Deciding to adopt a GRC platform is one of the most important strategic decisions an organisation makes. The right GRC platform should be able to transform an organisation. Certainly, senior management and boards are keen on successfully managing enterprise risk and improving regulatory relationships. However, GRC programs supported by a technology platform are also able to directly impact the bottom line in important ways.
Implemented correctly, a GRC platform provides high-quality data for decision-making, connects areas of the firm to support better conversations, reduces operational and compliance risk, enhances efficiency, and improves operational resilience. This article explores key ways in which the right GRC technology platforms generate value around the globe every day.
Improve the way data is captured and connected
A fundamental way in which GRC platforms add value is by significantly improving the way GRC data is obtained, stored, and linked. With GRC technology, a firm can:
• Create a single source of GRC data for the whole organisation – GRC best practice encourages organisations to collect and store both qualitative and quantitative information within a single library. This single golden source should house all risk, control, and key indicator data, for example. It can also hold a wide variety of other kinds of GRC data, such as compliance obligations, compliance policies, internal audit documents, and information on operational resilience business services.
• Connect data points to enrich context – Having all of this data in one single place enables GRC teams to make connections, deepen understanding, and develop insights. For example, teams can link audit issues with risks, controls, and internal audit reports. Or compliance obligations could be joined up to risks and controls. Such links enable the firm to better understand how audit, compliance, or operational resilience information relates to other elements within the GRC framework, as well as to risk appetite.
• Enhance GRC data flow – Using a technology platform to collect and store GRC data means that the data can flow faster. For example, a GRC platform enables the business to submit loss event data via online forms, helping the organisation to become aware of a loss event quicker, and react faster. Compliance breach reporting can also be completed by an online form. Organisations are able to track key indicators proactively with automated data via API.
When it comes to GRC data, a technology platform will transform the quality and the timeliness of the information that an organisation has, to better manage risks and improve outcomes.
Automate GRC processes
Once GRC data is in a single place, a whole range of processes can be automated for firms. This saves firms time and money, while also reducing the compliance and operational risks associated with manual processes, often completed in spreadsheets and email. For example, organisations are able to:
• Manage GRC workflow – Most GRC programmes have to organise a range of different workflows across risk, compliance, operational resilience, IT risk and other areas. Having a technology platform enables firms to ditch spreadsheets and email. For example, with all of a firm’s compliance policies in a single repository, policy acknowledgment, attestation, exception management, tracking and reporting can all be automated. Risk framework and internal audit processes can be handled in a similar fashion.
• Monitor alignment with risk appetite and other frameworks proactively – With a GRC platform, it’s possible to operationalise the firm’s risk appetite. Connect the risk appetite to risk and control self-assessments (RCSAs), key risk indicators (KRIs), and other forms of operational risk data. This creates up-to-date transparency around whether the business is staying within its limits. Through alerts, dashboards, and reporting, senior management can see who is approaching their limits and understand who is most exposed from an enterprise risk management (ERM) perspective.
• Sort out incidents and issues – A GRC platform provides a range of tools firms can use to take care of incidents and issues faster and more efficiently. To begin with, by automating the monitoring of key risk indicators (KRIs), firms can set target levels that can then kick off workflow if those levels are breached. Firms can also automate – for example – compliance breach, audit issue, or operational risk loss reporting, with easy-to-use online forms. Once the form is submitted, the platform can kick off a series of actions to begin the remediation process. Actions can be assigned automatically or manually to the business, providing clear ownership for issue resolution. The progress of issues and actions can be tracked in real time through a dashboard configured to the organisation’s needs.
• Embed operational resilience in GRC – A GRC platform can also automate operational resilience processes. For example, the platform can help the GRC team create impact tolerances, by using assessments to identify and understand the potential impacts on business services of an incident. The platform can track actual impacts on business services by using key indicators that can automatically flag the crossing of impact tolerance thresholds, based on API data feeds. Firms can then link risks and controls to the risk appetite, to related business services, and to the resources necessary to deliver those services.
Through these approaches to automating GRC, organisations can detect and respond to operational risk events, compliance breaches, and other incidents with more agility, potentially improving their operational resilience.
Enhance control effectiveness
Organisations spend a significant amount of their revenues each year on creating and maintaining their control environments. The right GRC platform can help firms better understand which controls are delivering value for money. For example, firms will be able to:
• Put a monetary value on risk to support decision-making – With the right GRC platform, firms can calculate net risk, which puts a real monetary value on the amount of risk left after the control framework has been applied. Net risk is computed based on the output of a firm’s risk and control self-assessments (RCSAs). With this information, GRC teams can assign gross losses, control benefits, and potential net losses to individual risk owners across the organisation. This can help senior management and the business see who owns the most risk and who has developed the biggest control benefits, and can open conversations.
• Understand control impact – If a firm has a GRC platform with the right capabilities, it will be able to model the sensitivity of the organisation’s control environment in light of its risk appetite and control appetite. That is, the GRC team will be able to show the business how much money could be lost if a risk materialises, both before and after controls are applied. This kind of analysis also enables the board to relate risk and controls back to the risk appetite.
• Conduct cost-benefit analysis of controls – Identifying the cost/benefit of controls in a monetary value can help the business, senior management and the board better understand which investments to make in the control environment. This analysis can show which controls are more efficient and identify poorly performing controls. GRC teams can rank the best and worst controls within the organisation, by control benefit after cost.
By using GRC technology, firms can make better choices about control investments, potentially reducing losses and costs. This translates directly into improved profitability on the bottom line, and can also help enhance other elements such as customer experience, employee satisfaction, and regulatory relations.
Provide better information to stakeholders
One of the most important benefits of a GRC platform is that it is capable of providing the business, senior management, and the board with significantly enhanced information for decision-making. Firms that have implemented the right GRC platform have found that they are able to:
• Improve the quality and timeliness of reporting – With the right platform, firms can engage with fully integrated BI reporting to create interactive dashboards and reports that will help key stakeholders understand GRC across all three lines of defence. Firms can use dozens of report templates out-of-the-box, or provide configurable permissioning to team members to enable them to design their own with the flexible dashboard creation wizard.
• Calculate regulatory and economic capital – Calculating and allocating operational risk capital to business lines helps to create fully risk-adjusted return on capital (RARoC) values. These can be used to align capital with the organisation’s risk appetite and operational risk framework. In the right GRC platform, firms can also compare regulatory and economic capital charges across multiple user-set business lines and user-set loss event types. This enables senior management and the board to measure business line performance based on capital allocation, and to better understand the relationship between risk and capital.
• Expand horizons with scenarios – Scenarios are an increasing focus for both firms and regulators. Certainly, scenarios can provide the board and C-suite with an idea of “what if” something happened, or a series of events happened. This can help them understand how strategic decisions or potential loss events could impact capital. There are also new ways in which scenarios are being used. For example, a GRC platform can capture important data that can then be used to create and test operational resilience scenarios. By using RCSAs, KRIs, and KCIs as inputs for scenario analysis, firms can both see how potential events would impact the organisation, and link operational resilience back firmly to the overall operational risk framework.
Being able to share improved data with key stakeholders is perhaps the most visible benefit of a GRC platform to the business, senior management, and the board. So, it’s important to select a GRC platform with proven dashboard and reporting capabilities.
Create a connected approach to GRC
In summary, implementing a GRC technology platform can deliver diverse benefits for the business, senior management, and the board. The data that sits within a GRC platform supports better decision-making about controls investment and other issues, and enhances communications across all three lines of defence. Automated processes improve operational resilience, enhance efficiency, and reduce risk. Better controls drive enhanced financial performance, and robust reporting supports decision-making across all three lines of defence, and within senior management and the board. Overall, a GRC platform will deliver a wide range of positive outcomes for firms, with the potential to translate directly to the bottom line.