A GRC project on life support recovers with timely intervention and thoughtful collaboration


Change Requested: Analyze a stalled third-party GRC system implementation project and determine a new path for success

Change Envisioned: Provide analysis of program's current state, develop governance model, support processes for execution, high-level implementation & project plan

Change Delivered: New implementation plan proposed, resulting in working, best-practice, sustainable regulatory compliance program & improved client-vendor relationship

The Challenge

When a large global bank undertook an ambitious multiyear governance, risk and compliance (GRC) transformation program to better adapt to the changing regulatory landscape, it set a clear goal: to create a sustainable and streamlined compliance process leveraging GRC technology that pushed automated regulatory updates to end users. The intent was to simplify the user experience and allow the bank to fulfill its regulatory obligations in a shortened time frame.

As part of this transformation, the bank invested many millions of dollars into regulatory content, a third-party GRC technology tool, and implementation services.

But after nearly four years of the effort, this goal was still far from being achieved. Worse, the project had stalled, and the regulatory risk exposure of the bank was growing by the day. Instead of effortless compliance processes, the client was stuck with a poorly designed, unusable system with stale regulatory content and no ability to refresh it automatically.

An early technical design decision to import a large amount of regulatory content without a defined regulatory coverage scope made the system so burdensome it was practically useless. There was a lack of clarity with regard to the project requirements going forward, as well as a lack of appropriate governance and change control processes. Leadership turnover and software upgrade compatibility issues further contributed to the grim picture. It looked like the entire project needed to be scrapped and started over.

The vendor was of the same opinion, recommending a clean restart of the implementation that would extend the project time frame by an additional 17 months.

This was not the advice the bank wanted to hear. In a last-ditch attempt to save years’ worth of resources already invested, and for its own peace of mind, the bank reached out to Protiviti to conduct an independent root-cause analysis on the state of the project and to see whether the implementation could be put back on track.

To get started down the right path, Protiviti conducted workshops with representatives from both the bank and its vendor. These workshops identified root causes of problems across people, processes and technology, and then explored options and drove consensus towards an optimal content solution and implementation road map.

Protiviti prepared a revised and detailed implementation plan that identified key milestones and control gates, established a quality assurance framework, and developed metrics for issue reporting. The time frame for implementation was set at five months — less than one-third of the reimplementation time estimated by the vendor.

The new plan was approved by the bank, and the vendor was given the green light to implement the Protiviti-designed project plan, on one condition: Any unacceptable results at any milestone would lead to termination of the project.

With the decision made, the parties set out on the new course. Realizing that technology is only effective if it supports a sound program and process, the bank worked with Protiviti’s project and program managers and technology, risk and control experts to define a governance model and supporting processes for effective execution of their regulatory compliance program. Both the bank and the vendor were able to tap into the additional support and best practices expertise from Protiviti to establish effective project tracking, risk and issue management, status reporting, and program execution.

Throughout the project, the steering committee, comprised of senior vice presidents from the compliance and IT departments, provided review and approval for each critical milestone in the implementation. Best practices regarding effective project tracking, risk and issue management, and status reporting were established to ensure the project stayed on course.

This heightened scrutiny was critical — not only to ensure the project succeeded but also to obtain continued authorization at each key stage as required by the bank at the beginning of the project.

About five months after the bank approved the project design, the implementation was completed on time and on budget. The vendor successfully developed, tested and operationalized the new content-handling tools and processes according to the Protiviti plan. The restructuring resulted in a significant reduction of content while improving its relevance to end users.

In addition, the new sustainable solution allowed all the client’s business unit and process owners to successfully map regulatory compliance exposures to their areas of responsibility, initiate their respective risk assessments and be informed on an ongoing basis of regulatory updates and changes to their respective regulatory landscape.

Today, the status of the bank’s regulatory compliance program is considered “on the right track” by the steering committee, a long way from the frustrating stalemate where it began. The implementation effort also received the corporation’s “Project of the Year” award for the value it provided.

There is an obvious moral to this story: investment in careful planning and project mapping of any GRC initiative before hitting the “go” button is highly likely to prevent problems such as those that this global bank experienced firsthand. But more importantly, when things veer south for any reason, foreseeable or not, companies can protect the resources already invested by acting thoughtfully and deliberately, seeking a second opinion, engaging the right kind of help and enabling collaboration, all while exercising control at clear milestones to minimize the possibility of wrong turns and to proceed forward with confidence.