Hello. This is Kevin Donahue with Protiviti, welcoming you to a new edition of Powerful Insights. We are producing a series of podcasts on GRC programmes and technologies, obtaining perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets.
This episode features my conversation with Yasumi Taniguchi, a managing director and leader of Protiviti’s offices in Japan. Yasumi-san provides her thoughts and perspectives on GRC trends in her market.
Before I talk about what’s going on now, maybe I can talk about how, in Japan, we see several phases of GRC development. Ten years ago, when U.S. SOX and J-SOX came in as a requirement for public companies, we saw many large organisation allowing SOX projects and implementing SOX tools as a part of GRC. Then, in the last 10 years, major banks and organisations with large audit teams implemented internal audit tools for the purpose of standardisation and efficiency.
Then, recently, we see more interest in ERM, enterprise risk management, with both external factors and internal factors. The external factors are that Japanese companies need to disclose corporate governance to comply with the Japan Corporate Governance Code, which came in three years ago, and the start of ESG investment by the Government Pension Investment Fund has increased the need for disclosure of corporate GRC and actual GRC management.
The internal factor for Japanese companies is that Japanese companies realised that they are exposed more in various risks due to their diversification of business with mergers and acquisitions, and they need to respond to regulatory needs in each country as they globalise, so the risk management department are more active these days. These enhancements of corporate governance affecting internal audit also involves external directors and audit committees demanding more information, and internal auditors need to provide a report in a more timely manner and with more insight to respond to their need. These are what we see as drivers in our market.
In the traditional risk management process, we see many Japanese companies have used the risk self-assessment process to identify risk in the business units. These days, we see conversations that they need to identify risk that is not noticed by the business process owner or the business owner. We see some companies who are starting risk management using AI – artificial intelligence. Some companies have started data-driven risk management and risk identification and have connected various data with KRI analysis and automated data collection and analysis – actually, using a GRC tool or RPA. These companies are in the process of implementing the dynamic risk assessment as a part of ERM.
That is great, and that actually is a good segue to my next question. I wanted to ask you more about tools. What are the key tools that you are implementing in your market?
Well, in Japan, most business activities conducted in the Japanese language, so our natural risk management and internal audit staff are recorded in Japanese. A GRC tool also needs the language capability to handle Japanese in the market, and not all tools that are available in the U.S. or European markets are available in Japan, due to a lack of multiple-language capability. On the other hand, there are some local GRC tools only available in Japanese and only for the Japanese market.
Protiviti is a global firm to support corporate governance, risk management, internal control and internal audit, so we choose and implement the tool, which means Japanese clients need it in Japanese, in addition to their global business expansion needs in English. We actually promote ACL, GRC, with a tool called Galvanize HighBond. Besides Galvanize, there are several multiple language-capability tools like the Protiviti Governance Portal or RSA Archer OpenPages or Teammate. Those are big players and have multiple-language capability. We partnered with ACL GRC with Galvanize HighBond in Japan.
There were several reasons. The first reason is that ACL has been in Japan over 15 years and is very popular for data analytics, so their products are available in Japanese. ACL Data Analytics – now it’s called ACL Robotics – has over 200 Japanese companies as customers. Many of the audit teams are still in the development phase of data analytics and audit, and the Galvanize GRC tool has both data analytics function and GRC functions like managing internal audit and risk management, so we evaluated this Galvanize GRC capability and its potential to bring data-driven risk management and audit in Japan highly. That’s the first reason.
The second reason is that except for large banks or government organisations, risk management teams or internal audit teams in Japanese companies are not that big. We see that about 90% of internal audit organisations are less than 20 people or smaller in Japan. HighBond has Galvanize cloud-based GRC software. It’s designed to integrate governance, risk and compliance, and some drive-strategy changes. With this cloud-based and user-friendly interface, together with the high security standards, we evaluated tools that are about right for the maturity and the size of Japanese companies’ risk management and internal audit teams. That’s the second reason.
The third reason is that with HighBond’s cloud-base capability, the customers in Japan can have the most updated functions and technologies such as digital reporting, BI functions available to global users like the U.S. and other areas. It was because of this cloud capability they’re quick to make such functionality available in Japan in Japanese, so we also evaluated that highly. That’s the reason that we partnered with Galvanize HighBond.
Maybe not only in Japan, but it’s maybe the same in the other countries, but the silos of the GRC players group in the second-line department or third-line internal audit staff in the company may push back the promotion of integrated GRC. When each GRC player promotes its own GRC needs, we see a cause like a duplication of omissions, then it also increases the burden on the first line of defense at the business unit for compliance or in the audit responses. Integrated GRC enables standardisation across GRC players, but it is, at least in Japan, difficult to define and agree that the responsibility is really that of the owner, and actually a tool implementation leader. In the discussion, in the process, that’s kind of hard to define.
The issue is not just a matter of the tool implementation project, but more of maybe organisational culture or organisational design. Politics could be the root cause. Integrated GRC needs strong leadership from the top, as well as the collaboration culture among the GRC players in departments, and that’s how we see it.
Another challenge we see in implementing a GRC tool is that we often find that the organisation may not be ready to implement a GRC tool, because they have not really designed their GRC functional process before they implement the tool. Protiviti has an ERM team and other various risk specialists and GRC tool specialists. In that case, we work jointly with these teams and the client to design their policy and process and organisation as we support the GRC tool implementation. I hope that responded to your question.
Well, digital transformation has many aspects, and one part of digital transformation is like employing data analytics to enable timely and effective data-driven decision-making. Another one is using technology like RPA to improve performance, so these are two areas that I think are close to the GRC programme. Actually, we see that companies that implement data-driven risk management are significantly more efficient than the traditional companies who are implementing your basic risk assessment or risk management. By implementing a more AI- or data-driven risk assessment with the new technology, the risk assessment is improving its accuracy.
In a case where RPA is used together with a GRC tool, we see continuous efficiencies achieved not only at the time of implementation; it connects to other tools. At the point of interfacing with other tools, it’s really also achieving efficiency. With the introduction of a GRC tool, we are hoping the second or third line can share risk information and provide consistent metrics and risk insight, and increase traceability. In the digital age, business is moving quickly, so by integrating and standardising those risk management processes, GRC players can manage the process easier. That’s not only Japan, but also with the extended practises overseas, and it should have timely updates, monitoring regulatory information and compliance status around the world. That kind of information should be available to GRC players.
The GRC tool has risk management capability to monitor various regulatory compliance information and the status through this unified procedure, which would also make the analysis easier and improve the efficiency. We expect to see more that those digital transformation practises would help GRC practises in the future.
Well, thank you very much for the opportunity.
Thank you for listening today. You can find more information and podcasts offering perspectives on GRC from around the world at Protiviti.com/GRC.