Protiviti has produced a series of podcasts on GRC programmes and technologies in which we obtained perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets. In this episode, we talked with Ivan Torres, a Director with Protiviti’s Technology Consulting group. Ivan, who is based in Mexico City, offers his views on GRC trends in Mexico and in the organisations he works with.
Well, thank you. Well, we have seen that the need to perform internal risk management, internal and regulatory compliance, and internal audit on a single technological platform drives the organisation to search for and assess tools. Software, of course, like GRC tools, could support this need, even when the organisation is just starting with the implementation of internal risk management, and also for those who already have it for one or for many support areas like internal control, compliance, risk management and internal audit, with or without separate systems.
There are business cases where organisations want to start with the first efforts of process documentation and to identify their risks in the different organisational processes, anticipating the needs of management, the effort that it will represent in the short and medium term, starting at this moment, and all of the history that must be available for statistics and compilation purposes.
Another driver we have seen is that the banking industry, with its regulations, needs to have documentation and compliance management in place and to have all the information available for reporting purposes and for following up on the commitments that they establish with the authorities. Another driver that we have seen is that industry standards also require a risk management focus on the standards that they have to comply with. Also, the corporate governance areas that require assistance are internal control and internal audit; organisations want to automate their functions through the GRC systems. Another one is that vendor risk management is also needed in the organisations that want to comply, and to document all of the support for those standards and regulations.
Finally, for the internal control, internal compliance and internal audit areas that are already operating and want to document their follow-up, they identify the gaps or findings through the integrated system and want to manage the action plans to strengthen internal control and remediate those improvement opportunities identified.
Organisations are looking to implement and establish a common language for risk and control management that leads to an adequate basis, and the professional staff, to start with business management based on those risks. Making the process owners responsible for their own risks and controls is also something that is happening in organisations that are looking for risk management and corporate governance implementation.
For those organisations that already have advanced risk and internal control management, with or without a GRC tool, the stakeholders and senior management need to generate or obtain data for decision-making and for prevention. As I said above, an innovation for the processes of gathering or having information, like dashboards and online reports, makes the organisation look for business intelligence solutions that could be fed by their current information systems.
Well, the Protiviti Governance Portal is the GRC tool that Protiviti has to integrate the functionalities the three lines of defense need in order to manage, document, report, and follow up within the organisation. So, internal audit, internal control, policies and procedures management, and risk management are the most common functions to be automated through these GRC tools.
Through the GRC tools, the organisation is able to keep all organisational risk management up to date and provide an integrated system to support the compliance areas’ functions and, at the same time, interact with the process owners. Also, through these GRC tools, it is possible to give the process, risk and control owners the responsibility for managing their own information. So, the compliance business areas are also able to perform and document all the assessment information they need to generate, and to present results based on the business areas’ responses, since all the information is available in the same system that supports the three lines of defense.
Well, it is common to find that a common risk language is not present in the organisation. That means that there is not an adequate risk identification and assessment process that drives the company to comply with the business strategy and objectives. Sometimes, the internal areas, like risk management, internal control, quality assurance and compliance, each have their own risk and control matrix for the same process, with different points of view, approaches and criteria for the same risks.
So, we can say that the budget for prevention is not easy to get in organisations. GRC tools help to manage and monitor the organisation’s risks, but acquiring a tool that represents an investment for the entire organisation is the key challenge, since most of the time the need and the effort come from just one area, and it is hard to convince the board or CEOs that those systems will help or make a difference for the current area functions. When the area that needs the tool has good sponsorship to get the support and the budget for the tool, and gets the other business areas to join the effort, it is easier to get the approval and the tool, since integration into a single platform could represent a good investment.
Another challenge that we have identified is that there are some organisations that see the internal control and internal audit areas as the responsibility of the risk organisation, when the truth is that each process owner is responsible for their own risks and controls, while the compliance areas can focus on safeguarding the important assets of the business.
Regarding customer engagement through automation of the action plans, the reviewers are notified via email based on follow-up and due dates, and receive a notification when an action plan is overdue, with the option to escalate. Therefore, the system leads to interaction within the same system; the progress of their action plans is updated, and they can be closed once the evidence and the support for their resolution is complete.
The risk and compliance function plans and schedules its reviews based on the current system data, information updated by the owners and assigned to the staff, the auditors, who prepare a time and cost budget for each review. Once the review is in progress, management and the evaluated areas can access the system to know the status and to obtain different reports.
The system also provides the functionality so that the auditors and the auditees can interact through the same system until their findings and action plans are resolved. For digitising products and services, we can say that, through the self-assessment functionality the system has, the organisation is able to manage the periodic assessments that corporate governance management requires, such as risk assessment and control self-assessment by the process owners, through a digital questionnaire to collect their responses, while at the same time the recent controls are updated in their electronic control matrix in the system.
Also, through those questionnaires, the compliance areas can review the evidence provided by the owners and generate reports to get an overview of the recent control status based on the questionnaire answers, in order to identify and define the scope for their compliance reviews and to determine action plans for those risks and controls the owners need to work on. The other functionality of the digital questionnaire is to distribute documents such as policies, procedures, codes of ethics, and updates to industry standards and regulations, and to obtain digital evidence of their acceptance and acknowledgement.
With custom dashboards based on the different data integrated into the same system, organisations can access up-to-date information that is managed by the owners around internal control and risk management, and those dashboards provide a drill-down option to obtain the details. For example: Where are those high risks? What are those ineffective or untested controls? Who is responsible for the action plans that are due? What is the audit plan status? What are the most critical findings, or the responsibilities and due dates of their action plans?
Finally, regarding operational performance, we can say that some organisations that want to use technology such as RPA first need an internal system where they can store the test results, since most of the time they use Excel files and shared drives, and this could represent extra work for the organisation in driving evaluations, workflow, reporting and remediation based on the bots’ results. This is something that the GRC tool provides to organisations.