GRC Platform Thinking V3 GCO


Governance, Risk and Compliance (GRC) Platform Thinking

February 2019
Table of Contents

Digital risk transformation overview

Key challenges

Platform thinking for Governance, Risk and Compliance (GRC)

Capability model

Benefits of integrated GRC platform and data model

Roadmap and evolution of GRC platform maturity

Recommended actions for quick wins


Risk management in a digital world and the need for evolved
technology and data capabilities
Being digital is about transforming one’s business at its core, including risk management processes, people and technology. Companies have to reinvent their operating model and extended ecosystem. Core attributes of the Risk Management Office of the future are being nimble and effective at identifying, monitoring, assessing, and controlling risk, and designing architecture, while dynamically enabling the business to take advantage of upside risks. As such, the underlying technology and data capabilities need to improve and evolve.

Key Characteristics of Risk Management in a Digitized World

In a digital world, risk management needs to fundamentally transform to enable a business and risk strategy that is more customer-centric and relationship-driven.

Customer-Centric and Relationship-Driven
Risk processes are integrated into the customer lifetime journey; risk assessments and decisions are based on the lifetime relationship value of the customer.

Advisor
Risk Management not only monitors downside and outside risks, but also provides upside risk insights to business and product teams to inform risk appetite and strategy.

Flexible
Risk management needs to be integrated into the first line of defense while maintaining strong risk oversight and creating a nimble, efficient risk operations model to keep pace with the business landscape.

Integrated data intelligence and architecture as an enabler for digital risk transformation

In a digital world, risk management needs to fundamentally transform to enable a business and risk strategy that is more customer-centric and relationship-driven.

Adaptive digital risk management incorporates management of risks associated with the digital transformation from the front- to back-office (digital risk management), as well as fully testing and deploying digital strategies to better manage risk (digitizing risk management).

A customer-centric approach requires firms to design risk governance processes that are integrated into the customer journey; aligned to risk appetite; emphasize relationship value; rely on Agile development bringing products to market more quickly with automated controls; and enable digital customer fulfillment.

Digitally enabled advanced technologies provide real-time monitoring and insightful risk management, increasing their ability to act as an advisor and provide nimble oversight.

A connected GRC platform enables these processes and technology capabilities.

Capability areas (figure):

Adaptive governance
► Adaptive core risk management disciplines
► Accountability and strong 3LOD model
► Talent and culture

Agile decisions
► Real-time product design
► Agile risk data aggregation
► Real-time risk detection and decisions
► Dynamic customer profile

Product and service management
► 1st LOD controls
► Digital product governance

Data intelligence and architecture
► Platform ecosystem
► Data Management Strategy
► Cloud architecture

Resiliency
► Operational resiliency
► Cybersecurity and privacy
► Third party
► Crisis management

Context of GRC challenges

1. Companies tackled Risk management in silos as regulations were created
As regulators released new requirements, companies would tackle that individual regulation’s needs, instead of integrating the new regulation into the existing risk management framework.

2. This led to effective point solutions – but duplicative data sets
The result of targeting risk management needs in silos is that companies have very effective point solutions, but completely disconnected teams across their risk management organization, duplicating each other’s work.

3. Duplication and segregation leads to poor analytics
Because of these isolated teams and data sets, management can’t identify themes or common problems across the risk functions, and the risk functions overextend themselves to maintain their independent data sets.

4. The overhead of these environments is not sustainable
The creation of multiple solutions has led to unsustainable overhead to administrate and fund the environments from an IT perspective, as well as to maintain unique data sets across multiple functions from a business perspective.

5. Assessment Fatigue for the first line is causing friction
In addition to headcount and IT cost pressure, risk management organizations are also facing political pressure due to assessment fatigue on the first line.

Today’s GRC shortcomings and new challenges introduced by a digital business

Industry solutions have not fulfilled original goals of reducing manual processes and cost of labor involved in identifying, assessing, monitoring and rating risks.

1. Multiple GRC taxonomies and technologies used across different risk stripes make it difficult to obtain a comprehensive and consistent risk profile.

2. GRC platforms are implemented without the end goals in mind, limiting their usefulness.

3. GRC platforms are not extensible to products, services, or customer journeys, restricting the ability to adapt to a changing business.

Figure: separate risk stripes (Operational, Regulatory, Audit, IT Risk) feed GRC services (Business Insights, Issue Management, Testing schedule, Risk assessment, Risk management in product design, Upside AND downside risks), each marked with a question mark against the digital business elements Products, Journeys and New Technologies.

Risk management requires a proactive and consistent view into the business. Now, with the speed and scale of digital products and processes, the enterprise GRC platform needs to facilitate access to data and insights that enable informed decision-making.

Governance, Risk and Compliance (GRC) Platform Thinking

What is Platform Thinking?

Platform Thinking is building an extensible and scalable capability platform to better integrate sources of data to produce better information and insights, reduce cost, and leverage automation and analytics to respond more quickly to the evolving sophistication of agile businesses and technology environments to enhance customer service.

Applying Platform Thinking to Governance, Risk and Compliance (GRC)

Benefits
► Enabling an integrated GRC ecosystem that uses data more effectively to develop a comprehensive risk profile.
► Enhancing and linking taxonomies and libraries for digitally-enabled investigative analysis, aggregate and granular reporting, and responsiveness to change.
► Establishing the foundation for a digitally empowered environment that leverages tools as end points to reduce manual analysis.
► Designing and implementing an automated risk monitoring capability and data model that enables risk managers to more quickly identify and respond to changes in risk.

Governance
► Strong and integrated three-lines-of-defense operating model, supported by platform roles and workflows that are designed to adaptively map to changing business models and risks
► Integrated process, risk and control taxonomy linked to customer journeys and aligned with new business models supporting PRC cohesiveness and ability to scale

Risk
► Meaningful connections between data to generate rich, resonant insights through intuitive common digital business platforms
► Risk strategies and analysis aligned to the customer journey, improving the quality and value of risk information

Compliance
► Ability to manage a centralized, normalized framework, taxonomy, policies, processes, risks, controls, assets and data through a comprehensive single-source repository seamlessly addressing multiple compliance, regulatory and business requirements
► Right-time risk identification, automated data collection, integrated risk assessment and near-real-time reporting for risk processes, controls testing, and monitoring

GRC platform thinking capability model

Key Activities and Capabilities

Governance
► Adaptive risk governance that integrates ownership and accountability for risk and compliance across the three lines of defense, leveraging dynamic risk appetite

Risk Management and Compliance Processes
► Real time and automated risk identification and monitoring of changes in risk profile
► Dynamic risk assessment that allows flexibility in customization of risk assessments and ingestion of data from across the environment
► Integrated taxonomy that enables intelligence through relationships of organizational hierarchy, process, risks, controls, regulations, third parties, and systems

Monitor & Report
► Advanced reporting and analytics that empowers management with actionable intelligence to facilitate proactive and better decision making

Enable
► Robust data and architecture strategy that enables automated linkage of data across the enterprise
► Enabling tools and technologies in an integrated GRC platform

Use Cases

1 Business insights
Enabling business insights: identification of upside risks, such as growing customer base and market share, based on changing market dynamics, business strategies, or regulatory drivers

2 Adaptive risk governance
Organize teams around end-to-end journeys with deep expertise in the customer needs, goals, metrics, and the ecosystem of channels, processes, and products to identify emerging and potential risk

3 Real time automated risk identification
Use dynamic indicators (e.g. KRIs, control testing results) and machine learning capabilities to provide real-time transparency to risks and trigger actions (e.g. risk assessment, monitoring)

4 Dynamic risk assessment
Risk assessment results automatically factor changes in control, loss, and issue data or other indicators, prompting risk owners and managers to re-evaluate

5 Robust data strategy
Build a data lake to enable risk management capabilities through housing relationships between various data sources and enabling reporting. Automated reference data management allows data structure or compliance rule changes to automatically propagate through GRC infrastructure

6 Tools and technologies
Use predictive analytics through next gen capabilities and data analytics (e.g. machine learning, AI, cognitive design) to produce highly customized and interactive dashboards for the business to understand emerging risks to address within their business lines

Benefits of an integrated GRC platform and data architecture

Value of an integrated GRC ecosystem
► Enables a Process, Risk and Control (PRC) framework (e.g., taxonomy and risk data) and common assessment methods that can adaptively map to a changing business structure to support Risk, Compliance and Internal Audit activities
► Defines your risk profile (combining different risk activities from different risk functions) and focuses management on risks that matter
► Reduces duplication and associated costs and creates a consistent tool-based approach as it relates to managing risks and enhancing the control environment
► Improves risk data, analysis/effective challenge and value-add from risk functions to business, enabling informed risk-taking and decision making along the customer journey
► Supports the identification, monitoring, mitigation and reporting of Risk, Compliance and Internal Audit activities across an organization
► Integrates reporting through standard reports, data export features, and configurable dashboards
► Saves time and resources from the retiring of legacy and inefficient tools and approaches

Value of future state data model
► Facilitates risk assessments, testing/monitoring, issues management, and reporting across the 3 lines of defense
► Investment in data architecture (e.g. Shared PRC) and governance establishes the foundation for a digitally empowered and robust risk management environment
► Cost savings may be realized from removing duplications, decommissioning legacy systems, and optimizing technologies (e.g., cloud, advanced analytics)
► Value is unlocked by developing analytical capabilities that enhance risk management and enable more business insights and decision-making (e.g., dynamic risk ID, risk based pricing)
► Business growth is enabled by integrating risk and business functions for improved business intelligence and agile risk management that increases competitive advantage

A platform is needed to enable digital products, processes and capabilities with common data

Today: each risk stripe (Compliance, Operational, Credit, Liquidity, Market, …) maintains its own data, processes, policies and reports.

Target: Common Data, Products, and Processes on a single platform.

Sample Use Cases: Adaptive Risk Governance; Regulatory Inventory / Rule Mapping; Risk Enabled Review; Dynamic Customer Profile; Dynamic Risk Assessment; Credit Bureau Reporting Compliance; Advanced Reporting; Sales Practice Review; Risk Management in Three Lines of Defense; Robust Data Strategy; Agile Collaboration; Risk Analytics and Performance Mgmt; Risk Management, Compliance Monitoring, Retention and Resolution; Digital Product Development Governance; Fintech / Third Party Risk Management and Monitoring; Privacy, IT, Cloud, Cyber, and Data Risk Monitoring; Real time and automated Reg Mapping and Risk ID, Assessment and Monitoring; Compliance and Risk TOM and Technology Strategy.

Platform data elements (labels recovered from the figure): Monitoring Results; Risk Assessment Results; Testing Results; Existing and New Products Terms and Conditions; Product Pipeline; List of Systems; News (Consent orders, MRAs); Internal Project Status; Employee Info (Team Members, KYE); Customer Info (KYC); Org Structure; Training Data; Transactions; Policies and Procedures; Agile Scrum Boards; Regulations; Market Info; Third Party Contracts; Risk Case; Internal Audit; Management; Reports; Results; Issues.

Example of how transforming the GRC platform enables the risk management lifecycle

New product approval (repeated for product signoff), followed by ongoing monitoring of upside and downside risks (i.e. profitability model of credit worthiness).

Today: Product/service vision → provide product info to different risk teams → Credit, Ops, Compliance and Market each identify risks/controls separately → Requirements documentation → Design & Develop → Multiple manual approvals → Release → Manually research multiple SOR systems: Origination (credit scores), Servicing (txns), Collections (defaults).

Target: Product/service vision → MVP Def’n → Feature Def’n → Input features in GRC → Enhanced taxonomy automatically IDs risks and controls → Sprint Planning → Design & Develop → Test & Deploy → Consolidated approvals → Release → Automated ongoing monitoring, with different data already accessible in one platform and risks and controls already having been identified.

Use case

GRC Platform Build through an Integrated Risk Transformation

EY supported a US financial services organization in the development of a GRC platform which leveraged an integrated approach across all risk functions to help eliminate redundant activities and manage risk across the organization.

► Significantly fewer FTEs than competitors
► Reduced licensing and administration costs through platform consolidation
► Integrated assessments of the business units
► Automated reporting leads to on demand executive dashboards, with no dedicated FTEs required to produce

Client investment drivers
The client wanted to capitalize on industry trends and create a transformational and comprehensive risk management program. A key priority was to ensure risk functions were aligned, eliminate redundant activities and prevent assessment fatigue for the first line of defense. The client required assistance in re-designing foundational elements of a risk management program, design of key processes, re-design of their internal control environment, and support for ongoing management reporting of top risks.

Action Taken
We deployed a cross-functional team to build an integrated risk management solution. We leveraged coordinated efforts across all functions to eliminate redundant activities (i.e. multiple risk assessments) and increase collaboration and leverage across functions. The client successfully designed and operationalized integrated processes in an integration solution.

EY’s value add to the client
EY helped deliver and integrate risk functions across the organization in a cost effective manner. EY worked with the client across all three lines of defense to hit multiple objectives, reduce redundancy and increase effectiveness of the risk program through a common eGRC platform leveraging consistent methodology.

Integrated Solution & Outputs

Risk Governance
► Enterprise wide risk strategy & roadmap
► Integrated operating model
► Integrated eGRC platform

Operational Risk
► Common risk management methodology
► Process, Risk and Control (PRC) taxonomy
► Integrated risk assessments

Third Party Risk
► Vendor control assessment questionnaire
► Third party assessment execution

IT Risk
► Technology focused risk assessment
► Cyber / IT Risk

Financial Risk (Liquidity, Market, Model & Credit Risk)
► Framework and program development
► Policy and procedures
► Stress testing

Figure: Risk Governance, Operational Risk, Third Party Risk, IT Risk, Financial Risk and Corporate Risk surrounding Metrics and Dashboards.

Evolution of GRC platform maturity

GRC platform maturity is measured by an organization’s integration and alignment of GRC data, functions, and outputs to support strategic business goals to create value.

The need for transformed risk and compliance management and alignment across the organization has driven companies to build more integrated GRC ecosystems.

Note: The journey to build an integrated and aligned GRC platform may take 2-3 years depending on the size and complexity of your organization. Further enhancement to optimize value and meet longer term goals may take up to 5 years to fully realize.

How to get there?
Year 0-1: Identify key user requirements and transformation strategy for the GRC platform of the future; define operating model; develop roadmap
Year 1-2: Implement GRC platform; refine strategy and operations, automation and training
Year 2-3: Align risk management processes and taxonomies; implement risk analytics and reporting; enable decisions
Year 3+: Unified data, advanced analytics, enhanced processes and business goals automation, alignment to strategy

Maturity stages

1 Silos (Multiple GRC platforms)
► Each risk organization acting independently
► Duplication of effort
► Limited technology enablement or use of multiple tools across GRC programs
► Difficult to produce enterprise-wide risk, compliance, and audit reports
► Manual processes in risk management lifecycle

2 Alignment (Consolidated GRC platforms; reduce number of GRC technology platforms; GRC platforms aligned through common taxonomy)
► Alignment of risk management, compliance and reporting processes
► Integration of policy, process, risk and control (PRC) taxonomy and regulations applicable to new or existing products or features
► Implementation of GRC platform to integrate across the enterprise
► Some consolidation of policies, risks, controls, and testing
► Some processes are unified across the three lines of defense
► Ease in generation of GRC reporting

3 Integration (Common GRC platform, taxonomy, data strategy and automation layer; PRC taxonomy fed by policies and issues)
► Integrated GRC operating model
► Implementation of real time risk analytics in a GRC platform providing better risk reporting and trending
► Using risk data for better decisions

4 Strategic goals & value creation (Analytics and automation; analytics layer for automation & strategic decisions)
► Unified platform with common data strategy and automated data collection
► Alignment of GRC projects with enterprise strategic goals
► Value creation from analytics & dashboards for better risk management
► Use of data mart for handling of big data and risk aggregation

Taxonomy elements shown in the figure: Process, Risk, Control, Policy, Regulation, Issues.

Recommended actions for quick wins

Immediate Steps (Mapping and Definition)
• Identify pilot projects or areas for GRC Platform assessments
• Define the desired future state common PRC Taxonomy model for adaptable categorization of processes, risks and controls through a common integrated platform
• Aggregate current state risk activities from various risk functions and then refine to define the most valuable insights that will drive future state risk profile models
• Determine the requirements and functionalities of the common integrated future state risk management and control platform
• Identify and map common product and risk datasets across the lines of business for future linkage and integration
• Identify and map common mitigating controls, reports, and policies across Risk, Compliance and Internal Audit activities
• Define desired executive-level risk reports and dashboards
• Identify the ineffective legacy tools and manual processes performed across risk management activities

Progressing Steps (Integration and Alignment; Analytics)
• Test the new platform operating model and develop a road map for integration:
  • Train team on new/updated processes and controls for the pilot projects or area
  • Formulate strategy for systems architecture and data strategy (data lake, micro-services)
  • Define strategy for a central risk data repository
  • Plan integration/adoption of enterprise data repository including integration tests
  • Expand taxonomy to include regulation/product/process/portfolio to drive linkages across risk data
• Begin alignment of risk and control processes and systems across 3LOD through implementing common integrated:
  • RPA tools to perform repetitive and manual work supporting risk
  • BI tool to connect disparate datasets and enable dynamic insightful report generation
  • AI and ML solutions to enhance management of risk data elements (i.e., meta-data) through smart monitoring and reporting

Appendix

Three lines of defense integration for common GRC platform

1 First line (operations and business units): first-line management is responsible for identifying and managing risks.

2 Second line (management assurance): second-line groups are responsible for ongoing monitoring of the design and operation of controls in the first line of defense, as well as providing advice and facilitating risk management activities.

3 Third line (independent assurance): third-line groups are responsible for independent assurance over managing of risks. This line includes internal audit, external audit and some regulators.

Figure labels: Identification and management of risk-related information; Risk optimization; Monitoring of control design and operation; Management reporting; Independent assurance.

A common GRC platform enables integration across the three lines of defense:
► Data is compiled into a normalized policy, risk and control matrix spanning the enterprise
► People perform roles within a process shared across the risk organization
► Technology enables the process and exposes the risk posture of the enterprise to management
► Management utilizes risk related information in their decision making

Technical Considerations underpinning GRC Platform Development (18-24 months)

GRC programs are supported by enterprise GRC technology systems that encapsulate the three lines of defense, along with additional functionality, in a single application. GRC technologies offer a common data library, process-specific functionality and common functionality. GRC technologies provide a central point of management and a single point of truth. Our methodology brings together a multi-disciplinary functional & technical team, combined with agile delivery capability.

GRC technology components (figure)

Process-specific functionality: Enterprise risk management (ERM); Policy; Vendor; Information technology risk management (ITRM); Audit; Compliance
Common data library: Policies, risks, controls, assets, vendors, evidence, issues, processes, etc.
Common functionality: Reports; Dashboards; Interfaces; Issue management; Security; Development

Delivery approach (under Governance and PMO)

GRC Tool Selection
Select GRC to enable more efficient risk management capabilities. Activities performed:
► Scoping
► Conduct requirement workshops and issue RFP
► Create Use Cases
► Vendor demos and selection

Risk Alignment
The approach below ensures transparency and agreement for risk alignment in preparation for GRC tool implementation:
► Perform current state assessment
► Develop future state vision
► Document and design aligned risk taxonomies, rating scales and key risk processes

Solution Implementation
Functional and technical implementation using an Agile methodology:
► Preparation
► Product Backlog
► Sprints - Iterative Design & Build
► UAT Testing
► Rollout

Training and Transition Support
A blended approach to learning engages with the target audience and meets objectives:
► Organize training documentation
► Knowledge transfer to trainers

Post-production Support
Ongoing post-production support after the implementation of each module:
► Manage the change request and enhancement process
► Interact with vendor as required to resolve technical issues, etc.

Thank You
EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services.
The insights and quality services we deliver help build trust and confidence
in the capital markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a better working
world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member
firms of Ernst & Young Global Limited, each of which is a separate legal
entity. Ernst & Young Global Limited, a UK company limited by guarantee,
does not provide services to clients. For more information about our
organization, please visit ey.com.
© 2019 EYGM Limited.
All Rights Reserved.
EYG no.XXXX00
ED None
This material has been prepared for general informational purposes only and is not intended to
be relied upon as accounting, tax or other professional advice. Please refer to your advisors for
specific advice.

ey.com
