Insurer launches a combined assurance initiative with Protiviti’s Governance Portal

Change Requested

A leading multinational insurance group headquartered in the UK and serving more than 17 million customers in nearly 140 countries faced a technology turning point in 2009. The governance, risk and compliance (GRC) systems used by the Financial Control Group and the Internal Audit Group were nearing end-of-life status, and the Risk Group, which had no GRC platform, needed to satisfy emerging requirements for individual capital assessment (ICA) and Solvency II.

Rather than implementing three separate systems for each group, management decided to launch a combined assurance initiative designed to bring a single risk story back to its board of directors.

After developing detailed criteria and thoroughly investigating several market-leading providers and platforms, the insurance company selected the Protiviti Governance Portal. Along with the Governance Portal’s broad feature set and extensive configurability, four key factors contributed to this decision:

• The Governance Portal’s single, integrated database supports combined assurance. If the Risk Group entered a risk control with an audit or financial control dimension, the Audit and Financial Control Groups would have direct visibility. Protiviti was the only vendor able to demonstrate this capability.
• The Governance Portal’s key features were easy to see and demonstrate. Management could see all of the capabilities immediately, with no need for custom development.
• Protiviti offered a flexible licensing model that allowed the company to easily scale and deploy the solution with its user base across 33 countries.
• Most important, Protiviti understood the client’s needs and spoke the same language. The benefit of this connection became particularly clear during the configuration phase of the project, when Protiviti consultants played a vital role in helping the different client teams work toward a common taxonomy.

Change Envisioned

As part of the implementation, Protiviti performed an inventory of the requirements of seven project teams, developing a total of 40 specific functional areas (e.g., risk assessment, reporting, remediation, etc.) to be included in the implementation. During planning and diagnostic discussions, Protiviti helped management identify a series of common themes across the functional groups that would facilitate an integrated GRC approach while still supporting team-specific requirements. Throughout the configuration phase, Protiviti provided continuous feedback, direction and validation of the final design. The implementation was completed in 12 months.

​Currently, the Financial Control Group uses the Governance Portal to manage the financial reporting processes, including control models for remediation, testing and quality assurance. This group also uses the solution to manage the CFO accounting assertions. The Risk Group has incorporated compliance management, operational risk, information security, scenario assessments, and the Solvency II Risk Register in the Governance Portal. In the Audit Group, internal auditors use the Protiviti Governance Portal to manage the audit process, including recording findings, assigning actions, and creating management information reports. The auditors leverage the Portal’s offline functionality to perform work in the field while disconnected from the server.

The process of deploying and refining the system’s capabilities is ongoing, but the Protiviti Governance Portal has already proven to be an excellent foundation for the company’s combined assurance initiative. For example, when the Financial Controls Group and the Audit Group are engaged in similar activities, the Governance Portal flags those controls and identifies the two different opinions. This visibility allows executive management to decide whether to eliminate the duplicate effort or maintain the two separate activities because there is value in the different opinions.

Change Delivered

Although the company did not adopt the Protiviti Governance Portal with ROI in mind, the company has realized significant savings in a number of areas:

• Previously, users in the Financial Control Group each spent about a half-hour developing a control assertion by interviewing a subject and then keying and consolidating the results into the old GRC system. In the Governance Portal, this is a 5-minute automated task, a savings of more than 300 manhours every reporting period.
• In information security, the company previously used more than 35 policy assessment spreadsheets that were sent around to various IT resources, reviewed and summarized. Today, self-assessments are conducted in the Governance Portal, and a single report is easily generated.
• Having one GRC solution instead of three has reduced operational costs associated with maintaining multiple database administrators, hardware platforms, organizational models and risk registers.