Hello, and welcome to a new edition on Powerful Insights. This is Kevin Donahue with Protiviti. We are producing a series of podcasts on GRC programs and technologies, obtaining perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets.
This episode features my conversation with Protiviti Managing Director Enrico Ferretti and Associate Director Luca Risi, both of whom are with our firm’s Technology Consulting practice and are based in Milan. They offer their viewpoints on GRC developments and advancements in Italy. Enrico, thank you for joining me today.
What I can see is that in most Italian companies, the size of the internal control functions, which include internal-loaded compliance and risk management, is limited to a few people, scaling from one person in most companies to 10–20 people in the comparatively larger companies. In Italy, only about a dozen of the large organizations can count on tens of people in these areas. This characteristic is reflected in what we see in the GRC tools market.
In fact, the need to support such processes with innovative tools must be balanced with the need to cope with budget limitations that can slow down such investments. We have often experienced that the tools which succeed in the market are those which represent a balanced trade-off between affordable cost and benefits in terms of process automation and functionality improvements. One of the most challenging aspects in the approval of such business cases is the possibility to identify and measure effective key performance indicators that can sustain the benefits introduced and compare them to the cost incurred. This possibility to effectively measure the real return on investment is a key success factor in the market position.
That is a great rundown. Thank you, Enrico. Luca, let me ask you my next question. What challenges are organizations facing when pursuing integrated GRC in Italy right now?
Kevin, it’s surprising, in my opinion, how many organizations are operating compliance efforts in a fragmented or siloed approach. The first crystal-clear pattern that we can observe is that the common approach to GRC based on such processes is inefficient. It’s too manual, siloed, reactive and still relying on spreadsheets, communicating through emails or, occasionally, stored in shared folders. This is what GRC in a typical enterprise looks like, and we can see that there are usually multiple subregulations that an organization must comply with.
When we look at it across all these groups, what we see is that each group thinks it’s completely unique. Each group goes and gets its own tool that is focused on solving its problems, and the result is silos. None of it is connected. People are thinking about “How do I work?” instead of “How do we work?” Since there is no integrated view of the internal control system, multiple areas of process inefficiencies come up.
The second common pattern is that there is a ton of repeated processes within each department, as well as across them, that are not automated. Third, to bridge the gap between all these silos, people are forced into collaborating using systems that are in no way connected to their work. As a result, employees are not productive and spend time on lower-value but necessary operational tasks instead of strategic objectives.
There is little time to be proactive, so they seem to always be reacting to the latest risk that bubbles up. It takes longer than it should to resolve issues, respond to requests and get the work done, sometimes even leading to missed deadlines. Current tools are hard to manage and scale for legal and compliance business requirements and cannot properly track information. In our opinion, considering all these aspects, we can state that control functions really need to be supported by added and innovative tools to improve the way of working.
Even if organizations are still in their first stages of the digital-transformation journey, one of the key factors that we can identify is that they need tools to support the transformation also of their GRC processes that typically are inefficient in the structure. There are some features that these tools must provide in order to be effective in doing this. First of all, these tools should be actionable, which means that they should provide all the information required by the top management in order to promptly identify top risks and take informed decisions on how to face them.
Second, they should support the integration between GRC processes that, typically, are approached in a siloed way. These tools should provide integrated workflows and a common knowledge base in order to make this integration and collaboration effective. Third, they should support the automation of low-value tasks so that people can focus on higher-value ones. This automation means that these tools should support task assignment for owners, escalation management and due-date monitoring so that all these activities do not require extra effort to be carried out.
Last, another key feature that these tools should provide is full transparency on the information they can dig out of the huge amount of data that organizations manage, which means that they should provide dashboards, key performance indicators and key risk indicators that are very intuitive and immediate to use by management and the other stakeholders to take their business decisions.
In the Italian market, we are pushing and implementing the GRC module of the ServiceNow platform. Protiviti is an official partner of ServiceNow, a software-as-a-service platform which enables the digitization of business processes and management of workflows through an easy and intuitive user experience, improving collaboration between different functions. This is a key point — collaboration between different functions. The platform has extended, in the last year, its capabilities also to GRC processes. What we are seeing is that, especially for companies already adopting the platform to manage specific business processes, the adoption of the GRC module can lead to significant improvement in terms of process integration, automation of control-testing activities and risk assessment. All these functionalities can leverage processes enforced within the platform.
So far, the implementations we are carrying out in the Italian and, in general, also in the European market are mainly related to compliance-management capabilities. Our perception is that the entry point for the adoption of the GDPR tool is heavily dependent on the need for compliance with a specific regulation. So, it’s more a tactical mission. For sure GDPR, in the last two years, gave a significant boost to the adoption of structured tools. Then the spreading of the use of the tool in our mission can be achieved by proceeding step by step, adding and managing other compliance requirements.
For sure, the full adoption of compliance management, which means integrated compliance, is an objective that can be achieved over a few years, depending on the level of maturity of the companies, leveraging of tool capabilities and, above all, the willingness of the top management.
We are starting right now also to configure risk management as the next step in the road map to fully integrated GRC, leveraging the internal control system already embedded within the platform. Audit management, however, is so far not perceived as the top priority by the companies, and installing an early stage. At the same time, we are convinced that having within the same platform the internal control system combined with the enterprise risk management will also be, for the auditors, an effective change inhibitor in their way of working.
While we are focusing on ServiceNow GRC, the main reason is the flexibility and the customization opportunities offered by the platform, which allows us also to build within the GRC module our consultancy approaches and methodologies for specific compliance areas as well as risk management. In this way, combining our GRC consulting expertise with the development capabilities of the platform, we were able to define and implement several business cases successfully adopted by our clients. This also presents an opportunity for us to innovate our way of delivering consultancy services by betting on digitalization.
The most significant business case we developed by using ServiceNow GRC is, for example, a GDPR tool to manage the main aspects and processes required by the regulation, such as, for example, data processing activities, data processing impact analysis and data risk management. Then we developed another successful example – we developed specific tools to manage compliance with the Italian version of a subregulation. We developed a specific tool for anti-money laundering, leveraging ServiceNow GRC to manage and streamline the end-to-end process of handling practices.
Another example is the compliance automation for the external auditors to eliminate email as the only means of communication between external auditors and a business function when requesting control evidence to perform testing activities. So far, the external auditors are forced to access a specific portal, be it on a GRC module, to request evidence; the tool is able to route the request to the right owner within the company by linking the request itself with the internal system of controls.
Finally, we are also using ServiceNow GRC internally to innovate our way to deliver and manage GRC consultancy services — in particular, enterprise risk management services — by replacing the use of more traditional tools such as spreadsheets or other structured tools. So, the main benefits that we obtained were, for sure, better and improved collaboration between different control and business functions, better decision-making, leveraging and sharing the same information, and traceability of tasks and measured processes, which make it easy to identify and address process inefficiencies. Those are the main pillars we are working on to facilitate and sponsor the adoption of the tool.
Organizations have started finalizing and explaining how new technologies can improve all their business processes, as well as justice processes, of course. It’s positive to see that most internal control functions have launched innovation and transformation initiatives starting their next-generation journeys.
However, I believe that there is progress which is still needed to further mature and fulfill the potential. In fact, undertaking this journey requires recognition that transformation consists not only of a collection of discrete initiatives but also requires the definition of a comprehensive program with a new mind-set and the commitment to continue revolution according to the evolution of the organization. Of course, this includes the adoption of new technologies such as process mining, artificial intelligence and intelligent process automation that, in a world where the amount of data to be managed grows exponentially, enable GRC activities to be more effective and purposeful.
Overall, as we said before, even if we can see a positive trend in the adoption of next-generation capabilities in GRC functions and processes, this journey is still in its early stages, so there are many improvement opportunities for organizations that want to invest in this.
Thank you again.
Thank you for listening. You can find more information and podcasts offering perspectives on GRC from around the world at protiviti.com/grc.