.

Governance
► Strong and integrated three lines-of-defense operating model, supported by platform roles and workflows that are designed to adaptively map to changing business models and risks
► Integrated process, risk and control taxonomy linked to customer journeys and aligned with new business models, supporting PRC cohesiveness and ability to scale

Risk
► Meaningful connections between data to generate rich, resonant insights through intuitive common digital business platforms
► Risk strategies and analysis aligned to the customer journey, improving the quality and value of risk information

Compliance
► Ability to manage a centralized, normalized framework, taxonomy, policies, processes, risks, controls, assets and data through a comprehensive single-source repository seamlessly addressing multiple compliance, regulatory and business requirements
► Right-time risk identification, automated data collection, integrated risk assessment and near-real-time reporting for risk processes, controls testing, and monitoring
GRC platform thinking capability model

Capabilities

Governance: adaptive risk governance that integrates ownership and accountability for risk and compliance across the three lines of defense, leveraging dynamic risk appetite.

Identify and assess:
► Real time and automated risk identification and monitoring of changes in risk profile
► Dynamic risk assessment that allows flexibility in customization of risk assessments and ingestion of data from across the environment
► Integrated taxonomy that enables intelligence through relationships of organizational hierarchy, process, risks, controls, regulations, third parties, and systems

Monitor & Report: advanced reporting and analytics that empower management with actionable intelligence to facilitate proactive and better decision making.

Enable:
► Robust data and architecture strategy that enables automated linkage of data across the enterprise
► Enabling tools and technologies in an integrated GRC platform

Use Cases

1 Business insights
Identification of upside risks, such as growing customer base and market share, based on changing market dynamics, business strategies, or regulatory drivers.

3 Real time automated risk identification
Use dynamic indicators (e.g. KRIs, control testing results) and machine learning capabilities to provide real-time transparency to risks and trigger actions (e.g. risk assessment, monitoring).

4 Dynamic risk assessment
Risk assessment results automatically factor in changes in control, loss, and issue data or other indicators, prompting risk owners and managers to re-evaluate.

5 Robust data strategy
Build a data lake to enable risk management capabilities by housing relationships between various data sources and enabling reporting. Automated reference data management allows data structure or compliance rule changes to propagate automatically through the GRC infrastructure.

6 Tools and technologies
Use predictive analytics through next gen capabilities and data analytics (e.g. machine learning, AI, cognitive design) to produce highly customized and interactive dashboards for the business to understand emerging risks to address within their business lines.
Benefits of an integrated GRC platform and data architecture

► Enables a Process, Risk and Control (PRC) framework (e.g., taxonomy and risk data) and common assessment methods that can adaptively map to a changing business structure to support Risk, Compliance and Internal Audit activities
► Facilitates risk assessments, testing/monitoring, issues management, and reporting across the 3 lines of defense
► Defines your risk profile (combining different risk activities from different risk functions) and focuses management on risks that matter
► Reduces duplication and associated costs and creates a consistent tool-based approach as it relates to managing risks and enhancing the control environment
► Improves risk data, analysis/effective challenge and value-add from risk functions to business, enabling informed risk-taking and decision making along the customer journey
► Supports the identification, monitoring, mitigation and reporting of Risk, Compliance and Internal Audit activities across an organization
► Integrates reporting through standard reports, data export features, and configurable dashboards
► Saves time and resources from the retiring of legacy and inefficient tools and approaches

Investment in data architecture (e.g. shared PRC) and governance establishes the foundation for a digitally empowered and robust risk management environment.

Cost savings may be realized from removing duplications, decommissioning legacy systems, and optimizing technologies (e.g., cloud, advanced analytics).

Value is unlocked by developing analytical capabilities that enhance risk management and enable business insights and decision-making (e.g., dynamic risk ID, risk based pricing).

Business growth is enabled by integrating risk and business functions for improved business intelligence and more agile risk management that increases competitive advantage.
A platform is needed to enable digital products, processes and capabilities with common data

Today: separate silos of Compliance data, processes, policies and reports; Operational data, processes, policies and reports; Credit data, processes, policies and reports; Liquidity data, processes, policies and reports; Market data, processes, policies and reports; and so on.

Target: a platform of Common Data, Products, and Processes supporting the following capabilities:
► Adaptive Risk Governance
► Regulatory Inventory / Rule Mapping
► Risk Enabled Review
► Dynamic Customer Profile
► Dynamic Risk Assessment
► Credit Bureau Reporting Compliance
► Advanced Reporting
► Sales Practice Review
► Risk Management in Three Lines of Defense
► Risk Analytics and Robust Data Strategy
► Risk Management, Compliance Monitoring
► Agile Collaboration
► Performance Mgmt
► Retention and Resolution
► Digital Product Development Governance
► Fintech / Third Party Risk Management and Monitoring
► Privacy, IT, Cloud, Cyber, and Data Risk Monitoring
► Real time and automated Reg Mapping and Risk ID, Assessment and Monitoring
► Compliance and Risk TOM and Technology Strategy

(Diagram: common data sources feeding the platform, including monitoring results, risk assessment results, testing results, product pipeline, product terms and conditions, list of systems, news (consent orders, MRAs), employee info (KYE), customer info (KYC), org structure, training data, internal audit reports, transactions, policies and procedures, Agile Scrum boards, regulations, market info, third party contracts, issues and risk case status.)
Example of how transforming the GRC platform enables the risk management lifecycle

(Diagram: Risk Management lifecycle spanning new product approval (repeated for product signoff) and ongoing monitoring of upside and downside risks (i.e. profitability model of credit worthiness).)
Use case

... risk management solution. We leveraged coordinated efforts across all functions to eliminate redundant activities (i.e. multiple risk assessments) and increase collaboration and leverage across functions. The client successfully designed and operationalized integrated processes in an integration solution.

Client results
► Significantly fewer FTEs than competitors
► Reduced licensing and administration costs through platform consolidation
► Integrated assessments of the business units
► Automated reporting leads to on demand executive dashboards, with no dedicated FTEs required to produce them

EY's value add to the client
EY helped deliver and integrate risk functions across the organization in a cost effective manner. EY worked with the client across all three lines of defense to hit multiple objectives, reduce redundancy and increase effectiveness of the risk program through a common eGRC platform leveraging consistent methodology.

Integrated risk management with metrics and dashboards across:

Third Party Risk
► Vendor control assessment questionnaire
► Third party assessment execution

IT Risk
► Technology focused risk assessment
► Cyber / IT Risk

Financial Risk (Liquidity, Market, Model & Credit Risk)
► Framework and program development
► Policy and procedures
► Stress testing
Evolution of GRC platform maturity
Recommended actions for quick wins
• Aggregate current state risk activities from various risk functions and then • Define strategy for a central risk data repository
refine to define the most valuable insights that will drive future state risk • Plan integration/adoption of enterprise data repository including
profile models integration tests
• Determine the requirements and functionalities of the common integrated • Expand taxonomy to include regulation/product/process/portfolio to drive
future state risk management and control platform linkages across risk data
• Identify and map common product and risk datasets across the lines of • Begin alignment of risk and control processes and systems across 3LOD by
business for future linkage and integration. through implementing common integrated:
• Identify and map common mitigating controls, reports, and policies across • RPA tools to perform repetitive and manual work supporting risk
Risk, Compliance and Internal Audit activities
• BI tool to connect disparate datasets and enable dynamic insightful report
• Define desired executive-level risk reports and dashboards generation
• Identify the ineffective legacy tools and manual processes performed across • AI and ML solutions to enhance management of risk data elements (i.e.,
risk management activities meta-data) through smart monitoring and reporting
Appendix
Three lines of defense integration for common GRC platform

A common GRC platform enables integration across the three lines of defense:
► Data is compiled into a normalized policy, risk and control matrix spanning the enterprise
► People perform roles within a process shared across the risk organization
► Technology enables the process and exposes the risk posture of the enterprise to management
► Management utilizes risk related information in their decision making

(Diagram: the lines of defense arranged around identification and management of risk-related information, risk optimization, monitoring of control design and operation, management reporting, and independent assurance.)

2 Second line (management assurance): second-line groups are responsible for ongoing monitoring of the design and operation of controls in the first line of defense, as well as providing advice and facilitating risk management activities.

3 Third line (independent assurance): third-line groups are responsible for independent assurance over managing of risks. This line includes internal audit, external audit and some regulators.
Technical Considerations underpinning GRC Platform Development (18-24 months)

GRC programs are supported by enterprise GRC technology systems that encapsulate the three lines of defense, along with additional functionality, in a single application. GRC technologies offer a common data library, process-specific functionality and common functionality. GRC technologies provide a central point of management and a single point of truth. Our methodology brings together a multi-disciplinary functional & technical team, combined with agile delivery capability.

(Diagram: Governance and PMO over process-specific functionality such as Enterprise risk management (ERM), Policy and Vendor.)
Thank You
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services.
The insights and quality services we deliver help build trust and confidence
in the capital markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a better working
world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member
firms of Ernst & Young Global Limited, each of which is a separate legal
entity. Ernst & Young Global Limited, a UK company limited by guarantee,
does not provide services to clients. For more information about our
organization, please visit ey.com.
© 2019 EYGM Limited.
All Rights Reserved.