Governance, Risk And Compliance (GRC) Software Business


Governance, Risk and Compliance (GRC) software: business needs and market trends

David Cau, Director, Business Risk, Deloitte

The importance of a holistic view of risk and compliance issues, and the difficulty of achieving it, is often recognised as a weakness for many organisations. As an indication that significant improvements may be required at many organisations, the recent Deloitte Global risk management survey (eighth edition) reveals that, when asked about the capabilities of their data strategy and infrastructure, no more than one-third rated them as extremely or very effective in any area.

As an organisation progresses in developing its risk management, internal audit and compliance practices, the issue of investing in an automated solution to improve efficiency will arise sooner or later.

Tools for governance, risk and compliance functions

First of all, it is important to clarify the concept of GRC. Although various definitions do exist, the definition proposed by Nicolas Racz, Edgar Weippl and Andreas Seufert in their recent research paper ‘Frame of Reference for Research of Integrated Governance, Risk & Compliance (GRC)’ provides a rather comprehensive view of the concept. In this paper, GRC is defined as “an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness”.

The primary purpose of GRC software is therefore to automate much of the work associated with the documentation and reporting of the risk management and compliance activities that are most closely associated with corporate governance and business objectives. The primary end users include internal auditors and the audit committees, risk and compliance managers, and accountable executives. The key functions of GRC software are usually the following:

• Audit management functions that support internal auditors in managing work papers, scheduling audit-related tasks, time management and reporting
• Policy management features that include a specialised form of document management that enables the policy life cycle from creation to review, change and archiving of policies; mapping of policies to mandates and business objectives in one direction, and to risks and controls in another, as well as the distribution to and attestation by employees and business partners

• Compliance management functions that support compliance professionals with the documentation, workflow, reporting and visualisation of control objectives, controls and associated risks, surveys and self-assessments, testing and remediation. At a minimum, compliance management will include financial reporting compliance (e.g. SOX compliance), but it can also support other types of compliance, such as industry-specific regulation (e.g. ISO 9000) and compliance with internal policies
• Risk management functions that support risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualisation and remediation of risks (as defined in ISO 31000). This component focuses generally on risk and incident follow-up, but may also collect data from risk analytics tools (Credit Risk, Market Risk, etc.) to provide a consolidated view of risks

The GRC software market: the business need

Most organisations are aware of the need for a significant improvement in the way they manage their risk, internal audit and compliance functions through better automation of data and information. As illustrated by an OCEG survey, 85% of companies interviewed are convinced that they would benefit from integrating the use of technology for their GRC activities. The need for a GRC technological solution is there, but the question remains: which technological tools will be able to provide the appropriate solution?

In the eighth edition of the ‘Deloitte Global Risk Management Survey’, organisations cited a number of concerns about their risk management information technology systems (Figure 2). Among the main concerns addressed is the ability of organisations to easily upgrade or revise their risk technology systems: 78% of companies are extremely, very or somewhat concerned about their ability to adapt to changing regulatory requirements, as well as about the lack of flexibility to extend the current systems.
Related to this issue, 75% of organisations are extremely, very or somewhat concerned about a lack of integration among systems, and 63% of organisations have issues with an inability to integrate risk analytics from multiple risk systems. Many organisations maintain different information systems for specific products or geographies, sometimes due to past acquisitions, and it can be difficult and expensive to combine their output or else to replace them with an integrated information system.

Moreover, the pace of regulatory change has put the emphasis on the ability of organisations to have risk systems that can respond quickly to new requirements. This appears to be a concern especially for larger institutions: 40% of large institutions said they were extremely or very concerned about the ability of their risk technology to respond to new regulatory requirements, as did 44% of mid-size institutions and only 12% of small institutions.

Some of the other top priorities for investment include risk analytics and risk reporting: risk analytics (53%), real-time risk monitoring (51%) and risk dashboards (44%).

But the fastest growing business need relates to risk data quality and management, with 79% of institutions at least somewhat concerned, including 40% who are extremely or very concerned. Creating consistent data standards is a challenge for organisations, which often source data from multiple locations with incompatible data formats. Further, departments within an organisation may not realise that they both have a relationship with the same counterparty, as each may do business with a different business unit or subsidiary.

Figure 1: Would your organisation benefit from integrating and streamlining use of technology for GRC activities enterprise-wide? (Yes: 85.6%; No: 14.4%)

Figure 2: How concerned is your organisation about each of the following issues for its risk management information technology systems? (Bar chart of the share of respondents extremely/very concerned and somewhat concerned for: risk data quality and management; high cost of maintenance and vendor fees; risk technology adaptability to changing regulatory requirements; lack of performance for more frequent and timely reporting; inability to respond to time-sensitive and ad-hoc requests; inability to integrate risk analytics from multiple risk systems; constraints in aggregation and reporting of risk analytics; lack of product and asset class coverage; inability to source required functionality from a single vendor; inability to capture increasing volumes; lack of aggregation of trading and banking books; lack of cross-asset-class risk calculations; out-of-date methodologies; lack of integrated risk and finance reporting for economic …; lack of flexibility to extend the current systems; lack of integration among systems.)

The GRC software market: the offering

Market overview

The GRC market as defined by the technology industry is about 10 years old, and buyers have high expectations for the performance of GRC software.

Up to now, from a technical perspective, organisations have generally opted for risk management systems installed in-house, whether developed internally or by vendors, rather than hosted externally. Indeed, according to a recent Deloitte survey, roughly 40% of organisations said they were likely to make a major investment over the next 12 months. Among these organisations, 45% were considering internally-developed applications, while 41% would rather opt for third-party vendor applications installed in-house. Third-party vendor applications hosted by a vendor (20%) were cited less often as a target for major investment. Data privacy concerns around confidential information being hosted off-site may well be a reason this last approach seems to be adopted less often.

The GRC software market is dominated by key players like IBM, RSA Archer, Thomson Reuters, SAP or Oracle. Deloitte has established strong strategic and technical alliances with these key players in order to better serve the clients that have opted for this software. But the market still offers a significant place to niche players (e.g. MetricStream, Sword, Checkpoint, Mega and Aris). Moreover, the GRC market seems to be thriving, as more companies realise that they pretty much have to invest in this area, and so the market landscape might rapidly evolve as a result.

It is important to mention that this market segmentation is more a question of size of vendor rather than a significant price differentiation.
Price is key: the business case for GRC software is often strongly questioned, budgets for GRC software are often limited in most companies, and licence fees or, more globally, the Total Cost of Ownership (TCO), namely the cost of development, implementation, licence fees and maintenance of a GRC solution, are usually similar.

Most of the recent market studies forecast an annual rate of increase of 10% over four years. Indeed, toward the end of 2011, after the market had grown 18% in 2010, Forrester Research data suggested a CAGR of 14% or so through 2015. TechNavio, for its part, has recently forecast that the global GRC software market will grow at a CAGR of 9.2% over the period 2012-2016, driven by “increasing demand for comprehensive solutions”, which seems to favour the biggest players in the industry, such as EMC, IBM, Thomson Reuters and the big ERP players (SAP and Oracle), though it is worth mentioning that projected growth rates in previous years have been even higher.

A strong consolidation, with a shift from best-of-breed players to well-established vendors, will also be a key market trend. This consolidation trend will be driven by the need for greater investment in complex risk analytics to face the ‘big data’ problem of the vast majority of organisations.

Differentiation today is also about the ability to deliver against multiple use cases and provide advanced risk management functionality, with analysis of the impact of risks on strategic objectives and business performance, domain expertise in multiple highly regulated industries, ease of use (including mobile capabilities) and configurability.

GRC software market view in Luxembourg

The GRC software market is still emerging in Luxembourg, but the situation is rapidly evolving and differs among sectors.

In Luxembourg the banking sector is already well equipped with various niche solutions, each covering one specific aspect of risk (market risk, credit risk, operational risk, liquidity risk) and compliance. This sector is facing the issue of a lack of integration of its various solutions and has difficulty in migrating or integrating the various applications into an overarching structure. However, the recent CSSF circular 12/552 is already contributing to the development of the GRC market, as this new regulation recommends more and more efforts on common governance of risk and compliance issues.

Investment management, a key sector in Luxembourg, is up to now significantly underequipped with GRC software. The main reason seems to be that the investment management sector is highly fragmented, with various actors who are still overwhelmed by the operational management/set-up of regulations such as AIFMD or EMIR. Moreover, it has to be said that the vast majority of GRC players are not offering the appropriate solutions to this sector: both the pricing models and the key features proposed by GRC vendors are not yet fully adapted to this market.

The insurance sector is increasingly interested in GRC solutions, but either local players are part of international groups and have to use (or wait for) the corporate solution, or they are small and cost is often perceived as a key hindrance to the implementation of GRC software.

The industry and public sector is increasingly ready for and interested in GRC software, and is generally starting its GRC project with the implementation of an operational risk application/module.
New regulations such as REACH, CLP or quality-related recommendations are also pushing the industrial sector to enhance its holistic approach to risk, internal audit and compliance.

Key trends affecting the GRC software market

The functions of GRC software are evolving on the basis of several trends, which include:

• A growing need for internal audit features as organisations face increasing regulatory requirements, GRC oversight and demands for more business performance audits
• An increasing need for regulatory content services and change management to deal with regulatory proliferation. In the aftermath of the 2008 global financial crisis, GRC has to support the transparency objectives of regulators and decision making by business leaders. Currently the regulatory focus of the software is on anti-corruption and bribery
• The development of risk analytics to support integration of risk management and performance management
• The emergence of third-party risk management to ensure that third parties do not present unacceptable compliance and risk
• A focus on operational technology and critical infrastructure protection, which increases the variety and volume of risk and control data (‘big data’ management)

GRC software selection

Usual approach: vendor selection based on ‘quadrants’

Most companies that are opting for third-party GRC software tend to base their GRC software selection on GRC market ‘quadrants’ analysis, mostly performed by Gartner and Forrester. Instead of simply showing statistics or ranking companies in lists, GRC market ‘quadrants’ use a two-dimensional matrix to illustrate the strengths and differences between vendors.

The most common criteria used by these quadrants are the ability to deliver GRC functions (audit management, compliance management, policy management and risk management) and a credible presence in the marketplace (an existing enterprise GRC client base, a growth strategy and brand, support capabilities, a strategy for and investment in continued innovation in GRC solutions and related products, geographical reach and financial strength).

However, these quadrants may lead companies to limit their GRC tool selection process only to the vendors mentioned in the quadrants, or even to consider only players from the leaders’ quadrant and to initiate their choice only from an IT standpoint, rather than also considering the business needs.

Deloitte holistic approach

The key driver for the holistic approach to a GRC software selection process is the agnostic position of Deloitte regarding technological solutions. The main purpose is to find the solution that gives the best value for money for clients. Deloitte uses a well-proven methodology that will guide the client through the evaluation process for software options, allowing the client to make a decision based on a sound analysis. The selection process generally encompasses seven phases (as illustrated in Figure 3).

It will be important to start a GRC selection project with a deep analysis of the client’s business needs and context in order to formalise the functional coverage. Then, a clear view of the client’s current IT environment (existing specialised solutions or enterprise solutions such as an ERP) has to be obtained.
These analyses will help to see whether the best option consists in developing a new solution internally, buying a packaged solution or opting for a best-of-breed solution. These reviews will also make it possible to evaluate whether, given the current situation, the implementation is realistic. If the best option identified consists in the implementation of a third-party/vendor solution, it will be necessary to see how the best solution on the market can be identified from the wide range of software currently available. Five key areas of criteria (Figure 4) will make it possible to select a list of potential candidates that will be able to give a live demo (based on specific client requirements). Lastly, price negotiations and final technical adjustment discussions will come into play in order to select the target solution.

Deloitte’s specialists will therefore help clients throughout their selection process, providing specific support when it comes to performing an analysis of requirements, helping to draft calls for tender, conducting research on the software market and offering a selection of appropriate suppliers, or making the final decision through coaching, support and analysis.

In a nutshell, integration is the key idea regarding the current and future situation of GRC software. There is a need for integration of the decision process within organisations. Too often, decisions concerning GRC technical solutions are taken at department level and only cover a specific aspect of the GRC spectrum. There is a need for technical integration, as most companies have to deal with existing solutions. There is also a trend for integration among the GRC solution providers, driven by the need for greater investment in complex risk analytics to face the ‘big data’ problem of the vast majority of organisations. In fact the need for integration is rather logical, as it is the essence of GRC itself.

Figure 3: The seven phases of the selection process (with project management and coaching throughout, and communication of objectives, results and relevance)

1. Scope: validate scope and confirm approach
2. Options: identification of possible software options
3. Support for RFP: definition of selection criteria and support in crafting of specifications
4. Extended list: pre-selection of an extended list of solutions
5. Shortlist: selection of a shortlist of solutions
6. Test and scenarios: test scenarios and demonstrations
7. Final selection: selection of the solution and implementation strategy

Figure 4: Five key areas of selection criteria

1. Functional coverage
• Are the answers regarding specific functions clear, or are they deliberately vague?
• Functional coverage does not perfectly match the expectations

2. Technical architecture
• Is the software available in multiple versions for multiple environments (Windows, Linux, Unix, etc.)? This demonstrates the supplier’s experience working in various technical environments
• Is the solution modular? This will facilitate further development (sustainability)

3. User friendliness
• Design of screens
• Predictive text input
• Number of entries required for the operation
• Level of customisation of reports

4. Costs
• Is the implementation of the solution clearly described (e.g. integration of existing data, time required for setup, time and cost required for the customisation of the solution)?
• Is the cost of consultants that will implement the solution clear (fixed price? travel costs?)
• Is the cost of licences clearly defined?
• What exactly does the maintenance contract cover?

5. Vendor characteristics
• Has the vendor replied in a timely manner? This is a measure of the seriousness of the supplier and available resources
• Does the vendor understand the requirements?
• Are the vendor references comparable? Some vendors have many references in other continents or for other products
• Is the vendor a ‘market maker’ or a ‘market follower’?
