Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for governance, risk management and compliance (GRC) fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of GRC. To address this challenge, a large commercial bank developed a GRC strategic plan that spanned risk and compliance departments. With this plan and vision in place for GRC they then evaluated GRC platforms in the market and selected RSA Archer’s GRC Platform to be the backbone of their integrated Enterprise Governance, Risk, and Compliance program. GRC 20/20 has evaluated and verified the implementation of RSA Archer at this bank and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized RSA Archer with a 2014 GRC Value Award in the domain of Enterprise GRC Platform.
Inevitable Failure: Managing GRC in Silos
Risk and compliance is like the hydra in mythology — organizations combat risk, only to find more risk springing up to threaten them. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the enterprise. The dynamic and global nature of business is particularly challenging to risk and compliance management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes and internal controls) and externally (e.g., competitive, economic, political, legal and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area can have profound impact on others.
Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for governance, risk management and compliance (GRC) fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
- Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture, and how resources can be leveraged and integrated for greater effectiveness, efficiency and agility. The organization ends up with varying processes, systems, controls and technologies to meet individual risk and compliance requirements. This means multiple initiatives to build independent GRC systems — projects that take time and resources and result in inefficiencies.
- Poor visibility across the enterprise. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture. The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats. The result is poor visibility across the organization and its GRC environment.
- Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently — introducing more points of failure, gaps and unacceptable risk. Inconsistent GRC not only confuses the organization but also regulators, stakeholders and business partners.
- Lack of business agility. A reactive GRC strategy, managed in siloed and manual processes with hundreds or thousands of disconnected documents and spreadsheets, handicaps the business. The organization cannot be agile in a demanding, dynamic and distributed business environment. This is exacerbated by documents, point technologies and siloed processes that are not at the enterprise level and lack analytical capabilities. People become bewildered in a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic.
- Greater exposure and vulnerability. No one looks at GRC holistically across the enterprise. The focus is on what is immediately before each department and not the complex relationship and dependencies of risk across the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing spreadsheets, but do not deliver analytics or align with business applications. This creates gaps that cripple GRC, and a business that is ill-equipped for aligning GRC to the business.
The Bottom Line: Siloed GRC processes are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of GRC. Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk.
How a Bank Achieved Value with the RSA Archer GRC Platform
Providing a full range of banking, brokerage, insurance, investment, mortgage, trust and payment services to consumers, businesses and institutions, a large commercial bank was faced with a breadth of GRC challenges they had to align and manage across a dynamic and distributed environment.[1. The focus of this case study required anonymity according to their internal policies. GRC 20/20 interviewed and researched the details presented in this research report and validated the final deliverable with the organization referenced as the case study for accuracy.]
The bank knew something had to be done. The many areas of risk and compliance were not integrated and each was managed in silos primarily utilizing documents, spreadsheets, emails, custom databases, or a variety of other standalone commercial, off the shelf software tools. This was costing the bank a significant amount of time in human capital resources as well as significant investment in supporting disparate and redundant technology solutions.
To address this challenge, this bank developed a GRC strategic plan that spanned risk and compliance departments. With this plan and vision in place for GRC they then evaluated GRC platforms in the market and selected the RSA Archer GRC Platform as the backbone of their integrated Enterprise Governance, Risk, and Compliance program.
Today the RSA Archer GRC Platform is accessible to all employees across the bank's diverse operations, and is used regularly by more than 3,500 GRC power users. Their GRC Platform implementation supports 35 unique GRC programs including:
- First-line of defense risk and control self-assessment process.
- Second line of defense subject matter expert assessments, which allow for credible challenge of first line of defense assertions.
- New and modified financial products assessment process.
- Third party risk and contract management.
- Sarbanes-Oxley and internal control management.
- Marketing material compliance and website content review.
- Quality assurance compliance program.
- Internal audit management.
- Model governance and risk management.
- Centralized problem resolution and root cause analysis.
- Scenario analysis, and more.
The core of the bank’s GRC Platform revolves around shared elements that are used to integrate these different programs into a cohesive GRC information and technology architecture. This includes a common organizational hierarchy, product and service inventory, electronic asset repository (e.g., hardware and software), facilities, contacts (employees), process listing, risk register, control library, regulatory applicability matrix, regulations, policies, and issues. Through the use of these shared elements, programs that used to be standalone are now fully integrated with other programs. This allows each program to be intelligent by sharing information and collaborating with other groups to stay informed.
As an example: a change to a law or regulation may impact a product or service and require a change to be made to that product or service. This informs the bank’s new/modified product and service risk review and approval process which, in turn, determines whether the product or service is offered, marketed, serviced, or fulfilled by a third party. If it is, the Platform initiates a reassessment of the third party relationship and notifies the contracting group to review contract terms and conditions for required updates.
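The cascade just described (regulation change, product review, third-party reassessment, contract review) only works when the programs share the same product inventory and third-party register. The following is an added illustration written for this report, not RSA Archer's own data model or code; the record types, ids and the `integrated` switch are constructed assumptions that show what the cascade loses when the product inventory is not linked to the third-party register.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Product:
    id: str
    regulations: frozenset    # regulation ids that apply to this product/service
    third_parties: frozenset  # third-party ids that market, service or fulfil it

@dataclass(frozen=True)
class ThirdParty:
    id: str
    contract_id: str          # contract record owned by the contracting group

class GRCGraph:
    """Shared records: product/service inventory, regulatory applicability,
    third-party register and contract list, all keyed by stable ids (assumed)."""
    def __init__(self, products, third_parties):
        self.products = {p.id: p for p in products}
        self.third_parties = {t.id: t for t in third_parties}

    def impacted_products(self, regulation_id):
        return sorted(p.id for p in self.products.values()
                      if regulation_id in p.regulations)

    def regulation_change(self, regulation_id, integrated=True):
        """Return the ordered, de-duplicated work items triggered by a change to
        regulation_id. With integrated=False the product inventory is treated
        as a silo with no link to third parties, so the cascade stops at the
        product review and the third-party and contract reviews never fire."""
        tasks, seen = [], set()

        def add(task):
            if task not in seen:
                seen.add(task)
                tasks.append(task)

        for pid in self.impacted_products(regulation_id):
            add(("product_review", pid))
            if not integrated:
                continue
            for tp_id in sorted(self.products[pid].third_parties):
                add(("third_party_reassessment", tp_id))
                add(("contract_review", self.third_parties[tp_id].contract_id))
        return tasks

# Constructed sample data with placeholder ids (not taken from the report).
GRAPH = GRCGraph(
    products=[
        Product("PRD-MORTGAGE", frozenset({"REG-1"}), frozenset({"TP-SERVICER"})),
        Product("PRD-CARD", frozenset({"REG-1", "REG-2"}),
                frozenset({"TP-SERVICER", "TP-PRINTER"})),
        Product("PRD-TRUST", frozenset({"REG-2"}), frozenset()),
    ],
    third_parties=[ThirdParty("TP-SERVICER", "CON-101"),
                   ThirdParty("TP-PRINTER", "CON-202")],
)

if __name__ == "__main__":
    for task in GRAPH.regulation_change("REG-1"):
        print(task)
```

A third party serving several impacted products is reassessed once, which is the de-duplication that a shared register gives and separate per-program spreadsheets cannot.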
The Value of RSA Archer at a Large Commercial Bank
GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].[2. This is the official definition of GRC found in the GRC Capability Model and other work by OCEG at www.OCEG.org.] Successful GRC strategies deliver the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment. GRC solutions should achieve stronger processes that utilize accurate and reliable information. This enables a better performing, less costly, and more flexible business environment.
GRC 20/20 measures the value of GRC initiatives around the elements of efficiency, effectiveness and agility. Organizations looking to achieve GRC value will find that the results are:
- GRC Efficiency. GRC provides efficiency and savings in human and financial capital resources by reduction in operational costs through automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.
- GRC Effectiveness. GRC achieves effectiveness in risk, control, compliance, IT, audit, and other GRC processes. This is delivered through greater assurance of the design and operational effectiveness of GRC processes to mitigate risk, protect integrity of the organization, and meet regulatory requirements. GRC effectiveness is validated when business processes are operating within the controls and policies set by the organization and provide greater reliability of information to auditors and regulators.
- GRC Agility. GRC delivers business agility when organizations are able to rapidly respond to changes in the internal business environment (e.g. employees, business relationships, operational risks, mergers, and acquisitions) as well as the external environment (e.g. external risks, industry developments, market and economic factors, and changing laws and regulations). GRC agility is also achieved when organizations can identify and react quickly to issues, failures, non-compliance, and adverse events in a timely manner so that action can be taken to contain these and keep them from growing.
GRC 20/20 has evaluated and verified the implementation of RSA Archer at this large commercial bank and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized RSA Archer with a 2014 GRC Value Award in the domain of Enterprise GRC Platform.
GRC Efficiency Value
This bank, using RSA Archer, has been able to identify both quantitative (hard objective facts and figures) and qualitative (soft subjective opinions and experience) measures of value as they pertain to the human and financial efficiencies they have benefited from.
GRC 20/20 has evaluated and verified the following quantitative measures of GRC efficiency value:
- Within the first year of implementation, almost all end-user computing solutions were retired, along with $300k a year in alternative, commercial software.
- The time to complete new/modified products and services assessments and approvals was reduced by 60%.
- In the first five years of implementation, the Platform has eliminated over $1.5 million a year in alternative, commercial software and an additional $450 thousand savings in human capital expense and time to administer the breadth of disconnected and redundant solutions they used to struggle with.
- The bank states that implementing RSA Archer as their enterprise GRC Platform has saved the organization approximately $1.65 million annually.
GRC 20/20 has evaluated and verified the following qualitative measures of GRC efficiency value:
- The bank reports significant reduction in the expense and time used to manage disparate and disconnected solutions that existed previous to RSA Archer.
GRC Effectiveness Value
This bank, using RSA Archer, has been able to identify both quantitative (hard objective facts and figures) and qualitative (soft subjective opinions and experience) measures of value as they pertain to the effectiveness of GRC that the organization has benefited from.
GRC 20/20 has evaluated and verified the following quantitative measures of GRC effectiveness value:
- The number of new/modified product/service assessment and approvals processed has increased 320% annually and is completely supported and done on the RSA Archer GRC Platform.
- The number of third-party risk assessments that are completed annually has increased 317% with use of the RSA Archer GRC Platform.
- The number of marketing material and website compliance reviews completed annually has increased 117% with use of the RSA Archer GRC Platform.
GRC 20/20 has evaluated and verified the following qualitative measures of GRC effectiveness value:
- The bank reports increased ability to report on different GRC programs, both program-specific as well as in relation to other programs.
- The RSA Archer GRC Platform has given the bank an ability to meet heightened regulatory expectations for reporting and minimize regulatory issues for programs supported by the GRC Platform.
- By being able to easily report across GRC programs, their reporting resources are now focused on analysis as opposed to simply creating reports from different data sources.
- Their GRC strategy, program, and platform have received positive feedback and treatment from regulators.
- The bank reports an overall reduction in third-party risk.
- The ability of each individual GRC program to interact with and inform the others is a primary benefit the bank cites.
- The RSA Archer GRC Platform has allowed for effective horizontal audits, in which common processes, such as “lending” or “collections”, are audited across multiple business lines. Internal audit can identify where these processes reside, what risks have been identified against them, what controls are in place and when a business line last tested them.
- Their GRC Platform allows for an enhanced credible challenge process. For example, a business line may not identify third party risk in their risk and control self-assessment, but because the self-assessment is tied to the same organization hierarchy unit, the second line can challenge the first line on their failure to identify third party risk.
GRC Agility Value
This bank, using RSA Archer, has been able to identify both quantitative (hard objective facts and figures) and qualitative (soft subjective opinions and experience) measures of value as they pertain to the agility and responsiveness of GRC they have benefited from.
GRC 20/20 has evaluated and verified the following quantitative measures of GRC agility and responsiveness value:
- The growth in new/modified product/service assessments (320%), third-party risk assessments (317%), and marketing material and website compliance reviews (117%) tracks almost identically with the bank’s market share and innovation metrics, which demonstrates that the RSA Archer GRC Platform is positively impacting the overall business and keeping pace with it.
GRC 20/20 has evaluated and verified the following qualitative measures of GRC agility and responsiveness value:
- The bank reports increased speed to market for new/modified products/services and marketing.
- The integration of information and processes in the RSA Archer GRC Platform has been the key to taking the bank’s risk and compliance programs to the next level. Without the RSA Archer GRC Platform, the bank states that there is no doubt that they would have more audit and regulatory issues than they have today.
GRC 20/20’s Final Perspective
The greatest strength of this bank’s GRC Platform architecture in RSA Archer is the interconnectedness of the Platform and the ability to quickly enhance existing solutions or add new use cases. The flexibility RSA Archer has delivered to the bank has made them more agile and has enabled a highly efficient, effective, and agile GRC strategy aligned and in pace with a growing and dynamic organization. With the enhanced scrutiny and heightened regulatory expectations upon banks, the GRC strategy and RSA Archer GRC Platform at this bank have become critical to success. The bank is currently implementing several enhancements to meet heightened regulatory expectations, and everything is integrated and connected through the GRC Platform. RSA Archer has enabled this bank to really understand their business and what impacts it, and continues to contribute to informed business decision-making.
©GRC 20/20 Research, LLC. All Rights Reserved.
No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines established in client contract. The information contained in this publication is believed to be accurate and has been obtained from sources believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability whatever for actions taken based on information that may subsequently prove to be incorrect or errors in analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research should not be construed or used as such.