We have seen a number of clients and industry associates tendering their arrangements for Governance, Risk and Compliance (GRC) systems over recent years, and this trend seems set to continue well into 2020.
A number of institutions are looking to replace and uplift their existing GRC system solutions, while others are in the process of implementing a GRC system solution for the first time, having relied on manual spreadsheet approaches in the past. Interestingly, the use of a GRC system solution to date does not always appear to be correlated with scale and complexity, but can be influenced by a range of other factors such as budget constraints, risk and compliance resourcing, management philosophy and strategic priorities.
It is also important to note that the choice of whether or not to implement a GRC system solution does not necessarily correlate with the quality of risk and compliance outcomes; it is often the way in which the selected approach (i.e. system-based or manual) is implemented that shapes the risk and compliance culture and drives the outcomes in practice.
Breadth of Functionality
When evaluating the pros and cons of implementing a GRC system, and comparing the alternative offerings available in the market, there is a lot to consider in terms of breadth of functionality. Some of the key modules available within various systems include:
* Policy document repositories.
* Conflict of interest registers.
* Outsourcing / procurement registers.
Enterprise Risk Management
* Risk registers (inherent / residual) and risk profile maps.
* Risk control registers, attestation tracking tools and control effectiveness reports.
* Risk appetite and tolerance tracking tools and reports.
* Obligations registers.
* Compliance control registers, attestation tracking tools and control effectiveness reports.
* Breach, incident and near miss registers.
* Complaints registers.
* Occupational health and safety registers.
Reporting / Analytics
* Dashboard / overview reporting aligned to various user profiles.
* Summary / detail reporting per function (e.g. risk reporting).
* Reports that are suitable for providing directly to executives / committees / the board without alteration.
Automated Feeds of Compliance Obligations
An important consideration in evaluating the benefits of utilising a GRC system solution and selecting a preferred provider is the availability of an automated feed of updates to compliance obligations for the relevant organisational structure and operating sector(s).
There is a substantial amount of effort and resourcing commitment involved in the development and maintenance of compliance obligations registers, particularly in the current environment of escalating compliance requirements. As such, the availability of standardised and pre-vetted registers of compliance obligations that can be reviewed for application in the circumstances of the relevant entity, and updated via review of automated feeds, can be incredibly beneficial. This allows the organisation to progress with other strategic, risk and compliance priorities, while having comfort that the basic system infrastructure for managing business-as-usual legislative and regulatory compliance is in place and operating effectively.
Protecht and Triline GRC are two GRC systems frequently used in the Australian financial services market, both of which provide optional automated feeds of compliance obligations from Lexis Nexis. Cammsrisk similarly offers an option for an automated feed of compliance obligations from Lexis Nexis, as well as the opportunity to integrate the GRC system with strategic planning and project management modules. Mercer’s ExtraTextual also offers an option for a live feed of compliance obligations, but the scope is limited to the superannuation and managed investment scheme sectors.
Some advanced GRC system solutions, such as RSA Archer and OpenPages, do not offer automated feeds but may be selected by large organisations on the basis of their other progressive features. A sufficient amount of financial and human resources is required to cover the relatively high licensing costs of these systems, as well as the manual population, implementation and maintenance of the various modules, including the compliance obligations registers.
A range of other systems are available in the market, each of which offers different features, functionality and support options, including the following, which are more frequently used and considered in the Australian financial services market:
* CRS Certus;
* Guardian ERM;
* ReadiNow GRC;
* SAI Global SAI360; and
Some institutions are continuing to utilise internally developed systems, which bring with them their own unique pros and cons relative to the various off-the-shelf options.
Further Development Opportunities
Based on our work on various GRC system related projects with clients and discussions with industry associates, there are a number of opportunities for the further development and enhancement of the GRC system solutions currently available in the market. These opportunities include:
* Enhanced risk appetite and tolerance tracking tools that can be integrated with internal data collection and reporting systems.
* Improved reporting capabilities, with greater functionality for the specification and tailoring of custom reports by internal users on a more intuitive basis, without the need for intensive system provider support.
* Refinement of various system settings, processes and functions to be more user friendly, including the availability of greater optionality to provide for ease of fit to preferred operating models of different organisations.
* Improved graphic design of user facing screens to reflect a more modern, dynamic and engaging style.
Further, separate systems are typically used for the following functions, but have the potential to be integrated into consolidated GRC systems in the future:
* Repositories of Board / Committee agendas, papers and minutes.
* Administration of circular resolutions.
* Repositories of executive accountability maps and attestations.
* Risk and compliance training modules.
In addition to the initial and ongoing licensing fees for the GRC system and subscription fees for the automated feed from Lexis Nexis (where relevant), there are also resourcing requirements and related costs associated with the specification and roll-out of GRC systems across the business. The key activities that are necessary for the implementation process include:
* Specification of system settings based on existing business processes, where possible.
* Population of registers from existing manual records.
* Review and specification of automated compliance obligation registers, where available.
* Development and population of compliance attestation questions.
* Identification of owners for various risks, compliance obligations and controls.
* Training of selected risk / obligation / control owners and other intended system users.
The engagement of relevant personnel from the first line of defence in the process of rolling out a new GRC system is critical to the success of the system and of the risk and compliance frameworks in practice, irrespective of how well any particular system may meet the business requirements. Executives and staff need to engage proactively and frequently with the GRC system solution, in order to ensure the accuracy of data inputs and the timeliness of actions taken in response to aggregated summaries and status reports. User briefings, training sessions and reference guides are all important mechanisms to help facilitate this process.
Once the initial implementation phase is complete, the risk and compliance functions need to retain a sufficient focus on ongoing maintenance of the GRC system and integration of the GRC system into business practices.
Hall Advisory has strong credentials in the deployment of various GRC systems, including the specification of system settings and content, population of data inputs, identification of individual owners, tailoring of reporting tools, development of training and reference materials, and facilitation of line 1 engagement sessions. Leveraging our background in system implementations, we are also well-placed to assist in guiding your considerations in tender and selection processes for your GRC solution.
Please get in touch if you’d like to discuss further.