Hello, this is Kevin Donahue with Protiviti, welcoming you to a new edition of Powerful Insights. We’re producing a series of podcasts on GRC programs and technologies, obtaining perspectives from Protiviti leaders and subject-matter experts around the world on GRC drivers, innovations and challenges in their markets.

This episode features my conversation with Protiviti Managing Director Scott Bolderson and Associate Director Nicolas Perna. Scott is a leader within our business performance improvement group, while Nicolas works within our Technology Consulting practice. Both are based in London. They offer their viewpoints on GRC developments and advancements in their market. Scott, thanks for joining me today.

Thank you, Kevin.

And Nicolas, it’s great to speak with you as well.

Nice to be on the call with you, Kevin.

Nico, let me start asking you some of the questions we have here around GRC. First off, what are you seeing as some of the GRC drivers in your marketplace?

That’s a good question. What we see across our clients is that business and technology changes are accelerating, so companies are really keen to put in place technologies like GRC just to make sure that they are on top of new regulations. What I would like to add as well is that risk landscape is evolving pretty quickly with GRC transformation. As another example, a company’s reputation can be manipulated by social media, for example. So, those are key drivers that push companies to think about GRC as part of their IT infrastructure, I would say.

Yes, I’d just add on that, Kevin. I think what was said is there’s more non-industry-aligned regulations such as GDPR; we’re seeing real demand outside of those traditionally related industries like the financial services. So, non-financial services companies are starting to understand what effective risk management is about to start value effective risk management, not only for regulatory requirements but also from an enhanced operations perspective and ensuring the management of risk properly. So, we’re certainly seeing as significant uptick in demand outside of financial services in the last couple of years.

Yes, that’s interesting and I guess expected as well. Nico, I just want to ask you about innovations. Nico, what sort of innovations in GRC are you seeing in the marketing with your clients right now?

Yes, I would probably highlight one key innovation that we did notice across a number of our clients, which is basically BI reporting and data analytics tools. So, clients are really keen to integrate the GRC tools with advanced BI reporting technologies. Very interesting to see that a lot of them are considering the concept of data cubes — so, being able to get multiple sources of information of data from an ERP system. For example, combined with data from the GRC to make sure that they can produce very relevant reporting for decision-makers within their company. So that’s definitely one key innovation that we do see across our clients.

I’d also just add to that, Kevin, in terms of the concept of creating a GRC ecosystem, an ecosystem of technology providers that complement the core GRC platform. So, we’re seeing innovation around workflow and workload management around the GRC platform. We’re also seeing innovation around automation of risk management activities, again, around the GRC platform. So, looking at third-party providers to really add in to that GRC ecosystem to both automate or effectively manage workflow.

Next, Nico, I wanted to ask around these third parties, as Scott just mentioned. What are the key tools that you're implementing in your market right now?

We do implement a lot the Protiviti GRC solution, which is called the Governance Portal, which is an integrated GRC solution, and a lot of our clients use the tool for risk management for internal control, but we also see new topics like vendor risk management, for example, or GDPR compliance. Around the Governance Portal, we do see a lot of interesting Microsoft tools. So, as we said before, we see a lot of interest with BI reporting tools, and our BI, for example, is definitely one Microsoft tool that we do implement a lot for our clients within the U.K., but also within Europe.

Yes, and again, I’ll extend that a little bit further, outside of other Microsoft Office 365 tools that are available to most of our clients, such as Microsoft Flow or Microsoft Forms. In fact, we’re helping one large financial institution at the moment, essentially automate the risk management reporting function, which at the moment is very manual, very burdensome, relies on over a hundred different sources of data. By using the Microsoft suite of tools, we’re able to automate that and make that more accurate, more effective. So, some of these tools don’t have to be big investments. They’re often tools that are already available to our clients.

I think both of you have touched on this concept of integrated GRC. What are some of the challenges organizations are facing right now as they pursue integrated GRC?

Yes, that’s a good question. From my perspective, what I definitely see as a challenge is change management within the organization. Especially with integrated GRC, you’ve got a lot of different teams involved with the final solution, and change management is always a challenge of making sure that training is done across the use of community and making sure that there is a proper adoption of the solution, not after go-live, but right after the beginning of the project. This is a key thing of implementing an integrated GRC tool. I think that’s what you could say, as well as part of the implementation of the GRC tool, is that with all the new digital technology that is on the market and interacting with the GRC tool, like RPA, like machine learning, we see a new principal volume of data, and that’s definitely another challenge that organizations are facing, which is making sure that they use, or they find the right way to use or to report on, this big volume of data that we see in tools like GRC.

I think what we’re seeing in that new marketplace for integrated GRC and that sort of nonregulated environment, where we’re starting to see the value in this, is really all the challenges around building an integrated platform and its use in the business, and its culture in the organization, and GRC being taken seriously and not treated as a compliance activity but as a value driver for the business. That will continue to be a challenge across our markets.

These have been great insights. Thank you. Let me wrap up with a final question here, and, again, I think you’ve touched on this a bit but, Nico, how do you see GRC programs becoming more digitally focused aligning with digital transformation that’s going on throughout some of these organizations?

Yes. I think that this is really the beginning of the journey, and I think that clients, generally speaking, are becoming more aware that GRC is part of the IT ecosystem and that they need to integrate with digital technologies like RPA, data mining and machine learning. One good example is control testing, for example, just to drive more of personal preference, I would say. I think that’s another thing to mention here, that governance frameworks with the digital transformation, I think that companies realize that they do need to have the right governance framework in place to be able to manage the risks linked to those new technologies, so that’s definitely a key topic for us as a consulting firm for the coming years.

I guess I’d probably reiterate some of the points I made earlier, which is, we see and demand from our clients in terms of understanding how they can leverage some of the digital transformation practices into their GRC programs through the innovative use of different technologies, different approaches to change management such as agile. I would also say, though, that for any GRC program, unfortunately, there is a perception that a GRC program is an inhibited digital transformation, and it shouldn’t be. It should embrace and be an enabler to more effective digital transformation. That’s all I’d add to that stage.

Scott, Nico, again, thank you for your insights today. It’s been a pleasure speaking with you. Thank you for listening today. You can find more information and podcasts offering perspectives on GRC from around the world at protiviti.com/grc.