Hello. This is Kevin Donahue with Protiviti, welcoming you to a new installment of Powerful Insights. We are producing a series of podcasts on GRC programs and technologies, obtaining perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets.
This episode features my conversation with Owen Strijland, a director with Protiviti’s Technology Consulting practice based in Amsterdam. Owen offers his viewpoints on GRC developments and advancements in the Netherlands. Owen, thanks for joining me today.
In my marketplace in the Netherlands, I recognize that more and more, organizations take their risk management and control management very seriously. Sometimes that is given to them by their supervisors, but also the urge from management themselves to get the organization more in line, sometimes even managed by key risk indicators, and they’re looking for a formal way to register key risk indicators and, of course, the GRC tools – that is a perfect thing to do that with.
If I’m in discussions with management, it’s for them mainly to provide insight and foresight on the company level, and that is often what they say is a main driver to get it more in control, to get more information from it, and, of course, the GRC tool itself can create this insight, but it’s only when the organization adopts an approach where they manage risk and controls in a more common way instead of all kinds of entities that do it in different ways and on their own behalf. It takes them a little bit of an investment not only in the GRC tool but also in the organizational change itself.
What they are looking for predominantly is, it should improve the business in doing its business and not so much “Let’s try to create a nice tool for the second line or for compliance or for our other department.” The business should benefit from it. They’re looking for the benefits from a GRC tool from a business perspective to become better – more predictable and better information.
Good question. The GRC tools, since I’ve been working for the financial industry – and sometimes you do a little bit of step into manufacturing or technology – is, the GRC tools itself, they don’t change that much. It still comes down to, OK, show me my risk, my controls.
I like to be more in a driving seat. I like to have an approach that fits better with my business, but what I predominantly see within the market is the interaction between the GRC tool and the organization through APIs, through data analytics, company BI tools, so more and more, a GRC tool should fit within the data suite that an organization is trying to manage and within the data suite where they do their analysis on an interaction between a GRC tool and other tools within the organization that are used to manage important data or important processes. It’s not the GRC tool itself so much, although, of course, they evolve over time. They become maybe more iPhone interfaces, or there may be better interaction with a graphical representation of workflow or the data in the tool itself.
But the innovation comes from having a more interactive approach to other tooling, an interactive approach to a more company-standard way of reporting. I think that in the last five to 10 years, from my point of view and from the clients that I talk with, the innovation is not really found in the GRC tool itself, as far as I see. They become nicer, but become part of that whole ecosystem in an organization, so more seen as a business tool. I think that’s the best innovation I see around GRC tooling, yes.
Owen, that’s probably a good segue into my next question. I did want to ask you about tools. What are key tools that you’re implementing in your market at the moment? I guess I’ll even ask you just to pick one tool that you seem to be using more than others with the organizations you work with.
Yes, thank you. For us, this is quite simply said, is if we do entire implementations of a tool, it is predominantly around that tool, so the Governance Portal that we and Protiviti provide ourselves, and that has a couple of reasons. One is that when an organization makes the move from being more Excel-based and more maybe Word files and email-based risk management, the first move they make is to try to create a more digital environment, a more governed environment in which they would like to manage risk and controls.
From a consultancy perspective, we are often involved in that process, and then selecting a tool or being part of a tool selection makes using our own tool very easy because we know the tool really well. We also know what it can do and we are able to fit it right with the requirements of the client. Of course, sometimes we present a different tool, but when we talk about our own tool, I think clients like it because of the pragmatic approach that we take as a consultancy and that we are really honest and, “OK, we listen to your ideas. We listen to your demands.” Of course, we can go for a full-suite large implementation of something really fancy, but often they’re just looking for some digitization and, of course, a connection with a tool like Power BI or even our new connection, but even integration with a Power BI tool works really well.
In that regard, I think it’s our own tool. Now, often, more in SaaS, online in the cloud instead of a local implementation, that’s one of the big moves we see when we implement our own tool, that more and more companies are telling us, “Well, our own IT will not fit with the request that we have. What would the budget be – what is the needed budget when we would like to put it into your own online environment?” That’s what we install mostly. It’s the SaaS environment of our own BI tool.
It’s indeed the Protiviti Governance Portal, and more and more in relationship with our BI front end.
Yes. That’s an interesting question. From a consultancy perspective, we, of course, encounter a lot of organizations where they’re trying to do an integrated GRC exercise, whereas the organization is not ready from a perspective of working together in a similar way. Policies, procedures, work instructions might differ from entity to entity; maybe even geographies work in a different way; and, of course, a GRC tool requires a certain way and a certain level of agreements between, OK, how do we manage risks? What is a control in our organization? Who do we ask to rate a control? Who do we ask to assess a risk? There needs to be a certain level of understanding about how they do it.
It’s also formalities. What is the task of the second line? What is the task of a quality team? What is the task of internal audit, and how well do we know from each other what we then expect them to do with a GRC tool? Of course, for a consultancy company, that is always a question. OK, how far do you want us to change your organization, and how far would you like us to implement a GRC tool the way you’re working right now, because we see that there is another challenge in your organization before you can work with a GRC tool?
Of course, that’s also a bit of discretion, because the client might be in the market for, “OK, let’s buy a tool, because we fix a lot with the tool,” and then we need to tell them, “OK, you can buy a tool. You can buy our own governance portal, but that has certain challenges within your organization, the way we look at it right now.” And we often encounter that already in the process of acquiring a tool – the requirements are not really clearly defined. There are lots of different requirements coming from different entities that were allowed to participate in an RFP, and different approaches to risk, different approaches to control, different approaches to regulatory compliance. Then we, as a consultancy, don’t like to tell them, “OK, you can buy the tool, and we create it.” We rather first help them change their business, but that, of course, sometimes will not be the answer that they’re looking for.
Then, the second thing is that sometimes an organization or a client has the idea that once they buy a GRC tool, they buy a tool that can do everything – so, everything around governance, everything around the risks, everything around the controls. Then you go into a discussion of best of suite or best of breed, so sometimes a tool that can do one thing can do that really well, and sometimes a tool that can do loads of things might become very expensive in implementing it, although in requirement sessions, when you allow the client to tell what they all want to do, it’s like they want to create one big, overarching GRC monster that should automate 99% of the processes, whereas as a consultancy company, we might sometimes tell them, “Well, let’s not do that in a GRC tool. That is more business continuity. That’s more operationalizing of business continuity. Yes, business continuity in general is part of having things in control and part of your governance, but it might not be good to manage it in a GRC tool.”
It’s both what you should do in a GRC tool, what is better to do not in a GRC tool, and how complex are you going to make it yourself? Of course, that’s why they look at Protiviti often – we are able to do both. We’re also able to help them in making a proper selection in that whole process.
Yes. I’ve seen many examples where if you look at digital transformation adopting more data analytics, adopting better workflow support to create insight in your organization and, in the end, to strengthen the organization so that, when you make a decision as a management team or when you make a decision as a supervisory board, you’re at least well informed. The whole digital analytics part – and I think that’s in all areas, not only GRC – forms a pretty solid basis on controls, a pretty solid basis on, “OK, how are our risks performing?” not only in assessment once a year but now we would like to have the knowledge per day, per week, per month on how we are affected by risks and how we are affected by controls. They do that through having very strong data analytics teams with the proper tools to do some data mining and to get the proper data on the discussion and to make decisions upon.
In relation to the workflows that I earlier mentioned, of course, the digital transformation into having a more workflow-based approach to GRC, to guide your employees in different kinds of assessments, to guide your employees in policy attestation, to guide your employees in creating more knowledge about risks, about controls, about your compliance programs, of course, that is a digital transformation in itself. More and more, there is a nice graphical user interface used on iPhones and iPads, on Android telephones, to make it very easy for the people to participate in risk and control management.
But there’s also a little bit of risk involved there that the focus should not be on the smartest way or the most beautiful way to represent risk and control management or to guide them within a workflow so they can’t deviate, because, of course, a part of risk management is very much put in stone, so it is, you have to have certain elements to a risk to make sure that you can mitigate the risk, but it’s not a year-by-year process. It’s a continuous process of looking at your business and making sure that you reach your targets, and sometimes with digital transformation, people try to make it too beautiful and maybe trying to make it so easy to do that it becomes more a radio button, check-box exercise on an iPhone so it can be really quickly done.
It’s very good to support, but it should never stand in the way of really thinking about your risks, really thinking about your controls and having proper education on the themes, how workflow and data analytics can be helpful. But you also need to be careful not to take the human part out of risk management, because most organizations indeed have digital transformation programs and they try to make GRC more aligned with their digital strategy.
Owen, thanks for joining me today. This has been a great discussion. I appreciate you sharing your insights on GRC in your market.
Thank you for listening. You can find more information and podcasts offering perspectives on GRC from around the world at Protiviti.com/GRC.